SubSpace: UnPeX

Introduction

Every single public release of the Continuum client has been passed through an executable packer. The packer does a number of things:

  • compresses the original executable
  • encrypts the original executable
  • encrypts the original import table
  • attaches a loader to the post-processed executable

When the final executable is launched, the loader executes, decrypts and decompresses the post-processed executable and its import table in memory, and jumps to the original entry point. The loader is designed to prevent debuggers from attaching and to make static code analysis difficult.

UnPeX is a tool that unpacks Continuum executables and reproduces the original, unprocessed executable. Since Continuum checks its integrity on launch, the unpacked executables cannot run unmodified. Therefore, UnPeX also patches the security checks away to allow full operation.

Supported Versions

The following versions are supported:

  • 0.35 - fully supported
  • 0.36 - fully supported
  • 0.37 - fully supported
  • 0.38 - fully supported
  • 0.39pr1 - unpacking only, not patching
  • 0.39 - not supported
  • 0.40 - not supported

In addition, UnPeX unpacks standard PeX-compressed executables, which include some beta versions of Continuum (0.31+).