
Does anybody know an unpacker/decryptor that can unpack Stone's PE Encrypter v2.0? I found one but it was for a previous version, not version 2.0. IDA's universal unpacker seems to hang when trying to unpack this. "waiting for unpacker to finish" forever. Thank you.

the_endian
savram

1 Answer

Depending on what you're looking to accomplish, you have a handful of options:

  1. Use RL!dePacker 1.5, which supports unpacking Stone's PE Encryptor 2.0. The technology at the core of this unpacker, TitanEngine, has been immensely improved since its implementation back then, and is available as open source via ReversingLabs. Official video tutorial from RL can be viewed here.

  2. FUU utilizes TitanEngine and has signatures for multiple versions of Stone's PE Encryptor, including v2.0.

  3. Use The aPE, which allows for patching of supported packed binaries, Stone's PE Encryptor v2.0 being one of the supported packers.

  4. A code search on GitHub for "PE Encryptor v2.0" yields additional results you may want to sift through in case any of the solutions above don't pan out.

dsasmblr
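The tools in the answer decide whether a file is packed largely from static layout features. As an added example (not code from the answer, from any of the tools named, or from the asker), the script below parses PE section headers by hand and applies three generic heuristics: an executable section with no raw data (a typical unpack destination), a section whose byte entropy is near 8 bits per byte (compressed or encrypted payload), and an entry point that sits in a writable high-entropy section (a decryption stub). The two sample images are constructed inline with a helper that writes just enough of a PE32 header to parse; they are not runnable programs, and the ".stone" section name is invented for the sample, not a signature of Stone's PE Encryptor. The 7.0 threshold is an assumption, not a value taken from any named tool.

```python
"""Static triage of a PE image for packer-like layout (added example)."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits per byte; assumed threshold, compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    first_section = opt + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first_section + i * 40)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "chars": chars, "entropy": shannon_entropy(raw),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Flag layout features typical of packed binaries and return a verdict dict."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_sec = [], None
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            entry_sec = s
        if s["rawsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: executable with no raw data (unpack destination?)")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed/encrypted?)")
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    elif entry_sec["chars"] & IMAGE_SCN_MEM_WRITE and entry_sec["entropy"] >= HIGH_ENTROPY:
        findings.append(f"entry point in writable high-entropy section {entry_sec['name']} (stub?)")
    return {
        "entry_section": entry_sec["name"] if entry_sec else None,
        "findings": findings,
        "likely_packed": bool(findings),
    }


def build_pe(sections, entry_rva: int) -> bytes:
    """Build a minimal, non-runnable PE32 image for testing (constructed sample, not a real binary)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF  # file-align raw data to 512 bytes
    hdrs, bodies = [], b""
    for name, vaddr, vsize, data, chars in sections:
        ptr = raw_base + len(bodies) if data else 0
        hdrs.append(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), ptr, 0, 0, 0, 0, chars))
        bodies += data
    # Magic, linker versions, three size fields, then AddressOfEntryPoint at offset 16
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    image = dos + b"PE\0\0" + coff + opt + b"".join(hdrs)
    return image.ljust(raw_base, b"\0") + bodies


RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x20
RX = IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20
RW = IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x40

# Packer-like layout: empty RWX .text filled at run time, entry in a dense stub (".stone" is invented).
PACKED_SAMPLE = build_pe([
    (b".text", 0x1000, 0x1000, b"", RWX),
    (b".stone", 0x2000, 0x400, bytes(range(256)) * 4, RWX),
], entry_rva=0x2000)

# Ordinary layout: entry in a low-entropy .text, data in a read/write .data.
CLEAN_SAMPLE = build_pe([
    (b".text", 0x1000, 0x400, b"\x55\x89\xe5\x90" * 256, RX),
    (b".data", 0x2000, 0x100, b"hello\0" * 40, RW),
], entry_rva=0x1000)

if __name__ == "__main__":
    for label, image in (("packed-like", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(image))
```

Run it on a real file with `triage(open(path, "rb").read())`. A hit on any heuristic is a reason to look closer, not proof of packing: .NET and UPX-style layouts trigger different subsets, and a packer can defeat the entropy check by storing its payload in a low-entropy encoding.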
  • Are you sure this "RL!dePacker 1.5" is virus free? My AV is going nuts with it. – savram Dec 18 '17 at 16:08
  • 2
    Mine did as well. Virus Total shows more positives than negatives: (https://www.virustotal.com/#/url/dca3fde4df8b92b170d99f604707bdb54c400f09ddc246279c3ce89b93eb6401/detection), but if you're weary, just run it and your target within a VM or use something like Sandboxie: https://www.sandboxie.com/ – dsasmblr Dec 18 '17 at 16:12
  • I used RDG Packer Detector v0.7.6.2017 to determine that the PE is packed with Stone's PE Encrypter, but oddly FUU doesn't seem to recognize that, and RL!dePacker just seems to freeze. They don't seem able to find the OEP. – savram Dec 18 '17 at 17:22
  • Try using Exeinfo PE to see what it thinks it's packed with: http://exeinfo.atwebpages.com/ – dsasmblr Dec 18 '17 at 17:57
  • And for more binary opinions, try Hex-Rays' tool, Extensive File Dumper (https://www.hex-rays.com/products/decompiler/support.shtml), as well as the tool "Detect It Easy": http://ntinfo.biz/index.html. What kind of file are you dealing with, anyway? – dsasmblr Dec 18 '17 at 18:09
  • Weird. Detect It Easy has Stone's signature but all it tells me is the compiler. I'm going to investigate further. – savram Dec 18 '17 at 20:24
  • This is what I found with DIE: Adler CRC32, Adler CRC32, Adler CRC32, CRC-16-IBM poly, CRC-32-IEEE 802.3 poly, CRC-32-IEEE 802.3 poly, libavutil ff_log2_tab, ACSS reverse sbox, SSH RSA id-sha1 OBJ.ID. oiw(14) secsig(3) algorithms(2) 26, Zlib dist_code, Zlib length_code, Zlib base_length, Zlib base_dist, Jpeg dct AA&N scale factor (flt64), FFT and FHT routines rv_tbl, Generic bitmask table, zinflate_lengthStarts, zinflate_lengthExtraBits, zinflate_distanceStarts, zinflate_distanceExtraBits, anti-debug: IsDebuggerPresent, bitmask, unlzx table_three, DMC compression, – savram Dec 18 '17 at 20:36
  • 1
    @savram, any chances that you'd share the binary with us? We may be able to help – Megabeets Dec 19 '17 at 06:49
  • Ah... well. I'm just a hobbyist. I didn't want to focus on unpacking, I wanted it already unpacked so I could use https://retdec.com/ to study the PE. But damn, it seems this won't be possible. I guess I'll take the opportunity to learn how to unpack things manually. Hopefully I'll manage. I can't share the binary, that's illegal. I've tried all tools presented here, if anyone knows more I'm all ears. Thanks guys. – savram Dec 19 '17 at 15:57
  • TitanEngine has not been (publicly) updated by ReversingLabs since 2010 and I have found it to be rather unstable... – mrexodia Dec 25 '17 at 01:35