Exetools  

#1
08-31-2015, 11:21
mudlord
mupack

This is a small executable packer that I have been working on and off for some time. The public build is restricted compared to the private one, but it still packs alright. There are some bugs:

Known bugs:
* Resources are not compressed in certain cases. Might redo resource compression to fix this.
* TLS callbacks with DLLs don't work fully. TLS callback tables and ptrs need to be relocated via the relocs.
* Proxy TLS callback not implemented. I guess this is a feature as atm it works like an antidebug trick. Ideally it should handle TLS callbacks cleanly to ease debugging.
* Crash when unpacking VBA-Ms Wx build. Not sure why, need to fix the above TLS issue before fixing this. This would make debugging a lot easier.
* Digital code signing when executables are packed does not work.

Source code:
Quote:
https://github.com/mudlord/mupack
Attached Files
File Type: zip mupack_pub.zip (214.3 KB, 40 views)

Last edited by mudlord; 07-05-2016 at 07:43.

#2
10-05-2015, 03:51
mudlord
Updated:
* Rewrote resource compression. Fixes a known bug of not compressing executables in certain cases.
Attached Files
File Type: zip mupack_pub.zip (214.1 KB, 25 views)

#3
11-09-2015, 04:15
mudlord
Updated:

* Rewrote TLS callback emulation. As a result, there is preliminary TLS callback in DLL support as well as easier debugging of EXE/DLL files with TLS callbacks. I found one case where TLS callbacks/index variables in DLLs don't work properly, need to debug that use case more.
* More work on handling uncompressed resources, fixes some bugs.
Attached Files
File Type: zip mupack_pub.zip (209.7 KB, 24 views)

#4
11-10-2015, 06:49
mudlord
Updated:

* Fixed any TLS regressions from last build. DLL support for TLS callbacks is still preliminary, though.
* Now updates the PE file checksum.
* Added a small TLS callback on TLS-using executables to fix any possible invalid TLS addresses.
Attached Files
File Type: zip mupack_pub.zip (210.0 KB, 36 views)

#5
11-11-2015, 04:43
giv
Cool utility.
I guess the unpacking will not be difficult, as I see in the stub:
Code:
0049A000 m>  BB 00000000           MOV EBX,0x0
0049A005     E9 03000000           JMP mupack_p.0049A00D
0049A00A     C2 0C00               RETN 0xC
0049A00D     8D83 00A04900         LEA EAX,DWORD PTR DS:[EBX+<ModuleEntr>
0049A013     53                    PUSH EBX
0049A014     50                    PUSH EAX                              ; mupack_p.0041F394
0049A015     8D83 7EA04900         LEA EAX,DWORD PTR DS:[EBX+0x49A07E]
0049A01B     FFD0                  CALL EAX                              ; mupack_p.0041F394
0049A01D     8D83 94F34100         LEA EAX,DWORD PTR DS:[EBX+0x41F394]
0049A023   - FFE0                  JMP EAX                               ; mupack_p.0041F394
Attached Files
File Type: rar mupack_pub_dump_SCY.rar (216.8 KB, 18 views)
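
The stub listing in post #5 is regular enough to fingerprint. As an added example (not from the thread and not mupack's own code), this Python sketch matches the opcode bytes of that listing with every 32-bit operand wildcarded and resolves the three `LEA EAX,[EBX+imm32]` targets. The function and field names are made up here, and labelling the CALLed routine as the depacker and the final jump target as the original entry point is an assumption.

```python
import re
import struct

# Byte pattern transcribed from the entry-point listing posted in the thread.
# Every 32-bit operand is wildcarded so the match survives a different layout.
STUB_RE = re.compile(
    rb"\xBB(?P<ebx>.{4})"            # MOV EBX, imm32
    rb"\xE9\x03\x00\x00\x00"         # JMP +3 (skips the RETN below)
    rb"\xC2\x0C\x00"                 # RETN 0xC
    rb"\x8D\x83(?P<stub>.{4})"       # LEA EAX,[EBX+imm32]  stub address
    rb"\x53\x50"                     # PUSH EBX ; PUSH EAX
    rb"\x8D\x83(?P<depacker>.{4})"   # LEA EAX,[EBX+imm32]  routine that is CALLed
    rb"\xFF\xD0"                     # CALL EAX
    rb"\x8D\x83(?P<oep>.{4})"        # LEA EAX,[EBX+imm32]  target of the final jump
    rb"\xFF\xE0",                    # JMP EAX
    re.DOTALL,                       # let '.' match 0x0A inside operands
)


def match_stub(entry_bytes):
    """Return the stub's decoded addresses, or None if the bytes do not fit."""
    m = STUB_RE.match(entry_bytes)
    if m is None:
        return None
    ebx = struct.unpack("<I", m["ebx"])[0]

    def resolve(field):
        # LEA EAX,[EBX+imm32] with 32-bit wraparound, as the CPU computes it.
        return (ebx + struct.unpack("<I", m[field])[0]) & 0xFFFFFFFF

    return {
        "stub_len": m.end(),
        "stub_va": resolve("stub"),
        "depacker_va": resolve("depacker"),   # assumed role of the CALL target
        "oep_va": resolve("oep"),             # assumed original entry point
    }


# Constructed sample: the 37 opcode bytes shown in the listing, joined together.
SAMPLE_STUB = bytes.fromhex(
    "bb00000000" "e903000000" "c20c00" "8d8300a04900" "53" "50"
    "8d837ea04900" "ffd0" "8d8394f34100" "ffe0"
)

if __name__ == "__main__":
    print({k: hex(v) for k, v in match_stub(SAMPLE_STUB).items()})
```

Post #7 later reports the entry point shrinking to 34 bytes, so this 37-byte pattern fits only the build disassembled in post #5.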

#6
11-11-2015, 06:23
mudlord
Yeah, my private builds focus on compression ratio, using completely different compression algorithms. I designed it to be easy to depack. Figured there's no point in trying protection since people will crack it anyway. The public build is there so there is no real loss if people misuse it, although there might still be a possibility of that happening. Pity the taggant scheme for packers is a crock of sh*t. (only useful for commercial stuff, not freeware) And digital signatures do nothing too.

Plus, many packers like ASPack, PESpin and mpress seem to miss crucial things like proper TLS callback support. I guess now I need to work out overlay support, and fully reentrant DLL entry points. (so it doesn't needlessly depack itself over and over)

Atm I am trying to debug a nice (as in, interesting and hard) test case with DLLs with TLS. For some reason there is one flaw there, but other DLLs with TLS callbacks work fine. Dunno if it's something to do with reentrancy though.

#7
12-15-2015, 08:44
mudlord
Do not share outside EXETools.com, otherwise development will cease.

Updated:
* removed asmjit, replaced with Xbyak.
* added DLL reentrancy.
* saved bytes in entrypoint, down to 34 bytes.
* removed aplib (lzss based), replaced with a lz77+arithmetic coder backend:
double the depacker size (around 360 bytes compared to 160 bytes for aplib), yet a much improved compression ratio, nearing the private packer build's compression ratio in some cases, which uses LZMA.
Attached Files
File Type: zip mupack_pub54.zip (189.1 KB, 54 views)

#8
12-16-2015, 00:21
bolo2002
Quote:
Originally Posted by mudlord
Do not share outside EXETools.com, otherwise development will cease.

You can't avoid it, the only way is to share it with private people that you trust with in.
__________________
I like this forum!

#9
12-16-2015, 18:10
mudlord
True, but I can ask for some common basic human decency?

I guess that is too much to ask for? If that's the case, might as well stop dev already. So far I haven't noticed any leaks which is nice, hopefully it stays that way, otherwise development can go back to being completely private.

#10
12-20-2015, 21:14
mudlord
Yep, as proven by the most recent leak and using download credits on some website (so in practise, it being sold)....
So instead, will stick to people that I know and trust, like what was done a few months ago.
At least with that, might as well experiment with taggants too down the track.

#11
12-21-2015, 15:04
giv
From past experience the "developers" will take your program and edit the resources to wipe your name and put theirs in the credits and sell your thing as theirs.
Many of my scripts were sold too for hundreds of EUR even though I put them on sites for free.
This happened with CodeCracker tools and many other developers' work.
So for me it is a strong "NO" to putting my work out for free, because I know what will happen next.

#12
12-21-2015, 21:17
mudlord
In that case, no point releasing the x64 port when it's finished.

#13
12-24-2015, 04:59
mudlord
As a direct response to the leaker, I have documented the main depacker internals. I might do a static unpacker, too.

Quote:
http://www.mudlord.info/blog/?p=286
I have no intention of obfuscation at all. Being transparent should be a goal of any ethical programmer. Hopefully this stops any ideas of people using the packer to pack malware.

#14
01-07-2016, 16:53
mudlord
Updated:

* better error handling when handling invalid files (already mupacked files, .NET assemblies, x64 files).
* tested post packing digital code signing.
Attached Files
File Type: zip mupack_pub58.zip (207.9 KB, 31 views)

#15
01-07-2016, 21:52
dj-siba
Nice tool

Dragging an executable onto mupack_pub.exe won't start packing.
Packing section takes some time, at first I thought it freezes during a while loop or something, it would be nice to have some text like "Wait...Packing" while packing.
Also, what about merging all sections into one section? No options tab?

About compression ratio: have you done some exe packer comparison with similar tools? (uPack/XPack/MEW/..)

All times are GMT +8.