Unpacking method exhaustive list


Analysis work done by G-RoM.
Some tests were done by the Beta Team of course ;).

Default options (check the docs).

	    +-------------------------+-------------+-------------------------+
	    | Name                    | Method      | Options                 |
	    +-------------------------+-------------+-------------------------+
	    | BJFNT 1.x               | *unknown*   | Create new import.      |
	    |                         |             | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | ENC 0.1                 | Standard    | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | HASIUK used by          | HASIUK      | Default                 |
	    | Activision              | /NeoLite    |                         |
	    +-------------------------+-------------+-------------------------+
	    | LOUIS Cryptor           | Standard    | Default                 |
	    |                         |             | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | Manolo                  | Manolo      | Rebuild Import Table    |
	    +-------------------------+-------------+-------------------------+
	    | NeoLite x.xx            | HASIUK      | Default                 |
	    |                         | /NeoLite    |                         |
	    +-------------------------+-------------+-------------------------+
	    | PECRYPT32               | none        |                         |
	    +-------------------------+-------------+-------------------------+
	    | PELOAD                  | Standard    | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | PELOCK                  | none        |                         |
	    +-------------------------+-------------+-------------------------+
	    | PESHiELD <0.2           | PESHiELD    | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | Petite                  | Petite      | Default                 |
	    +-------------------------+-------------+-------------------------+
	    | Securom                 | Standard    | Original CD required.   |
	    |                         |             | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | Shrinker <3.3           | none        |                         |
	    +-------------------------+-------------+-------------------------+
	    | Shrinker 3.3            | Shrinker33  | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | STNPE 1.xx              | Standard    | Do not recompute obj.   |
	    +-------------------------+-------------+-------------------------+
	    | VBox                    | Vbox Std    | Create new import       |
	    |                         |             | Breakpoint check        |
	    +-------------------------+-------------+-------------------------+
	    | !*VBox with TRY dialog  | Vbox Dialog | Create new import       |
	    |                         |             | Breakpoint check        |
	    +-------------------------+-------------+-------------------------+
	    | WWPack32 <1.10          | WWPACK32 I  | Default                 |
	    +-------------------------+-------------+-------------------------+
	    | WWPack32 1.10           | WWPACK32 II | Default                 |
	    +-------------------------+-------------+-------------------------+
	    | WWPack32 1.11           | WWPACK32 I  | Default                 |
	    +-------------------------+-------------+-------------------------+


*   : Beware !!! VBOX seems to be able to wrap 16-bit applications !!! Since
      ProcDump32 isn't able to handle them, there is no chance that we remove
      Vbox from there. Such a problem occurred with WINRAR for WIN 3.1x/NT 3.51,
      which seems to be a PE but is not really one: weird !!!!! There are
      some other problems, but you can correct them easily with a ProcDump dump
      + the "unpacked" file (I know, not everybody... But again, ProcDump32 is a
      helper, not the solution to all problems !!). You will need to stamp a
      few parts of the dump into the "unpacked" file to fix it totally... Sigh !!

!   : If it doesn't work, don't mail me... I DON'T CARE ABOUT THIS CRAPPY LAYER.
      I can personally remove it in 1 min.

NOTE: The "Do not recompute obj" option is not necessary: you can leave this
      option checked, it only impacts the size of the produced PE. Indeed,
      cryptors leave the object sizes untouched.

  For an unknown packer, try the Standard unpacker before trying the *unknown*
one: the method of returning to the original code is shared by many cryptors /
packers. If it fails, or <sigh!> hangs, then use the unknown unpacker AND please
note the value displayed if it was successfully unpacked. This address is where
the return to the original code is done. If you subtract the IMAGEBASE and the
OBJECT LOADER RVA from this address, you will know where to set the BPX. If you
don't understand what I say, study the PE format ;).
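The subtraction above, worked through in Python against the PE header itself. This is an added example, not ProcDump32 code or a script from G-RoM: it reads ImageBase and the section table, subtracts the image base from the displayed address, finds the object (section) holding the result and reports the offset inside that object (where the BPX goes) plus the matching file offset in a dump. The PE header it parses is a constructed, minimal one with a made-up loader object named .LOAD.

```python
import struct

def parse_pe_sections(data):
    """Read ImageBase and the section table from a PE32 / PE32+ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):            # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, _rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr))
    return image_base, sections

def locate_return_address(data, return_va):
    """Map the 'return to original code' address ProcDump32 displays onto the
    object containing it: (section name, offset in section, file offset in dump)."""
    image_base, sections = parse_pe_sections(data)
    rva = return_va - image_base             # step 1: subtract IMAGEBASE
    for name, va, vsize, rawptr in sections:
        if va <= rva < va + vsize:
            return name, rva - va, rawptr + (rva - va)   # step 2: subtract the object RVA
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def build_sample_pe():
    """Constructed minimal PE32 header (not a real program): ImageBase 0x400000, .text + .LOAD."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)
    opt += b"\0" * (224 - len(opt))                              # standard PE32 size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, va, vsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt
            + sec(b".text", 0x1000, 0x3000, 0x400)
            + sec(b".LOAD", 0x5000, 0x4000, 0x3400))
```

With the constructed header, a displayed address of 0x406672 resolves to .LOAD at +0x1672, i.e. file offset 0x4A72 in the dump.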

Packers/Protectors tested but not working (yet?):


  Shrinker 3.2 : This one has a fucking bad loader. For example:

    xor eax,eax
    mov byte ptr [eax],20  <- Fault !

   is part of the loader (SEH). Later in the loader such crap occurs
   too. Tip: try to use J0B's unshrinker for version 3.2 OR do it by
   hand: BPMB .LOAD+2672h X (.LOAD RVA).

  PECRYPT32 : Ahem... I talked much with Random and told him many tips,
   like how my import detection works, etc... Moreover there are several
   MTEs in the code and some IDT manipulations which prevent the loader
   from being traced totally. I personally tested a trace of 10 MILLION
   lines with an access violation error at the end. IN CONCLUSION: you
   can't trace it by using ProcDump... At least you can analyze a dump.
   The full support of PECRYPT32 will be done one day.... when I get or
   write a fully featured tracer or, maybe, if a crazy guy can try to do
   it with the script language ;).

  PELock   : It contains some code that detects the debug API; support for
   it will come with the Ring 0 Tracer.

  PESHiELD 0.2 : Well, I can't test it much because it is quite
   incompatible with Win98. But support for it will come with the Ring 0
   Tracer too.

 Generally, always use specific unpackers/deprotectors because they handle
 the PE perfectly and restore it to its EXACT state before protection.

Final Words:


If you did a script to support a packer/protector, send it to me.
If you have a cryptor/pecryptor I don't have... send it too ;)

Good Luck.
