Showing posts with label Unpacking. Show all posts

04 October 2008

Unpacking StuFF

The Chinese have updated the OD plugin:
OllyDBG v1.10 plugin - StrongOD v0.18

Temptress Moon Shadow by sea [CUG]
====================================================================

[2008.09.18 v0.18]
1. Fixed a small bug in the Ctrl+G calculation of RVA and offset
2. When the program is not in the running state, it is run before Detach
3. Fixed the data-area copy bug in the original OD
4. Fixed the bug where CPU usage was very high after OD was running
5. You can set it to skip some of the exception handling

[2008.09.02 v0.17]
1. Skips some exceptions that OD handles improperly
2. Correctly handles the int 2d instruction

[2008.08.31 v0.16]
1. Added a driver to protect the process and hide the window; this gets past most anti-debugging
2. The driver supports a custom device name (DeviceName in ollydbg.ini; the name must not be more than 8 characters)
In the [StrongOD] section of ollydbg.ini you can set these yourself:
HideWindow = 1 (hide the window)
HideProcess = 1 (hide the process)
ProtectProcess = 1 (protect the process)
DriverKey = -82693034 (key for communication with the driver)
DriverName = fengyue0 (driver name, not more than 8 characters)

3. The parent process of a process created by OD is changed to explorer.exe (code copied from shoooo)

/////////////////////////////////////////////////////////////

This version adds a driver; if you get a blue screen, please set up a minidump and post it to the forum, thank you.
Use the original OllyDbg as far as possible; other anti-anti-debug plugins (including phant0m) generally do not need to be used together with this plugin.

[Note of the final film Temptress Moon by the sea in the editing 2008-9-19 20:52]

House accounts, anti shell had the option to use the skills

Unless specially noted, the following all use the original OD with only the StrongOD plugin added.

Ollydbg.ini in the first [Plugin StrongOD] the following HideWindow, ProtectProcess into the value of 1, the value of KernelMode turned into a preserve

1. Themida / WinLicense
Set the plugin options to the minimum.
Run the original OD and load the Themida v1.9.9.0 main program; after it stops at the entry point, remove all breakpoints and press Shift+F9 to run.
2. ExeCryptor v2.4.1
Set the plugin options to the minimum.
Run the original OD and set it to stop at the system breakpoint.
Load the ExeCryptor v2.4.1 main program; when it stops at the system breakpoint, press Alt+B and remove the EP breakpoint.
Then press Shift+F9.
3. TTProtect v1.05 DEMO
Set the plugin options to the minimum. Run the original OD, load the TTProtect v1.05 DEMO main program, and press Shift+F9.
4. VMProtect v1.65.2
VMP v1.65 added a new anti-OD check under XP systems.
Set the plugin options to the minimum. Run the original OD, load the VMProtect v1.65.2 main program, and press Shift+F9.

Homepage: http://bbs.cracktool.com/viewthread.php?tid=28854&extra=page%3D1
http://www.unpack.cn/viewthread.php?tid=26870
http://cracklab.ru/f/index.php?action=vthread&forum=3&topic=12832

Download:
StrongOD v0.18.rar 101.89 KB

13 September 2008

ExeInfo PE ver. 0.0.1.9 C by A.S.L

ExeInfo PE 0.0.1.9 C by A.S.L
___________________________________________________________________________

ExeInfo PE ver. 0.0.1.9 C by A.S.L (c) 2006.03-2008.xx

freeware version for Windows XP

Windows 32 PE executable file checker, compilers, exe packers...

with solve hint for unpack/internal exe tools/rippers
___________________________________________________________________________

Internal Tools Menu:
---------------------
- overlay remover - generate new file without overlay data
- save overlay as external file
- EP Corrector (for Delphi) - generate many exe file with Entry Point
- EP Corrector (for Delphi) Runtime - correct EP
- XoR permutator (xor,or,shl..) - create one file with xor data (255x2000 bytes)
- Section splitter - save exe sections as files & exe header
- 8/16 bit string finder - enter 8 bit string = searching 16 bit strings & 8 bit (F7 key)
- REGistry call finder + CLSID - find registry call & regedit.exe strings
- overlay xor uncrypter - uncrypt one byte crypted exe in ovl.

File Menu:
--------------------
+ Rename file
+ Copy file As.. *.bak
+ Execute - create executable process (exe)
+ Execute - windows ext. associate (dll, zip...)
+ Delete file (ALt+Del) - work in multiscan mode
+ Run multifile scanner mode (Directory scan)
+ - view global log file (c:\Raport-exeinfo-log.txt)
- delete global log file (no confirm)

Rippers Menu:
--------------------
- www address searcher inside exe - work on any file
- ExE inside ExE (Win32 Pe windows executable) - work on any file
- Zip archives inside ExE www.winzip.com - work on any file
- Rar archives inside ExE www.rarlab.com - work on any file
- CAB MS archives inside ExE (for MSI installers ) - work on any file
- SWF flash Adobe animation files (internal length fixer for non exe files)
- ICO nonstandard icon ripper
- (All in one) - for lazy boys (without 'www address')


keys:
--------------------
F1 key - keyboard help
F2 key - Multiple file scanner for *.exe files
F3 key - external view (hiewdemo.exe or hiew32.exe) path directory
F4 key - external test (peid.exe) path directory
F5 key - external test RDG Packer Detector (I read location from Win registry)
F6 key - external test DiE.exe Detect it Easy (I read location from Win registry - shell integration req.)
F7 key - 8/16 bit String finder
F9 key - :-) UPX pack
F10 key - :-) UPX unpack
Alt+S - ZOOM Window x2!
Alt+Delete - delete file

"+", "-" - Numeric KEY = adjust transparent Form


Non executable file detection:
--------------------
Image file - jpg, png, gif (87/89), bmp
Sound file - mp3 (ID3/noID), wma, ogg
Video file - avi (divx/xvid), wmv, mpg, 3GP
Archive file - 7zip, zip, rar
others: chm (Microsoft HTML Help), msi, pdf, xml, fws, cws, php, html, hlp, mdb, lnk.

Overlay detector:
--------------------
01. zip archives
02. cab archives
03. SWF Flash object (packed & unpacked format)
04. Executable PE file
05. 7zip archives
06. RAR archives

Plugins like a Peid.exe (70% compatible:-()
-------------------------

Multiscanner use - command line:
--------------------
Exeinfope *.* /s
Exeinfope *.exe /s

Show All PE files and sent to log file (silent mode no GUI ! -> !ExEinfo-Multiscan.log)

-------------------------

ACM* - anti cheat mechanism
_______________________________________________________________________
www site: www.exeinfo.go.pl host: www.geocities.com/exeinfo_pe (download limits!)
Mirror: www.exeinfo.cjb.net
_______________________________________________________________________

ExeInfo detection list:
----------------------------------------------
001. RealArcade Wrapper (Microsoft Visual C++) 50%
002. Borland Delphi (2.0 - 7.0)
003. Microsoft Visual C++ ver. 5.0~6.0 (exe)
004. Microsoft Visual C++ ver. 7.x (exe, dll)
005. PEtite 2.x -> Ian Luck
006. UPX exe 0.89.6 - 1.02/1.05-1.93B -> Markus & Laszlo
007. UPX dll file - 1.93Beta -> Markus & Laszlo
008. Aspack v2.12 -> Alexey Solodovnikov
009. EXECryptor v.2.3.1-6 (www.strongbit.com)
010. Morphine ver.2.7b (plugin Peid.exe)
011. AC protect 2.0 by RIScO Software Inc. (www.ultraprotect.com)
012. ASprotect 2.1 reg (www.aspack.com/asprotect.htm) only exe files DLL files detect as ASpack:)
013. AHTeam EP Protector ver.0.3 priv
014. WinUpack 0.39 final by Dwing (http://dwing.51.net):-((
015. Software Compress ver. 1.2 Lite - www.bgsopt.com
016. PEcompact ver.2.78a - 2.92 - www.bitsum.com
017. nsPack ver.2.3 unreg - by North Star - www.nsdsn.com
018. nsPack ver.3.0 - 4.1 reg - by North Star - www.nsdsn.com
019. Mole Box 2.5.7 by Teggo. - www.molebox.com
020. Microsoft Visual C++ ver. 8 (???)
021. EXE Guarder 1.8-2.1 (2006/2008 unreg) www.exeicon.com/exeguarder
022. EXE Wrapper ver. 2.3-2.5 (www.533soft.com/exewrapper) - how to remove password
023. Exe password protector 1.0.5.100 (protect/unprotect)
024. TASM/MASM
025. MS Visual Basic 5.0-6.0 dll
026. MS Visual Basic 5.0-6.0 exe
027. Armadillo 4.4x-4.62 32bit - www.siliconrealms.com (effectiveness = 60%)
028. Enigma protector v1.1x - www.enigma.izmuroma.ru © Sukhov Vladimir 2004-2006
029. SVK-Protector v1.32 demo - Pavol Cerven - www.anticracking.sk
030. Generic check: ASprotect 1.? old version (www.aspack.com/asprotect.htm) exe only
031. Generic check - AC protect 1.? by RIScO Software Inc. (www.ultraprotect.com)
032. Packman v1.0 Brandon LaCombe (http://packman.cjb.net)
033. modified exe, EP code = Borland Delphi (2.0-7.0)
034. ExeStealth V2.76 www.webtoolmaster.com
035. FSG v2.0 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl
036. Generic check - Aspack v2.1x -> Alexey Solodovnikov
037. Aspack v2.12b? -> Alexey Solodovnikov
038. Program protector v2.1unreg (exe password - DECODE PASS!) - www.blumentals.net
039. Obsidium v1.3 software protection system (demo) - www.obsidium.de
040. ARMprotector v0.1 by SMOKE 2004
041. ARMprotector v0.3 by SMOKE 2004
042. SDProtector Profesional Edition v1.12 (2003)- www.sdprotector.com
043. Themida 1.0-1.3? - Adv.Win.Software Protection System (c) 2004-2005 Oreans Technologies - www.oreans.com
044. yodas Protector v1.03.3 - http://yodap.has.it 2004-2006
045. yoda's Crypter v1.3 - Ashkbiz Danehkar 2004-2005
046. PE-Pack v0.99 (c) 1998 by ANAKiN
047. WATCOM C/C++ 1988-1995
048. Microsoft CAB SFX module
049. Generic check: Microsoft Visual C++ vx.x
050. UPX -> Markus & Laszlo ver. [2.00] <- version info from file
051. PeSpin v1.304 public by CyberBob - http://pespin.w.interia.pl
052. UPX -> Markus & Laszlo ver. [] - EXE modified!!!
053. UPX -> with extra sections - Real EP resolver ([] - required Fast scan unchecked)
054. PolyEnE v0.01+ Polymorphic Encryptor (c) 2001 Lennart Hedlund ([] - required Fast scan unchecked)
055. Nullsoft PiMP Stub - (read from Ovl: NullsoftInst3")
056. eXpressor PE Packer v1.4.5.1 - www.cgsoftlabs.ro (exe, dll)
057. Thinstall 2.4x - 2.5x -> Jitit Software - www.thinstall.com
058. Thinstall 2.7x -> Jitit Software - www.thinstall.com
059. Nullsoft scriptable install system 2.xx - (read from Ovl: NullsoftInst)
060. Inno Setup Module [SFX] - Borland Delphi Inno Setup Module [unknown]
061. Private EXE Protector 1.7 (2003-2006) www.setisoft.com
062. Excalibur v1.03r (c) by forgot -> read from file [Excalibur (c) DFCG], http://www.breezer.ful.cn
063. MSLRH v.032a - SISTEMA DE PROTECCION ANTICRACKEO
064. ShareGuard Loader V3.6 Zapper Software - www.zapperSoftware.com
065. Borland C++ 1999
066. Zip Sfx Archive
067. Rar Sfx Archive
068. 7-Zip Sfx Archive
069. WinZip Sfx ver. 8.x www.winzip.com
070. Zylom Game Installer zip Sfx (MS Visual C++ 7.0)
071. Borland C++ 2002/2005 - Copyright 200X Borland Corporation
072. WinZip Sfx (generic check) www.winzip.com
073. Lock Express 2.0 Build 9.2 - 1997-2006 Sciensoft Research Inc
074. FreeBASIC Compiler v0.14-0.17 (c)2004-2006 Andre Victor T.Vicentini - console App.
075. generic check: InstallShield 2003 (MS Visual C++ 5/6.0)
076. InstallAware Setup Squeezer InstallShield - www.installaware.com (7zip archive)
077. Installer Nullsoft PiMP Stub (UPX pack)
078. Generic check: Nullsoft PiMP Stub installer
079. ASprotect 1.1c old version (www.aspack.com/asprotect.htm)
080. Microsoft Visual C#/Basic.NET
081. Setup Dev INSTALLER – Version 1.3 © Shere Khan – November 2005 (MS Visual C++ 5/6.0)
082. Dev-C++ Compiler v4.9.9.2 - Bloodshed Software (www.bloodshed.net)
083. Generic check: EXE STICKER like DotFix FakeSigner
084. DotFix FakeSigner v3.4 (ASPR Stub) http://fakesigner.dotfix.net
085. PeLock v.1.x Bartosz Wójcik www.pelock.prv.pl
086. MS IExpress 2.0 - Win32 Cabinet Self-Extractor
087. generic check: MS IExpress x.x - CAB installer (in section II)
088. InstallShield (R) Setup Launcher v.7.x CAB file (MS Visual C++ 5/6.0)
089. PEcompact ver.1.41-v1.84 - www.bitsum.com
090. ORiEN ver.2.11~2.12 - (1994-2003 http://zalexf.narod.ru)
091. VMProtect v.1.2x (demo) 2003-2006 PolyTech - www.polytech.ural.ru (only EP protection)
092. FASM v1.67 50% detection
093. Private exe Protector v1.9x - www.setisoft.com (morph)
094. Krypton The Krypter v0.3 by Yado - www.lockless.com
095. MEW 11 SE 1.2 by Northfox (2004) - Northfox.uw.hu
096. PEncrypt 4.0 Public Release/4.0 Phi -> junkcode - www.junkcode.cjb.net
097. SDProtector Pro Edition v.1.16 (1.1 SDP!) <- info from file. www.sdprotector.com
098. PE Diminisher v.0.1 (1999) - www.phrozencrew.com/~teraphy
099. !EP (EXE Pack) v1.0 g-l-u-k [TeaM-X] 2005 - www.softprot.cjb.net
100. [G!X]'s Protector v1.2 - http://breezer.ys168.com
101. Active PE Scrambler/APES/v. 1.0 (2005) [TeaM-X] - www.team-x.ru
102. (UPX) PowerArchiver 2006 [ZIP/CAB/unknown] SFX v.9.63.x - www.powerarchiver.com
103. GameHouse.com installer (MS Visual C++) inside Wise Installer
104. Dev-C++ Compiler v4.9.9.2 (MINGW 32 v5.x.x) - Bloodshed Software (www.bloodshed.net)
105. Hide&Protect v1.0x (2005) - www.SoftWar-protect.com
106. WWPack32 ver 1.xx (1997, 98) by P. Warezak and R.Wierzbicki
107. CHAOS Self Extractor 3.9 (1998-2006) (WWPack-ed) http://safeSofthome.com
!108. Xtreme-Protector v.1.08 (c)2003 www.oreans.com/xprotector/xprot.htm
109. LCC Win32 v1.x (Jacob Navia) http://www.cs.virginia.edu/~lcc-win32/
110. LCC Win32 v1.x DLL (Jacob Navia) www.cs.virginia.edu/~lcc-win32
111. Hmimys-Packer v1.0
112. ExeFog v.1.1x - 2005 - www.bagie.xost.ru
113. PolyCrypt PE v.2.1.x (2004-2005) - www.jlabsoftware.com (exe/dll)
114. SimplePack v1.0-1.2 (LZMA/APLIB - Packman compression library 1999-2005 Igor Pavlov)
115. SimplePack v1.11-1.2x (Method 2 NT)
116. Unopix Version 1.10 Final 2006 Scrambler for PE files (exe/dll)
!117. PPC PROTECT ver 1.1 (2006) Alexey Gorchakov www.ppc-protect.com
118. Inno Setup Uninstaller - Borland Delphi
119. Armadillo v2.5x-v2.6x - www.siliconrealms.com
120. DotFix NiceProtect v1.2 by GPcH Soft (2006) - www.niceprotect.com
121. CreateInstall v4.x Gentee (2004 - 2006) - www.createinstall.com
122. Gentee Programming Language © 2004-2006 www.gentee.com
123. RLPack v.1.11 BasicEdition (uses aPLib 0.42) http://ap0x.jezgra.net
124. ReversingLabsProtector 0.7.4beta http://ap0x.headcoders.net
125. Install Creator Pro ver.2.0 (2003) - www.clickteam.com
126. PowerBasic/CC 3.0x/CC 4.0/Win 7.0x/Win 8.0x - www.powerbasic.com
127. WinUHA ver.2.0 Sfx Archive - www.winuha.com (UPX)
128. ZipGenius 6.0.x Sfx Archive - www.zipgenius.it (Borland Delphi)
129. PEbundle ver.3.20 (2003) Jeremy Collake - www.bitsum.com + Alloy Executable Compressor v.4.x- Copyright © 2000-2006 PGWARE - www.pgware.com
130. Lazy Assembler Version 0.53 (26 Sep 2006) Freeware (c) 2000-2006 Stepan Polovnikov
131. nPack v1.1.300 (aPlib) by NEOx (2006) www.uinc.ru
132. Installer - Setup Factory 6.0-7.0 Indigo Rose Corporation (2006) MS V C++ 6.0
133. dePack by deNULL - www.ooooQ.cn
134. Goat's PE Mutilator v.1.6 (2005) - www.geocities.com/killereaglesoftware
135. RLPack v.1.14-1.18 BasicEdition (uses aPLib 0.43/LZMA 4.30) http://ap0x.jezgra.net
136. VBOWatch protector v2.0 Copyright [c] 2006 MoonLight - www.ooooQ.cn
137. Generic check: build like - Private exe Protector v2.0 - www.setisoft.com
138. Easy Code v.1.0x (GUI for assembler) Ramon Sala - www.easycoder.org
139. Mole Box 2.6.1 by Teggo. - www.molebox.com
140. SLVcOdeProtector v.1.12 by SLV - www.ooooQ.cn
141. Exewrap MFC Application v.1.0 (2003)
142. Microsoft Visual C++ 8 compiler (2006)
143. RosAsm V2.039c - http://betov.free.fr (effectiveness 80%)
144. Software Compress ver. 1.4 Lite - www.bgsopt.com
145. Intel (R) C++ Compiler
146. FreePascal ver: FPC 1 - 2 Win32 -> (Berczi Gabor, Pierre Muller & Peter Vreman)
147. Open WATCOM C/C++32 Portions Copyright (c) Sybase 1988-2002
148. File2Pack SFX v.2.0 2006 (F2P Self Extractor) SHOW PASSWORD! - www.mental9production.com (MS VB5/6)
149. PV Logiciels dotNet Protector 4.0 2003-2005 http://dotnetprotector.pvlog.com
150. ReflexiveArcade Game wrapped file (*.RWG)
151. DAStub Dragon Armor (BamBam0.0.4.1) from Orient 2006 www.ooooQ.cn
152. Akala EXE Lock ver.3.20 www.zero2000.com (Aspack v2.12 -> Alexey Solodovnikov) - PASSWORD DECODER(N) OR HOW TO REMOVE PASSWORD
153. BeRoEXEPacker - Version 1.00 - Copyright (C)2006, Benjamin BeRo Rosseaux (Exe/DLL)
154. EXE Password Protector v.1.1 (MSV C++ v7) - www.eltima.com/products/exe-password - INFO HOW TO REMOVE PASSWORD
155. AGInstaller 1.9.12 (UPX pack) Copyright (c) 2001-2006 Agentix Software - www.aginstaller.com
156. CreateInstall v2003.3.5 www.createinstall.com/www.gentee.com (EP check & OVL)
157. Protection PLUS - Instant plus (software key) 2.0.98.0 (2005) - www.softwarekey.com Concept Software
158. Wise Installation System! std/pro 9.02 (c) Wise Solutions Inc. - www.wise.com
159. Wise Installation System! ver. ?.? (c) Wise Solutions Inc. - www.wise.com
160. Wise Uninstaller Wizard (sec3) - www.wise.com - MS Visual C++ ver.6
161. m9P Editor Plus v.1.0.300 Distributable Executable Rich Text - DERT™ X ©mental9Production, 2005 - www.mental9Production.com - INFO HOW TO REMOVE PASSWORD
162. Nullsoft uninstaller - www.nullsoft.com - (UPX packed)
163. Nullsoft uninstaller - www.nullsoft.com
164. Softwrap (XTREAMLOK) ver. 1.x~3.x - www.softwrap.com (exe/dll)
165. RLPack v.1.14-16 Full Edition - False signatures unichecker
166. RLPack v.1.14-16 Full Edition (uses aPLib 0.43/LZMA 4.3x) http://ap0x.jezgra.net
167. Salfeld Computer EXE Password 2004 v 7.114.0.0 trial - www.salfeld.com (Borland Delphi)
168. Wise for Windows Installer pro 4.21 (CAB) - www.wise.com
169. Tarma Installer ver. 2.99.2156 (2005) Tarma Software Research Pty Ltd. - www.tarma.com (MS Visual C++)
170. NTkrnl Secure Suite v.01 packer or protector - www.ntkrnl.com (exe)
171. NTkrnl Secure Suite v.01 packer or protector - www.ntkrnl.com (dll)
172. [dUP2 -> diablo2oo2] v.2.1x patchengine (patch) - Mircosoft MacroAssembler - http://diablo2oo2.cjb.net
173. [dUP2 -> diablo2oo2] v.2.1x patchengine (loader installer) - Mircosoft MacroAssembler - http://diablo2oo2.cjb.net
174. PE password encryptor 31-01-2000 by SMT (asm) - [OEP finder included]
175. WinUDA 0.271 sfx (2004) by Dwing http://dwing.51.net
176. kkrunchy 0.1x >> radical exe packer - www.farbrausch.de/~fg/kkrunchy
177. kkrunchy 0.23 alpha 2 >> radical exe packer (c) f. giesen 2003-2005 - www.farbrausch.de/~fg/kkrunchy
178. CyberInstaller Suite 2006 1.1 - SilverCyberTech 2003-2007
179. Eurora3D - free installator - www.extramedia.co.yu/eurora3d (ASM)
180. Microsoft Visual C++ ver. 7.1 [DEBUG] exe
181. Fucking Fake File 1.0 by wspomagacz 2005.11 (EXE Binder exe,jpg hidden inside])
182. Anskya Polymorphic Packer V 1.3 Code By Anskya
183. Self-Extracting Archive Utility (SEAU) ver. 15.0 2006 (Aspack v2.12 -> Alexey Solodovnikov) - http://gammadyne.com
184. PE-Pack v 1.0 (c) 1998 by ANAKiN
185. PKLITE32(tm) - Version 1.1 02-15-1999 (exe)
186. PKLITE32(tm) - Version 1.1 02-15-1999 (DLL)
187. EncryptPE V2.2006.10.25 China Cracking Group - www.encryptpe.com
188. CC386 Version 3.28.1.6 Copyright (C) (GPL) LADSoft 1994-2006
189. PC Guard for Win32 V5.01 - www.sofpro.com
190. JDPack ver 1.01 (2005) - www.tlzj18.com ???
191. Netopsystems AG INSTALLER FEAD(R) SFX (MS C++) - www.netopsystems.com (packed UPX & not packed)
192. Borland C++ 1995~1998 - www.borland.com
193. eXpressor PE Packer v1.5.0.1 - www.cgsoftlabs.ro
194. Excelsior Installer v1.0 2003-2007 (MS Visual C++ 6.0) - www.excelsior-usa.com
195. tElock v0.98 Freeware PE-Compressor/Encryptor (c)2000-2001 by tE!
196. UPX Lock v1.02 (2007.02) - www.team-x.ru
197. softSENTRY 3.00 1999 - 20/20 Software Inc. www.twenty.com (site closed)
198. DxPack ver 0.86 (2001.06)
199. Neolite 2.0 -> Neoworx Inc. (1999.03.20) - www.neoworx.com (site closed)
200. ZipWorx SecureEXE v3.0 (2004-2007) www.zipworx.com (Neolite packed)
201. [PE-DIY Tools V1.10 2004] by A.Young (PoJieYong) - www.w-yong.com (how to unprotect, oep info)
!202. aUS v0.5 beta (upx scrambler 2005.08) - http://ap0x.headcoders.net (bad link?)
203. EXE protector 2.01a Eyhab Hillail (1998-2003)- http://oxygen72.tripod.com (how unprotect pass)
204. 32Lite 0.03a -> Oleg Prokhorov www.????
205. aPackage SFX v.1.14 2001-2002 Joergen Ibsen [32Lite v0.03a packed]
206. NTPacker V2.1 by ErazerZ (2005.12) ErazerZ@gmail.com (zPlib/XOR/aPlib+xor)
207. WinHKI v1.77 SFX 2000-2007 by Hanspeter Imp (hki archive only) www.winhki.com (packed PEcompact ver.2.7x)
208. nBinder 5.1.0 (24.03.2007 MSV C++ 8.0) NKProds Software - www.nkprods.com
.209. (Basic check): Securom 7.1 -> Sony DADC - www.securom.com
210. Cexe Executable Compressor v1.0b Copyright 1999, Tinyware, Inc. - www.tinyware.com by Scott Ludwig
211. ASprotect 2.3 SKE (www.aspack.com/asprotect.htm) 25%
212. Easypano Virtual Tour player (MSV C++) - www.easypano.com
213. PeX v0.99 bart/CrackPl (2000) (APLib 0.26 by J.Ibsen) - longdiy.myrice.com
214. YZPack v.2.0b.aplib (c) UsAr (2007.03)
215. YZPack v.1.1 LZMA (c) UsAr (2006.08)
216. YZPack v.1.2 aplib/LZMA (c) UsAr (2007.03)
217. ExeStealth V2.72 (Share.ver) - www.webtoolmaster.com
218. Generic check: ExeStealth V?.? (share.ver) - www.webtoolmaster.com
219. ExeStealth V2.x (Regg.ver) - www.webtoolmaster.com
220. nsPack ver.1.x - x.x by North Star - www.nsdsn.com
221. Microsoft Visual C++ 6 DLL
222. exe32pack 1.42 Copyright 1999-2004 www.SteelBytes.com
223. Protect Exe 0.4 Beta (PROEX) 2002 - www.dpaehl.de.cx (UPX packed)
224. SexyPacker v.1.0.1.0 (c) 2001 - www.smalleranimals.com (SFX) MSV C++ 5.0
225. ID Executable Password 1.2 (c) 2005 Fastlink2 Build: 08/08/2005 - www.idsecuritysuite.com - !SHOW PASSWORD!
226. ID Application Protector v.1.2 Unreg (c) 2005 Fastlink2 - www.idsecuritysuite.com (OEP info, how to clear TRIAL)
227. Pelles C for Windows v2.xx - 4.50 ExE (1999-2006) - www.smorgasbordet.com/pellesc
228. Wise for Windows Installer pro ?.?? (CAB in section 4) MS C++ - www.wise.com
229. WinUtilities 5.2 EXE Protector 1.0 (2002-2007) YL Computing Inc. - www.ylcomputing.com - (Info how Pass remove/unprotect)
230. [section protection] VMProtect v.1.25 - 1.x (demo) 2003-2006 PolyTech - www.polytech.ural.ru
231. REALbasic 2007 R2 Standard Edition (1997-2007 REAL Software) - www.realbasic.com (exe only)
232. UPX 3.0 -> Markus & Laszlo ver. [3.00] <- info from file. (sign for DEV C++ compiler)
233. Microsoft Visual C++ ver. 7.1 EXE/DLL (3 bytes sign - easy to false)
234. Beria v0.07 public WIP (2005) - symbiont (aPlib)
235. NoodleCrypt version 2 by NoodleSpa (2000.08)
236. VPacker v0.02.10 by tt.t (exe only 2006.04 aPlib)
237. Private exe Protector v.2.00-2.15 (18.04.2007) www.setisoft.com
238. Free Pascal Compiler v.2.1.4 i386 GUI APP (11.05.2007) Berczi Gabor - www.freepascal.org
239. Free Pascal Compiler v.2.1.4 i386 CON APP (11.05.2007) Berczi Gabor - www.freepascal.org
240. Free Pascal Compiler v.2.1.4 i386 DLL APP (11.05.2007) Berczi Gabor - www.freepascal.org
241. Installshield v.12 (MSV C++) www.installshield.com/www.macrovision.com
242. generic check2: InstallShield v.12-14 2008 (MS Visual C++) www.installshield.com/www.macrovision.com
243. FASM (1.3x-1.67) 2004-2007 http://flatassembler.net - Tomasz Grysztar
244. Thinstall VS 3.0.x -> Jitit Software - www.thinstall.com
245. Astrum InstallWizard v2.24.20 (1999-2006) - www.thraexsoftware.com (MS Visual C++)
246. WinZip SelfExtractor 3.0 (MSV C++ v7) 1996-2006 WinZip Int. LCC - www.winzip.com
247. Wise Instalation Express v7.0 2006 (SFX CAB) MSV C++ - wise.com/ALTIRIS
248. VisageSoft Installer? WISE for Win/.msi (MSCF CAB) Borland C++ - www.visagesoft.com
249. ST Protector v1.5 SE (2006) - Silent Software - www.???
250. (exe) Visual Protect v2.5.7 (2000.12 www.visagesoft.com
251. (dll) Visual Protect v2.5.7 (2000.12 www.visagesoft.com
252. eXpressor PE Packer v1.5.0.1 (MODE: Protection) - www.cgsoftlabs.ro
253. The Enigma Protector 1.31 unreg (2007.06.15) - Vladimir Sukhov - www.enigmaprotector.com (exe/dll)
254. generic check: (exe) Visual Protect (2000?) www.visagesoft.com
255. RCryptor 1.6d by Vaska (2007.01) only exe file protector - (OEP info )
256. Polymorph Crypter,Beta Morphnah (c) puccxak.com (2007.05) - (OEP info)
257. Pohernah v1.0.3 puccxak.com ( 2007.03 )
258. QIP[Crypt] (2007.06) Borland Delphi Crypter
259. SimbiOZ (RUS) !Rootkit exe hider! (OEP info - for C++/Delphi)
260. AsdPack2 (EP overflow exe - Delphi or C++ detector) [detection 75%]
261. QSetup Instalation Suite 8.5.0.4 - 26.05.2007 - www.pantaray.com
262. Perplex PE-protector v1.01devel 2002-2003 by [tc] GiveMe5/BliZZaRD
263. Mole Box 2.6.4 by Teggo. - www.molebox.com
264. !EP (exe pack) v1.4 (lite) final - Team-X (2007.04) www.team-x.ru, http://exetools.blog.com.cn
265. DalKrypt 1.0 by DalKiT - www.dalkit.fr.st (26.10.2003) Anti-SI, Anti-Debug, Anti-Dump
266. NackedPacker v1.0 by BigBoote (2004.01-2007.06?)- www.PEArmor.com
267. WATCOM C/C++32 Run-Time system (c) Sybase Inc, 1988-2000
268. MS Visual C++ v.5 DLL Method 1 (MS VBasic kit library) ACM*
269. Open Source Code Crypter 1.0 by p0ke (9.06.2007) - www.swerat.com - http://unnamed.bot.nu (Borland Delphi)
270. Private Personal Packer (PPP) Version 1.0.2 (13.03.2007) - www.ConquestOfTroy.com ACM*
271. Wise for Windows Installer v.?.?? (CAB in section 4) MS C++ 7.0
272. Inteli check: unknown Installer - MSCF Cab file
273. Armadillo x.x ~ 5.0 32bit [exe-low protection only]
274. Armadillo x.x ~ 5.0 32bit [Dll-std protection]
275. Inteli check: MASM assembler (no signature)
276. Inteli check: unknown ver. WATCOM C/C++32 (c) Sybase 1988-200?
277. inteli check: Dev - (MINGW 32 v ?.?.?) - Bloodshed Software (www.bloodshed.net)
278. Borland Delphi 2006? - www.borland.com
279. Borland C++ - (DLL) Copyright 1994/96, 1999 Borland Intl.
280. CRYPToCRACk's PE Protector 0.9.3 (2007.01) Lukas Fleischer - cryptocrack.de
281. Break-Into-Pattern, a.k.a BIP, v0.1 (2006.01) - http://n0name.exmuros.net http://undergroundkonnekt.net
282. DotFix NiceProtect 2.5 (with internal packer) GPcH Soft - www.niceprotect.com
283. DotFix NiceProtect 2.5 (Krypton sign) GPcH Soft - www.niceprotect.com
284. DotFix NiceProtect 2.5 (SVKP 1.3x sign) GPcH Soft - www.niceprotect.com
285. DotFix NiceProtect 2.5 (Visual C++ sign) GPcH Soft - www.niceprotect.com
286. Borland Delphi (Component) xxxx - www.borland.com
287. Microsoft Visual C++ ver. x.x DLL (5-8)
288. Microsoft Visual C++ ver. 8.0 DLL (83) ACM*
289. Microsoft Visual C++ ver. 7.xx DLL (83)
290. Private exe Protector v.2.25 (28.06.2007) www.setisoft.com
291. Microsoft Visual C++ ver. 9.0 exe (E8)
292. Microsoft Visual C++ ver. 9.0 DLL (8B)
293. PEiD Plugin -> Exe Converter v.1.00 (BobSoft)
294. MarjinZ EXE-Scrambler SE (MS Visual C++ 8.0)
295. Microsoft Visual C++ v7.10/8.0/9.0 DLL (8B)
296. Borland VCL Component for .NET (Borland Developer Studio 4 (c) 2006 v.10.0.2)
297. PDF2EXE v1.0 CoolPDF Software - www.pdf2exe.com (2006.10)- PASSWORD DECODER:-)
298. RealBasic v.?.? ExE - www.realbasic.com
299. RealBasic v.?.? DLL - www.realbasic.com
300. Generic check - Aspack vx.x -> Alexey Solodovnikov
301. generic ckeck: FreePascal ver: FPC 1.x.x
302. UPX -> (exe) Markus & Laszlo ver. 0.72 OBSOLETE VER. (12.05.1999) ACM*
303. UPX -> (dll) Markus & Laszlo ver. 0.72 OBSOLETE VER. (12.05.1999) ACM*
304. ScanTime UnDetectable by MarjinZ (STUD RC4 1.0) Marjinz-Crypter.exe
305. Free Pascal Compiler version 2.0.4 [2006/08/21] for i386 ACM*
306. Active Basic v4.24.00 © 2006.04.08 (exe) Discoversoft - www.activebasic.com (Japan) *ACM
307. Aspack v2.0 -> Alexey Solodovnikov - www.aspack.com
308. Play Basic v.1.0x - 1.63 (2D game creator) www.playbasic.com
309. (exe) UPX obsolete ver. 0.50 - 0.72 -> Markus & Laszlo
310. ANDpakk2 v0.06 (Jul 18 2006) Dmitry "AND" Andreev - http://and.intercon.ru
311. ANDpakk2 v0.18 (Jul 16 2007) 2006,2007 Dmitry "AND" Andreev - http://and.intercon.ru
312. PEiD-Bundle v1.03 by BoB (2007.03.30) - www.secretashell.com/BobSoft
313. Exe Stealth Packer or Protector v.3.16 - www.webtoolmaster.com (NTkrnl)
314. 20to4 v2004.04.18 Copyright 2001-2004 20to4.net
315. Borland C++ 1995 DLL *ACM
316. nBinder LIMITED v4.0 2006 - www.nkprod.ro (MSV C++ 8.0)
317. mkfpack llydd (aPlib) 28.05.2007
318. KByS 0.28 beta EXE (shoooo) China 2006.05.23 *ACM
319. KByS 0.28 beta DLL (shoooo) China 2006.05.23 *ACM
320. Microsoft Visual C++ ver. 8.0 DEBUG/Visual Studio 2005 (FF) *ACM
321. mPack - mario PACKer version 0.0.2 (c) DeltaAziz
322. WinUDA 0.291 clasic sfx 2005 by Dwing http://dwing.51.net
323. Cryptic v2.1 - EXE Crypter Copyright [c] 2007.09.26 Tughack (MS Visual Basic exe stub)
324. aSm Protector v1.0 Copyright [c] 2007.09.29 AT4RE
325. AverCryptor v.1.02beta by Sec|Null os1r1s (2007.08.23) - www.secnull.org
326. Muckis Protector 2 coded 2007 by Mucki *ACM
327. Rewolf DLL packager v1.0 V.2007 http://rewolf.prv.pl (OEP info)
328. x86 Virtualizer ReWolf (VIII.2007) - http://rewolf.pl
329. BeRo Tiny Pascal Compiler (EXE) http://bero.0ok.de
330. CDS SS V1.0 beta1 (c) CyberDoom [Team-X member] (2005.12.18) *ACM
331. [dUP2 -> diablo2oo2] v.2.16 patchengine (loader installer) - Microsoft MacroAssembler - http://diablo2oo2.cjb.net
332. Borland C++ 2002 & 2005 DLL - www.borland.com
333. WinUpack 0.37-0.39 by Dwing - http://dwing.51.net (BE&60 sign)
334. Flash2X EXE Packager ver.2.1.0 2007 - http://flash2x.net/exepackager (Borland Delphi) - RIP HINTs
335. D1S1G PEiD Plugin by D1N (10-24-2007) PEiD Signature and PE Overlay Tool (only OVL protection)
336. WinUtilities EXE Protect 2.1 - www.ylcomputing.com (MS C++ 6.0) (how to pass remove)
337. Hacker's Patcher version 0.07 Veacheslav Patkov (2007.09.21) - http://patkov-site.narod.ru/eng.html
338. Enigma Protector 1.35 (2007.10.12)- www.enigmaprotector.com ,Vladimir Sukhov
339. FSG v1.33 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl *ACM
340. FishPE Shield v.1.1x Crypt by HellFish (http://hellfish.ys168.com) - sign NOT TESTED trojan
341. Microsoft Visual C++ v4.2 DLL *ACM
342. 32lite DLL [32Lite v0.03a]
343. FishPE Shield v.2.0.x Crypt by HellFish (http://hellfish.ys168.com)
344. SmartE protection -> Microsoft (trial/CD check/...)
345. Microsoft Visual Basic v6.0 DLL
346. Dev-C++ Compiler v4 old - Bloodshed Software ( www.bloodshed.net )
347. Dev-C++ DLL (MINGW 32 v x.x.x)- Bloodshed Software (www.bloodshed.net) ASLsign
348. PhrozenCrew PE Shrinker (c)1999 by Virogen version 0.71 beta 06/27/99
349. DarkCrypt v1.2 priv by DMX (2007.12.25)
350. yoda's Crypter 1.2 http://yodap.has.it (2001.01.14) *ACM
351. yoda's Crypter 1.1 http://yodap.has.it (2000.12.29) *ACM
352. XPack: freeware packer (c)2007 JoKo, Version 0.98 02/18/2007 - www.soft-lab.de/joko/ExePack.htm
353. XComp: freeware packer (c)2007 JoKo, Version 0.98 02/18/2007 - www.soft-lab.de/joko/ExePack.htm
354. Microsoft Visual C++ ver. 8.0 DLL (83_II)
355. VMProtect v.1.6x (demo) 2003-2008 PolyTech - www.vmprotect.ru
356. SIS-Crypt (2005.10.29)
357. Microsoft Visual C++ ver. 3.x (3~4)
358. ExeSax v.0.9.1 EXE encryptor (CAVE Method only) 2006.09.18
359. Luck007 2.7 GUI (exe) by Luckliuliu@yahoo.com (2007.06.07) str (60%)
360. WinKrypt v1.0 Copyright © 1999 MrCrimson/[WkT!99] *ACM
361. HASP HL Protection V1.X -> Aladdin - www.aladdin.co.il
362. Setup Factory for Win Installer v.1.1.1017 (21.11.2007) www.IndigoRose.com
363. PECRC ver.0.88chn
364. Microsoft Visual C++ ver. x.x DLL (55-10b)
365. (U/R) Private exe Protector v.2.5 (12.01.2008) www.setisoft.com
366. PeSpin v1.32 (2008.03.09) by CyberBob - http://pespin.w.interia.pl
367. Thunderbolt 0.02 deXep (2005.04.15)
368. Hying's Armor v0.765 - China Cracking Group (2000-2001) (no options)
369. Hying's Armor v0.765 - China Cracking Group (2000-2001) (option: VC6++ sign)
370. Generic check: Hying's Armor v0.765 - China Cracking Group (2000-2001)
371. ZProtect v1.3.0.0 26.02.2008 (demo) 2006-2008 Lifeengines - www.zprotect.cn (exe/dll)
372. Armadillo v1.xx - v2.xx or 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks
373. Obsidium v1.3.5.4 (exe/dll) - 2008.02.04 Obsidium Software - www.obsidium.de
374. Obsidium v1.2.5.8 Obsidium Software - www.obsidium.de
375. nPack v1.1.800.2008, by NEOx (03.03.2008) - www.uinc.ru *ACM
376. eXpressor PE Packer v1.6.0.1 (08.03.2008) - www.cgsoftlabs.ro
377. Smart Install Maker v5.0x www.sminstall.com (delphi stub)
378. morph EXECryptor v.2.2-3 (IAT) (www.strongbit.com)
379. UPX-Scrambler Release Candidate 1.03 by ©OnT®oL (2001.04.08) exe
380. STL Packer 1.3 - By Stel128 *ACM
381. tElock 0.99 - 1.0 private -> tE!
382. Borland Delphi DLL (2.0 - 3.0) *ACM 1992 - www.borland.com
383. mPack - mario PACKer version 0.0.3 (c) DeltaAziz *ACM
384. Winlicense v.1.9.x.x (compress) -> Oreans Technologies - www.oreans.com
385. MPRESS v0.77 - MATCODE comPRESSor for executables (C) 2007,2008, MATCODE Software - www.matcode.com
386. MPRESS v0.75b - MATCODE comPRESSor for executables (C) 2007,2008, MATCODE Software - www.matcode.com
387. Microsoft Visual C++ v9.0 (e8) www.microsoft.com
388. ActiveMARK 5.x -> Trymedia Systems - www.trymedia.com *ACM
389. (E8) Microsoft Visual C++ 9.0 - Visual Studio 2008
390. Microsoft Visual C#/Basic.NET/MS Visual Basic 2005/2008
391. TTProtect 1.0 - 2007/2008 - www.ttprotect.com (.net/dll)
392. TTProtect 1.0 - 2007/2008 - www.ttprotect.com (exe)
393. MPRESS v1.05 - MATCODE comPRESSor for executables (C) 2007,2008, MATCODE Software - www.matcode.com
394. MPRESS v1.07 - MATCODE comPRESSor for executables (C) 2007,2008, MATCODE Software - www.matcode.com
395. EncryptPE V2.2008.6.18 China Cracking Group - www.encryptpe.com
396. Empathy 2.1 Exe password 2007.08 (using: PE-Inject Engine 1.0 by M.Strechovsky ) (pass decode max.12 char)
397. Microsoft Visual Basic v4.0-6.0 DLL (5A)
398. Microsoft Visual C#/Basic.NET/MS Visual Basic 2005 (4xFF25)
399. Borland C++ Copyright (No Copyr. sign)
400. !EPack 1.4 lite final - by 6aHguT/Team-X 2006.08
401. Securom 7.3x.xxxx -> Sony DADC - www.securom.com
402. Securom 7.xx.xxxx * -> Sony DADC - www.securom.com
403. *Safedisc V4.50.000 -> Macrovision Corporation
404. X-Crypter 2.0 by X-zero (Delphi stub) 2008.07 - WL-group.net
405. AT4RE Protector v1.0 By Mouradpr *ACM
406. Russian_Cryptor_v1.0 by master3 (2007.05)
407. Obsidium v1.3.6.3 - www.obsidium.de (used in emule 0.49b BigBang newer versions)
408. RLPack v.1.20.1 Full Edition stub (EXE - aPLib 0.43/LZMA 4.3x) http://ap0x.jezgra.net *ACM
409. RLPack v.1.20.1 Full Edition stub (DLL - aPLib 0.43/LZMA 4.3x) http://ap0x.jezgra.net
410. Generic check: RLPack 1.20 with fake signature
411. Flashback Protector v1.0 beta3 (no fake sign) build 2008.08.17 - http://www.team-x.ru/Fashback/Protector
412. Flashback Protector v1.0 beta3 (with FAKE sign) build 2008.08.17 - http://www.team-x.ru/Fashback/Protector
413. SecurePE 1.5 RC4 - www.deepzone.org?
414. Morphnah Beta2 (c) puccxak.com (2007.05)
415. EXECryptor v2.1x (No protEP) *** -> softcomplete.com
416. Aspack Scrambler v0.2 KuNgBiM/[CCG] - 08.01.2008
417. Cobol compiler (417) exe
_______________________________________________________________________

www.exeinfo.go.pl
_______________________________________________________________________
2008.09.10 (c) A.S.L.


Download: exeinfope0.0.1.9.C.zip 441.20 KB


...more eXe T00ls:
WELCOME TO THE flashback soft SITE
NEWS
21.08.08 - Flashback Protector 1.0 build 08.17 beta 3
21.08.08 - Site redesigned
31.07.08 - DETECTi0N remover 0.45, X3 0.1, DDeM RT 0.4
13.06.08 - DETECTi0N remover 0.3, GuiSD 1.4
21.04.08 - Site updated
04.04.08 - Site moved
http://www.team-x.ru/Flashback/

16 June 2008

Armageddon v1.3.3 by CondZero

Armageddon is an Armadillo unpacking tool designed specifically to deal with the many protection features available in versions 3.78 thru 5.42

This Tool can strip Armadillo Protection from protected Exe's / Dll's

Tested on
---------
Various applications protected by versions 3.78 through 5.42
under Win2k, Win2k3 Server, XP SP1 & SP2 and Vista 32-bit. If you experience any problems running the program, you may need to download and install the Microsoft Visual C++ 2005 Redistributable Package (x86), available here: http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en

Supported Features
------------------
Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
Shockwave Flash + applications that utilize overlays (minimize size option required)
Hardware locking (Standard / Enhanced Fingerprint support)

DLL support
-----------
Requires included dll loader.exe to load the target dll
Open / Save dialogs updated for exe / dll.

Full imports rebuilding
-----------------------
ARTeam Import Reconstructor 1.1.2 (ARImpRec.dll) by Nacho_dj
Coded in Delphi 7 Enterprise.
It performs the task of rebuilding the import table in a new section.
The main feature is that it ignores all invalid thunks found between valid ones, and then rearranges the imports found, rebuilding a single array of thunks for every module. Thus, it can rebuild a shuffled IAT.

* New - Reduce size of a dumped module
--------------------------------------
Now ARImpRec includes ARMinSiz code:
Tool designed for reducing drastically the size of Armadillo targets.
It deletes all sections added by the wrapper, adjusting the PE header.
It rebuilds the resources section.
It fixes relocation data in PE header. --> Only working for Armadillo,
in this release. When it exists, appends the overlay at the end of the optimized file.

* New
-----
It detects, when possible, the exact offset of the import table of virgin.exe. The import table can then be rebuilt in the same place where it was created in the first compilation by the developer.
This involves getting uniquely the functions used by the code section. So, it filters the imports found, choosing only the needed by the code section.
In this way the tool is providing a complete unwrapped target, free of protector code.
The import table gets rebuilt inside the existing sections.
These should have been fixed previously by the ARMinSiz.dll module.
It fixes relocation data in PE header, whatever the function called is.

* New dump .pdata section
-------------------------
Have you ever been curious about the internal data contained in this section?
This new option will decrypt / decompress this section and dump it. You will notice the security.dll (a.k.a ArmAccess.dll) plus a whole lot more.
Check it out!

Known issues
------------
When using the SearchAndRebuildImportsNoNewSection@24 it takes considerably more time than using the SearchAndRebuildImports@24 function, because of the process of filtering all needed apis among all the ones found.

It is better not to use it on DLLs. Some issues should be fixed before that.
In DLLs, the wrapper inserts some code in the .text section, and all targets contain references to some code in deleted Armadillo sections, so they won't get loaded properly.

To be done
----------
Rebuilding import table by ordinal.
Fixing DLLs issue to get reduced in size too.

* New
* Code Splicing:
----------------
Now the default option, although can be overridden by selecting Redirect CS
code splices (original default behaviour).
Integrated ArmInline revirgin's code protected by 'Strategic Code Splicing' by recursively identifying and removing the redundant opcodes, rather than dumping and patching in a VirtualAlloc. It is very clean and adds nothing to the size of your dump.

------ Code Splicing Specific:
Armageddon automatically detects the VM address and size and sends
this information to the Remove Code Splicing engine.
The log will display a running total of fixed splices. Once Armageddon has identified a splice, it will remove the redundant instructions, reassemble it, and patch directly into where it should be (over the redirecting JMP). Once Armageddon says it's done the resulting 'Target Code' memory is (in theory) identical to what it would be if the app was built without code-splicing. Hence the 'splices' segment is now redundant and need not be retained. The module is now ready to dump.

If Armageddon reports any warnings or errors, it may indicate that
there is a problem and you should either rerun the target or elect to use
the redirect code splices option (which used to be the default).

Occasionally the Code Splicing engine will fail when supplied with some code that contained a redundant opcode before Armadillo even got to it (and hence it doesn't know how much dead code to remove). Often (but not always) you will be alerted of any such failures, so make sure you check the log window before assuming everything went okay. Very occasionally Armageddon will think everything has gone okay when one or more code splices is incorrect. In either case, the number of remaining problem splices should be small and manual repair shouldn't take much effort.
The location of any such residues can usually be found by running the process after Armageddon has worked on it again (after you're finished dumping it) via the redirect code splices option and saving the dump to another name. Open this dump in your debugger to analyze the problem addresses and check for any exceptions that don't otherwise occur.

* New
Detach from (child) process
---------------------------
You can elect to detach from the running child process by selecting the radio button for the type of detach (DebugBlocker vs CopyMemII).
You must have WinXP or greater OS to use this option!!
Click "Cancel" to bypass creating a dump.
Note: If using Ollydbg to attach, make sure you invoke a fresh instance of Ollydbg AFTER Armageddon issues the detach message.
DO NOT CLOSE ARMAGEDDON when detaching!!!
Make sure no other instances of the target process are running prior to invoking Armageddon.
You may have to manually kill any "Active" target processes after using this option!!
SPECIAL NOTE:
You can elect to resolve nanomites prior to detaching. Very Useful!!
A messagebox will appear asking to resolve nanomites to continue.
Press OK to resolve or Cancel to bypass this feature.
This will resolve nanomites directly to the target process's memory.
Make sure you check the "Log" nanomites option prior to detaching if you wish
to resolve nanomites.

Known issues when detaching
---------------------------
Some applications are resistant to detaching. Because of this, Armageddon
sets the PAGE_GUARD protection attribute on the .text (Code) section.
When attaching to a process consider the following:
1. After attaching with a new instance of Ollydbg and reaching the system breakpoint (NTDLL.DLL), go into Olly's Threads window and "Resume" activate the main thread which is suspended.
You may have to do one of two things if the target application does not
respond normally after RUN:
1. Set a memory breakpoint on access to the .text section prior to running
the attached target, or
2. Set the .text section to "Full Access" in Olly's Memory Map window

* New
Override Hardware Fingerprint
-----------------------------
Use this feature to specifically change your machine's:
1. Standard HW Fingerprint
2. Enhanced HW Fingerprint

Enter a valid value in the appropriate text box, or use both if necessary,
in the format: XXXX-XXXX.
This value will be patched (changed) to the target process memory.

Nanomites processing
--------------------
Admiral's nanolib.dll, Rwb32.bin (handler), NanoView.exe (viewer)
* Nanomites:
Locates all of the Nanomites in a dump and uses the packed exe to analyse them, generating a Nanomite table containing all the necessary information to produce a working dump. Appends a small piece of vector exception handling code at the end of your dump which will deal with the Nanomites on the fly.

* New - Resolve Nanomites
-------------------------
This feature will automatically assemble instructions from the saved *.nan file which match the logged nanomites and patch the saved dump file (optionally patch the target process when option detached is selected)
for all recorded (logged) nanomites + certain nanomites that follow
any "TEST" instructions. Your success rate of resolving nanomites is dependent on the level of nanomites encountered while "Testing" (logging) the application. Any additional unresolved nanomites will need to be patched manually using your debugger plus the saved (*.nan) nanomite file for reference. Keep in mind that a dumped file may behave slightly differently from the packed / protected target. Nanomites that executed for the target may not execute for the dumped file and vice versa!!

To use, do the following:
Dump application + analyze nanomites as normal (1st pass). If necessary,
you may need to rerun the target to specifically analyze nanomites. In
this case, skip creating the dump (press cancel).
Note: If redirecting code splices, then this option s/b checked
when analyzing nanomites!!
Save the analyzed nanomites to a *.nan file.
Rerun Armageddon for the target application skipping the create dump request.
check log nanomites option (2nd pass). Target application will launch.
Use all features / functions of the target application that may contain sections of code with embedded nanomites. Do this as much as possible
before exiting the application. The nanomites processed are saved to
an internal sorted / unique address array. The log window displays the
number of logged nanomites encountered.
Make sure that "Log" nanomites option is checked.
Now load your saved *.nan file and press the "Resolve" button.
Armageddon will automatically apply the necessary assembled jmp instructions to their respective addresses based on the logged entries.
Make sure you select the fixed (IAT) dump.
You can choose to use the Resolve feature as many times as you want
to the same fixed dump file. The instructions (if already exist) are simply
overwritten.
You can also choose to repair the dump after resolving.

NanoView.exe
------------
Admiral's tool to view a *.nan file. Shows entire nano table
in listview that is appended to repaired dump file.

Unsupported Features
--------------------
Hardware locking (Standard / Enhanced Fingerprint support)
Security/Temporary keys
Expired Application (need to use Trial-Reset or TrashReg to
delete expired key)
Secured Sections
Custom Implementations

Nanomites
---------
This functionality was borrowed from Admiral's excellent Arminline
tool (latest Final build) and integrated into this tool. Some of the words
that follow are included from his Readme.txt file:
A separate external dll (Nanolib.dll) does the work of analyzing the target
process to determine valid vs invalid nanomites and generates an
internal table of valid nanomites which can be saved for later
use and/or loaded from a previous save.
The repair dump function appends a small piece of vector exception handling code into your dump which will deal with the Nanomites on the fly as well as
appending the internal nanomite table to produce a working dump.
If you suspect nanomites or want to troubleshoot existing nanomites, check the
log nanomites checkbox. This will log all actual nanomites as they are processed in a running target.
If you know or aren't sure of nanomites, check the analyze nanomites checkbox
which locates all of the Nanomites in a dump and uses the packed exe to analyse them on the fly (most accurate).

Nanomite File Format (*.nan)
----------------------------
Each Nanomite is described by the following structure:

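struct Nanomite {
    long Address;      /* virtual address of the Nanomite (a 0xCC in the dump) */
    long Destination;  /* virtual address the Jcc jumps to, if taken */
    long Size;         /* instruction size in bytes (see the caveat below) */
    long JumpType;     /* enumeration value, listed below */
};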

The first dword in the file is the number of Nanomites described in the rest of the file. It is immediately followed by an array (with that number of elements) of the above structure. Once you've extracted this array you should be at EOF. Here are the details on the structure:

Address: The virtual address of the Nanomite. Each one of these should point to a 0xCC in your dump.

Destination: The virtual address to which the Jcc jumps (if the jump is taken).

Size: The size of the instruction in bytes (including the Jcc opcode and the relative/absolute address). I'm not entirely sure how this made it into the structure, if it's useful or even valid. On examining a few .nan files, this field seems to contain some strange-looking values. You shouldn't need to use this field, but if you choose to, be careful.

JumpType: An enumeration that describes what type of Jcc you're looking at. The values are:

JUnknown = 0
NotNanomite = 1
JMP = 2
JNZ = 3
JZ = 4
JB = 5
JBE = 6
JA = 7
JNB = 8
JG = 9
JGE = 10
JL = 11
JLE = 12
JP = 13
JPE = 14
JNP = 15
JPO = 16
JS = 17
JNS = 18
JCXZ = 19
JNCXZ = 20
JC = 21
JNC = 22
JO = 23
JNO = 24

A word of warning: Don't be tempted to iterate through the array, assemble the jumps and patch them into the dump. Although this will fix all the Nanomites, it will also destroy some other instructions (namely 0xCCs that weren't put there by Armadillo). This is because the array contains information for every occurrence of the 0xCC byte, not only ones which are Nanomites. Unfortunately it is impossible to determine (from a dead-listing) which Nanomites are genuine, so you're gonna have to either use a loader or dabble in VEH (unless you can think of a better way).
I'm aware that this file format could have been made a lot cleaner and smaller, but I had my reasons for sticking to unsigned longs.
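
An added example (not part of the Armageddon or ArmInline packages): a read-only parser for the .nan layout described above. It enforces the count / EOF rule and reports which Address values do not hold 0xCC in a dump, without patching anything. Little-endian 32-bit fields, the flat-image mapping (offset = VA - image base) and every sample value are assumptions constructed for illustration.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum
from typing import List

# JumpType values exactly as listed in the readme (JUnknown = 0 ... JNO = 24).
JumpType = IntEnum(
    "JumpType",
    "JUnknown NotNanomite JMP JNZ JZ JB JBE JA JNB JG JGE JL JLE "
    "JP JPE JNP JPO JS JNS JCXZ JNCXZ JC JNC JO JNO",
    start=0,
)

# Assumption: fields are little-endian unsigned 32-bit values (x86 dwords).
COUNT = struct.Struct("<I")
ENTRY = struct.Struct("<4I")  # Address, Destination, Size, JumpType


@dataclass(frozen=True)
class Nanomite:
    address: int
    destination: int
    size: int        # the readme calls this field unreliable; parsed, never used
    jump_type: int   # raw value; may fall outside the documented enumeration

    @property
    def jump_name(self) -> str:
        try:
            return JumpType(self.jump_type).name
        except ValueError:
            return f"undocumented({self.jump_type})"


def parse_nan(data: bytes) -> List[Nanomite]:
    """Count dword, then exactly `count` 16-byte entries, then EOF."""
    if len(data) < COUNT.size:
        raise ValueError("file too short to hold the count dword")
    (count,) = COUNT.unpack_from(data, 0)
    expected = COUNT.size + count * ENTRY.size
    if len(data) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(data)}")
    return [Nanomite(*fields) for fields in ENTRY.iter_unpack(data[COUNT.size:])]


def jump_histogram(entries: List[Nanomite]) -> Counter:
    """How many table entries carry each jump type."""
    return Counter(e.jump_name for e in entries)


def typed_entries(entries: List[Nanomite]) -> List[Nanomite]:
    """Entries with a documented Jcc/JMP type (2..24). The readme warns that
    the table alone cannot prove such an entry is a genuine Nanomite."""
    return [e for e in entries if JumpType.JMP <= e.jump_type <= JumpType.JNO]


def not_int3(entries: List[Nanomite], image: bytes, image_base: int) -> List[Nanomite]:
    """Entries whose Address is outside the image or does not hold 0xCC.
    Assumption: `image` is a flat memory image, offset = VA - image_base."""
    bad = []
    for e in entries:
        off = e.address - image_base
        if not (0 <= off < len(image)) or image[off] != 0xCC:
            bad.append(e)
    return bad


# Constructed sample data (not taken from any real target).
SAMPLE_BASE = 0x400000
SAMPLE_ROWS = [
    (0x401000, 0x401020, 6, 3),   # JNZ
    (0x401005, 0x401040, 2, 4),   # JZ, but the image holds 0x90 here
    (0x401008, 0, 0, 1),          # NotNanomite
    (0x40100C, 0x401000, 5, 99),  # value outside the documented enumeration
]
SAMPLE_NAN = COUNT.pack(len(SAMPLE_ROWS)) + b"".join(ENTRY.pack(*r) for r in SAMPLE_ROWS)
_img = bytearray(b"\x90" * 0x1010)
for _off in (0x1000, 0x1008, 0x100C):
    _img[_off] = 0xCC
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    table = parse_nan(SAMPLE_NAN)
    print(dict(jump_histogram(table)))
    for e in not_int3(table, SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"no 0xCC at {e.address:#x} ({e.jump_name})")
```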

* New DLL only - "DLL Use CreateThread API"
-------------------------------------------
For most dll's, the internal default logic should work (i.e. a memory
breakpoint on access to the .text section directly. No Software BP
is set on the CreateThread API.) Some dll's will not respond to this
treatment (i.e. They may hang on "Tracing to OEP" and simply do
nothing). In these cases, check the option for "DLL Use CreateThread"
and the problem should be resolved.

Other considerations
--------------------
Make sure all supplied components reside in the same folder!
You cannot use the minimize size option with the redirect code splices
option (mutually exclusive). Nor should you use the repair dump (nanomite VEH stub option) when using the minimize option.

The tool works fairly fast and efficiently,
but should the target application hang, you can terminate it gracefully,
since the GUI launches a separate thread to run the target process.

Some Notes
----------
As with any tool that removes protection, the resultant dump may
still not work properly. You may need to include the ArmAccess.dll in
the target application's folder. You also may need to consider custom protections and implementations.

Known Issues
------------
You are encouraged to use tools like ArmaDetach or ArmadilloFindProtected to determine version / features/ protection options.
While much effort has been made to determine Armadillo PE section names, it may be necessary to rename some of them before using this tool.
Should the Import Reconstructor fail, i.e. return code > 0, a workaround is (Rerun the program, when the program asks you to dump / save, press "Cancel")
to perform the dump and IAT yourself using a 3rd party dump tool (LordPE or similar) and ImpREC (or Magic_h2001's Universal Import fixer - UIF) to rebuild the imports.
Should the application appear to hang (do nothing) it could be that the process is taking some time to unpack, a resource conflict, a compatibility issue with your OS or, the version of Armadillo is not supported! In some cases, if you try again, it may work due to available resources (memory).
In some cases, it may be necessary to rerun the target application again
for strategic code splicing.
Note: Make sure there are no other instances of the target program running in Windows Task manager before proceeding.

Version History
---------------
June 2008 - v1.3.3
+ hotfix to resolve strategic code splicing issue
for last inactive MOV EDI,EDI instructions and
issue a warning message
===========================================
May 2008 - v1.3.2
+ hotfix to resolve nanomites
+ relocate base address of Nanolib.dll
===========================================
May 2008 - v1.3.1
+ hotfix to resolve CreateProcess API problem
in Nanolib.dll for target work directory
===========================================
May 2008 - v1.3
+ resolve relocations for dll files (Nacho_dj)
+ added new option to minimize the size of a dumped file (Nacho_dj)
Particularly useful for Shockwave Flash + applications that make use of an overlay. Of course this will also rebuild a normal target's PE structure.
+ improved import rebuilder v1.1.2 (Nacho_dj)
+ added new option to "Resolve" nanomite INT3 instructions with their original
jmp instructions and patch directly to the dumped target. Requires use of the nanomite "Analyze" + "Log" options. Note: you can also elect to resolve nanomites directly to a target process's memory if you elect to detach!!
+ integrated Admiral's Strategic Code Splicing removal engine into the tool.
This is now the (default) behaviour and can be overridden with new option to
redirect CS (code splices) instead
+ new option to dump / decrypt / decompress the .pdata section to a binary file
+ new option to detach from a process (choose: DebugBlocker or CopyMemII)
+ resolve problem for ArmAccess dll function:Installkey missing error msg
+ add support for UPX compressed single process targets
+ new option to change your Standard / Enhanced Hardware Fingerprint ID
+ resolve some minor bugs
===========================================
March 2008 - v1.2g [gabor edition]
+ add warning message for OEP call return VA not from Armadillo VM
Note: Informational, not usually relevant for dll's or exe's with copymem2,
but may be useful for troubleshooting invalid OEP's resulting
from custom implementations and/or packing / compressing of a file
prior to being protected by Armadillo
+ fix problem with copymem2 search string error
+ fix problem with createdump on error
===========================================
March 2008 - v1.2
+ improved PE section name resolution for internal use (thanks Ghandi)
+ improved ARTeam Import Reconstructor v1.2
===========================================
February 2008 - v1.1
+ added dll support (dll loader.exe)
+ added option "Use OpenMutext trick" to force a single process. Use only if normal "debug blocker" processing fails. This would occur when a parent process launches the child process, but doesn't debug the child process (i.e. use the WaitForDebugEvent API)
+ improve IAT elimination functionality
+ includes updated ARTeam Import Reconstructor
===========================================
February 2008 - v1.0 (initial release)
Born - 11/13/2007

Download: Armageddon_v133_by_CondZero.rar 340.91 KB

11 June 2008

ASPack unpacker v1.13 ALL Versions by PE_KILL

Software:

∥ software name: All versions ASPack unpacker
∥ version information: 1.13
∥ file size: 218 KB (223,682 bytes)
∥ Software Category: Shelling tools
∥ nature of the software: free software
∥ storage space: HTTP
∥ in the culture: YoYo

■ Software:

A complete ASPack unpacking tool; it has been tested on ASPack versions: 1.00 b, 1.01b, 1,02 b, 1.03b, 1.05b, 1.06b, 1.061b, 1.07b, 1.08, 1.08.01, 1.08.02, 1.08.03, 1.08.04, 2.000, 2.001, 2.1, 2.11, 2.11c, 2.11d, 2.12.

■ Downloads Version Chinese:

MD5:
74014CA2BDCE551DA11443DC1303B28D

decompression Code:
CENTURYS 網際論壇 中文化開發團隊

Homepage: forum.slime.com.tw/thread228878.html - http://centurys.net/

Older Version:

An automatic ASPack unpacker; it has passed testing on versions: 1.00 b, 1.01b, 1,02 b, 1.03b, 1.05b, 1.06b, 1.061b, 1.07b, 1.08, 1.08.01, 1.08.02, 1.08.03, 1.08.04, 2.000, 2.001, 2.1, 2.11, 2.11 c, 2.11d, 2.12.

Special thanks to brother peaceworld for technical guidance and amendments, and to 288 owner, DD, King, OSK and OPEN for their great help with testing.

Download: http://www.4shared.com/file/1232117/ab43e916/unpack_all_aspack.html
or: http://www.fileden.com/files/4091/Unpack%20All%20ASPack.rar

Archive Password: CENTURYS 網際論壇 中文化開發團隊

Trojan.Win32.Agent.sk is a false positive, as with many unpacking and hack tools


Original Version English by PE_Kill:

(Special for china crackers: this is a joke!)
All versions ASPack unpacker v1.13 by PE_Kill
From Forum: http://www.cracklab.ru/

All versions ASPack unpacker by PE_Kill
------------------------------------
It is checked up on versions: 1.00b, 1.01b, 1,02b, 1.03b, 1.05b, 1.06b, 1.061b, 1.07b, 1.08, 1.08.01, 1.08.02, 1.08.03, 1.08.04, 2.000, 2.001, 2.1, 2.11, 2.11c, 2.11d, 2.12

Unpacks exe and dll files
Cuts off the packer section
Preserves the overlay
Rebuilds resources, relocations, TLS and imports.
Optimizes the header
Realigns sections

Tested on versions: 1.00b, 1.01b, 1,02b, 1.03b, 1.05b, 1.06b, 1.061b, 1.07b, 1.08, 1.08.01, 1.08.02, 1.08.03, 1.08.04, 2.000, 2.001, 2.1, 2.11, 2.11c, 2.11d, 2.12

PS: Definitely does not work on Win98.

New version 1.13
Fixed suspend unpacker on "Trace to OEP..."

Unpacks better than manual unpacking!

Download: all.versions.aspack.unpacker.1.13-pe_kill.rar

stripper by syd


ASProtect unpacker

stripper v2.07 (final with HT) - last stable release, use it to unpack aspack 2.xx and aspr 1.2x..

stripper v2.11 (rc2) - unpacker for aspr 1.3 - 2.0, use it on your own risk..

stripper v2.13 (last beta) - unfortunately someone released stripper 2.13beta8 and I have only to say if you don't want me working on stripper I close this project.. good luck..

Homepage: http://syd.nightmail.ru/stripper.dhtml

All Versions:
Download: Stripper.7z

PE Explorer v1.99 R3 NEW !!!



A program for editing Win32 PE files: it can add sections, change section characteristics and more, and it also includes a built-in disassembler and UPX and Upack unpackers.

Homepage: http://www.cracklab.ru/english.php - http://www.cracklab.ru/download.php?action=list&n=MzU=
Download: PE.Explorer.v1.99.R3.zip DDL2

AoRE Unpacker 0.4


-Tested Tools
!EP_(EXE_Pack)_1.2
antiOllyDBG
ASDPack 2.0
ASPack v2.12
AverCryptor 1.0
CryptX 1.0
dePack
DexCrypt 2.0
eXPressor 1.2.0/1.3.0.1
GHF Protector (packing Only)
HidePE
HidePX
JeyJey_UPX_Protector
MEW_1.1
Molebox 2.2.4
Morphnah 0.2
NsPack 2.9/3.0/3.3/3.4/3.6/3.7
Packman V0.0.0.1/Packman V1.0
PC Shrinker 0.71
PE_Lock_NT_2.04
PE Pack 1.0
PeCompact 1.30/1.50/1.84
Pohernah 1.0.1/1.0.3 (standard)
PolyEnE_0.01
RCryptor 1.1
ReCrypt_0.15
SimplePack 1.0X/1.11/1.21
Ste@lth PE 2.10
The Best Cryptor
Mucki's Protector 2
UPX 1.25/1.91/2.00/2.01/2.02/2.90/3.00/3.01
UPXScramb_2.2

Download: AoRE_Unpacker_0.4.rar
Download: AoRE UnPackTools 2.0: AoRE_UnPackTools_2.0.exe

VMUnpacker V1.5 Licensed - DSW Lab Anti Spyware Toolkit VMUnpacker Build 20080317, v1.2.5.5 Main



This tool is based on virtual machine technology and can unpack various known & unknown packers. It is suitable for unpacking protected Trojan horses during virus analysis, and because all code runs inside the virtual machine, it poses no danger to your system.

This product is free software; you can download it, install it, copy it and distribute it noncommercially. If you want to use it for commercial sale, copying or distribution, you must first obtain the warranty and permission of DSWLAB (for example, an anti-virus company that wants to use it to analyse Trojan horses in batches must first obtain the mandate and permission of DSWLAB).
VM Unpack Engine SDK:

The commercial VM Unpack Engine SDK will be provided solemnly (VM Unpack Engine SDK).

Using the VM Unpack Engine SDK, the developer does not need to care about the unpacking process and method and only needs to pass the data to the VMUE SDK; VMUE will finish analyzing and unpacking automatically. VMUE supports sending the unpacking result to a file and to memory at the same time, and returns the OEP directly after unpacking. It helps you unpack packers in your own products and tools.

It rebuilds the PE file after unpacking (repairing the import table, overlay, etc.), providing the essential conditions for rebuilding a runnable EXE program.

VMUE SDK includes the following part mainly:

Relevant dynamic or static link libraries
VMUE SDK technological white paper and the document about the interface of SDK
Codes of calling VMUE SDK
Packer's signature library in binary
Other auxiliary routines and codes

This tool is based entirely on virtual machine technology and can process all kinds of known and unknown packers. It is suited to unpacking packed samples when analysing a virus or trojan. Because all code is executed inside a virtual machine (VM), the system is not adversely affected by the process. The first official public release uses the extended internal version of unpack.avd, which can identify many kinds of known packers and recognise more of the affected packer code. Read the instructions in the archive.
v1.4 main changes:
1. Unpacking support for 24 new packers.
2. Changed the Morphine unpacking method and the way a file is dumped.
3. Improved full backup of the import table.
4. Introduced a PE optimization function that considerably reduces the file size after unpacking.

To download test version 1.3, click the following address:
http://www.sucop.com/download/20.html


Universal Unpacker VMUnpack v1.5 + Lic
include Antivirus Database.T.(c)dswlab 2006-2008
2008/03/15 16:53:19 and VUnpackSDK.dll Anti Spyware Toolkit VM & unpackSDK v1.2.5.5 Build 20080317

Download: VMUnpacker_1.5.rar - VMUnpacker-all.zip
Public Version 1.3: http://update4.dswlab.com/vmunpacker.zip

Supercop (r) Kill various kinds of Trojan horse completely, protect the security of system in an all-round way.
more free tools download: http://www.dswlab.com
Specialized desktop and safe products of content: http://www.unnoo.com

PECompact v2.86.1 Final (June 9. 2008)


This release adds better support for image base randomization (ASLR) in Vista and above. If your executable crashed after compression in previous versions, it may have been simply due to the fixups/relocations being removed. This version fixes the default behavior so it'll work without tweaking.

Changes since v2.82 final

Change.Core: Added support for ASLR (randomized image basing) executables in PECompact, PEC2GUI, and PETrim. Specifically, fixups/relocations are no longer stripped by default on ASLR enabled EXEs. In previous versions, the user had to set /StripFixups:No for these EXEs to work in Vista and above.
Change.Installer: Updated to NSIS 2.37.

Download Team CzW
Bitsum.PECompact.v2.86.1.Final.WinALL.Retail-CzW.rar
czpc2861.zip

Zeta Debugger v1.4


Zeta Debugger is a stand-alone source level debugger and code profiler for Windows 98/2000/XP applications written in C/C++ or assembly languages. Source level debugging is possible when the symbolic debug information emitted by your compiler is in a format supported by the debugger or by external plug-in modules. Otherwise, when this information is absent or not recognized, you can only debug at machine level. At this moment the debugger supports several debugging formats used by the compilers of the two best-known companies, Borland and Microsoft. In the future we plan to add support for more formats.
Download: Zeta.Debugger.v1.4..-CFF.rar

more tools: http://bbs.cracktool.com/archiver/?fid-24.html

21 February 2008

Censored by AntiVirus Packer.FSG - FALSE POSITIVE

FSG - F[ast] S[mall] G[ood]
Perfect compressor for small exes, eg. 4k,64kb intros, asm appz etc.(upx sux)

features:
+ designed for asm executable files (kg, cracks, trojans :) - IN HOPE NO ONE PACK TROJANS WITH IT
+ small loader size (but if u know how to improve it, mail me)
+ imports handling
+ support for executables with export tables
+ TLS support (delphi, bcc exes)
+ overlays support (flash, director, shockwave etc.)
+ aPLib compression (LZMA is too big and NRV from z0mbie's site is soo sloow)
+ command line support, eg. "fsg.exe notepad.exe" (drag&drop also works)


changes v2.0
+ 100% recoded (pure win32asm)
+ 158 bytes of loader code, gee its so cute :), can you make it smaller?
+ support for exports and overlays (flash and co.)
+ strip unused resources option (version info, delphi's resources)
+ configuration file (fsg.ini), read it for more info
+ it wasnt my intention, but you can pack executable from vb-shit too :)
+ fixed command line handling for Windows Server 2003
+ fixed Windows95 compatibility problems (command line support)
- 32x32 icon isnt removed anymore


changes v1.33
+ smaller loader code (again??), this time its 197bytes long (u cant stop us)


changes v1.32 (internal release)
+ smaller loader code (206 bytes)
+ ms-dos header optimization (PE header at 0Ch offset)
! shitty Web3000 claims that FSG is a trojan, dont use this cheap Web3000
crapware, anyway if you still think FSG is a trojan, reverse it and
tell me about your worries


changes v1.31
+ smaller loader code (thnx Jibz for aplip optimization tips), 239 bytes
+ compatibility with FASM exe files


changes v1.3
+ nice GUI
+ FSG saves its import strings in PE header, just like TLS table if detected
+ PE header moved 32bytes up (40h), i dont give a fuck about dos message
+ heavily tested under XP (yeah rite...)
+ detection of invalid PE files (signatures, packers flags at PE+F4h)
+ error handling (seh requested :P)
- polymorphic encryption (you didnt like it, am i rite?)


changes v1.2
+ now FSG loader is placed correctly in the PE header (always on 200h)
+ tested under XP (but still i wont pay 500$ for this shit :P)
- disabled compression of RT_FONTDIR & RT_FONT & RT_MANIFEST resources
- disabled compression of RT_VERSION resource (shit, now you can compress
all those little shitty VB appz)

bugs
- no .NET executables support (what can be worst than VB for .NET? :)
- no DLL support (who needs it anyway?)
- no TLS callbacks support
- no delay imports support
- and much more :)

FSG v1.33 , FSG v1.2 , FSG v2.0
Homepage: http://www.xtreeme.prv.pl/

Hit this link and see the stupidness of all wannabe security forums, AntiVirus advisor's and many more http://www.google.com/search?num=100&hl=en&newwindow=1&safe=off&q=Packer.FSG
They discuss since years because maybe some people have packed with FSG viruses into files that now the exe packer by self is a Trojan virus. Please use unlisted packer such as upx, pecompact whatsonever and pack your shit trojans into files because this packers are possible less good in compression ratio but will never be listed as trojan as name of the compressor/packer but AV Researcher will have a little bit more work to do and find the real virus inside packed files, no matter what packer have been used.

used by many and ... /CORE - not a typical keygen or scene packer, Intros and small files to get even smaller is always welcome

The packer is detected as a Trojan by most AVs.
Disassembled it down to its substance, sandboxed it: no trojan there. - FALSE POSITIVE - Even if the packed file has no trojan, it will show positive because some AVs have listed the whole packer.

For those AVs that detect it as positive, this applies to all files packed with this packer.

according to PEiD its done with: FSG v1.33
I knew PEiD isn't the best: it lacks signature updates and doesn't have an anti-cheat mechanism if some other signatures are stuck inside.
Testing with Exeinfo PE, which is well updated and shows some more:
Image is 32bit executable FSG v1.33 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl

There is the advice to use: VMUnpacker V1.2 by www.dswlab.com (why not V1.3)
I use another one now

KAV engine in G Data detect Trojan /by the way latest WinXP SP3, a system file, genuine signed by MS is detected as virus. - Restore from quarantine failed. G Data Firewall looks not bad. AV engine slow down system same as latest Outpost Firewall. Always good that there Archive sites in the net to get older versions.



result original: http://www.virustotal.com/analisis/3e05a9dd741ca42f5001195652311a54
14/32 AV's have listed Packer FSG as virus - false positive -
unpacked: http://www.virustotal.com/analisis/3a1ba1a7606e681a11d5e6f32fb98202
by 6 from this 8 I'm sure I get the false positive alert out if I clean the unpacked file from the rest signs that it was packed before with FSG.

http://www.virustotal.com/analisis/72757bef29b2add1d564ee86ad450cd8
TheHacker 6.2.9.225 lost the virus W32/Behav-Heuristic-061
already by removing the word " FSG! " in the pe header with a hexeditor.

Webwasher-Gateway 6.6.2 changed his meaning from Packer.Dumped to Win32.Malware.gen (suspicious) by removing the word: " FSG! " in a hexeditor

looks like signs from MEW, overseen...
however if pack it again come to this:
http://www.virustotal.com/analisis/9646f7ae36603fa580408549bc12f7ae
from original 14/32 to 9/32 while Sophos show another false positive from repacking follow by Panda, eSafe, Sunbelt and Webwasher-Gateway = minus 5! It will stay 4/32
Im little bit worry if Avast have right with: Win32:Agent-QXQ

I didn't clean the unpacked file, F-Secure found signs that it was before packed with FSG and shown the file unpacked/not cleaned like before, same as by Avast. Ikarus ????
Webwasher found as well the rest signs that it was packed before. eSafe don't know anything cause it shows unpacked another virus as packed from Trojan/Worm mutated to dont know = Suspicious File. ! Packer listed !?
About CAT-QuickHeal just for laughing it show by most exe packed files independence from the packer have been used upx/Xcomp/pecompact very often: (Suspicious) - DNAScan

Norman, Sophos, FileAdvisor, AhnLab-V3, Prevx1 lost the virus (false positive alert) in unpacked conditions same as VirusBuster. Proof for me that those AV's have list just the packer as virus - no analysis or unpacking have been done.

MZ� PE L FSG!

VM Unpack

The whole thing again, better test twice now with VM Unpack V1.4 (we have the sdk)
Info:
FSG v1.33 (Eng) -> dulek/xt <===> Support
Unpacked successfully! (in less than a second)

The default DOS MZ header / DOS stub is always missing in files packed with FSG; in its place is written:
MZ� PE L FSG!....
That means an antivirus will see that the file was packed with FSG unless this is replaced.
See: http://win32assembly.online.fr/pe-tut1.html
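As an added illustration (not part of the original post, nor code from FSG, PEiD or Exeinfo PE), the sketch below reads the header fields discussed here: where `e_lfanew` points, whether the usual DOS stub text is present, and whether the strings `FSG!` or `.dswlab` occur near the start of the file. Both sample headers are constructed for the example, and placing `FSG!` at offset 14h is an assumption.

```python
import struct

# Text found in the DOS stub that most linkers emit.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
# Strings the post reports seeing in headers: the packer's tag and the
# name left behind by the VM Unpack tool.
HEADER_MARKERS = (b"FSG!", b".dswlab")


def triage_pe_header(data, scan_len=0x400):
    """Return structural facts about the start of a PE file.

    A marker or an unusual layout shows how the file was built or packed;
    it says nothing about whether the packed content is malicious.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    head = data[:scan_len]
    markers = []
    for marker in HEADER_MARKERS:
        pos = head.find(marker)
        if pos != -1:
            markers.append((marker.decode("ascii"), pos))
    return {
        "e_lfanew": e_lfanew,
        # The DOS header is 40h bytes long; a PE header starting before
        # that offset has been folded into it (0Ch in the FSG changelog).
        "pe_overlaps_dos_header": e_lfanew < 0x40,
        "dos_stub_present": DOS_STUB_TEXT in data[0x40:max(e_lfanew, 0x40)],
        "markers": markers,
    }


def build_standard_sample():
    """Constructed header: normal DOS stub, PE header at 80h."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HH", buf, 0x84, 0x014C, 1)  # i386, 1 section
    return bytes(buf)


def build_folded_sample():
    """Constructed header: PE header folded into the DOS header at 0Ch.

    The tag position (14h) is an assumption made for this example.
    """
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    buf[0x0C:0x10] = b"PE\x00\x00"
    struct.pack_into("<HH", buf, 0x10, 0x014C, 2)  # i386, 2 sections
    buf[0x14:0x18] = b"FSG!"
    struct.pack_into("<I", buf, 0x3C, 0x0C)
    return bytes(buf)


def blank_marker(data, marker=b"FSG!"):
    """Zero out a tag, as in the hex-editor test described in the post."""
    return data.replace(marker, b"\x00" * len(marker))


if __name__ == "__main__":
    cases = (
        ("standard", build_standard_sample()),
        ("folded", build_folded_sample()),
        ("folded, tag blanked", blank_marker(build_folded_sample())),
    )
    for name, sample in cases:
        print(name, triage_pe_header(sample))
```

The third case mirrors the hex-editor test in this post: with the tag blanked a string match finds nothing, while the folded header layout is still visible.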

The unpacking engine VM Unpack, which is made for trojan research by a Chinese AV data security company, adds the word À.dswlab to the PE header.

here the result analysis:
http://www.virustotal.com/analisis/e3c6628a12b66853f400750d31037977
same as the first unpacking solution: 8/32
For me it confirms twice that the packed file with 14/32 have lost by 6 scanner the Viruses in unpacked conditions complete > 6x proved false positive from exe packer!!!

I will say these AV's can put the result in Minus:
- Webwasher-Gateway
- TheHacker
- Sunbelt
- maybe F-Secure cause it shows by most signs from packed files done by all possible packer the same
- eSafe
- CAT-QuickHeal see F-Secure

= 2/32 scanners:
Avast report Win32:Agent-QXQ and
Ikarus report Trojan.Win32.Obfuscated.ex
while Ikarus possible get the info from other scanners as it was to seen by Packer XComp maybe from VirusTotal via Google search on that site or get the files delivered and is possible orientated on other AV's but reports different given Virus names. However about Avast Win32:Agent-QXQ Im unsure.

Rebuild and MS Dos Header + Stub added
http://www.virustotal.com/analisis/72757bef29b2add1d564ee86ad450cd8
Result: 7/32
same as above: Webwasher-Gateway changed his meaning from Virus detection Packer.Dumped to Win32.Malware.gen (suspicious).
TheHacker lost the Virus W32/Behav-Heuristic-061 and says clean just by adding a DOS MZ Header / DOS stub MZ.EXE. Sunbelt, F-Secure, eSafe, CAT-QuickHeal + Webwasher-Gateway will possible show nothing anymore if do changes by ms dos header + stub in file.

Webwasher-Gateway seems to scan focused by PE Id Sig. This sample was packed before with ASPack+Scrambler. Unpacking left rest from ASPack strings. Its packed with XComp. Ikarus was shown the same scanned file a few days ago, as Packer.XComp.A but changed virus name matching to the application and report now, cause it's utorrent.exe packed: Worm.Win32.Downloader.fb (utorrent + XComp packed = Downloader + Uploader for Win32 but no worm inside). Bitdefender cached it once wrong and don't correct them mistakes they let it as virus: Packer.XComp.A - False Positive - Hit Reanalyse change Proxy Ip's use anonym Proxys - test with ipid.shat.net/ - be sure your real IP is not under 'HTTP Forwarded For:' written by submition
Permalink: analisis/bdc253e8b7f1fa414dcfb152f7e6ef80

Anyhow for Romania its a new Packer since 13. Feb 2008. Austria did follow the old news. Checksum + MD5 of packer is since a year the same - no virus - false positive! - . It's a shame
-------------------------------------------------------------------------------------

Real viruses they don't want found such as the trojan:
%windir%/Media/csrss.exe + MSWINSCK.OCX (same filenames as the old backdoor but new md5)
start from registry
"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe" and connect to a server, found in a Forum site, not sure possible Patch Making Tools ALL IN ONE Patchmkers.exe or any other from them (posted end Jan/Feb 08.) cause they looking on the wrong places.

=====================================================================================

After many testing:

- McAfee
- Microsoft
- Symantec
- NOD32v2 (limited) Program don't like unpackers

have the best False Positive detection. - No virus found - if no virus has been packed into the files, or they can handle all packers and scan inside/unpack the files...
My own meaning is that the oldest AV Companies from the early 90's / late 80's MS DOS / Windows 3.x times for example: Symantec (=Norton), McAfee have the most experience. Kaspersky I remember before year 2000 as it was once not in English Language available. The Gui language says nothing I don't care about Design and GUI, Languages. About BitDefender I have no words for them anymore as I've seen that they get the false positive packer detail info from VirusTotal.com maybe using Google search on VirusTotal sites or the files direct by submit to that site in hand cause by some testing with packer Xcomp they put the whole packer in them database as positive virus. Xcomp is analyzed already since a year and have not changed since that time. There is no Virus in XComp nor by the packer not by the packed output files done with it. BitDefender's auto submission and integrated email in the AV program by self is in my eyes a trojan. New is now that a pop up window force the user to give in personal info. If have it retail obtained or not. I have isolate all online connections to and from BitDefender AV products cause of the hidden random ISP servers. These server connection details are not to see with the Total Security Suite and Internet Security with the integrated Firewall. It scares me and I easy get paranoid about security privacy and trust to some places on earth. Especially when the product uninstallation let the half on harddisk and many registry entries after running uninstall. Not only on one computer.

If you have programmed a packer or protector and it is wrongly listed as a virus, please contact the AV firms as its author by email, fax or letter. Clear things up, if you really did develop a clean packer. Send it to them for re-testing and analysis in its original form, the same as you host it on your homepage. Otherwise it will be listed there forever. It is possible that the same packer was picked up injected with a virus and is listed in the virus database because of this. Xcomp was listed as a virus by mistake by AntiVirus scanners. If you pack files with it and it still shows up as a virus, it should be resolved with coming AV signature updates.

Theoretical you can use every 30 days for testing another antivirus program. There are so many that you can a few years long protect your system for free. After all, remember your experience about Antivirus programs. You can as well every 6 months install the OS new and do a total clean up that you can test it all over again, free as trial version before you buy any Antivirus software which remove a lot files on your harddisk by detecting false positive and let you thinking that you these are all true viruses. Even more each Antivirus soft can find, you will think, even better is the antivirus cause you don't know which files are false positive and which are real viruses.
Some AV's can delete as well all your filtered ip's and urls in the windows hosts file if you did block with it unwanted websites and advertising, website counter and others to 127.0.0.1.
It will mean that this guys from: http://www.hosts-file.net/?s=Download and: http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=10 are wrong with them blacklists of bad hosts.


Sorry for bad english
programmerstools.org

15 February 2008

ExeInfo PE ver. 0.0.1.8 E - ( 360 sign ) by A.S.L.


packer, compressor detector + unpack info + internal exe tools

Last update : 2008-02-12

www.exeinfo.go.pl

ExeInfo PE

ver. 0.0.1.8 E - ( 360 sign )

MADE IN POLAND


Freeware version for Windows XP

Windows 32 PE executable file checker , compilators, exe packers ....

with solve hint for unpack / internal exe tools / rippers

Internal Tools Menu :

- overlay remover - generate new file without overlay data
- save overlay as external file
- Rolo Lamer Protector v0.1c - work on standalone exe 1MB
- EP Corrector ( for Delphi ) - generate many exe file with Entry Point
- XoR permutator - create one file with xor data ( 255x2000 bytes )
- Section splitter - save exe sections as files & exe header
- 8 / 16 bit string finder - enter 8 bit string = searching 16 bit strings & 8 bit ( F7 key )
- REGistry call finder + CLSID - find registry call & regedit.exe strings


File Menu:

+ Rename file
+ Copy file As.. *.bak
+ Execute - create executable process ( exe )
+ Execute - windows ext. associate ( dll ,zip ... )
+ Delete file ( ALt+Del) - work in multiscan mode
+ Run multifile scanner mode ( Directory scan )
+ - view global log file ( c:\Raport-exeinfo-log.txt )
- delete global log file ( no confirm )


Rippers Menu:

- www address searcher inside exe - work on any file
- ExE inside ExE ( Win32 Pe windows executable) - work on any file
- Zip archives inside ExE www.winzip.com - work on any file
- Rar archives inside ExE www.rarlab.com - work on any file
- CAB MS archives inside ExE (for MSI installers ) - work on any file
- SWF flash Adobe animation files ( internal length fixer for non exe files )
- ( All in one ) - for lazy boys ( without 'www address' )

keys :

F1 key - keyboard help
F2 key - Multiple file scanner for *.exe files
F3 key - external view ( hiewdemo.exe or hiew32.exe ) path directory
F4 key - external test ( peid.exe ) path directory
F5 key - external test RDG Packer Detector ( I read location from Win registry )
F6 key - external test DiE.exe Detect it Easy ( I read location from Win registry - shell integration req.)
F7 key - 8 / 16 bit String finder
F9 key - :-)
F10 key - :-)

Alt+Delete - delete file

"+" ,"-" - Numeric KEY = adjust transparent Form


Non executable file detection:

zip , 7zip , rar , msi , jpg , pdf , png , gif87 , gif89 , bmp ,
avi , mpg , mp3 ID3 , noID mp3 , xml ,wma , wmv, fws , cws ,
Ogg , php , html.


Overlay detector :

01. zip archives
02. cab archives
03. SWF Flash object ( packed & unpacked format )
04. Executable PE file
05. 7zip archives
06. RAR archives

- Plugins like a Peid.exe ( 70 % compatible :-( )

ACM* - anti cheat mechanism

ExeInfo detection list :

001. RealArcade Wrapper ( Microsoft Visual C++ ) 50%
002. Borland Delphi ( 2.0 - 7.0 )
003. Microsoft Visual C++ ver. 5.0 ~ 6.0 ( exe )
004. Microsoft Visual C++ ver. 7.x ( exe ,dll)
005. PEtite 2.x Ian Luck
006. UPX exe 0.89.6 - 1.02 / 1.05 - 1.93B -> Markus & Laszlo
007. UPX dll file - 1.93Beta -> Markus & Laszlo
008. Aspack v2.12 -> Alexey Solodovnikov
009. EXECryptor v.2.3.1-6 ( www.strongbit.com )
010. Morphine ver.2.7b ( plugin Peid.exe )
011. AC protect 2.0 by RIScO Software Inc. ( www.ultraprotect.com )
012. ASprotect 2.1 reg ( www.aspack.com/asprotect.htm ) only exe files DLL files detect as ASpack :)
013. AHTeam EP Protector ver.0.3 priv
014. WinUpack 0.39 final by Dwing ( http://dwing.51.net ) :-((
015. Software Compress ver. 1.2 Lite - www.bgsopt.com
016. PEcompact ver.2.78a - 2.80 - www.bitsum.com
017. nsPack ver.2.3 unreg - by North Star - www.nsdsn.com
018. nsPack ver.3.0 - 4.1 reg - by North Star - www.nsdsn.com
019. Mole Box 2.5.7 by Teggo. - www.molebox.com
020. Microsoft Visual C++ ver. 8 ( ??? )
021. EXE Guarder 1.8 - 2.1 (2006/2008 unreg) www.exeicon.com/exeguarder
022. EXE Wrapper ver. 2.3-2.5 ( www.533soft.com/exewrapper ) - how to remove password
023. Exe password protector 1.0.5.100 (protect/unprotect)
024. TASM / MASM
025. MS Visual Basic 5.0-6.0 dll
026. MS Visual Basic 5.0-6.0 exe
027. Armadillo 4.4x - 4.62 32bit - www.siliconrealms.com ( effectiveness = 60% )
028. Enigma protector v1.1x - www.enigma.izmuroma.ru © Sukhov Vladimir 2004-2006
029. SVK-Protector v1.32 demo - Pavol Cerven - www.anticracking.sk
030. Generic check : ASprotect 1.? old version ( www.aspack.com/asprotect.htm ) exe only
031. Generic check - AC protect 1.? by RIScO Software Inc. ( www.ultraprotect.com )
032. Packman v1.0 Brandon LaCombe ( http://packman.cjb.net )
033. modified exe , EP code = Borland Delphi ( 2.0 - 7.0 )
034. ExeStealth V2.76 www.webtoolmaster.com
035. FSG v2.0 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl
036. Generic check - Aspack v2.1x -> Alexey Solodovnikov
037. Aspack v2.12b? -> Alexey Solodovnikov
038. Program protector v2.1unreg ( exe password - DECODE PASS ! ) - www.blumentals.net
039. Obsidium v1.3 software protection system (demo) - www.obsidium.de
040. ARMprotector v0.1 by SMOKE 2004
041. ARMprotector v0.3 by SMOKE 2004
042. SDProtector Profesional Edition v1.12 ( 2003 ) - www.sdprotector.com
043. Themida 1.0 -1.3? - Adv.Win.Software Protection System (c) 2004-2005 Oreans Technologies - www.oreans.com
044. yodas Protector v1.03.3 - http://yodap.has.it 2004-2006
045. yoda's Crypter v1.3 - Ashkbiz Danehkar 2004-2005
046. PE-Pack v0.99 (c) 1998 by ANAKiN
047. WATCOM C/C++ 1988-1995
048. Microsoft CAB SFX module
049. Generic check : Microsoft Visual C++ vx.x
050. UPX -> Markus & Laszlo ver. [ 2.00 ] <- version info from file
051. PeSpin v1.304 public by CyberBob - http://pespin.w.interia.pl
052. UPX -> Markus & Laszlo ver. [ ] - EXE modified!!!
053. UPX -> with extra sections - Real EP resolver ( [ ] - required Fast scan unchecked )
054. PolyEnE v0.01+ Polymorphic Encryptor (c) 2001 Lennart Hedlund ( [ ] - required Fast scan unchecked )
055. Nullsoft PiMP Stub - ( read from Ovl : NullsoftInst3" )
056. eXpressor PE Packer v1.4.5.1 - www.cgsoftlabs.ro ( exe , dll )
057. Thinstall 2.4x - 2.5x -> Jitit Software - www.thinstall.com
058. Thinstall 2.7x -> Jitit Software - www.thinstall.com
059. Nullsoft scriptable install system 2.xx - ( read from Ovl : NullsoftInst )
060. Inno Setup Module [SFX] - Borland Delphi Inno Setup Module [unknown]
061. Private EXE Protector 1.7 ( 2003-2006 ) www.setisoft.com
062. Excalibur v1.03r (c) by forgot -> read from file [ Excalibur (c) DFCG ] , http://www.breezer.ful.cn
063. MSLRH v.032a - SISTEMA DE PROTECCION ANTICRACKEO
064. ShareGuard Loader V3.6 Zapper Software - www.zapperSoftware.com
065. Borland C++ 1999
066. Zip Sfx Archive
067. Rar Sfx Archive
068. 7-Zip Sfx Archive
069. WinZip Sfx ver. 8.x www.winzip.com
070. Zylom Game Installer zip Sfx ( MS Visual C++ 7.0 )
071. Borland C++ 2002 /2005 - Copyright 200X Borland Corporation
072. WinZip Sfx ( generic check ) www.winzip.com
073. Lock Express 2.0 Build 9.2 - 1997-2006 Sciensoft Research Inc
074. FreeBASIC Compiler v0.14-0.17 (c) 2004-2006 Andre Victor T.Vicentini - console App.
075. generic check : InstallShield 2003 ( MS Visual C++ 5/6.0 )
076. InstallAware Setup Squeezer InstallShield - www.installaware.com ( 7zip archive )
077. Installer Nullsoft PiMP Stub ( UPX pack )
078. Generic check : Nullsoft PiMP Stub installer
079. ASprotect 1.1c old version ( www.aspack.com/asprotect.htm )
080. Microsoft Visual C# / Basic.NET
081. Setup Dev INSTALLER – Version 1.3 © Shere Khan – November 2005 ( MS Visual C++ 5/6.0 )
082. Dev-C++ Compiler v4.9.9.2 - Bloodshed Software ( www.bloodshed.net )
083. Generic check : EXE STICKER like DotFix FakeSigner
084. DotFix FakeSigner v3.4 ( ASPR Stub ) http://fakesigner.dotfix.net
085. PeLock v.1.x Bartosz Wójcik www.pelock.prv.pl
086. MS IExpress 2.0 - Win32 Cabinet Self-Extractor
087. generic check : MS IExpress x.x - CAB installer ( in section II )
088. InstallShield (R) Setup Launcher v.7.x CAB file ( MS Visual C++ 5/6.0 )
089. PEcompact ver.1.41 - v1.84 - www.bitsum.com
090. ORiEN ver.2.11~2.12 - ( 1994-2003 http://zalexf.narod.ru )
091. VMProtect v.1.2x (demo) 2003-2006 PolyTech - www.polytech.ural.ru ( only EP protection )
092. FASM ver. 1.67 50% detection
093. Private exe Protector v1.9x - www.setisoft.com ( morph )
094. Krypton The Krypter ver.0.3 by Yado - www.lockless.com
095. MEW 11 SE 1.2 by Northfox (2004) - Northfox.uw.hu
096. PEncrypt 4.0 Public Release / 4.0 Phi junkcode - www.junkcode.cjb.net
097. SDProtector Pro Edition v.1.16 ( 1.1 SDP! ) info from file. www.sdprotector.com
098. PE Diminisher v.0.1 ( 1999 ) - www.phrozencrew.com/~teraphy
099. !EP (EXE Pack) v1.0 g-l-u-k [TeaM - X] 2005 - www.softprot.cjb.net
100. [G!X]'s Protector v1.2 - http://breezer.ys168.com
101. Active PE Scrambler / APES / v. 1.0 (2005) [TeaM - X] - www.team-x.ru
102. (UPX) PowerArchiver 2006 [ ZIP/ CAB/ unknown ] SFX v.9.63.x - www.powerarchiver.com
103. GameHouse.com installer ( MS Visual C++ ) inside Wise Installer
104. Dev-C++ Compiler v4.9.9.2 ( MINGW 32 v5.x.x ) - Bloodshed Software ( www.bloodshed.net )
105. Hide&Protect v1.0x ( 2005 ) - www.SoftWar-protect.com
106. WWPack32 ver 1.xx ( 1997,98 ) by P. Warezak and R.Wierzbicki
107. CHAOS Self Extractor 3.9 (1998-2006) ( WWPack-ed ) http://safeSofthome.com !
108. Xtreme-Protector v.1.08 (c) 2003 www.oreans.com/xprotector/xprot.htm
109. LCC Win32 v1.x ( Jacob Navia ) http://www.cs.virginia.edu/~lcc-win32/
110. LCC Win32 v1.x DLL ( Jacob Navia ) www.cs.virginia.edu/~lcc-win32
111. Hmimys-Packer v1.0
112. ExeFog v.1.1x - 2005 - www.bagie.xost.ru
113. PolyCrypt PE v.2.1.x ( 2004-2005 ) - www.jlabsoftware.com (exe/dll)
114. SimplePack v1.0 - 1.2 ( LZMA / APLIB - Packman compression library 1999-2005 Igor Pavlov )
115. SimplePack v1.11 - 1.2x ( Method 2 NT )
116. Unopix Version 1.10 Final 2006 Scrambler for PE files ( exe/dll ) !
117. PPC PROTECT ver 1.1 ( 2006 ) Alexey Gorchakov www.ppc-protect.com
118. Inno Setup Uninstaller - Borland Delphi
119. Armadillo v2.5x - v2.6x - www.siliconrealms.com
120. DotFix NiceProtect v1.2 by GPcH Soft ( 2006 ) - www.niceprotect.com
121. CreateInstall v4.x Gentee ( 2004 - 2006 ) - www.createinstall.com
122. Gentee Programming Language © 2004-2006 www.gentee.com
123. RLPack v.1.11 BasicEdition ( uses aPLib 0.42 ) http://ap0x.jezgra.net
124. ReversingLabsProtector 0.7.4beta http://ap0x.headcoders.net
125. Install Creator Pro ver.2.0 ( 2003 ) - www.clickteam.com
126. PowerBasic /CC 3.0x/CC 4.0/Win 7.0x/Win 8.0x - www.powerbasic.com
127. WinUHA ver.2.0 Sfx Archive - www.winuha.com ( UPX )
128. ZipGenius 6.0.x Sfx Archive - www.zipgenius.it ( Borland Delphi )
129. PEbundle ver.3.20 ( 2003 ) Jeremy Collake - www.bitsum.com Alloy Executable Compressor v.4.x- Copyright © 2000-2006 PGWARE - www.pgware.com
130. Lazy Assembler Version 0.53 (26 Sep 2006) Freeware (c) 2000-2006 Stepan Polovnikov
131. nPack v1.1.300 (aPlib ) by NEOx ( 2006 ) www.uinc.ru
132. Installer - Setup Factory 6.0 - 7.0 Indigo Rose Corporation ( 2006 ) MS V C++ 6.0
133. dePack by deNULL - www.ooooQ.cn
134. Goat's PE Mutilator v.1.6 ( 2005 ) - www.geocities.com/killereaglesoftware
135. RLPack v.1.14-1.18 BasicEdition ( uses aPLib 0.43 / LZMA 4.30 ) ap0x.jezgra.net
136. VBOWatch protector v2.0 Copyright [c] 2006 MoonLight - www.ooooQ.cn
137. Generic check : build like - Private exe Protector v2.0 - www.setisoft.com
138. Easy Code v.1.0x ( GUI for assembler ) Ramon Sala - www.easycoder.org
139. Mole Box 2.6.1 by Teggo. - www.molebox.com
140. SLVcOdeProtector v.1.12 by SLV - www.ooooQ.cn
141. Exewrap MFC Application v.1.0 ( 2003 )
142. Microsoft Visual C++ 8 compiler ( 2006 )
143. RosAsm -V2.039c - betov.free.fr ( effectiveness 80 % )
144. Software Compress ver. 1.4 Lite - www.bgsopt.com
145. Intel (R) C++ Compiler
146. FreePascal ver : FPC 1 - 2 Win32 -> (Berczi Gabor, Pierre Muller & Peter Vreman)
147. Open WATCOM C/C++32 Portions Copyright (c) Sybase 1988-2002
148. File2Pack SFX v.2.0 2006 (F2P Self Extractor ) SHOW PASSWORD! - www.mental9production.com ( MS VB5/6 )
149. PV Logiciels dotNet Protector 4.0 2003-2005 http://dotnetprotector.pvlog.com
150. ReflexiveArcade Game wrapped file ( *.RWG )
151. DAStub Dragon Armor (BamBam0.0.4.1) from Orient 2006 www.ooooQ.cn
152. Akala EXE Lock ver.3.20 www.zero2000.com (Aspack v2.12 -> Alexey Solodovnikov) - PASSWORD DECODER(N) OR HOW TO REMOVE PASSWORD
153. BeRoEXEPacker - Version 1.00 - Copyright (C) 2006, Benjamin BeRo Rosseaux ( Exe/DLL )
154. EXE Password Protector v.1.1 (MSV C++ v7) - www.eltima.com/products/exe-password - INFO HOW TO REMOVE PASSWORD
155. AGInstaller 1.9.12 ( UPX pack ) Copyright (c) 2001-2006 Agentix Software - www.aginstaller.com
156. CreateInstall v2003.3.5 www.createinstall.com/www.gentee.com ( EP check & OVL )
157. Protection PLUS - Instant plus (software key) 2.0.98.0 (2005) - www.softwarekey.com Concept Software
158. Wise Installation System! std/pro 9.02 (c) Wise Solutions Inc. - www.wise.com
159. Wise Installation System! ver. ?.? (c) Wise Solutions Inc. - www.wise.com
160. Wise Uninstaller Wizard (sec3) - www.wise.com - MS Visual C++ ver.6
161. m9P Editor Plus v.1.0.300 Distributable Executable Rich Text - DERT™ X ©mental9Production, 2005 - www.mental9Production.com - INFO HOW TO REMOVE PASSWORD
162. Nullsoft uninstaller - www.nullsoft.com - ( UPX packed )
163. Nullsoft uninstaller - www.nullsoft.com
164. Softwrap (XTREAMLOK) ver. 1.x~3.x - www.softwrap.com ( exe/dll )
165. RLPack v.1.14-16 Full Edition - False signatures unichecker
166. RLPack v.1.14-16 Full Edition ( uses aPLib 0.43 / LZMA 4.3x ) http://ap0x.jezgra.net
167. Salfeld Computer EXE Password 2004 v 7.114.0.0 trial - www.salfeld.com ( Borland Delphi )
168. Wise for Windows Installer pro 4.21 ( CAB ) - www.wise.com
169. Tarma Installer ver. 2.99.2156 (2005) Tarma Software Research Pty Ltd. - www.tarma.com ( MS Visual C++ )
170. NTkrnl Secure Suite v.01 packer or protector - www.ntkrnl.com ( exe )
171. NTkrnl Secure Suite v.01 packer or protector - www.ntkrnl.com ( dll )
172. [dUP2 -> diablo2oo2] v.2.1x patchengine ( patch ) - Mircosoft MacroAssembler - http://diablo2oo2.cjb.net
173. [dUP2 -> diablo2oo2] v.2.1x patchengine ( loader installer ) - Mircosoft MacroAssembler - http://diablo2oo2.cjb.net
174. PE password encryptor 31-01-2000 by SMT ( asm ) - [ OEP finder included ]
175. WinUDA 0.271 sfx ( 2004 ) by Dwing http://dwing.51.net
176. kkrunchy 0.1x >> radical exe packer - www.farbrausch.de/~fg/kkrunchy
177. kkrunchy 0.23 alpha 2 >> radical exe packer (c) f. giesen 2003-2005 - www.farbrausch.de/~fg/kkrunchy
178. CyberInstaller Suite 2006 1.1 - SilverCyberTech 2003-2007
179. Eurora3D - free installator - www.extramedia.co.yu/eurora3d ( ASM )
180. Microsoft Visual C++ ver. 7.1 [DEBUG] exe
181. Fucking Fake File 1.0 by wspomagacz 2005.11( EXE Binder exe,jpg hidden inside] )
182. Anskya Polymorphic Packer V 1.3 Code By Anskya
183. Self-Extracting Archive Utility (SEAU) ver. 15.0 2006 ( Aspack v2.12 -> Alexey Solodovnikov ) - http://gammadyne.com
184. PE-Pack v 1.0 (c) 1998 by ANAKiN
185. PKLITE32(tm) - Version 1.1 02-15-1999 ( exe )
186. PKLITE32(tm) - Version 1.1 02-15-1999 ( DLL )
187. EncryptPE V2.2006.10.25 China Cracking Group - www.encryptpe.com
188. CC386 Version 3.28.1.6 Copyright (C) (GPL) LADSoft 1994-2006
189. PC Guard for Win32 V5.01 - www.sofpro.com
190. JDPack ver 1.01 ( 2005 ) - www.tlzj18.com ???
191. Netopsystems AG INSTALLER FEAD(R) SFX (MS C++) - www.netopsystems.com ( packed UPX & not packed )
192. Borland C++ 1995~1998 - www.borland.com
193. eXpressor PE Packer v1.5.0.1 - www.cgsoftlabs.ro
194. Excelsior Installer v1.0 2003-2007 ( MS Visual C++ 6.0 ) - www.excelsior-usa.com
195. tElock v0.98 Freeware PE-Compressor/Encryptor (c) 2000-2001 by tE!
196. UPX Lock v1.02 (2007.02) - www.team-x.ru
197. softSENTRY 3.00 1999 - 20/20 Software Inc. www.twenty.com ( site closed )
198. DxPack ver 0.86 ( 2001.06 )
199. Neolite 2.0 -> Neoworx Inc. ( 1999.03.20 ) - www.neoworx.com ( site closed )
200. ZipWorx SecureEXE v3.0 (2004-2007) www.zipworx.com (Neolite packed)
201. [ PE-DIY Tools V1.10 2004 ] by A.Young (PoJieYong) - www.w-yong.com ( how to unprotect,oep info )
!202. aUS v0.5 beta ( upx scrambler 2005.08 ) - http://ap0x.headcoders.net ( bad link? )
203. EXE protector 2.01a Eyhab Hillail ( 1998-2003 )- http://oxygen72.tripod.com ( how unprotect pass )
204. 32Lite 0.03a -> Oleg Prokhorov www.????
205. aPackage SFX v.1.14 2001-2002 Joergen Ibsen [32Lite v0.03a packed]
206. NTPacker V2.1 by ErazerZ (2005.12) ErazerZ@gmail.com ( zPlib / XOR / aPlib+xor )
207. WinHKI v1.77 SFX 2000-2007 by Hanspeter Imp ( hki archive only ) www.winhki.com (packed PEcompact ver.2.7x)
208. nBinder 5.1.0 ( 24.03.2007 MSV C++ 8.0 ) NKProds Software - www.nkprods.com
.209. (Basic check) : Securom 7.1 -> Sony DADC - www.securom.com
210. Cexe Executable Compressor v1.0b Copyright 1999, Tinyware, Inc. - www.tinyware.com by Scott Ludwig
211. ASprotect 2.3 SKE ( www.aspack.com/asprotect.htm ) 25%
212. Easypano Virtual Tour player ( MSV C++ ) - www.easypano.com
213. PeX v0.99 bart/CrackPl (2000) (APLib 0.26 by J.Ibsen) - longdiy.myrice.com
214. YZPack v.2.0b.aplib (c) UsAr ( 2007.03 )
215. YZPack v.1.1 LZMA (c) UsAr ( 2006.08 )
216. YZPack v.1.2 aplib/LZMA (c) UsAr ( 2007.03 )
217. ExeStealth V2.72 (Share.ver) - www.webtoolmaster.com
218. Generic check : ExeStealth V?.? (share.ver) - www.webtoolmaster.com
219. ExeStealth V2.x (Regg.ver) - www.webtoolmaster.com
220. nsPack ver.1.x - x.x by North Star - www.nsdsn.com
221. Microsoft Visual C++ 6 DLL
222. exe32pack 1.42 Copyright 1999-2004 www.SteelBytes.com
223. Protect Exe 0.4 Beta ( PROEX ) 2002 - www.dpaehl.de.cx ( UPX packed )
224. SexyPacker v.1.0.1.0 ( c ) 2001 - www.smalleranimals.com ( SFX ) MSV C++ 5.0
225. ID Executable Password 1.2 (c) 2005 Fastlink2 Build: 08/08/2005 - www.idsecuritysuite.com - !SHOW PASSWORD!
226. ID Application Protector v.1.2 Unreg (c) 2005 Fastlink2 - www.idsecuritysuite.com ( OEP info ,how to clear TRIAL)
227. Pelles C for Windows v2.xx - 4.50 ExE ( 1999-2006 ) - www.smorgasbordet.com/pellesc
228. Wise for Windows Installer pro ?.?? ( CAB in section 4 ) MS C++ - www.wise.com
229. WinUtilities 5.2 EXE Protector 1.0 ( 2002-2007 ) YL Computing Inc. - www.ylcomputing.com - ( Info how Pass remove/unprotect )
230. [section protection] VMProtect v.1.25 - 1.x (demo) 2003-2006 PolyTech - www.polytech.ural.ru
231. REALbasic 2007 R2 Standard Edition ( 1997-2007 REAL Software ) - www.realbasic.com ( exe only )
232. UPX 3.0 -> Markus & Laszlo ver. [ 3.00 ] <- info from file. ( sign for DEV C++ compiler )
233. Microsoft Visual C++ ver. 7.1 EXE/DLL (3 bytes sign - easy to false)
234. Beria v0.07 public WIP ( 2005 ) - symbiont ( aPlib )
235. NoodleCrypt version 2 by NoodleSpa ( 2000.08 )
236. VPacker v0.02.10 by tt.t (exe only 2006.04 aPlib)
237. Private exe Protector v.2.00-2.15 ( 18.04.2007 ) www.setisoft.com
238. Free Pascal Compiler v.2.1.4 i386 GUI APP ( 11.05.2007 ) Berczi Gabor - www.freepascal.org
239. Free Pascal Compiler v.2.1.4 i386 CON APP ( 11.05.2007 ) Berczi Gabor - www.freepascal.org
240. Free Pascal Compiler v.2.1.4 i386 DLL APP ( 11.05.2007 ) Berczi Gabor - www.freepascal.org
241. Installshield v.12 (MSV C++ ) www.installshield.com / www.macrovision.com
242. generic check2 : InstallShield v.12-14 2008 ( MS Visual C++) www.installshield.com / www.macrovision.com
243. FASM ( 1.3x -1.67 ) 2004-2007 http://flatassembler.net - Tomasz Grysztar
244. Thinstall VS 3.0.x -> Jitit Software - www.thinstall.com
245. Astrum InstallWizard v2.24.20 ( 1999-2006 ) - www.thraexsoftware.com ( MS Visual C++ )
246. WinZip SelfExtractor 3.0 ( MSV C++ v7 ) 1996-2006 WinZip Int. LCC - www.winzip.com
247. Wise Instalation Express v7.0 2006 (SFX CAB) MSV C++ - wise.com / ALTIRIS
248. VisageSoft Installer ? WISE for Win/.msi ( MSCF CAB ) Borland C++ - www.visagesoft.com
249. ST Protector v1.5 SE ( 2006 ) - Silent Software - www. ???
250. (exe) Visual Protect v2.5.7 ( 2000.12 www.visagesoft.com
251. (dll) Visual Protect v2.5.7 ( 2000.12 www.visagesoft.com
252. eXpressor PE Packer v1.5.0.1 (MODE: Protection) - www.cgsoftlabs.ro
253. The Enigma Protector 1.31 unreg (2007.06.15) - Vladimir Sukhov - www.enigmaprotector.com ( exe/dll )
254. generic check: (exe) Visual Protect ( 2000? ) www.visagesoft.com
255. RCryptor 1.6d by Vaska ( 2007.01 ) only exe file protector - ( OEP info )
256. Polymorph Crypter,Beta Morphnah (c) puccxak.com ( 2007.05 ) - ( OEP info )
257. Pohernah v1.0.3 puccxak.com ( 2007.03 )
258. QIP[Crypt] ( 2007.06 ) Borland Delphi Crypter
259. SimbiOZ (RUS) ! Rootkit exe hider ! ( OEP info - for C++/Delphi )
260. AsdPack2 ( EP overflow exe - Delphi or C++ detector ) [ detection 75% ]
261. QSetup Instalation Suite 8.5.0.4 - 26.05.2007 - www.pantaray.com
262. Perplex PE-protector v1.01devel 2002-2003 by [tc] GiveMe5/BliZZaRD
263. Mole Box 2.6.4 by Teggo. - www.molebox.com
264. !EP (exe pack) v1.4 (lite) final - Team-X ( 2007.04 ) www.team-x.ru , http://exetools.blog.com.cn
265. DalKrypt 1.0 by DalKiT - www.dalkit.fr.st (26.10.2003) Anti-SI, Anti-Debug, Anti-Dump
266. NackedPacker v1.0 by BigBoote ( 2004.01-2007.06? )- www.PEArmor.com
267. WATCOM C/C++32 Run-Time system (c) Sybase Inc, 1988-2000
268. MS Visual C++ v.5 DLL Method 1 ( MS VBasic kit library ) ACM*
269. Open Source Code Crypter 1.0 by p0ke (9.06.2007) - www.swerat.com - http://unnamed.bot.nu ( Borland Delphi )
270. Private Personal Packer (PPP) Version 1.0.2 (13.03.2007) - www.ConquestOfTroy.com ACM*
271. Wise for Windows Installer v.?.?? ( CAB in section 4 ) MS C++ 7.0
272. Inteli check : unknown Installer - MSCF Cab file
273. Armadillo x.x ~ 5.0 32bit [exe -low protection only]
274. Armadillo x.x ~ 5.0 32bit [Dll-std protection]
275. Inteli check : MASM assembler ( no signature )
276. Inteli check : unknown ver. WATCOM C/C++32 (c) Sybase 1988-200?
277. inteli check : Dev - ( MINGW 32 v ?.?.? ) - Bloodshed Software ( www.bloodshed.net )
278. Borland Delphi 2006 ? - www.borland.com
279. Borland C++ - ( DLL ) Copyright 1994/96 , 1999 Borland Intl.
280. CRYPToCRACk's PE Protector 0.9.3 (2007.01) Lukas Fleischer - cryptocrack.de
281. Break-Into-Pattern, a.k.a BIP, v0.1 (2006.01) - http://n0name.exmuros.net http://undergroundkonnekt.net
282. DotFix NiceProtect 2.5 (with internal packer) GPcH Soft - www.niceprotect.com
283. DotFix NiceProtect 2.5 (Krypton sign) GPcH Soft - www.niceprotect.com
284. DotFix NiceProtect 2.5 (SVKP 1.3x sign) GPcH Soft - www.niceprotect.com
285. DotFix NiceProtect 2.5 (Visual C++ sign) GPcH Soft - www.niceprotect.com
286. Borland Delphi ( Component ) xxxx - www.borland.com
287. Microsoft Visual C++ ver. x.x DLL (5-8)
288. Microsoft Visual C++ ver. 8.0 DLL ( 83 ) ACM*
289. Microsoft Visual C++ ver. 7.xx DLL ( 83 )
290. Private exe Protector v.2.25 ( 28.06.2007 ) www.setisoft.com
291. Microsoft Visual C++ ver. 9.0 exe ( E8 )
292. Microsoft Visual C++ ver. 9.0 DLL ( 8B )
293. PEiD Plugin -> Exe Converter v.1.00 ( BobSoft )
294. MarjinZ EXE-Scrambler SE ( MS Visual C++ 8.0 )
295. Microsoft Visual C++ v7.10/8.0/9.0 DLL ( 8B )
296. Borland VCL Component for .NET ( Borland Developer Studio 4 (c) 2006 v.10.0.2 )
297. PDF2EXE v1.0 CoolPDF Software - www.pdf2exe.com ( 2006.10 ) - PASSWORD DECODER :-)
298. RealBasic v.?.? ExE - www.realbasic.com
299. RealBasic v.?.? DLL - www.realbasic.com
300. Generic check - Aspack vx.x -> Alexey Solodovnikov
301. generic ckeck : FreePascal ver : FPC 1.x.x
302. UPX -> (exe) Markus & Laszlo ver. 0.72 OBSOLETE VER. ( 12.05.1999 ) ACM*
303. UPX -> (dll) Markus & Laszlo ver. 0.72 OBSOLETE VER. ( 12.05.1999 ) ACM*
304. ScanTime UnDetectable by MarjinZ ( STUD RC4 1.0 ) Marjinz-Crypter.exe
305. Free Pascal Compiler version 2.0.4 [2006/08/21] for i386 ACM*
306. Active Basic v4.24.00 © 2006.04.08 (exe) Discoversoft - www.activebasic.com ( Japan ) *ACM
307. Aspack v2.0 -> Alexey Solodovnikov - www.aspack.com
308. Play Basic v.1.0x - 1.63 ( 2D game creator ) www.playbasic.com
309. (exe) UPX obsolete ver. 0.50 - 0.72 -> Markus & Laszlo
310. ANDpakk2 v0.06 (Jul 18 2006) Dmitry "AND" Andreev - http://and.intercon.ru
311. ANDpakk2 v0.18 (Jul 16 2007) 2006,2007 Dmitry "AND" Andreev - http://and.intercon.ru
312. PEiD-Bundle v1.03 by BoB (2007.03.30) - www.secretashell.com/BobSoft
313. Exe Stealth Packer or Protector v.3.16 - www.webtoolmaster.com (NTkrnl)
314. 20to4 v2004.04.18 Copyright 2001-2004 20to4.net
315. Borland C++ 1995 DLL *ACM
316. nBinder LIMITED v4.0 2006 - www.nkprod.ro ( MSV C++ 8.0 )
317. mkfpack llydd (aPlib) 28.05.2007
318. KByS 0.28 beta EXE ( shoooo ) china 2006.05.23 *ACM
319. KByS 0.28 beta DLL ( shoooo ) china 2006.05.23 *ACM
320. Microsoft Visual C++ ver. 8.0 DEBUG / Visual Studio 2005 (FF) *ACM
321. mPack - mario PACKer version 0.0.2 (c) DeltaAziz
322. WinUDA 0.291 clasic sfx 2005 by Dwing http://dwing.51.net
323. Cryptic v2.1 - EXE Crypter Copyright [c] 2007.09.26 Tughack ( MS Visual Basic exe stub )
324. aSm Protector v1.0 Copyright [c] 2007.09.29 AT4RE
325. AverCryptor v.1.02beta by Sec|Null os1r1s ( 2007.08.23 ) - www.secnull.org
326. Muckis Protector 2 coded 2007 by Mucki *ACM
327. Rewolf DLL packager v1.0 V.2007 http://rewolf.prv.pl ( OEP info )
328. x86 Virtualizer ReWolf ( VIII.2007 ) - http://rewolf.pl
329. BeRo Tiny Pascal Compiler ( EXE ) http://bero.0ok.de
330. CDS SS V1.0 beta1 (c) CyberDoom [Team-X member] ( 2005.12.18 ) *ACM
331. [dUP2 -> diablo2oo2] v.2.16 patchengine ( loader installer ) - Microsoft MacroAssembler - http://diablo2oo2.cjb.net
332. Borland C++ 2002 & 2005 DLL - www.borland.com
333. WinUpack 0.37-0.39 by Dwing --- http://dwing.51.net (BE&60 sign)
334. Flash2X EXE Packager ver.2.1.0 2007 - http://flash2x.net/exepackager ( Borland Delphi ) - RIP HINTs
335. D1S1G PEiD Plugin by D1N ( 10-24-2007 ) PEiD Signature and PE Overlay Tool ( only OVL protection )
336. WinUtilities EXE Protect 2.1 - www.ylcomputing.com (MS C++ 6.0) ( how to pass remove )
337. Hacker's Patcher version 0.07 Veacheslav Patkov ( 2007.09.21 ) - http://patkov-site.narod.ru/eng.html
338. Enigma Protector 1.35 (2007.10.12)- www.enigmaprotector.com ,Vladimir Sukhov
339. FSG v1.33 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl *ACM
340. FishPE Shield v.1.1x Crypt by HellFish ( http://hellfish.ys168.com ) - sign NOT TESTED trojan
341. Microsoft Visual C++ v4.2 DLL *ACM
342. 32lite DLL [32Lite v0.03a]
343. FishPE Shield v.2.0.x Crypt by HellFish ( http://hellfish.ys168.com )
344. SmartE protection -> Microsoft ( trial/CD check/...)
345. Microsoft Visual Basic v6.0 DLL
346. Dev-C++ Compiler v4 old - Bloodshed Software ( www.bloodshed.net )
347. Dev-C++ DLL ( MINGW 32 v x.x.x )- Bloodshed Software ( www.bloodshed.net ) ASLsign
348. PhrozenCrew PE Shrinker (c)1999 by Virogen version 0.71 beta 06/27/99
349. DarkCrypt v1.2 priv by DMX (2007.12.25)
350. yoda's Crypter 1.2 http://yodap.has.it ( 2001.01.14 ) *ACM
351. yoda's Crypter 1.1 http://yodap.has.it ( 2000.12.29 ) *ACM
352. XPack : freeware packer (c)2007 JoKo, Version 0.98 02/18/2007 - www.soft-lab.de/joko/ExePack.htm
353. XComp : freeware packer (c)2007 JoKo, Version 0.98 02/18/2007 - www.soft-lab.de/joko/ExePack.htm
354. Microsoft Visual C++ ver. 8.0 DLL (83_II)
355. VMProtect v.1.6x (demo) 2003-2008 PolyTech - www.vmprotect.ru
356. SIS-Crypt ( 2005.10.29 )
357. Microsoft Visual C++ ver. 3.x (3~4)
358. ExeSax v.0.9.1 EXE encryptor ( CAVE Method only ) 2006.09.18
359. Luck007 2.7 GUI (exe) by Luckliuliu@yahoo.com ( 2007.06.07 ) str( 60%)
360. WinKrypt v1.0 Copyright © 1999 MrCrimson/[WkT!99] *ACM

Homepage: http://www.exeinfo.go.pl/

Download: exeinfope0.0.1.8.E.zip - Mirror1 - Mirror2 - Mirror3


ExEinfo PE Win32 bit identifier antivirus report
