How to unpack HACKSTOP 1.18 BETA 69 MainProg with GTR 1.B0 latest beta
======================================================================

(This is meant to be a little tutorial on how to use GTR. If you are
interested in another crypter to be unpacked, mail to hendrix_@gmx.net)

Hit these keys:      What they are for:
------------------------------------------------

I) Load GTR, set it up and load a program:

GTR /go              Load GTR. It is resident now and watches everything.
[ESC]                GTR pops up ANY TIME when you press ESCape.
                     Have a look at the info-window! (F-key definitions)
[O]                  Go to the [O]ptions-menu
[-]                  Change the "sensitivity" when trying to detect an
                     unpacked program. Change it to [su0005]
[J]                  Toggle the JmpFAR-detection (turn it on)
[X]                  e[X]it the options-menu
[C]                  [C]ontinue (go back to DOS)
PL HS.EXE            ProgramLoad means load the program and begin tracing
                     it. GTR will execute the program step by step.
Unpacked?            Have a look at the hex-dump. Press F10/F11 until you
[F10]/[F11]          see the dump at offset 0400. Well, this doesn't look
                     unpacked, so let's continue.
[C]                  Continue unpacking
Unpacked?            The dump still looks messy..
[C]                  Continue unpacking
Unpacked?            The dump still looks messy...
[C]                  Continue unpacking
Unpacked?            The dump still looks messy....
[C]                  Continue unpacking
Unpacked?            The dump looks good... "UCF rules!" Yeah, sometimes
                     the good old Rose tells some true things

II) Save an unpacked program

[S]                  [S]ave mem: the memory-dumper is activated. It runs in
                     DOS-mode, meaning we have to go back to DOS..
[C]                  Continue and let the dumper do its work
Helper quit          The dumper has finished. We are back at the old
Unpacked?            program (HS.EXE which was dumped as a COM:)
                     Now note the PSP and the CS. Write down the difference
                     (CS=PSP+0707h) and the IP (IP=000Fh)! It will be
                     important in the next step...
                     You will find the dump as OUT.COM on your disk.
[<--] or [C]         Quit GTR or continue to run Hackstop... do what you like

III) Do silly things with OUT.COM

TD OUT.COM           Yeah, load the dump with the good old TurboDebugger!
                     Now change the CS to CS+0707h and change IP to 000Fh.
[F9]                 Let's run it and see... it works!

PS: It took 5 mins to unpack/write this stuff. Don't know if it is really
unpacked or not. But you have it unscrambled and now you can analyze it...

Greetings, Hendrix^UCF
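Step II has you write down CS = PSP + 0707h and IP = 000Fh, and step III sets them by hand in Turbo Debugger every time the dump is loaded. The Python script below is an added example (not part of Hendrix's text, and not code from GTR or TD) that shows the arithmetic DOS itself applies so that the entry point can be stored once in an MZ header instead: the PSP is 256 bytes (10h paragraphs), an EXE's load module is placed right after it at segment PSP+10h, and e_cs/e_ss in the header are relative to that load module, so a CS observed as PSP+0707h becomes e_cs = 06F7h. It assumes, hypothetically (the tutorial does not say), that OUT.COM holds the bytes from PSP:0100 onward, i.e. that it begins exactly at the load module; the sample dump it wraps is constructed inline.

```python
import struct

# DOS loader facts used below (see lead-in):
#  - the PSP is 256 bytes = 0x10 paragraphs; the load module follows it at PSP + 0x10
#  - header e_cs / e_ss are relative to the load module, not to the PSP
PSP_PARAGRAPHS = 0x10
HEADER_PARAGRAPHS = 2                   # 32-byte header, empty relocation table
HEADER_LEN = HEADER_PARAGRAPHS * 16
MZ_FORMAT = "<2s13H"                    # e_magic .. e_ovno, 28 bytes


def cs_relative_to_load_module(seg_minus_psp):
    """Turn a segment noted as 'PSP + n' (as in the tutorial) into the
    load-module-relative value the MZ header expects."""
    if seg_minus_psp < PSP_PARAGRAPHS:
        raise ValueError("segment lies inside the PSP, not in the load module")
    return seg_minus_psp - PSP_PARAGRAPHS


def build_mz(image, cs_minus_psp, ip, ss_minus_psp=None, sp=0xFFFE):
    """Wrap a raw memory image in an MZ header whose initial CS:IP is the
    entry point observed in the tracer.

    Assumption (hypothetical): `image` holds the bytes from PSP:0100 onward,
    so its first byte is the first byte of the load module."""
    e_cs = cs_relative_to_load_module(cs_minus_psp)
    e_ss = e_cs if ss_minus_psp is None else cs_relative_to_load_module(ss_minus_psp)
    if e_cs * 16 + ip >= len(image):
        raise ValueError("entry point lies beyond the end of the dumped image")
    total = HEADER_LEN + len(image)
    e_cblp = total % 512                # bytes used in the last 512-byte page
    e_cp = (total + 511) // 512         # number of 512-byte pages in the file
    header = struct.pack(
        MZ_FORMAT, b"MZ",
        e_cblp, e_cp,
        0,                              # e_crlc: a dump carries no relocations
        HEADER_PARAGRAPHS,
        0, 0xFFFF,                      # e_minalloc / e_maxalloc
        e_ss, sp,
        0,                              # e_csum: ignored by DOS
        ip, e_cs,
        HEADER_LEN,                     # e_lfarlc: offset of the (empty) reloc table
        0,                              # e_ovno
    ).ljust(HEADER_LEN, b"\0")
    return header + image


def parse_mz(data):
    """Read the loader-relevant fields back and locate the entry point in the file."""
    fields = struct.unpack_from(MZ_FORMAT, data, 0)
    if fields[0] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, e_crlc, e_cparhdr, _minalloc, _maxalloc,
     e_ss, e_sp, _csum, e_ip, e_cs, _lfarlc, _ovno) = fields[1:]
    header_len = e_cparhdr * 16
    total = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return {
        "header_len": header_len,
        "image_len": total - header_len,
        "cs": e_cs, "ip": e_ip, "ss": e_ss, "sp": e_sp,
        "relocations": e_crlc,
        # file offset of the first instruction DOS will execute
        "entry_file_offset": header_len + e_cs * 16 + e_ip,
        # what CS will read as at run time, expressed like the tutorial's note
        "cs_minus_psp": e_cs + PSP_PARAGRAPHS,
    }


def sample_dump():
    """Constructed stand-in for OUT.COM: a 0x7000-byte image whose entry
    point (PSP+0707h:000Fh, i.e. image offset 0x6F7F) just exits to DOS
    (mov ah,4Ch / int 21h). Not a real dump."""
    image = bytearray(0x7000)
    image[0x6F7F:0x6F7F + 4] = b"\xb4\x4c\xcd\x21"
    return bytes(image)


def rewrap_sample():
    """Apply the tutorial's values (CS=PSP+0707h, IP=000Fh) to the sample dump."""
    exe = build_mz(sample_dump(), 0x0707, 0x000F)
    return exe, parse_mz(exe)


if __name__ == "__main__":
    exe, info = rewrap_sample()
    print({k: hex(v) for k, v in info.items()})
```

The check worth keeping from this is the last two dictionary entries: `entry_file_offset` tells you which bytes in the file the loader will execute first, and `cs_minus_psp` should reproduce exactly the value you wrote down in step II; if it does not, the dump does not start where you assumed and the CS:IP you typed into TD points somewhere else.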