unPES v2.6
PESHiELD 0.1b, 0.1c, 0.1d, 0.2b, 0.2b2 and 0.25 unpacker

Intro
~~~~~

This is an unpacker for the famous PESHiELD, one of the best protectors of its time, versions 0.1b, 0.1c, 0.1d, 0.2b, 0.2b2 and 0.25. Files encrypted by these versions of the protector are decrypted automatically.

What's new
~~~~~~~~~~

v2.6
- bypassing of simple entry point faking via a JMP, which prevented the old versions from recognizing the protection layer
- fixed some small bugs
- the source code is no longer available. It seems that no one is interested in it. That means unPES is dead from now on. Don't expect any new version unless there is a new version of PESHiELD or someone sends me a registered or very old version like 0.1 beta.

v2.5 (unreleased to public)
- added support for PESHiELD 0.26 registered to TEAM CLASS. Actually it is version 0.25 with some changes which bypass the available unpackers. Thanks to Egoiste, who sent it to me.
- fixed the bug with the Open File dialog box, which is now modal (you cannot access the main window of the program without closing this dialog box). Many thanks to Hutch for the help.

v2.4
- added support for PESHiELD 0.1b and 0.1c; now every version of this protector I found on the web can be unpacked. If anyone has the first (0.1 beta) version of PESHiELD and wants to make it public, please mail me. BTW the engine that decrypts the polymorphic layer, which I coded for version 0.1d, works OK with the old versions too without any changes. Probably it will decrypt the first version (0.1 beta) and you will get a message about an unknown PESHiELD 0.1 version. If you find such a file, please mail it to me.
- added an option to clear (remove) the PESHiELD 0.1x layer from the file, which results in a smaller file. Use this option with caution (read below)!
v2.3
- added support for PESHiELD v0.1d (really harder to write a decryptor for than all the other protectors I have messed with; this is my first decryptor for a polymorphic layer). As I said, the decryptor for the PESHiELD layer is mutated and polymorphic. The weak point of attack is that it doesn't use the junk/garbage instructions to change the decryption key (ANAKiN only uses constant values and the counter as decrypt values).

v2.2 (unreleased to public)
- added support for PESHiELD v0.25 (Iczelion's unpacker has the same problem I had before in decrypting the twice-encrypted w32dasm.exe, so I simply added the support to mine with only a few changes. Greetings to Iczelion!)

v2.1 (unreleased to public)
- display of information about the unpacking process
- coded relocations decompression (still not written to the output file)

v2.0
- now it is a win32asm version
- the file size limit does not exist anymore
- nice looking GUI added (thanks tARG0N/[cRO] for the gfx :)
- added support for PESHiELD 0.2b
- PE file checksum calculation (credits to tE! for his sources)

v1.0
- DOS version of the PESHiELD 0.2b2 unpacker
- support for files smaller than 60KB

Usage
~~~~~

Using the unpacker is really easy (who does not know how to use a GUI? ;):
- select the file to unpack
- press the Unpack button; an OUT.EXE file is created, which is the decrypted EXE

Multiple encryption layers are supported and decrypted automatically. A few options affect the decrypting process:

- Confirm multiple layers - asks whether to continue decrypting when the current layer is finished. It can be used for studying the PESHiELD code, or when the unpacker cannot recognize and decrypt an unknown/patched/cracked PESHiELD version.

- Recalculate PE checksum - this option uses a procedure written by tHE EGOiSTE that calculates the new PE checksum and writes it into the PE header. The checksum is unused on Win9x systems, but it is used for drivers that run on WinNT and Win2000 (that's what I know of).
Most linkers leave this checksum at zero. This PE header manipulation can cause problems, because a PESHiELD layer can use heuristic antivirus checks which include the PE header and the object table (section headers); if another PESHiELD layer is left (because of the Confirm multiple layers option or an unsupported version), the file may stop running (the protector will stop execution because of a false alarm).

- Change code section flags - when you want a working, disassemblable file (at least for w32dasm) you can change the code section flags to make that possible. Again, this can cause problems running the file if another PESHiELD layer is left with its heuristic antivirus checks turned ON.

- Remove PESHiELD 0.1x section from the file - removes the currently decrypted PESHiELD layer and ALL layers after it. The result is a smaller file, but this may cause problems if a layer which contains redirected resources is removed; the file will then stop working. For example, if you have a file encrypted with several PESHiELD layers, 0.1d - 0.2b2 - 0.1b, and you turn on this option and unpack the file, the section with PESHiELD v0.2b2 will be removed too, and if it contains redirected resources (icons, version info) the file probably will not run!

- Confirm PESHiELD section removing - by turning this option ON you will be asked on every PESHiELD 0.1x layer whether you want to remove it. In the example shown above you can safely remove the v0.1b layer and keep the rest without any problems, and the file will work, because the old 0.1x versions of PESHiELD do no resource redirection. For now this option affects only PESHiELD 0.1x layers.

If the unpacker doesn't work with your file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I received e-mails from some people who had encountered problems unpacking some files. They told me that my unpacker does not fully unpack the files. The problem is that my unpacker is ONLY for PESHiELD!
It doesn't support other protectors/packers, so you have to use another unpacker for those. The best thing is to get several file identifiers (FileInfo, File Scanner, PEiD, UN-PACK, GetTyp and others that are spread around the web) and, after decrypting the file with unPES, scan it to see whether it is packed/protected by another program. Then find an unpacker for it and there you go. I recommend PEiD by snaker and Qwerton because it recognizes the latest PE packers/protectors. If after all the checks you did with the file analyzers you are still sure it is protected by an unsupported or wrongly supported PESHiELD version, then send me an e-mail about it.

To do (discontinued)
~~~~~~~~~~~~~~~~~~~~

- rebuilding the resources, allowing removal of the PESHiELD layer(s) from the file
- heuristic section rename
- adding support for other PESHiELD versions (if anyone has versions unsupported by this unpacker, please mail them to: unknone@mail.com)
- creating a .DLL with an exported unpacker procedure (guess why ;)
- .reloc section rebuilding
- adding support for ANAKiN's other packer - PE-PACK

Greetings
~~~~~~~~~

Everyone :)

Special greetings
~~~~~~~~~~~~~~~~~

ANAKiN, Iczelion, tHE EGOiSTE, totnak, VAG, r!sc, Daemon, DaFixer, darkgrey, hutch, snaker

Many thanks fly out to The Archivist (www.suddendischarge.com) who gave me PESHiELD v0.1b and v0.1c. Thank you!

Group greetings
~~~~~~~~~~~~~~~

TMG, DTG, ECL, uCF, CORE, DSA, PHM, PCT, AOI, #win32asm and #ug2000 dudes!

Contacts
~~~~~~~~

Who cares anymore about me? ;) Anyway, my e-mail is written somewhere in this text.

Best regards,
Unknown One/[TMG]
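PE checksum and code section flags: worked example
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The two header fix-ups offered as options under Usage, recalculating the PE checksum and changing the code section flags, are shown below as an added Python example. It is not unPES's code (unPES was written in win32asm and its checksum routine came from tHE EGOiSTE) and it knows nothing about PESHiELD layers; it only does the header work on a plain PE file. The checksum algorithm is the standard imagehlp CheckSumMappedFile one: sum the file as 16-bit words with carry folding, skip the 4-byte CheckSum field itself, then add the file length. Which section flags unPES sets is not stated on this page; the example assumes IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE on the section holding the entry point, which are the bits a disassembler keys on. The 1 KiB PE image it operates on is constructed in build_sample_pe() so the example runs offline; it is not taken from any real file.

```python
"""Post-unpack PE header fix-ups: recalculate the PE checksum and mark the
entry-point section as code.  Added example, not unPES's own code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
CHECKSUM_FIELD = 64                   # CheckSum offset in the optional header (PE32 and PE32+)


def _headers(data):
    """Return (optional header offset, NumberOfSections, SizeOfOptionalHeader)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24, nsections, opt_size


def pe_checksum(data):
    """Checksum as imagehlp's CheckSumMappedFile computes it: a carry-folded
    sum of every 16-bit word except the CheckSum field, plus the file length."""
    opt, _, _ = _headers(data)
    cs_off = opt + CHECKSUM_FIELD
    padded = data + b"\0" if len(data) % 2 else data   # odd tail byte is zero-extended
    total = 0
    for off in range(0, len(padded), 2):
        if off == cs_off or off == cs_off + 2:           # skip the 4-byte CheckSum field
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)         # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    opt, _, _ = _headers(data)
    return struct.unpack_from("<I", data, opt + CHECKSUM_FIELD)[0]


def write_checksum(data):
    """Return a copy of the image with a freshly computed CheckSum field."""
    opt, _, _ = _headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, opt + CHECKSUM_FIELD, pe_checksum(data))
    return bytes(out)


def _entry_section(data):
    """Return (header offset, unpacked header) of the section holding AddressOfEntryPoint."""
    opt, nsections, opt_size = _headers(data)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    for i in range(nsections):
        off = opt + opt_size + i * 40
        hdr = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        vsize, va, rawsize = hdr[1], hdr[2], hdr[3]
        if va <= entry_rva < va + max(vsize, rawsize):
            return off, hdr
    raise ValueError("entry point lies outside every section")


def entry_section_flags(data):
    return _entry_section(data)[1][9]          # Characteristics


def mark_entry_section_as_code(data):
    """Assumed flag choice: CNT_CODE | MEM_EXECUTE on the entry section."""
    off, hdr = _entry_section(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off + 36, hdr[9] | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    return bytes(out)


def fix_unpacked(data):
    """Flags first, then the checksum, because the checksum covers the section table."""
    return write_checksum(mark_entry_section_as_code(data))


def build_sample_pe():
    """Constructed 1 KiB PE32 image: one section, CheckSum 0, section flagged
    INITIALIZED_DATA|READ|WRITE (0xC0000040) so both fix-ups have work to do."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB9I6H4IHH6I",
                      0x10B, 0, 0,
                      0x200, 0, 0, 0x1000, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sect = struct.pack(SECTION_HEADER_FMT, b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0xC0000040)
    headers = (dos + coff + opt + sect).ljust(0x200, b"\0")
    code = b"\x33\xC0\xC3".ljust(0x200, b"\0")           # xor eax,eax ; ret
    return headers + code


if __name__ == "__main__":
    sample = build_sample_pe()
    fixed = fix_unpacked(sample)
    print("before: CheckSum 0x%08X, entry section flags 0x%08X"
          % (stored_checksum(sample), entry_section_flags(sample)))
    print("after:  CheckSum 0x%08X, entry section flags 0x%08X"
          % (stored_checksum(fixed), entry_section_flags(fixed)))
```

To apply it to a real unpacked file, pass the file's bytes to fix_unpacked() and write the result back out. As the Usage section warns, do this only once the last PESHiELD layer is gone: a remaining layer that checks its own PE header and section table will see the changed flags and checksum and refuse to run.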