-----------------------------------------------------------------------
                  unROSE/386 (80386+, DOS 5.0+)
-----------------------------------------------------------------------

An unpacker for some COM and EXE packers/protectors that are not
supported by common unpackers like Tron 1.30, UNP 4.12 or X-Tract 1.51a.

Run unROSE to see a list of currently supported packers.

Based on code from IUP 0.6.7

-----------------------------------------------------------------------

APack
-----

Tested on a bunch of 0.7x, 0.8x and 0.9x packed COM and EXE files.
Should work fine if the entry point is detected, because APack files
don't use anti-debugging tricks. Also able to unpack modified APack
versions.

Note on CryptLS
---------------

When unpacking, you'll see a lot of tracing information that is needed
for unpacking. If I omit this information, the unpacker will hang
(strange...). Tested with 1.15 (works well), 1.20 (seems to be buggy)
and 1.21 (works well).

WWPack + WWPMutator
-------------------

WWPMutator is a program that can be used to fool WWPack unpackers by
inserting its own startup code for WWPack. unROSE detects and unpacks
the WWPMutator startup code. Currently these versions exist:

 - 1.00   adds "standard" startup code to WWPacked files
 - 1.10   uses an encrypted startup code using a poly engine
 - 1.10b  bug-fixed 1.10 with changed mutation engine

Because I am the author of several antivirus programs, I have
developed a correlation scanner that I use to add detection of highly
polymorphic viruses to VirScan Plus. This scanner managed to pick up
(in 10 sec.) a constant search string for WWP-Mutator 1.10, so for
unROSE it's an easy job to detect this kind of "poly engine".

To remove WWPack completely you must run unROSE twice: the first run
removes the compression, the second run removes the compressed
relocation (PR).

WWPack PU/Hard 3.04a and 3.05ß5 cannot be expanded. PU/Soft can be
removed easily. For this reason WWPMuta with WWPack 3.05ß5 cannot be
removed (currently :).

ProtEXE 2.11
------------

Unpacks both versions: Shareware and Registered. The file size
calculation is a little bit buggy, but who cares about it?

Protect!
--------

Currently unROSE can detect versions 5.0, 5.5, 5.6 and 6.0.
Only versions 5.5 and 5.6 can be unpacked :)

ComprEXE
--------

COM & EXE packer found in the ProtEXE 3.11 package. I have added it to
unROSE because there is currently no unpacker (besides generic
unpackers) available.

UCEXE
-----

Was long unpacked as AVPack. Tested versions: 2.3, 2.4 and 2.unk

-----------------------------------------------------------------------

Please note that unROSE is a tracer and therefore sometimes traces
through the code underneath the protector. This often results in the
removal of the compressor below the protector; just try it on the
original PROTEXE.EXE file :)

-----------------------------------------------------------------------

(C)opyright 1987-2001 (ALL RIGHTS RESERVED!)

  ┌────────────────────────────────┐
  │    ROSE Softwareentwicklung    │█
  │     Dipl.-Ing. Ralph Roth      │█
  │          Finkenweg 24          │█
  │                                │█
  │     D 78658 Zimmern o. R.      │█
  │                                │█
  └────────────────────────────────┘█
   ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

http://come.to/rose_swe

Refer to the ROSEBBS.TXT file for PGP key, FAX, EMail address etc.
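
-----------------------------------------------------------------------

The WWPack + WWPMutator section above mentions a correlation scanner
that picked up a constant search string for WWP-Mutator 1.10. The README
does not describe how that scanner works; the following is an added
example, not code from unROSE or VirScan Plus, showing one way (an
assumption) to derive such a string: find the longest byte run shared by
every sample. The sample bytes and all function names are constructed
for illustration.

```python
# Added example: derive a constant scan string from polymorphic samples.
# All sample bytes are constructed for illustration, not real stub code.

CORE = bytes.fromhex("dec0de5aa5112233")   # constant part (constructed)
SAMPLES = [                                # junk + CORE + junk, one per "mutation"
    bytes.fromhex("9090eb02") + CORE + bytes.fromhex("f8f9c3"),
    bytes.fromhex("fc41499087db") + CORE + bytes.fromhex("90c3"),
    bytes.fromhex("f5") + CORE + bytes.fromhex("4048fbc3"),
]


def common_of_length(samples, length):
    """Return one byte string of `length` present in every sample, or None."""
    ref = min(samples, key=len)            # candidates come from the shortest sample
    tried = set()
    for off in range(len(ref) - length + 1):
        cand = ref[off:off + length]
        if cand in tried:
            continue
        tried.add(cand)
        if all(cand in s for s in samples):
            return cand
    return None


def longest_constant_run(samples, min_len=6):
    """Binary-search the longest byte run shared by all samples.

    Valid because a shared run of length n implies one of length n-1.
    Runs shorter than `min_len` are rejected as too false-positive prone.
    """
    lo, hi, best = min_len, min(len(s) for s in samples), None
    while lo <= hi:
        mid = (lo + hi) // 2
        hit = common_of_length(samples, mid)
        if hit is not None:
            best, lo = hit, mid + 1
        else:
            hi = mid - 1
    return best


def offsets(samples, signature):
    """Where the signature sits in each sample (-1 if absent)."""
    return [s.find(signature) for s in samples]


if __name__ == "__main__":
    sig = longest_constant_run(SAMPLES)
    print("scan string:", sig.hex(), "at offsets", offsets(SAMPLES, sig))
```

The differing offsets show why a fixed-position comparison fails against
a mutated stub while a search for the shared run still matches.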