How to unpack SNOOPSTOP 1.15 MainProg with GTR 1.B0 latest beta
===============================================================

(This is meant to be a little tutorial on how to use GTR. If you are
interested in another crypter to be unpacked, mail to hendrix_@gmx.net)

Hit these keys:      What they are for:
------------------------------------------------

I) Load GTR, set it up and load a program:

FIXINTS              Load FIXINTS. This makes int 1 (single-step/trace) and
                     int 3 (breakpoint) point to plain IRETs. SNOOPSTOP calls
                     int 3 without redirecting it first, which is a classic
                     check for a resident debugger: if you have just used
                     TASM or TLINK or so and a debugger's int 3 handler is
                     still installed, you will crash... With IRET in both
                     vectors the call simply returns.

SNPSTOP              We have to run SNOOPSTOP once before we can unpack it.
                     I don't know why. It just works this way.

GTR /go              Load GTR. It is resident now and watches everything.

[ScrollLock]         GTR pops up ANY TIME when you press [ScrollLock].
                     Have a look at the info-window! (F-key definitions)

[F1]                 Have the F-key definitions displayed again.

[O]                  Go to the [O]ptions menu.

[-]                  Change the "sensitivity" used when trying to detect an
                     unpacked program. Change it to [su0005].

[B]                  Toggle the Breakpoint (turn it on).

[X]                  e[X]it the options menu.

[C]                  [C]ontinue (go back to DOS).

PL SNPSTOP.COM       ProgramLoad means: load the program and begin tracing
                     it. GTR executes the program step by step, so the screen
                     will go dark for some seconds (on a PII 233). Don't worry.

Unpacked?            Have a look at the hex-dump. Wow, this is really a nice
                     present for us: you can see the program was itself packed
                     with PKLITE. Do you know what that means? Yeah, we don't
                     have to worry about finding the correct filesize, because
                     PKLITE -x will rebuild the original program from the
                     dumped image. Let's dump this packed file...

II) Save an unpacked program

[S]                  [S]ave mem: the memory-dumper is activated. It runs in
                     DOS mode, meaning we have to go back to DOS..

[C]                  Continue and let the dumper do its work.

Helper quit          The dumper has finished. We are back at the old program
Unpacked?            (SNPSTOP.COM, which was just dumped as a COM file).

[<--] or [C]         Quit GTR, or continue to run SNOOPSTOP... do what you like.

III) Finish Move

Have a look at OUT.COM again (a TXT viewer will do).
You will see the PKLITE signature at the top of the file.
Well, then let's decompress it with PKLITE:

PKLITE -x out.com    -x means: decompress it

And voila: the program is unpacked.
To avoid being killed you should pack the program before you spread it!

Well, this text is a little different! Finally.

Greetings,
Hendrix^UCF
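The check from step III (does the dumped OUT.COM really carry the PKLITE signature near its start, and is it a plausible COM image at all, before we hand it to PKLITE -x) can be done without a text viewer. The script below is an added example, not part of the original tutorial and not GTR or PKLITE code; the sample images it contains are constructed, not taken from SNOOPSTOP, and the 0xFF00 size limit is an assumed sanity bound for a .COM file loaded at offset 0x100.

```python
# Added example: sanity-check a GTR memory dump (OUT.COM) for the PKLITE
# banner before running "PKLITE -x". Not part of the original tutorial;
# the sample images below are constructed, not real SNOOPSTOP bytes.
import sys
from typing import Optional

# PKLITE leaves its copyright banner in clear text inside the packed file,
# which is why a plain text viewer shows it at the top of OUT.COM.
PKLITE_MARKER = b"PKLITE Copr."

# A .COM image is loaded at offset 0x100 of a 64 KiB segment, so anything
# larger than 0xFF00 bytes cannot be a valid COM file (assumed sanity bound).
MAX_COM_SIZE = 0xFF00


def find_pklite_signature(data: bytes, window: int = 0x100) -> Optional[int]:
    """Return the offset of the PKLITE banner if it appears within the first
    `window` bytes of the image, else None."""
    idx = data.find(PKLITE_MARKER, 0, window)
    return idx if idx >= 0 else None


def classify_dump(data: bytes) -> str:
    """Describe what to do with a dumped image, based on the checks above."""
    if not data:
        return "empty"
    if len(data) > MAX_COM_SIZE:
        return "too big for a COM image"
    off = find_pklite_signature(data)
    if off is None:
        return "no PKLITE signature: check the dump or trace further"
    return f"PKLITE-packed: signature at offset {off:#x}, run PKLITE -x"


# Constructed sample of a packed image: a near jump over the banner, the
# banner itself, then filler standing in for the compressed body. Real
# PKLITE stubs differ in layout; only the banner's presence is relied on.
PACKED_SAMPLE = (
    b"\xe9\x3c\x00"                                           # JMP near
    + b"PKLITE Copr. 1990 PKWARE Inc. All Rights Reserved"    # the banner
    + b"\x00" * 0x200                                         # packed body
)

# Constructed sample of a tiny plain COM program (MOV AH,9 / MOV DX,... /
# INT 21h / RET followed by a '$'-terminated string); the DX address is
# illustrative only. It carries no PKLITE banner.
UNPACKED_SAMPLE = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3" + b"Hello$"


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
        print(f"{argv[1]}: {classify_dump(data)}")
    else:
        for name, blob in (("packed sample", PACKED_SAMPLE),
                           ("unpacked sample", UNPACKED_SAMPLE)):
            print(f"{name}: {classify_dump(blob)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python pkcheck.py OUT.COM`; with no argument it reports on the two constructed samples. The banner search is deliberately limited to the first 0x100 bytes: a PKLITE-packed program that merely prints the string "PKLITE" somewhere in its data would otherwise be misreported as packed.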