From Collaborative RCE Tool Library

Jump to: navigation, search

Automated Unpackers


Tool name: ArmaGeddon
Rating: 5.0 (2 votes)
Author: ARTeam                        
Website: http://arteam.accessroot.com/releases.html
Current version: 1.9
Last updated: November 30, 2010
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.262
License type: Free
Description: Armageddon is an Educational "Armadillo" unpacking tool designed specifically for testing Unpackmes' using the many protection features available in versions 3.78 thru 8.00 32-bit Professional Edition.

Tested on:
Various Unpackmes' protected by versions 3.78 through 8.00.
Limited or no support for Win2k (due to use of DebugActiveProcessStop API)
Support for win2k3 Server, XP SP1/SP2/SP3, Vista 32 bit, Windows 7 32 bit. If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2005 Redistributable Package (x86) available here: http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en

The following updates have been included in this (v1.9) release:

Minor updates and bug fixes for newest Armadillo versions
Windows 7 32 bit compatibility
Option to turn Window Caption on / off as needed
Drag and Drop support
Display actual version info [tested back to v5.42]
The about button has been modified to show the version bitmap too
New option in options group box "Cmdline" added for commandline arguments to be passed to a target *exe

Armadillo Nanomites Fixer v1.2 [Public Release] and v1.2 ArmNF.dll from NeVaDa. Updated to issue error message when encountering uneven nano markers.

ARImpRec.DLL - 1.7.5 by Nacho_dj with many updates over the previous versions.
+ Fixed rebuilding of sections for minimized MinGW compiled executables
+ Added an exported function for rebuilding imports without modifying code
+ Improved detection of possible code sections
+ Removed the backup of rebuilt file
+ Improved relocations analysis and rebuilding performance
+ Improved extraction of files of pdata section
+ Improved rebuilding of overlay for big ones
+ Fixed a bug for import table bigger than the section where it should lay
+ Fixed a bug when realigning sections
+ Fixed an error when rebuilding overlay
+ Fixed several bugs for relocations, imports retrieving and minimize size option
+ Added support for newest Armadillo versions
+ New algo for rebuilding overlay
+ Decryption of some files within pdata
+ Fixed several bugs

Special Advisory

It is strongly recommended that you disable any antivirus programs and game managers running in the background prior to using this tool.

Key features

Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
Randomized PE section names
Shockwave Flash + applications that utilize overlays (minimize size option required)
Hardware locking (Standard / Enhanced Fingerprint support)
DLL support:
Requires included dll loader.exe to load the target dll
Open / Save dialogs updated for exe / dll, plus,
resolve relocations.

Full imports rebuilding:
ARTeam Import Reconstructor ARImpRec.DLL - 1.7.5 by Nacho_dj
---- Updated 2010 November. Coded in Delphi 7 Enterprise.
It rebuilds imports in a file previously dumped. IAT gets rebuilt in the same place where it has been found, and Import Table is built in a new section, pasted at the end of the file.
The PE header is fixed for some needed data.
The main feature is that it ignores all thunks not valid found between valid ones, and then it rearranges the imports found, rebuilding for every module an only array of thunks. Thus, it can rebuild shuffled IAT.

Nanomites:
There are (2) choices for analyzing / patching nanomites. The original built-in version, and the Armadillo Nanomites Fixer v1.2 [Public Release] and ArmNF.dll version 1.2 by NeVaDa which is supported internally. The choice is yours.
Also listed in: Unpacking Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GUnPacker
Rating: 5.0 (1 vote)
Author: HI.GUnPacker@Gmail.COM                        
Website: N/A
Current version: 0.4
Last updated:
Direct D/L link: Locally archived copy
License type:
Description: Generic unpacker supporting packers below

ACProtect 1.09, 1.32, 1.41, 2.0
AHPack 0.1
ASPack 102b, 105b, 1061, 107b, 1082, 1083, 1084, 2000, 2001, 21, 211c, 211d, 211r, 212, 212b212r
ASProtect 1.1, 1.2, 1.23RC1, 1.33, 1.35, 1.40, SKE.2.11, SKE.2.1, SKE.2.2, 2.3.04.26, 2.4.09.11
Alloy 4.1, 4.3
alexprot 1.0b2
Beria 0.07
Bero 1
BJFNT 1.2, 1.3
Cexe 10a, 10b
DragonArmor 1
DBpe 2.33
EPPort 0.3
eXe32Pack 1.42
EXECrypt 1
eXeStealth 2.75a, 2.76, 2.64, 2.73, 2.76, 3.16
ExeSax 0.9.1
eXPressor 1.4.5.1, 1.3
FengYue'Dll unknow
FSG 1.33, 2.0, fsg2.0bart, fsg2.0dulek
GHF Protector v1.0
Krypton 0.2, 0.3, 0.4, 0.5
Hmimys Packer UnKown
JDProtect 0.9, 1.01, 2.0
KByS unknow
MaskPE 1.6, 1.7, 2.0
MEW 11, 1.0/1.2, mew10, mew11_1.2, mew11_1.2_2, mew5
molebox 2.61, 2.65
morphine 2.7
MKFpack 1
Mpress UnKown
Mucki 1
neolite 2
NCPH 1
nsapck 2.3, 2.4, 3.1
Obsidium 1.0.0.69, 1.1.1.4
Packman UnKown
PCShrink 0.71
PC-Guard v5.0, 4.06c
PE Cryptor 1.5
PEBundle 2.3, 2.44, 3.0, 3.2
PE-Armor 0.46, 0.49, 0.75, 0.765
PECompact 1.x
PEDiminisher 0.1
PELock 1.06
PEncrypt 4
pepack 0.99, 1.0
PELockNt 2.01, 2.03, 2.04
PEtite 1.2, 1.3, 1.4, 2.2, 2.3
PKlite32 1.1
PolyCryptA UnKown
peshield 0.2b2
PESpin 0.3, 0.7, 1.1, 1.3
PEX 0.99
PolyCrypt PE 1.42
PUNiSHER 1.5
RLPack 1.1, 1.6, 1.7, 1.8
Rubbish 2
ShrinkWrap 1.4
SDProtector 1.12, 1.16
SLVc0deprotector 0.61, 1.12
SimplePack 1.0, 1.1, 1.2
SoftSentry 3.0
Stealth PE 1.01, 2.1
Stone's PE Encryptor 1.13
SVKP 1.11, 1.32, 1.43
ThemidaDemo 1.0.0.5
teLock 0.42, 0.51, 0.60, 0.70, 0.71, 0.80, 0.85, 0.90, 0.92, 0.95, 0.96, 0.98, 0.99
Upc All
Upack 0.1, 0.11, 0.12, 0.20, 0.21, 0.22, 0.23, 0.24, 0.25, 0.26, 0.27, 0.29, 0.30, 0.31, 0.32, 0.33, 0.34, 0.35, 0.36, 0.37, 0.38, 0.39, 0.399″
UPolyX 0.2, 0.5
UPX 0.51, 0.60, 0.61, 0.62, 0.71, 0.72, 0.80, 0.81, 0.82, 0.83, 0.84, 0.896, 1.0w, 1.03, 1.04, 1.25w, 2.0w, 2.02, 2.03, 3.03, UPX-Scrambler RC1.x
V2Packer 0.02
VisualProtect 2.57
Vprotector 1.2
WindCrypt 1.0
wwpack32 v1.20, v1.11, v1.12
WinKript 1
yoda's cryptor v1.1, v1.2
YZPACK 2.0
yoda's Protector v1.02, v1.03.2, v1.03.3, v1.0b
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Wildtangent unwrapper
Rating: 5.0 (1 vote)
Author: Nieylana                        
Website: http://www.accessroot.com
Current version: 2.4
Last updated: June 7, 2009
Direct D/L link: Locally archived copy
License type: Freeware
Description: Release URL
-----------
http://xchg.info/ARTeam/Tutorials/index.php?dir=ARTeam_Releases/&file=WildTangent_Unwrapper_v24_by_Nieylana.rar

WildTangent Unwrapper v2.4 by Nieylana
-------------------------------------


Features:
---------

- Applies patch at runtime to bypass multiple protection schemes (At layer 2).
- Able to unwrap WildTangent based games.
- Note: All games are now supported by the Unwrapper
- Automatically detects if overlay is present.
- Supports 3 types flash overlay (no game has been found to have the 4th type)
- FWS
- CWS
- 10JP
- Appends overlay to dumped file (if present)
- Compresses dumped file using UPX if required (10JP Overlays)
- Checks for delayed decryption of layer 3 (.pccode)
- Note: No games are known to have this ability, but a WT game is easily modable
(one byte) to allow the decryption of layer 3 to not occur until the play button
is pressed. WTLoader can detect this and will attempt to load these games as well.
- Automatically Generates a SKUInfo.ini file for each unwrapped game to ensure playability of the Dumped File
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Malzilla
Rating: 4.5 (2 votes)
Author: Boban bobby Spasic                        
Website: http://malzilla.sourceforge.net
Current version: 1.2.0
Last updated: November 2, 2008
Direct D/L link: http://malzilla.sourceforge.net/downloads.html
License type: Free / Open Source
Description: Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript aswell.
Also listed in: Javascript Debuggers, Javascript Deobfuscators, Javascript Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Generic Unpacker
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://ntcore.com/netunpack.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/NETUnpack.zip
License type:
Description: This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. This .NET Generic Unpacker was written in a couple of hours and despite of the fact that it's very simple, it might turn useful having it: otherwise you have to unpack manually, which is also very easy.
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)
Rating: 0.0 (0 votes)
Author: Nacho-Dj/ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.1
Last updated: September 23, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=43
License type: Free
Description: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)

Released Summer/2008

Features:
- Provides information about ActiveMARK protection on any file.
- Identifies the protection version.
- Unpacks & decrypts the content of any ActiveMARK protected file.
- Extraction of the main key
- Now it shows information about Only Buy / Trial Limited Version
- Information messages
- Allows an internal analysis of the content of every compressed file within the encrypted container.
- It works statically (none executable is launched).
- Detects automatically the language in your system. :)

How to use:
Select first any executable. Then you can decrypt any external file associated to it, using the Uncompress key.

Note: Any ActiveMARK encrypted file is similar to a .zip or .rar file, containing several files in its inside.

Coded & designed by Nacho_dj/ARTeam
Also listed in: Protection Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ArmInline
Rating: 0.0 (0 votes)
Author: Admiral                        
Website: N/A
Current version: 0.96ff
Last updated: November 30, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: ArmInline is an Armadillo unpacking tool designed specifically to deal with the many antidump features available with private builds of Armadillo v3.5-4.4, including Code Splicing, Nanomites and Import Elimination. For more details see the readme.

ArmInline was officially discontinued on 23/07/06.

Update (30/11/08):
In spite of the official 'dicontinued' status, I thought it wasteful not to publish the minor changes that were necessary to make the Nanomite handler Vista compatible.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ArmaGUI
Rating: 0.0 (0 votes)
Author: Spec0p                        
Website: N/A
Current version: 1.5.3
Last updated: August 16, 2006
Direct D/L link: N/A
License type: Free
Description: Armadillo unpacker.

Supported Armadillo options:
Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing


Main features:
Complete automatic recover and validation of nanomites, even the fake ones in the tables;
Complete automatic reinsertion of Strategic Spliced Code at the original location before exe was protected by Armadillo;
Complete rebuild of the dumped file, cleaning all the trash;
Complete rebuild of the IAT without the use of any extern tool;


Introduction & Disclaimer:
ArmaGUI unpacking tool for the commercial protector Armadillo from Silicon Realms Toolworks (http://siliconrealms.com/index.shtml), it supports most of the protection options offered by Armadillo since version 3.
It's coded in VC++ with MFC for GUI support with some inline asm, MFC is the explanation to the over bloated 212kb exe file, and its only tested on XP SP2, maybe it works on w2k3 too, forget anything bellow XP.
This project was started based on a "challenge" by crUsAdEr on the Woodmann excellent forum: http://www.woodmann.com/forum/showthread.php?t=6365
crUsAdEr said: "hopefully u wont spread it to everyone though cos unpackers itself doesnt teach ppl much.", and I agree with that, you DON'T learn by using unpackers. This tool is working for 1+ year now as private but suffered big and important updates along the way.
This tool WASN'T created to harm SRT in any way, Armadillo is a good product with some nice ideas.
It WAS created in the sequence of my desire to see if I was able to create an unpacker to some packer more complex than UPX, together with the challenge from crUsAdEr, learning was and will always be my main purpose.
I know the GUI isn’t very user friendly, but really I don't care, don't bother bashing me with that;
I know it crash's alot, my coding sucks, the code it's crappy and non optimized, really it's a mess, eventually it will hang ur PC;
I know it doesn't automatic detect the protection options, this happens because it wasn't my main objective. I focused on getting the hard stuff like Nanomites and IAT Elim, and when I was over, I realized that I had made the engine based on the options I specified and couldn't change it, and so it stays like that, and I actually don't care. If you don't like it, start writing a Options detector (its easy stuff), or keep the opinion to yourself;
If all this isn't a problem to you, then I hope you enjoy using the tool almost as I enjoyed creating it.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ArmaRaider
Rating: 0.0 (0 votes)
Author: Nieylana                        
Website: http://www.accessroot.com/arteam/site/download.php?view.315
Current version: 3.3
Last updated: January 22, 2010
Direct D/L link: N/A
License type: Free
Description: "Thanks to the virtual ArmAccess.DLL built into every copy of SoftwarePassport/Armadillo, this [patching the dll] is no longer even a theoretical threat,as long as you use it instead of the external file.", Chad Nelson.

ArmaRaider is designed to assist in the extraction and replacement of the Security.DLL built into each Armadillo protected application

Why? :
By being able to expose the Security DLL there are many things we can patch that will change the way the Armadillo shell reacts.

Possible Patches:
* Force an application to never 'expire'.
* The removal of HWID from keys,
* Re-enabling of the REGISTER/INFO command line parameters.
* Disabling ClockBack detection.

This is only a very small list of the patches made possible by ArmaRaider
What Raider Does Do:
1. ArmaRaider will statically unpack the security dll for you and save to disk
2. If the version of Armadillo does integrity checks on the DLL, these checks will be patched automatically by ArmaRaider (not static)
3. ArmaRaider will also statically replace the existing security DLL with a patched one

What Raider Doesn't Do:
ArmaRaider doesn't turn a person into a 'cracker' most of the work must still be done yourself (all the patches). ArmaRaider was built to assist in that process not do it for you. Therefore we are not responsible for evil usage you will do of this tool.

Versions known to Work:
ArmaRaider has been tested and found working on the following Armadillo versions:
* Tested version 3.75 (working)
* Tested version 4.30 (working)
* Tested version 4.40 (working)
* Tested version 4.43 (working)
* Tested version 4.66 (working)
* Tested version 5.02 (working)
* Tested version 7.00 (working)

This is not an all inclusive list, ArmaRaider may also work on version not listed above, these are just the ones that have been tested by the author.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is a LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host-fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dilloDIE
Rating: 0.0 (0 votes)
Author: mr_magic                        
Website: http://cip-re.6x.to
Current version: 1.6
Last updated: July 26, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This Tool can strip Armadillo Protection from protected Exes/Dlls.

Supports 3.xx and 4.xx versions.


Supported features:
-------------------

Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing


Known Issues:
-------------

VB Applications protected with the Import Elimination feature are not
supported.


Rebuilding:
-----------

Dumps are 100% working, but for aesthetic reasons one might want to remove
Armadillo Sections from Section header and its Data physically. This can
be done quite comfortable with the CFF Explorer or any simmilar PE Editor.

Armadillo Sections are usually called:

.text1
.adata
.data1
.pdata


Nanomites:
----------

Some things about Nanomites: dilloDIE will resolve all Nanomites correctly
for most Applications. There _might_ be apps though, which are somehow
obfuscated in some parts and dilloDIE will fail in properly detecting all
Nanomarkers, which are used to except Fake Nanomites. In this case one
should use the "Emulate" Option, which will cause dilloDIE not to resolve
Nanomites at unpacking time, but to inject a handler which resolves them at
execution time. Dumps using this handler will work on Windows XP and above
only though.

If Nanomites arent processed correcty, try to activate "Unpack in high
priority class". This should fix some windows internal timing issues.


Options:
--------

If a Dump ain't working correctly, you can try to change some Options.

Deactivate the Disassembler for any protection part if not everything gets
fixed properly (e.g. there are not all import references/nanomites/spliced
jumps fixed/resolved due to code obfuscation which will make the disassmbler
fuck things up).
Decrease or set the Max. Size for Spliced Code sections to 0 if a section
gets wrongly detected as spliced (just in case... or increase it to make
a bigger Spliced Code section to be detected properly.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotFuckScator
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: v1.3
Last updated: May 9, 2009
Direct D/L link: http://reteam.org/tools/tf35.zip
License type: Free
Description: DotFuckScator.V1.3

DotFuckScator is a reversing engineering tool used to remove string encryption
from dotfuscator protected files

If the original file was strong name signed DotFuckScator will create a new keypair
and re-sign the file with this pair, be carefull since file depending on this file will
need to be edited manualy to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also if you like the file re-signed with a specific key place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk
now DotFuckScator will use this key for the re-sign process.

Hope this tool is of any use

Changes:
* v1.1 has a minor bugfix that prevented some strings from proper decrypting
* v1.2 small bugfix in re-signing, added indicator to show the amount of
strings decrypted so far
* v1.3 Fixed royal fuck-up in string decryption code replacement function
meaning the output will now run after string decryption removal ;x
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNet Sniffer Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 2.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetSnifferWin32.msi
License type: Free
Description: dotNet Sniffer 2 uses the .NET profiler API to save assemblies loaded from memory. Once a module is handled by the .NET Framework, dotNet Sniffer saves it to disc if it was loaded from memory. Some tools are changing the module (decrypt methods ...) after loading; dotNet Sniffer allows you to save the module again during the execution of the first method (JIT). The profiler will be active only for the process to start; installing dotNet Sniffer will not affect the performance of other .NET programs. dotNet Sniffer 2 is available for 32-bit and 64-bit processors. 64-bit versions also install the 32-bit profiler and can save indifferently 32-bit and 64-bit processes. If you use 64-bit Windows, install only the 64-bit version suitable for your processor.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8. 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog Deobfuscator is a MSIL code optimizer that makes more readable obfuscated code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly.
Also listed in: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dumbassembly
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?13739-smartassembly-protection-analysis-unpacker-(with-source)
Current version: 0.5.8
Last updated: January 14, 2012
Direct D/L link: http://www.mediafire.com/?lunow30hx22wao1
License type: Open source
Description: DumbAssembly is an automatic unpacker for the RedGate SmartAssembly .NET protector. It supports versions of SmartAssembly up to 6.5.1 and removes the following protections:
* Code flow obfuscation
* Import obfuscation
* String encryption
* Resource encryption
* Assembly embedding and encryption
* Tamper detection

If the input assembly was signed, the unpacked assembly is automatically re-signed with a randomly generated (or manually specified) strong name key pair.

All occurrences of the original public key or public key token in the binary are replaced by the new ones.

The archive contains binaries and the complete source code.
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: FREN
Rating: 0.0 (0 votes)
Author: LLXX                        
Website: N/A
Current version: 1.0
Last updated: July 27, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: SWF Encrypt unprotector
Also listed in: Flash Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Game-music-extractor
Rating: 0.0 (0 votes)
Author: __sk                        
Website: N/A
Current version: 0.9
Last updated: February 24, 2009
Direct D/L link: Locally archived copy
License type: Who cares
Description: this will try to extract game music from any uncompressed clump files.
useage is gamemusi megafile
it works on dos and may take anywhere from 1-5 min to 1-5 hour
Also listed in: Unpacking Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GenericUnpacker
Rating: 0.0 (0 votes)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: GenericUnpacker is fully featured unpacker for some
simple packers. It uses driver to hook int 0E and
trace execution of the program silently.

Driver also installs hook in ntos!SwapContext to
know when to activate/deactivate memory breaks.
Due to this hook driver is system specific, and
supports only win2k and winxp.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: jsunpack
Rating: 0.0 (0 votes)
Author:                         
Website: http://jsunpack.jeek.org
Current version: 0.3.2c
Last updated: June 2, 2010
Direct D/L link: N/A
License type: Free / Open Source
Description: A Generic JavaScript Unpacker.

jsunpack emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities.

It accepts many different types of input:

* PDF files - samples/sample-pdf.file
* Packet Captures - samples/sample-http-exploit.pcap
* HTML files
* JavaScript files
* SWF files
Also listed in: Javascript Deobfuscators, Javascript Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pokas x86 Emulator for Generic Unpacking
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://sourceforge.net/projects/x86emu/
Current version: 1.0.0.0
Last updated: July 18, 2010
Direct D/L link: Locally archived copy
License type: GPL
Description: Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon ith the help of your feedback.

It still doesn't support multithreading and doesn't support Linux ELF executables.
It's still working only on windows but the Linux version will be available soon.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog LicenseManagerKiller Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/LicenseManagerKillerWin32.zip
License type: Free
Description: The purpose of PvLog LicenseManagerKiller is to warn against the inefficiency of managing licenses in 100% managed code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly. This tool is rudimentary and releases only most naive protections, but you can imagine that PvLog DeObfuscator and Reflector would allow a determined attacker to remove more sophisticated license controls.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Quick Unpack
Rating: 0.0 (0 votes)
Author: Feuerrader / Archer                        
Website: http://qunpack.ahteam.org
Current version: 2.2
Last updated: July 14, 2009
Direct D/L link: http://tport.org/releases/tools/Quick_Unpack_2.2.Tool.tPORt.rar
License type: Free
Description: The program is intended for fast (in a few seconds) unpacking of packers and simple protectors.

Quick Unpack tries to bypass all possible scramblers/obfuscators and restores redirected import. From the version 1.0 the opportunity of unpacking dll is added. From the version 2.0 the attach process feature added which allows to use Quick Unpack as a dumper and import recoverer. Scripts are also supported from version 2.0 which allows unpacking of more complicated protections. This makes Quick Unpack a unique software product which has no similar analogues in the world!

Use force unpacking tick. When the application is run QuickUnpack waits for the OEP breakpoint to trigger. But sometimes this breakpoint may be triggered several times but only the last one is the correct OEP. Using ForceMode option solves this problem. With this option after the application is run QuickUnpack counts breapoint hits and dumps the application only at the last stop. For DLL-files this option is always ticked and allows to restore relocs.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: QuickUnpack DLL
Rating: 0.0 (0 votes)
Author: Shub-nigurrath                        
Website: http://www.woodmann.com/forum/showthread.php?t=6295
Current version: 1.2
Last updated: August 31, 2004
Direct D/L link: Locally archived copy
License type: Free
Description: This fine release is a Dll version of the already released QUnpack program, from FEUERRADER of AHTeam (http://www.exetools.com/forum/showthread.php?t=4611&page=1&pp=15).

What I did is to transform it into a DLL and to improve the whole code robustness and functionality.

The main purpose of such a DLL is to create complex patchers that would unpack on the fly the programs on the target PC, then apply byte changes to crack the program. Of course is much more useful where inline patching is not possible.

What it does:
-------------
The Dll works almost as the original Qunpack program. Essentially what is done is:

• set some hardware breakpoint into the debugged process
• find the OEP, using some custom method (if the target program is packed by FSG 1.33, ASPack 2.12 or UPX 1.2x, the OEP is found using an own technology) or the code of the GenOEP.dll (included inside)
• dump process to previously allocated buffer.
• rebuild dump and realign it.
• rebuild the import table (using some code taken from ImpRec)

How to use in your own program:
-------------------------------
This is the protototype of the main function:

int __stdcall UnpackFile(char* InName, char* OutName, BOOL AutoOEP, DWORD realOEP, char **pLog_buff);


Here below instead a code sniplet of how to use the DLL in you programs:

#################################################
char *infile_buff=NULL; // it's the buffer pointing to the file to be unpacked
char *outfile_buff=NULL; // it's the buffer pointing to the file where to store unpacked file.
char *log_buff=NULL; // it's the buffer storing the log.
BOOL autoOEP=TRUE;
DWORD realOEP=FALSE;

//TODO: Init above buffers and values as you want..

UnpackFile(infile_buff, outfile_buff, autoOEP, realOEP, &log_buff);

// Writes to a file the log_buff filled and allocated by the UnpackFile API!
// Note that the main program has to wait untill the threads launched by
// UnpackFile() is terminated.
// GetLog() returns a not NULL value only when the hard work is finished.
// You might consider placing this loop into a separate thread of the main
// application, just not to block the user interface too long.
// NB. Remember to free the allocated buffer!

while(GetLog(NULL)==NULL);

FILE *fp=NULL;
if(log_buff!=NULL)
if((fp=fopen(".\\Unpacking_log.txt","w"))!=NULL) {
fprintf(fp,log_buff);
free(log_buff); //really important, remember to free the buffer!
log_buff=NULL;
fclose(fp);
fp=NULL;
}
#################################################

Help function:
--------------
whenever you choose to pass the OEP to the function directly, usually you might have to convert it from a string representation to a real HEX value (usually it's inserted from an edibox).
Just for reference you might use this function that converts an hex value from string representation:

#################################################
//added to convert an exadecimal string to an hex value
unsigned char HEX_2_INT_TABLE[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

int hexstr2int(char *hexstr) {
register unsigned int length, i, value, shift;
for (length = 0; length < 9; length++) if (!hexstr[length]) break;
shift = (length - 1) * 4;
for (i = value = 0; i < length; i++, shift -= 4) value += HEX_2_INT_TABLE[(unsigned int)hexstr[i] & 127] << shift;
return value;
}
#################################################

Belongs and Greetings:
----------------------
The DLL contains the code coming from some already existing DLLs. Those DLLs have been transformed into library files and directly linked to the Qunpack.dll to reduce external files dependency.
Those files are
• NDump.dll and RebPE32.dll which belongs to NEOx [uinC].
• GenOEP.dll by snaker
• Force.dll by FEUERRADER

Thanks again to FEUERRADER and to AHTeam members.

History:
--------

* 1.0 [+] initial release
* 1.1
o [-] fixed a bug when realOEP is given
o [+] added some details in the log file
o [+] modified the little client
o [+] modified the readme and added some more explanations
* 1.2 [+] eliminated the need for any external dll, now Qunpack.dll can works without any external dll
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: REZiriz
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated: August 28, 2007
Direct D/L link: http://www.reteam.org/tools/tf33.zip
License type: Free
Description: REZiriz is a unpacker for Eziriz .NET Reactor > v3.1.x.x

Also added support to remove NecroBits protection that prevents
the decompilation of unpacked assemblys
And support to unpack v3.3.1.1 of Eziriz .NET Reactor

Unpacker features:
---------------------------
[*] Unpacking Eziriz .NET Reactor v3.3.1.1
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

[*] Added NecroBit Protection Remover
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflexive games Unwrapper
Rating: 0.0 (0 votes)
Author: eraser                        
Website: http://arteam.accessroot.com/releases.html
Current version: 1.3
Last updated: January 23, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: unWrapper for the games protected by 'ReflexiveGameWrapper'
created by eraser, May/2007

http://www.reflexive.com/

devoted to ARTeam, thx anorganix and Shub-Nigurrath [ARTeam]

Version 1.3:
------------
The new v1.3 (TASM) of Reflexive Unwrapper is distributed with a special one (MASM) v1.0 which also supports Win9x/ME. Win9x is dead but not for everyone and of course the source code is included so anyone can take a look how to set BP on API in Win9x/ME, hmm an educational purpose.
File doc\history.txt included in both the two versions.

--- TEST notes ---

Win9x/ME supported!

tested on: MS Windows 2000 SP4, thx Arab3h
tested on: MS Windows XP Professional SP2

05-22-2007
games: Scrubbles, War Chess, Rocket Bowl, Alien Shooter, Sheeplings,
Scavenger, Egyptoid, Aztec Bricks

05-23-2007
games: Naval Strike, Mirror Magic, Wild West Billy, After The End, Brickquest,
Devastation Zone Troopers, Law And Order The Vengeful Heart

Dungeon Scroll Gold Edition
unwrap and replace the bytes with 0100 0001 100E 0000 at offset 0x4DF9C

05-25-2007
games: Pizza Panic, Magic Ball 2, Magic Ball 3, Magic Ball 2 New Worlds,
Mystery Case Files Ravenhearst, Zombie Smashers X2, Pipeline, Westward

05-29-2007
games: Little Shop Of Treasures, Big Kahuna Reef, Slingo, Temple of Bricks,
Bricks of Egypt, Bricks of Atlantis, WW2 Pacific Heroes, Yahtzee

06-03-2007
games: Mysteriwille, Death on The Nyle

06-05-2007
games: Amazonia, AstroAvenger, Jets N Guns GOLD, Project Xenoclone,
Rage Of Magic 2, Rikki And Mikki To The Rescue, Roman Bowl,
Age of Castles (thx GEEK)

06-21-2007
games: The Dark Legions (thx npad69), Alice Greenfingers, Bullet Candy,
FastCrawl (MS .NET Framework), Ancient Hearts And Spades, Neon Wars

07-01-2007
games: Puzzle Detective (thx Ghandi),
80 days, Venice, Secrets of Great Art, The Magicians Handbook,
Chocolatier (thx SSlEvIN), Mexican Motor Mafia

04-16-2008
games: Yahtzee Texas Hold Em (RWG file is replaced with Raw_001.exe), Penguins Journey,
Westward II Heroes Of The Frontier, Astro Avenger 2




usage (default)
1. run unwrapper.exe and select a target/game
2. click on 'Play Game' button within 10 seconds
3. run *.RWG.exe file in the game's folder

note: .RWG file can also be replaced by, e.g., an .exe file (supported)

example (Alien Shooter)
1. install the game e.g. into "D:\games\Alien Shooter"
2. run unwrapper.exe
3. select "D:\games\Alien Shooter\AlienShooter.exe"
4. click on 'Play Game' button
5. delete/move/backup files AlienShooter.exe and AlienShooter.RWG
6. rename AlienShooter.RWG.exe to AlienShooter.exe
7. delete all files from "D:\games\Alien Shooter\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run AlienShooter.exe

example (Yahtzee Texas Hold Em)
1. install the game e.g. into "D:\games\Yahtzee Texas Hold Em"
2. run unwrapper.exe
3. select "D:\games\Yahtzee Texas Hold Em\YahtzeeTexasHoldEm.exe"
4. click on 'Play Game' button
5. delete/move/backup files YahtzeeTexasHoldEm.exe and Raw_001.exe
6. rename Raw_001.exe.exe to YahtzeeTexasHoldEm.exe
7. delete all files from "D:\games\Yahtzee Texas Hold Em\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run YahtzeeTexasHoldEm.exe


--- RE notes ---

game.exe - loader/decrypter
game.rwg - encrypted game (optional)

CreateProcess, game.rwg, CREATE_SUSPENDED
ReadProcessMemory, read encrypted chain from game.rwg at BaseAddress
decryption...
WriteProcessMemory, write decrypted chain into game.rwg at BaseAddress
ResumeThread, execute game.rwg

----------------
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Smartassassin
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 1.0
Last updated: September 4, 2008
Direct D/L link: http://www.reteam.org/tools/tf34.zip
License type: Free
Description: {smartassassin} is a reversing engineering tool used to remove string encryption from {smartassembly} protected files, its also possible to decompress resources compressed by {smartassassin}.

If the original file was strong name signed {smartassassin} will create a new keypair and re-sign the file with this pair, be carefull since file depending on this file will need to be edited manaualy to support the new strong name signature. You can use RE-Sign for this and the editor of your choice.

Also if you like the file re-signed with a specific key place your key in the same folder as the file you are about to process and rename it to {smartassassin}.snk now {smartassassin} will use this key for the re-sign process.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: swfdecrypt
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?t=11720
Current version: 1.1
Last updated: September 28, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Unpacker for the commercial SWF Encrypt 4.0 Flash protection program (http://www.amayeta.com/software/swfencrypt).
Also listed in: Flash Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: The Xenocode Solution
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated:
Direct D/L link: http://www.reteam.org/tools/tf32.zip
License type: Free
Description: The Xenocode Solution is a unpacker that works for all Xenocode products.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: UnPECompact2 (MadMickael version)
Rating: 0.0 (0 votes)
Author: MadMickael                        
Website: N/A
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Automatic unpacker for files protected with PECompact 2.x.

There is a similar tool with the same name, created by smola.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: UnPECompact2 (smola version)
Rating: 0.0 (0 votes)
Author: smola                        
Website: N/A
Current version: 0.2
Last updated: April 15, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Automatic unpacker for files protected with PECompact 2.x.

There is a similar tool with the same name, created by MadMickael.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Windows Script Decoder
Rating: 0.0 (0 votes)
Author: Mr Brownstone                        
Website: http://www.virtualconspiracy.com/content/scrdec/intro
Current version: 1.8
Last updated: April 10, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: The Windows Script Encoder (screnc.exe) is a Microsoft tool which can be used to encode your scripts (i.e. JScript, ASP pages, VBScript). Yes: encode, not encrypt. The use of this tool is to be able to prevent people from looking at, or modifying, your scripts. Microsoft recommends using the Script Encoder to obfuscate your ASP pages, so in case your server is compromised the hacker would be unable to find out how your ASP applications work.

The Windows Script Decoder is a tool that I wrote which can be used to decode all scripts that have been encoded with the Windows Script Encoder.

Please note that this program was originally written to demonstrate the ease of a cryptoanalysis attack against a tool like the Windows Script Encoder. Nowadays, script encoding is used often to hide malicious scripting commands and the script decoder can be very useful to uncover the original code. Do not use this tool to violate copyright. That's not what it is meant for.
Also listed in: Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 2 subcategories to this category.


Retrieved from "http://www.woodmann.com/collaborative/tools/index.php/Category:Automated_Unpackers"



Views
Category Navigation Tree
RCE Tools
   Categorized by Target Type  (235)
   Categorized by Tool Type  (1196)
   Anti Anti Test Tools  (16)
   Assemblers  (19)
   Code Coverage Tools  (13)
   Code Injection Tools  (35)
   Code Ripping Tools  (2)
   Crypto Tools  (13)
   Data Extraction Tools  (24)
   Debuggers  (47)
   Decompilers  (27)
   Deobfuscation Tools  (16)
   Dependency Analyzer Tools  (5)
   Diff Tools  (44)
   Disassemblers  (65)
   Dongle Analysis Tools  (24)
   Exe Analyzers  (39)
   Executable File Editors & Patchers  (92)
   Firefox Extensions  (3)
   GUI Manipulation Tools  (18)
   Hardware Reversing Tools  (24)
   Helper Tools  (3)
   Hex Editors  (12)
   IDA Signature Creation Tools  (5)
   Kernel Tools  (13)
   Memory Data Tracing Tools  (7)
   Memory Patchers  (6)
   Memory Search Tools  (7)
   Monitoring Tools  (130)
   Network Tools  (19)
   Packers  (18)
   Patch Packaging Tools  (12)
   Profiler Tools  (11)
   Programming Libraries  (45)
   Regular Expression Tools  (3)
   Resource Editors  (13)
   Reverse Engineering Frameworks  (8)
   Source Code Tools  (11)
   String Finders  (5)
   Symbol Tools  (11)
   System Information Extraction Tools  (9)
   Technical PoC Tools  (8)
   Test and Sandbox Environments  (22)
   Tool Extensions  (169)
   Tool Hiding Tools  (7)
   Tool Signatures  (17)
   Tracers  (19)
   Unpacking Tools  (80)
   Automated Unpackers  (33)
   Dump Fixers  (4)
   IAT Restore Tools  (6)
   Memory Dumpers  (23)
   OEP Finders  (6)
   Needs New Category