!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FREELY REGISTER YOUR COPY AT MY HOMEPAGE: HOME.T-ONLINE.DE/HOME/ENOCH
OR SEND AN E-MAIL TO: hendrix_@gmx.net
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡

INDEX

  Options
  Options for unpacking COMs
  Options for unpacking EXEs

###############################################################################

OPTIONS
<=======>

default
option    Description

ru+       No outputs (no screen-switching).

8e+       Use GTR's own, faster interrupt 8.

jf+       Detect jumps to possible entrypoints of an unpacked EXE.
          When detected, check su-option...

bp100+    Breakpoint at cs:XXXX. Detect possible entrypoint of unpacked COM
          at PSP:0100. When detected, check su-option...

su8       X of 9 set up registers: Call this option 'sensitivity'.
          It depends on the protector how many registers are set up when the
          unpacked COM/EXE is executed. So whenever one of the above
          detectors alarms, the set up registers are counted. /su8 means
          that when 8 registers are correctly set up, you are asked to save.

mp3F8     Mouseport: GTR will interrupt when you press the left
          mouse-button. This option will let you set the port-address.
            COM1:3F8   COM3:3E8
            COM2:2F8   COM4:2E8

pq-       GTR will watch for PrefetchQueue-Games and alert you, so you might
          turn PrefetchQueue-emulation on next time. Also you can force a
          Pentium with /pq+ to emulate a 80x86.

pe10-     PrefetchQueue-emulator, prefetchsize XX bytes (beta version).
            486: pe10+ (16 bytes prefetch)
            386: pe10+
            286: pe8+  ( 8 bytes prefetch)
            XT:  pe4+  ( 4 bytes prefetch)

cs+       Interrupt, ask for this and that ONLY when CS:IP is in the
          program's range (PSP:0000 <= CS:IP < A000:0000). This way the
          jumpf-detection will not ask you for an unpacked EXE inside the
          BIOS, the disassembler will skip the BIOS, and the breakpoint will
          be inside the program's code.

da-       Disassembler

tr-       Stepping: wait for keypress before tracing the next instruction,
          hold down the right [CTRL] for 'slow-motion'!

cm+       Cut Memorycontrolblock: the program's MCB is shrunk to minimal
          size (most programs like to have all memory that is left).
          This will result in smaller dumps.

mm-       Allocate more memory: for making DUMPEXE-dumpfiles it is necessary
          to dump at different memory-locations to calculate the
          re-locations for EXEs.

bg-       Background trace: use this option to let GTR run in the
          background. Try this:
            GTR /bg+ /jf- /bp0- /pq- C:\COMMAND.COM
          will let you interrupt DOS with the left mouse-button.

it-       Trace only when the int-flag is set. This is useful if you want to
          skip PrefetchQueue-Games, because they can (must) only be made
          when interrupts are turned off. But you might miss the program's
          entrypoint when the crypter jumps there when the int-flag is clear
          (no control). Also: interrupts (08h,0ch,21h,...) are processed
          faster.

rm-       Run macro .COC/EXC to automatically unpack the file for the second
          dump.

sa-       Save All mem: disables all attempts to find the correct length of
          the dump and dumps all memory above the PSP.

fmFFFF    Fill Mem with XXXX pattern

cr11      CR0 register value

st-       STop at every unwanted instruction (works with /ru-)

ce-       Check for DOS-Exit

kb        alternative KeyBoard routine

fr-       Fill random-bytes into memory

cl-       CLock stopper (may mess up your BIOS check-sum)

we[3/5/N] Windows 3.11/95/NT Emulation

cy        CYrix DR7 emulation

###############################################################################

OPTIONS FOR UNPACKING COMs
<==========================>

■ General Options: /ru+ /8e+ /bp100+ /cs+ (but those are standard)
■ You might turn off the EXE-detection with /jf- (faster)
■ Since everybody wants his packer to run on pentiums+ also, you can turn
  the PrefetchQueue-alert off with /pq- (still faster)

COM-HEADER      OPTIONS         RECOGNITION-STRING      COMMENT
================----------------========================----------------
CC 2.61b        /su5 /pq-
COM2TXT 1.11    /su5 /pq-
COMLOCK 0.1     /su9 /pq-
COMPACK 4.5     /su4 /pq-       (C) 1991 W Collisa      not 1st requester
COMPREXE 1.0    /su9
COMT 0.1d       /su9 /pq-       COMT_is_copyright_Alex
COMSCRAMBLER0.1 /su8 /pq-
CRYPT 2.0       /su4                                    DX=DS, not 1st requester
CRYPTCOM 2.0    /su6 /pq-
DEEPCRYPT 0.1b  /su3 /pq-                               not 1st requester
DOPCRYPTCOM1.04 /su8 /pq-
ELITE 2.0       /su4 /pq-                               DX=DS SI=IP DI=SP
FDS-CP 0.4a     /su9 /pq-       (c) fds0ft
GUARDIAN AN1.0b /su8 /pq-
HACKSTOP 1.10   /su7            Hackstop 1.10
HACKSTOP 1.11c  /su7            Hackstop 1.11c
HACKSTOP 1.13   /su7            Hackstop 1.13
HACKSTOP 1.14s  /su7            Hackstop 1.14s
HACKSTOP 1.15s  /su6            Hackstop 1.15s
HACKSTOP 1.17ßs /su6            Hackstop 1.17ßs
HS386 1.17      /su7            Hackstop 1.17/386
ICE 1.00        /su8                                    SI=100
JMP-CP 0.5a     /su9 /pq-
KEVINFILEK1.15a /su9 /pq-
MASK 2.3        /su4 /pq-       MASK 2.3. Executable E  DX=DS SI=IP DI=SP not 1st requester
MESS 1.07       /su9            Stonehead's MESS v1.07
MESS 1.13       /su9 /pq-       Stonehead's MESS v1.13
MESS 1.14       /su9            Stonehead's MESS v1.14
NETRUN 3.1      /su4 /pq-       (c)1995.JIM.TUCKER
PCRYPT 3.50     /su3 /pq-       PCRYPT                  BX=CS not 1st requester
PKLITE 1.50     /su9 /pq-       PKLITE Copr.
PKLITE 2.04g    /su9 /pq-       PKLITE Copr. 1990-1995
PROTECT! 5.5    /su9 /pq-       Protect! EXE/COM v.5.5  SP=FFF8
PROTECT! 5.6    /su9 /pq-       Text from Marquis       SP=FFF8
PROTECT! 6.0    /su9 /pq-
PROTEXE 3.0     /su4 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
PROTEXE 3.10    /su9 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
PROTEXE 3.11    /su9 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
RCC 1.10 MILD   /su4            RCC■1.10m               not 1st requester
RCC 1.12 MILD   /su4            RCC■1.12m               not 1st requester
RCC 1.12 HARD   /su5            RCC■1.12h               not 1st requester
RCC 1.13 MILD   /su3            RCC■1.13m               not 1st requester
RCC 1.13 HARD   /su3            RCC■1.13h               not 1st requester
RCC-II 1.06     /su4            RCC-II■1.06
RCC386 0.51     /su4
RCRYPT 0.91     /su4 /pq-                               SI=IP DI=SP 2nd requester
ROSETINY 1.01   /su6 /pq-       ROSETINY (C)            DX=CS SI=IP
RSCC 1.01       /su3 /pq-       RSCC/1.01
SCRAM! 0.7c1    /su9 /pq-       SCRAM! v0.7c1 by bushw
SCRAM! 0.8a1    /su9 /pq- /jf-  SCRAM! v0.8a1 by bushw
SHRINK 1.0      /su7
XCOMOR 0.99h    /su7 /pq-       XcomOR
================----------------========================----------------

###############################################################################

OPTIONS FOR UNPACKING EXEs
<==========================>

■ General Options: /ru+ /8e+ /jf+ /cs+ (but those are standard)
■ You might turn off the COM-detection with /bp0- (faster)
■ Since everybody wants his packer to run on pentiums+ also, you can turn
  the PrefetchQueue-alert off with /pq- (still faster)

EXE-HEADER      OPTIONS         RECOGNITION-STRING      COMMENT
================----------------========================----------------
AINEXE 2.23     /su3 /pq-       AIN2
ALEC 1.5        /su9 /pq-       ALEC 1.5 (C) 1997! by Ra
ALEC 1.6.386.pro/su9 /pq-       ALEC 1.6.386.pro (C) 199
AVPACK 1.22     /su3 /pq-       AVPACK
AXE 2.0         /su5 /pq- /cm-  SEA-AXE 2.0
BITLOK 3.1      /su9 /pq- /cr10 -----Yellow Rose------Ye
CC 2.61b        /su4 /pq-
COMPREXE 1.0    /su9
CRACKSTOP 1.0b  /su8 /pq-       Crackstop 1.0b - (c)    ES screwed up
CRACKSTOP 1.01  /su9            Crackstop v1.01 - (c)
CRACKSTOP 1.02  /su9            Crackstop v1.02 - (c)
CRUNCH 1.0      /su4            CRUNCH
CRYPT 2.0       /su3                                    AX=BP=CS
DOP CRYPT 1.04  /su9            DoP                     not 1st requester
ELITE 2.0       /su9 /pq-       ELITE v. 2.00S
EXECODE 1.0     /su9 /pq-       ExeCode v1.0 Copyright
EXEGUARD 1.3    /su4 /pq-       EXEGUARD Ver 1.3 (c) 1  AX=SS BX=CS
EXEHIGH 1.01    /su3 /pq-                               AX=SS CX=DS SI=CS
EXELOCK666 1.03 /su4
EXEPACK 4.06    /su4 /pq-       !Packed file is corrup  AX=DS SI=SS DI=SP
GUA. ANGEL 1.0b /su8 /pq-
HACKSTOP 1.10   /su7            Hackstop 1.10
HACKSTOP 1.11c  /su6            Hackstop 1.11c
HACKSTOP 1.13   /su9            Hackstop 1.13
HACKSTOP 1.14s  /su9            Hackstop 1.14s
HACKSTOP 1.15s  /su9            Hackstop 1.15s
HACKSTOP 1.17ßs /su9            Hackstop 1.17ßs
HS386 1.17      /su9 /cm-       Hackstop 1.17/386
JMCE 0.7j       /su9 /pq-                               not 1st requester
LSCRYPT 1.21    /su9            Crypt by LIGHT SHOW
LSTOP 1.0       /su6 /pq-       LamerStop v1.0
LZEXE 91        /su4 /pq-       LZ91
MEGALITE 1.20a  /su3 /pq-       Not enought memory$     BX=BP=DS DX=SP not 1st requester
MESS 1.13b      /su6 /pq-       Stonehead's MESS v 1.13 DX=DS DI=SP
MUTAWWP 1.0     /su2            WWP                     BX=BP=CS DX=SS 3rd requester
PACK 2.01       /su6 /pq-
PCRYPT 3.50     /su4 /pq- /cm-  PCRYPT 3.50 by MERLiN   DI=SP not 1st requester
PKLITE 1.50     /su9 /pq-       PKLITE Copr.
PKLITE 2.04g    /su9 /pq-       PKlite(R) Copr. 1990-19
PKTINY 1.62     /su5 /pq-       PKLITE Copr.            DX=DS DI=SP
PROTECT! 5.5    /su9 /pq-       Protect! EXE/COM v.5.5
PROTECT! 5.6    /su9 /pq-       Text from Marquis
PROTECT! 6.0    /su9 /pq-
PROTEXE 3.0     /su4 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
PROTEXE 3.10    /su9 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
PROTEXE 3.11    /su9 /pq-       run with option: ~~~ProtEXE-RegInfo~~~
REC 0.32        /su7 /pq-                               DX=CS
RELOCATION PACK /su3 /pq-                               BX=CS DX=DS
ROSERELPACK 0.02/su2 /pq-                               BX=CS DX=DS
ROSETINY 1.01   /su5 /pq-       ROSETINY (C)            DX=DS DI=SP
RJCRUSH 1.10    /su9            RJS1
SECURE 0.27     /su9 /pq-       Patch it!
SECURE 0.28     /su9 /pq-       Patch it!
SECURE 0.29     /su9 /pq-       Patch it!
SUCKSTOP 1.08r  /su4 /pq-       Suckstop v1.08r (c) 19
SUCKSTOP 1.11r  /su4 /pq-       Suckstop v1.11r (c) 19
TINYPROG 3.9    /su6 /pq-       TINYPROG says, "Bad pr
VSD 2.00        /su4            Virus Self-Destructor   ANTI-VIRUS-ENVELOPE
WWP 3.04        /su4            WWP                     DS=FFFF
WWP 3.05        /su5            WWP
WWP 3.05b5      /su3 /pq-       WWP                     BX=CS DX=SS BP=CS
================----------------========================----------------