* opening PROTECT EXE/COM v5.5 *

Packer's functions:
  1) Encryption
  2) Compression (optional)

Anti-debugging used:
  1) decryption routines via INT 3
  2) (ab)uses Soft-ICE backdoors

Jeremy is well known for advertising his program as uncrackable, absolutely secure etc. It's not all true, ofkorz. In fact, there's no automatic unpacker for v5.5 so far (10.95) <*>, but it can be opened fast and easily with any good debugger. I used Soft-ICE v2.80.

How to open it fast? Assume that you have Soft-ICE and any code dumper (I recommend Bugsy's DumpExe) already loaded...

1) From DOS, call S-I and set a breakpoint on INT 3 (BPINT 3); then X back to DOS.

2) Run the program you're trying to open.

3) A few (7-9) instructions down from the place where you landed from the BPINT there should be a SUB CX,09. Set a breakpoint on it, disable the previous breakpoint on INT 3, and go.

4) Trace through easy code until you reach two jumps, one after another. Normally they should take you somewhere else, about 100h lines forward (go to 5), bypassing the decompression routines. But if compression was enabled, they will have no effect, i.e. they look like this:

     E8 00 00    JMP $+1
     E8 00 00    JMP $+1

   There's no need to waste time on these routines. Look a few screens forward for the code listed below, in 5). Set a breakpoint there and go.

5) Trace (don't enter loops and procs) until you see this:

     MOV SI,4647
     MOV AX,0911
     INT 3

   Before you enter the INT 3, zero SI (RSI 0). Otherwise S-I will get stoned.

6) Enter (T) the INT 3. Before going any further, reset SI to 4647 (RSI 4647). Then go on.

7) Trace until the far jump JMP xxxx:xxxx. This will take you to the beginning of the original (unencrypted) code. Now you can save it to disk.

Remember that there can be more than one "layer" of PROTECT on the program. In such a case, repeat the above steps until the code after the far jump doesn't look like it was written when drunk ;)

by kravietZ
greetings for all #cracking friends

<*> there is one now - marquis' X55; look for it on pipeta ftpsite or INTBP bot
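From the defensive side, the instruction sequences quoted in steps 3 and 5 above double as a static fingerprint for triaging DOS binaries that carry this loader stub. The scanner below is an added example, not part of kravietZ's text and not code from PROTECT itself: it hand-assembles those instructions into their 16-bit x86 byte encodings and assumes the stub containing them is stored unencrypted in the file (the tutorial implies this, since the stub runs before any decryption, but does not state it). The MZ check, the signature names and the sample buffer are all constructed here.

```python
import sys
from typing import Dict, List

# 16-bit x86 encodings of the instructions quoted in the tutorial.
# Hand-assembled for this example; they are NOT bytes taken from the packer.
SIGNATURES: Dict[str, bytes] = {
    # step 5: MOV SI,4647 / MOV AX,0911 / INT 3
    "int3_decrypt_call": bytes.fromhex("BE 47 46 B8 11 09 CC"),
    # step 3: SUB CX,09 (sign-extended imm8 form, what most assemblers emit)
    "sub_cx_09_short": bytes.fromhex("83 E9 09"),
    # step 3: SUB CX,0009 (imm16 form, in case the stub was assembled that way)
    "sub_cx_09_word": bytes.fromhex("81 E9 09 00"),
}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data (overlaps allowed)."""
    offsets: List[int] = []
    pos = data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each signature name to the offsets where it was found; names with no hit are omitted."""
    return {name: offs for name, pat in SIGNATURES.items() if (offs := find_all(data, pat))}


def is_mz(data: bytes) -> bool:
    """True if the buffer starts with the DOS executable magic ('MZ', or the 'ZM' variant DOS also accepts)."""
    return data[:2] in (b"MZ", b"ZM")


def classify(data: bytes) -> str:
    """Rough verdict: the INT 3 sequence is the distinctive part; SUB CX,9 alone is too common to mean much."""
    hits = scan(data)
    if "int3_decrypt_call" in hits:
        return "likely PROTECT-style INT3 decrypt stub"
    if hits:
        return "weak hit (SUB CX,9 only)"
    return "no match"


# Constructed sample: fake MZ header, NOP filler, the step-3 sequence at offset 40,
# more filler, the step-5 sequence at offset 59, then a far JMP with a made-up target.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\x90" * 8 + bytes.fromhex("83 E9 09")
    + b"\x90" * 16 + bytes.fromhex("BE 47 46 B8 11 09 CC")
    + b"\xEA\x00\x00\x00\x10"
)

if __name__ == "__main__":
    # Usage: python scan_protect.py [file.exe]; with no argument the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("MZ header:", is_mz(blob))
    for name, offs in scan(blob).items():
        print(f"{name}: {[hex(o) for o in offs]}")
    print(classify(blob))
```

A hit on the three-instruction sequence is a strong indicator because the two immediates (4647h and 0911h) are specific to this stub; SUB CX,9 on its own appears in plenty of ordinary code, so it is reported separately and only as supporting evidence. Multiple PROTECT layers, as the text warns, would not show up statically: only the outermost stub is in plaintext on disk.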