CandyMan
30.03.2023, 19:08 |
CandyMan's Tracer (Announce) |
CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows you
to unpack 16-bit exe files. This is a real mode CPU emulator. It can be used
where other tools fail. Thanks to it, I was able to unpack, among others,
HackStop protector.
Before running CT it is recommended to install "emulmode.com" TSR which
emulates VESA video mode.
If the program does not respond for a long time, press the Esc key to
stop the emulation process.
Up to Pentium CPU instructions are emulated.
Download directly from here:
https://drive.google.com/file/d/1RipLglzOBw_SxxmsEJ9ESK7OzhqrqIQg/view?usp=share_link
or search CT.7Z here:
https://drive.google.com/drive/folders/0B_wEiYjzVk...ENENzF1Nms?resourcekey=0-sanKRVNJrVNVW1O50JaurA |
Laaca
Czech republic, 30.03.2023, 21:37
@ CandyMan
|
CandyMan's Tracer |
Hm, do you have an example of software which can be unpacked only using this way? What is so heavily protected? Maybe some game, for example? --- DOS-u-akbar! |
CandyMan
30.03.2023, 22:19
@ Laaca
|
CandyMan's Tracer |
> Hm, do you have an example of software which can be unpacked only using
> this way? What is so heavily protected? Maybe some game, for example?
Today I unpacked HackStop protector.
https://megawrzuta.pl/download/30c3c4bb93fe321651ce1ca7f4c6e3b4.html |
rosegondon
C:\DOS, 31.03.2023, 07:07
@ CandyMan
|
CandyMan's Tracer |
> CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows
> you to unpack 16-bit exe files. This is a real mode CPU emulator. It can be
> used where other tools fail. Thanks to it, I was able to unpack, among others,
> HackStop protector.
Hi,
Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler? --- echo g=ffff:0|debug>nul |
CandyMan
31.03.2023, 13:03
@ rosegondon
|
CandyMan's Tracer |
> Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler?
Yes, below is the link to unpacked Trap 1.26
https://megawrzuta.pl/download/e3ea79fe3a9016d39e567833c1cdf03a.html
I still changed a few things. This is not the final version. |
Zyzzle
01.04.2023, 02:57
@ CandyMan
|
CandyMan's Tracer |
Thanks for this new tool. Looks excellent.
Two that I was never able to get unpacked back in the day included Game Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are obviously obfuscated and contain multiple traps and also probably packed multiple times with different schemes. |
rosegondon
C:\DOS, 01.04.2023, 09:25
@ Zyzzle
|
CandyMan's Tracer |
> Thanks for this new tool. Looks excellent.
>
> Two that I was never able to get unpacked back in the day included Game
> Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are
> obviously obfuscated and contain multiple traps and also probably packed
> multiple times with different schemes.
I remember that years ago I unpacked the TEU executable in a few stages, using iceunp and cup386.
Also I vaguely remember EliCZ's EDump was able to unpack the TEU file, but I also remember the workflow was complicated (it required Windows 9x and working in multiple stages).
Those beautiful years of DOS executable (un)protectors... and protectors vs. unprotectors wars ;) --- echo g=ffff:0|debug>nul |
CandyMan
01.04.2023, 17:58
@ CandyMan
|
CandyMan's Tracer |
Today I added displaying changed interrupt vectors like in DarkDebugger (Ctrl-V hotkey) and fixed some bugs.
For now, I will not change the version number, only the date displayed at startup. |
CandyMan
02.04.2023, 21:39
@ Zyzzle
|
CandyMan's Tracer |
> Thanks for this new tool. Looks excellent.
>
> Two that I was never able to get unpacked back in the day included Game
> Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are
> obviously obfuscated and contain multiple traps and also probably packed
> multiple times with different schemes.
I managed to unpack also TEU v1.82 (link below) but only with Dark Debugger because it's too complicated for CT.
https://megawrzuta.pl/download/c96ea81e1d7b579df75260ff5d6e882d.html |
rosegondon
C:\DOS, 03.04.2023, 09:19
@ CandyMan
|
CandyMan's Tracer |
> > Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler?
>
> Yes, below is the link to unpacked Trap 1.26
>
> https://megawrzuta.pl/download/e3ea79fe3a9016d39e567833c1cdf03a.html
>
This is seriously impressive. Trap was one of the best DOS executable protectors back in the day. I will spread the word about CT. Keep up the good work! --- echo g=ffff:0|debug>nul |
Zyzzle
05.04.2023, 08:34
@ CandyMan
|
CandyMan's Tracer |
> > I managed to unpack also TEU v1.82 (link below) but only with Dark Debugger
> > because it's too complicated for CT.
> >
> > https://megawrzuta.pl/download/c96ea81e1d7b579df75260ff5d6e882d.html
Very impressive work on getting these unpacked. This is quite magical. Your skills are unequalled. Unpacking complicated and obfuscated packers obviously requires a lot of work, and isn't possible to automate. |
CandyMan
05.04.2023, 09:25
@ Zyzzle
|
CandyMan's Tracer |
> Very impressive work on getting these unpacked. This is quite magical. Your
> skills are unequalled. Unpacking complicated and obfuscated packers
> obviously requires a lot of work, and isn't possible to automate.
The hardest part is finding the program's original entry point. The second time it will be the same place but shifted (segment) by 4096/16 and the offset will be the same. You can track interrupts (usually int 0..5) and find when the old values are restored. It is especially difficult to unpack programs (like HackStop) which are written in such a way that their code after unpacking contains many jumps and looks like it is still coded.
Like any tool, mine can be bypassed, but I won't tell you how. |
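The two heuristics from the post above, sketched as an added example that is not part of the thread and is not CT or Dark Debugger code. It assumes that "the second time" means a second run loaded 4096/16 = 0x100 paragraphs higher; the trace format, function names and sample values are constructed for illustration.

```python
# Added example: trace format, names and sample data are constructed,
# not output of CT or Dark Debugger.
from typing import NamedTuple

WATCHED = range(6)        # int 0..5, the vectors named in the post
SEG_SHIFT = 4096 // 16    # 0x100 paragraphs between the two loads (assumption)

class Step(NamedTuple):
    cs: int
    ip: int
    ivt: tuple            # (segment, offset) far pointers for vectors 0..5

def restore_point(trace):
    """Index of the first step where vectors 0..5 hold their initial
    values again after having been changed; None if that never happens."""
    original, hooked = trace[0].ivt, False
    for i, step in enumerate(trace):
        if step.ivt != original:
            hooked = True
        elif hooked:
            return i
    return None

def oep_candidate(run_a, run_b):
    """Return (cs, ip) from run_a when both runs agree: same offset and
    segments exactly SEG_SHIFT apart at the restore point. Otherwise None."""
    ia, ib = restore_point(run_a), restore_point(run_b)
    if ia is None or ib is None:
        return None
    a, b = run_a[ia], run_b[ib]
    if a.ip == b.ip and b.cs - a.cs == SEG_SHIFT:
        return (a.cs, a.ip)
    return None

ORIG = tuple((0x0070, 0x0100 + 4 * n) for n in WATCHED)  # constructed vectors

def make_run(load_seg):
    """Constructed trace: the stub hooks int 0, then restores it on exit."""
    stub = load_seg + 0x200
    hooked = ((stub, 0x0010),) + ORIG[1:]
    return [
        Step(stub, 0x0000, ORIG),
        Step(stub, 0x0042, hooked),
        Step(stub, 0x0137, hooked),
        Step(load_seg + 0x10, 0x0000, ORIG),  # vectors back, unpacked image runs
    ]

RUN_A = make_run(0x1000)
RUN_B = make_run(0x1000 + SEG_SHIFT)
```

The restore point only marks where to start looking; the address it yields still has to be confirmed by hand, as the post says.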
rosegondon
C:\DOS, 06.04.2023, 07:08
@ CandyMan
|
CandyMan's Tracer |
> CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows
> you to unpack 16-bit exe files. This is a real mode CPU emulator. It can be
> used where other tools fail.
Can you add scripting support as in TR (Super Tracer) by LiuTatoTao ?
(available, for example, at https://www.sac.sk/files.php?d=17&l=T ) --- echo g=ffff:0|debug>nul |
CandyMan
06.04.2023, 10:24
@ rosegondon
|
CandyMan's Tracer |
> Can you add scripting support as in TR (Super Tracer) by LiuTatoTao ?
Unfortunately, probably not, all the work has to be done by hand. Although in the future maybe... |
CandyMan
16.07.2023, 21:11
@ CandyMan
|
CandyMan's Tracer |
Here is unpacked new HackStop v1.30 (for 8086 & 80386 CPU)
https://megawrzuta.pl/download/23fd6e19294fa76cfda4a95939160b10.html |