26 September 2007

The myth of emule mods based on Apple Juice unpacked by Ekliptor



undercover Apple Juice based emule mods (ExeStealth V2.x and later)

Not many unpackers can handle it, but if you don't want to follow the OllyDbg tutorial, here is the right tool:
http://www.cdw.de.vu/UnExeStealth.zip
Mirror - Mirror


Test Object
eMule.v0.48a.Applejuice.v2.1.2.bin

target:
emule.exe
(ExeStealth V2.76 webtoolmaster.c0m
try CDW's Dark Side Stealth Detector & Shield Destroyer UnExeStealth - www.cdw.de.vu)

result unpacked and clean:
dump.exe - (mirror) - rename to emule.exe

(not packed; try disassembling it with OllyDbg (www.ollydbg.de) or WD32dsm89.exe (http://www.exetools.com/disassemblers.htm))

feel free to make your changes!

Target eMule.v0.48a.ROCKFORCE.Mod.v1.2.bin
emule.exe

Log:
start unpacking
trying to open file...
ok
reading address of entry point value: 00000140
reading imagebase: 00400000
reading size/address of SizeOfImage value: 00000168
reading address of Import Directory VA value: 00000198
reading address of Import Directory Size value: 0000019C
reading section alignment: 00001000
calculating dumpsize (virtual size sum of all sections): 00776000
reading VirtualSize value of last section: 000002B8
reading SizeOfRawData value of last section: 000002C0
have all needed values, closing file

creating process: 00000734
reserving memory for import table ...
trying to get the IAT (where is your mojo ;) ?) ...
placing bp on 'LoadLibrary' in: 7C801D77
lets fight! (runnig application, placing BP in LoadLibraryA call etc.)...
...
found OEP: 0029315C
entry point value corrected!

got some import stuff,now writing last IMAGE_IMPORT_DESCTIPTOR...
calculating new section table values

Name: VSize: RawSize: VAddress: RawAddress: Flags:
.text 00304DB6 00304DB6 00001000 00001000 E0000060
.rdata 000A8092 000A8092 00306000 00306000 E0000060
.data 00234F58 00234F58 003AF000 003AF000 E0000060
.rsrc 0018F5C0 0018F5C0 005E4000 005E4000 E0000060
rsrr 00002000 00002000 00774000 00774000 E0000060

new Import Table RVA: 00776000
new Import Table size: 00000140
new imagesize: 00777000
extend last section to: 00001000

dumping file ... done, bytes dumped(decimal value): 7827456
File unpacked!



Object: eMule.v0.48a.Fireball.v2.2.bin
target: emule.exe


Log:
start unpacking
trying to open file...
ok
reading address of entry point value: 00000140
reading imagebase: 00400000
reading size/address of SizeOfImage value: 00000168
reading address of Import Directory VA value: 00000198
reading address of Import Directory Size value: 0000019C
reading section alignment: 00001000
calculating dumpsize (virtual size sum of all sections): 007A5000
reading VirtualSize value of last section: 000002B8
reading SizeOfRawData value of last section: 000002C0
have all needed values, closing file

creating process: 00000B0C
reserving memory for import table ...
trying to get the IAT (where is your mojo ;) ?) ...
placing bp on 'LoadLibrary' in: 7C801D77
lets fight! (runnig application, placing BP in LoadLibraryA call etc.)...
...
found OEP: 002A08B0
entry point value corrected!

got some import stuff,now writing last IMAGE_IMPORT_DESCTIPTOR...
calculating new section table values

Name: VSize: RawSize: VAddress: RawAddress: Flags:
.text 003133B6 003133B6 00001000 00001000 E0000060
.rdata 000A9EC2 000A9EC2 00315000 00315000 E0000060
.data 002350B8 002350B8 003BF000 003BF000 E0000060
.rsrc 001AD898 001AD898 005F5000 005F5000 E0000060
rsrr 00002000 00002000 007A3000 007A3000 E0000060

new Import Table RVA: 007A5000
new Import Table size: 00000140
new imagesize: 007A6000
extend last section to: 00001000

dumping file ... done, bytes dumped(decimal value): 8019968
File unpacked!
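
The header offsets and section arithmetic printed in the two logs above can be reproduced from the PE32 layout. The following Python is an added example, not part of the original post or of UnExeStealth: the header skeleton is constructed, its e_lfanew of 0x118 is inferred from the logged offsets, and the section rows are copied from the logs.

```python
import struct

# PE32 layout constants from the PE/COFF specification.
SIG_LEN, COFF_LEN, SECTION_LEN = 4, 20, 40
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

def field_offsets(header: bytes) -> dict:
    """File offsets of the PE32 fields the unpacker log reports reading."""
    if header[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    if header[e_lfanew:e_lfanew + SIG_LEN] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + SIG_LEN
    (n_sections,) = struct.unpack_from("<H", header, coff + 2)
    (opt_size,) = struct.unpack_from("<H", header, coff + 16)
    opt = coff + COFF_LEN
    if struct.unpack_from("<H", header, opt)[0] != 0x10B:
        raise ValueError("only PE32 (optional header magic 0x10B) is handled")
    if n_sections == 0:
        raise ValueError("no sections")
    last = opt + opt_size + SECTION_LEN * (n_sections - 1)
    import_dir = opt + 96 + 8 * 1  # data directory entry 1 = import table
    return {
        "AddressOfEntryPoint": opt + 16,
        "SizeOfImage": opt + 56,
        "ImportDirectory.VA": import_dir,
        "ImportDirectory.Size": import_dir + 4,
        "last.VirtualSize": last + 8,
        "last.SizeOfRawData": last + 16,
    }

def constructed_header() -> bytes:
    """Constructed header skeleton: only the fields field_offsets() reads."""
    h = bytearray(0x300)
    h[0:2] = b"MZ"
    struct.pack_into("<I", h, 0x3C, 0x118)        # e_lfanew (inferred from the log)
    h[0x118:0x11C] = b"PE\0\0"
    struct.pack_into("<H", h, 0x118 + 6, 5)       # NumberOfSections (5 rows logged)
    struct.pack_into("<H", h, 0x118 + 20, 0xE0)   # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", h, 0x118 + 24, 0x10B)  # PE32 magic
    return bytes(h)

def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment

def check_layout(sections, alignment, import_size):
    """sections: (name, vsize, vaddr, flags) rows in section-table order.
    Returns (RVA just past the last section, image size once an import
    table of import_size bytes is appended there, list of findings)."""
    findings, expected = [], sections[0][2]
    for name, vsize, vaddr, flags in sections:
        if vaddr != expected:
            findings.append(f"{name}: starts at {vaddr:08X}, expected {expected:08X}")
        if flags & MEM_WRITE and flags & MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
        expected = align_up(vaddr + vsize, alignment)
    return expected, align_up(expected + import_size, alignment), findings

# Section rows copied from the two logs above: name, VSize, VAddress, Flags.
ROCKFORCE = [
    (".text", 0x304DB6, 0x001000, 0xE0000060),
    (".rdata", 0x0A8092, 0x306000, 0xE0000060),
    (".data", 0x234F58, 0x3AF000, 0xE0000060),
    (".rsrc", 0x18F5C0, 0x5E4000, 0xE0000060),
    ("rsrr", 0x002000, 0x774000, 0xE0000060),
]
FIREBALL = [
    (".text", 0x3133B6, 0x001000, 0xE0000060),
    (".rdata", 0x0A9EC2, 0x315000, 0xE0000060),
    (".data", 0x2350B8, 0x3BF000, 0xE0000060),
    (".rsrc", 0x1AD898, 0x5F5000, 0xE0000060),
    ("rsrr", 0x002000, 0x7A3000, 0xE0000060),
]

if __name__ == "__main__":
    for field, off in field_offsets(constructed_header()).items():
        print(f"{field:22} at file offset {off:08X}")
    for label, rows in (("ROCKFORCE", ROCKFORCE), ("Fireball", FIREBALL)):
        rva, size, findings = check_layout(rows, 0x1000, 0x140)
        print(label, f"import RVA {rva:08X}, image size {size:08X} ({size})", findings)
```

Every section in both dumps carries flags E0000060 (readable, writable and executable), so each row yields a finding; writable-and-executable sections are a common triage indicator of a packed or dumped image.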



follow up >CPPgRelease
http://fireball.futuremods.de/logininfo.htm
http://fireball.futuremods.de/crewmember.html

Ekliptor,RSVCD-Forum-Testversion,laraspa59,Muio,DCON Crew
Make the release features free for all or someone patch it. It's the same as if you create a 'kind of powerseed' but limit it to only a few people to use.

----------------------------------------------------------------------------------


for communities:
apple juice, eMule.0.48a.Titandonkey.v4.11-Bin all versions, eMule.0.48a.Razorback3.Next.Generation.v4.11 all versions, eMule.v0.48a.Wikinger-Mod all versions, sun power mod all versions, rockforce mod all versions, fireball mod all versions,... and all the rest of the apple juice factory leecher coder productions

required unpacking of ExeStealth V2.76

You can process the unpacked Apple Juice mods with ResHacker and put in your own splash screen, logos, icons and graphics; you can also change all dialogues. Change the URLs, the Applejuice start page, ... change the Razorback and Titandonkey community strings and the default dual-server connect to servers of your choice.
You can hex edit, use OllyDbg etc. ... and add some credits yourself.

eMule 0.48a Razorback3 Next Generation v4.11 Mod-Binary fast and xtreme unpacked emule.exe

Easy to unpack Ekliptor's C++ stuff, but can he unpack this unpackme, Ekliptor???

25 September 2007

AntiARP-DNS Ver:3.6.3 Green landscaping stable version

On your campus network, does your connection keep dropping? Are frequently visited web pages unreachable or very slow? Do you often get IP conflicts? Is your network speed limited by network management software (traffic shaping) or throttled by your ISP? (Common ARP attack software: Poly Health Network, Terminator P2P, network agents, network scissors in hand, LAN Terminator and so on ...)
These problems are caused by ARP spoofing attacks. Without ARP spoofing, data flows: gateway <-> this machine. Under an ARP spoofing attack, data flows: gateway <-> attacker <-> this machine, so all traffic between this machine and the gateway passes through the attacker, and being at the attacker's mercy is inevitable. That is why there is AntiARP-DNS, hei hei. It is strongly recommended on campus networks, where it can effectively solve these problems.

AntiARP - DNS [plug]
It provides real-time monitoring of and defense against ARP spoofing and DNS spoofing attacks; when an attack occurs it alerts, records and traces the attacker, and keeps the impact of the attack to a minimum. It can effectively prevent illegal DNS spoofing or ARP attacks on a LAN and is especially suited to campus networks. It can resolve the annoying "IP conflict" boxes that appear after an attack. If your machine is infected with an ARP-type virus, please download a removal tool to solve that; this program is only an auxiliary aid. (For forcing ARP anti-spoofing, please refer to the related article on the official site.)



Detect if ISP begins to throttle speed also by p2p

IP-Mac Scan [Auxiliary scanning procedure]
Batch-scans the LAN for the real MAC address corresponding to each IP, to make sure the MAC information obtained is accurate. It also provides convenient batch conversion to IP-MAC bindings for network management needs.
PS: The software is free, pure green software; it needs no driver support and does not touch the underlying operating system, which makes it more stable and convenient to use. I will continue to update it and hope for a lot of support from everyone.
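
The IP-MAC binding idea above, together with the gateway / attacker / this machine data flow described earlier, can be checked passively by comparing observed ARP replies against a pinned gateway binding. The following Python is an added example, not AntiARP-DNS code; the sample replies, addresses and the PINNED table are constructed for illustration.

```python
# Constructed sample: "seconds sender-IP sender-MAC" taken from observed ARP replies.
SAMPLE_REPLIES = """\
0.0 192.168.1.1 00:11:22:33:44:55
0.5 192.168.1.23 00:aa:bb:cc:dd:01
2.0 192.168.1.42 00:aa:bb:cc:dd:02
5.1 192.168.1.1 00:aa:bb:cc:dd:02
5.2 192.168.1.1 00:aa:bb:cc:dd:02
9.0 192.168.1.23 00:AA:BB:CC:DD:01
"""

# Assumed static binding for the gateway, of the kind an IP-MAC scan records.
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}


def detect_arp_spoofing(replies: str, pinned: dict) -> list:
    """Return one alert per (IP, MAC) pair that contradicts a pinned binding
    or replaces the MAC previously seen for that IP."""
    pinned = {ip: mac.lower() for ip, mac in pinned.items()}
    last_mac = {}     # IP  -> MAC most recently accepted for it
    owned = {}        # MAC -> IPs it has answered for without contradiction
    reported = set()  # (IP, MAC) pairs already alerted on
    alerts = []
    for line in replies.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        ts, ip, mac = float(parts[0]), parts[1], parts[2].lower()
        known = pinned.get(ip, last_mac.get(ip))
        if known is not None and mac != known:
            if (ip, mac) not in reported:
                reported.add((ip, mac))
                alerts.append({
                    "time": ts, "ip": ip, "expected": known, "seen": mac,
                    "pinned": ip in pinned,
                    # other addresses this MAC already uses: the likely real host
                    "claimant_other_ips": sorted(owned.get(mac, set()) - {ip}),
                })
            if ip in pinned:
                continue                  # never learn over a pinned binding
        last_mac[ip] = mac
        owned.setdefault(mac, set()).add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, PINNED):
        print(alert)
```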



Gui: Chinese Language
Homepage: http://www.yulv.net/jiajia/article.asp?id=3

Downloads:
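AntiARP-DNS free user discussion group 1, number: 5068122

Quick download: (those who like reading the description can keep scrolling down; some people don't like reading and keep saying they can't find the download address.)
Download file 3.1.0 Beta - click to download
Download file 3.3.3 Beta <no styling> - click to download
Download file 3.3.4 Beta <with styling> - click to download
Download file 3.4.0 Beta <with styling> - click to download
Download file Ver:3.6.3 Green landscaping stable version - click to download
Archive size: 330 KB (338,362 bytes)
File MD5: 9803667A76F9CE54552DCCAC4F27A632 ◇ AntiARP-DNS.exe
Event: for friends who like it, version 3.6.6 will be issued to the public after this version.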


Tips:
Some machines keep having problems when using it; the cause lies in the system itself: too much junk in the system, too many plug-ins, and so on... Consider reinstalling the system! In testing, it runs very stably in a clean system environment. Tested on clean installs of 2000/NT/XP/2003/Vista; if you find a bug, send a message to the author.

History update records / Changelog :
2007-09-24 Version 3.6.3 Green landscaping stable version
1. Interface rewritten and re-typeset
2. Rewrote and optimized code
3. Increased stability
4. Added different icons for different states
5. Added a number of other small functions

2007-09-21 Ver: 3.6.2 Compact Green stable version
1. Custom hotkey
2. New IP conversion WWW
3. Added a button to call IP-ScanMac

2007-09-20 Ver: 3.6.1 Compact Green stable version
1. Code restructuring package
2. Numerous bug fixes
3. the IP Gateway
4. Definition of new hotkey

mirrors http://greendown.cn/soft/7819.html

Universal Extractor

Skip setups and extract them.
Skip / bypass setup installer passwords and all the other crap installers do in the background.

Universal Extractor is a program to do exactly what it says: extract files from any type of archive, whether it's a simple zip file, an installation program, or even a Windows Installer (.msi) package. This is still a work in progress (see details below), but so far it's proven quite useful and I feel others can also benefit from it.

I should stress that this application is not intended to be a general purpose archiving program. It will never replace WinRAR, 7-Zip, etc. What it will do is allow you to extract files from virtually any type of archive, regardless of source, compression method, etc. The original motivation behind this project was that I wanted an easy, convenient way to extract files from installation packages, such as Inno Setup or Windows Installer packages, without pulling up a command line every time. In the process I got a little carried away and ended up throwing in support for every kind of archive format I possibly could find.

Universal Extractor, like most of my Windows programs, is written in AutoIt, a powerful open source scripting language. Universal Extractor itself, however, is just a front-end that uses many other programs to do the dirty work. Please see the Credits section below for additional information.

UniExtract Application
Universal Extractor file/destination GUI

Homepage: http://www.legroom.net/software/uniextract

Latest Version: http://uniextract.c1pher.com/

UniExtract Installer (4.8 MB) - This is the recommended download. The installer will automatically install the application and optionally integrate with the Windows Explorer context menu. This package does not contain source code.

UniExtract Binary Archive (4.6 MB) - This archive contains the binaries. Download this if you don't want to use the installer.

1.6 beta (08/09/2007):

Added support for individual user preferences for better Vista support;
by default, this is enabled for standalone, disabled for installed
when enabled, UniExtract uses single .ini file as with previous version
when disabled, individual prefs/history are saved to registry in HKCU
this can be changed by modifying globalprefs setting in .ini file
Added menu bar to main GUI;
includes options to quit, edit preferences, and visit UniExtract website
Added separate preferences GUI to provide easy access to all options;
can be invoked through Edit menu or through '/prefs' argument
Added support for FEAD Optimizer packages (eg, Adobe Reader installers)
Added support for LZMA compressed files
Added support for Nero NRG CD-ROM images (data only) via nrg2iso
Added support for Reflexive Arcade installer wrapper via RAIU
Added support for WIM (Windows Imaging Format) images via 7-Zip
Added "Not an InstallShield installer" option to InstallShield method select
dialog to force UniExtract to handle TrID false positives
Added components section to installer; makes installation of
docs, languages, and certain (large) binaries optional
Added SendTo icon option to installer
Added internationalization support for decompressed ASPack and UPX files
Added Hungarian, Portuguese, Romanian, Turkish, and Valencian (Catalan)
translations
Added return codes to indicate status of extraction (actually added in 1.5):
0 = successful exit or user-initiated cancel
1 = supposedly supported file, but extraction failed
2 = debug file is not writable, aborted
3 = unknown executable - cannot be extracted
4 = unknown filetype - cannot be extracted
5 = invalid output directory specified
Fixed bug that displayed debugging message box during Inno Setup extraction
Fixed support for Microsoft hotfixes (again)
Fixed support for relative paths
Fixed support for UNC paths
Fixed missing Spanish language option during installation
Removed Adobe-specific report (now handled by generic FEAD support)
Updated UniExtract to prompt user before executing files for extraction;
can be disabled via warnexecute option
Updated UniExtract to make ACE, KGB, Pea, and StuffIt support optional
Updated UniExtract to read English.ini from root install directory
Updated UniExtract to output debug files to %temp% by default
Updated UniExtract to verify that debug file location can be written to;
user's temp directory will be used if selected dir fails test
Updated UniExtract to disable appendext option by default
Updated UniExtract changelog to add notice of Vietnamese translation in 1.5
Updated TrID detection of MS Self-Extracting CAB (Type 1) archives
Updated TrID detection of Windows Installer (MSI) packages
Updated TrID detection of Zip Self-Extracting archives
Updated CD-ROM image support to bypass TrID detection and rely on extensions
Updated Windows Install patch (.msp) to include pure 7-zip option
Updated installer to use Start Menu icons page and include uninstall icon
Updated installer language initialization code for simplicity
Updated installer to require administrative privileges;
non-admin users should use binary archive (portable) version,
or use a copy installed by the system administrator
Updated installer to prevent association with CHM files under Vista
Updated installer to support new /nowarnexecute parameter
Updated installer to support reversed appendext default preference;
now use /appendext to enable instead of /noappendext to disable
Updated installer to add {app} in addition to {app}\bin to %PATH% if enabled;
restores ability to easily call UniExtract.exe from command line
Updated 7-Zip to 4.52 beta *for 4.55 see instructions
Updated innounp to 0.19 *to 0.20 see instructions
Updated Inno Setup to 5.1.13 *see instruction
Updated Pea to 1.6 (cannot use newer version due to broken GUI controls)
Updated UnRAR to 3.70 *see instruction for 3.71
Updated UPX to 3.01

To update extractor modules:
1. Go to Universal Extractor\docs and read the info on the extracting program (mostly on SourceForge). For example, for later Inno Setup versions see http://innounp.sourceforge.net/ and look in the forums for extractor/installer betas, e.g. http://innounp.sourceforge.net/test020.rar (should extract 5.2.0); the latest DVDFab installer, made with Inno Setup 5.1.13, can be extracted: http://sourceforge.net/forum/forum.php?forum_id=353235
2. Download the later version to Universal Extractor\bin

Example:
Support for extracting later Inno Setup versions in Universal Extractor:
download:
http://innounp.sourceforge.net/test020.rar
extract it and replace, under Universal Extractor\bin,
the file: innounp.exe

For WinRAR 3.71:
replace unrar.exe with the freeware unrar.exe included in WinRAR 3.71
Inno Setup 5.2.0 support follows soon!

Updated September extractor modules: Universal Extractor 1.6 updated 09.zip (5.44 MB)

To update the 7-Zip extractor, copy 7z.dll and 7z.exe from your 7-Zip 4.55 installation folder to \bin, replacing the existing files.
More signatures can be integrated in userdb.txt, such as PE Compact 2.x - 2.79 extractor...

how to port the rest
http://ap0x.jezgra.net/unpackers.html
http://ap0x.jezgra.net/UnStealthPE.zip
PeCompact 2.x
Unpacking Armadillo v3.78 to v5.00

Exeinfo for Win32 by A.S.L.

To see what is what and how it's done.
www.exeinfo.go.pl - exeinfo PE Win32 identifier BY A.S.L. ,packers,compilers

ExEinfo PE by A.S.L.

Last update : 2007-09-08

www.exeinfo.go.pl

ExeInfo PE

ver. 0.0.1.7 A - ( 289 sign )

Download Freeware version

( for Windows XP, ... )

Click to get ZIPPed version: SERVER 1

Click to get ZIPPed version: SERVER 2

Mirrors:
www.geocities.com/Exeinfo_pe ( USA California ) - download limit

www.exeinfo.cjb.net ( mirror USA Ohio )

Quick Unpack v2.0 Final

At last I decided to release 2.0 final. Maybe there are still several bugs left, but that's what support is needed for. In plans for the future, I want to change the engine for something astonishing (not sure if it will be public) and to make existing OEP-finders also work with DLLs. So stay tuned.


v2.0 final
[!] fixed many bugs like missed import functions
[!] fixed several driver bugs like the one which didn't allow to pass some exceptions
[!] improved export feature now supports invalid functions
[!] many improvements (like 256x256 icon for Vista, thanks to Feuerrader ) and optimizations (like better memory handling)
[!] now Force.dll doesn't use GenOEP.dll, though some code was borrowed
[+] added so long-waited ability to use scripts. before using scripts it's strongly recommended to read the manual (Scripts.eng.txt file). script examples may be taken from Scripts folder (*.lua files), scripting language LUA manual also can be found there (LUA Manual.html), which parser was embedded in the program. BTW I know that Step button doesn't work like a charm but I wasn't able to make it better
[+] passing parameters to the application added
[+] import list from imprec feature added (now Quick Unpack supports both export and import of import functions in imprec-compatible files this allows to edit some functions or add new ones. keep in mind this option works with normally created files but if you put some garbage or format this file in unusual manner this may cause crash I was too lazy to parse the file with care)
[+] attach process feature added (this option allows to choose any module in a process for unpacking and has some features. if in processes listbox a process name is a full path with name you can attach to this process. if it is only name of the file you don't have enough rights to attach. you can't specify the OEP, the instruction the program was stopped is treated as the OEP. to use attach process feature one should load the program in any debugger and manually get to the OEP, when attach to that process with Quick Unpack. keep in mind that for smart import recovery you don't need the program to run, it can just be left in the debugger standing at the breakpoint. but to use smart import recovery with tracer you should put it in the infinite loop (EB FE) and run the program because the tracer uses current thread for tracing. if the program was put in the infinite loop don't forget to restore these two bytes in the dump. when attached tracing import is unreliable and very slow, so it's not recommended to use it). this feature allows to use Quick Unpack as a dumper and import recoverer (my attempt to replace PETools and ImpRec with one program )
[+] imprec plugin support added (this feature allows to use imprec tracer plugins in Quick Unpack to restore import functions. keep in mind when using attach to process feature the program must be run for the tracer to work)
[+] added UsAr's generic OEP finder. I modified it a bit
[+] added Human's generic OEP finder. I modified it a bit
[+] added deroko's generic OEP finder. I modified it a bit and took the GUI from Human's generic OEP finder. it's sometimes slow but rather powerful and be warned that this finder uses driver and the driver is unloadable till next reboot. uses deroko's Dream of every reverser engine so incompatible with win2k3 and kaspersky. for more information about this engine visit http://deroko.phearless.org
[-] no more old non-generic OEP finders

Download:
http://qunpack.ahteam.org/wp-content/uploads/2007/09/qunpack20.zip

Mirrors: http://www.hacker.com.cn/down/view_14702.html

Info: http://www.3800hk.com/Soft/zhly/19567.html
http://www.hacker.com.cn/down/view_14702.htm
http://www.0wei.com/thread-23679-1-1.html


Quick Unpack 2.0 final for Windows 2000/XP/2003/Vista
(c) stripper engine by syd
founded by FEUERRADER [AHTeam]
(c) coded by Archer

19:35:56 - Opened utorrent 1.7.5_fake2x_leecher.exe
Quick self analyze.... PECompact 2.xx
PESniffer EP Scan: PECompact v2.xx
PEiD scanning... PECompact 2.x -> Jeremy Collake

If too difficult: Unpecomp2.exe

So some mods can look and see now that the files there, and historically those by all known coders, do not have any call-home functions integrated or added; in the original uT/bT, however, stats.domain.com has disappeared in the later builds, or we are all blind and have not found it in any build since late August.

apple juice, eMule.0.48a.Titandonkey.v4.11-Bin, eMule.0.48a.Razorback3.Next.Generation.v4.11, eMule.v0.48a.Wikinger-Mod, sun power,... and the rest of apple juice
based ExeStealth V2.76 to prepare plugin required.

copy OEPFinders files from the older version in addition for full support of known unpacking types

more tools:
Homepage: http://qunpack.ahteam.org/
http://www.hacker.com.cn/down/list_232.html

VMUnpacker V1.3


This tool is based on virtual machine technology and can unpack various known and unknown packers. It is suitable for unpacking protected Trojan horses during virus analysis, and because all code runs inside the virtual machine, it poses no danger to your system.

This product is free software; you can download it, install it, copy it and distribute it noncommercially. If you want to use it for commercial sale, copying or distribution, you must first get the warranty and permission of DSWLAB (for example, an anti-virus company that wants to use it to analyse Trojan horses in batches must first get the mandate and permission of DSWLAB).

In testing, this version supports 61 kinds of packers (including more than 300 versions).
The detailed list:

upx 0.5x-3.01 All Version
BeRoEXEPacker
aspack 1.x--2.x All Version
PEcompact 0.90--1.76 2.06--2.79 All Version
fsg v1.0 v1.1 v1.2 v1.3 v1.31 v1.33 v2.0 All Version
vgcrypt v0.75
nspack 1.4--4.1 All Version
expressor v1.0 v1.1 v1.2 v1.3 v1.4 v1.501
npack v1.5 v2.5 v3.0
dxpack v0.86 v1.0
!epack v1.0 !epack v1.4
bjfnt v1.2 v1.3
mew5 mew v1.0 v1.1
packman v1.0
PEDiminisher v0.1
pex v0.99
petite v1.2 v1.3 v1.4 v2.2 v2.3 All Version
winkript v1.0
pklite32
pepack v0.99 v1.0
pcshrinker v0.71
wwpack32 1.0--1.2
upack 0.1--0.399
rlpack 1.11--1.19
exe32pack v1.42
kbys v0.22 v0.28
yoda's protector v1.02 v1.025 v1.03.2 v1.03.3
yoda's crypt v1.1
yoda's crypt v1.2 v1.3 v1.xModify
XJ
exestealth 2.72--2.76
hidepe v1.0 v1.1
jdpack v1.01 v2.1 v2.13
jdprotect 0.9b
PEncrypt v3.0 v3.1 v4.0
Stone's PE Crypt v1.13
telock v0.42 v0.51 v0.60 v0.70 v0.71 v0.80 v0.85 v0.90 v0.92 v0.95 v0.96 v0.98 v0.99
ezip
hmimys_pack v1.0
lamecrypt v1.0
depack
polyene v0.01
dragonArmour
EP Protector v0.3
PackItBitch
trojan_protect
anti007 v2.5 v2.6
mkfpack
yzpack v1.1 v2.0
spack method1 spack method2
naked packer v1.0

upolyx v0.51
stealthPE v1.01 stealthPE v2.2
mslrh v0.31 v0.32
mslrh v0.2 == [G!X]'s Protect
morphine v1.3 morphine v1.6 morphine v2.7
rlpack full edition
EXEFog v1.1
ASDPack
PEBundle
Neolite


VM Unpack Engine SDK:

The commercial VM Unpack Engine SDK will be provided solemnly (VM Unpack Engine SDK).

With the VM Unpack Engine SDK, the developer does not need to care about the unpacking process and method; it is only necessary to pass the data to the VMUE SDK, and VMUE will analyse and unpack it automatically. VMUE can send the unpacking result to a file and to memory at the same time, and returns the OEP directly after unpacking. It helps you unpack packers in your own products and tools.

It rebuilds the PE file after unpacking, for example repairing the import table and overlay, providing the essential conditions for the rebuilt EXE program to run.

VMUE SDK includes the following part mainly:

Relevant dynamic or static link libraries
VMUE SDK technological white paper and the document about the interface of SDK
Codes of calling VMUE SDK
Packer's signature library in binary
Other auxiliary routines and codes

Homepage: http://www.dswlab.com/d3.html

Download: http://download.pchome.net/utility/antivirus/trojan/download_66883.html
(required IE, website will reject Firefox DL requests)

old Version VMUnpacker V1.2

1237905 Bytes
MD5 :9ae1be34ca2926e276c80d6c304ca25e
www.dswlab.com


upx 0.5x-3.00 All Version
BeRoEXEPacker
aspack 1.x--2.x All Version
PEcompact 0.90--1.76 2.06--2.79 All Version
fsg v1.0 v1.1 v1.2 v1.3 v1.31 v1.33 v2.0 All Version
vgcrypt v0.75
nspack 1.4--4.1 All Version
expressor v1.0 v1.1 v1.2 v1.3 v1.4 v1.501 / called the "Lightning shell" by users
npack v1.5 v2.5 v3.0
dxpack v0.86 v1.0
!epack v1.0 !epack v1.4
bjfnt v1.2 v1.3
mew5 mew v1.0 v1.1
packman v1.0
PEDiminisher v0.1
pex v0.99
petite v1.2 v1.3 v1.4 v2.2 v2.3 All Version
winkript v1.0
pklite32
pepack v0.99 v1.0
pcshrinker v0.71
wwpack32 1.0--1.2
upack 0.1--0.32 0.33--0.399
rlpack 1.11--1.14 1.15--1.18
exe32pack v1.42
kbys v0.22 v0.28 / called the "Taotao compressor" by users
yoda's protector v1.02 v1.025 v1.03.2
yoda's crypt v1.1
yoda's crypt v1.2 v1.3 v1.xModify / user-modified version
XJ / Chinese-made "Xianjian Wanghaichao" packer
exestealth 2.72--2.76
hidepe v1.0 v1.1
jdpack v1.01 v2.1 v2.13
jdprotect 0.9b
PEncrypt v3.0 v3.1 v4.0
Stone's PE Crypt v1.13
telock v0.42 v0.51 v0.60 v0.70 v0.71 v0.80 v0.85 v0.90 v0.92 v0.95 v0.96 v0.98 v0.99
ezip
hmimys_pack v1.0
lamecrypt v1.0
depack
polyene v0.01
dragonArmour
EP Protector v0.3
PackItBitch
trojan_protect / "Trojan colourful coat" // a Trojan disguise tool commonly used in China
anti007 v2.5 v2.6
mkfpack
yzpack v1.1 v2.0
spack method1 spack method2
naked packer v1.0

upolyx v0.51
stealthPE v1.01 stealthPE v2.2
mslrh v0.31 v0.32
mslrh v0.2 == [G!X]'s Protect
morphine v1.3 morphine v1.6 morphine v2.7
rlpack full edition

download

Testfile sarim's x1000 Leecher mod yoda's Protector V1.03.3 -> Ashkbiz Danehkar Support
Unpack successfully!
Output path: .... /1000x_unpacked.exe
File before: 1000x.exe (268 KB)
File unpacked: 1000x_unpacked.exe (580 KB)

You are welcome to use this software and to send feedback and questions to support#dswlab.com

If you have any questions while using it, send us an email and we will try to help; please attach the unpacked program to the mail; it is better if you also attach the packing tool of the program.
Email: support#dswlab.com.


Supercop: Kills various kinds of Trojan horses completely and protects the security of the system in an all-round way.
More free tools to download: http://www.dswlab.com
Specialized desktop and content security products: http://www.unnoo.com

Archived older unpacking goods: http://www.xfocus.net/tools/

The tool download contains English and Chinese versions. Unpacking is done to check whether there is a virus inside protected exe files.
see intro: http://scheinsicherheit.pytalhost.de/procedure2.htm
PCHOME download1 download2

http://wordpress.com/tag/unpacking/
