Unpacking method exhaustive list


Analysis work by G-RoM.
Some tests were done by the Beta Team of course ;).

Default options (check the docs). The option information below is for ur
personal knowledge; normally ProcDump32 chooses the right configuration for the
packers it knows. *Unknown* mode uses the current ProcDump option settings: you
may need to adapt them.

+------------------+-----------------+------------------------+--------------------------+
| Name             | Method          | Options                | Section to remove after  |
+------------------+-----------------+------------------------+--------------------------+
| ASPACK < 1.08    | ASPACK <1.08    | Create new import.     | Last one.                |
+------------------+-----------------+------------------------+--------------------------+
| ASPACK 1.08      | ASPACK 1.08     | Create new import.     | Last one.                |
+------------------+-----------------+------------------------+--------------------------+
| ASPACK 1.08.2    | ASPACK 1.08.2   | Create new import.     | Last one.                |
+------------------+-----------------+------------------------+--------------------------+
| ASPACK 1.08.3    | ASPACK 1.08.3   | Create new import.     | Last one.                |
+------------------+-----------------+------------------------+--------------------------+
| BJFNT 1.x        | *unknown*       | Create new import.     | Last one.                |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| CodeSafe 3.x     | CodeSafe 3.x    | Default                |                          |
+------------------+-----------------+------------------------+--------------------------+
| ENC 0.1          | Standard        | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| HASIUK used      | HASIUK/NeoLite  | Default                | None                     |
| by Activision    |                 |                        |                          |
+------------------+-----------------+------------------------+--------------------------+
| IntelliSecure R2 | Monitor!        | none                   | None                     |
|                  | (see below)     |                        |                          |
+------------------+-----------------+------------------------+--------------------------+
| LOUIS Cryptor    | Standard        | Default                | Last section             |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| Manolo           | Manolo          | Rebuild Import Table   | .manolo section          |
+------------------+-----------------+------------------------+--------------------------+
| NeoLite 1.xx     | HASIUK/NeoLite  | Default                | None                     |
|                  |                 | Rebuild Header         |                          |
+------------------+-----------------+------------------------+--------------------------+
| NeoLite 2.xx     | NeoLite2        | Rebuild Header         |                          |
|                  |                 | Create New Import      |                          |
+------------------+-----------------+------------------------+--------------------------+
| PCShrink <0.4    | PCShrink        | Create New Import      | last one                 |
+------------------+-----------------+------------------------+--------------------------+
| PCGuard 2.10     | PCGuard 2.10    | Rebuild Import Table   |                          |
+------------------+-----------------+------------------------+--------------------------+
| PECRYPT32        | none            |                        | Depends on version       |
+------------------+-----------------+------------------------+--------------------------+
| PELOAD           | Standard        | Do not recompute obj.  | .peload section          |
+------------------+-----------------+------------------------+--------------------------+
| PELOCK           | none            |                        | last one                 |
+------------------+-----------------+------------------------+--------------------------+
| PEPACK           | PEPack          | Rebuild Import Table   | PEPACK!! section         |
+------------------+-----------------+------------------------+--------------------------+
| PE-PROT 0.9      | *unknown*       | Rebuild Import Table   | PEPROT section           |
| under W9X        |                 | Trace API              |                          |
+------------------+-----------------+------------------------+--------------------------+
| PESHiELD <0.2    | PESHiELD        | Do not recompute obj.  | ANAKIN98 section         |
+------------------+-----------------+------------------------+--------------------------+
| Petite 1.2       | Petite <1.3     | Default                | .petite section          |
+------------------+-----------------+------------------------+--------------------------+
| Petite 1.3/1.4   | Petite 1.x      | Create new import      | .petite section          |
|                  |                 | U will need to fix     |                          |
|                  |                 | reloc pointer too.     |                          |
+------------------+-----------------+------------------------+--------------------------+
| Petite 2.0       | Petite 2.0      | Create new import      | .petite section          |
|                  |                 | U will need to fix     |                          |
|                  |                 | reloc pointer too.     |                          |
+------------------+-----------------+------------------------+--------------------------+
| Petite 2.1       | Petite 2.1      | Create new import      | .petite section          |
|                  |                 | U will need to fix     | ONLY after u fixed the   |
|                  |                 | the import table a bit | import table             |
+------------------+-----------------+------------------------+--------------------------+
| Securom r1&r2    | Standard        | Original CD required.  | .cms*                    |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| Securom > r2     | Securom Plugin  | Original CD required.  | .cms*                    |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| Sentinel shell   | Sentinel        | Dongle REQUIRED.       |                          |
|                  |                 | Create new import      |                          |
+------------------+-----------------+------------------------+--------------------------+
| Shrinker 3.2     | Shrinker32      | Ignore Faults          | .load object at least    |
|                  |                 | Rebuild Import Table   |                          |
+------------------+-----------------+------------------------+--------------------------+
| Shrinker 3.3     | Shrinker33      | Do not recompute obj.  | None                     |
|                  |                 | Rebuild Import Table   |                          |
+------------------+-----------------+------------------------+--------------------------+
| Shrinker 3.4     | Shrinker34      | Do not recompute obj.  | None                     |
|                  |                 | Rebuild Import Table   |                          |
+------------------+-----------------+------------------------+--------------------------+
| Soft Sentry      | SoftSentry      | Default                | Delete all objects from  |
|                  |                 |                        | 20/20tm. Then u will     |
|                  |                 |                        | have to fix up relocs &  |
|                  |                 |                        | resource pointers.       |
+------------------+-----------------+------------------------+--------------------------+
| STNPE 1.xx       | Standard        | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| TimeLock 3.x     | Vbox std/Dialog | Create new import      | WeiJunLi section         |
|                  |                 | Ignore Faults          |                          |
+------------------+-----------------+------------------------+--------------------------+
| UPX 0.xx         | UPX             | Create new import.     | Last two objects         |
+------------------+-----------------+------------------------+--------------------------+
| VBox <4.2        | Vbox Std        | Create new import      | WeiJunLi section         |
|                  |                 | Ignore Faults          |                          |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| VBox with TRY    | Vbox Dialog     | Create new import      | WeiJunLi section         |
| dialog <4.2      |                 | Ignore Faults          |                          |
|                  |                 | Do not recompute obj.  |                          |
+------------------+-----------------+------------------------+--------------------------+
| VBox 4.2         | VBoX 4.2 Plugin | Create new import      | WeiJunLi section         |
+------------------+-----------------+------------------------+--------------------------+
| VGCRYPT 0.xx     | *Unknown*       | Ignore Faults          | .vgc if present          |
+------------------+-----------------+------------------------+--------------------------+
| WWPack32 <1.10   | WWPACK32 I      | Default                | .WWP32 section           |
+------------------+-----------------+------------------------+--------------------------+
| WWPack32 >1.11   | WWPACK32 II     | Default                | .WWP32 section           |
+------------------+-----------------+------------------------+--------------------------+
| WWPack32 1.11    | WWPACK32 I      | Default                | .WWP32 section           |
+------------------+-----------------+------------------------+--------------------------+


For IntelliSecure R2:

 This layer is the most stupid I ever saw. Anyway, to remove it, run ur
 "protected" app, hit Launch, then switch to ProcDump, refresh the process
 list, select the file u launched & KILL IT (yes!). Then u will notice in the
 list a file called ISR2RT.exe, which is your unprotected app. Simply rename
 this file & remove the hidden attribute.... ALL IS DONE.


FOR VBOX:

 Validate the TRY button, THEN validate OK in ProcDump32 so that the
 application is unwrapped totally ;).

NOTE: The "Do not recompute obj" option is not necessary: u can leave it
      checked, it only impacts the size of the produced PE. Indeed, cryptors
      leave the object sizes untouched.

 For an unknown packer, try the Standard unpacker before trying the *unknown*
one: the method used to return to the original code is shared by many
cryptors / packers. If it fails, or <sigh!> hangs, then use the unknown
unpacker AND please note the value displayed if it was successfully unpacked.
This address is where the return to the original code is done. If you
subtract from this address the IMAGEBASE and the OBJECT LOADER RVA, u will
know where to set the BPX. If u don't understand what I say, study the PE
format ;).
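Added example (not from G-RoM's document and not part of ProcDump32): a small
Python script that does by code what the text above and the table ask u to do
by hand. It reads the section table of a PE32 file and flags sections whose
names appear in the "Section to remove after" column (useful when triaging a
packed sample), and it turns the address displayed by the unknown unpacker
into "section + offset" by subtracting the IMAGEBASE and the loader section's
RVA, exactly the arithmetic described above. The sample PE, its section layout
(.text / .rsrc / .petite) and the function names are constructed for this
example; only the section names in PACKER_SECTIONS come from the table.

```python
import struct

# Packer loader sections named in the "Section to remove after" column of the
# table above. Securom uses several sections starting with ".cms" (written
# ".cms*" on the page), so that entry is matched as a prefix.
PACKER_SECTIONS = {
    ".petite": "Petite",
    ".WWP32": "WWPack32",
    "PEPACK!!": "PEPack",
    "ANAKIN98": "PESHiELD",
    "WeiJunLi": "VBox / TimeLock",
    ".manolo": "Manolo",
    ".peload": "PELOAD",
    "PEPROT": "PE-PROT",
    ".vgc": "VGCRYPT",
    ".load": "Shrinker 3.2",
    ".cms": "Securom",
}


def parse_pe(data):
    """Read ImageBase, entry point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def packer_sections(pe):
    """List (section name, packer) pairs for sections whose name is in the table."""
    hits = []
    for sec in pe["sections"]:
        for key, packer in PACKER_SECTIONS.items():
            if sec["name"] == key or (key == ".cms" and sec["name"].startswith(key)):
                hits.append((sec["name"], packer))
                break
    return hits


def locate_va(pe, va):
    """Map a VA shown by the debugger to (section, offset in section, file offset).

    offset in section = VA - IMAGEBASE - section RVA, the arithmetic the text
    above describes for finding where the return to original code happens.
    """
    rva = va - pe["image_base"]
    for sec in pe["sections"]:
        span = max(sec["vsize"], sec["rawsize"])
        if sec["va"] <= rva < sec["va"] + span:
            off = rva - sec["va"]
            file_off = sec["rawptr"] + off if off < sec["rawsize"] else None
            return sec["name"], off, file_off
    raise ValueError("VA 0x%08X is outside every section" % va)


def build_sample_pe():
    """Construct a minimal PE32 (headers only, no section data) for the demo.

    The layout is invented for this example: a packed program whose last
    section, .petite, holds the packer's loader and the entry point.
    """
    image_base = 0x00400000
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
    secs = [
        (b".text", 0x1000, 0x2800, 0x0400, 0x2800, 0x60000020),
        (b".rsrc", 0x4000, 0x0800, 0x2C00, 0x0800, 0x40000040),
        (b".petite", 0x5000, 0x0C00, 0x3400, 0x0C00, 0xE0000020),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5010)                    # AddressOfEntryPoint (in .petite)
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x0200)                    # FileAlignment
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, va, vs, rp, rs, fl in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("packer sections:", packer_sections(pe))
    # Constructed value standing in for the address the unknown unpacker displays.
    print("0x00405A30 ->", locate_va(pe, 0x00405A30))
```

Run it as a script to see the result for the constructed sample; for a real
file, call parse_pe(open(path, "rb").read()). PE32+ (64-bit) images have a
different optional header layout and are rejected on purpose, and a section
name match is only a hint: packers can be renamed, so treat it as a triage
signal, not proof.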

Packers/Protectors tested but not working (yet?):


  PECRYPT32 & PELOCK: that time will come soon... a few things to fix
   and it will be done.

  PESHiELD 0.2: Same as above ;).

  PETiTE 2.10: Wait a bit until I code a little automatic remover ;).

 Generally, always use the specific unpackers/deprotectors because they handle
 the PE perfectly and restore it to its EXACT state before protection.

Final Words:


If u did a script to support a packer/protector, send it to me.
If u have a cryptor/pecryptor I don't have... send it too ;)

Good Luck.
