Packer/protector tested :


 I successfully tested unpacking of :

   PELOAD - My own tool ;) Don't ask.
   ENC 0.1 - A basic PE encrypter.
   WWPACK 32 Beta - after a fucking while.. Nearly 4,000,000 lines executed !
   WWPACK 32 1.0 - 4,300,000 lines !!!!!!!!!
   Shrinker 32 3.3 (versions <3.3 use unstable code) (305,000 lines).
   Stone's PE Encrypter up to 1.13.
   PESHiELD in fast unpacking mode for every version.
   A few versions of PeCrypt (not versions >0.8).
   Maybe some others I haven't tried ;)

 Packer/Protector tested but not working (yet ?):

   Shrinker 3.2 : This one has a fucking bad loader. For example:

     xor eax,eax
     mov byte ptr [eax],20  <- Fault !

    is part of the loader. More such crap occurs later in the loader.
    Tips : Try to use J0B unshrinker for version 3.2.
           OR do it by hand : BPX .LOAD+2672h  (.LOAD RVA)

   PECRYPT32 : Ahem... I talked a lot with Random and gave him many tips,
    like how my import detection works, etc... Moreover, there are several
    MTE in the code and some IDT manipulations which prevent the loader
    from being traced completely. I personally tested a trace of 10 MILLION
    lines, with an access violation error at the end. IN CONCLUSION : you
    can't trace it using ProcDump... At least you can analyze a dump.
    Full support for PECRYPT32 will be done one day.... when I get or
    write a fully featured tracer or, maybe, if some crazy guy tries to do
    it with the script language ;).

 Generally, always use specific unpackers/deprotectors because they handle
 the PE perfectly and restore it to its EXACT state before protection.

To be done :


  Implement some anti ADT....                                   (in progress)
  Stronger tracer.                                              (in progress)
  Add Break on Register value function as suggested by Stone.   (project)
  Secure the script engine (no checks currently !!).            (project)
  Process Range dumper (easy to code... not found the time).    (project)
  Add some new commands to script engine.                       (project)
  Reloc Table scanner & rebuilder.                              (project)
  Module unpacker.                                              (project)
  Implement an API breakpoint system.                           (project)
  Import Table Full Rebuilder.... when I get enough time.       (stalled)
  More fast unpacking.                                          (waiting feedback ;)
  Fix some obvious bugs =)                                      (waiting feedback ;)

 These points are in development... Any help would be appreciated.

 Especially if u can code :

  Visual ASM32 / ASM Builder or any ASM Win32 IDE tool like that (I dream ;)
   Obviously it seems not !! Mammon is working on this !!!! (see fravia.org)
   I am fed up with Delphi's weird bugs !!
  A Better tracer code .... With Anti ADT and Fault filtering.
  A reloc detector - not an object name scanner please.

History :


version 1.0 Beta 1  [05-26-1998] - Public

  Added Script Tracer (95%).                                      (04-23)
  Finished the script tracer ;)                                   (05-05)
   Check script.[ini|txt] for details.
  Added support for PESHiELD due to script tracer ;)              (05-05)
  Added NT<5.0 support (not exactly the same as 95,98&NT5)        (05-07)
  Added some unpacking options for experts.                       (05-07)
  Added an option manager (option button). [for expert !]         (05-03)
   Actually it means me ;) U should never change advanced options !
  Added IAT recomputer and Improved Import Scanner                (05-24)
  Changed the way of unpacking (trace & fast). More convenient.   (04-28)
   Check doc about trace & fast unpacking.
  Changed About box activation - by clicking on the logo now.     (05-03)
  Disabled the maximize button (thanx Nop ;)                      (05-04)
  Disabled all buttons for all dialog boxes.                      (05-16)
  Started the anti SEH things.                                    (04-30)
  Optimized some function calls and code.                         (05-21)
  Fixed a little bug in import rebuilder.                         (05-22)
  Fixed an index in name scanner (OOOooooppps !!!)                (05-26)
  Fixed the Process Termination after trace/unpacking.            (05-07)
  Fixed the Process Kill Command (now we wait full death)         (05-07)
  Fixed Process Display after a KILL                              (05-20)
  Fixed a Code Fault that may have occurred (never got it anyway) (05-07)
  Fixed the temporary dump delete if unpack failed                (05-16)
  Fixed a cosmetic bug in module view                             (05-20)
  Fixed the Write error problem when Trace was canceled           (05-20)
  Fixed the kill message (app name was missing)                   (05-20)
  Cleaned up resource file                                        (05-26)
  Updated the whole documentation due to many changes.            (05-05)
  Updated the script documentation. Someone Asked me ;)           (04-27)

version 1.0 Alpha 9 [04-20-1998] - Public (04-23).

  Added some sanity check about non PE header.                    (04-10)
  Added Module lister for a given process.                        (04-12)
  Added Module Dumper.                                            (04-12)
  Added Header Full rebuilder when destroyed.                     (04-13)
  Added Fast unpacker for a few packers.                          (04-15)
  Import Rebuilder 100% working [many things fixed]               (04-20)
   Rebuild ordinal for crashed import table at runtime.
  On successful unpack, display EIP before Jump.                  (04-15)
  Some cosmetic changes.                                          (04-13)
  Source code cleaned up a little.                                (04-13)
   I know, I know : u don't care ;)
  Optimized a little the code size.                               (04-12)
  Helped a little the garbage collector...ooopps ;)               (04-20)
  Updated the documentation                                       (04-20)

version 1.0 Alpha 8 [04-06-1998] - Public

  "Public" version ;) For those who know how/why to use this.
  Changed a bit the object size updater.
  On failure, display the EIP where we were.
  Terminate correctly in all cases now (Trace)... except if Win crash ;)
  Exe Size reduced.
  New GFX added ;)

version 1.0 Alpha 7 [03-27-1998]

  Changed the debug tracing interception mode.
  EIP no longer destroyed in dump & reload mode.
  First version WITH a working PE unpacker !!
  Fixed a little bug in import rebuilder.
  Removed "always on top" feature... was annoying.

version 1.0 Alpha 6v [03-26-1998]

  Visual Progression of the tracer so that u can know if we are killed or
   not.
  Some other minor things.

version 1.0 Alpha 6 [03-24-1998]

  Tracer Code fixed and more secure - no more Reboot32 code ;).
  Traps for ACCESS_VIOLATION
  Traps when Process is out of itself !!

version 1.0 Alpha 5 [03-23-1998]

  Tracer Code added [TO DEBUG] !!Don't use if u don't know what u do!!
   Means : Only if u are called Stone or G-RoM ;).
   Actually it is nearly a Reboot32 Code ;).

version 1.0 Alpha 4 [03-20-1998]

  DLL export analyzer enhanced.
   -> ordinal export supported in import rebuilder [Ex: kernel32.1 allowed].
  Memory leak fixed.
  Load External option fixed (ahem....forgot a boolean test !).
  Mangled import function restore. See Special Section.

version 1.0 Alpha 3 [03-19-1998]

  DLL name autorestore.
  IAT special entry problem solved.

version 1.0 Alpha 2 [03-18-1998]

  New import section detector (generic).
  Header rebuild 100% okay now [bss always 0 !]
  Some checks were added just in case.

version 1.0 Alpha   [03-13-1998]

  Import loader now rebuilds a valid import table; import by name is always
   tried before import by ordinal.

version prealpha    [03-08-1998]

  External Buffer conversion added.

version 0           [03-03-1998]

  Interface done
  Translated my win32 asm prototype into inline asm under Delphi.
  File dump at exact size works now.
