==========================================================================================
        PeUNlock v1.0x - by ^DAEMON^ [UG2002] - we execute - we emulate - we decrypt
==========================================================================================




			      ATTENTION (PLEASE KEEP IT IN MIND!)

  THIS IS AN INTERNAL UNPACKING GODS RELEASE! SPREADING IT WILL BE PROSECUTED BY DEATH!
  	      (evil vladimir will decide how to sentence u to death then :] )
			
				        -=BE AWARE=-




==================== WHAT THE FUCK IS "PEUNLOCK" ????? ======================================================================
again a new unpacker for a new protection system (the base is similar to asprotect / svkp)
this unpacker was made for fun...

==================== WHAT'S SUPPORTED ? =====================================================================================
	          	  - pelock v1.00 FULL
			  - pelock v1.00 DEMO
			  - pelock v1.01 FULL
			  - pelock v1.01 DEMO
			  - pelock v1.02 FULL - fails at finding call to decrypt sections
			  - pelock v1.02 DEMO - decrypts until resource section

==================== WHATSNEW SINCE LAST REL. ? =============================================================================
			  - added support for demo versions (bug fixed!) works now 100%!
			  - emulation of entry_point decryption is done!
		          - it puts the entry_point @ pelock_loader_section
			  - import rebuilder (sorry mackou, i was too stupid to use yours... coded my own one)
		          - realigning stuff (not much to do this time.... iam lazy :)

==================== HOW IT WORKS ===========================================================================================
			  - coded a small routine (engine) that does analysis on
   			    the polymorphic layer and defeats it by setting breakpoints
			    into it / execution afterwards
			  - the section decryption is REALLY nice cause it's FULLY
			    polymorphic. idea was to search for static points; when found,
			    copy it (and modify it a bit) ->
			    inject it into process space and let it emulate the decryption
			    process...
			  - he uses aplib 0.36 for (de)crunching (tag removed - against copyright!)

==================== FUTURE PLANS / FOR WHAT I'VE BEEN TOO LAZY :) ==========================================================
	                  - adding support for v1.02
			  - when i've got too much time i'll rebuild the entry_point up to 100%!		
			  - improving ipcde to handle X layers (it's not really needed but would be nice!)	  


==================== KNOWN PROBLEMS =========================================================================================
			  - 1.02 has MORE internal layers (polymorphic call fails!)
			  - @ least on windows xp it fails to retrieve a lot of api_names and goes into
			    nirvana (dunno why that happens) -> i've ripped the loader code!
			  - winspool.drv.dll <--- hehehehehhe :) well if u've got this prob
			    of course just nuke the ".dll"


(for you hypno :)
history:       02.09.2002 - started coding / reversing pe_lock in depth
                          - coded ipcde (a nice routine :) not finished yet
                            but works with every file so far
                          - ripped unpacking code (apack)
                          - first layer is getting decrypted
               03.09.2002 - found an evil-bug!
                            affected: unpacking routine!
                            (to start decrunching @ wrong position)
                          - analyzed loader more
                          - static shit found to obtain polymorphic decryptor
                          - v1.02 has more internal layers
                            and isn't yet supported
			  - released very first beta
               04.09.2002 - code injecting stuff :)
                          - decrunching sections now... heheheh
                          - next part will be the .idata poly decryptor
                            and the import rebuilding stuff!
			  - released again a new beta
		          - noticed that parts of the .rsrc are encrypted/crunched
			  - found a way to find start of .idata decryption
			  - fuck... iam powered out... need to sleep
	       05.09.2002 - finally managed the idata decryption :)))) weeeeeee
	       		  - too lazy to go on :/
	       06.09.2002 - parts of the resources are encrypted/crunched (again polymorphic!) <-- done ;)
			  - hehehehe bartosz had the same idea i had (ripping the entrypoint)
	       10.09.2002 - ripped import table loader
			  - noticed that v1.01 has somehow a messed up import table decryption
			  - after some tracing i saw that it's randomly shifted by 01
			    coded a small routine that fucks that up
			    works now again.... :)	
			  - after debugging again i saw that i was NOT strict enough
			    with the size_detection -> this caused the demo protected
			    files to crash (fixed immediately)!
			  - this sucker encrypted the raped_entry_point too!
			    (running line decryption :)
	       11.09.2002 - analysed decryption more
			  - entry_point is getting decrypted now! (only in memory!)
			  - added opcode filtering by using ADE32 v2.02
			  - it puts the old entrypoint @ pelock section
			  - added routines to setup a rebuilding buffer for the import table
		          - coded a full rebuilder
			  - FUCK OFF! that's enough for today
			    (unwrapped files are running already on 9x!)
	       12.09.2002 - puuhhhhh *G* 
						
					   !GAME OVER!

	       		  - thx to Hypnz for pointing out a few bugs!
			  - fixed a bug where call rva -> 0
			    again detection wasn't strict enough!
			  - ordinal import rebuilder bug fixed!
			  - another problem occurred : hehehe this time
			    i wasn't generic enough... somehow 1 layer
			    shrank down to 200h bytes instead of
			    normally 400h bytes :/






~~~~~~~~~~~~ just for those who are interested ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
explaining structure of import buffer:

dll_string           | example KERNEL32.DLL
byte 0               | terminate string
byte 0/1             | import type flag: 0 = ordinal, 1 = by name
byte 0               | just to keep space between it ;)
api_string/ord_value | api_string or ordinal value
byte 0               | terminate string
dword                | final rva where to put the loaded value
....
....
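
a parser for the record layout above, added here as an example (it is not code from PeUNlock), handy for checking a dumped import buffer before trusting it. assumptions not stated in this file: every record repeats its dll_string, the ordinal value is a 16-bit little-endian word followed by the 0 byte, the rva dword is little-endian, and the buffer simply ends after the last record; the names ImportRecord, parse_import_buffer and SAMPLE are made up for this example.

```python
import struct
from typing import NamedTuple, Union

class ImportRecord(NamedTuple):          # hypothetical name, not from the tool
    dll: str
    by_name: bool
    target: Union[str, int]              # api name, or ordinal number
    rva: int                             # where the loaded value is put

def _cstring(buf, pos):
    """Read a 0-terminated ASCII string; return (text, offset after the 0)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(f"unterminated string at offset {pos:#x}")
    return buf[pos:end].decode("ascii"), end + 1

def parse_import_buffer(buf):
    """Walk the records in order and reject anything that breaks the layout."""
    records, pos = [], 0
    while pos < len(buf):
        dll, pos = _cstring(buf, pos)
        if pos + 2 > len(buf):
            raise ValueError("truncated flag/spacer bytes")
        flag, spacer = buf[pos], buf[pos + 1]
        if flag not in (0, 1) or spacer != 0:
            raise ValueError(f"bad flag/spacer at offset {pos:#x}")
        pos += 2
        if flag == 1:                    # by name: 0-terminated api_string
            target, pos = _cstring(buf, pos)
        else:
            # ASSUMPTION: ord_value is a 16-bit little-endian word + 0 byte
            if pos + 3 > len(buf) or buf[pos + 2] != 0:
                raise ValueError(f"bad ordinal field at offset {pos:#x}")
            (target,) = struct.unpack_from("<H", buf, pos)
            pos += 3
        if pos + 4 > len(buf):
            raise ValueError("truncated rva dword")
        (rva,) = struct.unpack_from("<I", buf, pos)   # ASSUMPTION: little-endian
        pos += 4
        records.append(ImportRecord(dll, flag == 1, target, rva))
    return records

# Constructed sample buffer (not taken from a real protected file).
SAMPLE = (b"KERNEL32.DLL\x00\x01\x00GetProcAddress\x00" + struct.pack("<I", 0x2000)
          + b"WINSPOOL.DRV\x00\x00\x00" + struct.pack("<HB", 203, 0)
          + struct.pack("<I", 0x2004))
```
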



that's all so far ;)
^DAEMON^
	   