How to unpack CRACKSTOP 1.03BETA MainProg with GTR 1.B0 latest beta
===================================================================

(This is meant to be a little tutorial on how to use GTR. If you are
interested in another crypter to be unpacked, mail to hendrix_@gmx.net)

Hit these keys:     What they are for:
------------------------------------------------ - - - -

I) Load GTR, set it up and load a program:

GTR /go             Load GTR. It is resident now and watches everything.
[ScrollLock]        GTR pops up ANY TIME when you press [ScrollLock].
                    Have a look at the info-window! (F-key definitions)
[F1]                Have the F-key defs displayed again
[O]                 Go to the [O]ptions-menu
[+]                 Change the "sensitivity" when trying to detect an
                    unpacked program. Change it to [su0007]
[J]                 Toggle the JmpFAR-detection (turn it on)
[X]                 e[X]it the options-menu
[C]                 [C]ontinue (go back to DOS)
PL CS.EXE           ProgramLoad means load the program and begin tracing
                    it. GTR will execute the program step by step
Unpacked?           Have a look at the hex-dump. It looks wild, so let's
[C]                 Continue...
Unpacked?           The dump still looks messy, but: it looks kind of
                    structured

II) Let CS "uncrypt" itself

[O]                 Go to the options-menu and set up for tracing:
[T] [D]             Turn on Tracer and Disass (Run is auto-disabled)
[X] [C]             Exit options and continue tracing
[Ctrl]              Hold it down and you will see the structured wild
                    chars turn into CS's mainscreen!
[ESC]/[ScrollLock]  Interrupt tracing and set a breakpoint:
[B] [A] 3F81        Turn on Breakpoint and set the Address to 3F81
                    (right after the LOOP-instruction)
[J] [-]             We don't need the Jmpf-detection anymore, so let's
                    turn it off, and we set the SU-value to su0000,
                    because we want GTR to break there every time
[T] [D] [R]         Turn off the Tracer and the Disass, turn on the
                    Run-option, because we don't want output during
                    decryption
[X] [C]             Exit options and Continue

III) Save an unpacked program

[S]                 [S]ave mem: the memory-dumper is activated. It runs
                    in DOS-mode, meaning we have to go back to DOS..
[C]                 Continue and let the dumper do its work
Helper quit         The dumper has finished. We are back at the old
Unpacked?           program (CS.EXE which was dumped as a COM:)
[<--] or [C]        Quit GTR or continue to run Crackstop... do what
                    you like

Now you can analyze the dumped memory OUT.COM.

I know these texts are always the same, but, hey, I have to offer you
something besides a bugfix, don't I?
Is CS completely unpacked? I don't know, and I don't have time to analyze
it, maybe you?

Greetings, Hendrix^UCF