
                            Generic Unpacker Win32
                                                                              
                  an open source project by Christoph Gabler
                           uses ImpREC by MackT/UCF
                       GUW32 v1.0 beta8 (c) UNPACKiNG GODS

                              visit unpack.cjb.net  

         introduction

         usage

         options

         performance

         tracer engine

         plans

         support

         coders wanted



   introduction............................................................

   The purpose of this little utility is to generically and automatically
   unpack all kinds of protections from portable executable files.
   The main idea behind GUW32 is to handle this type of encryption without
   knowing anything about the cryptors themselves, such as the algorithm used.
   This is done by taking advantage of the trap flag, which allows single
   stepping without having to know the length of each instruction in order
   to set valid breakpoints. If you use GUW32, you will not need to know
   anything about programming or the PE format: simply select your file and
   wait until everything has been done automatically. GUW32 tries to create a
   CPU-like environment for the traced thread by emulating the mechanisms
   that are used for single stepping (e.g. TF, the thread's own exception
   handling etc.). The tracer engine is still far from being detect-proof,
   which means there is still a lot of stuff to be emulated and fixed.
   GUW32 offers two different ways to handle single step exceptions:
   a structured exception handler operating in ring3, which is able to
   trace ring3 code only, and a stronger and faster ring0 handler which is
   able to step through pm16/pm32/v86 code such as APIs and interrupts.

   usage...................................................................

   Click the "START" button in the GUW32 graphical user interface and
   select the file you want to unpack.

   The GUW32 dialog box will now minimize and display ">T.R.A.C.I.N.G...".
   Wait until the tracer has finished tracing through the specified executable.
   This may take several minutes depending on the size of the file,
   your CPU speed and how many tasks are running at the same time.

   The tracer has failed if one of the following happens:

   - GUW32 displays an error
   - A bluescreen or a GPF occurs
   - The file you want to unpack suddenly runs

   If none of these things happens and the tracer still displays
   ">TRACING...", then GUW32 has NOT crashed, please wait!

   IMPORTANT: If SoftIce or another debugger is active, GUW32 will be
   a lot slower! Please also remember that cryptors which do not run
   under SoftIce (e.g. because they detect it or crash) *cannot* be unpacked
   while SoftIce is active!


   options.................................................................

   - "Show current EIP"

   Warning: This option should usually be left off! When turned on, it
   slows tracing down a lot!

   This option is used to determine the last successfully traced EIP if
   the tracer engine fails to trace through a thread completely.
   This means it is only useful for finding bugs in the GUW32 tracer engine.

   - "Report APIs"

   This will display information about APIs whenever a call to one has been
   reached:
   Thread API call entry:  VA to the call or jmp to the API
   Thread API call return: VA to the return address after the API
   API entry:              VA to the actual API
   Function name:          Name of the called function (if known to tracer)

   This option should be left unchecked, except when you are interested
   in the API calls which are used by a cryptor.

   - "Remove last section"

   Cryptors and packers need to append code to the encrypted executable
   so that it can decrypt itself in memory.
   This code is usually stored in the last section of the PE file.
   Although there are other ways, like realigning the file or code caving/
   resizing, nearly all cryptors/packers append a last section.
   For UPX, PECompact, PCGuard and PCShrinker however, you should disable
   "Remove last section" (if this isn't already done automatically).

   - "Build new idata"

   This option makes use of MackT's ImpREC.dll, which reconstructs the
   import table (new image import descriptor, IAT, and the ASCII function
   names). ImpREC will append a new section to the unpacked file which
   contains the rebuilt import table.
   It is highly recommended to leave this option turned on, because most
   cryptors process the encrypted import table and use their own IT, thus
   modifying the size/pointer of the original IT and overwriting parts of
   the old idata (for allocation purposes etc.).

   - "Use ring0 tracer"
   
   If enabled, the tracer will install its own interrupt vector instead of
   using SEH to handle the single step exceptions. This way it is a lot faster
   than the ring3 tracer and a lot stronger, because it cannot be crashed by
   stack tricks and is able to trace ring0/v86 code such as APIs or
   interrupts.
   
   
   performance.............................................................

   If you disable "Use ring0 tracer", GUW32 will be pretty slow, because
   every time an exception occurs the SEH path also runs code from
   kernel32. That is why it is highly recommended to run GUW32 on Win95/98
   or Millennium and leave this option enabled.

   Notes about the tracer speed:
   - The more tasks are opened while tracing, the slower the tracing is
   - The bigger the file is you are unpacking, the longer it will take to
     unpack it
   - If you have "Show current EIP" turned on, the tracer will become about
     five times slower

   Examples (on an AMD Thunderbird 900 MHz):

   Packer: WWPack32 1.20
   File size (packed): 267.264 bytes (261 kb)
   Required time (ring0 tracer): 3 seconds
   Required time (ring3 tracer): 17 seconds
   Required time (ProcDump): 54 seconds 

   Packer: PECompact 1.46
   File size (packed): 1005.056 bytes (1 MB)
   Required time (ring0 tracer): 39 seconds
   Required time (ring3 tracer): 3 min 51 seconds

   Cryptor: Asprotect 1.1 shareware
   File size: 47.616 bytes (46 kb)
   Required time for unpacking: 14 seconds

   Cryptor: PC Guard Win32 3.04d registered
   File size: 224.256 bytes (219 kb)
   Required time (ring0 tracer): 16 seconds
   Required time (ring3 tracer): 51 seconds

   Cryptor: Yoda's Crypter 1.2
   File size: 444.998 bytes (434 kb)
   Required time for unpacking: 9 seconds

   Cryptor: PE-PaCK 1.0
   File size: 536.576 bytes (524 kb)
   Required time for unpacking: 17 seconds


   tracer engine [SEH ring3]...............................................

   emulation modules

   - API emulation:
     Steps over API calls by using return VA at seg:ESP at API entry.
     TO DO: Add API tracing instead of emulating, to handle "jumping deeper
     into API call" (e.g. not to real entry of API)

   - Thread own SEH emulation:
     Checks for modifications to FS:0 handler pointer, then waits for an
     exception to occour, traces the current thread exception handler till
     freqasm is reached, then breakpoint on context_eip.
     TO DO: Emulating trapflagging in victim thread and nested exceptions.

   - Hiding trapflag from eflags:
     Emulates PUSHF, POPF, IRET to hide or reactivate the trapflag.

   - Recognizing opcodes:
     Detects any kind of opcodes which hide instructions which must be
     emulated.

   - Thread own stack emulation:
     Currently only done by resizing and checking for some ungeneric
     tricks.
     TO DO: Completely faking an own stack pointer + own stack area
     for the victim thread.

   - Generic OEP seeker:
     Sets BPM on sections and waits for another section to be reached.
     Does some checking for entrypoint faking, but of course this is not
     complete yet.
     TO DO: Include an option which will wait for the user to decide, every
            time a possible OEP has been reached.


   tracer engine [PM_FAULT ring0]..........................................

   - API tracing:
     Traces through APIs.

   - Thread own SEH emulation:
     Catches SEH hooking, uses own SE handler to emulate all exceptions
     handled by SEH. (int 0,3-6,B-F)

   - Hiding trapflag from eflags:
     Emulates PUSHF, POPF, IRET to hide or reactivate the trapflag.
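   The trap flag hiding described for both tracer engines, as an added
   example that is not GUW32's own code: the single-step handler keeps TF
   set in the real context, while PUSHF shows the victim thread only the TF
   it set itself and POPF/IRET record, but do not apply, the victim's
   attempt to clear it. The struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_TF 0x100u   /* trap flag, bit 8 of EFLAGS */

/* Constructed model of the traced (victim) thread as the single-step
 * handler sees it.  eflags is the context's real EFLAGS, in which the
 * tracer keeps TF set; stack_top is the dword PUSHF writes at [ESP] and
 * POPF/IRET pop from there; victim_tf is the TF bit the victim itself
 * believes it has set. */
typedef struct {
    uint32_t eflags;
    uint32_t stack_top;
    bool     victim_tf;
} trace_ctx;

/* PUSHF: the flags pushed onto the victim's stack must show the victim's
 * own TF, never the tracer's.  Returns the value written to [ESP]. */
uint32_t emulate_pushf(trace_ctx *c)
{
    uint32_t visible = c->eflags & ~EFLAGS_TF;
    if (c->victim_tf)
        visible |= EFLAGS_TF;
    c->stack_top = visible;
    return visible;
}

/* POPF (and the EFLAGS part of IRET): the victim may pop flags with TF
 * cleared to shake off a single-step tracer, or with TF set because it
 * wants to single-step itself.  Record what the victim asked for, but
 * keep the tracer's TF set in the real context.  Returns the new EFLAGS.
 * Delivering a fake single-step exception to the victim's own handler
 * when victim_tf is set is left to the SEH emulation module. */
uint32_t emulate_popf(trace_ctx *c)
{
    c->victim_tf = (c->stack_top & EFLAGS_TF) != 0;
    c->eflags = (c->stack_top & ~EFLAGS_TF) | EFLAGS_TF;
    return c->eflags;
}

int main(void)
{
    trace_ctx c = { 0x346u, 0, false };                  /* IF set, TF set by tracer */
    printf("PUSHF shows %#x\n", emulate_pushf(&c));      /* 0x246: TF hidden */
    c.stack_top = 0x246u;                                /* victim pops TF cleared */
    printf("POPF leaves %#x\n", emulate_popf(&c));       /* 0x346: TF kept */
    return 0;
}
```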

   - Recognizing opcodes:
     Detects any kind of opcodes which hide instructions which must be
     emulated.

   - Thread own stack emulation:
     Currently does not touch the thread's stack at all.

   - Generic OEP seeker:
     Sets BPM on sections and waits for another section to be reached.
     Does some checking for entrypoint faking, but of course this is not
     complete yet.
     TO DO: Include an option which will wait for the user to decide, every
            time a possible OEP has been reached.
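   The section-transition heuristic behind the generic OEP seeker of both
   engines, as an added example that is not GUW32's own code: instead of
   BPMs it is driven once per single step with the new EIP, and reports the
   first time execution lands in an image section other than the one holding
   the packer's entry point. The section table, image layout and function
   names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { const char *name; uint32_t va; uint32_t vsize; } section;

/* Constructed section table of a packed PE (virtual addresses): the packer
 * appended its stub as the last section, as described under
 * "Remove last section". */
static const section SECTIONS[] = {
    { ".text", 0x00401000u, 0x00010000u },
    { ".data", 0x00411000u, 0x00002000u },
    { ".rsrc", 0x00413000u, 0x00001000u },
    { ".pack", 0x00414000u, 0x00003000u },   /* packer stub, entry point here */
};
#define NSECTIONS (sizeof SECTIONS / sizeof SECTIONS[0])

/* Index of the section containing va, or -1 when va is outside the image
 * (e.g. inside an API in kernel32, which the API emulation steps over). */
int section_of(uint32_t va)
{
    for (size_t i = 0; i < NSECTIONS; i++)
        if (va >= SECTIONS[i].va && va < SECTIONS[i].va + SECTIONS[i].vsize)
            return (int)i;
    return -1;
}

typedef struct { int stub_section; uint32_t candidate_oep; } oep_seeker;

void oep_seeker_init(oep_seeker *s, uint32_t entry_point)
{
    s->stub_section  = section_of(entry_point);
    s->candidate_oep = 0;
}

/* Called once per single step with the new EIP.  Returns 1 the first time
 * execution reaches an image section other than the stub's; later steps
 * return 0 and leave candidate_oep as recorded. */
int oep_seeker_step(oep_seeker *s, uint32_t eip)
{
    int sec = section_of(eip);
    if (sec < 0 || sec == s->stub_section || s->candidate_oep != 0)
        return 0;
    s->candidate_oep = eip;
    return 1;
}
```

   This reports the first cross-section transfer only, so a stub that briefly
   calls into the original code before the real OEP (the entrypoint faking the
   engine notes only partially check for) yields a false candidate; that is why
   the TO DO asks for a user prompt on every possible OEP.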


   plans...................................................................

   - Porting the ring0 tracer to a vxd/kdm
   - Fix bugs and write the remaining emulation in the tracer to support all
     cryptors
   - Implementing hardcore realigning or dos-like pattern filling
   - Fix bugs in imprec.dll if there are any (MackT)
   - Add export and reloc reconstruction for dll support
   - Make ring0 tracer able to display current_api and current_eip
   - Support for unpacking DOS EXE/COM (from v86 env.)
   - Including a peeditor
   - VCD/CD/MP3/DIVX player for enjoyment during tracing ;)


   support.................................................................

   If you find a cryptor which causes a GPF or a GUW error box when
   trying to unpack with GUW32, please do the following before emailing me:
   1. check that the cryptor/packer you tried to unpack is not listed in
      support.txt as already tested and known not to work
   2. if the tracer reached the OEP, i.e. an unpacked.exe has been
      successfully created but the file does not run, you should report it
      to MackT@UCF2000.Com, because this is most likely related to imprec.dll
      (if unpacked.exe crashes, you could also disable "Build new idata"
      and try whether it runs this way)

   Otherwise please write a bug report to Christoph@Unpacking.org with
   information where it crashed, what cryptor/packer you tried to unpack
   and where I can download the .exe (or just attach the file to the email).
   Thank you for your help!

   You can also meet us on EFNET:
   Christoph Gabler   nick: CHRiSTOPH, channel: #ug2000
   MackT              nick: MackT, channel: #ucf2000


   coders wanted...........................................................

   I am looking for coders who are willing to finish the GUW32 project,
   because I really don't feel like wasting more time on it any longer. ;)
   


