---------------------------------------------------------------------------
unROSE/386 (80386+, DOS 5.0+)
---------------------------------------------------------------------------
$Header: /home/CVS/asm/unROSE/unrose.txt,v 1.15 2005/02/01 23:08:24 ralproth Exp $

An unpacker for some COM and EXE DOS packers/protectors that are not
supported by common unpackers like TRON 1.30, XOP, UNP 4.12 or X-Tract 1.51a.

unROSE doesn't use hardware breakpoints, virtual mode etc., therefore unROSE
runs on Win95-Win2000, WinME, WinNT, WinXP etc. without problems.

Run unROSE to see a list of currently supported packers. Also take a look at
detpack.inc: there you will see additional supported cryptors and packers
that are not listed in unROSE's help screen.

Based on code from IUP 0.6.7
Documentation enhanced by Stephan
---------------------------------------------------------------------------

APack
-----
Tested on a bunch of 0.7x, 0.8x and 0.9x packed COM and EXE files. Should
work fine if the entry point is detected, because APack files don't use
anti-debugging tricks. Also able to unpack modified APack versions.

Note on CryptLS
---------------
When unpacking, you'll see a lot of tracing information that is needed for
unpacking. If I omit this information then the unpacker will hang
(strange...). Tested with 1.15 (works well), 1.20 (seems to be buggy) and
1.21 (works well). A separate unCryptLS is included in the rUPP.

WWPack + WWPMutator
-------------------
WWPMutator is a program that can be used to fool WWPack unpackers by
inserting its own startup code for WWPack. unROSE detects and unpacks the
WWPMutator startup code.
Currently these versions exist:
- 1.00  adds "standard" startup code to WWPacked files
- 1.10  uses an encrypted startup code using a poly engine
- 1.10b bug-fixed 1.10 with changed mutation engine

Due to the fact that I am the author of different antivirus programs, I have
developed a correlation scanner that I use to add detection of highly
polymorphic viruses to VirScan Plus. This scanner managed to pick up (in 10
sec.) a constant search string for WWP-Mutator 1.10, so for unROSE it's an
easy job to detect this kind of "poly engine".

To remove WWPack completely you must run unROSE twice: the first run will
remove the compression, the second run will remove the compressed relocation
(PR). WWPack PU/Hard 3.04a and 3.05ß5 can not be expanded. PU/Soft can be
removed easily. For this reason WWPMuta with WWPack 3.05ß5 can not be removed
(currently :).

ProtEXE 2.11
------------
Unpacks both versions: Shareware and Registered. The file size calculation
is a little bit buggy, but who cares about it?

Protect!
--------
Currently unROSE can detect the versions 5.0, 5.5, 5.6 and 6.0. Unpackable
are only versions 5.5 and 5.6 :)

ComprEXE
--------
COM & EXE packer found in the ProtEXE 3.11 package. I have added it to
unROSE because there is currently no unpacker (besides generic unpackers)
available.

UCEXE
-----
Was long unpacked as AVPack. Tested versions: 2.3, 2.4 and 2.unknown. The
latest UCEXE package in Ultra Compressor II v237 is said to be very buggy in
unpacking.

UnPackStop
----------
Uses various anti-debug tricks (INT x, DRx and many others), full EXE and COM
encryption, random encryption keys, multiple-layer encryption, a polymorphic
layer, checksums and a generic dump prevention. Not as unknown as wanted and
hard to decrypt. Coded by Szaszi in 1997.

Vacuum Runtime Compressor
-------------------------
Done in 1999 and buggy. Said not to run on Pentium systems.

XoReR
-----
Written in 1998 by Dr. No, XoReR started its work as a file encryptor for
MS-DOS executables.
By using advanced techniques it is very strong in encryption, meaning that
dumping is impossible and even generic tracing fails. It fools UNP, UPC,
CUP386, TRON and currently also unROSE. But unROSE can detect XoReR.

SDW386
------
Also known as Shadow Com Cryptor and still in development. Uses some
anti-debug/anti-dumping code, converts EXE files to COM and encrypts them.
Works only on MS-DOS COM files but is still immune against UNP, CUP386,
Autohack and COM dumpers based on the 100h check. unROSE now detects version
1.80 but supports no decryption by now.

TPack
-----
Done by Norman Rudolph from Oranienburg, Germany, it features LZ77
compression on small COM files and uses no encryption, but is very buggy.
Two kinds of decompression code: 69 bytes and 122 bytes. No unpacking so far.

CauseWay Compressor
-------------------
A few years old (1996 by Michael Devore) and very seldom seen. Nearly no
usage meanwhile. That's why there aren't many unpackers available.

CrackStop
---------
CS is an 8086+ based .EXE protector without relocation handling. The big
security hole CS has is of course that there are so few 386+ instructions
and so little anti-debugging code. Hardware breakpoints (DRx) are needed to
get rid of this crypter, written some time ago by ANAKiN.

ALIS & WUMPUScr
---------------
The AliS S0fT COM file encryptor and the Wumpus Soft Lab (?) COM file
encryptor were never released to the public in their original form. So
someone called MANtiC0RE rewrote these crypters in 2000 to make them more
stable and known. Harder to extract, and continued work of DarkStalker's Com
Protector pack. WUMPUScr: 18 bytes, please use unCOM instead.

LZEXE
-----
I added LZEXE 0.91 (1.00 is the same) as I stumbled upon ASM.EXE from
FreeDOS. ASM.EXE seems to be packed with a modified version of LZEXE.

---------------------------------------------------------------------------
Please note that unROSE is a tracer, thus sometimes tracing through the code
under the protector.
This will often result in the removal of the compressor below the protector;
just try it on the original PROTEXE.EXE file :)
---------------------------------------------------------------------------
(C)opyright 1987-2005 by (ALL RIGHTS RESERVED!)

[ASCII-art logo: ROSE SWE]

-------------------------------------=-----------------------------------
ROSE SWE                               See ROSEBBS.TXT for
Dipl.-Ing. Ralph Roth                  full address, FAX and PGP keys.
http://come.to/rose_swe
rose_swe@hotmail.com
All Rights Reserved!
-------------------------------------=-----------------------------------
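A triage check that complements the notes above on entry-point detection (APack) and the two-pass removal of compression and compressed relocations (WWPack): an added Python example, not part of unROSE or its detpack.inc, that reads the MZ header to report where the entry point lies in the file and which relocation table the header advertises, and treats files without the signature as COM images loaded at 100h. The sample bytes are constructed, not a real packed file.

```python
import struct

# Layout of the 28-byte MZ (DOS EXE) header: "MZ" signature followed by 13 little-endian words.
MZ_HEADER = struct.Struct("<2s13H")
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def mz_info(data: bytes) -> dict:
    """Locate the entry point and relocation table of a DOS executable.

    Anything without an MZ signature is treated as a COM image (loaded at CS:0100h).
    """
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        return {"format": "COM", "load_address": 0x100, "entry_file_offset": 0,
                "relocations": [], "entry_in_module": len(data) > 0}
    if len(data) < MZ_HEADER.size:
        raise ValueError("truncated MZ header")
    h = dict(zip(MZ_FIELDS, MZ_HEADER.unpack_from(data)))
    header_size = h["e_cparhdr"] * 16
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the last page (0 = full).
    image_size = h["e_cp"] * 512 - ((512 - h["e_cblp"]) if h["e_cblp"] else 0)
    load_module_size = image_size - header_size
    entry_in_module = h["e_cs"] * 16 + h["e_ip"]  # CS:IP relative to the start of the load module
    relocs, off = [], h["e_lfarlc"]
    for _ in range(h["e_crlc"]):
        if off + 4 > len(data):
            raise ValueError("relocation table runs past end of file")
        relocs.append(struct.unpack_from("<HH", data, off))  # (offset, segment) pairs
        off += 4
    return {
        "format": "EXE",
        "header_size": header_size,
        "load_module_size": load_module_size,
        "entry_file_offset": header_size + entry_in_module,
        "relocations": relocs,
        # an entry point outside the load module means the header and the file disagree
        "entry_in_module": 0 <= entry_in_module < load_module_size,
    }


# Constructed sample (not a real packed file): 28-byte header plus one relocation entry
# (32 bytes of header area), a 64-byte load module of NOPs, entry at CS:IP = 0001:0010.
SAMPLE_EXE = (MZ_HEADER.pack(b"MZ", 96, 1, 1, 2, 0, 0xFFFF, 0, 0, 0, 0x10, 0x1, 28, 0)
              + struct.pack("<HH", 0x0002, 0x0000) + b"\x90" * 64)

if __name__ == "__main__":
    info = mz_info(SAMPLE_EXE)
    print("entry at file offset", info["entry_file_offset"], "relocations:", info["relocations"])
```

Running it on a WWPacked file before and after each unROSE pass shows whether the header still advertises a relocation table and whether the entry point has moved back into the original code.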