EXETOOLS FORUM  

  #16  
Old 12-24-2015, 04:59
mudlord
As a direct response to the leaker, I have documented the main depacker internals. I might do a static unpacker, too.

Quote:
http://www.mudlord.info/blog/?p=286
I have no intention of obfuscation at all. Being transparent should be a goal of any ethical programmer. Hopefully this stops any ideas of people using the packer to pack malware.
  #17  
Old 01-07-2016, 16:53
mudlord
Updated:

* better error handling when handling invalid files (already mupacked files, .NET assemblies, x64 files).
* tested post packing digital code signing.
Attached Files
File Type: zip mupack_pub58.zip‎ (207.9 KB, 28 views)
  #18  
Old 01-07-2016, 21:52
dj-siba
Nice tool

Dragging an executable on mupack_pub.exe won't start packing.
Packing section takes some time, at first I thought it freezes during a while loop or something, it would be nice to have some text like "Wait...Packing" while packing.
Also what about merging all sections into one section? No options tab?

About compression ratio: Have you done some exe packer comparison with similar tools? (uPack/XPack/MEW/..)
__________________
at4re.com
  #19  
Old 01-08-2016, 02:23
mudlord
Quote:
Dragging an executable on mupack_pub.exe won't start packing.
Nice idea, I should add commandline support.

Quote:
Packing section takes some time, at first I thought it freezes during a while loop or something, it would be nice to have some text like "Wait...Packing" while packing.
Another nice idea, I'll add that.

Quote:
Also what about merging all sections into one section? No options tab?
Merging all sections would take a rewrite, although it should help compression ratio. I didn't see the need for an options tab, what options should there be?

Quote:
About compression ratio: Have you done some exe packer comparison with similar tools? (uPack/XPack/MEW/..)
No, I should though.
  #20  
Old 01-08-2016, 08:29
evlncrn8
Blog seems down chief, also Firefox reports the site as serving malware... if I tell it to ignore it I get a 404 on the link you posted for the 'response' ... kinda sucks someone leaked, I know what that feels like.. really makes you question the motives of some people
  #21  
Old 01-08-2016, 10:55
mudlord
Yah, Google in their infinite wisdom blocked my site thanks to some false positives on some demos & files I coded, because I used a packer. And it's impossible to get them to unblock because the review process seems to be entirely automated.

I tried working around it by setting Apache settings to make http://mudlord.info/blog usable instead, but that broke Wordpress entirely.

At least now the people at the taggant team have a PDF of the depacker internals, hopefully they can spread it amongst the cabal so they can autodepack it like UPX.
  #22  
Old 01-08-2016, 16:21
mr.exodia
@mudlord you could try setting a subdomain with some aliasing, but chances are Google blocked your entire domain range
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
  #23  
Old 01-08-2016, 19:57
evlncrn8
automated blacklisting is a recipe for disaster...
  #24  
Old 01-08-2016, 23:35
dj-siba
Quote:
Originally Posted by mudlord View Post
I didn't see the need for an options tab, what options should there be?
There are many:
Strip TLS
Strip Reloc
Strip Debug
Strip Delphi Resources
Don't compress resource
Preserve Overlay
Merge Sections
Compression Algo
...
__________________
at4re.com
  #25  
Old 01-17-2016, 16:47
mudlord
Quote:
Originally Posted by evlncrn8 View Post
automated blacklisting is a recipe for disaster...
I know, but I proved it happened: Managed to unblacklist my site just by password protecting ZIPs/RARs with packed files.

Quote:
Strip TLS
Some executables might need it.

Quote:
Strip Reloc
Might be needed for some executables, mandatory for DLLs.

Quote:
Strip Debug
Useful feature to strip. Will have to do some research to see which section debug data is stored in.

Quote:
Strip Delphi Resources
Could you elaborate?

Quote:
Don't compress resource
Better yet, selectable section compression.

Quote:
Preserve Overlay
Overlay preservation is a feature I must add, especially when there are plenty of Flash games around these days.

Quote:
Merge Sections
Would like to add. Would need to experiment with some things, such as the rebuilt resource section after resources compression.

Quote:
Compression Algo
Private build already does this dynamically depending on the file size. It also does better compression with the default compression algorithm. But what's in there currently that's public is already pretty good as is. It sure beats LZO/aplib/zlib/LZ4/lzss. I have some ideas to further improve the compression algorithm though, but I got a private x64 rewrite in progress though.
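The strip and preserve options weighed in the post above, and the invalid inputs named in post #17 (.NET assemblies, x64 files), all come down to facts readable from the PE headers. The following Python is an added example, not mupack's code and not written by any poster; `triage` and `build_sample` are hypothetical names, and the sample image is constructed inline.

```python
import struct

# Data-directory indices and header constants from the PE/COFF specification.
DIR_RELOC, DIR_DEBUG, DIR_TLS, DIR_CLR = 5, 6, 9, 14
MACHINE_I386, FILE_DLL, PE32, PE32_PLUS = 0x014C, 0x2000, 0x10B, 0x20B

def triage(data):
    """Hypothetical helper: header facts the strip/preserve options depend on."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    try:
        machine, nsect, _, _, _, optsize, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (PE32, PE32_PLUS):
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == PE32 else 112)       # start of data directories
        ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
        def present(i):  # a directory counts only if both RVA and size are non-zero
            return i < ndirs and all(struct.unpack_from("<II", data, dirs + 8 * i))
        raw_end = 0
        for s in range(nsect):  # section header: name, vsize, rva, raw size, raw pointer
            _, _, _, rawsz, rawptr = struct.unpack_from("<8sIIII", data, opt + optsize + 40 * s)
            raw_end = max(raw_end, rawptr + rawsz)
        return {
            "x86_pe32": machine == MACHINE_I386 and magic == PE32,  # False for x64 input
            "dll": bool(chars & FILE_DLL),        # thread: relocs mandatory for DLLs
            "dotnet": present(DIR_CLR),           # CLR header => .NET assembly
            "reloc": present(DIR_RELOC),
            "tls": present(DIR_TLS),
            "debug": present(DIR_DEBUG),
            "overlay_bytes": max(0, len(data) - raw_end),  # data after the last section
        }
    except struct.error:
        raise ValueError("truncated headers") from None

def build_sample(chars=0x0102, dirs=(), overlay=b""):
    """Constructed minimal PE32 image with one 0x200-byte section (test input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", MACHINE_I386, 1, 0, 0, 0, 224, chars)
    table = b"".join(struct.pack("<II", 0x1000, 0x10) if i in dirs else b"\0" * 8
                     for i in range(16))
    opt = struct.pack("<H", PE32) + b"\0" * 90 + struct.pack("<I", 16) + table
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + b"\x90" * 0x200 + overlay
```

Detecting an already mupacked file is left out because the thread does not describe what marks one.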
  #26  
Old 01-18-2016, 17:23
dj-siba
Quote:
Strip Delphi Resources
Could you elaborate?
Strip VCLAL and PACKAGEINFO resources
Quote:
Private build already does this dynamically depending on the file size
Nice, so that's why it's one file drop pack and Go
__________________
at4re.com
  #27  
Old 01-19-2016, 08:22
mudlord
Quote:
Originally Posted by dj-siba View Post
Strip VCLAL and PACKAGEINFO resources
Thanks for the info.

Quote:
Originally Posted by dj-siba View Post
Nice, so that's why it's one file drop pack and Go
Yes, the private build uses a high compression variant of what's in the public build as well as LZMA1. LZMA2 wasn't chosen since that's just 7z related, and not compression algo related. It changes on the fly since LZMA works well on files on large file sizes whereas the LZ77+range coder works well on small-medium file sizes. There is also a tradeoff when using the HC variant of LZ77+range coder, in terms of speed, so that's taken into account too. I'm quite proud of that.

Last edited by mudlord; 01-19-2016 at 08:27.
  #28  
Old 01-19-2016, 21:29
CryptXor
Have you tried alternatives to LZMA by any chance?
  #29  
Old 01-20-2016, 08:02
mudlord
LZMA1 seemed to be one of the best, if not the best for compression ratio vs decompressor size.
  #30  
Old 03-16-2016, 05:29
mudlord
Started work on dj-siba's requests, next version will have at least commandline support for integration into MSVC and other things.
Attached Images
File Type: jpg CdUaIigUEAAJ9im.jpg large.jpg‎ (86.2 KB, 12 views)
All times are GMT +8.