Tool Release: PolyCryptPE Unpacker

This is a runtime unpacker for PolyCryptPE. Because it is a runtime unpacker, you have every chance of toasting your buttocks, since I cannot promise the executable won’t escape. I have tried to add a few safeguards to it, but you still need to be careful. Also, it’s not a perfect unpacker, since the imports will be broken in the dumped image.

This is the output when the tool was run against a target packed with PolyCryptPE:

PolyCryptPE Unpacker, (c) 2006,2007 Toni Koivunen (toni(_at_)teamfurry.com)
[+] Unpacking c:\tgt\polpe\Setup.Exe
[+] Caught CREATE_PROCESS_DEBUG_EVENT
[+] File entrypoint is at 0x0041200d
[+] Stub entry bytes 60 E8 ED FF FF FF
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Target is loading a DLL into memory
[+] Injection stub finished executing, replacing it with the original
[+] Resetting Eip to entrypoint…
[+] Starting trace. This might take a while
[!] Original entrypoint reached, dumping the file.
[+] Modifying section .text
[+] Modifying section .data
[+] Modifying section .rsrc
[+] Modifying section
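
The "Modifying section" step above is where a dumped image is usually made loadable again. The following is an added example, not code from UnPolyCryptPE, and it assumes (as is typical for a process dump taken at the OEP) that fixing a section means setting its raw file offset and size to its virtual address and size, and that the entry point is re-pointed at the recovered OEP; names such as fix_dumped_pe, describe and build_sample_image are mine, the sample image is constructed, and imports are left broken just as the post says.

```python
import struct

FILE_HDR, OPT_HDR, SEC_HDR_SIZE = 4, 24, 40  # offsets from "PE\0\0" to file/optional header; sizeof(IMAGE_SECTION_HEADER)
ENTRY_OFF = OPT_HDR + 16                     # AddressOfEntryPoint inside IMAGE_OPTIONAL_HEADER32

def _nt_header(buf):
    """Return (pe_offset, number_of_sections, offset_of_first_section_header)."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                          # e_lfanew
    if bytes(buf[:2]) != b"MZ" or bytes(buf[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    if struct.unpack_from("<H", buf, pe + OPT_HDR)[0] != 0x10B:          # Magic: PE32 only
        raise ValueError("only PE32 handled")
    nsec, opt_size = (struct.unpack_from("<H", buf, pe + FILE_HDR + o)[0] for o in (2, 16))
    return pe, nsec, pe + OPT_HDR + opt_size

def describe(image):
    """Entry-point RVA plus (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    pe, nsec, first = _nt_header(image)
    secs = []
    for off in range(first, first + nsec * SEC_HDR_SIZE, SEC_HDR_SIZE):
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        secs.append((name,) + struct.unpack_from("<IIII", image, off + 8))
    return struct.unpack_from("<I", image, pe + ENTRY_OFF)[0], secs

def fix_dumped_pe(image, oep_rva):
    """Make a memory dump loadable again: each section's raw offset/size becomes its
    virtual address/size (the dump is laid out as in memory, not as on disk) and the
    entry point is set to the recovered OEP. Imports stay broken, as the post says."""
    buf = bytearray(image)
    pe, nsec, first = _nt_header(buf)
    struct.pack_into("<I", buf, pe + ENTRY_OFF, oep_rva)
    for off in range(first, first + nsec * SEC_HDR_SIZE, SEC_HDR_SIZE):
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)
        struct.pack_into("<II", buf, off + 16, vsize, vaddr)             # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_image(entry_rva, sections, size=0x3000):
    """Constructed PE32 header laid out as in memory (test input, not a real binary);
    the raw pointers/sizes carry on-disk values that are wrong for a memory dump."""
    buf, pe = bytearray(size), 0x80
    buf[:2], buf[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, pe)                                # e_lfanew
    struct.pack_into("<HHIIIHH", buf, pe + FILE_HDR, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", buf, pe + OPT_HDR, 0x10B)                     # PE32 magic
    struct.pack_into("<I", buf, pe + ENTRY_OFF, entry_rva)
    for i, (name, vaddr, vsize) in enumerate(sections):
        off = pe + OPT_HDR + 224 + i * SEC_HDR_SIZE
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, vsize, vaddr, 0x200, 0x400 * (i + 1))
    return bytes(buf)
```

Run fix_dumped_pe over a full SizeOfImage-sized dump taken when the trace stops at the OEP; the import table still has to be rebuilt separately before the dump will run.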

The tool can be downloaded from here:

UnPolyCryptPE
