How to unpack PCRYPT 3.51 MainProg with GTR 1.B0 latest beta
============================================================

(This is meant to be a little tutorial on how to use GTR. If you are
interested in another crypter to be unpacked, mail to hendrix_@gmx.net)

Hit these keys:       What they are for:
------------------------------------------------

I) Load GTR, set it up and load a program:

GTR /go               Load GTR. It is resident now and watches everything.

[ESC]                 GTR pops up ANY TIME when you press ESCape.
                      Have a look at the info-window!

[O]                   Go to the [O]ptions menu.

[-]                   Change the "sensitivity" GTR uses when trying to
                      detect an unpacked program. Change it to [su0004].

[B]                   Toggle the [B]reakpoint (turn it on). The default
                      setting is CS:0100. PCRYPT-main is a COM file, and a
                      COM image is loaded right after the 256-byte PSP and
                      starts executing at offset 0100h, so we have to break
                      at CS:0100.

[X]                   e[X]it the options menu.

[C]                   [C]ontinue (go back to DOS).

PL PCRYPT.COM         ProgramLoad: load the program and begin tracing it.
                      GTR executes the program step by step.

Unpacked?             Have a look at the memory dump. It doesn't look
[C]                   unpacked, so let's continue...

Unpacked?             The dump still looks weird...
[C]                   Continue!!

Unpacked?             The dump still looks weird...
[C]                   Continue!!

Unpacked?             Hmm, looks better now: clear text is readable in the
                      dump. Let's save that sucker...

II) Save an unpacked program

[S]                   [S]ave mem: the memory dumper is activated. It runs
                      in DOS mode, meaning we have to go back to DOS.

[C]                   Continue and let the dumper do its work.

Helper quit           The dumper has finished. We are back at the old
Unpacked?             program. You will find the dump as OUT.COM on your
                      disk.

[<--]                 Exit GTR.

III) Analyze the OUT.COM mem-dump

Load it with any viewer, hex or text. You will see that at the end of the
file there is the PCRYPT signature, and some bytes further up it appears
again. Those were the layers we unpacked (one per "Unpacked?" prompt above).
You can cut off those bytes at the end.

The packed and the unpacked main run sometimes, sometimes not. I think it
had something to do with int 1 or 3 not always pointing to an IRET.
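Section III has you eyeball OUT.COM in a hex viewer for the signature at the end, its earlier copies (one per unpacked layer) and the clear text, then cut the tail off. The Python script below is an added example, not part of this tutorial and not GTR's code, that does the same scan on a dump file. Everything in it is assumed for illustration: the marker b"PCRYPT" stands in for whatever signature bytes you actually see in the viewer, the SAMPLE_DUMP bytes are a constructed stand-in for OUT.COM, and the function names are my own. The only fact it relies on is that a COM image loads at CS:0100 after the PSP, so file offset x corresponds to CS:0100+x.

```python
"""Scan a GTR memory dump (OUT.COM) for packer-signature layers and trim them.

Added example for section III; it is not part of this tutorial or of GTR.
The dump bytes and the marker b"PCRYPT" are constructed stand-ins: replace
them with your own OUT.COM and the byte pattern you saw in the viewer.
"""
import sys

COM_LOAD_OFFSET = 0x100  # a .COM image loads at CS:0100, right after the 256-byte PSP

SIGNATURE = b"PCRYPT"    # assumed marker, not the real PCRYPT signature bytes

# Constructed stand-in for OUT.COM: the unpacked program, then the tails of the
# two crypter layers that GTR stepped through (each one ends in the signature).
CODE = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3"   # mov ah,9 / mov dx,0108h / int 21h / ret
TEXT = b"Hello from the unpacked program$"   # the "clear text" you look for in the dump
LAYER_TAIL = b"\xeb\x06" + b"\x00" * 6 + SIGNATURE + b" 3.51"
SAMPLE_DUMP = CODE + TEXT + LAYER_TAIL + LAYER_TAIL


def find_layers(dump: bytes, signature: bytes = SIGNATURE) -> list:
    """Every occurrence of the signature as (file offset, CS:address)."""
    hits, start = [], 0
    while (pos := dump.find(signature, start)) >= 0:
        hits.append((pos, COM_LOAD_OFFSET + pos))
        start = pos + 1
    return hits


def clear_text_strings(dump: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII as (offset, text); readable runs mean the dump is unpacked."""
    found, run, run_start = [], bytearray(), 0
    for i, b in enumerate(dump + b"\x00"):       # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            if not run:
                run_start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append((run_start, run.decode("ascii")))
            run = bytearray()
    return found


def cut_off_layers(dump: bytes, cut_offset=None, signature: bytes = SIGNATURE):
    """Drop the packer tail and return (trimmed, cut_offset).

    The default cut is the first signature hit, which is only an upper bound:
    the layer's own stub bytes sit just in front of its signature, so read the
    dump and pass the real boundary as cut_offset once you know it."""
    if cut_offset is None:
        hits = find_layers(dump, signature)
        cut_offset = hits[0][0] if hits else len(dump)
    return dump[:cut_offset], cut_offset


def report(dump: bytes) -> str:
    """Human-readable summary with file offsets mapped to CS: addresses."""
    last = COM_LOAD_OFFSET + len(dump) - 1
    lines = [f"{len(dump)} bytes, CS:{COM_LOAD_OFFSET:04X}-CS:{last:04X}"]
    for off, addr in find_layers(dump):
        lines.append(f"signature at file offset {off:04X}h (CS:{addr:04X})")
    for off, text in clear_text_strings(dump):
        lines.append(f"text at CS:{COM_LOAD_OFFSET + off:04X}: {text!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(report(dump))
    trimmed, cut = cut_off_layers(dump)
    print(f"cut at {cut:04X}h -> {len(trimmed)} bytes kept")
```

Run it as `python scan.py OUT.COM` on a real dump after replacing SIGNATURE with the bytes from your viewer; with no argument it runs on the constructed sample. The trimmed bytes are what you would write back out as the unpacked COM file.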
Maybe somebody would like to analyze the proggy again... I include
fixints.com with source, so those packers will run. Just put it into your
AUTOEXEC.BAT and run it after you have used TASM and TLINK, because they
mess up those vectors, too...

Hope you liked it,

Hendrix / UCF
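The diagnosis above is that INT 1 (single-step) and INT 3 (breakpoint) sometimes do not point at an IRET after a debugger session or a TASM/TLINK run. The fixints.com source is not included on this page, so the Python below is an added example of my own, not fixints.com, that performs that check on a raw dump of real-mode low memory and shows what repointing both vectors at an IRET looks like. It relies only on documented layout facts: the interrupt vector table occupies linear 0000h-03FFh, four bytes per vector (offset word then segment word, little-endian), a real-mode linear address is segment*16+offset, and IRET is opcode CFh. The memory image and the addresses 0060:0010 / 0060:0020 are constructed; the function names are assumptions. On a real DOS system the repointing would be done through the DOS set-interrupt-vector call (INT 21h, AH=25h); whether fixints.com does exactly that is not shown here.

```python
"""Check whether INT 1 and INT 3 point at an IRET in a real-mode memory image.

Added example; it is not fixints.com and not part of the original tutorial.
`mem` is a bytes object holding low memory starting at linear address 0, so
the interrupt vector table is the first 1024 bytes. The sample image is
constructed for illustration.
"""
IRET_OPCODE = 0xCF
IVT_ENTRY = 4          # offset word followed by segment word, little-endian
DEBUG_VECTORS = (1, 3)  # single-step and breakpoint


def read_vector(mem: bytes, n: int) -> tuple:
    """Return (segment, offset) stored in IVT slot n."""
    base = n * IVT_ENTRY
    off = int.from_bytes(mem[base:base + 2], "little")
    seg = int.from_bytes(mem[base + 2:base + 4], "little")
    return seg, off


def write_vector(mem: bytearray, n: int, seg: int, off: int) -> None:
    """Store seg:off into IVT slot n (same layout the CPU reads)."""
    base = n * IVT_ENTRY
    mem[base:base + 2] = off.to_bytes(2, "little")
    mem[base + 2:base + 4] = seg.to_bytes(2, "little")


def linear(seg: int, off: int) -> int:
    """Real-mode 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def points_to_iret(mem: bytes, n: int) -> bool:
    """True if the first instruction of handler n is IRET."""
    addr = linear(*read_vector(mem, n))
    return addr < len(mem) and mem[addr] == IRET_OPCODE


def check_debug_vectors(mem: bytes) -> dict:
    """{1: bool, 3: bool}; a False entry is a vector a packer's trace trick will trip over."""
    return {n: points_to_iret(mem, n) for n in DEBUG_VECTORS}


def fix_debug_vectors(mem: bytes, iret_seg: int, iret_off: int) -> bytes:
    """Return a copy of the image with INT 1 and INT 3 both pointing at the given IRET."""
    fixed = bytearray(mem)
    for n in DEBUG_VECTORS:
        write_vector(fixed, n, iret_seg, iret_off)
    return bytes(fixed)


def build_sample_low_memory() -> bytes:
    """Constructed 2 KB image: INT 1 is fine, INT 3 still points into a leftover stub."""
    mem = bytearray(0x800)
    mem[linear(0x0060, 0x0010)] = IRET_OPCODE   # a harmless IRET handler
    mem[linear(0x0060, 0x0020)] = 0x9C          # PUSHF: start of a leftover debugger stub
    write_vector(mem, 1, 0x0060, 0x0010)
    write_vector(mem, 3, 0x0060, 0x0020)
    return bytes(mem)


SAMPLE_LOW_MEMORY = build_sample_low_memory()


if __name__ == "__main__":
    print("before:", check_debug_vectors(SAMPLE_LOW_MEMORY))
    fixed = fix_debug_vectors(SAMPLE_LOW_MEMORY, 0x0060, 0x0010)
    print("after: ", check_debug_vectors(fixed))
```

A False result for either vector is the situation the tutorial blames for the unpacked program running "sometimes, sometimes not": a packer that deliberately triggers INT 1 or INT 3 expects to land on a plain IRET, and anything else left there by a debugger or toolchain changes its behaviour.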