Collaborative RCE Tool Library - Unpacking Tools (including sub-categories)

Tool Updated: CodeDoctor

2009-11-12T16:24:49Z

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: Radare

2009-11-04T09:18:47Z

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.4.1

Most recent release date:
November 3, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: LordPE

2009-09-30T14:24:12Z

Listed in categories: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers

Most recent version:
1.41 (Deluxe b)

Most recent release date:
September 30, 2009

Description:
LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Tool Updated: ArmaGeddon

2009-09-07T17:51:03Z

Listed in categories: Automated Unpackers

Most recent version:
1.7

Most recent release date:
September 7, 2009

Description:
Armageddon is an ©Armadillo unpacking tool designed specifically to deal with the many protection features available in versions 3.78 thru 6.62 32-bit Professional Edition.

This Tool can strip Armadillo Protection from protected Exe's / Dll's

Tested on:
Various applications protected by versions 3.78 through 6.62.
Limited or no support for Win2k (due to use of DebugActiveProcessStop API)
Support for win2k3 Server, XP SP1/SP2/SP3 and Vista 32 bit. If you experience any problems running the program, you may need to download and install Microsoft Visual C++ 2005 Redistributable Package (x86) available here: http://www.microsoft.com/downloads/details.aspx?familyid=32bc1bee-a3f9-4c13-9c99-220b62a191ee&displaylang=en

What's New

The program has been recoded to the extent possible to increase stability and reduce maintenance and errors.
+ A new option for ignoring the PE header 2nd .text section, that, if exists, the tool will sometimes use for finding the OEP which may cause problems.
+ All known bugs have been corrected.
+ A new bitmap caption replaces the Window text.
+ The process of logging nanomites has been modified to include loading / saving logged entries. This is necessary for detaching from a process using the copymem2 option when "Resolving" any nanomites. This is optional for "Resolving" nanomites in a dumped file.
+ Fixed some problems related to using the nanomite "Repair" and "Resolve" options for targets rebuilt using the "Minimize size" option.
+ A new option "ArmAccess.dll" allows for the loading of the ArmAccess.dll in the process (if required) to resolve import issues due to ArmAccess functions being called by the target application. This option is rarely needed.
+ hide tool from PEB NTGlobalFlags.
The nanolib.dll is now a fully external process. No more does it use the OpenProcess API to open the existing child process from Armageddon, but instead, gets passed the number of potential nanomites found with a pointer to an array which is used in the analyze process. Armageddon terminates the father / child processes before calling the nanolib.dll. The nanolib.dll has been further enhanced for security.
Special thanks to NeVaDa UnReal-RCE PersianCrackers for finding a bug in the nanolib.dll specifically as relates to the IdentifyNano() function.
+ The condition table of possible jumps reflected inaccurate information resulting in incorrect jump determination. This has been resolved and should produce more accurate analysis of nanomites.
+ The parsing of potential nanomites has been improved.
Special thanks to Nacho_dj for improving upon the ARTeam ARImpRec.DLL which includes:
+ Fixed a bug when rebuilding imports by using relocations
+ Added overlay detection for newest version of Armadillo
+ Fixed a couple of bugs when searching for any possible overlay
+ Improved code when rebuilding imports using relocations data
+ Fixed bug when rebuilding imports using relocations data
+ Fixed some bugs when rebuilding Visual Basic targets
+ Fixed a bug when rebuilding imports using relocations data
+ Added analysis of imports using relocations data
+ Fixed some bugs when rebuilding imports
+ Added support for zlib packed overlays
+ Improved rebuilding of imports, now based on relocations data, if they exist
+ Added rebuilding of VC++ 3.0 targets
+ Fixed rebuilding of Export Table
+ Improved the speed of processing imports, changed the way of accessing the data and the algorithms.
+ Improved the rebuilding of section names for Armadillo 6 when using MinimizeSection.
+ Fixed some bugs for overlay targets.
Special thanks to Admiral for improving his Nanoviewer tool and his VEH loader for Vista. Armageddon contains both the original Rwb32.bin file plus the newer Rwb32_vista.bin file for the "Repair" option. Armageddon will choose the appropriate file based on your OS, if used.
+30/11/08 - v0.96ff
+Bugfix: A couple of bug reports filtered in over the years, all pertaining to the Nanomite loader. Two fairly important fixes were made, so I thought I'd publish the minor changes that were necessary to make the Nanomite handler Vista compatible.

Key features

Standard Protection
Minimum Protection
Memory Patching
Debugblocker
CopyMemII
Import Elimination
Import Redirection (Emulation)
Strategic Code Splicing
Nanomites
Randomized PE section names
Shockwave Flash + applications that utilize overlays (minimize size option required)
Hardware locking (Standard / Enhanced Fingerprint support)
DLL support:
Requires included dll loader.exe to load the target dll
Open / Save dialogs updated for exe / dll, plus,
resolve relocations.

Full imports rebuilding:
ARTeam Import Reconstructor ARImpRec.DLL - 1.4.6 by Nacho_dj
---- Updated 2009 July. Coded in Delphi 7 Enterprise.
It rebuilds imports in a file previously dumped. IAT gets rebuilt in the same place where it has been found, and Import Table is built in a new section, pasted at the end of the file.
The PE header is fixed for some needed data.
The main feature is that it ignores all thunks not valid found between valid ones, and then it rearranges the imports found, rebuilding for every module an only array of thunks. Thus, it can rebuild shuffled IAT.

Tool Updated: WinHex

2009-08-30T15:59:59Z

Listed in categories: Binary Diff Tools, Hex Editors, Memory Dumpers, Memory Patchers, Memory Search Tools

Most recent version:
15.4 SR-5

Most recent release date:
August 30, 2009

Description:
WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features include (depending on the license type):

* Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
* Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
* Built-in interpretation of RAID systems and dynamic disks
* Various data recovery techniques
* RAM editor, providing access to physical RAM and other processes' virtual memory
* Data interpreter, knowing 20 data types
* Editing data structures using templates (e.g. to repair partition table/boot sector)
* Concatenating and splitting files, unifying and dividing odd and even bytes/words
* Analyzing and comparing files
* Particularly flexible search and replace functions
* Disk cloning (under DOS with X-Ways Replica)
* Drive images & backups (optionally compressed or split into 650 MB archives)
* Programming interface (API) and scripting
* 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
* Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
* Import all clipboard formats, incl. ASCII hex values
* Convert between binary, hex ASCII, Intel Hex, and Motorola S
* Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
* Instant window switching. Printing. Random-number generator.
* Supports files >4 GB. Very fast. Easy to use. Extensive online help.

Tool Updated: Explorer Suite

2009-08-19T15:45:19Z

Listed in categories: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

Most recent version:
III

Most recent release date:
August 19, 2009

Description:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Tool Added: Imp64

2009-08-14T16:30:40Z

Listed in categories: IAT Restore Tools

Most recent version:

Most recent release date:
2008

Description:
Here is one tool to fix imports on x64 target (and to dump them as well). This tool was done almost a year ago. GUI really sucks as I'm not very experienced with GUI programming. However import fixing code should do just fine as it uses 1API = 1IID technique which I described in one of my Blog entries. Good thing is that import scanning/fixing code can be extracted from source without a problem as those are held in separate files.

Hope that someone will find this tool useful, at least source code.

Tool Updated: Ap0x Unpack Engine SDK

2009-08-08T10:29:34Z

Listed in categories: Unpacking Tools

Most recent version:
1.5

Most recent release date:
May 20, 2009

Description:
This unpack engine covers everything one unpacker needs.

Features:

Integrated x86/x64 debugger
Integrated x86/x64 disassembler
Integrated memory dumper
Integrated import tracer & fixer
Integrated relocation fixer
Integrated file realigner
Functions to work with TLS, Resources, Exports,…

SDK is free and can be used by anyone but make sure you mention my name or include logo.bmp somewhere in About dialog.

Protections have evolved over the last few years, but so have the reversers tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn’t evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such fashion that writing unpackers would mimic analyst’s manual unpacking process. Basic set of libraries, which will later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With the guided execution and a set of callbacks these separate modules complement themselves in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached file gets dumped to disk and fixed so it resembles the original to as great of a degree as possible. In this fashion problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method.

TitanEngine can be described as Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems make this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. Engine is open source making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

SDK v.1.5
- Added C SDK
- Updated Delphi and MASM SDK
- Fixed all .dll LIB files in Engine folder
- Fixed memory problems for all modules
- Tested on over 100+ unpackers build on it!
- Listing major changes only...

v.1.7 [Debugger.dll]
- Added new API: GetExitCode
- Added new API: DebugLoopEx
- Added new API: GetDebugData
- Added new API: AttachDebugger
- Added new API: DetachDebugger
- Added new API: GetTerminationData
- Added new API: LengthDisassembleEx
- Added new API: GetDebuggedDLLBaseAddress
- Added new API: GetDebuggedFileBaseAddress
- Fixed: CommandLine parameter passing for InitDebug
- Fixed: Wrong hex to dec conversion for some numbers
- Fixed: LengthDisassemble crashing while getting length for some addresses
- Fixed: Not releasing open handles for some files

v.1.6 [Dumper.dll]
- Added new API: IsFileDLL
- Added new API: DumpProcessEx
- Added new API: PastePEHeaderEx
- Added new API: DeleteLastSection
- Added new API: SetSharedOverlay
- Added new API: GetSharedOverlay
- Added new API: StaticLengthDisassemble
- Fixed: Crashes releated to overlay when trying to extract the overlay
- Fixed: ConvertVAtoFileOffset not converting addresses correctly with some files
- Fixed: Crashes with PastePEHeader when PE32 header is not below 0x1000
- Fixed: Not releasing open handles for some files

v.1.6 [Importer.dll]
- Added new API: ImporterAutoSearchIATEx
- Added new API: ImporterGetRemoteAPIAddress
- Added new API: ImporterRelocateWriteLocation
- Added new API: ImporterGetDLLNameFromDebugee
- Fixed: ImporterGetAPINameFromDebugee not returning names for APIs
- Fixed: ImporterFindAPIWriteLocation returning wrong values if API is not found

v.1.1 [Tracer.dll]
- Added support for following redirections: SVK Protector 1.x, tELock 0.8x-0.99
- Fixed: Memory leak for tracing large ammount of data in the same session
- Improved tracing for all levels (added a trace into near jumps)

v.1.0 [Realigner.dll]
- Added new API: RealignPE
- Added new API: IsPE32FileValid

v.1.0 [Relocater.dll]
- Added new API: RelocaterInit
- Added new API: RelocaterAddNewRelocation
- Added new API: RelocaterExportRelocation
- Added new API: RelocaterChangeFileBase
- Added new API: RelocaterEstimatedSize
- Added new API: RelocaterMakeSnapshoot
- Added new API: RelocaterCompareTwoSnapshots
- Added new API: RelocaterGrabRelocationTable
- Added new API: RelocaterGrabRelocationTableEx

v.1.1 [HideDebugger.dll]
- Added check for Windows version before patching APIs
- Fixed: ASLR and Vista compatibility (Importer must be present)

v.1.2 [Updater.dll]
- Added return value to UpdateEngine
- Added support for Tracer.dll updating
- Added support for Realigner.dll updating
- Added support for Relocater.dll updating
- Changed update location to http://www.reversinglabs.com/

Tool Updated: PEBrowse Professional

2009-07-18T23:05:32Z

Listed in categories: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers

Most recent version:
10.0.1

Most recent release date:
July 12, 2009

Description:
PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.

Tool Added: XTracer

2009-06-17T00:08:44Z

Listed in categories: OEP Finders, Tracers

Most recent version:
1.0

Most recent release date:
May 25, 2009

Description:
xtracer is TLB memory tracer. It tries to locate first break in code section of traced process using split TLB which is available in intel architecture.
This code can be used to locate OEP of traced process easily. Currently only 1st break is reported, but you may modify code to handle more breaks as that's not a problem at all if you go trough ring3 program which actually controls driver. You may expect to get very good and fast results no matter which protection you are tracing. Time needed to locate OEP is equal to the time needed to execute protection layer without debugger, nor any tracer.

I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0).

Code can be customized to handle various scenarios. Eg. add more breaks on code sections, hooking more some native calls to keep control of almost every allocated buffers, but that's up to the user to implement if he needs it.

To use this code simply type:

xtracer.exe <applicaton to trace>

wait a little bit. Also note that you must have internet connection as code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe which makes this code compatible with windows versions from win2k to Vista SP1.

Tool Updated: Wildtangent unwrapper

2009-06-07T21:19:24Z

Listed in categories: Automated Unpackers

Most recent version:
2.4

Most recent release date:
June 7, 2009

Description:
Release URL
-----------
http://xchg.info/ARTeam/Tutorials/index.php?dir=ARTeam_Releases/&file=WildTangent_Unwrapper_v24_by_Nieylana.rar

WildTangent Unwrapper v2.4 by Nieylana
-------------------------------------

Features:
---------

- Applies patch at runtime to bypass multiple protection schemes (At layer 2).
- Able to unwrap WildTangent based games.
- Note: All games are now supported by the Unwrapper
- Automatically detects if overlay is present.
- Supports 3 types flash overlay (no game has been found to have the 4th type)
- FWS
- CWS
- 10JP
- Appends overlay to dumped file (if present)
- Compresses dumped file using UPX if required (10JP Overlays)
- Checks for delayed decryption of layer 3 (.pccode)
- Note: No games are known to have this ability, but a WT game is easily modable
(one byte) to allow the decryption of layer 3 to not occur until the play button
is pressed. WTLoader can detect this and will attempt to load these games as well.
- Automatically Generates a SKUInfo.ini file for each unwrapped game to ensure playability of the Dumped File

Tool Updated: DotFuckScator

2009-05-09T17:34:28Z

Listed in categories: Automated Unpackers

Most recent version:
v1.3

Most recent release date:
May 9, 2009

Description:
DotFuckScator.V1.3

DotFuckScator is a reversing engineering tool used to remove string encryption
from dotfuscator protected files

If the original file was strong name signed DotFuckScator will create a new keypair
and re-sign the file with this pair, be carefull since file depending on this file will
need to be edited manualy to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also if you like the file re-signed with a specific key place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk
now DotFuckScator will use this key for the re-sign process.

Hope this tool is of any use

Changes:
* v1.1 has a minor bugfix that prevented some strings from proper decrypting
* v1.2 small bugfix in re-signing, added indicator to show the amount of
strings decrypted so far
* v1.3 Fixed royal fuck-up in string decryption code replacement function
meaning the output will now run after string decryption removal ;x

Tool Updated: Universal Import Fixer

2009-03-04T20:46:38Z

Listed in categories: IAT Restore Tools

Most recent version:
1.2

Most recent release date:
December 31, 2008

Description:
Use this tool for fixing Import Elimination, Directly Imports, Shuffled, Disordered, Scattered and Hashed Imports.

So you can use this tool for changing IAT Base Address and Sorting IATs.

Tested on:

Armadillo
ASProtect
Enigma
ExeCryptor
eXPressor
PeSpin
RlPack
TheMida
WinLicense
HyperUnpackMe

and any protector with Import Elimination, Directly Imports and Hashed Imports.

A Flash tutorial for unpacking eXPressor with Universal Import Fixer is included in the local download package.

Use this tool for fixing Import Elimination, Directly Imports and Shuffled, Disordered, Scattered Imports.

So you can use this tool for changing IAT Base Address and Sorting IATs in New (other) Address.

Tested on:

Armadillo
ASProtect
Enigma
ExeCryptor
eXPressor
PeSpin
RlPack
TheMida
WinLicense

and any protector with Import Elimination, Directly Imports and Shuffled, Disordered, Scattered Imports.

Notes:
======
This tool is an Import Fixer (not Import Rebuilder ImpRec etc) and Just work in memory of target process.

Always first use UIF then Dump target process.

UIF can fix actual APIs, dont use it for fixing Emulated/Redirected APIs to protector's stub.you must use UIF After fixing Magic IAT jump (or use any methods) to convert Emulated/Redirected APIs to Actual APIs.

Samples:

Armadillo : Import Elimination
ASProtect : Directly Imports
Enigma : Shuffled, Disordered, Scattered Imports
ExeCryptor : Scattered Imports in Protector Stub
eXPressor : Directly Imports
PeSpin : Directly, Shuffled, Disordered, Scattered Imports
RlPack : Shuffled, Disordered, Scattered Imports
TheMida : Directly Imports
WinLicense : Directly Imports

Tool Added: Memoryze

2009-02-05T11:58:01Z

Listed in categories: Kernel Hook Detection Tools, Memory Dumpers

Most recent version:

Most recent release date:

Description:
MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
o report all open handles in a process (for example, all files, registry keys, etc.).
o list the virtual address space of a given process including:
+ displaying all loaded DLLs.
+ displaying all allocated portions of the heap and execution stack.
o list all network sockets that the process has open, including any hidden by rootkits.
o output all strings in memory on a per process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Tool Updated: Reflexive games Unwrapper

2009-01-26T20:47:22Z

Listed in categories: Automated Unpackers

Most recent version:
1.3

Most recent release date:
January 23, 2009

Description:
unWrapper for the games protected by 'ReflexiveGameWrapper'
created by eraser, May/2007

http://www.reflexive.com/

devoted to ARTeam, thx anorganix and Shub-Nigurrath [ARTeam]

Version 1.3:
------------
The new v1.3 (TASM) of Reflexive Unwrapper is distributed with a special one (MASM) v1.0 which also supports Win9x/ME. Win9x is dead but not for everyone and of course the source code is included so anyone can take a look how to set BP on API in Win9x/ME, hmm an educational purpose.
File doc\history.txt included in both the two versions.

--- TEST notes ---

Win9x/ME supported!

tested on: MS Windows 2000 SP4, thx Arab3h
tested on: MS Windows XP Professional SP2

05-22-2007
games: Scrubbles, War Chess, Rocket Bowl, Alien Shooter, Sheeplings,
Scavenger, Egyptoid, Aztec Bricks

05-23-2007
games: Naval Strike, Mirror Magic, Wild West Billy, After The End, Brickquest,
Devastation Zone Troopers, Law And Order The Vengeful Heart

Dungeon Scroll Gold Edition
unwrap and replace the bytes with 0100 0001 100E 0000 at offset 0x4DF9C

05-25-2007
games: Pizza Panic, Magic Ball 2, Magic Ball 3, Magic Ball 2 New Worlds,
Mystery Case Files Ravenhearst, Zombie Smashers X2, Pipeline, Westward

05-29-2007
games: Little Shop Of Treasures, Big Kahuna Reef, Slingo, Temple of Bricks,
Bricks of Egypt, Bricks of Atlantis, WW2 Pacific Heroes, Yahtzee

06-03-2007
games: Mysteriwille, Death on The Nyle

06-05-2007
games: Amazonia, AstroAvenger, Jets N Guns GOLD, Project Xenoclone,
Rage Of Magic 2, Rikki And Mikki To The Rescue, Roman Bowl,
Age of Castles (thx GEEK)

06-21-2007
games: The Dark Legions (thx npad69), Alice Greenfingers, Bullet Candy,
FastCrawl (MS .NET Framework), Ancient Hearts And Spades, Neon Wars

07-01-2007
games: Puzzle Detective (thx Ghandi),
80 days, Venice, Secrets of Great Art, The Magicians Handbook,
Chocolatier (thx SSlEvIN), Mexican Motor Mafia

04-16-2008
games: Yahtzee Texas Hold Em (RWG file is replaced with Raw_001.exe), Penguins Journey,
Westward II Heroes Of The Frontier, Astro Avenger 2

usage (default)
1. run unwrapper.exe and select a target/game
2. click on 'Play Game' button within 10 seconds
3. run *.RWG.exe file in the game's folder

note: .RWG file can also be replaced by, e.g., an .exe file (supported)

example (Alien Shooter)
1. install the game e.g. into "D:\games\Alien Shooter"
2. run unwrapper.exe
3. select "D:\games\Alien Shooter\AlienShooter.exe"
4. click on 'Play Game' button
5. delete/move/backup files AlienShooter.exe and AlienShooter.RWG
6. rename AlienShooter.RWG.exe to AlienShooter.exe
7. delete all files from "D:\games\Alien Shooter\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run AlienShooter.exe

example (Yahtzee Texas Hold Em)
1. install the game e.g. into "D:\games\Yahtzee Texas Hold Em"
2. run unwrapper.exe
3. select "D:\games\Yahtzee Texas Hold Em\YahtzeeTexasHoldEm.exe"
4. click on 'Play Game' button
5. delete/move/backup files YahtzeeTexasHoldEm.exe and Raw_001.exe
6. rename Raw_001.exe.exe to YahtzeeTexasHoldEm.exe
7. delete all files from "D:\games\Yahtzee Texas Hold Em\ReflexiveArcade"
folder except unins000.exe and unins000.dat
8. run YahtzeeTexasHoldEm.exe

--- RE notes ---

game.exe - loader/decrypter
game.rwg - encrypted game (optional)

CreateProcess, game.rwg, CREATE_SUSPENDED
ReadProcessMemory, read encrypted chain from game.rwg at BaseAddress
decryption...
WriteProcessMemory, write decrypted chain into game.rwg at BaseAddress
ResumeThread, execute game.rwg

----------------

Tool Updated: DotNet Sniffer Win32

2009-01-26T14:39:45Z

Listed in categories: .NET Tools, .NET Unpackers

Most recent version:
2.0

Most recent release date:
November 8, 2008

Description:
dotNet Sniffer 2 uses the .NET profiler API to save assemblies loaded from memory. Once a module is handled by the .NET Framework, dotNet Sniffer saves it to disc if it was loaded from memory. Some tools are changing the module (decrypt methods ...) after loading; dotNet Sniffer allows you to save the module again during the execution of the first method (JIT). The profiler will be active only for the process to start; installing dotNet Sniffer will not affect the performance of other .NET programs. dotNet Sniffer 2 is available for 32-bit and 64-bit processors. 64-bit versions also install the 32-bit profiler and can save indifferently 32-bit and 64-bit processes. If you use 64-bit Windows, install only the 64-bit version suitable for your processor.

Tool Updated: PvLog LicenseManagerKiller Win32

2009-01-26T14:37:27Z

Listed in categories: .NET Tools, .NET Unpackers

Most recent version:
1.0

Most recent release date:
November 8, 2008

Description:
The purpose of PvLog LicenseManagerKiller is to warn against the inefficiency of managing licenses in 100% managed code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly. This tool is rudimentary and releases only most naive protections, but you can imagine that PvLog DeObfuscator and Reflector would allow a determined attacker to remove more sophisticated license controls.

Tool Updated: DotNetTools Win32

2009-01-26T14:36:10Z

Listed in categories: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers

Most recent version:
1.0

Most recent release date:
November 8. 2008

Description:
dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog Deobfuscator is a MSIL code optimizer that makes more readable obfuscated code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly.

Tool Updated: ArmInline

2009-01-26T14:31:34Z

Listed in categories: Automated Unpackers

Most recent version:
0.96ff

Most recent release date:
November 30, 2008

Description:
ArmInline is an Armadillo unpacking tool designed specifically to deal with the many antidump features available with private builds of Armadillo v3.5-4.4, including Code Splicing, Nanomites and Import Elimination. For more details see the readme.

ArmInline was officially discontinued on 23/07/06.

Update (30/11/08):
In spite of the official 'dicontinued' status, I thought it wasteful not to publish the minor changes that were necessary to make the Nanomite handler Vista compatible.

Tool Updated: MSIL Dumper

2008-12-30T00:04:33Z

Listed in categories: .NET MSIL Dumpers, .NET Tracers, Tracers

Most recent version:
0.4

Most recent release date:
December 12, 2008

Description:
The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799