Packer detector for .NET


sirp
10-21-2008, 04:16 AM
is there any tool like peid where u can add signatures
..so it shows us with which protection / packer its done ?

Kurapica
10-21-2008, 05:23 AM
I have always wanted to code such tool but I'm too lazy to start, maybe soon I will get busy with this project.

sirp
10-22-2008, 03:56 AM
that would be another of my fav .net reverser tools ,)
..uh and again its from Kurapica hehe

Kurapica
10-22-2008, 08:50 AM
@ Everyone :

to help us complete this little and useful project please post any protected .NET file here and mention the protection used if you manage to know it.

I'm trying to gather as many signatures as I can to make it more useful.

Thanks.

sirp
10-23-2008, 03:23 AM
.NET Reactor (i think)
http://rapidshare.com/files/156705616/reactor.rar.html

sirp
10-23-2008, 03:35 AM
http://rapidshare.com/files/156707811/smartasm.rar.html

i think its smartassembler

sirp
10-23-2008, 03:39 AM
http://rapidshare.com/files/156708339/reactor.rar.html
(another reactor one)

Kurapica
10-23-2008, 04:57 AM
Good work sirp ...

Thanks

cardim
10-23-2008, 12:03 PM
Here's a very complete list with links to almost all available .net protectors...
either for generating his/her packed samples for identification purposes,
or for whatever else 'evaluation' reasons, lol... ;)
http://www.csharp411.com/net-obfuscators/

sirp
10-24-2008, 04:21 AM
come on .net ppl give us more ,)

Kurapica
10-24-2008, 01:43 PM
hmmm ! Why reinvent the wheel !?

I always use Daniel Pistelli's great tools for scanning PE and other stuff, anyway I recommend using this tool for detecting .NET protectors.

http://www.ntcore.com/pedetective.php

I will upload the .NET protectors signatures soon so that you can add them to the tool database.

Kurapica
10-26-2008, 07:02 AM
Here are the signatures of the common .NET protectors.

You must have installed CFF explorer and PE-detective first.

Over-write the file in
"C:\Documents and Settings\All Users\Documents\Explorer Suite Signatures"
and you are done.

http://www.zshare.net/download/5043830233085ca2/

sirp
10-27-2008, 04:48 AM
very nice tip .. will try it out ... but i have to get some hours of rest first hehe it was a 3days awake weekend ..hardly can manage to stay awake in work hehe

sirp
11-06-2008, 05:32 AM
works nice ,m) ... but suddenly i stumbled bout a app
its not packed nor its obfuscated .. and it shows up as a new Reactor version ...
http://rapidshare.com/files/161131910/wrongsig.rar.html

webpat
10-06-2009, 02:29 PM
Hi, first I want to thank the community for these amazing tutorials. Can you please tell me where I can find an updated signatures file for PE detective, the rapidshare link is dead. I'm stuck with one packed dll, I don't know where to start since I don't know the protection.
Do you have any idea about the usage frequency distribution of each packer ?

sirp
10-06-2009, 04:55 PM
try rongchaua's netid it rox ,)
and this for just checkin the compiler
http://www.ntcore.com/pedetective.php

webpat
10-06-2009, 05:23 PM
This tool kicks ass! It has detected a .NetReactor obfuscation type on my target.

Thx.

Git
09-11-2010, 02:22 PM
Over-write the file

@Kurapica - could you upload the PEDetective .NET signature again please?

Git

Kurapica
09-17-2010, 04:01 AM
Hi Git

sorry but it looks like I don't have that file any more, I use the organic way !!! I mean by looking :P

anyway the signatures are obsolete now and I don't think they are useful any more, you can create a new signature using CFF suite.

Git
09-17-2010, 06:25 AM
Let's be honest here, *you* can create a new signature with CFF, I don't have the knowledge :)

Git