
View Full Version : packed files


Brill0
July 11th, 2001, 12:28
Is there a way to tell what a program has been packed with, and then unpack it, or do you have to look at it with SoftICE?
Another thing, if you have some free time: how can a program detect if it has been modified? I change a jz to like a jmp or nop it out and it picks it up somehow???

CoDe_InSiDe
July 11th, 2001, 13:28
Hi Brill0,

"Is there a way to tell what a program has been packed with, and then unpack it, or do you have to look at it with SoftICE?"

SoftICE is not especially needed to know what kind of Packer/Encrypter has been used.
You can simply check the Section Names for some suspicious names; for example, with UPXed files a Section Name looks like "UPX0".
To be more Version specific, that's tougher ;D
And to Unpack it, you can try to Manually Unpack it or otherwise find an Unpacker for this Packer/Encrypter.

"How can a program detect if it has been modified? I change a jz to like a jmp or nop it out and it picks it up somehow?"

Then there's probably a CRC check.
A CRC check makes a unique Checksum out of the file and Compares that created Checksum with another (Original) Checksum.
If they're not equal, the CRC fails and you probably get an Error box.
Otherwise it continues the Program.
So you need to find that "weak" spot where it Compares or replace the (Original) Checksum with the newly created Checksum.
Hope this helps.

Cya...

CoDe_InSiDe
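
The section-name check described in the post above, as an added example that is not part of the original thread: it reads the PE section table and reports packer hints. Only "UPX0" comes from the post; the other table entries, the function names and the constructed sample header are assumptions made for illustration.

```python
import struct

# Section-name hints. "UPX0" is the name given in the post; the other
# entries are commonly seen names added here for illustration. Section
# names are easy to rename, so a match is a hint, not proof.
PACKER_HINTS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                ".aspack": "ASPack", ".adata": "ASPack"}

def section_names(data):
    """Return the section names of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    (count,) = struct.unpack_from("<H", data, coff + 2)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size             # section table follows optional header
    names = []
    for i in range(count):
        off = table + 40 * i                 # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8]              # name: 8 bytes, NUL padded
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names

def packer_hints(data):
    """Return the sorted packer names suggested by the section names."""
    return sorted({PACKER_HINTS[n] for n in section_names(data)
                   if n in PACKER_HINTS})

def build_sample(names):
    """Constructed header-only PE stub (no code) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections

if __name__ == "__main__":
    sample = build_sample(["UPX0", "UPX1", ".rsrc"])
    print(section_names(sample), packer_hints(sample))
```
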

Clandestiny
July 11th, 2001, 13:36
Hiya,

I replied to a question along these very same lines a few weeks ago. Check out the following post for a few clues on how to locate the CRC.

http://usa3.hostrack.net/woodmann/Ultraboard/Public/HTML/B8/1777-1.topic.html

Regards,
Clandestiny

Brill0
July 12th, 2001, 21:43
thanks for the info,