Leaderboard

/* Undefine this to disable thread support. */ //#define WEBP_USE_THREAD 1I commented this out and recompiled it. hope this helps libwebp.zip

Hi @LCF-AT F-AT and @fearless , I did some more digging on those SRW lock errors. The real problem is that fearless's libWebP.lib was compiled with modern MSVC which links threading support against Synchronization APIs — and the old Masm32 kernel32.lib simply doesn't have those __imp__ decorated exports. The cleanest fix without rebuilding the lib: Copy the kernel32.lib from your Windows SDK directly into your project folder: C:\Program Files (x86)\Windows Kits\10\Lib\10.x.x\um\x86\kernel32.libAdd it explicitly in your link command before the Masm32 one, so it takes priority: LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"C:\YourProject\SDKLibs" /LIBPATH:"C:\_First\RadASM\Masm32\Lib"The order matters — the linker searches paths left to right. For the uuid.lib LNK4003 warning: same story, the Masm32 version is old OMF format. Grab the COFF version from the same SDK \um\x86\ folder. Even cleaner — @fearless: if you still have the WebP CMake build around, could you rebuild with -DWEBP_USE_THREAD=OFF? That strips out the SRW/ConditionVariable dependencies entirely since LCF-AT is just doing single-threaded image loading anyway. The lib would be smaller and have zero CRT or threading baggage. Price h_h

No easy way. Some ways to obtain libs and or build them are: nuget: https://www.nuget.org - search for packages, select and choose download package on right side. .nupkg files are just zip archives, so rename .nupkg file and add a .zip to the extension and extract with Winzip, Winrar or 7zip. For example: https://www.nuget.org/packages/zlib_static vcpkg: https://www.studyplan.dev/pro-cpp/vcpkg-windows, https://github.com/microsoft/vcpkg. Once installed you can install packages via the command line, for example: vcpkg install zlib --triplet x86-windows-static. Note: If you don't have a x86-windows-static.cmake file in the triplets folder you can easily create one with notepad: set(VCPKG_TARGET_ARCHITECTURE x86) set(VCPKG_CRT_LINKAGE static) set(VCPKG_LIBRARY_LINKAGE static)cmake: https://cmake.org/download/ - third party and open source libraries on Github that support Cmake and have a CMakeLists.txt file. Cmake can build the visual studio solution (.sln) for x86 or x64. Once the solution is built you can compile the library with visual studio. Most of the solutions will only give you libraries that are compiled with cdecl prototypes, (PROTO C in masm etc), which makes it harder to use with lib2inc.exe for example as you will only be given :VARARG instead of defined parameters. That may be enough to use the library though. Also libraries compiled as for standard visual studio usage, along with the functions being exported/defined as cdecl, will also require additional visual c libraries to handle extra things like security cookies, exception handling and other stuff, which make linking with the library in asm a lot more awkward. I prefer if possible to compile libraries with stdcall (PROTO STDCALL in masm etc or just PROTO as the default is assumed as STDCALL), which means its easier to create definition files for RasASM/WInASM (masmApiCall.api or masmApiCall.vaa files) However its not just a case of changing the calling convention to stdcall (Solution right click->properties->Configuration Properties->C/C++->Advanced->Calling Convention: __stdcall (/Gz)) as some properties need changing and/or manual fixing up may be required: adjusting defines, changing some functions that cant be configured as __stdcall, disabling exception handling, disabling security check and changing runtime library to /MT instead of /MD : Solution right click->properties->Configuration Properties->C/C++->Enable C++ Exceptions: No Solution right click->properties->Configuration Properties->C/C++->Runtime Library: /MT Solution right click->properties->Configuration Properties->C/C++->Security Check: Disable Security Check (/GS-) There are other settings in a project that may need changing as well, like disabling Whole Program Optimization etc Once compiled, then you need to test that the library works in masm/uasm.

Its been ages since I wrote that bitmap control. Couldnt even remember it, had to go look up the source. Compiled libwebp.lib with standard call. Created the include file, and some definition files for WinASM and RadASM. Example RadASM project included. Loads a webp image that is stored as a resource. The bitmap control thing made the image a bit funny with the StretchBlt so i took out all that stuff and just sent the hBitmap to a SS_BITMAP static control instead using STM_SETIMAGE message. Probably best to use a static SS_BITMAP control or see if there is some other bitmap control as that one is old and probably could do with rewrite or fixing. Edit: Actually I realized that I had created a static control and also used the bitmap create control and thus is was clipped behind the static control, so I thought it wasn't working properly, and was only showing a small part of it, when the static control was covering the other control. So should be fine to use that control library if you wanted. libWebPTest.zip

You Chinese are showing off again. Hurry up and upload the patch

Hey guys. thanks again for your help so far. The good news first its working NOW using the latest new libweb from you @fearless. The bad news is, I don't know why because, I got again that error.. LIBCMT.lib(_chkstk_.obj) : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86'..about x64 with x86. I made a new sample project just to put the lib with some functions calls into to see whether it works and at some point it did compile it but I really didn't changed anything what makes it so strange. In my big main code project I got same error again and then I just places the.. include libwebp.inc includelib libwebp.lib...somewhere higher and then it work to compile the project = Then I tried to place the both entry's back at the lower place and it worked too then. Super strange. So could it be that there is any reading syntax problem or something? Doing some new copy / paste did maybe fix that problem. I don't know, its again one of those super awkward issues you'll never get or find any logical answer for. (Used WinASM, still)! I don't have Windows SDK etc. As I said, I didn't code for longer while and just had to update some codes etc. By the way, I also tried to create a static lib of that dll or any others using Dll2Lib tool but even with the created libs from there it didn't work and also forgot how to use it right to get it work even I used it years ago pretty often. Damn! Is there now some easier way to make static libs etc? I mean without to install all those VC HUGE package tools I don't need etc. Just a tool, load dll, make the static lib, use it etc. Let me know if so. Thanks again guys. greetz

Hi again, @fearless could it be that you create that lib with specific linker options to include those specific other libs? I tried to load your example project in RadASM and compiled there but I get errors about missing libs... ucrt.lib Uuid.Lib vcruntime.lib oldnames.lib libcmt.lib....I put them into lib folder and get this error now... libWebP.lib(vp8l_dec.obj) : warning LNK4044: unrecognized option "alternatename:___isa_available=___isa_available_default"; ignored libWebP.lib(yuv.obj) : warning LNK4044: unrecognized option "alternatename:___isa_available=___isa_available_default"; ignored libWebP.lib(lossless.obj) : warning LNK4044: unrecognized option "alternatename:___isa_available=___isa_available_default"; ignored C:\_First\RadASM\Masm32\Lib\uuid.lib : warning LNK4003: invalid library format; library ignored C:\_First\RadASM\Masm32\Lib\uuid.lib : warning LNK4003: invalid library format; library ignored libWebP.lib(upsampling.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(rescaler.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(alpha_processing.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(lossless.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(filters.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(vp8_dec.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(dec.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(yuv.obj) : error LNK2001: unresolved external symbol __imp__ReleaseSRWLockExclusive@4 libWebP.lib(upsampling.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(rescaler.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(alpha_processing.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(lossless.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(filters.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(vp8_dec.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(dec.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(yuv.obj) : error LNK2001: unresolved external symbol __imp__AcquireSRWLockExclusive@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__InitializeSRWLock@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__InitializeConditionVariable@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__WakeConditionVariable@4 libWebP.lib(thread_utils.obj) : error LNK2001: unresolved external symbol __imp__SleepConditionVariableSRW@16 libWebPTest.exe : fatal error LNK1120: 6 unresolved externals...any ideas how to fix that or could you maybe rebuild that lib somehow else / clean etc? Thanks. @Price Not sure about that, could also just some AntiDump issue the script maybe didn't find / fix it because manually changes etc. As I said, I'm out of to check TM WL stuff for long time. Hope you get some help by other member to handle your target problems. greetz

The reason hBitmap is returning 0 is because GdipCreateBitmapFromScan0 doesn't return a Windows handle—it returns a GdiPlus Object Pointer. To make it work with a standard control, you need a "bridge" to convert that object into a real HBITMAP. Here is the corrected flow for your code: The "Stride" (edx) The imul edx, 4 is mandatory. It tells GDI+ that each row of pixels is Width * 4 bytes long (32-bit BGRA). If this value is 0 or incorrect, the function will fail with error 2 in EAX. The conversion Bridge, You need to call GdipCreateHBITMAPFromBitmap to get a handle that BitmapControlSetBitmap can actually understand. ; 1. Create the GDI+ Object from raw WebP pixels invoke GdipCreateBitmapFromScan0, imgW, imgH, edx, PixelFormat32bppARGB, pPixels, addr pGdiObj .if eax == 0 ; Check if GDI+ returned 'Ok' ; 2. Convert GDI+ Object -> Standard Windows HBITMAP invoke GdipCreateHBITMAPFromBitmap, pGdiObj, addr hBitmap, 0 ; 3. Use the hBitmap (now it won't be 0!) invoke BitmapControlSetBitmap, hBMC, hBitmap, TRUE ; 4. Clean up the GDI+ object (the hBitmap stays valid) invoke GdipDisposeImage, pGdiObj .else ; If EAX is 1: GDI+ is not initialized ; If EAX is 2: Invalid Parameter (check imgW/imgH/Stride) .endif ; 5. Don't forget to free the WebP DLL buffer push pPixels call [_WebPFree] Make sure your lib calls GdiplusStartup before this.Double check that PixelFormat32bppARGB is defined as 0026200Ah.Always check EAX right after the call to see the specific error code. Price h_h

Hi! Yes, you've got the right API. In MASM, you should use WebPDecodeBGRA instead of WebPDecodeRGBA because Windows GDI/GDI+ uses the BGRA (Blue-Green-Red-Alpha) byte order.Here is the minimal setup for your code: The Prototype (Include this in your .inc): externdef WebPDecodeBGRA : proto :ptr byte, :size_t, :ptr dword, :ptr dword externdef WebPFree : proto :ptr byte The Logic: You cannot call BitmapFromMemory after decoding, because BitmapFromMemory expects a compressed file format (JPG/PNG). Since WebPDecodeBGRA returns raw pixels, you need to create the Bitmap object directly from those pixels. Example Flow: .data imgW dd 0 imgH dd 0 pPixels dd 0 .code ; 1. Get raw pixels from WebP memory buffer invoke WebPDecodeBGRA, pMemoryBuffer, BufferSize, addr imgW, addr imgH mov pPixels, eax .if eax != 0 ; 2. Create the GDI+ Bitmap from raw pixels (32bpp BGRA) ; Since you use Fearless's lib, check if he has a "BitmapFromRaw" ; or use GdipCreateBitmapFromScan0 directly: mov edx, imgW imul edx, 4 ; Stride = Width * 4 invoke GdipCreateBitmapFromScan0, imgW, imgH, edx, PixelFormat32bppARGB, pPixels, addr hBitmap ; 3. Use your BitmapControl functions with the new hBitmap invoke BitmapControlSetBitmap, hControl, hBitmap ; 4. Cleanup the buffer allocated by the DLL invoke WebPFree, pPixels .endif Note on DLLs: You only need libsharpyuv.dll if you are encoding. For decoding only, libwebp.dll is usually enough if it was compiled with static dependencies.I'll try to pack the .inc and .lib for you in my next post if you still need the pre-made files! Price h_h

Hi LCF_AT The issue is that BitmapFromMemory relies on GDI+, which doesn't natively support WebP. To fix this in MASM:Use libwebp.dll: It's the simplest way. Call WebPDecodeBGRA to get raw pixels from your memory buffer.Convert to HBITMAP: Once you have the raw BGRA pixels, use CreateBitmap or CreateDIBSection to make it compatible with Fearless's lib.WIC: Alternatively, use Windows Imaging Component (COM), but it's a headache in ASM.Quick logic: WebP Data -> WebPDecodeBGRA -> Raw Pixels -> CreateDIBSection -> Success!If you need the .inc prototypes for libwebp, let me know. Price h_h

I found the way I have define that struct in MASM64: MODULEINFO STRUCT lpBaseOfDll DQ ? ; Base address of module SizeOfImage DQ ? ; Size of the module in bytes EntryPoint DQ ? ; Entry point of the module MODULEINFO ENDS GetModuleInformation return proper value.

Hi guy's, I did notice that I can't use the BitmapFromMemory function when having a webp image in memory. Does anyone know whether there is an update function which can also deal with that format? Otherwise, how can I convert the image webp data in memory into an bitmap or other format the BitmapFromMemory can work with? I'm using the BitmapControl lib from fearless. PS: MASM greetz

prob need to change to include the PROTO C definition for functions: uncompress2 PROTO C :DWORD,:DWORD,:DWORD,:DWORDdll2lib is not the best way to accomplish this, as you are including the whole dll, all functions regardless of what you might want to use. Best way would be to download a static library and define the inc file using PROTO C, but that assumes you know what the parameters are - sometimes they are defined in docs, readmes, api's or headers. The ultimate way IMHO is to compile and selectively choose stdcall and strip out the stuff not needed for masm etc, as outlined in previous post.

Hi @fearless, thanks for all those info's but its really too complex. Lets say I have / find some lib on internet or download it from that website you did mention nuget like that zlib static. Now I put it in my project.. includelib zlib.lib...create a function proto.. uncompress2 PROTO :DWORD,:DWORD,:DWORD,:DWORD...and a function of it in source... invoke uncompress2,0,0,0,0...and I get... error LNK2019: unresolved external symbol _uncompress2@16 referenced in function _$$$00001@0 ...\WinAsm\testingonly\onlytest.exe : fatal error LNK1120: 1 unresolved externals....why? I know in the past I creates static libs using the dll2lib tool..https://binary-soft.com/index.htm but I forgot how it works or how to make the function work using that lib then. Just forgot it and I also get those linker errors. The only thing I can do is using the direct dll files to load them but its not so nice way and I would prefer doing some static libs instead. So my goal is it just to create a static lib of any dll I need to use few functions XY. I create the lib using dll2lib etc but always get some errors. greetz

Hi @fearless s and @LCF-AT , @fearless: Thanks for checking the headers. Since your lib is definitely x86, the issue is probably on my end—I likely messed up my MASM32 folder by overwriting msvcrt.lib with a version that’s causing that x64 conflict. I’ll try to restore my original libs and use your /RELEASE string to see if it bypasses the error. @LCF-AT: Thanks a ton for looking at my target! It’s been driving me nuts. Since you've checked the file, do you think I should focus on tracing the specific hardware calls for emulation, or is it better to aim for a full unpack/OEP dump? I'm a bit rusty but ready to dig into any "hotspot" you might have found. Price h_h

The library was compiled for x86. You probably are using older visual c libs. Make sure you have the latest all in one Visual C++ Redistributable: https://www.techpowerup.com/download/visual-c-redistributable-runtime-package-all-in-one/ and also the Windows Universal C Runtime (CRT) : https://www.microsoft.com/en-us/download/details.aspx?id=50410 I took the libs from Visual Studio 2022 or Visual Studio Build Tools 2019 Backup any existing libs before overwriting them in case you need the old ones for older code. I uploaded both versions - Im using the 2019 ones from what I remember, but just in case i uploaded the 2022 one. Make sure you are using a more modern linker, rc etc - not the older one that comes with masm32 sdk. MSVC_(2019)_14.29.30133_lib_onecore_x86.zip - https://e.pcloud.link/publink/show?code=XZ9JuGZbdHRaD1XA2jBbtxh5J6d1jN1aTYy MSVC_(2022)_14.44.35207_lib_onecore_x86.zip - https://e.pcloud.link/publink/show?code=XZKJuGZBCQjAH8UovSBI6JMQumC7Jb5umx7

Hi! That LNK1112 error is a classic: you are trying to link a 64-bit library into a 32-bit (x86) project. If the .lib file Fearless sent you was compiled for x64, it will never work in your x86 environment. You need the x86 version of the library. How to fix it: Check the Lib: Ask Fearless if he has the 32-bit (x86) version of his library and libwebp.lib. Linker Settings: Ensure your build script has /MACHINE:X86 and isn't pointing to any x64 or amd64 folders in your SDK/VC paths. The _chkstk error: This usually happens because the library was built with a C compiler (Visual Studio) and expects the C Runtime (LIBCMT). If you want to bypass it in pure ASM, you can add a dummy stub: public __chkstk __chkstk: ret It's a pain when simple image handling turns into a battle of architectures, especially with all the "modern" restrictions piling up. Another: I’m hitting a brick wall with the target from your topic and the dongle protection is driving me crazy.Would you be open to helping me one more time to achieve a 100% clean unpack or a way to emulate it? Your expertise would mean the world to me.😚😚🤭 Price h_h

Hey guys, thank you very much for the new input and also the lib inc files with a text example @fearless. So I tested it first manually as you said @Price and it did work correctly now to get the image data displayed on static control. Even I really forgot to add the startup GDI function. So the test did work now so far. Now I tried to test your lib file / functions fearless but I get some error about the module type.. /SUBSYSTEM:WINDOWS /DEBUG /DEBUGTYPE:CV /VERSION:4.0 /INCREMENTAL:NO /DYNAMICBASE:NO ... LIBCMT.lib(_chkstk_.obj) : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86'...so is that lib only for x64? So you know I'm still just using x86. Or is it anything else? How to fix that? PS: Just can admit the statement on the image. One guy ruins everything and fornications up in its own dimension. But even the leaders in the UK got totally inside already by building walls of restrictions following Idiots ideas. Such a damn stupid nonsense what's going on these days. greetz

ldc.i4.s Mode 0 or 16 ldloc.s pass ldc.i8 salt StartHomomorphic Can you explain the difference between mode 0 and mode 16?

Ok thanks, so I tried this but does not work yet. I don't get any hBitmap value back just 0 at this address. I have this code... Invoke BitmapControlCreate, IMAGESTATIC_HANDLE, 00, 00, 450, 253, IDC_IMAGESTATIC mov hBMC, eax invoke BitmapControlGetBitmap, hBMC push offset imgH push offset imgW push filesize_image push section_bak call [_WebPDecodeBGRA] mov pPixels, eax mov edx, imgW imul edx, 4 ; <--- for whats that good for? invoke GdipCreateBitmapFromScan0, imgW, imgH, edx, PixelFormat32bppARGB, pPixels, addr hBitmap mov eax, hBitmap ; <--- 0 Invoke BitmapControlSetBitmap, hBMC, eax, TRUE...pretty harsh code now but just for testing. Any clue? I'm pretty rusty and can't remember anymore so much even forget some basic API's already. There is no BitmapFromRaw function. greetz

hekliet keygemne #1 Not much to say there. Valid solution is a keygen that produces a valid key for any given name. Binaries for Linux and Windows are provided. Plain C, no symbols stripped, compiled with -O0, so should be fairly easy to follow. Difficulty is medium. Or perhaps easy for someone with some math knowledge. Here are some valid keys: Name: hekliet Key: 3fec806bc9ce82d4c00ee01af273a0b5 Name: Tuts 4 You Key: 40105e5bb69056bd3fdc1a4496fa9430 Name: Guybrush Threepwood Key: 400e09a63ee6d3a2bfd94d31f7369d10 File Information Submitter hekliet Submitted 03/17/2026 Category KeygenMe View File

Hydra Obfuscator (Modded) About File: .NET Framework 4.8, 32-bit preferred Used Obfuscator: Hydra modded Used Features: JIT Obfuscation, JIT fornicationer, String Encryption (XOR), Control Flow, Proxy Class, Renamer, L2F, INT Encode, Method to delegate, Anti Decompiler & Tamper & Dump & Proxy, Cctor hider. Difficulty: 6/10 Goal: Crack and deobfuscate it competely. (u can ignore renamer) File Information Submitter whystarlix Submitted 03/05/2026 Category UnPackMe (.NET) View File

You missed alignment of struct members, I guess.

This is what I thought at first; anyway declarated like this doesn't works; SizeOfImage has to be also a qword.

20260222_142320.mp4

@0X7C9 pls can u upload https://tut4u.com/hexorcist-reverse-engineering-course/ in your webdav server

All protectors can be unpacked, that doesn't means dnguard isn't good.

Up!

off the Web Protection.

You can provide Another link & And solve this problem

Server is up , woth better uplink !Use webdav client. like WinSCP host : https://eddynet.cz:9865 u: learn p: 4EKS9umUYme3WAZrC

It is empty

Someone please share zero 2 automated reversing course. Thank you.

I added 64 bit support and generic extraction HydraDragonAntivirus/MegaDumper: Fixed 2025 version of Mega Dumper

...because cloning git repo, or just clicking on anonfiles.com_d1D7M7q9z4_vmpsrc.zip is so f*ing complicated. You don't need VMProtect sources. What you need is a basic understanding of this magical thing called "the internet".

I don't see any solution here fits the requirements ✍️

- Patch CRC_CHECK: 0x0046FB8D - I think I need some time to modify the source code of shfolder.dll Video_2024-01-16_170946.mp4

How to Unpack ? Solution - 3.9.5.3.zip

This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it : https://streamable.com/gynmi9 EazUnpack.mp4 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it ggggg-unpacked-cleaned.zip

Hello everyone, Here is a small SDK example for TitanEngine Community Edition. It covers far from all features, but enough to get you started. This is the code: #include <windows.h>#include <stdio.h>#include <psapi.h>#include "TitanEngine\TitanEngine.h"PROCESS_INFORMATION* fdProcessInfo;LPVOID lpBaseOfImage;char szDumpName[MAX_PATH]="";static void log(const char* format, ...){ va_list args; va_start(args, format); char msg[1024]=""; vsprintf(msg, format, args); puts(msg);}static void cbOep(){ long long rip=GetContextData(UE_RIP); log("> OEP 0x%llX reached!", rip); log("> Dumping..."); DeleteFileA(szDumpName); //Dump the process (notice that szDumpName need to be a full path) if(!DumpProcess(fdProcessInfo->hProcess, lpBaseOfImage, szDumpName, rip)) { log("> DumpProcess failed..."); StopDebug(); return; } log("> Dumping done!"); log("> Fixing imports..."); ULONG_PTR iatStart=0; ULONG_PTR iatSize=0; //Search for IAT (Search start is 'OEP' in Scylla) ImporterAutoSearchIAT(fdProcessInfo->dwProcessId, szDumpName, rip, &iatStart, &iatSize); if(!iatStart || !iatSize) { log("> IAT not found..."); StopDebug(); return; } log("> IAT Start: 0x%llX, IAT Size: 0x%llX", iatStart, iatSize); char szSectionName[]=".unp64"; //Auto fix the file (append a section & fix IAT) if(!ImporterExportIATEx(szDumpName, szDumpName, szSectionName)) { log("> ImporterExportIATEx failed..."); StopDebug(); return; } log("> Imports fixed!"); //Stop debugging StopDebug();}static void cbNearOep(){ log("> Near OEP!"); //Step using the trap flag StepInto((void*)cbOep);}static void cbPeSpin(){ //Set a hardware breakpoint at RSP with size 8 on read/write SetHardwareBreakPoint(GetContextData(UE_RSP), UE_DR0, UE_HARDWARE_READWRITE, 8, (void*)cbNearOep);}static void cbEntry(){ //Get RIP register long long rip=GetContextData(UE_RIP); log("> Entry point 0x%llX reached!", rip); //Search for MPRESS pattern unsigned char pattern[4]= {0x5D, 0x5B, 0xC3,0xE9}; BYTE wildcard=0; long long found=Find((void*)rip, 0x1000, pattern, 4, &wildcard); if(!found) { //Search for PESpin pattern unsigned char pespin[4]= {0xFF, 0x64, 0x24, 0xF8}; long long found=Find((void*)rip, 0x1000, pespin, 4, &wildcard); if(!found) { log("> MPRESS/PESpin pattern NOT found..."); StopDebug(); return; } log("> PESpin pattern found on 0x%llX!", found); //Step over StepOver((void*)cbPeSpin); return; } //Set a simple INT3 breakpoint SetBPX(found+3, UE_BREAKPOINT, (void*)cbNearOep); log("> MPRESS pattern found on 0x%llX!", found);}static void cbCreateProcess(CREATE_PROCESS_DEBUG_INFO* CreateProcessInfo){ //Get the loaded base lpBaseOfImage=CreateProcessInfo->lpBaseOfImage; log("> Process created on 0x%llX!", lpBaseOfImage);}static bool DevicePathToPath(const char* devicepath, char* path, size_t path_size){ if(!devicepath || !path) return false; char curDrive[3]=" :"; char curDevice[MAX_PATH]=""; for(char drive='C'; drive<='Z'; drive++) { *curDrive=drive; if(!QueryDosDeviceA(curDrive, curDevice, MAX_PATH)) continue; size_t curDevice_len=strlen(curDevice); if(!_strnicmp(devicepath, curDevice, curDevice_len)) //we match the device { if(strlen(devicepath)-curDevice_len>=path_size) return false; sprintf(path, "%s%s", curDrive, devicepath+curDevice_len); return true; } } return false;}static bool GetFileNameFromHandle(HANDLE hFile, char* szFileName){ if(!GetFileSize(hFile, 0)) return false; HANDLE hFileMap=CreateFileMappingA(hFile, 0, PAGE_READONLY, 0, 1, 0); if(!hFileMap) return false; void* pFileMap=MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1); if(!pFileMap) { CloseHandle(hFileMap); return false; } char szMappedName[MAX_PATH]=""; if(GetMappedFileNameA(GetCurrentProcess(), pFileMap, szMappedName, MAX_PATH)) { DevicePathToPath(szMappedName, szFileName, MAX_PATH); UnmapViewOfFile(pFileMap); CloseHandle(hFileMap); return true; } UnmapViewOfFile(pFileMap); CloseHandle(hFileMap); return false;}static void unpack(char* szFileName){ //Set an engine variable (hide console window of created process) SetEngineVariable(UE_ENGINE_NO_CONSOLE_WINDOW, true); //Get full file path HANDLE hFile=CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0); if(hFile==INVALID_HANDLE_VALUE) { log("> File \"%s\" doesn't exist...", szFileName); return; } GetFileNameFromHandle(hFile, szDumpName); CloseHandle(hFile); log("> Unpack of file \"%s\" started...", szFileName); FILE_STATUS_INFO inFileStatus= {}; if(IsPE32FileValidEx(szFileName, UE_DEPTH_DEEP, &inFileStatus) && inFileStatus.FileIs64Bit && !inFileStatus.FileIsDLL) { log("> 64-bit PE file detected!"); //Make name of dumped file int len=strlen(szDumpName); while(szDumpName[len]!='.' && len) len--; if(!len) len=strlen(szDumpName); strcpy(szDumpName+len, "_unp64.exe"); //Start the process fdProcessInfo=(PROCESS_INFORMATION*)InitDebugEx(szFileName, 0, 0, (void*)cbEntry); if(fdProcessInfo) { log("> InitDebug OK!"); //Set a custom handler SetCustomHandler(UE_CH_CREATEPROCESS, (void*)cbCreateProcess); //Start debug loop DebugLoop(); } else log("> InitDebug failed..."); } else { log("> Invalid/x86/DLL file..."); } log("> Unpack ended");}int main(int argc, char* argv[]){ puts("unp64 v0.1\n\nSupported packers:\nMPRESS v2.19\nPESpin v1.22 (Packer only)\n"); if(argc<2) puts("usage: unp64 [file.exe]"); else unpack(argv[1]); Sleep(2500); return 0;}Example output:unp64 v0.1Supported packers:MPRESS v2.19PESpin v1.22 (Packer only)> Unpack of file "mpress.exe" started...> 64-bit PE file detected!> InitDebug OK!> Process created on 0x140000000!> Entry point 0x14000F0F3 reached!> MPRESS pattern found on 0x14000FBD7!> Near OEP!> OEP 0x140005DC8 reached!> Dumping...> Dumping done!> Fixing imports...> IAT Start: 0x14000F048, IAT Size: 0x38> Imports fixed!> Unpack endedProject files + Binaries attached.Greetings, Mr. eXoDia unp64.rar