
general unpacking question


nullvolt
March 19th, 2001, 16:23
Hi there,
I know there are several tuts around which explain unpacking for different packers. My question is: how do I find out which packer was used? Do they all leave their own sign I should recognize?

Thanks,
so long,
nullvolt.

CoDe_InSiDe
March 20th, 2001, 05:43
Hi nullvolt,

Most of the time you can see that just by examining the sections.
For example with UPX, you'll see section names containing "UPX".
Hope this helps.

Cya...

CoDe_InSiDe

Eternal Bliss
March 20th, 2001, 09:29
Hiya,
There are programs that will sometimes tell you what packers are used. And after a while, you might just be able to recognise what packer is used simply by the code.
protools.cjb.net

Regards
EB

nullvolt
March 21st, 2001, 04:50
Quote:
Eternal Bliss (03-20-2001 06:29):
Hiya,
There are programs that will sometimes tell you what packers are used. And after a while, you might just be able to recognise what packer is used simply by the code.
protools.cjb.net

Regards
EB


Thanks for your help, EB, but I can't seem to find such a program on protools. Do you know its name by chance?

so long,
nullvolt.

splaj
March 21st, 2001, 06:03
Yo nullvolt..... what ya want, ample help.

Try:

www.exetools.com

Nice section called 'file analysers'.

SplAj

SirLeechaLot
March 21st, 2001, 06:27
Hi,

I tried Language 2000, but most of the time it doesn't recognize the format with which the exe is packed, and especially it doesn't show any more info, which is needed for ASProtect.
So which file analyzer shows an exact format?
Any experiences?

Thanks for replying

siRl

splaj
March 21st, 2001, 07:21
Yes this is a good point for newbies, experience is the key.

Overcome the phear and feel the code. Once you are delving in deep you can usually tell the type of code from experience.

ASProtect is one of those that lets you CHOOSE the section name; also you can manually change the section names with PEditor!
So such 'tools' that attempt to recognise the packer for you are useless. The brain beats them all up. Just practise and practise. I could make you an ASPacked file LOOK like UPX!!! After 1 year you get the 'feel'.

I made a tut on unpacking and also inline patching Lockdown 2000 last year; my opening statement was 'I don't know what the f*uck has been used to pack this target..... just for fun let's do some fishing', in an attempt to show an approach and get the feel of how most packers unpack in memory and hand over to the real exe. Most use the aPLib routines anyway! This is taken out from the unpacked CrunchV2.exe from BiTarts:

"aPLib v0.22b - the smaller the better ..Copyright (c) 1998-99 by Joergen Ibsen / Jibz, All Rights Reserved....This copy of aPLib is free for non-profitable use.....For more information: http://apack.cjb.net/ "

Well, a few who tried the tut did e-mail me and correctly identified ASPack.

Well done.

Keep fishing.

SplAj
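Added example (not code from anyone in this thread): a small PE section-table parser that does the three things discussed above in code form. It checks section names against a short table of packer names (CoDe_InSiDe's UPX tip), looks for the aPLib copyright text splaj quotes, and, because splaj points out that section names can be chosen or edited with PEditor, also applies two name-independent heuristics: a section that is empty on disk but large in memory (an unpack destination), and an entry point that sits in the last section (a stub that decompresses the earlier sections and jumps back). The name table, the heuristic thresholds, and the three sample images are all constructed here for illustration; the samples are not real packed programs.

```python
import struct

# Illustrative table of section names packers leave behind (assumption: not
# exhaustive; ASProtect and hand-edited files will not appear here).
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
}

# Text aPLib leaves in stubs built on it (the string quoted in the thread).
APLIB_MARKER = b"aPLib v0."


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40                          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr, "flags": flags})
    return entry_rva, sections


def identify(data):
    """Return a sorted list of findings: named packers plus name-independent heuristics."""
    entry_rva, sections = parse_pe(data)
    findings = set()
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.add("section name: " + PACKER_SECTION_NAMES[s["name"]])
        # Unpack destination: reserved in memory, nothing on disk (threshold is an assumption).
        if s["rsize"] == 0 and s["vsize"] >= 0x1000:
            findings.add("heuristic: empty-on-disk section " + s["name"].decode("latin-1"))
    # A stub that lives in the last section and jumps back into the earlier ones.
    if sections:
        last = sections[-1]
        if last["vaddr"] <= entry_rva < last["vaddr"] + max(last["vsize"], last["rsize"]):
            findings.add("heuristic: entry point in last section " + last["name"].decode("latin-1"))
    if APLIB_MARKER in data:
        findings.add("string: aPLib decompressor")
    return sorted(findings)


def build_sample_pe(sections, entry_rva, payload):
    """Constructed minimal PE32 image for testing only; it is not a runnable program."""
    IMAGE_FILE_MACHINE_I386, PE32_MAGIC, OPT_SIZE = 0x14C, 0x10B, 224
    headers_len = 0x40 + 4 + 20 + OPT_SIZE + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF          # file-align raw data to 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (OPT_SIZE - len(opt))
    table = b""
    for name, vaddr, vsize, rsize, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize,
                             raw_base if rsize else 0, 0, 0, 0, 0, flags)
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_base - len(img)) + payload


# Constructed packed-looking image: UPX names, entry in the stub section,
# aPLib copyright text inside the stub.
PACKED = build_sample_pe(
    [(b"UPX0", 0x1000, 0x10000, 0, 0xE0000080),
     (b"UPX1", 0x11000, 0x1000, 0x200, 0xE0000040)],
    entry_rva=0x11010,
    payload=(b"\x60\xbe\x00\x10\x40\x00" + b"aPLib v0.22b - the smaller the better").ljust(0x200, b"\0"),
)

# Same layout with the section names edited, as PEditor would let you do:
# the name lookup goes quiet, the structural heuristics do not.
RENAMED = build_sample_pe(
    [(b".text", 0x1000, 0x10000, 0, 0xE0000080),
     (b".rsrc", 0x11000, 0x1000, 0x200, 0xE0000040)],
    entry_rva=0x11010,
    payload=b"\x60" * 0x200,
)

# Constructed clean-looking image for comparison: code on disk, entry in .text.
CLEAN = build_sample_pe(
    [(b".text", 0x1000, 0x800, 0x800, 0x60000020),
     (b".data", 0x2000, 0x200, 0x200, 0xC0000040)],
    entry_rva=0x1020,
    payload=b"\x55\x8b\xec" + b"\0" * 0x7FD,
)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, identify(img))
```

To use it on a real file, pass `open(path, "rb").read()` to `identify()`. The renamed sample is the point of the thread: a name table alone is only as good as the packer author's or the reverser's cooperation, while the entry-point and empty-section checks survive a rename and are closer to what the "feel" splaj describes actually keys on.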

The Archivist
March 21st, 2001, 16:30
Well, I guess I should put in a plug for the Information|Identification section of suddendischarge.com, especially FileInfo and GetTyp.