RLKit - Reversing Labs (first aid) Kit
----------------------------------------
After seeing a lot of so-called crackers' kits being spread around, most of them over 10 and sometimes 20 MB, I decided to create a truly minimal reverser kit. Such a first aid kit should contain only the applications that every cracker uses most. So this is a bare-bones kit that proves that everything you need while reversing 90% of applications can be packed into one package weighing less than 2 MB. This kit contains:
Reversing Labs RL!dePacker has a built-in option to detect the OEP. However, this option does not work with VB applications (always use the FindOEP! function with VB applications and force the OEP to a manual address) and with some packers. So if RL!dePacker cannot unpack the file, use the FindOEP! function to detect the correct OEP, but use it only as a fallback since it can be jammed!
° Option Force OEP to manual address forces the unpacker to stop at a manually specified OEP address; use this option ONLY if the packer cannot be unpacked otherwise (the target runs instead of breaking at the OEP, or is dumped at the wrong OEP).
° Option Correct OEP to manual address corrects the OEP in the PE header of the unpacked file.
° Option Hide unpacker from detection hides the debugger from the anti-debugging tricks (antiTricks) that would otherwise detect it.
° Option Use tracer to correct IAT removes all known redirection types.
° Option Fix Import elimination is used on applications that relocate the import table in memory outside the PE32 file. This option has been tested with AlexProtector 1.0 and RLPack TE 1.18. Please note that even though this option is still being tested, it should give good results on all known redirection types (see the ap0x unpacker SDK).
The Generic unpacker can unpack ONLY packers that do not use IAT redirection, that don't steal APIs, and that fill the IAT in the correct order. All ordinals that can be converted to API names are converted; the others are inserted into the IAT as ordinals! It is designed for NT systems (Windows 2000 or later) but should also work on Windows 9x if you have the psapi.dll file!
If you don't want to update the software (and therefore wait a few seconds before you can use this program), delete the Updater.dll file.
This unpack engine covers everything an unpacker needs. It has debugger, dumper and importer modules which make coding unpackers easy. The SDK is free and can be used by anyone, but make sure you mention my name or include logo.bmp somewhere in the About dialog.
SDK v.1.4
- Updated Delphi and MASM SDK
- Fixed memory problems for all modules
v.1.6 [Debugger.dll]
- Added new ldex86
- Rewritten DebugLoop
- Added new API: ForceClose
- Added new API: SehGoneWildProtection
- Fixed: Handling custom exceptions
- Fixed: When a breakpoint fires in a second thread, the context doesn't get read
- Fixed: Not releasing loaded .dll file handles on process terminate
- Fixed: Find crashing on some searches with an access violation
v.1.5 [Dumper.dll]
- Fixed: PastePEHeader not writing the header on some files
- Fixed: DumpProcess crash on files with the PE header moved above SectionAlignment
- Fixed: DumpProcess not rebuilding the header correctly on files which have larger...
- Fixed: ConvertVAtoFileOffset on files which have code inside the PE header
- Fixed: AddNewSection resizing the new section size to fit FileAlignment
- Fixed: AddNewSection not aligning the raw offset correctly
v.1.0 [Tracer.dll] (just for internal use by RL!dePacker, next version will be public!)
- Added support for the following redirections: SLVc0deProtector 1.1x...
- Added support for the following redirections: tELock 0.8x-0.99, PeX 0.99, ReCrypt 0.74
- Added support for the following redirections: yC 1.x, Goat's PE Mutilator 1.6...
- Added support for the following redirections: RLP 0.7x, ACProtect 1.x...
- Added new API: TracerGetAPIAdressByHashing
- Added new API: TracerAutoFixImportElimination
- Added new API: TracerDetectRedirection
- Added new API: TracerAutoFixIAT
- Added new API: HashTracerLevel1
- Added new API: TracerLevel1
- Added new API: TracerInit
v.1.5 [Importer.dll]
- Fixed: StrToInt conversion
- Added new API: ImporterCleanup
- Added new API: ImporterMoveIAT
- Added new API: ImporterGetAddedDllCount
- Added new API: ImporterGetAddedAPICount
- Added new API: ImporterFindAPIWriteLocation
- Fixed: ImporterAddNewAPI ordinal import handling
- Fixed: ImporterAutoFixIAT check of already loaded .dll files code
- Fixed: ImporterAutoSearchIAT to correctly find the IAT in case of invalid near jumps
- Fixed: Not unloading loaded .dll files with ImporterAutoFixIAT
- Fixed: ImporterGetAPINameOrOrdinal API...
- Fixed: Ordinal processing in ImporterGetAPIName, ImporterGetAPINameEx...
- Fixed: ImporterAutoFixIAT to get all .dll file(s) libraries and calculate relative...
- Fixed: ImporterGetAPINameFromDebugee to get API names from all libraries....
- Fixed: ImporterAutoFixIAT to get all .dll file(s) libraries, not just the system ones
This tool is based entirely on virtual machine technology and handles both known and unknown packers when analysing or unpacking protected exe and dll samples, such as viruses and trojans. Since all code runs inside a virtual machine, it causes no harm to the system. VMUnpacker is the first official public version of the internally used enhanced build of Super unpack.avd; it can identify more kinds of exe/dll protectors and carries more unpacking code. See the note in the compressed package.
V1.4 main changes:
1. Added 24 new unpacking routines.
2. Fixed Morphine unpacking (its dump method).
3. Improved the full-backup function.
4. Introduced a PE optimization function, which significantly reduces file size after unpacking.
Contact Developer for Version 1.4 Download!
ExeInfo PE ver. 0.0.1.7 B by A.S.L
freeware version for Windows XP
Windows 32-bit PE executable file checker: identifies compilers, exe packers ... and gives a hint on how to unpack.
Internal Tools Menu :
- overlay remover - generates a new file without the overlay data
- save overlay as an external file
- Rolo Lamer Protector v0.1b - works on standalone exe < 1MB
- EP Corrector ( for Delphi ) - generates many exe files with Entry Point
- XoR permutator - creates one file with xor data ( 255x2000 bytes )
- Section splitter - saves exe sections as files & the exe header
- 8 / 16 bit string finder - enter an 8-bit string = searches 16-bit strings & 8-bit ( F7 key )
- REGistry call finder - finds registry calls & regedit.exe strings
File Menu :
+ Rename file
+ Copy file As.. *.bak
+ Execute - create executable process ( exe )
+ Execute - windows ext. associate ( dll ,zip ... )
+ Delete file
+ view log file ( c:\Raport-exeinfo-log.txt )
Rippers Menu :
- www address searcher inside exe - works on any file
- ExE inside ExE ( Win32 PE windows executable ) - works on any file
- Zip archives inside ExE www.winzip.com - works on any file
- Rar archives inside ExE www.rarlab.com - works on any file
- CAB MS archives inside ExE ( for MSI installers ) - works on any file
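The 8 / 16 bit string finder and the www address searcher above do one thing that a plain ASCII `strings` run misses: Win32 programs keep many strings as UTF-16LE ("wide") text, so every character is followed by a NUL byte. The following Python is an added example, not ExeInfo PE's own code. It looks up a needle in both encodings and extracts URLs from both; the sample bytes are constructed for the example, and the names find_string and find_urls are mine.

```python
import re

# Constructed sample blob (not taken from any real binary): an 8-bit API name,
# the same name as UTF-16LE, and one URL in each encoding, with filler bytes.
SAMPLE = (b"\x00" * 8
          + b"RegOpenKeyExA\x00"
          + "http://example.test/update".encode("utf-16-le") + b"\x00\x00"
          + b"\x90" * 4
          + "RegOpenKeyExA".encode("utf-16-le")
          + b"\x00https://example.test/report?id=1\x00"
          + b"\xff" * 3)


def find_string(data, text):
    """Return sorted (offset, encoding) hits for an ASCII needle in 8-bit and UTF-16LE form."""
    hits = []
    for label, needle in (("8-bit", text.encode("ascii")),
                          ("16-bit", text.encode("utf-16-le"))):
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


# 8-bit URL: scheme, "://", then any run of printable non-space bytes.
URL_ASCII = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")
# UTF-16LE URL: the same pattern with a NUL after every character.
URL_WIDE = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def find_urls(data):
    """Return sorted (offset, url) pairs for URLs stored as 8-bit or UTF-16LE text."""
    found = [(m.start(), m.group().decode("ascii")) for m in URL_ASCII.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in URL_WIDE.finditer(data)]
    return sorted(found)


if __name__ == "__main__":
    for offset, enc in find_string(SAMPLE, "RegOpenKeyExA"):
        print(f"RegOpenKeyExA at 0x{offset:x} ({enc})")
    for offset, url in find_urls(SAMPLE):
        print(f"URL at 0x{offset:x}: {url}")
```

The wide regex deliberately stops at the first byte outside the printable range, so a URL that is followed by a double NUL terminator (as in the sample) is cut cleanly rather than running into the next string.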
keys :
F1 key - keyboard help
F3 key - external viewer ( hiewdemo.exe or hiew32.exe ) path directory
F4 key - external test ( peid.exe ) path directory
F5 key - external test RDG Packer Detector ( location is read from the Windows registry )
F6 key - external test DiE.exe Detect it Easy ( location is read from the Windows registry - shell integration required )
F7 key - 8 / 16 bit String finder
Alt+Delete - delete file
"+" , "-" - Numeric KEY = adjust transparent Form
Non executable file detection :
zip , 7zip , rar , msi , jpg
Overlay detector ( added on ver. 0.0.1.3 A - 0.0.1.4 H ) :
01. zip archives
02. cab archives
03. SWF Flash object ( packed & unpacked format )
04. Executable PE file
05. 7 zip archives
06. RAR archives
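The overlay remover in the Internal Tools Menu and the overlay detector list above rest on one check: anything in the file beyond the end of the last section's raw data is overlay, and its first bytes say what was appended. The following Python is an added example, not ExeInfo PE's code. It builds a constructed single-section PE32 stub in memory, locates the overlay from the section table, classifies it by the signatures of the file types in the list above (standard magic bytes), and strips it; build_minimal_pe, find_overlay, identify_overlay and strip_overlay are names of my own.

```python
import struct

# Leading bytes of the overlay types in the detector list (standard file
# signatures; the table itself is constructed for this example).
OVERLAY_MAGIC = [
    (b"PK\x03\x04", "zip archive"),
    (b"MSCF", "cab archive"),
    (b"FWS", "SWF Flash object (unpacked)"),
    (b"CWS", "SWF Flash object (packed)"),
    (b"MZ", "executable PE file"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
]


def build_minimal_pe(section_raw_size=0x200, overlay=b""):
    """Build a tiny single-section PE32 image (constructed test input, not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    raw_headers = len(dos) + 4 + len(file_hdr) + len(opt) + 40
    size_of_headers = (raw_headers + 0x1FF) & ~0x1FF
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", section_raw_size, 0x1000,
                          section_raw_size, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + section
    headers += b"\x00" * (size_of_headers - len(headers))
    return headers + b"\xC3" * section_raw_size + overlay


def find_overlay(data):
    """Return (overlay_offset, overlay_bytes); offset == len(data) means no overlay.

    The overlay starts where the last section's raw data ends. SizeOfHeaders is
    the floor for files whose sections occupy no space on disk.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    end = struct.unpack_from("<I", data, e_lfanew + 24 + 60)[0]  # SizeOfHeaders
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if raw_size:                      # BSS-style sections take no file space
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))             # truncated file: nothing lies past EOF
    return end, data[end:]


def identify_overlay(overlay):
    """Name the overlay by its leading bytes, mirroring the detector list."""
    if not overlay:
        return "no overlay"
    for magic, name in OVERLAY_MAGIC:
        if overlay.startswith(magic):
            return name
    return "unknown data"


def strip_overlay(data):
    """The 'overlay remover': the file with everything past the last section cut off."""
    end, _ = find_overlay(data)
    return data[:end]


if __name__ == "__main__":
    sample = build_minimal_pe(overlay=b"PK\x03\x04" + b"\x00" * 26)
    offset, overlay = find_overlay(sample)
    print(f"overlay at 0x{offset:x}: {identify_overlay(overlay)}, {len(overlay)} bytes")
```

Two edge cases are handled on purpose: sections with SizeOfRawData of zero are skipped, because a PointerToRawData of zero on such a section would otherwise pull the computed end backwards, and the end is clamped to the file length so a truncated sample reports no overlay instead of a negative-length one.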