Introduction:
-------------
Well,
this fine release is a Dll version of the already released QUnpack program, from FEUERRADER of AHTeam.
What I did is to transform it into a DLL and to improve the whole code..
The main purpose of such a dll is to create complex patcher that would unpack on the fly the programs on the target PC, then apply byte changes to crack the program. Of course is much more useful where inline patching is not possible
But not only you can use this dll also as a base of any unpacker program you want to create.
I included a basic client just to give a try on the fly.
What it does:
-------------
The Dll works almost as the original Qunpack program. Essentially what is done is:
?set some hardware breakpoint into the debugged process
?find the OEP, using some custom method (if the target program is packed by FSG 1.33,
ASPack 2.12 or UPX 1.2x, the OEP is found using an own technology) or the code of the
GenOEP.dll (included inside, so no need of external dlls)
?dump process to previously allocated buffer.
?rebuild dump and realign it.
?rebuild the import table (using some code taken from ImpRec)
How to use in your own program:
------------------------------
This is the protototype of the main function
Here below instead a code sniplet of how to use the DLL in you programs:
char *infile_buff=NULL; // it's the buffer pointing to the file to be unpacked
char *outfile_buff=NULL; // it's the buffer pointing to the file where to store unpacked file.
char *log_buff=NULL; // it's the buffer storing the log.
BOOL autoOEP=TRUE;
DWORD realOEP=FALSE;
//TODO: Init above buffers and values as you want..
// Writes to a file the log_buff filled and allocated by the UnpackFile API!
// Note that the main program has to wait untill the threads launched by
// UnpackFile() is terminated.
// GetLog() returns a not NULL value only when the hard work is finished.
// You might consider placing this loop into a separate thread of the main
// application, just not to block the user interface too long.
// NB. Remember to free the allocated buffer!
while(GetLog(NULL)==NULL) ;
FILE *fp=NULL;
if(log_buff!=NULL)
if((fp=fopen(".\\Unpacking_log.txt","w"))!=NULL) {
fprintf(fp,log_buff);
free(log_buff); //really important, remember to free the buffer!
log_buff=NULL;
fclose(fp);
fp=NULL;
}
Help function:
--------------
whenever you choose to pass the OEP to the function directly, usually you might have to convert it from a string representation to a real HEX value (usually it's inserted from an edibox).
Just for reference you might use this function that converts an hex value from string representation
int hexstr2int(char *hexstr) {
register unsigned int length, i, value, shift;
for (length = 0; length < 9; length++) if (!hexstr[length]) break;
shift = (length - 1) * 4;
for (i = value = 0; i < length; i++, shift -= 4) value += HEX_2_INT_TABLE[(unsigned int)hexstr[i] & 127] << shift;
return value;
}
Belongs and Greetings:
----------------------
The DLL contains the code coming from some already existing DLLs. Those DLLs have been transformed into library files and directly linked to the Qunpack.dll to reduce external files dependency.
Those files are
?NDump.dll and RebPE32.dll which belongs to NEOx [uinC].
?GenOEP.dll by snaker
?Force.dll by FEUERRADER
Thanks again to FEUERRADER and to AHTeam members..
Distribution:
-------------
You may redistribute as you want the DLL, but please remember to give credits to the guys I mentioned and to me also!
If you witsh you can also include the present documentation and header files.
History:
--------
1.0 [+] initial release
1.1 [-] fixed a bug when realOEP is given
[+] added some details in the log file
[+] modified the little client
[+] modified the readme and added some more explanations
1.2 [+] eliminated the need for any external dll, now it's an unique dll
---------------------------------------------------------------------------
(`?_.粉?服-.__.-~*?&8~) Shu?N扃?rath [ARTeam] ?服-.__,.-~*ㄝ?_.粪)
There are only 10 types of people in the world: Those who understand binary, and those who don't http://cracking.accessroot.com
