PEDiminisher unpacker

Hello friends,

i'm proud to bring you my unpacker for PEDiminisher v0.1 from Teraphy.

Why do i say "Complete decryptor" ?

- PeDiminisher Unpacker (Direct approch) from DESPERATE is failing with original PED, my unpacker is working.

- Generic unpackers and PeDiminisher Unpacker (Debug approach) from DESPERATE are working with PED, but you can't remove "extra" sections from PED if "Encrypt resources" and "Exclude Icons" were checked.

In default, PED creates a ".teraphy" unpacking section in packed file.

In case "Encrypt resources" and "Exclude Icons" were checked, PED creates an extra section named ".icon", where it duplicates icon contents from resource to this new ".icon" section and finally correct the RVA in resource to this new section.

So, if you're removing ".teraphy" and ".icon" section, the RVA is now an unallocated contents, and it failed.

My hardest work was the resource scanner to correct the RVA in order to be able to remove these sections.

As usual, unpacker source in masm and packer are included for interested ones...

(Note: Look at the resource scanner, it's an incredible recursive proto.)

I'm actually finishing "sourcing" PED for those who are interested...

Any comments, opinions on source code, bug reports or others are welcome...

See you soon ...

Laurent aka BIGBOSS from COPs...

PEDiminisher_v0.1.zip

CPS!UnPED.zip

Edited March 10, 201015 yr by bigboss-62