Back to home page

DOS ain't dead

Forum index page

Log in | Register

Back to the board
Thread view  Mix view  Order
CandyMan

30.03.2023, 19:08
 

CandyMan's Tracer (Announce)

CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows you
to unpack 16-bit exe files. This is a real mode CPU emulator. It can be used
where other tools fail. Thanks to it, I was able to unpack, among others,
HackStop protector.

Before running CT it is recommended to install "emulmode.com" TSR which
emulates vesa video mode.

If the program does not respond for a long time, press the Esc key to
stop the emulation process.

Up to Pentium CPU instructions are emulated.

Download directly from here:

https://drive.google.com/file/d/1RipLglzOBw_SxxmsEJ9ESK7OzhqrqIQg/view?usp=share_link

or search CT.7Z here:

https://drive.google.com/drive/folders/0B_wEiYjzVk...ENENzF1Nms?resourcekey=0-sanKRVNJrVNVW1O50JaurA

Laaca

Homepage

Czech republic,
30.03.2023, 21:37

@ CandyMan

CandyMan's Tracer

Hm, do you have an example of software which can be unpacked only using this way? What is so heavy protexted? Maybe some game, for example?

---
DOS-u-akbar!

CandyMan

30.03.2023, 22:19

@ Laaca

CandyMan's Tracer

> Hm, do you have an example of software which can be unpacked only using
> this way? What is so heavy protexted? Maybe some game, for example?

Today I unpacked HackStop protector.

https://megawrzuta.pl/download/30c3c4bb93fe321651ce1ca7f4c6e3b4.html

rosegondon

C:\DOS,
31.03.2023, 07:07

@ CandyMan

CandyMan's Tracer

> CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows
> you
> to unpack 16-bit exe files. This is a real mode CPU emulator. It can be
> used
> where other tools fail. Thanks to it, I was able to unpack, among others,
> HackStop protector.

Hi,

Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler?

---
echo g=ffff:0|debug>nul

CandyMan

31.03.2023, 13:03

@ rosegondon

CandyMan's Tracer

> Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler?

Yes, below is the link to unpacked Trap 1.26

https://megawrzuta.pl/download/e3ea79fe3a9016d39e567833c1cdf03a.html

I still changed a few things. This is not the final version.

Zyzzle

01.04.2023, 02:57

@ CandyMan

CandyMan's Tracer

Thanks for this new tool. Looks excellent.

Two that I was never able to get unpacked back in the day included Game Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are obviously obfuscated and contain multiple traps and also probably packed multiple times with different schemes.

rosegondon

C:\DOS,
01.04.2023, 09:25

@ Zyzzle

CandyMan's Tracer

> Thanks for this new tool. Looks excellent.
>
> Two that I was never able to get unpacked back in the day included Game
> Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are
> obviously obfuscated and contain multiple traps and also probably packed
> multiple times with different schemes.

I remember that years ago I unpacked TEU executable in few stages, using iceunp and cup386.

Also I vaguely remember EliCZ's EDump was able to unpack TEU file, but I also remember workflow was complicated (it required windows 9x and working in multiple stages).

Those beautiful years of DOS executable (un)protectors... and protectors vs. unprotectors wars ;)

---
echo g=ffff:0|debug>nul

CandyMan

01.04.2023, 17:58

@ CandyMan

CandyMan's Tracer

Today I added displaying changed interrupt vectors like in DarkDebugger (Ctrl-V hotkey) and fixed some bugs.

For now, I will not change the version number, only the date displayed at startup.

CandyMan

02.04.2023, 21:39

@ Zyzzle

CandyMan's Tracer

> Thanks for this new tool. Looks excellent.
>
> Two that I was never able to get unpacked back in the day included Game
> Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are
> obviously obfuscated and contain multiple traps and also probably packed
> multiple times with different schemes.

I managed to unpack also TEU v1.82 (link below) but only with Dark Debugger because it's too complicated for CT. :-(

https://megawrzuta.pl/download/c96ea81e1d7b579df75260ff5d6e882d.html

CandyMan

02.04.2023, 21:39

@ CandyMan

CandyMan's Tracer

> > Thanks for this new tool. Looks excellent.
> >
> > Two that I was never able to get unpacked back in the day included Game
> > Wizard 3.0a GW.EXE and TEU v 1.82 exe file decompressor. Those are
> > obviously obfuscated and contain multiple traps and also probably packed
> > multiple times with different schemes.
>
> I managed to unpack also TEU v1.82 (link below) but only with Dark Debugger
> because it's too complicated for CT. :-(
>
> https://megawrzuta.pl/download/c96ea81e1d7b579df75260ff5d6e882d.html

rosegondon

C:\DOS,
03.04.2023, 09:19

@ CandyMan

CandyMan's Tracer

> > Will it unpack EXEs protected by famous Trap 1.26 by Christoph Gabler?
>
> Yes, below is the link to unpacked Trap 1.26
>
> https://megawrzuta.pl/download/e3ea79fe3a9016d39e567833c1cdf03a.html
>

This is seriously impressive. Trap was one of the best DOS executable protectors back in a day. I will spread the word about CT. Keep the good work!

---
echo g=ffff:0|debug>nul

Zyzzle

05.04.2023, 08:34

@ CandyMan

CandyMan's Tracer

> > I managed to unpack also TEU v1.82 (link below) but only with Dark
> Debugger
> > because it's too complicated for CT. :-(
> >
> > https://megawrzuta.pl/download/c96ea81e1d7b579df75260ff5d6e882d.html
Very impressive work on getting these unpacked. This is quite magical. Your skills are unequalled. Unpacking complicated and obfuscated packers obviously requres a lot of work, and isn't possible to automate.

CandyMan

05.04.2023, 09:25

@ Zyzzle

CandyMan's Tracer

> Very impressive work on getting these unpacked. This is quite magical. Your
> skills are unequalled. Unpacking complicated and obfuscated packers
> obviously requres a lot of work, and isn't possible to automate.

The hardest part is finding the program's original entry point. The second time it will be the same place but shifted (segment) by 4096/16 and the offset will be the same. You can track interrupts (usually int 0..5) and find when the old values are restored. It is especially difficult to unpack programs like (HackStop) which are written in such a way that their code after unpacking contains many jumps and looks like it is still coded.
Like any tool, mine can be bypassed, but I won't tell you how.

rosegondon

C:\DOS,
06.04.2023, 07:08

@ CandyMan

CandyMan's Tracer

> CandyMan's Tracer (CT) is another tool (after Dark Debugger DD) that allows
> you
> to unpack 16-bit exe files. This is a real mode CPU emulator. It can be
> used
> where other tools fail.

Can you add scripting support as in TR (Super Tracer) by LiuTatoTao ?
(available, for example, at https://www.sac.sk/files.php?d=17&l=T )

---
echo g=ffff:0|debug>nul

CandyMan

06.04.2023, 10:24

@ rosegondon

CandyMan's Tracer

> Can you add scripting support as in TR (Super Tracer) by LiuTatoTao ?

Unfortunately, probably not, all the work has to be done by hand. Although in the future maybe...

CandyMan

16.07.2023, 21:11

@ CandyMan

CandyMan's Tracer

Here is unpacked new HackStop v1.30 (for 8086 & 80386 CPU)

https://megawrzuta.pl/download/23fd6e19294fa76cfda4a95939160b10.html

Back to the board
Thread view  Mix view  Order
22049 Postings in 2034 Threads, 396 registered users, 205 users online (0 registered, 205 guests)
DOS ain't dead | Admin contact
RSS Feed
powered by my little forum