
Unknown packer (sorry)


Peres
November 9th, 2005, 16:32
Hi guys (and girls)

Does anybody know of a protector which is able to compress a whole PE file into a single TEXT section? It's not a simple packer, because it carries antidebugging tricks with itself.

I can't identify it by myself, so any help would be appreciated.

Thanks
Peres

LLXX
November 10th, 2005, 00:44
Does PEiD or any other analyser have any success with it?

It might be a custom designed one-of-a-kind packer, there are quite a few of those around... all the popular ones I can remember (Armadillo, Aspack, Asprotect, UPX, XProtect) create packed files with more than one section.

SiGiNT
November 10th, 2005, 03:32
ExeCryptor loves to fool around with code sections - use Trial Reset or maybe EVA (I don't think it includes ExeCryptor); even if it's not a trial, the reg keys should be detected.

SiGiNT

Peres
November 10th, 2005, 04:57
Quote:
[Originally Posted by LLXX] Does PEiD or any other analyser have any success with it?

It might be a custom designed one-of-a-kind packer, there are quite a few of those around... all the popular ones I can remember (Armadillo, Aspack, Asprotect, UPX, XProtect) create packed files with more than one section.


I wouldn't have asked if my tools had helped me. Anyway, it doesn't look like a custom protector. It features a system service (crypserv.exe) and anti-debugging tricks (via a small debugger spawned by the protected executable itself).

I managed to dump it via Procdump, and I got an image with a destroyed import section. The file had been UPX-ed before! I hope I can make it.

Peres
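
A small static checker, added here as an illustration (it is not code from anyone in the thread and not a CrypKey tool), that puts numbers on the two observations above: LLXX's point that the common packers leave more than one section, and Peres's dump with a destroyed import table. It walks the raw PE headers with the standard library only, counts sections, measures the entropy of each section's raw data, and checks whether the import data directory is empty or points outside every section. The two sample images are constructed in the script itself (a single high-entropy `.text` section with no import directory, and a plain two-section image); the 7.0 bits/byte entropy threshold and the finding names are assumptions of this example, not anything CrypKey-specific.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_IMPORT = 1       # index into OptionalHeader.DataDirectory
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_PACKED = 7.0                   # heuristic threshold in bits/byte (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the raw section; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+ DataDirectory offset
    import_rva, import_size = struct.unpack_from(
        "<II", image, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"sections": sections, "import_rva": import_rva, "import_size": import_size}


def assess(image: bytes) -> list:
    """Return packer/dump indicators; an empty list means nothing suspicious was seen."""
    pe = parse_pe(image)
    secs = pe["sections"]
    findings = []
    if len(secs) == 1:
        findings.append("single_section")
    for s in secs:
        if s["entropy"] >= ENTROPY_PACKED:
            findings.append("high_entropy_section:" + s["name"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable_code_section:" + s["name"])
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        findings.append("import_table_missing")       # what a dumper leaves when imports are gone
    elif not any(s["vaddr"] <= pe["import_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"])
                 for s in secs):
        findings.append("import_table_outside_sections")
    return findings


def build_sample_pe(sections, import_rva=0, import_size=0) -> bytes:
    """Constructed minimal PE32 image (headers + raw section data); parseable, not loadable."""
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    data_off = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)
    struct.pack_into("<I", opt, 60, data_off)               # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    table, body, ptr = b"", b"", data_off
    for name, vaddr, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), vaddr,
                             len(padded), ptr, 0, 0, 0, 0, chars)
        body += padded
        ptr += len(padded)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (data_off - len(head)) + body


# Constructed sample 1: one .text section full of pseudo-random bytes, no import directory.
PACKED_SAMPLE = build_sample_pe(
    [(".text", 0x1000, b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)),
      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

# Constructed sample 2: ordinary layout, imports pointing into .rdata.
CLEAN_SAMPLE = build_sample_pe(
    [(".text", 0x1000, b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 64,
      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (".rdata", 0x2000, b"kernel32.dll\0ExitProcess\0" * 20,
      IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)],
    import_rva=0x2000, import_size=0x28)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, assess(img) or "no findings")
```

On a real file, replace the constructed samples with `open(path, "rb").read()`; a Procdump-style memory dump typically trips `import_table_missing` or `import_table_outside_sections` because the directory still points at pages that no longer hold a valid descriptor array, which is the symptom Peres describes.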

Nacho_dj
November 10th, 2005, 07:55
Hello:

Could you tell us where to find it in the web? (Or PM the name).


Thanks!

Nacho_dj

drizz
November 10th, 2005, 12:47
The crypserv.exe is part of crap... sorry... CrypKey.
I worked on a very old version so I'm no help.

LLXX
November 10th, 2005, 21:21
When you mentioned crypserv.exe that was all that I needed. It's CrypKey. Some digging around on their site found this:

Quote:
When hard drive cloning became common with various easily obtained and inexpensive utilities, CrypKey developed "CloneBuster" technology which averts hard drive copying through accessing and logging the hard drive serial numbers (HDSN). Both CrypKey SDK and CrypKey Instant prevent hard drive copying with this unique "CloneBuster" technology.

You might want to check the reserved sectors of the drive that you're using...
Quote:
Memory Dumping. CrypKey Stealth technology is revolutionary in this area. It divides the program into many small segments and keeps them in random order. Only the segment that needs to be running is unencrypted and executed. When the segment is finished running, it is removed from memory. This defeats the memory "snapshot" technique of hacking, and literally forces the hacker to try and put together a large jigsaw puzzle that has no image on the pieces.

Basically, like Armadillo debug-blocker...
Quote:
prevents reverse engineering

I don't think so... Download the little trial from their site (after spoofing a form) and prove them wrong

Peres
November 11th, 2005, 17:52
Quote:
[Originally Posted by LLXX] I don't think so... Download the little trial from their site (after spoofing a form) and prove them wrong


Sounds like something I will try during my next summer vacation.

Thank you everybody.

Peres