Monday, January 28, 2008

ap0x R.C.E. RL!dePacker 1.41 (101+) Reversing Labs

RLKit - Reversing Labs (first aid) Kit
After seeing a lot of so-called cracker kits being spread around whose weight exceeds 10 and sometimes 20 MB, I decided to create a real minimum reverser kit. That kind of first aid kit would contain only the applications most used by all crackers. So this is a bare-bones kit that proves that all you can need during reversing of 90% of applications can be packed in one package that weighs less than 2 MB. This kit contains:

+ OllyDBG 1.10
+ LordPE 1.4
+ ImpRec 1.6
+ PeID 0.94
+ 32bit Calculator 1.7
+ RepairPE 0.4
+ FileMon 4.28
+ RegMon 6.06
+ FSG 2.0
+ WinUPack 0.39
+ R!SC`s Process Patcher 1.5.1
+ IIDKing 2.0
+ dUP 2.10
+ Tola`s Patching Engine 2.03

Reversing Labs RL!dePacker has a built-in option to detect the original entry point (OEP). However, this option does not work with VB (always use FindOEP! function with VB applications and Force to manual OEP?) and some packers. So if RL!dePacker cannot unpack the file, use the FindOEP! function to detect the correct OEP, but use it only as a second resort since it can be jammed!
° Option Force OEP to manual address is used to force stopping on a manual OEP address; use this option ONLY if the packer cannot be unpacked (the target runs instead of breaking at OEP, or dumps at the wrong OEP).
° Option Correct OEP to manual address is used to correct the OEP in the PE header of the unpacked file.
° Option Hide unpacker from detection is used to hide the debugger from being detected by anti-tricks.
° Option Use tracer to correct IAT is used to remove all known redirection types.
° Option Fix Import elimination is used on applications that relocate the import table in memory outside the PE32 file. This option has been tested with AlexProtector 1.0 and RLPack TE 1.18. Please note that even though this option is in testing, it should give good results on all known redirection types (see ap0x unpacker SDK).
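What the "Correct OEP" step amounts to on disk, as an added example that is not RL!dePacker's or the SDK's code: rewrite AddressOfEntryPoint in the PE32 optional header of a dump and check which section the entry point falls in. The function names, the header-only sample image, its `.pack` stub section and the RVA values are constructed for illustration.

```python
import struct

def _headers(image: bytes):
    """Validate MZ/PE signatures; return offsets of the COFF and optional headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return coff, opt

def get_entry_point(image: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the PE32 optional header."""
    return struct.unpack_from("<I", image, _headers(image)[1] + 16)[0]

def section_containing(image: bytes, rva: int):
    """Name of the section whose virtual range covers rva, or None."""
    coff, opt = _headers(image)
    (count,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    for i in range(count):
        off = opt + opt_size + 40 * i
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        if vaddr <= rva < vaddr + vsize:
            return image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
    return None

def correct_oep(image: bytes, oep_rva: int) -> bytes:
    """Return a copy with AddressOfEntryPoint rewritten; reject an RVA outside every section."""
    if section_containing(image, oep_rva) is None:
        raise ValueError("OEP RVA is not inside any section")
    patched = bytearray(image)
    struct.pack_into("<I", patched, _headers(image)[1] + 16, oep_rva)
    return bytes(patched)

def build_sample() -> bytes:
    """Constructed header-only PE32: .text at RVA 0x1000, stub section .pack at RVA 0x3000."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)      # entry point still in the stub section
    secs = b"".join(struct.pack("<8sII", n, vs, va) + bytes(24)
                    for n, vs, va in ((b".text", 0x2000, 0x1000), (b".pack", 0x1000, 0x3000)))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

An entry point that still resolves to the packer's stub section after dumping is the "dumps at wrong OEP" case the options above are meant to handle.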

The generic unpacker can unpack ONLY packers that do not use IAT redirection, that don't steal APIs and which fill out the IAT table in correct order. All ordinals that can be converted to API names are converted; others are inserted into the IAT as ordinals! Designed for NT systems, Windows 2000 or later, but it should work on Windows 9x if you have the psapi.dll file!
If you don't want to update the software and therefore wait a few seconds before you can use this program, delete the Updater.dll file.

RL!dePacker 1.41 is tested with 101+ packers
aUS [Advanced UPX Scrambler] 0.4 - 0.5
ASPack 1.x - 2.x
AHPack 1.x
AlexProtector 1.x
ARMProtector 0.x
BamBam 0.x
BeRoEXEPacker 1.x
CryptoPeProtector 0.9x
CodeCrypt 0.16x
dot Fake Signer 3.x
eXPressor 1.2.x - 1.5.x
EZip 1.0
EP Protector 0.3
ExeSax 0.x
EXEStealth 2.x
FSG 1.xx & 2.0
Goat's PE Mutilator 1.6
hmimys-Packer 1.x
HidePX 1.4
HidePE 2.1
JDPack 1.x
JDProtect 0.9
JeyJey UPX Protector
KByS Packer 0.2x
Krypton 0.x
LameCrypt 1.0
MEW 1.x
nSPack 2.x - 3.x
nSPack Scrambler
nPack 1.x
NeoLite 1.0 & 2.0
ORiEN 2.12
OrIEN 2.1x
PECompact 0.9x - 2.x
PeX 0.99
PC Shrink 0.71
Polyene 0.01
Pack 4.0
PackMan & 1.0
PE Diminisher 0.1
PolyCrypt PE 2.1.5
PeTite 1.x
PEStubOEP 1.6
PELockNT 2.x
PePack 1.0
PC PE Encryptor alpha
PEncrypt 4.0
PEnguinCrypt 1.0
PeLockNt 2.x
PeLock 1.0x
Perplex PE-Protector 1.x
RLP 0.6.9 - 0.7.x
RLPack Basic Edition 1.x
ReCrypt 0.15 - 0.80
Stone`s PE Encryptor 2.0
StealthPE 2.1
Software Compress 1.x
SPLayer 0.08
ShrinkWarp 1.4
SmokesCrypt 1.2
Simple UPX-Scrambler
SimplePack 1.x
SLVc0deProtector 1.x
tELock 0.x
UPX 0.8x - 2.x
UPolyX 0.4 & 0.5
UPX Inkvizitor
UPXFreak 0.1
UPolyX 0.x
UPXLock 1.x
UG Chruncher 0.x
UPX-Scrambler RC 1.x
UPX Protector 1.0x
UPXShit 0.06 & 0.0.1
UPXScramb 2.x
VirogenCrypt 0.75
WWPack32 1.x
WinUPack 0.2x - 0.3x
WinUPack Mutanter 0.1
Winkript 1.0
yC 1.x
32Lite 0.3a
!ExE Pack 1.x
!EP (ExE Pack) 1.x
[G!X]`s Protector 1.2

This unpack engine covers everything an unpacker needs. It has debugger, dumper and importer modules which enable coding unpackers with ease. The SDK is free and can be used by anyone, but make sure you mention my name or include logo.bmp somewhere in the About dialog.

SDK v.1.4
- Updated Delphi and MASM SDK
- Fixed memory problems for all modules

v.1.6 [Debugger.dll]
- Added new ldex86
- Rewritten DebugLoop
- Added new API: ForceClose
- Added new API: SehGoneWildProtection
- Fixed: Handling custom exceptions
- Fixed: In case breakpoint is fired in second thread context doesn't get read
- Fixed: Not releasing loaded .dll file handles on process terminate
- Fixed: Find crashing on some searches with an access violation

v.1.5 [Dumper.dll]
- Fixed: PastePEHeader not writing header on some files
- Fixed: DumpProcess crash on file with PE header moved above SectionAlignment
- Fixed: DumpProcess not rebuilding header correctly on files which have larger...
- Fixed: ConvertVAtoFileOffset on files which have code inside PE header
- Fixed: AddNewSection resizing the new section size to fit FileAlignment
- Fixed: AddNewSection not aligning raw offset correctly

v.1.0 [Tracer.dll] (just for internal use by RL!dePacker, next version will be public!)
- Added support for following redirections: SLVc0deProtector 1.1x...
- Added support for following redirections: tELock 0.8x-0.99, PeX 0.99, ReCrypt 0.74
- Added support for following redirections: yC 1.x, Goat's PE Mutilator 1.6...
- Added support for following redirections: RLP 0.7x, ACProtect 1.x...
- Added new API: TracerGetAPIAdressByHashing
- Added new API: TracerAutoFixImportElimination
- Added new API: TracerDetectRedirection
- Added new API: TracerAutoFixIAT
- Added new API: HashTracerLevel1
- Added new API: TracerLevel1
- Added new API: TracerInit

v.1.5 [Importer.dll]
- Fixed: StrToInt conversion
- Added new API: ImporterCleanup
- Added new API: ImporterMoveIAT
- Added new API: ImporterGetAddedDllCount
- Added new API: ImporterGetAddedAPICount
- Added new API: ImporterFindAPIWriteLocation
- Fixed: ImporterAddNewAPI ordinal import handling
- Fixed: ImporterAutoFixIAT check already loaded .dll files code
- Fixed: ImporterAutoSearchIAT to correctly find IAT in case of invalid near jumps
- Fixed: Not unloading loaded .dll files with ImporterAutoFixIAT
- Fixed: ImporterGetAPINameOrOrdinal API...
- Fixed: Ordinal processing in ImporterGetAPIName, ImporterGetAPINameEx...
- Fixed: ImporterAutoFixIAT to get all .dll file(s) libraries and calculate relative...
- Fixed: ImporterGetAPINameFromDebugee to get API names from all libraries....
- Fixed: ImporterAutoFixIAT to get all .dll file(s) libraries not just the system ones

Downloads (w/o internal modules Tracer.dll & GenOEP.dll):
Mirror1 - Mirror2


Download all-in-one full (4.68 MB): RL!
AVs may report it as a false positive
