Tuesday, September 25, 2007

Quick Unpack v2.0 Final

At last I decided to release 2.0 final. Maybe there are still several bugs left, but that's what support is needed for. In plans for the future I want to change the engine for something astonishing (not sure if it will be public) and to make existing OEP-finders also work with DLLs. So stay tuned.

v2.0 final
[!] fixed many bugs like missed import functions
[!] fixed several driver bugs like the one which didn't allow to pass some exceptions
[!] improved export feature now supports invalid functions
[!] many improvements (like 256x256 icon for Vista, thanks to Feuerrader) and optimizations (like better memory handling)
[!] now Force.dll doesn't use GenOEP.dll, though some code was borrowed
[+] added the long-awaited ability to use scripts. before using scripts it's strongly recommended to read the manual (Scripts.eng.txt file). script examples may be taken from Scripts folder (*.lua files), the manual for the scripting language LUA, whose parser was embedded in the program, can also be found there (LUA Manual.html). BTW I know that Step button doesn't work like a charm but I wasn't able to make it better
[+] passing parameters to the application added
[+] import list from imprec feature added (now Quick Unpack supports both export and import of import functions in imprec-compatible files, this allows to edit some functions or add new ones. keep in mind this option works with normally created files but if you put some garbage or format this file in unusual manner this may cause crash, I was too lazy to parse the file with care)
[+] attach process feature added (this option allows to choose any module in a process for unpacking and has some features. if in processes listbox a process name is a full path with name you can attach to this process. if it is only name of the file you don't have enough rights to attach. you can't specify the OEP, the instruction the program was stopped at is treated as the OEP. to use attach process feature one should load the program in any debugger and manually get to the OEP, then attach to that process with Quick Unpack. keep in mind that for smart import recovery you don't need the program to run, it can just be left in the debugger standing at the breakpoint. but to use smart import recovery with tracer you should put it in the infinite loop (EB FE) and run the program because the tracer uses current thread for tracing. if the program was put in the infinite loop don't forget to restore these two bytes in the dump. when attached tracing import is unreliable and very slow, so it's not recommended to use it). this feature allows to use Quick Unpack as a dumper and import recoverer (my attempt to replace PETools and ImpRec with one program)
[+] imprec plugin support added (this feature allows to use imprec tracer plugins in Quick Unpack to restore import functions. keep in mind when using attach to process feature the program must be run for the tracer to work)
[+] added UsAr's generic OEP finder. I modified it a bit
[+] added Human's generic OEP finder. I modified it a bit
[+] added deroko's generic OEP finder. I modified it a bit and took the GUI from Human's generic OEP finder. it's sometimes slow but rather powerful and be warned that this finder uses driver and the driver is unloadable till next reboot. uses deroko's Dream of every reverser engine so incompatible with win2k3 and kaspersky. for more information about this engine visit http://deroko.phearless.org
[-] no more old non-generic OEP finders
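
A check for the attach-process caveat above (restore the EB FE bytes in the dump), as an added example that is not part of Quick Unpack or the original post. It assumes the dumper stored the OEP in the dump's AddressOfEntryPoint; `make_sample` builds a constructed minimal PE32 image, and all function names are hypothetical.

```python
import struct

LOOP = b"\xEB\xFE"  # x86 "jmp $", the two-byte infinite loop from the text

def _nt(pe: bytes) -> int:
    """Return the offset of the PE signature, validating MZ/PE magics."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return nt

def rva_to_offset(pe: bytes, rva: int):
    """Map an RVA to a file offset via the section table; None if unbacked."""
    nt = _nt(pe)
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    table = nt + 24 + opt_size
    for i in range(nsect):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return rptr + delta if delta < rsize else None
    return None

def loop_left_at_entry(pe: bytes) -> bool:
    """True if the dump still starts with EB FE at its entry point.
    Assumption: the dumper stored the OEP in AddressOfEntryPoint."""
    entry_rva, = struct.unpack_from("<I", pe, _nt(pe) + 40)
    off = rva_to_offset(pe, entry_rva)
    if off is None:
        raise ValueError("entry point is not backed by file data")
    return pe[off:off + 2] == LOOP

def make_sample(entry_bytes: bytes) -> bytes:
    """Constructed minimal PE32: one .text section, RVA 0x1000 -> offset 0x200."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)        # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 1)   # i386, one section
    struct.pack_into("<H", pe, 0x94, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x10B)       # PE32 optional header magic
    struct.pack_into("<I", pe, 0xA8, 0x1000)      # AddressOfEntryPoint
    pe[0x178:0x17D] = b".text"
    struct.pack_into("<4I", pe, 0x180, 0x200, 0x1000, 0x200, 0x200)
    pe[0x200:0x200 + len(entry_bytes)] = entry_bytes
    return bytes(pe)
```
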


Mirrors: http://www.hacker.com.cn/down/view_14702.html

Info: http://www.3800hk.com/Soft/zhly/19567.html

Quick Unpack 2.0 final for Windows 2000/XP/2003/Vista
(c) stripper engine by syd
founded by FEUERRADER [AHTeam]
(c) coded by Archer

19:35:56 - Opened utorrent 1.7.5_fake2x_leecher.exe
Quick self analyze.... PECompact 2.xx
PESniffer EP Scan: PECompact v2.xx
PEiD scanning... PECompact 2.x -> Jeremy Collake

If too difficult: Unpecomp2.exe

So some mods can look and see now that the files there, and in history by all known coders, do not have any call-homes integrated/added; but in the original uT/bT the stats.domain.com has disappeared in the later builds, or we are all blind and have not found it any more in all builds beginning from late August.

apple juice, eMule.0.48a.Titandonkey.v4.11-Bin, eMule.0.48a.Razorback3.Next.Generation.v4.11, eMule.v0.48a.Wikinger-Mod, sun power,... and the rest of apple juice
based ExeStealth V2.76 to prepare plugin required.

copy OEPFinders files from the older version in addition for full support of known unpacking types

more tools:
Homepage: http://qunpack.ahteam.org/


Anonymous said...

Quick Unpack 2.0 final for Windows 2000/XP/2003/Vista
(c) stripper engine by syd
founded by FEUERRADER [AHTeam]
(c) coded by Archer

19:48:23 - Opened utorrentstealth.exe
Quick self analyze.... unknown
PESniffer EP Scan: PECompact v2.xx
PEiD scanning... PECompact 2.x -> Jeremy Collake
19:48:40 - Force mode activated...
19:48:40 - Loading target...
0x00340000 - module ntdll.dll export hooked..
0x00350000 - module kernel32.dll export hooked..
19:48:41 - Close target, when it will be loaded...
19:48:41 - 0x7C800000 - module kernel32 loaded
0x00370000 - module user32.dll export hooked..
0x00380000 - module gdi32.dll export hooked..
0x00390000 - module imm32.dll export hooked..
0x003A0000 - module advapi32.dll export hooked..
0x003B0000 - module rpcrt4.dll export hooked..
0x003C0000 - module secur32.dll export hooked..
0x003D0000 - module lpk.dll export hooked..
0x003E0000 - module usp10.dll export hooked..
0x00A20000 - module comctl32.dll export hooked..
0x00A30000 - module msvcrt.dll export hooked..
0x00A40000 - module shlwapi.dll export hooked..
0x00A70000 - module comdlg32.dll export hooked..
0x00A80000 - module shell32.dll export hooked..
19:48:46 - 0x773D0000 - module comctl32.dll loaded
19:48:46 - 0x71AB0000 - module ws2_32.dll loaded
0x00A90000 - module ws2_32.dll export hooked..
0x00AA0000 - module ws2help.dll export hooked..
19:48:48 - 0x774E0000 - module ole32.dll loaded
0x009A0000 - module ole32.dll export hooked..
19:48:49 - 0x5AD70000 - module c:\winxp\system32\uxtheme.dll loaded
0x009B0000 - module uxtheme.dll export hooked..
19:48:49 - 0x5AD70000 - module uxtheme.dll loaded
19:48:49 - 0x5AD70000 - module c:\winxp\system32\uxtheme.dll loaded
19:48:50 - 0x5AD70000 - module c:\winxp\system32\uxtheme.dll loaded
19:48:50 - 0x5AD70000 - module c:\winxp\system32\uxtheme.dll loaded
19:48:50 - 0x7C9C0000 - module c:\winxp\system32\shell32.dll loaded
19:48:50 - 0x77920000 - module setupapi.dll loaded
0x009C0000 - module setupapi.dll export hooked..
19:48:51 - 0x77E70000 - module rpcrt4.dll loaded
19:48:52 - 0x7C9C0000 - module shell32.dll loaded
19:48:53 - 0x774E0000 - module ole32.dll loaded
19:49:13 - 0x5AD70000 - module uxtheme.dll loaded
19:49:13 - 0x77C00000 - module version.dll loaded
0x009D0000 - module version.dll export hooked..
0x009F0000 - module msctfime.ime export hooked..
19:49:14 - 0x755C0000 - module c:\winxp\system32\msctfime.ime loaded
19:49:15 - 0x76390000 - module imm32.dll loaded
19:51:47 - 0x77120000 - module oleaut32.dll loaded
0x00C90000 - module oleaut32.dll export hooked..
19:51:48 - 0x774E0000 - module ole32.dll loaded
19:51:48 - 0x76FD0000 - module clbcatq.dll loaded
0x00CB0000 - module clbcatq.dll export hooked..
0x00CC0000 - module comres.dll export hooked..
19:51:49 - 0x76FD0000 - module clbcatq.dll loaded
19:51:49 - 0x662B0000 - module c:\winxp\system32\hnetcfg.dll loaded
0x00CE0000 - module hnetcfg.dll export hooked..
19:52:28 - False breaks detected: 0
Force mode deactivated. No false breaks found.
0x00340000 - module ntdll.dll export hooked..
0x00350000 - module kernel32.dll export hooked..

19:52:29 - Target loaded at 0x00400000
19:52:29 - EntryPoint: 00401000
19:52:29 - OEP: 00485A28
19:52:29 - Breaked at 00485A28
19:52:29 - Dumping...
19:52:29 - Processing import... be patient, it may take some time...
19:53:17 - Import thunks not found! Processing original import...
19:53:48 - Used smart import recovery
19:53:49 - Unpacked file saved as C:\utorrent 1.7.5 EMU 1.6 LP\µtorrent 1.7.5 LP EMU 1.6 extra\utorrentstealth__.exe
0x7C900000 - module ntdll.dll unhooked..
0x7C800000 - module kernel32.dll unhooked..
19:53:49 - Done
