What are the differences between a packer and a crypter?
kbt0000
February 3rd, 2012, 19:31
As far as I know, a packer is partly for anti-reversing and a crypter is to bypass anti-virus programs. So what are the differences between them, if any? Can anybody tell me some basic principles of them? Thanks in advance.
bilbo
February 4th, 2012, 05:44
IMHO
a PE packer is a tool to make the size of an executable smaller
a PE crypter is a tool to encrypt an executable so it cannot be disassembled
a PE protector is a tool containing anti-debugging tricks, so it cannot be debugged
two or more of these attributes can be present in the same tool
Best regards, bilbo
kbt0000
February 4th, 2012, 18:06
Quote (originally posted by bilbo):
IMHO
a PE packer is a tool to make the size of an executable smaller
a PE crypter is a tool to encrypt an executable so it cannot be disassembled
a PE protector is a tool containing anti-debugging tricks, so it cannot be debugged
two or more of these attributes can be present in the same tool
Best regards, bilbo
Thanks, I'm at the first step of getting knowledge. So can anyone tell me more details about their basic principles? I need an outline only.
bilbo
February 5th, 2012, 13:10
IMHO (again), the best way to gain knowledge is not through an abstract outline but by working on some examples (obviously some C and ASM notions are a prerequisite).
The first links I can find are:
http://www.programmersheaven.com/2/PE-Protector
http://www.scribd.com/doc/23256191/How-to-Write-Your-Own-Packer (from CodeBreakers Magazine)
Best regards, bilbo
P.S. UPX (Ultimate Packer for eXecutables) is open source, but I am afraid that if you start from there you will soon be tired before acquiring enough knowledge...
NeonFlash
March 6th, 2012, 10:38
Hi,
I would like to say a few things here. A packer, as already stated above, is a program whose main purpose is to compress the executable. However, it might help to understand better if you know how a packer works.
My suggestion would be to start with some basic and well-known packers like UPX, ASPack and FSG. Also, it would be better if you learn to unpack them manually.
These packers will reduce the size of the executable, which you can test by picking any program like calc.exe or notepad.exe and seeing the effect. IIRC, a compression of up to 60% is possible. However, how this would deter a reverse engineer is as follows:
The Original Entry Point is the key to beginning the analysis of a piece of software. But these packers mess with the OEP and also the Import Table. So, if you attach a debugger to a packed program, you will not land at the OEP. This is what is going to deter you from reverse engineering. However, once you have identified the packer being used, it is straightforward. Manual unpacking is always suggested.
Take a look at the different sections of a packed executable, like .text, .data, .rsrc, .reloc; you will see that some of the sections are merged. Sometimes even the packer's name will be visible in place of the section names. All are good indicators.
Protectors, on the other hand, will detect that they are being debugged and can either crash, terminate, or make you run around in loops until you stop reversing them. This is more fun.
A good example worth stating here is the teLock packer. You will notice that it has a stub similar to other packers like UPX and ASPack, but when you try to unpack it manually in the same way, it will throw an exception, something like a division by zero. In such cases, it is a sign that the packer is also using some protector features to prevent you from analyzing it or locating its entry point.
Hope this will help you to get started and to explore packers and protectors.
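The section-table indicators NeonFlash describes (packer names in place of section names, merged or empty-on-disk sections, an entry point that is not the original one) can be checked mechanically. The script below is an added example and not code from the thread or from any of the packers named in it: it parses the PE section headers by hand with the standard library only, measures the Shannon entropy of each section's raw bytes, and reports the triage hints a defender would look at before deciding whether a sample needs manual unpacking. The two images it inspects are constructed in the script (a plain layout and a UPX-style layout with UPX0/UPX1 sections); the 7.0 bits-per-byte entropy threshold and the reason codes are choices made for this example.

```python
import math
import struct

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names that UPX and ASPack leave in the section table.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                        b".aspack": "ASPack", b".adata": "ASPack"}
HIGH_ENTROPY = 7.0  # bits per byte; threshold chosen for this example


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # same offset in PE32/PE32+
    table = opt + opt_size                    # IMAGE_SECTION_HEADER[] (40 bytes each)
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def packer_indicators(image):
    """Collect (section_name, reason) pairs that suggest the file is packed."""
    entry_rva, sections = parse_pe(image)
    flags = []
    for s in sections:
        name, chars = s["name"], s["chars"]
        if name in PACKER_SECTION_NAMES:
            flags.append((name, "packer_section_name"))
        # Executable section with no bytes on disk: the stub unpacks into it at run time.
        if s["raw_size"] == 0 and s["vsize"] > 0 and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append((name, "executable_but_empty_on_disk"))
        # Executable bytes that look compressed or encrypted rather than like code.
        if s["raw_size"] > 0 and s["entropy"] >= HIGH_ENTROPY and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append((name, "high_entropy_executable"))
    entry_section = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
            break
    if entry_section is None:
        flags.append((b"", "entry_point_outside_sections"))
    elif any(n == entry_section for n, _ in flags):
        flags.append((entry_section, "entry_point_in_suspicious_section"))  # OEP is likely elsewhere
    return {"entry_section": entry_section, "flags": flags, "packed": bool(flags)}


def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image for this example; headers only, not loadable."""
    num, opt_size = len(sections), 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * num
    table, body = bytearray(), bytearray()
    for name, vaddr, vsize, raw, chars in sections:
        ptr = headers_len + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
# Constructed stand-ins: a NOP/RET pattern (low entropy) for real code and every byte
# value in turn (entropy 8.0) standing in for a compressed blob.
PLAIN_CODE = (b"\x90" * 7 + b"\xc3") * 128
PACKED_BLOB = bytes(range(256)) * 4
PLAIN_IMAGE = build_pe(0x1000, [(b".text", 0x1000, len(PLAIN_CODE), PLAIN_CODE, CODE_FLAGS),
                                (b".data", 0x2000, 0x200, b"\x00" * 0x200, DATA_FLAGS)])
PACKED_IMAGE = build_pe(0x6000, [
    (b"UPX0", 0x1000, 0x5000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | CODE_FLAGS | IMAGE_SCN_MEM_WRITE),
    (b"UPX1", 0x6000, len(PACKED_BLOB), PACKED_BLOB, CODE_FLAGS | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x7000, 0x100, b"\x00" * 0x100, DATA_FLAGS)])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_IMAGE), ("upx-style", PACKED_IMAGE)):
        print(label, packer_indicators(img))
```

On the plain layout nothing fires and the entry point sits in .text; on the UPX-style layout UPX0 is flagged as an executable section with no bytes on disk, UPX1 as high-entropy executable data, and the entry point lands in UPX1, which is the "you will not land at the OEP" situation the post describes. These are triage hints, not proof: a legitimately obfuscated or resource-heavy binary can trip the entropy check, so the output is a reason to look closer, not a verdict.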
giv
March 28th, 2012, 00:46
Packer=Compression
Crypter=Obfuscation
Protector=Packer+Obfuscation