-=[]=---------------------------------------------------------------------=[]=-
        UNP64 v2.25 - Generic C64 prg unpacker - (C)2008-2011 iAN CooG
-=[]=---------------------------------------------------------------------=[]=-

Original source and idea: testrun.c, taken from Exomizer 2.0b7 by Magnus Lind.
Converted to a generic prg unpacker by iAN CooG. Being a derived project,
Exomizer' sources used for UNP64 are included and modified where needed.

-=[]=---------------------------------------------------------------------=[]=-

The idea is simple: to simulate the C64 memory/processor, run the program until
it reaches the unpack routine, usually relocated to an address lower than $0800,
then to continue execution until the Program Counter returns to a normal address
usually higher than $0800. At this point, save all the memory.
I normally do this process in emulators by setting breakpoints but an automatic
program that does it for me is handy.
PUCrunch and Exomizer 2.0Beta7 already have their own decrunch commands.
This program should cover those 2 and almost all the remaining ones.

Main changes applied to Exomizer sources:

- Many undocumented opcodes added to 6502emu.c to unpack more packers/coders.
- Fixed handling of some opcodes (indirect JMP, JSR, BRK not stopping, ADC/SBC)
- Better sysline detection and parameter to force entry point.
- TrilogicExpert/ActionReplay/SuperSnapshot5/FreezeMachine/Final Cart II & III
  scanner, should cover every known (to me) version.
- Action Replay 4 & FreezeMachine Split freezes are detected and a onefiled prg
  will be generated. Then you can unpack the result or crunch it.
  Action Replay 4.x files are: loader "name" and 2nd file "1name"
  Unknown Cart files can be any name, 2nd filename is written in loader.
  Of course both files must be in the same directory.
- Scanners to get exact unpack address from MANY difficult unpackers.
  See Unpackers section later in this document for a list.
- Tries to identify also entry point in SYS-less packers.
- Added some memory init values before running. A C64 minimal environment is
  replicated so many unpackers can act as on the real one.
- Added handling of some Kernal calls which return modified regs.
- Simple $01 banking implemented: writing to I/O area for example is handled
  only when RAM is visible there, else writes to I/O are skipped.
- Simple raster ($d011/2) handling, enough to avoid hanging some unpackers (AR)
- Faked keyboard checks to bypass many intros/trainers.
- Warnings are given in Verbose mode if vectors from $0314 are modified, so
  you'll know if an IRQ or something else should happen.

-=[]=---------------------------------------------------------------------=[]=-

usage: UNP64 <packed.prg>{[,|@]Addr} [-parameters]

-a      Save all mem instead of $0800-$ffff.
-t$Addr Truncate mem at Addr before saving. ZP Addr used as lo/hi pointer.
-e$Addr Specify entry point address in case SYS detection fails.
-d$Addr Unpacker address = Addr; default: first address < return address.
-r$Addr Return address from unpacker must be >= Addr. (default:$0800)
-R$Addr Return address from unpacker must be == Addr.
-u      Clean unchanged memory.
-l      Clean leftover packed data copied at end of memory.
-s      Use a zero-filled stack on loading + SP=$FF, else like on C64.
-fXX    Fill memory with byte XX instead of 0, before loading.
-i      Identify only.       -c      Continue unpacking until error.
-v      Verbose output.      -x      Trace for Debug.
-B      Patch original Basic ROM at $a000, if prg is shorter.
-K      Patch original Kernal ROM at $e000, if prg is shorter.

Output filename is packed.prg.XXXX where XXXX is the jmp address in hex.
Use packed.prg,Addr to relocate loading at Addr instead of .prg loadaddress.
Use packed.bin@Addr to load at Addr raw binaries without loadaddress.


-=[]=---------------------------------------------------------------------=[]=-
                                  PARAMETERS
-=[]=---------------------------------------------------------------------=[]=-

-a:
Use -a to save all mem $0002-$ffff, many times it is interesting also to see
the lower memory after unpacking, for example to know which address to give
to parameter -t. Sometimes the unpacked program starts from $0400 or less.

-c:
Continues unpacking until an error occours. Useful to blindly unpack all
packing layers. After 16 recursions it stops anyway, but 3-4 consecutive layers
should be considered normal, 5 layers to me are even excessive.
Worst case found so far had 15 layers (Cruncher 1.0 by Marauder/GSS):

ASC/SCF Protector, unpacker=$041f
Marauder Cruncher v1.x, unpacker=$033c
GSS Coder v1.2, unpacker=$0442
MC-Cracken Compressor, unpacker=$0100
FileCompactor I/MTB, unpacker=$033c
Marauder Cruncher v1.x, unpacker=$033c
FCG Coder, unpacker=$06c5
ECA Compacker, unpacker=$0100
Super Compressor / Flexible, unpacker=$0334
Super Compressor / Equal sequences, unpacker=$0335
Super Compressor / Equal chars, unpacker=$0100
Marauder Cruncher v1.x, unpacker=$033c
Marauder Cruncher v1.x, unpacker=$033c
Marauder Cruncher v1.x, unpacker=$033c
TCS Cruncher v3.0, unpacker=$0334

so many layers surely discouraged non-experts to unpack each layer manually in
the past, but that surely didn't stop anyone to reset/freeze and dump the memory
once the program was started, so I don't see the point in such aggressive and
counter-productive protection, only worsened filesize and unpacking time.

-d:
The unpacker address is detected by a simple rule: the first address reached
LESS than the return address, which is by default $0800 but can be changed
with parameter -r or -R. Some unpackers constantly jump from lower mem to
upper mem, so a specific address must be supplied.
Some of these particular packers needed this parameter, from version 1.04
many are identified and parameters changed automatically. There are surely some
others that will need this parameter, I can't test every prg I have, but I'll
try as many as possible and include automatic detection.

-e:
Entry point is found automatically by searching the SYS line.
If it's too complex or there is none you can supply it by yourself with -e
example: -e$80d ; can be written -e2061

-f:
Simulated memory is initialized to all zeroes. In some circumstances using
a different filler byte is handy. For example to quickly identify unchanged
memory, like Action Replay does, use -f$BD. To start filling at a specified
address instead of $0000, use high word as address and lower word as filler.
-f$080100f8 will fill memory with byte $f8 starting at address $0801.

-l:
Some packers copy all the packed data at the end of memory then start unpacking.
Most of the times, at the end of unpack, the packed data remains there because
it's not overwritten by unpacked data. This option makes UNP64 scan the end of
memory backward against the packed program and clear everything that seems the
original packed data until a different byte is found, then it prints the
address reached.
ECA Compacker have some special code to relocate $d000-$efff to $e000-$ffff
after unpacking, so memory at $d000-dfff will result sometimes as unnecessary
garbage, but it's not always true. The moved area seems to be determined by the
"Low Mem" setting of the packer, so can be different. Someone could have set it
wrongly, and the copied data at $e000 could be even the part to clean.
You have to try with -l to clean the area - UNP64 determines the range by itself
analyzing the unpacker code - and see if it's really unneeded.
When using this parameter, a ".clean" extension is appended to the output file.

-r/-R:
Return address is the first address reached after unpacking (usually by a
JMP as the last instruction in the unpacker code). Normally anything higher or
equal to $0800 will stop unpacking and causes the dump of the memory.
This is normally the Startaddress of the unpacked program.
If you know the startaddress is something "around" an address you can use -r.
If you need an exact address and not something higher, use -R.
-r$400 will dump after reaching anything from $400 and higher
-R$428 will dump after reaching exactly $428.
If UNP64 exits with "Max iterations reached" which means it detected a loop,
that address is wrong.
Some known packers are scanned for the exact return address, but there's no
sure method to detect them all.
The majority of unpackers end with a9 37 85 01 58 4c xx xx or similar ones,
but it's not a rule of thumb.
When -r is used and the address supplied is less than $800 the memory will be
saved from that address. When not sure, use -a.

-s:
Many unpackers set the stack pointer to $FF and use the stack space as code or
buffer, so any value contained in the stack space and SP is irrelevant.
Some others instead assume SP being already set to $F6 and expect also to
read or "pop" values from stack as in a C64 just switched on before loading.
UNP64 by default sets the stack space exactly as in a C64, with SP=$F6 just
before executing the initial SYS. In case the stack space should be zeroed
and SP set to $FF, use this parameter. So far only 3 unpackers were found
requiring this parameter, and they're already managed by custom scanners.

-t:
Some unpackers rely on exact filesize using basic pointers to determine it.
UNP64 sets the basic pointers from $2b and $ae/$af as in a C64.
Other unpackers also set the pointers during or after unpack, some of these
unpackers are known to UNP64 and correct filesize is determined at runtime.
For all the other cases where UNP64 does not yet know how to reliably determine
the size, the option -t is useful. Just give the address you want to truncate.
If address is in zeropage (usually $2d) the address pointed by it after
unpacking will be used: if $2d contains $34, $2e contains $12, $1234 is used.
Usually -t45 or -t$2d is enough to set the right size of the unpacked prg.
Some others update $ae/af instead, so try -t$ae.
You have to disassemble the prg or do some tries to find out the right one.

-u:
Parameter -u is far from perfect but it is useful to know which memory area
should be cleaned. It happens many times that the packed program is not made
from a contiguous stream of memory from $0800 to $ffff but little pieces
linked together, for example:
$1000-$17ff
$2000-$2400
$8000-$9000
$c000-$cfff
Or more simply starting from $0900 etc. In such cases after unpacking, lots of
the original packed data will be left in the "holes" of the unpacked memory.
When using this parameter a ".clean" extension will be appended and the
generated output prg will have zeroed memory where the same bytes of the
unpacked prg are left unchanged.
You know that "shit happens" and there are lots of cases where the same bytes
are meant to be there, so a 4-byte check is done. If the same 4 bytes are found
they will be zeroed, otherwise they will remain the same.
Some unpacker where this option is useful: ByteCompactor, Mr.Cross, TCD Link.
When unpacking IsePic freeze files use -u to remove the nasty pseudorandom fill
pattern, else it's hard to do it manually.

-v:
Some debugging messages will be printed to console, normally you don't need to
read them. These messages include:
- IRQ/NMI vectors from $0314 changed by the code.
- JSR $FFE4 or reads from $DC00/1 (wait for fire/space) are simulated.
  JSR $FFE4 receives a sequence of keys in Accumulator, each time a different
  key: space, run/stop, return, crsr down, 1. LDA $DC00/1 always returns A=$EF.
  Key debounce is simulated aswell, every 2nd read will return "released".
- reads from $DD0x forced to $ff instead of what's actually in memory.
- many other special warnings.
- some unpacker text, for example on BYG comp, Sledgehammer II+, etc.
- address ranges of linked sections with some linkers.
- number of iterations and total cycles taken by the unpacker.

Changed IRQ/NMI vectors means the program probably should be emulated to be
correctly unpacked.
If the entrypoint leads to an intro or de-coder that does its stuff all inside
IRQ, UNP64 will probably enter in an infinite loop, which is detected anyway:
after a fixed, big number of iterations or number of instructions executed,
UNP64 will exit saying "Max iterations reached".
Use Ctrl-Break to interrupt it, of course, but this shouldn't be needed.
Try changing the entry point to the IRQ address ($0314 pointed value printed
when using -v param) as most intros check for space in one of the IRQ routines.
If everything fails it's better to unpack with a real emulator, but most of the
times UNP64 unpacks also freezed prgs.

Example:
C:\test\>unp64 -v "SUPER MONACO GP!.prg.0810"
Entry point: $0810
pass1, find unpacker: Warning! Vector $0314-$0315 changed from $ea31 to $0831
pass1, find unpacker: Warning! Vector $0314-$0315 changed from $0831 to $083f
pass1, find unpacker:
Max Iterations Reached, quitting...

C:\test\>unp64 -v "SUPER MONACO GP!.prg.0810" -e$83f
entry point forced to $083f
Entry point: $083f
pass1, find unpacker:
LDA $DC01->space pressed
$033c
pass2, return to mem:
$a659 -> forced RUN
($a7ae)->$0801
saved $0800-$ffff as SUPER MONACO GP!.prg.0810.0801

-i:
Use this parameter to only identify packers without actually unpacking.
UNP64 emits only filename and identified packer then exits.
Errorlevel is set to 0 for unknown, 1 for known packers.
Example batch usage:

for %a in (*.prg) do unp64 "%a" -i>>output.txt

output.txt will look like this:

PD-075.prg : Time Cruncher v3.1, unpacker=$0100
PD-079.prg : DarkSqueezer / Generic Hack, unpacker=$0100
PD-080.prg : MDG Packer, unpacker=$0400
PD-086.prg : Time Cruncher v5, unpacker=$0100
PD-096.prg : DarkSqueezer v2.x, unpacker=$0100
PD-097.prg : Gentlemen FX Packer 2.0, unpacker=$0001
PD-099.prg : Super Compressor / Equal sequences, unpacker=$0335
PD-102.prg : CruelCrunch v1, unpacker=$0100
PD-104.prg : FX bytepress, unpacker=$040d
PD-107.prg : MasterCompressor, unpacker=$0100
....

-x:
Trace every emulated instruction and emit full dump of registers and disasm.
Expect *long* output and *slow* execution, use with redirection > of course.

-B:
-K:
(experimental options)
There are some (few I hope) unpackers that use locations from ROMs to
decrypt datas, or (found in only one occasion so far) use indirect jumps
in ROMs. Anyway, whatever they are needed for, original ROMs should be there.
These 2 options simply patch the simulated memory copying the ROMs in their
places - $A000 for Basic, $E000 for Kernal - and work only if the prg
doesn't already overlap the needed ROM space.
TSM coder for example was one of those needing the Kernal ROM, but now the
prg is patched on the fly to avoid this need.

-=[]=---------------------------------------------------------------------=[]=-
   Unpackers previously needing special handling but now understood by UNP64
-=[]=---------------------------------------------------------------------=[]=-

-=-------------=-
* FREEZER CARTS *
-=-------------=-
Action Replay (3.x / 4.x and newer)
Action Replay Split Freeze
FinalCart I Split Freeze
FinalCart II Split Freeze
FinalCart III Split Freeze
Freeze Machine
Freeze Machine Split Freeze
IsePic (at least 2 variants)
Super Snapshot 5
Trilogic Expert v1.x / v2.x / v3.x / v4.x (+various hacks)

-=-------------------=-
* PACKERS & CRUNCHERS *
-=-------------------=-
1001 CardCruncher v4 (cruncher/new packer/old packer)
1001 CardCruncher hacks (ACM/NATO CRAM/HTL)
3Code Zipper/REM / v2.x/ENT
4C Packer
4Code Zipper v2.0/v2.S
4WD-Soft Packer
64'er BitPacker / BitPacker special (with 2 layers)
64'er / Equal sequences 4.0A/B/C/D/F / 4.1A/B/C
64'er / special versions (2nd layers)
64'er (Happy-Packer) / Equal sequences 2.2/3.2
ABCruncher  (at least 4 variants, SCS and ONS hacks included)
AbuzeCrunch v3.x (3 variants) / v3.7 / v5.0
Action Packer
Agnus $02 Packer
Agony Packer v2
ALZ64/Kabuto
Amnesia Packer (2 variants)
Antiram Packer (aka Packer 820, 2 variants)
Apack/MadRom
BAM Compacker
BAM Reductor v3.0 / v3.3
BeastLink (+sysless)
Beeftrucker (aka $56 zipper) / Zipplink (aka $54 zipper) (3 variants)
Beeftrucker/Zipplink Loadback
Beta Dynamic Compressor v2.x (2 variants + loadback) / v3.x (3 variants)
BeyondForce Packer
BitImploder (at least 2 variants)
BitPacker v2.x (Super Compressor hack)
BitStreamer v1.1
BN 1872 Packer
Brains Packer
Bronx Packer
BYG Compactor v1.x / v2.x
Byte Baby (BYG Compactor hack)
ByteBoiler (+ ByteBoiler/CPX hack)
ByteBoozer
ByteBuster 4.x/Triad
ByteCompactor
ByteKiller v1.x
Byterapers Packer v1.x / v2.x
ByteStrainer v1.x
C4MRP/RSi
Cadaver Packer
Cadgers Packer
CCS Cruncher v1.x/v2.x
CCS Executer
CCS MaxShorter (and hacks)
CCS Packer
CCS ScreenShorter v1
CCS Special
CCS Super Compressor/Equal Sequences hack
CCS Unknown
CeleriPack
Chris Noack's Mega Byte Packer
CNCD Classic Packer
CRM Packer (S8 hack?)
CruelCrunch 1.0 / 1.x / 2Mhz / CC fast (3 variants)
CruelCrunch 1.2 / 1.3 (Galleon/S451) / 1.4 (Light)
CruelCrunch 2.0 / 2.1 / 2.3TKC / ILS/RND Variants
Crush/Taboo
Dark Packer v2.0 / v2.1 / v3.1
DarkSqueezer v0.8 / v2.1 / v2.2 (at least 3 variants) / v2.x  / v4.x
DarkSqueezer hacks: F4CG / XTC / G*P / DOM
DarkSqueezer / ByteBonker (2 variants)
DarkSqueezer / Darkfiler v1.0
Datel UltraCompander (1001 CardCruncher hack: cruncher/compactor/packer)
DSC Cruncher
DSC Packer v1/v2
EastLinker
ECA Compacker (8+ variants)
ECA / Old Packer (earlier than Compacker/linker)
Enigma MFFL (1-filed IFFL)
Entropy Packer
Equal Byte Compressor v1.2 (3 variants +sysless & loadback) / v1.4 (sys&sysless)
Excalibur 666 Packer
Exomizer (should cover every possible variant from 1.0 to 2.0beta7)
Exploding Cruel 2.6
Exploding Cruncher v2.x / v2.1
Exploding Faces v1.x / v2.x
FacePacker v1.0 / v1.1
Falco Paul Packer
FCG Packer (4 variants)
FCG Linker (similar to TMC ultimate linker)
File Press Expert (Time Cruncher hack)
FileCompactor I/MTB
Final Compactor
Final/Super Compressor: Flexible / Equal Chars / Equal Sequences (many hacks)
FinalCart 3 Packer
Flexible Code Compactor (aka FileCompactor III/TMC; FP, Scoop & HTL variants)
Flexible Code Compactor v2.x / Kinetic2
Frog Packer
Frontpacker
FSW Packer
FX BitStreamer
FX Bytepress / BB Bytepress / BB Soundpacker / Jewels Bytepress / Seen
G-Packer/Oxyron
Galleon's Alvesta Link
Galleon's Byteraper
Galleon's Compactor v3.5/ v3.6 / v3.7 / v3.8 / v3.9 / v3.x (sysless/loadback)
Galleon's Equal Chars
Galleon's FW4C v1.x / V2.x (+sysless) / V3.0/V3.1 (sysless)
Galleon's Whom Packer v1.x / v2.x / 4.x (+sysless)
Galleon's $02 Packer
Galleon's $100 Packer
Gandalf Packer
Gentlemen FX Packer 2.0
Gentlemen Stat Packer
Graffity Packer
HardPacker/Caution
Hawk Packer
Helmet/TempesT v2.x
HitMen $02 Packer
HitMen $20 Linker
Huffer v1.0 / FLT
Huffer v1.1 / Quick Cruncher
Idiots FX Packer v1.0 / v2.0 / v2.1
Ikari Cruncher
ILS Compacker v2.x / v3.x (variable codebytes, sys&sysless)
ISC (Normal/Bitstream/Packer)
IsePic onefiler: Generic
IsePic onefiler: Anti-IsePic/7up v1/v2
IsePic onefiler: Anti-IsePic/GSS v1.1
IsePic onefiler: IsePicker/DD
IsePic onefiler: IsePic Defroster/NC
IsePic onefiler: IsePic Defroster/Amigo
IsePic onefiler: Why IsePic/CT v1/v2
J0xstrap's "SuperSekret" Cruncher
JazzCat Cruncher
JazzCat Packer
Jedi Linker v1.x / v2.x
Jedi Packer
Just A Packer 2.0/Agony
Kompressmaster Cruncher / 711 / BB (+special version)
Kompressmaster Packer (2 variants +special version)
Koncina Packer (many variants)
Kress Cruncher
Lightmizer
Loadstar Mod Linker
Loadstar Linker v2.0
Loadstar Packer
Low Cruncher
LTS Packer
LZMPi/MartinPiper v1.x / v2.x
Marauder Cruncher v1.x
Marauder Cruncher&Coder v1.0/v1.1
MaschinenSprache-Kompressor (variable entrypoint)
MasterCompressor (and hacks, aka Time Cruncher 1.x/2.x)
Matcham Basicpacker
Matcham Charpacker
Matcham Denser (Flexible / Equal Chars / 251)
Matcham Flexer/229
Matcham Linker/251
MC-Cracken Compressor / Compressor+Coder
MC-Cracken Hacks: CFB v2/TSS3/Crusher/Cobra/DigitalPacker/CodeOptimizer/SCC
MDG Packer (and hacks)
MeanTeam Cruncher (Flexible Code Compactor hack)
Megabyte Cruncher64 (2 variants)
MegaCrunch 4.0 (Time Cruncher hack)
Megacruncher/BlackDuke
Mekker
Mr.Cross-linker v1.x / v2.x (+sysless)
Mr.Z Packer (aka Mr.Z Crunch)
MSCrunch 1.0 / 1.5 / 1.5ABS / 1.x / Unknown variant (Similar to Cruel)
MSI Cruncher v2.x / v3.x
NEC Packer (variable entrypoint)
NM156 Packer
NM156 Linker
NSU Packer v1.0 (from Beta Dynamic Compressor) / v1.1 (Action)
Oneway Makt-Link v2.0
ONS Packer
Optimus Packer (+sysless hack)
P100 Cruncher
Packer 64/Taboo
Packer Optimizer (2 variants)
PAN Packer v1.0/v2.0
Panoramic Equalizer v1.5
Panoramic Packer v1.0/v2.0/v3.0/v3.1/v3.2
PET Packer
Plush Packer (sysless/loadback)
Polonus Unknown $101 Packer
Polonus Unknown $45c Packer
Polonus C64/+4/Amiga Packer
Polonus Charblaster
Polonus Equalchars Packer
Polonus Krejzi Packer
Pride Packer
PUCrunch (many variants)
PZW Compactor
QuickPacker/Caution v1.0 / v2.0 (+sysless) / v2.5 (+sysless)
Rap Equal Chars
Ratt Packer
Ratt Linker
Rebels Packer
Relax 3-Byter
Relax Packer v2.x
Rows Cruncher
ScreenCrunch 2064 / 2066 v1 / 2066 v2 / FCG
Section 8 Packer (3 variants)
Shurigen/Glitters Packer
SIR Compact v1/2/3/4 (Time Cruncher hacks)
SIR MasterLinker
SIR MiniPacker
SledgeHammer v1.0/v1.1/v1.2/v2.0/v2.1/v2.2/v2.2CCS/v2.3/v3.0/Trap
Spy Packer
StarCrunch
Supercrunch (2 variants)
Superpack v4
SupraCompactor (Time Cruncher hack)
Syncro Packer v1.2 / v1.3 (+sysless) / v1.4 / v1.55 (sysless)
T.L.R. Packer
TBC Multicompactor v1 / v2 (not sure it's a v2 but it's very similar)
TCD Link&Crunch v1.x / v2.x
TCS Cruncher v2.x (at least 2 variants) / v3.x
TFG Packer
ThunderCats Packer
Time Cruncher v3.x/4.x/5.x (different variants each)
Time Cruncher hacks (FBI/TRI/DTC/RDL/2000AD/RWE/HTL/Relax/F4CG/HSCG/HSCG-FE/TDF)
Time Cruncher hacks (ATC/Triton/Triad/PC/Entropy/Mule/Agile/S451/Ikari)
Time Cruncher unknown variants (2061/2072/2074)
Time Cruncher 2MHZ! (Stoat&Tim v1/v2)
TKC Bytepress v1.0
TMC Ultimate Linker
TMM Packer
Total Packer v1.X/v2.0
TrashCan v1.x / v2.x / Unknown variant (Abuzecrunch variants)
Trianon Cruncher
Trianon Packer (2 variants) / v2.x / v3.x
TSB Packer v1.x/v2.1/v3.0
TSM Packer
Turbo Packer
UltraComp 3.0
Unipacker v1.x / v2.x / v3.x (+sysless and textless)
VIP 1.x / 2.0 / 3.2
Visiomizer v6.2 / v6.3
Warlock Packer
Winterberg Packer
Winterberg SpeediCompactor
Winterberg SpeediCruncher MW1/MW2
X-Rated Exploding Cruncher v6 (Time Cruncher hack)
X-Rated PowerCrunch v7.1 / 7.4
X-Terminator v2.0 / FLT (7Code Zipper, sysless)
XIP (autostarter, packer)
XTC Packer v1.0/v2.1/v2.2/v2.3/v2.x G*P/ (+sysless & variable codebytes)
Zigag Packer
Zipper 3.0 / 5.0 (aka Chromizer) / 5.0 hack / 5.1 (4 variants) / 8
Unknown $25 Packer
Unknown $8e Packer
Unknown $fd Packer  (+sysless) (used in FLT and ESM warez)
Unknown $100 Packer v2.x
Unknown $100 Packer v3.x
Unknown $101 Packer (sysless)
Unknown $107 Packer (+sysless)
Unknown $107 Packer v2.x
Unknown $111 Packer
Unknown $400 Packer
Unknown (P3) Packer
Unknown Oneway packer (2 variants)
Unknown Taboo Cruncher
Unknown Taboo Packer
Unknown Triad Cruncher (maybe by Agile or Light)

-=---------------=-
* CODERS/CRYPTERS *
-=---------------=-
Abyss Coder v1/v2
AEK Coder v1.1 / v2.0
ALS Coder
ASC/SCF Protector v1.14
BonanzaBros Coder
C+C Coder
Change Protector v2.0
CIA Crypt v2.x
CFB Coder v1 (+hacks) / v2
Cobra/SCG Coder
DD Intro Coder
DSCompware Coder
Excalibur 666 Coder
Excell/Ikari Intro Coder
Exploding Coder
FCC Coder (2 variants)
FCG Coder (3 variants)
FCG ExProtect
FCG Protector ("evil" hack of H.Leise, formats disk on failure)
FDT Coder
Flash Protector v3.3
FP Coder
FSW Protector
GrafBinaer Coder
GSS Coder v1.2
H.Leise Protector v1.1
HTL Coder
ILS/RND Coder
Jazoo Coder
KGB Coder
LST Coder v1.x / v2.x
MSI Coder
OUG Coder (autostarter)
PIT Coder
Polonus Quartet Protector
Pyra Coder v1.x / v2.x
Skyline Protector
SPC/FCS Coder
SPC Protector
STL Protector (formats disk on failure)
T.L.R. Protector v1 / v2
THS BitCoder
TMC Coder
TSM Coder
WDR softprotector
WGI Coder
XDS Coder v1 / v2
XDS Coder k1 / k2 / k3
Yeti Coder
WHO Coder
Unknown $420 Coder

-=------=-
* INTROS *
-=------=-
711   IntroDesigner3
BN 1872 (intromaker)
F4CG  (f4cg-23)
FLT   (flt-01)
G*P   (gp-02)
Relax (relax-01,-02)
S451  (s451-09)
Triad (triad-01,-02,-05)
Ikari (many by Excell/Ikari, ikari-06 by Tri-Dos)

-=--------------------=-
* OTHERS / NOT PACKERS *
-=--------------------=-
64'er Autostarter
AFLG/M.Pall Autostarter
BHP Virus
Bula Virus
CruelCrunch headers (various)
GCS Autostarter (2 variants)
HIV Virus
SIR Combine v1.x / v2.x / v3.x
Time Cruncher headers (BB/ILS/ANM/Vikings)
WCC Modem Converter

-=------------------------------=-
* OTHER IDENTIFIED-ONLY PROGRAMS *
-=------------------------------=-
Austro/Blitz Compilers
Basic64 Compiler
BasicBoss Compiler
CC65 Compiler (many versions)
DTL-64 Compiler
FinalCart Loader (Unknown version)
IsePic Loader
Hypra Compiler
LaserBasic Compiler
PetSpeed Compiler
Plush Emu-Fuxx0r v1/v2
Speed Compiler
Password Protector: Cop Shocker
Password Protector: Time Coder/Trap
Password Protector: Snacky
Password Protector: TCD
Password Protector: J-Coder v1.0/JCH
Password Protector: Oneway
Password Protector: Unknown [F]

-=[]=---------------------------------------------------------------------=[]=-

Exomizer dynamically generates the unpacker code so there are many variants.
Exomizer desfx actually works in a different way, it checks for the Stack
Pointer to know if the unpacker has been reached.
Use Exomizer desfx if UNP64 fails, but shouldn't happen.

PUCrunch also has variable code, I've tried to manage all variants aswell,
including an unknown version to me, probably an older version.

Other variable code unpackers are: Unipacker, Lightmizer, Visiomizer...
These have the option to not include the sysline and to "loadback" to another
address than $0801. These are handled aswell but the loadaddress must be the
same as the startaddress to easily find the startup code.

Also keep in mind that many names in the supported list are only my guessing
and it's highly possibile that I've made up some names. Any help identifying
correct packers' names is appreciated.

-=[]=---------------------------------------------------------------------=[]=-
HISTORY

1.00 - 2.19 not public betas, no history (first implementation 2008.09.12)
New scanners added almost on a daily basis for more than a year.
First beta testers were Overkiller/HF and Jazzcat/ONS.


2.20  - 2010.03.17
- first public release at CSDb.
- major code cleanup of all scanners
Thanks to CountZero for support and Groepaz for providing corrected makefile,
which I have further expanded.


2.21 - 2010.03.26-20010.05.03
- better parsing of scanner functions
- all printf() in scanners moved on a single source, to have a single string
  pool, thus reducing a bit the final exe size (about 16kb, oh well ;)

Scanners added:
- Abyss Coder (2 variants, similar to ASC/SCF)
- Graf Binaer Coder aka F4CG compactor 2.0 (2 variants, one of which needed
  basic ROM, patched on the fly to avoid it)
- Starline Coder (formats drive 8 on failure, patched to avoid it)
- SPC/FCS Coder
- MCCracken Compressor+Coder
- Time Cruncher 3.x/Triad (nth variant, similar to TC3/Relax but at $812)
- Time Cruncher 3.x/PC (could be even a Master compressor/TC1 hack, dunno)
- Action Replay 4 & Unknown Cart Split Loader (generates 1 file from 2)
- FloraSoft (FSW) packer/coder, 2 versions.
- TSB Packer v2.1
- Zipper 5.0 Hack
- Zipper 5.1/Xenon
- JAP 2.0/Agony
- BAM Compacker
- BAM Reductor v3.0 (2.0 is identical) / v3.3
- Cobra/SCG Coder
- FX Bitstreamer
- 64'er v1.2 / v1.3 / v1.4
- 64'er Special v1.5
- Kompressmaster/BB
- Unknown $100 Packer v3.x
Scanners revised:
- ECA: better scan of return address.
- FileCompactor III/TMC: also handles sysless prgs.
- Beta Dynamic 2.x: handles "loadback" files (f.e. Digital Talk chapters)
- CruelCrunch/Fast: now detects another variant.
- Time Cruncher 5.x: better scan of return address.
- Zipper 3.0: start of memory wasn't set.
- TSB Packer v3.x (was 2.x, verified with TSB3.0/Giants)
- Jazzcat Packer: expected $01==#$34 (after JCT Cruncher); fixed a particular
  case on return address == $0124, where it executes a RUN instead.
- ABCruncher: better entrypoint detection for sysless prgs.
- Dark Packer 2.x (was Unknown $02) & Dark Packer 3.1 identified.
- Unknown $8e Packer: better scan of end address.


2.22 - 2010.05.04-2010.06.11
- fix: when EndAddress is $0000 actually means $10000 so it needs to be set
  to $10000. Previous check was bugged, it used $00/01 content as a pointer.
- sysline with simple calcs (10*256) are resolved. 2 operands, +-*/^ only.

Scanners added:
- 64'er Autostarter
- 64'er v1.5
- BitStreamer 1.1
- ByteBuster 4.x/Triad (variable code)
- ByteStrainer
- Cadaver Packer
- FSW Protector (formats drive 8 in case of failure or if a cart is detected)
- G-Packer/Oxyron
- Jedi Linker v1.x / v2.x (v2 needed Basic ROM, patched)
- Jedi Packer
- Mekker
- PET Packer (similar to Section 8)
- Pride Packer
- SIR Combine (splits the combined prg into all the prgs linked inside)
- SPC Protector
- Spy Packer
- StarCrunch
- Super Compressor / Equal Chars Hack
- Super Compressor / Equal Sequences Hack
- Time Cruncher 3.x/Entropy (similar to SIRcrunch3)
- Time Cruncher 3.x/Mule
- Trashcan Unknown Variant (dINO/FLT)
Scanners revised:
- BitImploder: now detects Chrysagon/X-Ray variant. Start of memory wasn't set.
- CruelCrunch: better scan of return address.
- DarkSqueezer v2.2 identified (was DarkSqueezer/Generic hack)
- Exploding Cruel 2.6 (was Exploding Cruncher 1.x): start of memory wasn't set.
- File Press Expert: now detects one more variant.
- Flexible Code Compactor (was FileCompactor III/TMC) original found on 64'er.
- Sledgehammer 1.0: now detects more variants.
- TCS Crunch 2.x: now detects one more variant.
- Time Cruncher / Triumwyrat: more generic id, better scan of return address.
- Time Cruncher 4.4: now detects a BROKEN variant (ldy instead of ldx, genial!1)


2.23 - 2010.06.12-2010.07.30
- found a Time cruncher hack expecting registers set by JSR $FD15 ($31/$30/$ff),
  now it's handled correctly in pass 1.
- in verbose mode, now also number of iterations and total cycles taken by the
  simulated CPU are printed, just to see which is the slowest&fastest unpacker.
- raised max iterations to support VERY intensive unpackers like ALZ64, worst
  testcase I found needs 27097007 (0x019D77AF) iterations to finish unpacking.
  This cruncher isn't really meant for crunching programs ranging from $0801 to
  $ff00 due to its slowness, but still has to be supported even when abused =)
  New max value is set to 0x02000000, should be more than enough for anything
  that actually reaches end of unpacking, and won't cause too much delay with
  programs that can't be really unpacked or with endless loops.
- raised max recursion (parameter -c) to 16.
- when return address is $a7ae (RUN), if the unpacker sets start of basic
  pointers $2b/$2c to something different than $0801, it will be printed.
  In any case, if the new basic sysline can't be resolved or does not exist,
  "RUN" will be displayed instead of $a7ae.
  For example: ($a7ae)->(new basic start $4001)->RUN

Scanners added:
- 4Code Zipper v2.S
- 4WD-Soft Packer
- 64'er (Happy-Packer) / Equal Sequences 2.2
- AFLG/M.Pall Autostarter
- BN 1872 Packer
- BN 1872 Intro
- CNCD Classic Packer
- CruelCrunch / RND variant
- DarkSqueezer / G*P
- DSC Packer v2
- ECA / Old Packer
- Excalibur 666 Coder
- Excalibur 666 Packer
- Excell/Ikari Intro (many with similar reloc code)
- FLT-01 intro
- Ikari-06 Intro (Tri-Dos)
- FCG ExProtect
- FX Bytepress / Seen variant
- FinalCart 3 Loader (id only)
- HardPacker/Caution v1.0
- Galleon's FW4C V3.0/V3.1 (sysless&loadback)
- GCS Packer (2 variants)
- GCS Autostarter (2 variants)
- Helmet/TempesT v2.x
- Loadstar Packer
- Loadstar Linker v2.0
- MSCrunch v1.5 / ABS variant
- Oneway Makt-Link v2.0
- QuickPacker/Caution v1.0 (sysless)
- ScreenCrunch / FCG (+xor)
- SledgeHammer v2.x/Trap
- T.L.R. Packer
- T.L.R. Protector v1/v2
- TFG Packer (FCG Packer hack + xor)
- Time Cruncher 3.x/Agile
- Time Cruncher 3.x/S451
- Time Cruncher / Vikings header
- Trilogic Expert v2.9a/Expert User Club
- Trilogic Expert / ASS (probably an hack of some v2.x)
- TSM Packer
- XTC Packer v2.3 / G*P variant
- X-Terminator v3.x / ILS (variable codebytes, sys&sysless, 2 variants)
- Unknown Oneway packer (2 variants)
- Unknown $107 Packer v2.x (probably by Rockstar)
- CC65 v2.x(?): new version detected

Scanners revised:
- 64'er Packer identified, found also an earlier version called Happy-Packer
  (was 64'er Cruncher and SIR Packer); it's a cart-only packer system
  (C) 1987 Peter Arndt, found on 64'er disks. Creates many variants by letting
  user choose different parameters so code is variable. Descriptions and
  versions updated. Endaddress was one byte too much in some versions, fixed.
  Many combinations are not supported yet, but will be added for sure.
- Agile Packer v1.0: Now detects both versions, with sysline and sysless.
- ATT Packer: now detects also "loadback" versions.
- CCS Executer: More variants detected
- CruelCrunch / ILS variant (was CruelCrunch Unknown)
- DarkSqueezer 2.x: relaxed ID to detect some hacks.
- DSC Packer: adjusted start of memory, always writes 2 bytes too much.
- Beeftrucker/Zipplink: separated IDs for $56 (Beeftrucker) and $54 (Zipplink)
- Falco Paul Packer (was Unknown 20CC Packer) found in many Bros cracks aswell.
- FCG Packer 1.0/1.1: fixed End of memory, wrong pointer was used.
- G-Packer/Oxyron: Now detects both versions, with sysline and sysless.
- Galleon's Equal Chars: special version with an LDY before JMP now is patched.
- Idiots v1.0 identified (was Unknown $06 Packer), v1.1 is actually v2.1.
- ILS/RND Coder: now detects 1 variant used in Random imports. Made by Pudwerx?
- ISC Packer: start of memory wasn't set.
- Kompressmaster Packer (was 711 Packer) renamed.
- MasterCompressor/Relax: better return address detection.
- QuickPacker/Caution v2.5 (was Caution Packer v1.x): version identified and
  added sysless version.  QuickPacker V2.1 is actually V2.0 sysless.
- ScreenCrunch: End of memory was always 1 byte too much, fixed.
- SIR Combine v3.x: version with variable startaddress for each saved prg.
- Sledgehammer 2.1: better start of memory detection.
- Supercrunch: better return address detection.
- Super Compressor / Equal chars: start of memory required adding X register.
- TCD Link&Crunch: relaxed ID so it's detected even if the 1st SEI is missing.
  UNP64 doesn't need it, but such programs would fail on a real C64 unless the
  previous packing layer already stops interrupts.
- Time Cruncher 3.1: now detects a variant that RUNs the unpacked program.
- Time Cruncher 4.2/Generic Hack: entry point detected on more sysless variants.
- Time Cruncher 5.0: now detects another variant.
- Unknown $fd Packer: now detects also "loadback" versions.
- Unknown $107 Packer: now detects also "loadback" versions.
- XTC Packer v1.0/2.2 (was XTC Packer v2.x) renamed, they are very similar with
  just one difference. v2.4 is just an hack of v2.2 so it's identified as v2.2.
- XTC Packer v2.3 (was 6Code Zipper) identified.
- XTC Packer v2.x/G*P (was XTC Unknown, slightly different from 2.3 & 2.3/G*P)
- Zipper 3.0: again, start of memory wasn't set correctly. Seems that often
  writes also the byte before the real startaddress ($0fff instead of $1000)
- Petspeed: More variants detected


2.24 - 2010.08.01-2011.01.04
- sysline detection added also during pass 1. Very rarely needed but still
  happened a couple of times that a sysline re-evaluation is done by the
  unpacker so can't be avoided.
- Slightly better $d011 handling, should help bypass more intros.
- Added handling on more alternative kernal entry points
- Limit numeric parameters to $ffff

Scanners added:
- 1001 CardCruncher HTL hack
- 64'er / Equal sequences 4.0D
- BHP Virus
- Bula Virus
- Byte Baby (BYG Compactor hacked with smaller unpacker)
- Byterapers Packer v1.x / v2.x
- CCS Cruncher v1.x/v2.x
- CCS Super Compressor/Equal Sequences hack
- Change Protector v2.0
- CIA Crypt v2.x
- CruelCrunch v1.4 / Light
- CruelCrunch v2.3 / TKC
- Datel UltraCompander Packer (1001 CardCruncher hack)
- DarkSqueezer/DOM
- Entropy Packer
- Expert v1.x (not sure but seems earlier than 2.x, probably Trigsoft UPC1?)
- Expert / 2061 (unidentified)
- Facepacker v1.1
- FCG Packer v1.2 / v1.3
- FinalCart 1/2/3 Split Freeze (mem $0002-$03ff is not restored, rest is ok)
- Flash Protector v3.3
- Flexible Code Compactor v2.x / Kinetic2
- Galleon's $02 Packer
- Galleon's $100 Packer
- Galleon's Alvesta Link (sysless and loadback, bugged loadback prgs are patched
  on the fly before unpacking)
- Galleon's Compactor v3.5 (sysless and loadback)
- Galleon's Compactor v3.6 (sysless and loadback, 2 variants)
- Galleon's Whom Packer 1.0 (sysless)
- Galleon's Whom Packer 1.1 (sysless)
- Galleon's Whom Packer 2.x (sysless)
- Galleon's Whom Packer 4.x (sys+sysless)
- Gentlemen Stat Packer
- HIV Virus (you'd better use HIV-Expert 1.0 on the disk if you find this)
- Huffer v1.0 / FLT
- Huffer v1.1 / Quick Cruncher
- IsePic Defroster/Amigo
- MasterCompressor v3.5 / Channel4
- Matcham Flexer/229
- NM156 Packer
- NM156 Linker
- Packer 64/Taboo
- PAN Packer
- Panoramic Packer v1.0/v2.0/v3.0/v3.1/v3.2
- Plush Emu-Fuxx0r v1/v2 (ID only, needs a real emulator to run, X64SC or HOXS)
- Plush Packer
- Polonus $101 Packer
- Polonus Quartet Protector
- Ratt Packer
- Ratt Linker
- Rebels Packer
- Syncro Packer v1.4
- TKC Bytepress v1.0
- S451-09 intro
- Superpack v4
- Time Cruncher v3.2/S451
- Time Cruncher v3.x/Ikari
- Time Cruncher v5.3/Pamoramic
- THS BitCoder
- Unknown $25 Packer
- Unknown $420 Coder
- Yeti Coder

Scanners revised:
- 1001 CardCruncher old pack: More variants detected.
- 711 IntroDesigner3: save location $3fff in $02 to avoid data corruption.
- ABCruncher: better entrypoint detection even when the SEI is missing.
- BasicBoss Compiler: More variants detected.
- CruelCrunch v2.0: better entrypoint detection even when the SEI is missing.
- DarkSqueezer / Darkfiler v1.0 (was DS/X-Factor, actually by THCM/WOW).
- DarkSqueezer 2.2/XTC/DOM: Relaxed ID to detect some hacks.
- Datel UltraCompander Cruncher identified (was 1001 CardCruncher / 2061) and
  start address correctly set.
- Datel UltraCompander Compactor identified (was Zenith Packer).
- ECA: handles RWE hack which uses $fffe vector triggered by a BRK.
- Equal Byte Compressor v1.2 identified (was ATT Packer, aka EBC+REU256k).
- Equal Byte Compressor v1.4 (previously not versioned, it's the FLT version).
- Expert Cart: Relaxed ID to detect some hacks.
- Exomizer: One more variant detected.
- Facepacker v1.0 (previously not versioned): end address off by one, fixed.
- Freeze Machine identified (was Unknown Freezer Cart).
- Galleon's Compactor v3.8: now detects also "loadback" versions.
- Galleon's Compactor v3.x (was Unknown $100 v1, seems just an hack of 3.6).
- ILS Compacker v2.x/v3.x identified (was X-Terminator v3.x / ILS).
- IsePic: added a variant which isn't even supported by common IsePic onefilers.
- Kress Cruncher identified (was Unknown $ed).
- MDG Packer: Better Return address detection in an uncrypted variant.
- Mr.Cross: More variants detected, f.e. starting at $879.
- Mr.Z Packer: added one more variant and fixed a bug in start addr. detection.
- NSU Packer v1.0 / v1.1: both by Crisp/Action, v1.0 is from Beta Dynamic Comp.
- Packer Optimizer: Now detects another variant.
- Polonus C64/+4/Amiga Packer: better return address detection.
- SIR Combine: filenames normalized in 7 bit ASCII.
- Super Compressor / Equal Chars: More variants detected.
- Super Compressor / Flexible: More variants detected.
- Supercrunch: 1 variant detected and better return address detection. Really.
- Syncro Packer v1.3 identified (was Agile Packer 1.0).
- TBC Multicompactor v1: More variants detected.
- Time Cruncher v5.x: better return address detection.
- Unknown $100 Packer v2.x: Relaxed ID to detect some hacks.
- Unknown $400 Packer: Relaxed ID to detect some hacks.


2.25 - 2011.01.12-2011.05.05
- Fixed a logic bug that only happened on non-packers, causing an endless loop
  in pass 1; now falls in the max_iter check and will break as expected.
- fixed possible division by 0 error in sysline detection when "/" was found.
- Intros are now scanned after packers, to avoid false positives (valid code
  found inside charpacked files)

Scanners Added:
- Action Packer
- Agnus $02 Packer (prolly by Kulfon)
- BeyondForce Packer
- C+C Coder
- Frog Packer (also found as E-Compactor v1/BCC)
- HitMen $02 Packer
- HitMen $20 linker (leaves dirty mem, some HIT cracks link 2 crunched prgs)
- (ID Only) Password Protector: Cop Shocker
- (ID Only) Password Protector: Time Coder/Trap
- (ID Only) Password Protector: Snacky
- (ID Only) Password Protector: TCD
- (ID Only) Password Protector: J-Coder v1.0/JCH
- (ID Only) Password Protector: Oneway
- (ID Only) Password Protector: Unknown [F]
- KGB Coder
- PAN Packer v2.0 (sysless)
- Panoramic Equalizer v1.5
- Pyra Coder v1.x / v2.x
- ThunderCats Packer
- Time Cruncher v5.x / Generic Hack (differences in 1st bytes only)
- Total Packer v1.x
- VIP v1.x
- WHO Coder

Scanners revised:
- 1001 CardCruncher old pack: More variants detected.
- ABCruncher: Now identifies also DJB/ONS hack.
- AbuzeCrunch: Changed ID bytes to detect more hacks.
- Antiram Packer (was GCS Packer) identified.
- DarkSqueezer v0.x -> DarkSqueezer v0.8, I just found v0.1 (which is identical
  to TimeCruncher 3.1/2072) and no other version tagged v0.x. There is no 1.0!
- DarkSqueezer v1.x -> DarkSqueezer v2.1, even v2.0 tags the file as "DS V2.1",
  there is a DS v1.3 around but it's misnamed, aswell as a 2.0+ which is TC3.1;
  v2.0 and v2.1 are assumed equal.
- Expert v2.11 (was Expert/2061) identified, there is a variant with SYS2074.
- IsePic: Changed ID bytes to detect more hacks.
- PUCrunch: Now identifies also some generic hacks.
- Rows Cruncher (was Unknown $152) identified and now detects also SYS version.
- SIR MasterLinker: Now detects another variant.
- SledgeHammer v1.x: Relaxed IDs
- Super Compressor / Equal sequences: fixed bug, now detects more variants.
- Syncro Packer v1.55 identified (was Agile Packer 1.1).
- Syncro Packer (was Agile Packer) v1.2: better return address detection.
- Total Packer v2.0 (was VIP 1.x) identified.
- XTC Packer 1.0/2.x: Relaxed ID to detect some hacks.
- Visiomizer v6.2 (was XTC Packer 1.x) identified.


-=[]=--- iAN CooG/HVSC^C64Intros ---=[]=-
   *> http://iancoog.altervista.org <*
http://hvsc.c64.org|http://intros.c64.org

