---------------------------------------------------------------------------
UNPROT/EXE - Unprotector for EXE files....
---------------------------------------------------------------------------

Notes about some protectors:

Protect 4.0/5.0/5.1
~~~~~~~~~~~~~~~~~~~
This protector is so lame that I can unpack COM files with a batch file
using DEBUG.EXE. For this reason no COM support is added. See also notes
about 5.5/5.6.

Unprot is the only unpacker I know which is able to handle Protect
4.0/Registered protection. Even UNP, X-Tract, XOpen etc. fail on 4.0/Reg!

Protect 5.5/5.6
~~~~~~~~~~~~~~~
5.6 is a modified 5.5 version (done by UCF). Due to the fact that there are
enough 5.6 unpackers floating around I haven't wasted my time adding 5.5/5.6
support yet. Use X55, Tron or X-Tract 1.51a instead.

Unprot can detect 5.5/5.6 protection as well - using the 5.0 unencryptor
engine - resulting in a memory dump of the protector - one level unencrypted
(MEM!DUMP.COM). Interesting under a debugger. ;-)

Currently I'm testing ROSE COM UNPACKER which can unpack ALL current
Protect/COM versions from 1.00 up to 5.6 - Wait4it!

BTW: All versions from 1.00 'til 2.00 are so lame that EVERY tracer can
unpack them!

Protect 6.0
~~~~~~~~~~~
Released about August 1996. Nothing of great interest. Now protected files
can have a so-called AV envelope which is easy to detect. If no AV envelope
is present unPROT detects generic Protect, saying it could be 5.5/5.6 or
6.0/unAV.

COM files still suck and can be unpacked with CUNP and every intelligent
tracer like iup, tron, cup etc.

SuckStop
~~~~~~~~
An impressive and short protector from KA0T. There are more than seven
versions available: Most of them have the ASCII remark "SuckStop 1.00 by
DOSE" ...

Unprot can detect and patch in this version only the first versions
(499/618/???). The third version is a little bit polymorphic encrypted. If I
have the time I'll code an unpacker too. :-)

My virus scanner finds the first two polymorphic versions, saying the file
is infected by a BWME/RME virus! This has been fixed in later versions!

Meantime CUP 386/3.0b with the option /7 can unpack SuckStop version 1-4.
Due to this fact Ka0t has released a new version with 386 anti-debugger
code. Unfortunately I haven't got my hands on it!

Meanwhile I got it! Superb!

Due to the fact SuckStop disables the keyboard and the inline code for
enabling the keyboard under TP doesn't work, it's recommended to use the
supplied batch file UNSSTOP.BAT which automatically calls KEYB_ON.COM.

The protector is only unencrypted and the antidebugging code overNOPed. So
afterwards you can unpack the file with a generic (tracing) unpacker. This
is done 'cause I'm a lazy bone!

Here I have discovered an interesting bug in almost all generic unpackers:
None of them is able to unpack the patched file except TRON!

Why: SuckStop doesn't use a jmp far xxxx:yyyy to return control back to the
host. Instead push seg, push offset, retf instructions are used. It seems
that unp t (4.12ß), tsup (1.6), uup (1.4), cup (1.2 + 386/3.2) are waiting
to reach the jmp far instruction, thus running the program or stopping with
the first interrupt call... so you must use tron...

Of SuckStop I meanwhile have about 10 different versions; the latest are
CUP 3.2 aware!

Closing
~~~~~~~
If you have another generic unpacker other than mentioned above I would be
glad to receive a copy!

Additionally I have XOpen, AutoHack 4.1 & II/1.0b, Intruder 1.30 and
SnapShot 3.0 which are not recommended to unpack the SuckStop protector.

.....and a lot more, like Tron 1.3x, Foto, UPC 1.06 etc....

Credits
~~~~~~~
Dutch, Ralf L., Ka0t, Random, Hann0, Retro, Ghostbuster ...

Enough written for this version.

Greetx to all who use the account
Martin Beutlin :-)
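
The SuckStop note above explains that tracing unpackers which wait for a jmp far miss a return to the host made with push seg, push offset, retf. The following C routine is an added example, not code from Unprot or from any unpacker named here: an end-of-stub check that resolves the far target for both idioms. The byte sequences and the host entry 1234:0100 are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Where control goes on the first far transfer found by the trace. */
typedef struct { int found; uint16_t seg, off; } far_target;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed stub tails; the host entry 1234:0100 is a made-up value. */
static const uint8_t tail_jmp_far[] = { 0xEA, 0x00, 0x01, 0x34, 0x12 };
static const uint8_t tail_push_retf[] = {
    0xB8, 0x34, 0x12, 0x50,     /* mov ax,1234h ; push ax  (segment) */
    0xB8, 0x00, 0x01, 0x50,     /* mov ax,0100h ; push ax  (offset)  */
    0xCB };                     /* retf */
static const uint8_t tail_int21[] = { 0xB4, 0x4C, 0xCD, 0x21 }; /* mov ah,4Ch ; int 21h */

/* Trace 16-bit real-mode code, decoding only what the two idioms need:
 * B8+r iw mov r16,imm16 | 50+r push r16 | 68 iw push imm16 (186+) |
 * EA iw iw jmp far | CB retf. SP is not modelled; other opcodes end the trace. */
far_target trace_far_transfer(const uint8_t *code, size_t len)
{
    uint16_t reg[8] = {0}, stack[16];
    size_t ip = 0, sp = 0;
    while (ip < len) {
        uint8_t op = code[ip];
        size_t left = len - ip;
        if (op >= 0xB8 && op <= 0xBF && left >= 3) {
            reg[op - 0xB8] = le16(code + ip + 1); ip += 3;
        } else if (op >= 0x50 && op <= 0x57 && sp < 16) {
            stack[sp++] = reg[op - 0x50]; ip += 1;
        } else if (op == 0x68 && left >= 3 && sp < 16) {
            stack[sp++] = le16(code + ip + 1); ip += 3;
        } else if (op == 0xEA && left >= 5) {   /* operand: offset, then segment */
            return (far_target){1, le16(code + ip + 3), le16(code + ip + 1)};
        } else if (op == 0xCB && sp >= 2) {     /* retf pops IP first, then CS */
            return (far_target){1, stack[sp - 2], stack[sp - 1]};
        } else break;
    }
    return (far_target){0, 0, 0};
}

int main(void)
{
    far_target a = trace_far_transfer(tail_jmp_far, sizeof tail_jmp_far);
    far_target b = trace_far_transfer(tail_push_retf, sizeof tail_push_retf);
    far_target c = trace_far_transfer(tail_int21, sizeof tail_int21);
    printf("%04X:%04X %04X:%04X found=%d\n", a.seg, a.off, b.seg, b.off, c.found);
}
```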