From Collaborative RCE Tool Library


Unpacking Tools


Tool name: ap0x Unpack Engine SDK
Rating: 5.0 (1 vote)
Author: ap0x                        
Website: http://ap0x.jezgra.net/sdk.html
Current version: 1.5
Last updated: May 20, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: This unpack engine covers everything one unpacker needs.

Features:

Integrated x86/x64 debugger
Integrated x86/x64 disassembler
Integrated memory dumper
Integrated import tracer & fixer
Integrated relocation fixer
Integrated file realigner
Functions to work with TLS, Resources, Exports,…

The SDK is free and can be used by anyone, but make sure you mention my name or include logo.bmp somewhere in the About dialog.

Protections have evolved over the last few years, but so have the reversers' tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers, this process hasn't evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such a fashion that writing unpackers mimics the analyst's manual unpacking process. The basic set of libraries, which would later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With guided execution and a set of callbacks, these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection's execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached, the file gets dumped to disk and fixed so that it resembles the original to as great a degree as possible. In this fashion the problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure and, in some cases, the fastest available method.

TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking: TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will only ease its integration into existing solutions and enable the creation of new ones suiting different project needs.


SDK v.1.5
- Added C SDK
- Updated Delphi and MASM SDK
- Fixed all .dll LIB files in Engine folder
- Fixed memory problems for all modules
- Tested on over 100+ unpackers built on it!
- Listing major changes only...

v.1.7 [Debugger.dll]
- Added new API: GetExitCode
- Added new API: DebugLoopEx
- Added new API: GetDebugData
- Added new API: AttachDebugger
- Added new API: DetachDebugger
- Added new API: GetTerminationData
- Added new API: LengthDisassembleEx
- Added new API: GetDebuggedDLLBaseAddress
- Added new API: GetDebuggedFileBaseAddress
- Fixed: CommandLine parameter passing for InitDebug
- Fixed: Wrong hex to dec conversion for some numbers
- Fixed: LengthDisassemble crashing while getting length for some addresses
- Fixed: Not releasing open handles for some files

v.1.6 [Dumper.dll]
- Added new API: IsFileDLL
- Added new API: DumpProcessEx
- Added new API: PastePEHeaderEx
- Added new API: DeleteLastSection
- Added new API: SetSharedOverlay
- Added new API: GetSharedOverlay
- Added new API: StaticLengthDisassemble
- Fixed: Crashes related to overlay when trying to extract the overlay
- Fixed: ConvertVAtoFileOffset not converting addresses correctly with some files
- Fixed: Crashes with PastePEHeader when PE32 header is not below 0x1000
- Fixed: Not releasing open handles for some files

v.1.6 [Importer.dll]
- Added new API: ImporterAutoSearchIATEx
- Added new API: ImporterGetRemoteAPIAddress
- Added new API: ImporterRelocateWriteLocation
- Added new API: ImporterGetDLLNameFromDebugee
- Fixed: ImporterGetAPINameFromDebugee not returning names for APIs
- Fixed: ImporterFindAPIWriteLocation returning wrong values if API is not found

v.1.1 [Tracer.dll]
- Added support for following redirections: SVK Protector 1.x, tELock 0.8x-0.99
- Fixed: Memory leak for tracing large amount of data in the same session
- Improved tracing for all levels (added a trace into near jumps)

v.1.0 [Realigner.dll]
- Added new API: RealignPE
- Added new API: IsPE32FileValid

v.1.0 [Relocater.dll]
- Added new API: RelocaterInit
- Added new API: RelocaterAddNewRelocation
- Added new API: RelocaterExportRelocation
- Added new API: RelocaterChangeFileBase
- Added new API: RelocaterEstimatedSize
- Added new API: RelocaterMakeSnapshoot
- Added new API: RelocaterCompareTwoSnapshots
- Added new API: RelocaterGrabRelocationTable
- Added new API: RelocaterGrabRelocationTableEx

v.1.1 [HideDebugger.dll]
- Added check for Windows version before patching APIs
- Fixed: ASLR and Vista compatibility (Importer must be present)

v.1.2 [Updater.dll]
- Added return value to UpdateEngine
- Added support for Tracer.dll updating
- Added support for Realigner.dll updating
- Added support for Relocater.dll updating
- Changed update location to http://www.reversinglabs.com/
Also listed in: (Not listed in any other category)



Tool name: ArmaGeddon
Rating: 5.0 (2 votes)
Author: ARTeam                        
Website: http://arteam.accessroot.com/releases.html
Current version: 2.2 for win 7 32 bit
Last updated: November 25, 2014
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.262
License type: Free
Description: Armageddon is an educational "Armadillo" unpacking tool designed specifically for testing Unpackmes using the many protection features available in versions 4.66 through 9.64 32-bit Professional Edition.

Tested on:
Various Unpackmes protected by versions 4.66 through 9.64.
Support for Windows 7 32 bit. If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2013 Redistributable Package (x86) available here: Visual C++ Redistributable Packages for Visual Studio 2013

New BeaEngine.dll replaces RDisasm.dll for disassembling instructions.
Win 7 support for 32-bit applications.
Window Caption (EnumWindows) Hide Window Support provided automatically.
Armadillo Version support has been removed.

Special Advisory

It is strongly recommended to run this tool with Administrative privileges.
It is strongly recommended that you disable any antivirus (AV) programs, possibly Malware programs and game managers running in the background prior to using this tool.
Alternately, you may try excluding this tool's process (Armageddon.exe) AND any target Unpackme.exe process from your AV / Malware application before using!!

Alternately, you may try to run this application in Safe Mode due to anti-virus / malware programs.

Key features

Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
Randomized PE section names
Shockwave Flash + applications that utilize overlays (minimize size option required)
Hardware locking (Standard / Enhanced Fingerprint support)
DLL support:
Requires included dll loader.exe to load the target dll

Full imports rebuilding:
ARTeam Import Reconstructor ARImpRec.DLL - 1.8.0 Beta by Nacho_dj.

Nanomites:
Armadillo Nanomites Fixer v1.2 [Public Release] and ArmNF.dll version 1.2 by NeVaDa which is supported internally.
Also listed in: Automated Unpackers



Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors, compilers + unpack info + internal exe tools.
Internal ripper for zip, rar, Flash swf, GFX (bmp/jpg/png/gif), cab, msi, bzip, ...
Colored disassembler, Delphi form viewer, zlib unpacker v1.2.8, .NET exe info.
Internal detector for non-executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers



Tool name: GUnPacker
Rating: 5.0 (1 vote)
Author: HI.GUnPacker@Gmail.COM                        
Website: N/A
Current version: 0.4
Last updated:
Direct D/L link: Locally archived copy
License type:
Description: Generic unpacker supporting packers below

ACProtect 1.09, 1.32, 1.41, 2.0
AHPack 0.1
ASPack 102b, 105b, 1061, 107b, 1082, 1083, 1084, 2000, 2001, 21, 211c, 211d, 211r, 212, 212b, 212r
ASProtect 1.1, 1.2, 1.23RC1, 1.33, 1.35, 1.40, SKE.2.11, SKE.2.1, SKE.2.2, 2.3.04.26, 2.4.09.11
Alloy 4.1, 4.3
alexprot 1.0b2
Beria 0.07
Bero 1
BJFNT 1.2, 1.3
Cexe 10a, 10b
DragonArmor 1
DBpe 2.33
EPPort 0.3
eXe32Pack 1.42
EXECrypt 1
eXeStealth 2.75a, 2.76, 2.64, 2.73, 2.76, 3.16
ExeSax 0.9.1
eXPressor 1.4.5.1, 1.3
FengYue'Dll unknown
FSG 1.33, 2.0, fsg2.0bart, fsg2.0dulek
GHF Protector v1.0
Krypton 0.2, 0.3, 0.4, 0.5
Hmimys Packer Unknown
JDProtect 0.9, 1.01, 2.0
KByS unknown
MaskPE 1.6, 1.7, 2.0
MEW 11, 1.0/1.2, mew10, mew11_1.2, mew11_1.2_2, mew5
molebox 2.61, 2.65
morphine 2.7
MKFpack 1
Mpress Unknown
Mucki 1
neolite 2
NCPH 1
nspack 2.3, 2.4, 3.1
Obsidium 1.0.0.69, 1.1.1.4
Packman Unknown
PCShrink 0.71
PC-Guard v5.0, 4.06c
PE Cryptor 1.5
PEBundle 2.3, 2.44, 3.0, 3.2
PE-Armor 0.46, 0.49, 0.75, 0.765
PECompact 1.x
PEDiminisher 0.1
PELock 1.06
PEncrypt 4
pepack 0.99, 1.0
PELockNt 2.01, 2.03, 2.04
PEtite 1.2, 1.3, 1.4, 2.2, 2.3
PKlite32 1.1
PolyCryptA Unknown
peshield 0.2b2
PESpin 0.3, 0.7, 1.1, 1.3
PEX 0.99
PolyCrypt PE 1.42
PUNiSHER 1.5
RLPack 1.1, 1.6, 1.7, 1.8
Rubbish 2
ShrinkWrap 1.4
SDProtector 1.12, 1.16
SLVc0deprotector 0.61, 1.12
SimplePack 1.0, 1.1, 1.2
SoftSentry 3.0
Stealth PE 1.01, 2.1
Stone's PE Encryptor 1.13
SVKP 1.11, 1.32, 1.43
ThemidaDemo 1.0.0.5
teLock 0.42, 0.51, 0.60, 0.70, 0.71, 0.80, 0.85, 0.90, 0.92, 0.95, 0.96, 0.98, 0.99
Upc All
Upack 0.1, 0.11, 0.12, 0.20, 0.21, 0.22, 0.23, 0.24, 0.25, 0.26, 0.27, 0.29, 0.30, 0.31, 0.32, 0.33, 0.34, 0.35, 0.36, 0.37, 0.38, 0.39, 0.399
UPolyX 0.2, 0.5
UPX 0.51, 0.60, 0.61, 0.62, 0.71, 0.72, 0.80, 0.81, 0.82, 0.83, 0.84, 0.896, 1.0w, 1.03, 1.04, 1.25w, 2.0w, 2.02, 2.03, 3.03, UPX-Scrambler RC1.x
V2Packer 0.02
VisualProtect 2.57
Vprotector 1.2
WindCrypt 1.0
wwpack32 v1.20, v1.11, v1.12
WinKript 1
yoda's cryptor v1.1, v1.2
YZPACK 2.0
yoda's Protector v1.02, v1.03.2, v1.03.3, v1.0b
Also listed in: Automated Unpackers



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 0.9.7
Last updated: March 3, 2014
Direct D/L link: http://www.radare.org/get/radare2-0.9.7.tar.xz
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix philosophy in mind. Each module, plugin and tool performs a specific task, and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc. Everything is mapped onto a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers



Tool name: Reflexil
Rating: 5.0 (1 vote)
Author: Sebastien Lebreton                        
Website: http://reflexil.net
Current version: 1.2
Last updated: March 7, 2011
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, a great tool for .NET developers. Reflexil uses Mono.Cecil, written by Jb Evain, and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
Also listed in: .NET Disassemblers, .NET Executable Editors, .NET MSIL Dumpers, .NET Signature Changers, .NET Signature Removers



Tool name: Rohitab API Monitor
Rating: 5.0 (1 vote)
Author: Rohitab Batra                        
Website: http://www.rohitab.com/apimonitor
Current version: v2 (Alpha-r13)
Last updated: March 14, 2013
Direct D/L link: http://www.rohitab.com/downloads
License type: Freeware
Description: API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API definitions for over 15,000 APIs from 200 DLLs and over 17,000 methods from 1,800+ COM interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc.)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification
Also listed in: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools



Tool name: Universal Import Fixer
Rating: 5.0 (1 vote)
Author: Magic_h2001                        
Website: http://magic.shabgard.org
Current version: 1.2
Last updated: February 23, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Universal Import Fixer
======================
Use this tool for fixing Import Elimination, Directly Imports and
Shuffled, Disordered, Scattered Imports (Just for 32 bit processes).

So you can use this tool for changing IAT Base Address and Sorting IATs
in New (other) Address.

Tested on:
==========
Armadillo
ASProtect
Enigma
ExeCryptor
eXPressor
PeSpin
RlPack
VMProtect
TheMida
WinLicense

and any protector with Import Elimination, Directly Imports and
Shuffled, Disordered, Scattered Imports.

Notes:
======
This tool is an Import Fixer (not an Import Rebuilder like ImpRec etc.) and just works
in the memory of the target process. Don't tell me how to use this tool... if you can
not use this simple tool, plz DRAG IT TO THE RECYCLE BIN, ok?

Always first use UIF then Dump target process.

UIF can fix actual APIs; don't use it for fixing Emulated/Redirected APIs to the
protector's stub. You must use UIF after fixing the Magic IAT jump
(or using any other method) to convert Emulated/Redirected APIs to actual APIs.

Samples:
========
Armadillo  : Import Elimination
ASProtect  : Directly Imports
Enigma  : Shuffled, Disordered, Scattered Imports
ExeCryptor : Scattered Imports in Protector Stub
eXPressor  : Directly Imports
PeSpin  : Directly, Shuffled, Disordered, Scattered Imports
RlPack  : Shuffled, Disordered, Scattered Imports
VMProtect  : Directly Imports
TheMida  : Directly Imports
WinLicense : Directly Imports



How to use :
============
1. Fill <Process ID> with the target Process ID.

2. Fill <Code Start> with the start address (Virtual Address) of the code that you want to fix.
If you fill it with ZERO, UIF will fill it automatically.

3. Fill <Code End> with the end address (Virtual Address) of the code that you want to fix.
If you fill it with ZERO, UIF will fill it automatically.

4. Fill <New IAT VA> with the address (Virtual Address) of an empty or unused area
(in the Code section or Data section or any...) that the IAT will be repaired to.
If you fill it with ZERO, UIF will fill it automatically.

You can also fill <Code Start> and <Code End> with a DLL address area; UIF will
detect it automatically.


for Fast Speed:
===============
- After clicking on <Start> you can minimize UIF to the taskbar.
- Just enter the code section start and end (.text section etc.).
- Don't check "Fix Directly Imports" if you don't need it.

History:
========
v1.2 FINAL update (2009.02.23):
===============================
+Speed Optimized again.
+Some methods added for better detecting ImageBase and ImageSize.
+UIF disassembler updated for other MOV opcodes (C7Cx). (Thx to LCF-AT)

v1.2 FINAL update (2008.12.31):
===============================
+Code improved for better processing invalid ImageBase,ImageSize and invalid PE.
+Some small changes for more Compatibility/Stability.
-PSAPI library removed from UIF engine (shit library with many bugs).

v1.2 FINAL update (2008.06.15):
===============================
+Code Optimized again for better result.
+UIF.dll released (for using UIF in other applications).
Coded with pure API, very fast and small in size.

v1.2 FINAL update (2008.04.24):
===============================
+Fast Speed option added.

v1.2 FINAL (2008.04.19):
========================
+Now UIF can process Ring0 Hooked APIs (KAV,ZoneAlarm,... etc).
-Minor Bugs fixed.

v1.2 Stable (2008.04.04):
=========================
+Algorithm improved for Fast Speed.
-Option 'Main exe Exports' removed (now UIF can detect it automatically)
-Option 'Fix NtDll to Kernel32' removed (now UIF can detect it automatically)
-Minor Bugs fixed.

v1.0 Final+ (2008.03.21):
=========================
+Code Optimized for Fast Speed.
+Always OnTop Added.
+Tested again on many targets:
(TheMida,WinLicense,Armadillo,ASProtect,Enigma,eXPressor,PeSpin,...)
-Bug fixed in Fixing Directly Imports in Delphi,BCB,VC(MFC) Applications.

v1.0 Final update (2008.02.23):
===============================
+Algorithm improved for better fixing Directly imports.
+Show modules count and progress in StatusBar.
-GUI bug fixed on large fonts >=120 dpi.

v1.0 Final update (2008.01.15):
===============================
-Some small bugs fixed.
+Algorithm improved for very big IAT size.
+Auto fill improved for detecting dlls correctly.

v1.0 Public (2008.01.12):
=========================
First public release...

v1.0 Private (2005.02.23):
==========================
For personal use...
Also listed in: IAT Restore Tools



Tool name: Wildtangent unwrapper
Rating: 5.0 (1 vote)
Author: Nieylana                        
Website: http://www.accessroot.com
Current version: 2.4
Last updated: June 7, 2009
Direct D/L link: Locally archived copy
License type: Freeware
Description: Release URL
-----------
http://xchg.info/ARTeam/Tutorials/index.php?dir=ARTeam_Releases/&file=WildTangent_Unwrapper_v24_by_Nieylana.rar

WildTangent Unwrapper v2.4 by Nieylana
-------------------------------------


Features:
---------

- Applies patch at runtime to bypass multiple protection schemes (At layer 2).
- Able to unwrap WildTangent based games.
- Note: All games are now supported by the Unwrapper
- Automatically detects if overlay is present.
- Supports 3 types of flash overlay (no game has been found to have the 4th type)
- FWS
- CWS
- 10JP
- Appends overlay to dumped file (if present)
- Compresses dumped file using UPX if required (10JP Overlays)
- Checks for delayed decryption of layer 3 (.pccode)
- Note: No games are known to have this ability, but a WT game is easily modable
(one byte) to allow the decryption of layer 3 to not occur until the play button
is pressed. WTLoader can detect this and will attempt to load these games as well.
- Automatically Generates a SKUInfo.ini file for each unwrapped game to ensure playability of the Dumped File
Also listed in: Automated Unpackers



Tool name: LordPE
Rating: 4.5 (4 votes)
Author: y0da                        
Website: N/A
Current version: 1.41 (Deluxe b)
Last updated: September 30, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...
Also listed in: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers



Tool name: Malzilla
Rating: 4.5 (2 votes)
Author: Boban bobby Spasic                        
Website: http://malzilla.sourceforge.net
Current version: 1.2.0
Last updated: November 2, 2008
Direct D/L link: http://malzilla.sourceforge.net/downloads.html
License type: Free / Open Source
Description: Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try to deobfuscate JavaScript.
Also listed in: Javascript Debuggers, Javascript Deobfuscators, Javascript Unpackers



Tool name: WinHex
Rating: 4.5 (2 votes)
Author: Stefan Fleischmann                        
Website: http://www.x-ways.net/winhex
Current version: 15.6
Last updated: March 1, 2010
Direct D/L link: http://www.x-ways.net/winhex.zip
License type: Shareware
Description: WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features include (depending on the license type):

* Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
* Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
* Built-in interpretation of RAID systems and dynamic disks
* Various data recovery techniques
* RAM editor, providing access to physical RAM and other processes' virtual memory
* Data interpreter, knowing 20 data types
* Editing data structures using templates (e.g. to repair partition table/boot sector)
* Concatenating and splitting files, unifying and dividing odd and even bytes/words
* Analyzing and comparing files
* Particularly flexible search and replace functions
* Disk cloning (under DOS with X-Ways Replica)
* Drive images & backups (optionally compressed or split into 650 MB archives)
* Programming interface (API) and scripting
* 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
* Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
* Import all clipboard formats, incl. ASCII hex values
* Convert between binary, hex ASCII, Intel Hex, and Motorola S
* Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
* Instant window switching. Printing. Random-number generator.
* Supports files >4 GB. Very fast. Easy to use. Extensive online help.
Also listed in: Binary Diff Tools, Hex Editors, Memory Dumpers, Memory Patchers, Memory Search Tools



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors



Tool name: Anolis Resourcer
Rating: 4.0 (1 vote)
Author: AnolisFX                        
Website: http://anol.is/
Current version: 0.9.0 Beta
Last updated: September 1, 2009
Direct D/L link: http://www.deviantart.com/download/116235998/Anolis_Resourcer_by_AnolisFX.zip
License type: GPL
Description: Anolis Resourcer is a flexible Resource Hacker that exceeds the venerable ResHacker's capabilities in many areas, including support for x64 executables, Vista and Windows 7's MUI files, and 256x256 PNG icon support.


On 2009-05-21 -- The release fixes a number of issues and adds a Batch Export feature which will be of use to people wanting to make custom resources for programs like Windows Media Player.

On 2009-05-26 -- This fixes a critical race condition in the 3428 build. The zip archive now contains a command-line reference text file.
Also listed in: PE EXE Signature Tools, PE Executable Editors, Resource Editors



Tool name: ImpREC
Rating: 4.0 (3 votes)
Author: MackT                        
Website: http://files.planet-dl.org/Cw2k/Tools/Import%20REConstructor%20v1.7f.7z
Current version: Official version 1.6 - Unofficial version with misc. fixes 1.7f
Last updated: June 1, 2011
Direct D/L link: Locally archived copy
License type: Free (^-Note: 'Direct D/L URL' is V1.7e !)
Description: The world's most famous IAT rebuilder tool.

The last official version from MackT is still 1.6. The 1.7f update is a third-party patched version of 1.6, which contains the following patches:

v1.7f FINAL (PUBLIC VERSION) fixes by cw2k
- Clean unpack of 'v1.6 FINAL (PUBLIC VERSION)' (UPX) + restoring header & imports
as close as possible to the original header
Short/stripped DOS stub and other crap & dump garbage that made it suspect to most AntiVirus proggies
virustotal.com before: 33/42 hits, now: 0/42 hits

- Reapplying and documenting of patches (scroll to the end of that file)
Improved patch #1 "RestoreLastError" -> SetLastError bugfix

- Adding Fly's GUI-modification

- doing some clean up of the plugins (unpack/removing duplicates)

--------
Also included in the archive:

CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

--------


NOTE:
V1.7a

- Fixed RestoreLastError API set to SetLastError for WinXP/Vista compatibility (MaRKuS_TH-DJM)
- user32.dll is always read from the system, prevents a crash from corrupted PE of user32.dll (MaRKuS_TH-DJM)
- Latest version of psapi.dll (6.0.6000.16386) included
- Fixed Vista64 crash bug (jstorme)
- GUI modified and improved (based upon Fly's modification)
- Updated/corrected plugins and deleted dups

v. 1.7a added the following fixes:

- Misc
- Fixed Win2K crash, AllocConsole was replaced with ActivateActCtx (jstorme)

The local download here contains the last unofficial patch, 1.7e. In addition to that, it also contains a big bunch of plugins, and also source code for many of these plugins (in all well-known programming languages, which is good for use as templates for new plugins etc).

Changes in Version 1.7b:

- Misc
- Fixed invalid API bug in user32.dll on Windows 98 (jstorme)
- Modified code to improve support for discardable/unreadable sections (jstorme)
- Fixed ImageBase problem with DLL's when "Use PE Header from Disk" is checked (jstorme)
- Added an "ImpREC Classic" looking version

Changes in 1.7c:

- Fixed bug introduced in 1.7b when DLLs have discardable sections (jstorme)

Changes in 1.7d:

- Misc
- Fixed bug introduced in 1.7b which destroys IAT Autosearch feature in some packed targets, like eXpressor 1.8 (Newbie_Cracker).
- Fixed crash introduced in 1.7b when DLL's PE header has "NO Access" flag (Newbie_Cracker).


Changes in Version v1.7e

- Misc
- Fixed a bug which prevented ImpREC from fixing JMP DWORD [...] if it is located at the end of the code section (Newbie_Cracker)
( Thanks to Nexus6 for reporting the bug and providing samples)
Also listed in: IAT Restore Tools, Process Dumpers



Tool name: Memoryze
Rating: 4.0 (1 vote)
Author: Mandiant                        
Website: http://www.mandiant.com/software/memoryze.htm
Current version:
Last updated:
Direct D/L link: N/A
License type: Free
Description: MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  o report all open handles in a process (for example, all files, registry keys, etc.).
  o list the virtual address space of a given process including:
    + displaying all loaded DLLs.
    + displaying all allocated portions of the heap and execution stack.
  o list all network sockets that the process has open, including any hidden by rootkits.
  o output all strings in memory on a per process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Also listed in: Kernel Hook Detection Tools, Memory Dumpers



Tool name: SysAnalyzer
Rating: 4.0 (2 votes)
Author: David Zimmer (iDefense Labs)                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: March 21, 2011
Direct D/L link: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe
License type: GPL2
Description: Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.
Also listed in: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools



Tool name: Ultimate Aspacker Unpacker
Rating: 4.0 (2 votes)
Author: Pnluck                        
Website: http://spin.quequero.org/Category:Pn
Current version:
Last updated: July 19, 2007
Direct D/L link: http://spin.quequero.org/uicwiki/images/Uau_rar.zip
License type: GNU GPL v2
Description: The Ultimate Aspacker Unpacker is an Aspack 2.12 offline unpacker extension for the CFF Explorer which supports any kind of PE file. Includes GPLv2 licensed source & binaries (DLL) for x86, x86_64 and Intel Itanium.

Authored by: Luciano Giuseppe 'Pnluck' and aCaB
Also listed in: CFF Explorer Extensions



Tool name: .NET Generic Unpacker
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://ntcore.com/netunpack.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/NETUnpack.zip
License type:
Description: This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assembly. This .NET Generic Unpacker was written in a couple of hours and, despite the fact that it's very simple, it might turn out useful to have it: otherwise you have to unpack manually, which is also very easy.
Also listed in: .NET Unpackers, Automated Unpackers



Tool name: ACProtect 2.0 OEP Finder + IAT Repair OllyScript
Rating: 0.0 (0 votes)
Author: ColdFever                        
Website: N/A
Current version:
Last updated: February 10, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: ACProtect 2.0 OEP Finder + IAT Repair
Also listed in: OEP Finders, OllyScript Scripts, IAT Restore Tools



Tool name: AMDUMPV6.2
Rating: 0.0 (0 votes)
Author: CondZero                        
Website: http://arteam.accessroot.com
Current version: 2.2
Last updated: September 18th, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=3
License type: Free / Open Source
Description: The archive includes full sources and two tutorials.

Note: the included pdf overview (from the previous release)
still applies to this version, with the caveat that import rebuilding is included in this release for targets that don't use the delayed import option!!

Info:
* New noninvasive loader engine to run & dump activemark v6.2x targets.
* Run program from its own folder, no need to copy Amdumpv62 to target folder to run.
* Amdumpv62 will dump activemark v6.2x executables and, if necessary, rebuild imports automatically for targets with delayed imports not enabled and finally append the overlay data to the end of the dumped file.

Special note:
* The import rebuilder will append an '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe, similar to imprec). In these cases, the overlay data will be appended to the new dump name automatically.
* Sometimes it may be necessary to view the sections in a PE editor program (i.e. lordpe or similar) because the dumper is dependent on finding:
  (4) .text/.text/.code/.code/etc sections in the executable for delayed import targets
  (3) for non delayed import targets.
  If (3/4) sections are not found, then the executable may not be an activemark v6.2x application!!
* Note: also dependent on finding (2) .bss/bss sections in the executable! These sections are used for storing data needed to run the dump successfully!

Limitations:
* In order to ensure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used in the gettickcount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

History:
--------------------------------------------
Amdumpv62 - version 2.2 (September 2008)
1. Updated arteam import rebuilder v1.2.1 (nacho_dj) for targets that don't use the delayed imports option

Amdumpv62 - version 2.0 (march 2008)
1. New noninvasive loader engine based on Deroko's nonintrusive loader (i.e. nodebug)
2. New arteam import rebuilder v1.1 (nacho_dj) for targets that don't use the delayed imports option
3. New log progress and results of the dump process
4. Separate threads for main gui and process
Also listed in: Process Dumpers



Tool name: AMDUMPV66 V1.0
Rating: 0.0 (0 votes)
Author: CondZero                        
Website: http://www.accessroot.com/arteam/site/news.php
Current version: v 1.0
Last updated: January 18, 2011
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.230
License type: Freeware
Description: Amdumpv66 v1.0 - CondZero [ARTeam]
(see history below for details)

Note: This is a complete replacement for former AMDUMPV6.2!!

Tested under winxp sp3
Should work under w2k, wxp, Vista, Win 7 32 bit

Info:
* new noninvasive loader engine to run & dump activemark v6.2x - 6.6x targets.
* Drag & drop capability
* run program from its own folder, no need to copy Amdumpv66 to target folder to run.
* amdumpv66 will dump activemark v6.2x - v6.6x executables for targets with both delayed and non delayed imports. For targets with non delayed imports, the built-in ARTeam ARImpRec (Import Rebuilder) will automatically fix any imports in the dumped file and append a '_' suffix to the end of the dumped file (i.e. dumped.exe >> dumped_.exe).

This program expects this suffix when appending the overlay data automatically for targets that don't use delayed imports. If using a different IAT rebuilding tool, it may be necessary to rename the resultant fixed dump file as described above, or the overlay data will not be appended automatically and you will be required to do this step manually.
* sometimes it may be necessary to view the sections in a PE editor program (i.e. lordpe or similar) because the dumper is dependent on finding:
  (4) .text/.text/.code/.code/etc sections in the executable for delayed import targets and,
  (3) .text/.text/.code/.code/etc sections for non delayed import targets.
  If (3/4) sections are not found, then the executable may not be an Activemark v6.2x - 6.6x application!!

Limitations:
* in order to ensure the stability of your dumped.exe, it may be necessary to manually hexedit the dumped file and insert an instruction which moves hi-values to a dword hi-value variable used by the GetTickCount api within the 3rd layer (2nd .text) in the executable. Please refer to the tutorial on dumping and analyzing activemark v6.2x on the [arteam] tutorial
Link: http://arteam.accessroot.com/tutorials.html?fid=211

Disclaimer:
Not responsible for any damages that result from using this Tool!!

History:
--------------------------------------------
Amdumpv66 - version 1.0 (November 2010)
1. Updated ARTeam import rebuilder v1.7.5 (Nacho_dj) for targets that don't use the delayed imports option
2. More elaborate search and replace scheme used for allocated and referenced VM DWORDS used in the target process
3. Drag & drop AM protected executable file to application
4. Log file is saved to your target folder
Also listed in: Process Dumpers



Tool name: ASProtect 1.3x - 2.xx OEP Finder OllyScript
Rating: 0.0 (0 votes)
Author:                         
Website: N/A
Current version: 0.1
Last updated: September 26, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: ASProtect 1.3x - 2.xx OEP Finder
Also listed in: OEP Finders, OllyScript Scripts



Tool name: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)
Rating: 0.0 (0 votes)
Author: Nacho-Dj/ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.1
Last updated: September 23, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=43
License type: Free
Description: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)

Released Summer/2008

Features:
- Provides information about ActiveMARK protection on any file.
- Identifies the protection version.
- Unpacks & decrypts the content of any ActiveMARK protected file.
- Extraction of the main key
- Now it shows information about Only Buy / Trial Limited Version
- Information messages
- Allows an internal analysis of the content of every compressed file within the encrypted container.
- It works statically (no executable is launched).
- Detects automatically the language in your system. :)

How to use:
Select first any executable. Then you can decrypt any external file associated to it, using the Uncompress key.

Note: Any ActiveMARK encrypted file is similar to a .zip or .rar file, containing several files inside.

Coded & designed by Nacho_dj/ARTeam
Also listed in: Automated Unpackers, Protection Identifiers



Tool name: ArmInline
Rating: 0.0 (0 votes)
Author: Admiral                        
Website: N/A
Current version: 0.96ff
Last updated: November 30, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: ArmInline is an Armadillo unpacking tool designed specifically to deal with the many antidump features available with private builds of Armadillo v3.5-4.4, including Code Splicing, Nanomites and Import Elimination. For more details see the readme.

ArmInline was officially discontinued on 23/07/06.

Update (30/11/08):
In spite of the official 'discontinued' status, I thought it wasteful not to publish the minor changes that were necessary to make the Nanomite handler Vista compatible.
Also listed in: Automated Unpackers



Tool name: ArmaGUI
Rating: 0.0 (0 votes)
Author: Spec0p                        
Website: http://www.woodmann.com/forum/showthread.php?9307-ArmaGUI-Yet-another-arma-tool
Current version: 1.5.4
Last updated: August 27, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Armadillo unpacker.

Supported Armadillo options:
Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing


Main features:
Complete automatic recovery and validation of nanomites, even the fake ones in the tables;
Complete automatic reinsertion of Strategic Spliced Code at the original location before exe was protected by Armadillo;
Complete rebuild of the dumped file, cleaning all the trash;
Complete rebuild of the IAT without the use of any extern tool;


Introduction & Disclaimer:
ArmaGUI is an unpacking tool for the commercial protector Armadillo from Silicon Realms Toolworks (http://siliconrealms.com/index.shtml); it supports most of the protection options offered by Armadillo since version 3.
It's coded in VC++ with MFC for GUI support with some inline asm; MFC is the explanation for the over-bloated 212kb exe file, and it's only tested on XP SP2, maybe it works on w2k3 too, forget anything below XP.
This project was started based on a "challenge" by crUsAdEr on the Woodmann excellent forum: http://www.woodmann.com/forum/showthread.php?t=6365
crUsAdEr said: "hopefully u wont spread it to everyone though cos unpackers itself doesnt teach ppl much.", and I agree with that, you DON'T learn by using unpackers. This tool has been working for 1+ year now as private but suffered big and important updates along the way.
This tool WASN'T created to harm SRT in any way, Armadillo is a good product with some nice ideas.
It WAS created out of my desire to see if I was able to create an unpacker for some packer more complex than UPX, together with the challenge from crUsAdEr; learning was and will always be my main purpose.
I know the GUI isn't very user friendly, but really I don't care, don't bother bashing me with that;
I know it crashes a lot, my coding sucks, the code is crappy and non-optimized, really it's a mess, eventually it will hang your PC;
I know it doesn't automatically detect the protection options; this happens because it wasn't my main objective. I focused on getting the hard stuff like Nanomites and IAT Elim, and when I was over, I realized that I had made the engine based on the options I specified and couldn't change it, and so it stays like that, and I actually don't care. If you don't like it, start writing an Options detector (it's easy stuff), or keep the opinion to yourself;
If all this isn't a problem to you, then I hope you enjoy using the tool almost as much as I enjoyed creating it.
Also listed in: Automated Unpackers



Tool name: ArmaRaider
Rating: 0.0 (0 votes)
Author: Nieylana                        
Website: http://www.accessroot.com/arteam/site/download.php?view.315
Current version: 3.3
Last updated: January 22, 2010
Direct D/L link: N/A
License type: Free
Description: "Thanks to the virtual ArmAccess.DLL built into every copy of SoftwarePassport/Armadillo, this [patching the dll] is no longer even a theoretical threat, as long as you use it instead of the external file.", Chad Nelson.

ArmaRaider is designed to assist in the extraction and replacement of the Security.DLL built into each Armadillo protected application

Why? :
By being able to expose the Security DLL there are many things we can patch that will change the way the Armadillo shell reacts.

Possible Patches:
* Force an application to never 'expire'.
* The removal of HWID from keys,
* Re-enabling of the REGISTER/INFO command line parameters.
* Disabling ClockBack detection.

This is only a very small list of the patches made possible by ArmaRaider
What Raider Does Do:
1. ArmaRaider will statically unpack the security dll for you and save to disk
2. If the version of Armadillo does integrity checks on the DLL, these checks will be patched automatically by ArmaRaider (not static)
3. ArmaRaider will also statically replace the existing security DLL with a patched one

What Raider Doesn't Do:
ArmaRaider doesn't turn a person into a 'cracker'; most of the work must still be done yourself (all the patches). ArmaRaider was built to assist in that process, not do it for you. Therefore we are not responsible for any evil usage you make of this tool.

Versions known to Work:
ArmaRaider has been tested and found working on the following Armadillo versions:
* Tested version 3.75 (working)
* Tested version 4.30 (working)
* Tested version 4.40 (working)
* Tested version 4.43 (working)
* Tested version 4.66 (working)
* Tested version 5.02 (working)
* Tested version 7.00 (working)

This is not an all-inclusive list; ArmaRaider may also work on versions not listed above, these are just the ones that have been tested by the author.
Also listed in: Automated Unpackers



Tool name: Armadillo 4.30a Dumping Script
Rating: 0.0 (0 votes)
Author: Nieylana                        
Website: N/A
Current version: 1.0
Last updated: December 27, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Run this script using the OllyScript plugin; it will automatically patch the OutputDebugStringA exploit and the IsDebugger API, prevent PE header destruction, prevent the IAT from being messed with, and dump the file to 'C:\D_File_Unpacked.exe'

Note: I am not the original author, I simply took the Armadillo 4.30a script I had and added some features to it allowing it to produce a working dump by itself. Thanks to the original author.

Enjoy!
Also listed in: OllyScript Scripts, Memory Dumpers



Tool name: Armadillo 5.xx OEP Finder OllyScript
Rating: 0.0 (0 votes)
Author: Fly                        
Website: N/A
Current version:
Last updated: September 20, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Armadillo 5.xx OEP Finder (Standard Protection + Debug Blocker)
Also listed in: OEP Finders, OllyScript Scripts



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is an LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers, Automated Unpackers



Tool name: CHimpREC
Rating: 0.0 (0 votes)
Author: Sébastien Doucet (TiGa)                        
Website: http://www.iitac.org
Current version: ReCon Edition
Last updated: June 23rd, 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: CHimpREC: The Cheap Imports Reconstructor
by TiGa of ARTeam
IITAC (http://www.iitac.org)

This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal.
Made for the best compatibility with WoW64 on x64-based Windows XP or Vista.

This is the same version that was used at the conference.
The first official release will come soon.

+Features
The first universal 64-bit imports rebuilder
32-bit version included
Interface similar to ImpREC
Integrated 32/64-bit process dumper
IAT AutoSearch from ImageBase or OEP
Unshuffle thunks function
Manual imports editor

-Limitations
No plugin support yet
No AutoTrace feature
No disassembler

The Visual Studio 2005 SP1 redistributable package might be necessary too:
x86:
http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en
x64:
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
Also listed in: Dump Fixers, IAT Restore Tools, Import Editors, Process Dumpers



Tool name: CodeDoctor
Rating: 0.0 (0 votes)
Author: hnedka                        
Website: N/A
Current version: 0.90
Last updated: November 12, 2009
Direct D/L link: see details
License type: freeware
Description: CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F


to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations when the program jumps here and there and here and there... When
it encounters some instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B
Also listed in: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors



Tool name: dilloDIE
Rating: 0.0 (0 votes)
Author: mr_magic                        
Website: http://cip-re.6x.to
Current version: 1.6
Last updated: July 26, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This Tool can strip Armadillo Protection from protected Exes/Dlls.

Supports 3.xx and 4.xx versions.


Supported features:
-------------------

Standard Features
Debugblocker
CopyMemII
Nanomites
Import Elimination
Strategic Code Splicing


Known Issues:
-------------

VB Applications protected with the Import Elimination feature are not
supported.


Rebuilding:
-----------

Dumps are 100% working, but for aesthetic reasons one might want to remove
Armadillo Sections from the Section header and their Data physically. This can
be done quite comfortably with the CFF Explorer or any similar PE Editor.

Armadillo Sections are usually called:

.text1
.adata
.data1
.pdata


Nanomites:
----------

Some things about Nanomites: dilloDIE will resolve all Nanomites correctly
for most Applications. There _might_ be apps though, which are somehow
obfuscated in some parts and dilloDIE will fail in properly detecting all
Nanomarkers, which are used to except Fake Nanomites. In this case one
should use the "Emulate" Option, which will cause dilloDIE not to resolve
Nanomites at unpacking time, but to inject a handler which resolves them at
execution time. Dumps using this handler will work on Windows XP and above
only though.

If Nanomites aren't processed correctly, try to activate "Unpack in high
priority class". This should fix some Windows internal timing issues.


Options:
--------

If a Dump ain't working correctly, you can try to change some Options.

Deactivate the Disassembler for any protection part if not everything gets
fixed properly (e.g. not all import references/nanomites/spliced
jumps get fixed/resolved due to code obfuscation, which will make the disassembler
fuck things up).
Decrease or set the Max. Size for Spliced Code sections to 0 if a section
gets wrongly detected as spliced (just in case...), or increase it to make
a bigger Spliced Code section be detected properly.
Also listed in: Automated Unpackers



Tool name: DotFuckScator
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: v1.3
Last updated: May 9, 2009
Direct D/L link: http://reteam.org/tools/tf35.zip
License type: Free
Description: DotFuckScator.V1.3

DotFuckScator is a reverse engineering tool used to remove string encryption
from dotfuscator protected files

If the original file was strong name signed, DotFuckScator will create a new keypair
and re-sign the file with this pair; be careful, since files depending on this file will
need to be edited manually to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also, if you would like the file re-signed with a specific key, place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk;
DotFuckScator will now use this key for the re-sign process.

Hope this tool is of any use

Changes:
* v1.1 has a minor bugfix that prevented some strings from proper decrypting
* v1.2 small bugfix in re-signing, added indicator to show the amount of
strings decrypted so far
* v1.3 Fixed royal fuck-up in string decryption code replacement function
meaning the output will now run after string decryption removal ;x
Also listed in: Automated Unpackers



Tool name: dotNet Sniffer Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 2.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetSnifferWin32.msi
License type: Free
Description: dotNet Sniffer 2 uses the .NET profiler API to save assemblies loaded from memory. Once a module is handled by the .NET Framework, dotNet Sniffer saves it to disk if it was loaded from memory. Some tools change the module (decrypt methods ...) after loading; dotNet Sniffer allows you to save the module again during the execution of the first method (JIT). The profiler will be active only for the process it starts; installing dotNet Sniffer will not affect the performance of other .NET programs. dotNet Sniffer 2 is available for 32-bit and 64-bit processors. 64-bit versions also install the 32-bit profiler and can save both 32-bit and 64-bit processes. If you use 64-bit Windows, install only the 64-bit version suitable for your processor.
Also listed in: .NET Tools, .NET Unpackers



Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog DeObfuscator is an MSIL code optimizer that makes obfuscated code more readable. LicenseManagerKiller is a tool that removes LicenseProvider attributes from the assembly.
Also listed in: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dumbassembly
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?13739-smartassembly-protection-analysis-unpacker-(with-source)
Current version: 0.5.8
Last updated: January 14, 2012
Direct D/L link: http://www.mediafire.com/?lunow30hx22wao1
License type: Open source
Description: DumbAssembly is an automatic unpacker for the RedGate SmartAssembly .NET protector. It supports versions of SmartAssembly up to 6.5.1 and removes the following protections:
* Code flow obfuscation
* Import obfuscation
* String encryption
* Resource encryption
* Assembly embedding and encryption
* Tamper detection

If the input assembly was signed, the unpacked assembly is automatically re-signed with a randomly generated (or manually specified) strong name key pair.

All occurrences of the original public key or public key token in the binary are replaced by the new ones.

The archive contains binaries and the complete source code.
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: FREN
Rating: 0.0 (0 votes)
Author: LLXX                        
Website: N/A
Current version: 1.0
Last updated: July 27, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: SWF Encrypt unprotector
Also listed in: Automated Unpackers, Flash Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: FUU (Faster Universal Unpacker)
Rating: 0.0 (0 votes)
Author: nahuelriva & rcerage                        
Website: http://code.google.com/p/fuu/
Current version: 0.1.1b
Last updated: July 14, 2010
Direct D/L link: http://code.google.com/p/fuu/downloads/detail?name=FUU%20v0.1%20Beta.rar
License type: GPLv3
Description: FUU (Faster Universal Unpacker) is a Windows GUI tool with a set of tools (plugins) to help you unpack, decompress and decrypt most programs packed, compressed or encrypted with well-known software protection programs like UPX, ASPack, FSG, ACProtect, etc.

The GUI was designed using RadASM and MASM. Every plugin included in the official release was written in ASM using MASM.

The core of every plugin uses the TitanEngine SDK from ReversingLabs under the hood. This helps the developer write plugins very easily and quickly, without the need to worry about repetitive and boring functions like dumping, fixing the IAT, adding sections, etc. You can develop a plugin for FUU in a very easy way using TitanEngine.

Also, FUU includes some extra tools like:

* Generic OEP Finder
* Crypto Signature Detector
* Generic Unpacker
* Signatures Detector (by marcianito at gmail dot com)

Generic OEP Finder, Crypto Signature Detector and Generic Unpacker are from PEiD's team.



Version 0.1 Beta

Plugins
UPX Unpacker for UPX v1.x - 3.x (DLL and EXE - x86)
BeRoExEPacker Unpacker (EXE - x86)
FSG Unpacker for v1.x - 2.x (EXE - x86)
ASPack Unpacker for ASPack 2.x (EXE - x86)

Tools
Generic OEP Finder (GenOEP.dll)
Crypto Signatures Detector (kanal.dll)
Generic Unpacker
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Game-music-extractor
Rating: 0.0 (0 votes)
Author: __sk                        
Website: N/A
Current version: 0.9
Last updated: February 24, 2009
Direct D/L link: Locally archived copy
License type: Who cares
Description: This will try to extract game music from any uncompressed clump file.
Usage is: gamemusi megafile
It works on DOS and may take anywhere from 1-5 minutes to 1-5 hours.
Also listed in: Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GenericUnpacker
Rating: 0.0 (0 votes)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version:
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: GenericUnpacker is a fully featured unpacker for some
simple packers. It uses a driver to hook int 0E and
trace execution of the program silently.

The driver also installs a hook in ntos!SwapContext to
know when to activate/deactivate memory breakpoints.
Due to this hook the driver is system-specific, and
supports only Win2k and WinXP.
Also listed in: Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDCDumpFix
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://labs.idefense.com/software/malcode.php
Current version:
Last updated:
Direct D/L link: N/A
License type: Free / Open Source
Description: Aids in quick RE of packed applications (including unclean dumps after the OEP), where imports may have been destroyed, etc.

What you do is execute the malware, dump the running image with e.g. LordPE, attach to the image with OllyDbg and have Olly search for all intermodular calls. Then you copy the table of intermodular calls into IDCDumpFix and have it produce an IDC file which you can apply to the dumped image disassembly. Many addresses and functions will then be identified in the disassembly.
Also listed in: Dump Fixers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: imp64
Rating: 0.0 (0 votes)
Author: deroko                        
Website: http://deroko.phearless.org/imp64.rar
Current version:
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Here is one tool to fix imports on x64 targets (and to dump them as well). This tool was done almost a year ago. The GUI really sucks as I'm not very experienced with GUI programming. However, the import fixing code should do just fine as it uses the 1 API = 1 IID technique which I described in one of my blog entries. The good thing is that the import scanning/fixing code can be extracted from the source without a problem as those are held in separate files.

Hope that someone will find this tool useful, at least the source code.
Also listed in: IAT Restore Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: jsunpack
Rating: 0.0 (0 votes)
Author:                         
Website: http://jsunpack.jeek.org
Current version: 0.3.2c
Last updated: June 2, 2010
Direct D/L link: N/A
License type: Free / Open Source
Description: A Generic JavaScript Unpacker.

jsunpack emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities.

It accepts many different types of input:

* PDF files - samples/sample-pdf.file
* Packet Captures - samples/sample-http-exploit.pcap
* HTML files
* JavaScript files
* SWF files
Also listed in: Javascript Deobfuscators, Javascript Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MSIL Dumper
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11809
Current version: 0.4
Last updated: December 12, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The idea of this tool is to achieve two objectives:

1 - It will dump the body of every method (function, procedure) called by the executable assembly you select. The dumping occurs whenever the compiler enters that method; for example, if you click some button and this button calls the method "CheckLicense", then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in detail the methods being called and also the modules that your application loads, so it could be used as a simple tracing utility for .NET assemblies.

I wrote this tool to help me rebuild assemblies protected with the JIT hooking technique. Those assemblies can't be explored in Reflector because their methods' bodies are encrypted and only decrypted at runtime when the method is called, so you will see no code in Reflector. I assumed that I would have access to the encrypted MSIL code of the methods using the Profiling APIs; there was a 50% chance of success, but it turned out to be only useful against certain protections like the one that LibX coded, which depends on System.Reflection.Emit.DynamicMethod to execute protected methods.

You can find more on LibX protection here:
hxxp://www.reteam.org/board/showthread.php?t=799
Also listed in: .NET MSIL Dumpers, .NET Tracers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: mdmp
Rating: 0.0 (0 votes)
Author: Vlad-Ioan Topan                        
Website: http://code.google.com/p/mdmp/
Current version: 0.2.5 beta
Last updated: May 2011
Direct D/L link: http://mdmp.googlecode.com/files/mdmp-0.2.5-beta-binaries.zip
License type: GPL V3
Description: mdmp - open-source x86 memory/process (command-line) dumper with Python bindings

libmdmp is a C library designed to dump process memory on Windows.

mdmp.exe is a command-line tool exposing most functionality in libmdmp (process/stack/heap/random-mem-address dumping).

pymdmp.pyd is a Python wrapper (only built for 2.7 as of now, trivial to adapt to any 2.x) exposing the memory-dumping functionality in Python.

Example usage:

mdmp:
mdmp.exe /n:explo /e:kernel
- will dump all modules (DLLs) whose name contains "kernel" from all the processes whose name contains "explo"

pymdmp:
import pymdmp
lst = pymdmp.dump(pymdmp.SEL_BY_NAME, pymdmp.DUMP_IMAGE_BY_NAME, 0, processName="explo", moduleName="kernel")
- will return in lst a list of tuples (<process_name>, <PID>, <dump-start-address>, <dump-data>)

Delphi bindings are planned. Feedback is welcome @ vtopan/gmail.

Requires the VC 2005 runtime.
Also listed in: Memory Dumpers, Process Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OepFinder
Rating: 3.0 (1 vote)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version: X.Y.Z
Last updated: March 10, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Generic OEP finder; uses PAGE_GUARD to locate a good range. Supports debugging using the Win32 debug subsystem, and non-intrusive tracing.
Also listed in: OEP Finders, Non-Intrusive Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OllyDumpEx
Rating: 0.0 (0 votes)
Author: low_priority                        
Website: http://low-priority.appspot.com/ollydumpex/
Current version: 0.90
Last updated: August 24, 2011
Direct D/L link: http://low-priority.appspot.com/ollydumpex/OllyDumpEx.zip
License type: Free
Description: This plugin is a process memory dumper for OllyDbg and Immunity Debugger.
A very simple overview is:
OllyDumpEx = OllyDump + PE Dumper - obsolete features + useful features
Features:
- OllyDbg version 2 plugin interface supported (EXPERIMENTAL)
- Select whether to dump the debuggee exe or a loaded dll
- Dump any address space as a section even if it is not in the original section header
- Add dummy section to keep PE format consistency
- Fix RVAs in the DataDirectory to follow an ImageBase change
- Auto-calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)
Also listed in: OllyDbg Extensions, Process Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PEBrowse Professional
Rating: 0.0 (0 votes)
Author: SmidgeonSoft                        
Website: http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
Current version: 10.1.5
Last updated: April 14, 2011
Direct D/L link: http://www.smidgeonsoft.com/download/PEBrowseV10_1_5.zip
License type: Free
Description: PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.
Also listed in: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PackerBreaker
Rating: 0.0 (0 votes)
Author: niucool                        
Website: http://www.sysreveal.com
Current version: 1.0.0.2
Last updated: October 12, 2012
Direct D/L link: http://www.sysreveal.com/download/PackerBreaker.zip
License type: FREE
Description: PackerBreaker is yet another universal unpacker tool to help you unpack, decompress and decrypt most programs packed, compressed or encrypted with well-known software protection programs like UPX, ASPack, FSG, ACProtect, etc.
PackerBreaker uses advanced emulation technology to unpack packed programs.

PackerBreaker supports the following packers:
UPX
NSPACK
eXpressor
FSG
telock
ReCrypt
Orien
Aspack
AcProtect
MEW
Molebox
mpress
EXE STEALTH
VPacker
yoda’s cryptor 1.2
WinUpack 0.39 final
PECompact
PETITE 2.2
Morphnah Beta

PackerBreaker also includes a PE signature detector based on the PEiD Signatures Database.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pokas x86 Emulator for Generic Unpacking
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://sourceforge.net/projects/x86emu/
Current version: 1.2.0 and 1.21 visual C++
Last updated: December 28, 2012
Direct D/L link: http://sourceforge.net/projects/x86emu/files/1.2.0/x86emu-1.2.rar/download
License type: GPL
Description: Pokas x86 Emulator is an application-only emulator created for generic unpacking and testing antivirus detection algorithms.
This emulator has many features, some of which are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Supports adding new APIs and adding the emulation function for them.
3. Supports a very powerful debugger that has a parser that parses the condition you give and creates very fast native code that performs the check on this condition.
4. Supports SEH and supports the TIB, TEB, PEB and PEB_LDR_DATA.
5. It monitors all the memory writes, logs up to 10 previous EIPs and saves the last accessed and the last modified place in memory.
6. It supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it is still in the beta version. It surely will be fixed soon with the help of your feedback.

You can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Dump, pd.exe
Rating: 0.0 (0 votes)
Author: Geoff McDonald                        
Website: http://www.split-code.com/
Current version: v1.4
Last updated: April 18, 2015
Direct D/L link: http://split-code.com/files/pd_latest.zip
License type: Freeware
Description: Process Dump is a 32 and 64 bit command-line tool for dumping malware code from memory back to disk.

Features:
* Dumps 32 and 64 bit modules back to disk
* Dumps code at a specific address back to disk, reconstructing a 32 and 64 bit PE header and building an import address table
* Reconstructs imports aggressively - linking any DWORD or QWORD in the image being dumped to the corresponding import
* Supports a clean library hashing approach, allowing for dumping of only unrecognized modules

The import reconstruction approach is aggressive and even reconstructs references to imports loaded by GetProcAddress:
1. Copies OriginalFirstThunk over FirstThunk array for each imported library. (original import reconstruction approach)
2. Looks at all modules loaded in the current process, and builds a list of the addresses of all exported functions.
3. Searches the region or module that is being dumped for any DWORD (x86) or QWORD (x64) matching an exported address in the process.
4. For each match, adds an imported library with FirstThunk pointing to the DWORD or QWORD to patch up, linking it to the exported function of the corresponding library.
5. The size of the last section is increased, and the extended original import table is placed here.

Dump code from a specific address, building a PE header and import table:
pd.exe -pid 0x1a7 -a 0x3e1000

Dump all modules from all processes (only unrecognized modules will be dumped):
pd.exe -system

Dump all modules from a specific process:
pd.exe -pid 0x18A

Dump all modules by process name:
pd.exe -p .*chrome.*

Build clean-hash database. These hashes will be used to exclude modules from dumping with the above commands:
pd.exe -db gen

Comes in .zip format and supports Windows x86 and x64:
- http://split-code.com/files/pd_latest.zip

Requires Microsoft Visual C++ 2008 Redistributable:
- http://www.microsoft.com/en-ca/download/details.aspx?id=29
- http://www.microsoft.com/en-ca/download/details.aspx?id=15336
Also listed in: Automated Unpackers, Dump Fixers, Malware Analysis Tools, Memory Dumpers, Process Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog LicenseManagerKiller Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/LicenseManagerKillerWin32.zip
License type: Free
Description: The purpose of PvLog LicenseManagerKiller is to warn against the inefficiency of managing licenses in 100% managed code. LicenseManagerKiller is a tool that removes LicenseProvider attributes from the assembly. This tool is rudimentary and defeats only the most naive protections, but you can imagine that PvLog DeObfuscator and Reflector would allow a determined attacker to remove more sophisticated license controls.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Quick Unpack
Rating: 0.0 (0 votes)
Author: Feuerrader / Archer                        
Website: http://qunpack.ahteam.org
Current version: 2.2
Last updated: July 14, 2009
Direct D/L link: http://tport.org/releases/tools/Quick_Unpack_2.2.Tool.tPORt.rar
License type: Free
Description: The program is intended for fast (in a few seconds) unpacking of packers and simple protectors.

Quick Unpack tries to bypass all possible scramblers/obfuscators and restores redirected imports. Since version 1.0, unpacking of DLLs is supported. Since version 2.0, an attach-process feature allows Quick Unpack to be used as a dumper and import recoverer. Scripts are also supported from version 2.0, which allows unpacking of more complicated protections. This makes Quick Unpack a unique software product which has no similar analogues in the world!

Use the force unpacking tick box. When the application is run, QuickUnpack waits for the OEP breakpoint to trigger. But sometimes this breakpoint may be triggered several times, and only the last one is the correct OEP. Using the ForceMode option solves this problem. With this option, after the application is run QuickUnpack counts breakpoint hits and dumps the application only at the last stop. For DLL files this option is always ticked and allows relocs to be restored.
Also listed in: Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: QuickUnpack DLL
Rating: 0.0 (0 votes)
Author: Shub-nigurrath                        
Website: http://www.woodmann.com/forum/showthread.php?t=6295
Current version: 1.2
Last updated: August 31, 2004
Direct D/L link: Locally archived copy
License type: Free
Description: This fine release is a Dll version of the already released QUnpack program, from FEUERRADER of AHTeam (http://www.exetools.com/forum/showthread.php?t=4611&page=1&pp=15).

What I did is to transform it into a DLL and to improve the whole code robustness and functionality.

The main purpose of such a DLL is to create complex patchers that would unpack the programs on the fly on the target PC, then apply byte changes to crack the program. Of course it is much more useful where inline patching is not possible.

What it does:
-------------
The DLL works almost like the original Qunpack program. Essentially what is done is:

• set some hardware breakpoints in the debugged process
• find the OEP, using some custom method (if the target program is packed by FSG 1.33, ASPack 2.12 or UPX 1.2x, the OEP is found using its own technique) or the code of GenOEP.dll (included inside)
• dump the process to a previously allocated buffer.
• rebuild the dump and realign it.
• rebuild the import table (using some code taken from ImpRec)

How to use in your own program:
-------------------------------
This is the prototype of the main function:

int __stdcall UnpackFile(char* InName, char* OutName, BOOL AutoOEP, DWORD realOEP, char **pLog_buff);


Below is a code snippet showing how to use the DLL in your programs:

#################################################
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>   // BOOL, DWORD; UnpackFile()/GetLog() come from the Qunpack.dll header

char *infile_buff=NULL;  // it's the buffer pointing to the file to be unpacked
char *outfile_buff=NULL; // it's the buffer pointing to the file where to store the unpacked file.
char *log_buff=NULL;     // it's the buffer storing the log (allocated by UnpackFile).
BOOL autoOEP=TRUE;       // let the DLL locate the OEP by itself
DWORD realOEP=0;         // only used when autoOEP is FALSE

//TODO: Init above buffers and values as you want..

UnpackFile(infile_buff, outfile_buff, autoOEP, realOEP, &log_buff);

// Writes to a file the log_buff filled and allocated by the UnpackFile API!
// Note that the main program has to wait until the threads launched by
// UnpackFile() are terminated.
// GetLog() returns a non-NULL value only when the hard work is finished.
// You might consider placing this loop into a separate thread of the main
// application, just not to block the user interface too long.
// NB. Remember to free the allocated buffer!

while(GetLog(NULL)==NULL);

FILE *fp=NULL;
if(log_buff!=NULL) {
    if((fp=fopen(".\\Unpacking_log.txt","w"))!=NULL) {
        // write the log as data, never as the format string:
        // fprintf(fp,log_buff) would be a format-string bug if the log contains '%'
        fputs(log_buff,fp);
        free(log_buff); //really important, remember to free the buffer!
        log_buff=NULL;
        fclose(fp);
        fp=NULL;
    }
}
#################################################

Help function:
--------------
Whenever you choose to pass the OEP to the function directly, you usually have to convert it from a string representation to a real hex value (usually it's entered in an edit box).
Just for reference, you might use this function that converts a hex value from its string representation:

#################################################
//added to convert a hexadecimal string to an integer value
//HEX_2_INT_TABLE maps the low 7 bits of an ASCII character to its hex digit value (0 for non-hex characters)
unsigned char HEX_2_INT_TABLE[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

int hexstr2int(char *hexstr) {
    register unsigned int length, i, value, shift;
    // at most 8 hex digits fit into a 32-bit value; stop at the NUL terminator
    for (length = 0; length < 8 && hexstr[length]; length++);
    shift = (length - 1) * 4;
    for (i = value = 0; i < length; i++, shift -= 4)
        value += HEX_2_INT_TABLE[(unsigned int)hexstr[i] & 127] << shift;
    return value;
}
#################################################

Belongs and Greetings:
----------------------
The DLL contains the code coming from some already existing DLLs. Those DLLs have been transformed into library files and directly linked to the Qunpack.dll to reduce external files dependency.
Those files are
• NDump.dll and RebPE32.dll which belongs to NEOx [uinC].
• GenOEP.dll by snaker
• Force.dll by FEUERRADER

Thanks again to FEUERRADER and to AHTeam members.

History:
--------

* 1.0 [+] initial release
* 1.1
o [-] fixed a bug when realOEP is given
o [+] added some details in the log file
o [+] modified the little client
o [+] modified the readme and added some more explanations
* 1.2 [+] eliminated the need for any external dll, now Qunpack.dll can work without any external dll
Also listed in: Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RE-Dump
Rating: 0.0 (0 votes)
Author: SantMat                        
Website: http://www.reteam.org/tools.html
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free
Description: Process memory dumping utility
Also listed in: Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: REZiriz
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated: August 28, 2007
Direct D/L link: http://www.reteam.org/tools/tf33.zip
License type: Free
Description: REZiriz is an unpacker for Eziriz .NET Reactor > v3.1.x.x

Also added support to remove the NecroBits protection that prevents
the decompilation of unpacked assemblies,
and support to unpack v3.3.1.1 of Eziriz .NET Reactor

Unpacker features:
---------------------------
[*] Unpacking Eziriz .NET Reactor v3.3.1.1
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

[*] Added NecroBit Protection Remover
Also listed in: Automated Unpackers, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflexive games Unwrapper
Rating: 0.0 (0 votes)
Author: eraser                        
Website: http://arteam.accessroot.com/releases.html
Current version: 1.3
Last updated: January 23, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: unWrapper for the games protected by 'ReflexiveGameWrapper'
created by eraser, May/2007

http://www.reflexive.com/

devoted to ARTeam, thx anorganix and Shub-Nigurrath [ARTeam]

Version 1.3:
------------
The new v1.3 (TASM) of Reflexive Unwrapper is distributed with a special (MASM) v1.0 which also supports Win9x/ME. Win9x is dead, but not for everyone, and of course the source code is included so anyone can take a look at how to set a BP on an API in Win9x/ME, hmm, for educational purposes.
The file doc\history.txt is included in both versions.

--- TEST notes ---

Win9x/ME supported!

tested on: MS Windows 2000 SP4, thx Arab3h
tested on: MS Windows XP Professional SP2

05-22-2007
games: Scrubbles, War Chess, Rocket Bowl, Alien Shooter, Sheeplings,
Scavenger, Egyptoid, Aztec Bricks

05-23-2007
games: Naval Strike, Mirror Magic, Wild West Billy, After The End, Brickquest,
Devastation Zone Troopers, Law And Order The Vengeful Heart

Dungeon Scroll Gold Edition
unwrap and replace the bytes with 0100 0001 100E 0000 at offset 0x4DF9C

05-25-2007
games: Pizza Panic, Magic Ball 2, Magic Ball 3, Magic Ball 2 New Worlds,
Mystery Case Files Ravenhearst, Zombie Smashers X2, Pipeline, Westward

05-29-2007
games: Little Shop Of Treasures, Big Kahuna Reef, Slingo, Temple of Bricks,
Bricks of Egypt, Bricks of Atlantis, WW2 Pacific Heroes, Yahtzee

06-03-2007
games: Mysteriwille, Death on The Nyle

06-05-2007
games: Amazonia, AstroAvenger, Jets N Guns GOLD, Project Xenoclone,
Rage Of Magic 2, Rikki And Mikki To The Rescue, Roman Bowl,
Age of Castles (thx GEEK)

06-21-2007
games: The Dark Legions (thx npad69), Alice Greenfingers, Bullet Candy,
FastCrawl (MS .NET Framework), Ancient Hearts And Spades, Neon Wars

07-01-2007
games: Puzzle Detective (thx Ghandi),
80 days, Venice, Secrets of Great Art, The Magicians Handbook,
Chocolatier (thx SSlEvIN), Mexican Motor Mafia

04-16-2008
games: Yahtzee Texas Hold Em (RWG file is replaced with Raw_001.exe), Penguins Journey,
Westward II Heroes Of The Frontier, Astro Avenger 2




usage (default)
1. run unwrapper.exe and select a target/game
2. click on 'Play Game' button within 10 seconds
3. run *.RWG.exe file in the game's folder

note: .RWG file can also be replaced by, e.g., an .exe file (supported)

example (Alien Shooter)
1. install the game e.g. into "D:\games\Alien Shooter"
2. run unwrapper.exe
3. select "D:\games\Alien Shooter\AlienShooter.exe"
4. click on 'Play Game' button
5. delete/move/backup files AlienShooter.exe and AlienShooter.RWG
6. rename AlienShooter.RWG.exe to AlienShooter.exe
7. delete all files from "D:\games\Alien Shooter\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run AlienShooter.exe

example (Yahtzee Texas Hold Em)
1. install the game e.g. into "D:\games\Yahtzee Texas Hold Em"
2. run unwrapper.exe
3. select "D:\games\Yahtzee Texas Hold Em\YahtzeeTexasHoldEm.exe"
4. click on 'Play Game' button
5. delete/move/backup files YahtzeeTexasHoldEm.exe and Raw_001.exe
6. rename Raw_001.exe.exe to YahtzeeTexasHoldEm.exe
7. delete all files from "D:\games\Yahtzee Texas Hold Em\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run YahtzeeTexasHoldEm.exe


--- RE notes ---

game.exe - loader/decrypter
game.rwg - encrypted game (optional)

CreateProcess, game.rwg, CREATE_SUSPENDED
ReadProcessMemory, read encrypted chain from game.rwg at BaseAddress
decryption...
WriteProcessMemory, write decrypted chain into game.rwg at BaseAddress
ResumeThread, execute game.rwg

----------------
Also listed in: Automated Unpackers
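The loader/decrypter chain from the RE notes above, written out as a runnable Python/ctypes program. This is an added example, not code from eraser's unwrapper or from Reflexive. It performs exactly the steps the notes list: CreateProcess on the target with CREATE_SUSPENDED, ReadProcessMemory of the mapped image at its base address, a decryption step, WriteProcessMemory of the result back over the image, ResumeThread. The optional `dump_to` argument is the analyst's counter-move: the decrypted image is written to disk before the thread ever runs, which is what an unwrapper ultimately needs. Assumptions not on the page: the RWG cipher is never described, so `decrypt` is a caller-supplied callable and the whole mapped image is handed to it (a real wrapper may decrypt only some sections); the child's base address is read from its PEB (ImageBaseAddress) rather than from the file header; `run_decrypted`, `pe_image_info`, `constructed_pe_header` and `_ok` are names chosen here. The Win32 part is Windows-only; `pe_image_info` and the constructed header run anywhere.

```python
import ctypes
import struct
import sys

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PV, U32, U16 = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint16


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", U32), ("lpReserved", PV), ("lpDesktop", PV), ("lpTitle", PV),
                ("dwX", U32), ("dwY", U32), ("dwXSize", U32), ("dwYSize", U32),
                ("dwXCountChars", U32), ("dwYCountChars", U32), ("dwFillAttribute", U32),
                ("dwFlags", U32), ("wShowWindow", U16), ("cbReserved2", U16),
                ("lpReserved2", PV), ("hStdInput", PV), ("hStdOutput", PV), ("hStdError", PV)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", PV), ("hThread", PV), ("dwProcessId", U32), ("dwThreadId", U32)]


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("Reserved1", PV), ("PebBaseAddress", PV), ("Reserved2", PV * 2),
                ("UniqueProcessId", ctypes.c_size_t), ("Reserved3", PV)]


def pe_image_info(header):
    """(preferred ImageBase, SizeOfImage) from the first page of a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", header, opt)[0]
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28
        base = struct.unpack_from("<I", header, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at +24
        base = struct.unpack_from("<Q", header, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return base, struct.unpack_from("<I", header, opt + 56)[0]   # SizeOfImage


def constructed_pe_header(magic, base, size_of_image):
    """Minimal PE header built in memory to exercise pe_image_info; not a real file."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, magic)
    if magic == 0x10B:
        struct.pack_into("<I", hdr, opt + 28, base)
    else:
        struct.pack_into("<Q", hdr, opt + 24, base)
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    return bytes(hdr)


def _ok(result):
    if not result:
        raise ctypes.WinError(ctypes.get_last_error())


def run_decrypted(target, decrypt, dump_to=None):
    """CreateProcess(target, CREATE_SUSPENDED), read its image, decrypt, write back, resume."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    si, pi, done = STARTUPINFOW(), PROCESS_INFORMATION(), ctypes.c_size_t()
    si.cb = ctypes.sizeof(si)
    _ok(k32.CreateProcessW(target, None, None, None, False, CREATE_SUSPENDED,
                           None, None, ctypes.byref(si), ctypes.byref(pi)))
    hp = PV(pi.hProcess)

    # BaseAddress: PEB.ImageBaseAddress, two pointers into the PEB (+0x08 x86, +0x10 x64).
    pbi, ret = PROCESS_BASIC_INFORMATION(), U32()
    if ntdll.NtQueryInformationProcess(hp, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), ctypes.byref(ret)):
        raise OSError("NtQueryInformationProcess(ProcessBasicInformation) failed")
    base = PV()
    _ok(k32.ReadProcessMemory(hp, PV(pbi.PebBaseAddress + 2 * ctypes.sizeof(PV)), ctypes.byref(base),
                              ctypes.c_size_t(ctypes.sizeof(base)), ctypes.byref(done)))

    # Header page first (for SizeOfImage), then the whole mapped image ("encrypted chain").
    page = ctypes.create_string_buffer(0x1000)
    _ok(k32.ReadProcessMemory(hp, base, page, ctypes.c_size_t(0x1000), ctypes.byref(done)))
    _, size = pe_image_info(page.raw)
    image = ctypes.create_string_buffer(size)
    _ok(k32.ReadProcessMemory(hp, base, image, ctypes.c_size_t(size), ctypes.byref(done)))

    plain = decrypt(image.raw)                   # the wrapper's own decryption step
    if dump_to:                                  # analyst's hook: the decrypted game hits disk first
        with open(dump_to, "wb") as fh:          # (section-aligned; realign before running it)
            fh.write(plain)
    old = U32()
    _ok(k32.VirtualProtectEx(hp, base, ctypes.c_size_t(size), PAGE_EXECUTE_READWRITE, ctypes.byref(old)))
    _ok(k32.WriteProcessMemory(hp, base, plain, ctypes.c_size_t(len(plain)), ctypes.byref(done)))
    k32.ResumeThread(PV(pi.hThread))             # execute the decrypted game.rwg
    return pi.dwProcessId


if __name__ == "__main__":
    # Identity "decrypt" turns this into a plain suspended-process dumper: loader.py target.exe dump.bin
    run_decrypted(sys.argv[1], lambda img: img, dump_to=sys.argv[2] if len(sys.argv) > 2 else None)
```

Reading the base from the PEB instead of the file's ImageBase matters once the child can be relocated; on the 2007-era targets above both agree, but the PEB value is always the one the loader actually wrote to. The dump is a memory-aligned image, so it still needs the realign step the unwrapper performs before it runs from disk.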



Tool name: scdbg
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=152
Current version:
Last updated: March 30, 2012
Direct D/L link: http://sandsprite.com/CodeStuff/scdbg.zip
License type: free
Description: scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows APIs the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.


**************************
New category request: Shellcode Analysis

While other categories describe functions of this tool, it's a really specialized niche field.
Not many people know specialized tools exist for it; a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section (libemu and sclog), and maybe shellcode_2_exe.
***************************
Also listed in: API Monitoring Tools, Automated Unpackers, Debuggers, Malware Analysis Tools, Monitoring Tools, Needs New Category



Tool name: Scylla
Rating: 0.0 (0 votes)
Author: Aguila                        
Website: http://forum.tuts4you.com/forum/132-scylla-imports-reconstruction/
Current version: 0.9.6b
Last updated: April 1, 2014
Direct D/L link: Locally archived copy
License type: GNU GPL v3
Description: Scylla - x64/x86 Imports Reconstruction
=======================================

ImpREC, CHimpREC, Imports Fixer... these are all great tools to rebuild an import table,
but they all have some major disadvantages, so I decided to create my own tool for this job.

Scylla's key benefits are:

- x64 and x86 support
- full unicode support (probably some russian or chinese will like this :-) )
- written in C/C++
- plugin support
- works great with Windows 7

This tool was designed to be used with Windows 7 x64, so it is recommended to use this operating system.
But it may work with XP and Vista, too.

Source code is licensed under GNU GENERAL PUBLIC LICENSE v3.0


Known Bugs
----------

### Windows 7 x64

Sometimes the kernel32.dll API GetProcAddress cannot be resolved, because the IAT has an entry from apphelp.dll
Solution? I don't know

### Only Windows XP x64:

Windows XP x64 has some API bugs. 100% correct imports reconstruction is impossible.
If you still want to use XP x64, here are some hints:

* EncodePointer/DecodePointer exported by kernel32.dll have both the same VA.
Scylla, CHimpREC and other tools cannot know which API is correct. You need to fix this manually.
Your fixed dump will probably run fine on XP but crash on Vista/7.

### ImpREC plugin support:

Some ImpREC Plugins don't work with Windows Vista/7 because they don't "return 1" in the DllMain function.


Keyboard Shortcuts
------------------

- CTRL + D: [D]ump
- CTRL + F: [F]ix Dump
- CTRL + R: PE [R]ebuild
- CTRL + O: L[o]ad Tree
- CTRL + S: [S]ave Tree
- CTRL + T: Auto[t]race
- CTRL + G: [G]et Imports
- CTRL + I: [I]AT Autosearch


Changelog
---------

Version 0.9.6b

- fixed math problem with special sections
- fixed windows 8 bug
- fixed data export bug
- improved iat search
- fixed bug in api resolve engine
- new option: parse APIs always from disk -> slower, useful against pe header modifications

Version 0.9.5

- Fixed virtual device bug caused by QueryDosDeviceW bug
- improved process lister
- improved module lister
- improved dump name
- improved IAT parser

Version 0.9.4 Final

- direct import scanner (LEA, MOV, PUSH, CALL, JMP) + fixer with 2 fix methods
- create new iat in section
- fixed various bugs

Version 0.9.3

- new dll function: iat search
- new dll function: iat fix auto

Version 0.9.2

- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project

Version 0.9.1

- Fixed virtual device bug
- Fixed 2 minor bugs

Version 0.9

- updated to distorm v3.3
- added application exception handler
- fixed bug in dump engine
- improved "suspend process" feature, messagebox on exit

Version 0.8

- added OriginalFirstThunk support. Thanks to p0c
- fixed malformed dos header bug
- NtCreateThreadEx added infos from waliedassar, thanks!

Version 0.7 Beta

- fixed bug Overlapped Headers: http://forum.tuts4you.com/topic/30213-scylla-overlapped-headers/
- fixed bug SizeOfOptionalHeader: http://forum.tuts4you.com/topic/30060-bug-when-fixing-dump/
- added feature: suspend process for dumping, more information: http://waleedassar.blogspot.com/2012/09/anti-dumping-part-3.html

Version 0.7 Beta

- improved disassembler
- fixed various bugs

Version 0.6b

- internal code changes
- added option: fix iat and oep

Version 0.6a

- fixed buffer too small bug in dump memory

Version 0.6

- added dump memory regions
- added dump pe sections -> you can edit some values in the dialog
- improved dump engine with intelligent dumping
- improved pe rebuild engine -> removed yoda's code
- fixed various bugs

Version 0.5a:

- fixed memory leak
- improved IAT search

Version 0.5:

- added save/load import tree feature
- multi-select in tree view
- fixed black icons problem in tree view
- added keyboard shortcuts
- dll dump + dll dump fix now working
- added support for scattered IATs
- pre select target path in open file dialogs
- improved import resolving engine with api scoring
- api selection dialog
- minor bug fixes and improvements

Version 0.4:

- GUI code improvements
- bug fixes
- imports by ordinal

Version 0.3a:

- Improved import resolving
- fixed buffer overflow errors

Version 0.3:

- ImpREC plugin support
- minor bug fix

Version 0.2a:

- improved disassembler dialog
- improved iat search

Version 0.2:

- improved process detection
- added some options
- new options dialog
- improved source code
Also listed in: Dump Fixers, IAT Restore Tools, Process Dumpers
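What "IAT Autosearch" and "Get Imports" do, reduced to a small self-contained model. This is an added example, not Scylla's code. After a packer has run, the dumped image still carries an import address table: a run of pointer-sized slots, each holding the absolute address of an exported API, with a zero slot between DLL groups. Finding the IAT means scanning the dump for the longest such run; rebuilding the imports means mapping every slot back to module!name. The modules, export RVAs and the "dump" below are constructed stand-ins for a real process (names `MODULES`, `export_map`, `find_iat`, `resolve_iat`, `ambiguous_slots`, `constructed_dump` are chosen here); kernel32's EncodePointer and DecodePointer are deliberately given one address to model the XP x64 case from the Known Bugs section, where the resolver can only report both candidates and leave the choice to you.

```python
import struct

# Constructed export tables: module -> (load address, {export name: RVA}).
MODULES = {
    "kernel32.dll": (0x7C800000, {
        "GetProcAddress": 0x1AE4, "LoadLibraryA": 0x1D77, "ExitProcess": 0x1CAF,
        "EncodePointer": 0x2E30, "DecodePointer": 0x2E30,   # shared VA: unresolvable by address alone
    }),
    "user32.dll": (0x7E410000, {"MessageBoxA": 0x7EA2, "ShowWindow": 0x1B6C}),
}


def export_map(modules=MODULES):
    """Absolute address -> ['module!name', ...]; more than one name means ambiguous."""
    table = {}
    for module, (base, exports) in modules.items():
        for name, rva in exports.items():
            table.setdefault(base + rva, []).append(f"{module}!{name}")
    return table


def find_iat(dump, exports, ptr=4):
    """Longest run of slots that resolve to exports, allowing a single zero slot
    as a DLL-group separator.  Returns [(offset, value), ...] (empty if none)."""
    fmt = "<I" if ptr == 4 else "<Q"
    best, run, prev_resolved = [], [], False

    def flush():
        nonlocal best, run
        while run and run[-1][1] == 0:          # a trailing separator is not an entry
            run.pop()
        if sum(1 for _, v in run if v) > sum(1 for _, v in best if v):
            best = run
        run = []

    for off in range(0, len(dump) - ptr + 1, ptr):
        value = struct.unpack_from(fmt, dump, off)[0]
        if value in exports:
            run.append((off, value))
            prev_resolved = True
        elif value == 0 and prev_resolved:      # group separator; a second zero ends the run
            run.append((off, 0))
            prev_resolved = False
        else:
            flush()
            prev_resolved = False
    flush()
    return best


def resolve_iat(run, exports):
    """Split the slot run into DLL groups and name every slot."""
    groups, current = [], []
    for off, value in run:
        if value == 0:
            groups.append(current)
            current = []
        else:
            current.append((off, value, exports[value]))
    if current:
        groups.append(current)
    return groups


def ambiguous_slots(groups):
    """Slots the tool cannot decide for you: one address, several export names."""
    return [(off, names) for group in groups for off, _, names in group if len(names) > 1]


def constructed_dump(ptr=4):
    """Stand-in for a dumped image: junk, a two-group IAT, junk."""
    fmt = "<I" if ptr == 4 else "<Q"
    k32, u32 = MODULES["kernel32.dll"][0], MODULES["user32.dll"][0]
    slots = [k32 + 0x1AE4, k32 + 0x1D77, k32 + 0x2E30, k32 + 0x1CAF, 0,
             u32 + 0x7EA2, u32 + 0x1B6C, 0]
    junk = struct.pack(fmt, 0x41414141) * 4      # resolves to nothing
    return junk + b"".join(struct.pack(fmt, s) for s in slots) + junk


if __name__ == "__main__":
    exports = export_map()
    for group in resolve_iat(find_iat(constructed_dump(), exports), exports):
        for off, value, names in group:
            flag = "  <- ambiguous, pick one by hand" if len(names) > 1 else ""
            print(f"+0x{off:04x}  0x{value:08x}  {' | '.join(names)}{flag}")
```

The scan keys on pointer alignment and on "one zero between groups", which is why a dump whose IAT has been scattered or filled with redirected stubs defeats this simple pass and needs the tracing and direct-import scanning Scylla added later. The ambiguity report is the practical output of the XP x64 note: the tool can tell you the slot points at 0x7C802E30, but only you can decide whether the original import was EncodePointer or DecodePointer.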



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you find writing a security tool on Windows hard?
Do you have a great idea but you can't implement it?
Do you have a good malware analysis tool and don't need it to become a plugin for OllyDbg or IDA Pro?
Then the Security Research and Development Framework is for you.


Abstract:

This is a free, open-source development framework created to support writing security tools and malware analysis tools, and to convert security research and ideas from theory into practical implementation.

This development framework was created mainly to support the malware field in creating malware analysis tools and anti-virus tools easily without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF.

Introduction:

In the last several years the malware black market has grown widely. Statistics show that the number of new viruses has increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and research, searching for a united community that can withstand these attacks. And that's why SRDF.

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community that tries to share its knowledge and tools inside this framework.

SRDF is still not finished … and it will not be finished, as it's a community-based framework developed by the contributors. We have just begun the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object-oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

The Kernel-Mode part is still in progress, and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Exe Analyzers, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators



Tool name: Smartassassin
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 1.0
Last updated: September 4, 2008
Direct D/L link: http://www.reteam.org/tools/tf34.zip
License type: Free
Description: {smartassassin} is a reverse engineering tool used to remove string encryption from {smartassembly}-protected files; it is also possible to decompress resources compressed by {smartassassin}.

If the original file was strong-name signed, {smartassassin} will create a new keypair and re-sign the file with this pair. Be careful, since files depending on this file will need to be edited manually to support the new strong name signature. You can use RE-Sign for this and the editor of your choice.

Also, if you would like the file re-signed with a specific key, place your key in the same folder as the file you are about to process and rename it to {smartassassin}.snk; {smartassassin} will then use this key for the re-sign process.
Also listed in: Automated Unpackers



Tool name: swfdecrypt
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?t=11720
Current version: 1.1
Last updated: September 28, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Unpacker for the commercial SWF Encrypt 4.0 Flash protection program (http://www.amayeta.com/software/swfencrypt).
Also listed in: Automated Unpackers, Flash Unpackers



Tool name: The Xenocode Solution
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated:
Direct D/L link: http://www.reteam.org/tools/tf32.zip
License type: Free
Description: The Xenocode Solution is an unpacker that works for all Xenocode products.
Also listed in: Automated Unpackers



Tool name: UnPECompact2 (MadMickael version)
Rating: 0.0 (0 votes)
Author: MadMickael                        
Website: N/A
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Automatic unpacker for files protected with PECompact 2.x.

There is a similar tool with the same name, created by smola.
Also listed in: Automated Unpackers



Tool name: UnPECompact2 (smola version)
Rating: 0.0 (0 votes)
Author: smola                        
Website: N/A
Current version: 0.2
Last updated: April 15, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: Automatic unpacker for files protected with PECompact 2.x.

There is a similar tool with the same name, created by MadMickael.
Also listed in: Automated Unpackers



Tool name: Unpacker PECompact
Rating: 0.0 (0 votes)
Author: Nacho_dj / ARTeam                        
Website: http://www.accessroot.com/arteam/site/news.php
Current version: 1.2
Last updated: January 14, 2014
Direct D/L link: Locally archived copy
License type:
Description: This is a tool to unpack PECompact (2.X - 3.X) wrapped targets. Since this sort of packer is not difficult to unpack & dump, the goal of the tool is just to make your life a little bit easier when you are facing any PECompact target.

And of course it has been a good exercise in coding debuggers using the Delphi environment.

Available for 4 known compilers -> The option 'Rebuild sections' produces a dump cleaned of any wrapper code, minimizes all sections and also decompresses the resources section.
Unchecking this option makes a dump without any further processing (although resources are always rebuilt, so they are not lost).

DLL files are also supported. This tool rebuilds an entire relocations section whilst debugging the process.

Drag & drop feature available.

If you run into any trouble when unpacking any target, please let me know in any of the reversing forums where this tool could have been released.

Thanks to all! And I hope you enjoy it.

Nacho_dj/ARTeam

Credits go to:
Shub Nigurrath & ThunderPwr, for their wonderful tut about debuggers & loaders
condzero, some ideas applied to this tool have been based upon his sources of loaders
Ghandi, for his very useful loader for dlls used by this tool
and of course, to...
ARTeam, the most wonderful reversing team I have ever known...
Also listed in: Automated Unpackers



Tool name: Virtual Section Dumper
Rating: 0.0 (0 votes)
Author: +NCR/CRC! [ReVeRsEr]                        
Website: http://code.google.com/p/virtualsectiondumper
Current version: v1.0 x64 & v1.1 x86
Last updated: February 21, 2012
Direct D/L link: http://code.google.com/p/virtualsectiondumper/downloads/list
License type: GPL v3
Description: VSD (Virtual Section Dumper) is intended to be a tool to visualize and dump the memory regions of a running 32-bit or 64-bit process in many ways. For example, you can dump the entire process and fix the PE header, dump a given range of memory, or even list and dump every virtual section present in the process.
Also listed in: Memory Dumpers, Process Dumpers



Tool name: Windows Script Decoder
Rating: 0.0 (0 votes)
Author: Mr Brownstone                        
Website: http://www.virtualconspiracy.com/content/scrdec/intro
Current version: 1.8
Last updated: April 10, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: The Windows Script Encoder (screnc.exe) is a Microsoft tool which can be used to encode your scripts (i.e. JScript, ASP pages, VBScript). Yes: encode, not encrypt. The use of this tool is to be able to prevent people from looking at, or modifying, your scripts. Microsoft recommends using the Script Encoder to obfuscate your ASP pages, so in case your server is compromised the hacker would be unable to find out how your ASP applications work.

The Windows Script Decoder is a tool that I wrote which can be used to decode all scripts that have been encoded with the Windows Script Encoder.

Please note that this program was originally written to demonstrate the ease of a cryptanalysis attack against a tool like the Windows Script Encoder. Nowadays, script encoding is often used to hide malicious scripting commands, and the script decoder can be very useful to uncover the original code. Do not use this tool to violate copyright. That's not what it is meant for.
Also listed in: Automated Unpackers, Deobfuscation Tools



Tool name: xTracer
Rating: 0.0 (0 votes)
Author: deroko                        
Website: http://www.accessroot.com/arteam/site/download.php?view.309
Current version: 1.0
Last updated: May 25, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: xtracer is a TLB memory tracer. It tries to locate the first break in the code section of the traced process using the split TLB available on the Intel architecture.
This code can be used to locate the OEP of the traced process easily. Currently only the 1st break is reported, but you may modify the code to handle more breaks, as that's not a problem at all if you go through the ring3 program which actually controls the driver. You may expect very good and fast results no matter which protection you are tracing. The time needed to locate the OEP is equal to the time needed to execute the protection layer without a debugger or any tracer.

I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0).

The code can be customized to handle various scenarios, e.g. adding more breaks on code sections, or hooking some more native calls to keep control of almost every allocated buffer, but that's up to the user to implement if he needs it.

To use this code simply type:

xtracer.exe <application to trace>

and wait a little bit. Also note that you must have an internet connection, as the code uses my SymbolFinder class to locate some symbols from ntoskrnl.exe, which makes this code compatible with Windows versions from Win2k to Vista SP1.
Also listed in: OEP Finders, Tracers

