At first it's strongly recommended to read this manual with care and to the end. If you call functions without any sense the program may crash or you even may get BSOD and potentially lose some data. Only some of the functions can be called in arbitrary order also only some of the functions should be called because some of them are used for internal purposes and this manual clearly states such cases.
You can take a look at Lua scripting language manual (included in Scripts folder (Lua Manual.html) also www.lua.org) to learn more about scripts also you can examine examples of scripts from Scripts folder (*.txt files).
If something works the wrong way or not the way it's intended to work read this manual for about 5 more times and only then report a bug. :)
And now follow extra functions and variables that can be called and used in the scripts.

---------------------------------------------------------------
Functions
---------------------------------------------------------------

number AddBreak(number where,number type1,number type2)
where-address to put a break on
type1-can be equal to the following values:
	1-opcode breakpoint (1 byte). The only difference from the standard breakpoint is in the opcode which adds a bit stealth
	2-standard and well-known 0xCC break
	3-hardware break in DR0 register
	4-hardware break in DR1 register
	5-hardware break in DR2 register
	6-hardware break in DR3 register
type2-on what condition to put a break. Can be equal to the following values: 0-on execution, 1-on memory write, 3-on memory write and read. This value is used only then debug register is chosen (type1=3-6) it may equal any value otherwise
result-true if the breakpoint was enabled; false if error occurred (for example there are too many breakpoints (see DeleteBreak()))
The function adds a breakpoint to the breakpoint list. This newly added breakpoint is disabled by default (see EnableBreak()). Hardware breaks on memory write and on memory write and read have size of 1

number AddMemoryBreak(number start_addr,number size)
start_addr-start address of memory to break on
size-size of memory to break on
result-true if the breakpoint was set; false if error occurred (for example wrong range)
The function needs for the interrupt 14 to be hooked (see Hook()) and sets memory breakpoint on execution on passed range of pages. When the breakpoint is hit, it's removed. Don't expect it to work without PAE enabled

number AddModuleToUnhookList(string library)
library-library name which export shouldn't be hooked
result-always 0
The function add the given library to a list of libraries whose export shouldn't be hooked if this option is set (see import_meth). If library export is already hooked it gets unhooked

number AddSection(string name,string body, number size)
name-name of a section
body-data to be written to a section
size-size of data to be written to a section
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function adds to the end of a dumped file section and writes data to it. The file should be dumped before calling this function (see Dump())

number Attach()
result-always 0
The function allows to attach to a running process. The effect is similar to pressing Attach to process button on the main program window. All the information about previously unpacked process will be lost. The function is not thoroughly tested yet so it's not recommended to use it very often

number AttachFast(number PID,number thread_id)
PID-process id of the process to attach to
thread_id-id of the thread in the process to attach to
result-always 0
The function is similar to the Attach() but doesn't show window with processes. It uses all the current settings and changes just process and thread (useful when packer uses 2 processes like Armadillo). victim_base and jmp_to_oep should be fixed manually

number CheckMemory(number address)
address-address to check
result-0 if memory isn't commited, 1-PAGE_NOACCESS, 2-else, 3-PAGE_GUARD
The function checks memory at the given address. Address is VA

number ClearImport()
result-always 0
The functions clears import table for the file being unpacked

number ClearLog()
result-always 0
The function clears all output log

number ClearModules()
result-always 0
The functions clears modules list for the file being unpacked. Used mostly for internal purposes

number ClearRelocs()
result-always 0
The functions clears relocation table for the file being unpacked

number ClearUnhookList()
result- 0
The functions clears list of libraries whose export shouldn't be hooked if this option is set (see import_meth)

number Continue(bool skiphooked)
skiphooked-determines if this function returns when hooked export table breakpoint was triggered or keeps executing
result-always 0
The function lets the program run similar to Run button in OllyDbg. Keep in mind when the program hits a breakpoint, this break will be automatically disabled (see EnableBreak()). Sometimes program may unexpectedly die it'll be good to check this (see break_where) before doing anything else

number CutSections()
result-0 if success; -1 if error occurred (for example process is dead)
The function cuts last sections. When using this function it's usually necessary to rebuild TLS (see ProcessTLS()) and resources (see ProcessResources()). The function should be called only after the process was dumped (see Dump())

bool DeleteBreak(number where)
where-address of a breakpoint
result-true if the breakpoint was disabled; false if error occurred (for example the breakpoint wasn't found in the list)
The function deletes the breakpoint at the given address from the breakpoint list

number DeleteBreakAll()
result-always 0
The function deletes all breaks including memory breaks

number DeleteLastSection()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function deletes last section in the dumped file. The file should be dumped before calling this function (see Dump())

number DeleteMemoryBreaks()
result-always 0
The function deletes all the memory breakpoints set

number Detach()
result-always 0
The function allows to detach from the process. The function is not thoroughly tested yet so it's not recommended to use it very often

bool DisableBreak(number where)
where-address of a breakpoint
result-true if the breakpoint was disabled; false if error occurred (for example the breakpoint wasn't found in the list)
The function disables the breakpoint at the given address

number DisableBreakAll()
result-always 0
The function disables all breaks

bool Disasm(number where)
where-address to disasm from
result-0 if error occurred (for example the memory couldn't be read); 1 if OK button or Enter were pressed; 2 otherwise
The function disassembles the code at the given address and shows it to the user

number Dump()
result-0 if success; -1 if error occurred (for example process is dead)
The function makes dump of the process to the memory. Before saving this dump to disk (see SaveFile()) necessary operations should be made first (restore import, relocations, TLS, overlay)

number DumpForRelocs()
result-0 if success; -1 if error occurred (for example process is dead)
To restore relocations (only for a DLL) one should either run extra DLL instance (see PreLoad()) or use this function. You should get to the OEP first and then call this function. The process then should be killed and started again only after that one can call RestoreImportRelocs() to rebuild relocations

number EmulateCPUID(number active)
active-can be equal to the following values: 0-disable emulation, 1-enable emulation
result-always 0
The function needs for the interrupt 13 to be hooked (see Hook()) and hardware virtualization engine and sends request directly to the driver so it's not recommended to use it very often. Disabled by default

number EmulateRDTSC(number active,number shift)
active-can be equal to the following values: 0-disable emulation, 1-enable emulation
shift-see time_delta
result-always 0
The function needs for the interrupt 1 and interrupt 13 to be hooked (see Hook()) and sends request directly to the driver so it's not recommended to use it very often. Disabled by default

bool EnableBreak(number where)
where-address of a breakpoint
result-true if the breakpoint was enabled; false if error occurred (for example the breakpoint wasn't found in the list)
The function enables the breakpoint at the given address. Keep in mind that after break was added it should be enabled because it's disabled by default. It also should be enabled after it was hit because then the program hits the breakpoint it disables the breakpoint automatically

number ExecuteFunction(string library, string function, number arg1, number arg2, number arg3, number arg4, number arg5)
library-full path to the library from which the function should be executed
function-function name which should be executed
arg1-arg5-arguments for this function
result-eax register value after the function was executed if success; -1 if error occurred (for example, the library wasn't found)
The function executes the given function from the given library with the given parameters in the context of the process to unpack. The library is automatically loaded in the context of the process to unpack (see LoadExtraLibrary()). Keep in mind that all 5 arguments must be passed! If function takes less than 5 arguments zeros should be added

number Find(string buf,number length,number start,number end)
buf-string with data to find
length-size of buf in bytes
start-address to start the search from in VA
end-address to and the search in VA
result-address with the found sequence of bytes; 0 if error occurred (for example process is dead) or nothing found
The function searches for the given sequence of bytes from the given address to the given address and returns address found at or 0 in case of error. The byte order in the memory is the same as byte order in the string. The function searches for the exact sequence of bytes so the given buffer should contain exact string of bytes
(example: "\104\101\108\108\111" denotes a string "hello"; it may also be supplied as string.char(0x68,0x65,0x6c,0x6c,0x6f))

number FindByMask(string buf,number length,number start,number end)
buf-string with data to find
length-size of buf in bytes
start-address to start the search from in VA
end-address to and the search in VA
result-address with the found sequence of bytes; 0 if error occurred (for example process is dead) or nothing found
The function searches for the given sequence of bytes from the given address to the given address and returns address found at or 0 in case of error. The byte order in the memory is the same as byte order in the string. The function allows using of wildcard (example: "558?EC")

number FindOEP()
result-OEP of the target; 0 if error occurred
The function shows well-known window with an OEP finder choice. The result of it's work is returned by the function

number FullUnpack()
result-always 0
The function stands for complete unpack. This function is called then one presses Full unpack button in the main program window. You should set all the values in the main program window for this function to work properly

number GetModuleAddress(string library)
library-library name which address should be obtained
result-address of the library if success; 0 if error occurred (for example, the library wasn't found)
The function returns address of the given library or 0 in case of error

number GetOrdinalAddress(string library,number ordinal)
library-library name from which address of the function should be obtained
ordinal-function ordinal which address should be obtained
result-address of the function if success; 0 if error occurred (for example, the function wasn't found)
The function returns address of the function with the given ordinal from the given library or 0 in case of error

number GetProcAddress(string library,string function)
library-library name from which address of the function should be obtained
function-function name which address should be obtained
result-address of the function if success; 0 if error occurred (for example, the function wasn't found)
The function returns address of the given function from the given library or 0 in case of error

number Hook(number victim_id, number int1, number int13, number int14)
victim_id-PID of the process to unpack
int1,int13,int14-what to do with the interrupt. Can be equal to the following values: 0-do nothing, 1-hook, 2-unhook
result-always 0
The function sends the request directly to the driver. Used mostly for internal purposes so it's strongly recommended to leave it uncalled BSOD possible otherwise. Interrupts 1, 13 and 14 are hooked by default and the victim_id equals PID of the process to unpack

string IdentifyAddressLib(number address)
address-address inside library to be identified
result-library name; -1 if address wasn't found
The function returns name of the library which contains specified address

string IdentifyFuncLib(number address)
address-address of the import function to be identified
result-library name; -1 if function wasn't found
The function returns name of the library which contains specified import function

string IdentifyFuncName(number address)
address-address of the import function to be identified
result-function name; -1 if function wasn't found
The function returns name of the import function which address was specified

string IdentifyFuncOrdinal(number address)
address-address of the import function to be identified
result-function ordinal; -1 if function wasn't found
The function returns ordinal of the import function which address was specified

number ImportAdd(number RVA)
RVA-address of the instruction which uses import (call dword ptr[xxx], jmp dword ptr[xxx], mov eax,dword ptr[xxx], etc.)
result-0 if success; 1 if reading of the given memory failed; 2 if the instruction doesn't seem to use import; 3 if import function wasn't recognized
The function uses only static methods to identify function, it fails in case of redirected import functions (see ImportTraceAdd())

number ImportTraceAdd(number RVA)
RVA-address of the instruction which uses import (call dword ptr[xxx], jmp dword ptr[xxx], mov eax,dword ptr[xxx], etc.)
result-0 if success; 1 if reading of the given memory failed; 2 if the instruction doesn't seem to use import; 3 if tracing failed
The function uses tracing to identify the function

number/string InputValue(string caption,string default)
caption-caption of an input window
default-default string to be shown in the edit
result-string or number that was entered; -1 if cancel was pressed
The function shows a window with given string as a caption and edit to input and returns entered string or number or -1

number InputYesNo(string caption,string text)
caption-caption of an yes/no window
text-text of an yes/no window
result-0, if No was pressed; 1, if Yes was pressed
The function shows window with given caption and text and Yes and No buttons and returns result which button was pressed

number IsEnabled(number where)
where-address of a breakpoint
result-enabled counter if the breakpoint is enabled; 0 if the breakpoint is disabled or error occurred (for example the breakpoint wasn't found in the list)
The function returns if the breakpoint at the given address enabled or not. The function was made just in case of a memory loss :)

number IsExist(number where)
where-address of a breakpoint
result-exists counter if the breakpoint exists; 0 if the breakpoint doesn't exist
The function returns if the breakpoint at the given address exists or not. The function was made just in case of a memory loss :)

number KillTimer()
result-always 0
The function kills a timer set by TerminateOnTimer

number LoadExtraLibrary(string library)
library-full path to the library which should be loaded
result-0 if success; -1 if error occurred (for example, library wasn't found)
The function loads the given library in the context of the process to unpack

number ModuleHook(number module_base)
module_base-imagebase of the module
result-always 0
The function adds a module with the given imagebase to a list of modules and hooks it's export if this option is set (see import_meth)

number ModuleUnhook(number module_base)
module_base-imagebase of the module
result-always 0
The function unhooks export of the given module. It's export won't be hooked again

number NextInstr(number where)
where-address of an instruction
result-address of the following instruction; 0 if error occurred (for example, bad address was given)
The function returns address of the instruction following a given instruction

number Pause(string message)
message-message to be shown in the MessageBox
result-always 0
The function pauses script execution and shows message. When one presses OK at the message window script continues to execute

number PreLoad()
result-0 if the process was terminated; 1 if success or if the unpacked file is an EXE file and Use force unpacking at the main program window is unticked
The function is used for Force unpacking (about this you can read at Readme.eng.txt) and for restoring relocations (only for a DLL). Before restoration of relocations (see RestoreImportRelocs()) either this function should be called or DumpForRelocs(). OEP at the main program window (also see jmp_to_oep) should be set before the function is called. The main difference from DumpForRelocs() is that it gets to the given OEP by itself and kills the process also by itself; when using DumpForRelocs() one should get to the OEP oneself at first and kill the process also oneself (see Terminate())

number ProcessDelphiInit(bool static)
static-static or dynamic tracing
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function restores Delphi Initialization table if delphi_init is true. The function should be called before SaveFile() and after the process was dumped and sections were cut

number ProcessExport()
result-0 if success; -1 if error occurred (for example process is dead)
The function processes export and writes it immediately to a separate section .edata. It's not mandatory to call this function. Only if export doesn't get in the dumped file (usually when last sections are cut (see CutSections())), this function should be called. The function should be called only after the process was dumped (see Dump())

number ProcessOverlay()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function takes overlay from the source file and adds it to the end of the file if append_overlay is true. The function should be called immediately before SaveFile() and after the process was dumped, import and if needed relocations and TLS were restored

number ProcessRelocs()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump() and DumpForRelocs() or PreLoad())
The functions processes and saves relocations. May be used also with EXE files in that case just nulls the pointer in header. The function should be called only after the process was dumped (see Dump()) and dumped for relocs (see DumpForRelocs() or PreLoad())

number ProcessResources()
result-0 if success; -1 if error occurred (for example process is dead)
The function rips and rebuilds resources. Rebuilt resources are not saved to the file immediately (see SaveResources()). It's useful to cut unused sections (see CutSections()). The function should be called only after the process was dumped (see Dump())

number ProcessTLS()
result-0 if success; -1 if error occurred (for example process is dead)
The function processes TLS and writes it immediately to a separate section .tls. It's not mandatory to call this function. Only if TLS doesn't get in the dumped file (usually when last sections are cut (see CutSections())), this function should be called. The function should be called only after the process was dumped (see Dump())

number ReadMem(number where,number size)
where-address to read the data from
size-size of data to read in bytes, can be equal to the following values: 1, 2, 3, 4 (and 5, 6, 7, 8 for x64)
result-read bytes; 0+error message in the log if error occurred (for example process is dead)
The function reads the given number of bytes of data from the given address and returns read bytes or 0 in case of error. The byte order in the result is the reversed byte order in the memory

number ReadMemDump(number where,number size)
where-address to read the data from, should be given in RVA form!
size-size of data to read in bytes, can be equal to the following values: 1, 2, 4
result-read bytes; 0 if error occurred
The function is identical to ReadMem() but reads the data from the dump. The function should be called only after the process was dumped (see Dump())

string ReadMemLarge(number where,number size)
where-address to read the data from
size-size of data to read in bytes
result-string with read bytes
The function reads the given number of bytes of data from the given address and returns string with read bytes. The byte order in the result is the same as byte order in the memory

number RemoveLastSEH(number handler)
handler-address of the handler returned by SetLastSEH()
result-always 0
The function removes the exception handler set by SetLastSEH() and may be used while manual import tracing to avoid some program crashes when the function being traced isn't import function

number RestoreImportRelocs()
result-0 if success; -1 if error occurred (for example process is dead)
The function restores import and relocations (only for a DLL, to restore relocations either Use force unpacking (see PreLoad()) or DumpForRelocs() and ProcessRelocs() functions are needed) with the chosen recovery method (see import_meth). They are immediately written to the separate sections .idata and .relocs. The function should be called only after the process was dumped (see Dump())

number Resume()
result-thread's previous suspend count; -1 if error occurred (for example thread is dying)
The function resumes the thread to unpack after Suspend() and fills some debug structures. Used mostly for internal purposes

number ResumeAllOther()
result-always 0
The function resumes the other threads to unpack after SuspendAllOther() and fills some debug structures. Used mostly for internal purposes but may be used while manual import recovery for the other threads not to interfere

number SaveFile()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function saves the dumped process from memory to disk. The function should be called the last one when any other needed things are already done with the unpacked process (process dumped, import and if needed relocations, TLS and overlay were restored)

number SaveImport()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function saves import to the file. The function should be called after the process was dumped

number SaveResources()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The function saves the resources to a separate section .rsrc. The function should be called only after the resources were ripped from the process (see ProcessResources())

number SetLastSEH()
result-address of the handler in the allocated memory
The function sets an exception handler by means of SetUnhandledExceptionFilter function and may be used while manual import tracing to avoid some program crashes when the function being traced isn't import function. Keep in mind that under x64 this function rarely saves because of idiotic stack unwinding

number SetMainBreaks()
result-always 0
The function sets main breakpoints. It's automatically called in Start() and it allows to watch loaded modules, hook export table in them (if appropriate option is set, see import_meth) and protect debug registers from reading from and writing to them (if appropriate option is set, see protect_dr)

number ShowImport()
result-0 if success; -1 if error occurred (for example, you didn't dump the process, see Dump())
The functions shows a window with import table which allows to edit it manually

number Start(bool stopsystem)
stopsystem-should it stop at system break or later, meaningful to EXE only
result-always 0
The function loads chosen EXE or DLL file in memory. The function only starts the process or also puts a breakpoint at the EP (entry point) or at the TLS Callback (if present) and the program stops at this break according to the passed parameter. Keep in mind that if you stop at system breakpoint you won't be able to use DR till EP and some functions may fail, use it your own risk

number Stop()
result-always 0
The function stops the unpacking process. Unpacking thread will be killed (similar to Kill target button in the main program window)

number Suspend()
result-thread's previous suspend count; -1 if error occurred (for example thread is dying)
The function suspends the thread to unpack. Used mostly for internal purposes

number SuspendAllOther()
result-always 0
The function suspends the other threads to unpack. Used mostly for internal purposes but may be used while manual import recovery for the other threads not to interfere

number Terminate()
result-always 0
The function kills the process to unpack. All the information about unpacked process will be lost any further work with it will be impossible

number TerminateOnTimer(number timeout)
timeout-timer timeout in ms
result-always 0
The function sets a timer which terminates a process to unpack on expiration (see also KillTimer)

number Trace()
result-always 0
The function makes one step using TF or breakpoint (see use_tf). Don't use this function too often it's rather slow and may be detected by antidebugging techniques. Sometimes program may unexpectedly die it'll be good to check this (see break_where) before doing anything else

number TraceAndReplace(number where)
where-address to trace
result-always 0
The function uses Trace() to go through breakpoint at given address and then enables the breakpoint back. The function is connected to automatic breakpoint disabling (see EnableBreak()) and used mostly for internal purposes. Sometimes program may unexpectedly die it'll be good to check this (see break_where) before doing anything else

number Wait()
result-always 0
The function loops in a breakpoint handling cycle and fills some debug structures. Used mostly for internal purposes

number WriteEx(string line, bool dobreak, bool bald, number textcolor)
line-string for the output into the log
dobreak-if the text should be output from the new line
bald-if the font is bald
textcolor-text color
result-always 0
The function is an advanced output of any information into the log. One may also use variables instead of string (see WriteLog())

number WriteLog(string line)
line-string for the output into the log
result-always 0
The function outputs any information into the log. One may also use variables instead of string. For example, WriteLog(EAX)

number WriteMem(number where,number buf,number size)
where-address to write the data to
buf-variable to write the data from
size-size of data to write in bytes, can be equal to the following values: 1, 2, 3, 4 (and 5, 6, 7, 8 for x64)
result-number of bytes written; 0 if error occurred (for example process is dead)
The function writes the given number of bytes of data to the given address from the given variable and returns number of bytes written or 0 in case of error. The byte order in the memory is the reversed byte order in the variable

number WriteMemDump(number where,number buf,number size)
where-address to write the data to, should be given in RVA form!
buf-variable to write the data from
size-size of data to write in bytes, can be equal to the following values: 1, 2, 4
result-number of bytes written; 0 if error occurred
The function is identical to WriteMem() but writes the data to the dump. The function should be called only after the process was dumped (see Dump()). The byte order in the memory is the reversed byte order in the variable

number WriteMemLarge(number where,string buf,number size)
where-address to write the data to
buf-string to write the data from
size-size of data to write in bytes
result-number of bytes written; 0 if error occurred (for example process is dead)
The function writes the given number of bytes of data to the given address from the given variable and returns number of bytes written or 0 in case of error. The byte order in the memory is the same as byte order in the string

---------------------------------------------------------------
Variables
---------------------------------------------------------------

bool autosave_log-enable or disable log autosaving, logs are written into Logs folder if strings>=5000. By default equals the chosen at the main program window checkbutton state

bool append_overlay-enable or disable overlay appending. By default equals the chosen at the main program window checkbutton state

number break_where-address at which current breakpoint was triggered. Can be equal to the following values in special cases:
	0xf00-process died. Sometimes program unexpectedly dies. To prevent useless script execution after a program ran for some time (Continue(), Trace(), TraceAndReplace()) it'll be good to check against this value
	0xf08-thread is dying and can die any moment, mostly used for internal purposes
	0xf10-SingleStep. Arises while TF (trace flag) usage, mostly used for internal purposes
	0xf11-Memory Break. Arises when memory breakpoint was triggered
	0xf12-CPUID Break. Arises when CPUID breakpoint was triggered
	0xf20-breakpoint on function from hooked export table occurred, mostly used for internal purposes
	0xf30-bUnhandledSingleStep. SingleStep occurred but it wasn't caused by us, mostly used for internal purposes
	0xf31-bUnhandledBreak. Break occurred but it wasn't caused by us, mostly used for internal purposes
	0xf32-bUnhandledBreakMem. BreakMem occurred but it wasn't caused by us, mostly used for internal purposes
	0xf40-bDr0. Hardware breakpoint occurred at Dr0 register
	0xf41-bDr1. Hardware breakpoint occurred at Dr1 register
	0xf42-bDr2. Hardware breakpoint occurred at Dr2 register
	0xf43-bDr3. Hardware breakpoint occurred at Dr3 register

number cut_module-cut sections at given RVA. By default equals Cut module at value in the main program window

bool cut_sections-enable or disable last sections removal and directories processing. By default equals the chosen at the main program window checkbutton state

bool delphi_init-enable or disable restoration of Delphi initialization table. Turn this on only if you are sure that this is Delphi program. By default equals the chosen at the main program window checkbutton state

bool direct_refs-enable or disable inclusion of call xxx/jmp xxx/mov reg,imm functions into import table. By default equals the chosen at the main program window checkbutton state

bool execute_functions-enable or disable import function execution while tracing import. By default equals the chosen at the main program window checkbutton state

string file_name-full path and name of a file being unpacked

number first_base-useful with PreLoad() and DLLs, determines the imagebase for a ghost DLL

number image_size-size of image, this variable after dump (see Dump()) equals size of image, before dump but after reading file from disk equals size of image from file, else equals 0

number import_meth-import recovery method. Will the export table of the loaded modules be hooked depends on it (see SetMainBreaks()) and the import recovery method itself (see RestoreImportRelocs()). Can be equal to the following values: 0-Do not recover, 1-Smart method, 2-Smart method+tracer, 3-Load libraries only. If this variable equals 2 the export table of the loaded modules will be hooked. By default equals the chosen at the main program window radiobutton state

number import_rva-put import table at this RVA instead of adding extra section. By default equals Import RVA in the import program window

bool is_dll-is it dll being unpacked or not. you shouldn't change this value

number jmp_to_oep-OEP for the program to unpack, can be used for PreLoad(). This is RVA! By default equals OEP in the main program window

bool leave_direct_refs-leave call xxx/jmp xxx/mov reg,imm import functions as they are without converting to call []/jmp []/mov reg,[]. By default equals the chosen at the main program window checkbutton state

bool long_import-import hooking uses short but suspicious trampoline or long but more safe. Short trampoline also involves unmapping of module and allocating memory. By default equals the chosen at the main program window checkbutton state

number module_end-treat this number as the end for the module while processing import. The number is used to skip pointers that lead into the module. This is RVA! By default equals End of module for import in the main program window

string parameters-parameters to be passed to the application to unpack. By default equals Parameters in the main program window

bool path_libs-enable or disable restoration of full path for import libraries. By default equals the chosen at the main program window checkbutton state

number platform-equals 32 or 64. you shouldn't change this value

bool process_relocs-enable or disable relocations processing. By default equals the chosen at the main program window checkbutton state

bool protect_dr-enable or disable protection of the debug registers. The protection will work only if appropriate function was called (SetMainBreaks()). By default equals the chosen at the main program window checkbutton state

bool suspect_functions-enable or disable inclusion of suspect functions into import table. By default equals the chosen at the main program window checkbutton state

number thread_id-ID of the current thread in the process to unpack. Used mostly for internal purposes so it's strongly recommended to leave it unchanged

number time_delta-two RDTSC instructions or GetTickCount calls will give the following difference: random(0-255)+delta. If the most significant bit is set in delta QuickUnpack calculates the delta itself and adds low part to smooth time on interrupt. Keep in mind that this hook is system-wide. By default equals Time delta in the main program window

bool unhook_inaction-enable or disable dynamic export unhooking, this improves speed but needs no be disabled upon import processing. By default equals false

bool use_force-use force unpacking of not. By default equals the chosen at the main program window checkbutton state

bool use_tf-Trace() uses TF or disassembler to calculate next instruction address and set breakpoint. By default equals the chosen at the main program window checkbutton state

number version-equals 40300. you shouldn't change this value. it may be used only to decide can some script be run on current version or not. I'm not going to ensure complete compatibility with previous versions in order not to turn QuickUnpack into some monster like windows :) so it'll be good if some script is run only on version it's designed for but I'll try to maintain compatibility with previous versions

number victim_base-imagebase the file to unpack is loaded at. Used mostly for internal purposes so it's strongly recommended to leave it unchanged

number victim_handle-handle of the process to unpack. Used mostly for internal purposes so it's strongly recommended to leave it unchanged

number victim_id-PID of the process to unpack. Used mostly for internal purposes so it's strongly recommended to leave it unchanged

State of the process to unpack is described by the following variables (for x64 the names are the same, just extended size):
number EAX-eax/rax register
number EBX-ebx/rbx register
number ECX-ecx/rcx register
number EDX-edx/rdx register
number EIP-eip/rip register
number EBP-ebp/rbp register
number ESP-esp/rsp register
number ESI-esi/rsi register
number EDI-edi/rdi register
number EFLAGS-eflags/rflags register. you shouldn't change this value
number DR0-dr0 register. you shouldn't change this value
number DR1-dr1 register. you shouldn't change this value
number DR2-dr2 register. you shouldn't change this value
number DR3-dr3 register. you shouldn't change this value
number DR6-dr6 register. you shouldn't change this value
number DR7-dr7 register. you shouldn't change this value
number CS-cs register. you shouldn't change this value

The following registers are x64 only:
number R8-R8 register
number R9-R9 register
number R10-R10 register
number R11-R11 register
number R12-R12 register
number R13-R13 register
number R14-R14 register
number R15-R15 register