╔═════════════════════════════════════════════════════════════════════╗
║             UNPCPECa by Prophecy [tNO '99] (04/09/1999)             ║
╚═════════════════════════════════════════════════════════════════════╝

  1. Intro
  2. User guide
  3. Misc notes
  4. Acknowledgements

┌────────────────────────────── ───── ─── ─
│ 1. INTRO
└───────────

UNPCPECa will decrypt any PE executable/DLL which has been encrypted with
PCPEC "alpha - preview", or PCPECa for short. PCPEC stands for Phrozen Crew
PE enCrypter. It is a passive decrypter: it works on the file on disk and
does not require the executable/DLL to be loaded.

This is the first unpacker of any sort I have ever done. Fortunately I had
a gentle start, as PCPECa is probably the easiest, most lame-ass PE crypter
to unpack you will ever come across.

At the time of this release, the latest version of Procdump (v1.40.0) could
not unpack PCPECa.

┌────────────────────────────── ───── ─── ─
│ 2. USER GUIDE
└───────────

UNPCPECa is simple to use...:

  unpcpeca <input file> <output file>

eg

  unpcpeca pcpec.exe out.exe

┌────────────────────────────── ───── ─── ─
│ 3. MISC NOTES
└───────────

The biggest thing that sux about PCPECa is that it relies purely on the
names of sections. I was trying to determine, without tracing, how PCPECa
decided which sections to crypt. I did not consider the possibility of it
using the section names... it is common knowledge that section names are
arbitrary, and should not be used in the crypting process.

Here is how PCPECa determines what to crypt, going only by the first
characters of each section name:

  - if the name starts with .ida, .rda, .eda, .deb or .ico, the section
    will NOT be crypted;
  - if the name starts with .rsr, the section will be crypted only if
    "encrypt resources" is checked;
  - anything else gets crypted.

Relying purely on section names shows a pretty poor understanding of PE
structure. Eg, PCPEC will automatically crypt the .tls section, which it
can't handle, causing nearly all apps I tested to GPF. And if your resource
section ain't called ".rsrc" and you choose not to crypt it, it will crypt
it anyway.
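To see what the name-based rule does to a given file, here is an added example in Python; it is not UNPCPECa's or PCPECa's code. It reads the section table and data directories of a PE32 image, applies the prefix rule exactly as listed above (skip list, .rsr plus the "encrypt resources" switch, crypt everything else), and then flags the two failure cases from these notes: a TLS directory sitting in a section that would be crypted, and a resource directory sitting in a section that is not called .rsrc. The prefix list and the switch come from the notes; the function names, the data-directory lookup and the headers-only sample image are assumptions made for the example.

```python
import struct

# Name prefixes PCPECa leaves alone (from the notes above); everything else is crypted.
SKIP_PREFIXES = (b".ida", b".rda", b".eda", b".deb", b".ico")
RSRC_PREFIX = b".rsr"            # crypted only when "encrypt resources" is checked

DIR_RESOURCE, DIR_TLS = 2, 9     # IMAGE_DIRECTORY_ENTRY_RESOURCE / IMAGE_DIRECTORY_ENTRY_TLS


def parse_pe(data):
    """Minimal PE32 reader: returns ([(name, rva, vsize), ...], [(rva, size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    # PE32 optional header: NumberOfRvaAndSizes at +92, DataDirectory[] at +96
    ndd = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndd)]
    sec_tab = opt + opt_size      # section headers follow the optional header, 40 bytes each
    sections = []
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", data, sec_tab + 40 * i)
        sections.append((name.rstrip(b"\0"), rva, vsize))
    return sections, dirs


def pcpeca_would_crypt(name, crypt_resources):
    """PCPECa's per-section decision as described above: the name prefix, nothing else."""
    if name.startswith(SKIP_PREFIXES):
        return False
    if name.startswith(RSRC_PREFIX):
        return crypt_resources
    return True


def section_for_rva(sections, rva):
    for name, start, vsize in sections:
        if start <= rva < start + vsize:
            return name
    return None


def predict(data, crypt_resources=False):
    """Return ([(name, crypted)], [warnings]) for the PE image in `data`."""
    sections, dirs = parse_pe(data)
    plan = [(name, pcpeca_would_crypt(name, crypt_resources)) for name, _, _ in sections]
    crypted = {name for name, c in plan if c}

    def dir_owner(idx):           # section holding a data directory, or None if absent
        if idx < len(dirs) and dirs[idx][1]:
            return section_for_rva(sections, dirs[idx][0])
        return None

    warnings = []
    tls = dir_owner(DIR_TLS)
    if tls in crypted:
        warnings.append("TLS directory is in %s, which gets crypted: expect a GPF" % tls.decode())
    rsrc = dir_owner(DIR_RESOURCE)
    if rsrc in crypted and not rsrc.startswith(RSRC_PREFIX) and not crypt_resources:
        warnings.append("resources live in %s, not .rsrc: crypted although "
                        "'encrypt resources' is off" % rsrc.decode())
    return plan, warnings


def build_sample_pe(section_specs, tls_rva=0, rsrc_rva=0):
    """Constructed headers-only PE32 image (no code) so the example runs offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # 16 data directories
    if tls_rva:
        struct.pack_into("<II", opt, 96 + 8 * DIR_TLS, tls_rva, 0x18)
    if rsrc_rva:
        struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, rsrc_rva, 0x100)
    image = dos + b"PE\0\0" + coff + bytes(opt)
    for name, rva in section_specs:                                  # one 40-byte header each
        image += struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x200, 0, 0, 0, 0, 0, 0)
    return image


# Constructed sample: has a .tls section and a resource section that is not called .rsrc.
SAMPLE = build_sample_pe(
    [(b".text", 0x1000), (b".rdata", 0x2000), (b".data", 0x3000),
     (b".tls", 0x4000), (b".res", 0x5000)],
    tls_rva=0x4000, rsrc_rva=0x5000)

if __name__ == "__main__":
    plan, warnings = predict(SAMPLE)
    for name, c in plan:
        print("%-8s %s" % (name.decode(), "crypt" if c else "skip"))
    for w in warnings:
        print("WARNING:", w)
```

Run it against the constructed sample and .rdata is the only section left alone, while both .tls and .res get crypted and produce a warning; rename .res to .rsrc and the resource warning disappears, which is exactly the name dependence the notes complain about. Replace SAMPLE with the bytes of a real target to check a file before feeding it to PCPECa.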
Also, it always assumes the first section is the code section, so when you
tell it to use the CRC of the code to encrypt, it will always use the first
section. And because of that it will automatically encrypt the first
section, if you say use CRC of code.

Even though this is an alpha, it's supposed to be a base for future
versions. If you build your house on a shitty foundation, it won't be any
good... if your PE crypter has a shit core, any future versions built upon
the same core will be shit too.

I guess the only good point about PCPECa is it still defeats Procdump at
the time of this release... I s'pose the authors of Procdump are too busy
examining decent PE crypters/packers, otherwise PCPECa would have been
unpackable by Procdump a long time ago.

Personally, I would be embarrassed to have released a PE crypter which
relies on section names... actually, I would have been embarrassed to
release anything that is alpha.

At the end of the day, why did I even bother writing this unpacker...
nobody even uses PCPECa haha. Oh well, better luck next time boys, looks
like you need it.

PS: a viola is a fucking musical instrument.

PPS: bug reports... join #tno99, EFNET

┌────────────────────────────── ───── ─── ─
│ 4. ACKNOWLEDGEMENTS
└───────────

Cheers to Iczelion for helping me out on some points about the PE header.
Iczelion... you have so much knowledge and you are always willing to share
it... my undue respect to you and your kick-ass chan #win32asm.