
PEunLOCK PUBLiC v0.6 March 31, 2008

Posted by reversengineering in TOOLS, UNPACKERS.

+ support VB programs


+ suppress unidentified stolen code restoration

+ make all sections writable


+ support for victims whose apis are not redirected

+ fix exception for newer versions of PELock

PEunLOCK PUBLiC v0.1 by cyclotron

- Support unpacking PELock v1.06

- Based on ap0x’s unpack engine v1.4

- EXCLUSIVE support for FULLY protected victim under WinXP SP2

dl link:
dl it and rename to *.rar

Unpacker ExeCryptor 2.x.x. beta 2 October 30, 2007

Posted by reversengineering in TOOLS, UNPACKERS.



Armadillo Process Detach v1.3 October 7, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

     Armadillo Process Detach allows you to detach/decrypt child process
     from parent, in applications protected with Armadillo protection system.
     Latest version was coded 2 years ago and due to its functionality
     I decided to recode it again from scratch, this time with a nice
     GUI, CopyMem-II support and some protection detection features. Tested
     with several versions from Armadillo v3.78 to v5.00 and all worked
     perfectly, probably it's the most compatible tool out there, enjoy :)

     Version history:
     v1.0 [??/??/05]
     – Initial release.

     v1.1 [05/16/05]
     – Minor code improvements.

     v1.2 [07/03/07]
     – Recoded from scratch.
     – Improved GUI.
     – Protection detection.
     – Copymem-II support.
     – Copymem-II PE Header fix.

     v1.3 [07/20/07]
     – Debug-Blocker IAT resolve.
     – DLL support.


Another tool to fix nanomites October 7, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

“Hi. This is another tool to fix nanomites, I hope you like it. It’s from a friend of mine called Guan de Dio from CracksLatinoS! group.

Best Regards,



ACKiller 0.31 pre-release October 6, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

ACKiller = unpacker for Acprotect, Ultraprotect

ACKiller 0.31 pre-release

- Signatures added: 1.06, 1.20, 1.22c, 1.30, 1.3b,
- Deleted bug of processing CR in version 1.30
- Added ability to continue unpacking if bad CR found (protector’s bug!)
- Improved determination of ACProtect’ed files
- Determination of library by the flag in headers (not by extension)


Unpacker ExeCryptor 2.x.x. beta 1 October 6, 2007

Posted by reversengineering in TOOLS, UNPACKERS.


nice tool ;)



Quick Unpack v2.0 final October 6, 2007

Posted by reversengineering in TOOLS, UNPACKERS.


for starting :)

History of the versions
v2.0 final
[!] fixed many bugs like missed import functions
[!] fixed several driver bugs like the one which didn’t allow to pass some exceptions
[!] improved export feature now supports invalid functions
[!] many improvements (like 256×256 icon for Vista, thanks to Feuerrader :)) and optimizations (like better memory handling)
[!] now Force.dll doesn’t use GenOEP.dll, though some code was borrowed
[+] added so long-waited ability to use scripts. before using scripts it’s strongly recommended to read the manual (Scripts.eng.txt file). script examples may be taken from Scripts folder (*.lua files), scripting language LUA manual also can be found there (LUA Manual.html), which parser was embedded in the program. BTW I know that Step button doesn’t work like a charm but I wasn’t able to make it better
[+] passing parameters to the application added
[+] import list from imprec feature added (now Quick Unpack supports both export and import of import functions in imprec-compatible files this allows to edit some functions or add new ones. keep in mind this option works with normally created files but if you put some garbage or format this file in unusual manner this may cause crash :) I was too lazy to parse the file with care)
[+] attach process feature added (this option allows to choose any module in a process for unpacking and has some features. if in processes listbox a process name is a full path with name you can attach to this process. if it is only name of the file you don’t have enough rights to attach. you can’t specify the OEP, the instruction the program was stopped is treated as the OEP. to use attach process feature one should load the program in any debugger and manually get to the OEP, when attach to that process with Quick Unpack. keep in mind that for smart import recovery you don’t need the program to run, it can just be left in the debugger standing at the breakpoint. but to use smart import recovery with tracer you should put it in the infinite loop (EB FE) and run the program because the tracer uses current thread for tracing. if the program was put in the infinite loop don’t forget to restore these two bytes in the dump. when attached tracing import is unreliable and very slow, so it’s not recommended to use it). this feature allows to use Quick Unpack as a dumper and import recoverer (my attempt to replace PETools and ImpRec with one program :))
[+] imprec plugin support added (this feature allows to use imprec tracer plugins in Quick Unpack to restore import functions. keep in mind when using attach to process feature the program must be run for the tracer to work)
[+] added UsAr’s generic OEP finder. I modified it a bit
[+] added Human’s generic OEP finder. I modified it a bit
[+] added deroko’s generic OEP finder. I modified it a bit and took the GUI from Human’s generic OEP finder. it’s sometimes slow but rather powerful and be warned that this finder uses driver and the driver is unloadable till next reboot. uses deroko’s Dream of every reverser engine so incompatible with win2k3 and kaspersky. for more information about this engine
[-] no more old non-generic OEP finders


REZiriz v1.0 August 16, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

REZiriz is an unpacker for Eziriz .NET Reactor > v3.1.x.x

First of all it's *ONLY* an unpacker and not a deobfuscation tool.

Unpacker features:
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

thanx fly out to:
LibX // RETeam

The Xenocode Solution v2.0 August 7, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

The Xenocode Solution is an unpacker that works for all Xenocode products since
the release of Xenocode 2005.

First of all it's *ONLY* an unpacker and not a deobfuscation tool.

It can also unpack the Virtual Machine and x86 compilation options that came with
Xenocode PostBuild 2006.

Unpacker features:
[*] Unpack Xenocode 2005 output compression
[*] Unpack Xenocode PostBuild 2006 output compression
[*] Unpack Xenocode PostBuild 2006 Virtual Machine
[*] Unpack Xenocode PostBuild 2006 x86 Compilation
[*] Unpack Xenocode PostBuild <= v5.1.x 2007 output compression
[*] Unpack Xenocode PostBuild <= v5.1.x 2007 Virtual Machine
[*] Unpack Xenocode PostBuild = v5.2.x 2007 Virtual Machine
[*] Unpack Xenocode PostBuild >= v5.2.x 2007 x86 Compilation
[*] Unpack Xenocode Virtual Appliance Studio = v5.2.x packages

By LibX [RET]



VMUnpacker V1.2 August 6, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

This tool is based on virtual machine technology; it can unpack various known & unknown shells. It is suitable for unpacking shelled Trojan horses in virus analysis, and because all code is run inside the virtual machine, it poses no danger to your system.

This product is free software; you can download it, install it, copy it and distribute it noncommercially. If you want to sell, copy or distribute it commercially, you must first get the warranty and permission of DSWLAB (for example, if an anti-virus company wants to use it to analyse Trojan horses in batches, it must first get the mandate and permission of DSWLAB).

By testing, this version could support 57 kinds of shells (including 300 versions).
The detailed list:

upx 0.5x-3.00 All Version
aspack 1.x–2.x All Version
PEcompact 0.90–1.76 2.06–2.79 All Version
fsg v1.0 v1.1 v1.2 v1.3 v1.31 v1.33 v2.0 All Version
vgcrypt v0.75
nspack 1.4–4.1 All Version
expressor v1.0 v1.1 v1.2 v1.3 v1.4 v1.501
npack v1.5 v2.5 v3.0
dxpack v0.86 v1.0
!epack v1.0 !epack v1.4
bjfnt v1.2 v1.3
mew5 mew v1.0 v1.1
packman v1.0
PEDiminisher v0.1
pex v0.99
petite v1.2 v1.3 v1.4 v2.2 v2.3 All Version
winkript v1.0
pepack v0.99 v1.0
pcshrinker v0.71
wwpack32 1.0–1.2
upack 0.1–0.32 0.33–0.399
rlpack 1.11–1.14 1.15–1.18
exe32pack v1.42
kbys v0.22 v0.28
yoda’s protector v1.02 v1.025 v1.03.2
yoda’s crypt v1.1
yoda’s crypt v1.2 v1.3 v1.xModify
exestealth 2.72–2.76
hidepe v1.0 v1.1
jdpack v1.01 v2.1 v2.13
jdprotect 0.9b
PEncrypt v3.0 v3.1 v4.0
Stone’s PE Crypt v1.13
telock v0.42 v0.51 v0.60 v0.70 v0.71 v0.80 v0.85 v0.90 v0.92 v0.95 v0.96 v0.98 v0.99
hmimys_pack v1.0
lamecrypt v1.0
polyene v0.01
EP Protector v0.3
anti007 v2.5 v2.6
yzpack v1.1 v2.0
spack method1 spack method2
naked packer v1.0

upolyx v0.51
stealthPE v1.01 stealthPE v2.2
mslrh v0.31 v0.32
mslrh v0.2 == [G!X]‘s Protect
morphine v1.3 morphine v1.6 morphine v2.7
rlpack full edition

VM Unpack Engine SDK

The commercial VM Unpack Engine SDK will be provided solemnly (VM Unpack Engine SDK).

With the VM Unpack Engine SDK, the developer does not need to care about the unpacking process and method and only needs to pass the data to the VMUE SDK; VMUE will finish analyzing and unpacking automatically. VMUE supports sending the result of unpacking to a file and to memory at the same time, and returns the OEP directly after unpacking. It helps you unpack shells in your products and tools.

It rebuilds the PE file after unpacking, such as repairing the import table, overlay, etc., providing the essential conditions for the rebuilt EXE program to run.

VMUE SDK includes the following part mainly:

Relevant dynamic or static libraries
VMUE SDK technological white paper and the document about the interface of SDK
Codes of calling VMUE SDK
Shell’s signature library in binary
Other auxiliary routines and codes

You are welcome to use this software and send questions and feedback to support@dswlab.com

If you have any question in using, send us email and we will try to help; please post the unpacked program in mail; it is better that you post the packed tool of the program.
Email: support@dswlab.com.

Supercop Kill various kinds of Trojan horse completely, protect the security of system in an all-round way.
more free tools download http://www.dswlab.com
Specialized desktop and safe products of content http://www.unnoo.com



ArmaDetach. v1.3 August 1, 2007

Posted by reversengineering in TOOLS, UNPACKERS.

new version:)



