Quick Unpack 全集

Quick Unpack v1.0 Readme ======================== Description ----------- The program is intended for fast (in 2 seconds) unpacking simple packers (UPX, ASPack, PE Diminisher, PECompact, PE-PACK, PackMan, WinUPack and many others). Quick Unpack tries to bypass all possible scramblers/obfuscators. From the version 1.0 the opportunity of unpacking dll is added. This opportunity makes Quick Unpack unique software product which has no similar analogues in the world! Technology of import recovery ----------------------------- I recommend to look through the list of import rather attentively.. There can be fake functions in it!! So the unpacked program can be unable to work because of them.. The import recovery with syd's method works so: after loading the program, the dlls which it loads are hooked. The export is scanned from them. Then the program will be dumped and the addresses which coincide with the address from that dlls will be searched for. If coincides, this address will be called Record RVA and will be included in a cycle of creation the table of import further. If addresses casually concides with the addresses from hooked dlls, they will be added in the list of import too but if you are rather experienced in unpacking to find them, they can be removed (for this purpose numbers of the sections and their names are showed). More often import lays in one section so be very attentive please. There are some records in the file replace.ini according to which you should replace some functions in the import list. The matter is that e.g if you call GetProcAddress(GetModuleHandle("kernel32"), "HeapFree"), your system will return the address in ntdll.dll and it will be the address of api-function RtlFreeHeap. I have added in this list the api I met earlier. If you will notice some records from ntdll.dll in the list of import, try to find the replacement for them in your system. If it will be impossible, simply try to remove them. In the Quick Unpack there is the opportunity of marking possible invalid records is added, for their removing please press the button "Delete invalid". The license and rights ---------------------- The list of sources used in coding Quick Unpack 1.0. GenOEP.dll by Snaker ImpREC.dll by MackT stripper asprotect unpacker by syd History of the versions ----------------------- v1.0 beta7 [+] Improved interface [+] Fixed small bugs v1.0 beta6 [!] Internal build v1.0 beta5 [+] Support of unpacking UPX 2.0 [+] New signature list [+] New ingine from stripper 2.13 b9 v1.0 beta4 internal [!] bugfixes v1.0 [+] the opportunity of unpacking dlls [+] the Opportunity of using plug-ins and own OEP finders is added. v0.7 [!] Based on updated stripper 2.11 rc3 engine => new features [+] Force mode added v0.6 [!] Final build v0.5 [+] Quick Unpack now uses new engines and works through external tracer engine.sys. No debug API is used. [+] Dump and PE header is very clean after unpacking [+] Cool OEP finder for packers v0.43. [+] The opportunites of ImpREC.dll were added. It will be useful, I think. [+] Protection from IsDebuggerPresent was added (a tick " Hide unpacker ") [!] This version is last, I think, as the opportunities of Debug API are fully used. v0.41. [!] Fixed the bug with the unpacked programs compatiblity on the different OS (the bug with RestoreLastError) v0.4 final. Final bild. All the mistakes were fixed. v0.3. [+] The engine working with the dump is �ompletely re-coded. Now the engine from PE Tools by NEOx [uinC] is used. [+] The system of "clever" dump rebuilding and optimizing its size is supported. The engine of the dump rebuilding from PE Tools by NEOx [uinC] was used. [!] Picture of Quick Unpack was removed :) [+] Packers with damaged headers (e.g. FSG) are supported. [+] The bugs in the operations with PE files were fixed. v0.2. The first version. All as is. Greetz and thanks ----------------- Thanks to: AHTeam, TSRh, KpTeam, REVENGE, CRACKLAB, ICU members, CoaxCable^CPH, Wild-Wolf and all CPH members on #cph, LaFarge [ICU] for nice music, syd, Aster!x, MozgC [TSRh], Sten, PolishOX, NEOx [uinC], WELL, GPcH, newborn, Funbit, sl0n, Ms-Rem, Bad_guy...