Unknown packer signature! Help


retrokode
August 20th, 2007, 08:26
Hey folks!

Last week I tried to analyze and break the protection of an application (written in Delphi, as I saw in ResHacker); since then I'm facing a problem... I know the application is protected, all resources are packed, so I decided to analyze it with PEiD. The problem: PEiD simply doesn't recognize the packer, or even the crypto algo, simply nothing! And the weirdest thing is that while ResHacker showed me that it seems to be a Delphi application, PEiD showed that it seems to be an MSVC compiled exe!!!! That is confusing me...
Finally I found another PE analyzer, called PEPirate; I opened the EXE with it and it showed that the EXE is packed with SDProtector Pro 1.16! That was a good thing, I thought, because I also found a tool written by Loveboom to unpack SDProtector-packed exes! Another problem: the tool reported that the application is not packed with SDProtector!!!!

My question is:
1. Are there similarities between the SDProtector signature and other packer signatures?
2. Why does PEiD recognize it as MSVC when the application seems to be a Delphi exe?
3. What is the best way to try to unpack that exe when I don't even know what protection was used?

Thanks for the help. Regards!

blurcode
August 20th, 2007, 09:02
You can try dumping it from memory and looking for "Boolean", "False", "True", "WideChar", "Char", "Smallint", "Integer", "TObject" etc., probably at the start of the dump. If it has those it is surely compiled with Delphi; if it has "fb:C++HOOK" it is compiled with C++ Builder.
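
blurcode's string heuristic, as an added Python example that is not from the thread: it scans a dump for the Delphi type names above in their length-prefixed ShortString form (which is how Delphi RTTI stores them, so the same words in ordinary text do not match) and for the C++ Builder marker. The function names and the sample "dumps" are constructed for this example, not taken from any real binary.

```python
import re

# Type names blurcode suggests looking for in a memory dump of a Delphi binary.
DELPHI_TYPE_NAMES = (b"Boolean", b"False", b"True", b"WideChar", b"Char",
                     b"Smallint", b"Integer", b"TObject")
CPPBUILDER_MARKER = b"fb:C++HOOK"

def delphi_markers(data: bytes) -> dict:
    """Count each Delphi RTTI name in ShortString form: one length byte
    followed by the name (e.g. b'\\x07Boolean'), which cuts false positives."""
    hits = {}
    for name in DELPHI_TYPE_NAMES:
        pattern = re.escape(bytes([len(name)]) + name)
        n = len(re.findall(pattern, data))
        if n:
            hits[name.decode()] = n
    return hits

def guess_compiler(data: bytes, min_markers: int = 3) -> str:
    """C++ Builder marker wins outright; Delphi needs several distinct RTTI names."""
    if CPPBUILDER_MARKER in data:
        return "C++ Builder"
    if len(delphi_markers(data)) >= min_markers:
        return "Delphi"
    return "unknown"

# Constructed sample "dumps" (not real binaries) so the block runs stand-alone.
SAMPLE_DELPHI = (b"\x00" * 16 + b"\x07Boolean\x00" + b"\x05False\x04True"
                 + b"\x08WideChar" + b"\x07Integer\x00" + b"\x07TObject")
SAMPLE_CPPB = b"\x00" * 8 + b"fb:C++HOOK" + b"\x07Boolean"
SAMPLE_MSVC = b"This program cannot be run in DOS mode" + b"Boolean Integer"

if __name__ == "__main__":
    for label, blob in (("delphi", SAMPLE_DELPHI), ("cppb", SAMPLE_CPPB), ("msvc", SAMPLE_MSVC)):
        print(label, guess_compiler(blob), delphi_markers(blob))
```

The unprefixed "Boolean Integer" in the MSVC-style sample is deliberately not counted, which is the point of matching the ShortString form rather than the bare word.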

naides
August 20th, 2007, 09:14
http://71.6.196.237/forum/showthread.php?t=9262&highlight=packer+signatures

h*tp://www.egrupos.net/grupo/rvlcn/ficheros/5/verFichero/25/RDGPackerDetectorv0.5.8.rar


For some inspiration

retrokode
August 20th, 2007, 09:31
First, thx to blurcode and naides...

Guys! I will take a look at the tips you've given me, and will crack my head a lot... But again I wanna thank you for the help... This is really driving me crazy...


P.S.: Naides, your link is down...

Thx, regards to all...

JMI
August 20th, 2007, 10:33
retrokode:

The first link being down should have "inspired" you to "think" about what you want. You are "looking" for "RDGPackerDetectorv0.5.8.rar" are you not? .....

Does ANYTHING come to mind? Something vaguely like a *cough* search engine????? Now it is true that I found only two links, and one of them was the one you reported was not working, but what about the other one???

If you look "carefully" at the post by fly, a master cracker in his own right, you could figure out a URL that will get you what you want. I was able to download it without problem.

Regards,

retrokode
August 30th, 2007, 14:31
Yeah JMI, I get what you've said! I was able to download it too, I'm endlessly sorry!!!! But now I have another doubt:

I have discovered what the packer is thanks to RDGPacker (even being so old): it's packed with SoftDefender Pro 1.12.
Then I downloaded the Loveboom tool, the SDProtector 1.16 unpacker, but it doesn't work; it says that it's not packed with SDProtector 1.16, and truly it's not!! heheheh

Now! I found a lil tut teaching how to unpack SDProtector 1.12; it teaches how to find the real OEP (worst way), and after that, rebuild the IAT (I couldn't do it)... I wanna know if one of you, including you JMI, could help me with this!!! Unpack this crap of soft packed with this packer... I've been trying this since the beginning of August!

But I'll not give up, because real crackers don't give up!

Thanks JMI, js, and all of you!!! Bye

SiGiNT
August 31st, 2007, 01:45
There are a few packers out there that mimic signatures of other packers. What sections does Olly show? That yields a glimpse of the inner workings. No packer identifier is perfect, and RDG will always tell you an unpacked or sometimes unidentifiable file is packed with MoleBox. Post your sections and we may have a clue. Also you can try ProtectionID - primarily for gamers, but sometimes it surprises you. One more suggestion: try using Qunpack - it actually works sometimes.

SiGiNT

Sorry guys, I'm still around - way too much work, not enough money!!! But maybe I'll try to make a point of harassing again. I see JMI is getting soft in our old age (judging by his post in this thread!)
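
SiGiNT's advice to read the section table rather than trust a signature database, as an added Python example that is not from the thread: it walks the PE section headers the way a debugger's memory map shows them and flags the layout traces packers leave (a section with no raw data but a large virtual size, a near-incompressible section, a section that is both writable and executable). The sample image is constructed inside the block and is not runnable; the function names are mine.

```python
import math
import struct

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits/byte; 8.0 means incompressible (packed or encrypted)."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def pe_sections(data: bytes) -> list:
    """Walk the section table: (name, virtual_size, raw_size, characteristics, entropy)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    off = e_lfanew + 24 + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # skip optional header
    out = []
    for _ in range(nsect):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]
        out.append((name.rstrip(b"\0").decode(), vsize, rsize, chars, round(entropy(raw), 2)))
        off += 40
    return out

def packer_hints(sections: list) -> list:
    """Signs of a packed layout, independent of any signature database."""
    hints = []
    for name, vsize, rsize, chars, ent in sections:
        if rsize == 0 and vsize:
            hints.append(f"{name}: no raw data, {vsize:#x} bytes reserved (unpack target)")
        if ent > 7.0:
            hints.append(f"{name}: entropy {ent} (compressed or encrypted payload)")
        if chars & 0x20000000 and chars & 0x80000000:  # IMAGE_SCN_MEM_EXECUTE and MEM_WRITE
            hints.append(f"{name}: writable and executable (code written at run time)")
    return hints

def build_sample_pe() -> bytes:
    """Constructed, non-runnable image with the layout a UPX-style packer leaves behind."""
    secs = [(b"UPX0", 0x8000, b"", 0xE0000080), (b"UPX1", 0x2000, bytes(range(256)) * 8, 0xE0000040),
            (b".rsrc", 0x200, b"A" * 0x200, 0x40000040)]
    ptr = 0x40 + 24 + 40 * len(secs)  # raw data follows DOS stub, COFF header and section table
    table, body = b"", b""
    for name, vsize, raw, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0, len(raw), ptr if raw else 0, 0, 0, 0, 0, chars)
        body, ptr = body + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0x010F)  # no optional header
    return dos + coff + table + body
```

Running `packer_hints(pe_sections(build_sample_pe()))` on the constructed image yields four hints, two for the empty RWX UPX0 section and two for the maximum-entropy RWX UPX1 section, while the plain .rsrc section produces none.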

LLXX
August 31st, 2007, 02:06
Real reversers don't need to care what the packer is exactly, since they all work generally the same. Just start tracing and observe what it does. (In Chinese we call packer "shell", and in the same way someone would crack a chicken's egg, they can also crack an ostrich's.)

retrokode
August 31st, 2007, 11:21
All that was said is surely true! I agree with you guys, but I'm not as skilled a cracker as you guys; I'm starting out (not such a noob), but I tried almost every way to unpack this soft, and got nothing! Ah! SiGiNT, as you said too, I tried to use Qunpack and it crashed my PC when finding the OEP... my computer restarted without warning (maybe some shit with RAM) :P

Then what I did: since I know you guys could help me with this hard work, and since I'm not having success :'( I wanna post here a link for you to download it and try to help me. I don't want you to think badly of me, or misunderstand, but I'm disappointed with myself because I can get nothing with this prog... So, it would be a pleasure if you, or one of you, could help me... If it is not possible then I give up and you can close this thread and I will find another thing to do...

the link: [LINK DELETED - have you learned nothing here yet?]

Please, help me with this!

JMI
August 31st, 2007, 13:09
retrokode

I guess it's time for me to "straighten you out," since you clearly are on a one way trip to "self-destruction."

You apparently have not read the Friggin FAQ, or at least have not understood what it is telling you you may do and what you may not do.

Let's be frank. So the only thing you have apparently attempted to do is "identify" the packer for your target, so that you could try some form of "cookie-cutter" unpacker on that target. One can only conclude from your descriptions that you truly have almost no idea what reverse engineering is all about, if you can't "click" on a button from someone's ready made tool.

Reverse Engineering is a "process" which takes considerable time and effort. By this I don't mean "time attempting to find a ready made tool to do the work for you." This simply demonstrates that you do not appear to be "serious" at all about "reversing" and only want to achieve the "thrill" of having "someone else/someone else's tool" do all the work for you.

If you had actually READ and UNDERSTOOD the FAQ you would KNOW that this is not the place where you can "post a link" to some software and ask someone else to DO YOUR WORK FOR YOU!!!

So, at this point, you should take your own suggestion and "give up" and find "another thing to do" because you, so far, have clearly indicated you don't want to take the time necessary to actually learn what you are trying to do.

Regards,

retrokode
August 31st, 2007, 18:23
Well, sorry guys! Sorry JMI... and all you...

I'll try other ways to do it... thanks to all!



Bye!

SiGiNT
September 12th, 2007, 15:00
Hey LLXX,

I'm truly offended. I guess I'm not a real reverser, since unpacking the 20 or so variations of ASPack and UPX now bores me after doing it over and over again - I always prefer automation to rote work. Anyway, I never claimed to be a "real" reverser, since there is no definition of that.

SiGiNT

LLXX
September 15th, 2007, 22:54
I'm not saying one should always unpack manually; only that that should be the method used when one encounters an unfamiliar packer, and that after the first time one shall write a tool to automate the work, in similarity to why the use of calculators by those who have not learned arithmetic is strongly frowned upon by the education community (though not as much now, unfortunately).