Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Fool packer detector (https://forum.exetools.com/showthread.php?t=8144)

acme 09-15-2005 03:30

Fool packer detector
 
How and what methods exist to fool a packer detector? Changing the EP can induce a PE identifier to identify a file packed with X instead of Y... what about?

Avenger 09-15-2005 05:43

If you want to cover a big range of packers, I think you should know all of the detection algorithms, or it's easy, if you have the 'PEiD' source code, to get the detection algorithm!

If you have full awareness of 'PE structures', your knowledge is more than mine! And you can teach me your way!

Unforgiv3N 09-15-2005 05:52

Try FakeSigner
www.dotfix.net

Whiterat 09-15-2005 06:26

FakeSigner:
http://forum.exetools.com/showthread.php?t=7797

or

Killing PEid detection Tutorial by KaGra

netxman 09-15-2005 08:56

Really hard to get registered.

Messer 09-15-2005 20:24

I also wrote a tool for this matter. It is script-based and there are also some scripts included: hxxp://rapidshare.de/files/2443319/k_muh-v0.6.rar

Feedback would be welcome.

acme 09-15-2005 21:32

Seems to be very interesting, I'm studying it but I have some difficulty understanding the German language... can you post some documentation in English? Thanks in advance. New version and update notices are often appreciated :)

thanks,

acme

WerEsT 09-15-2005 21:42

acme
Use this to kill PEiD detection:
http://download.ahteam.org/files/oursoft/epprotector.zip

dj-siba 09-15-2005 22:12

The best way is to write your own crypter to crypt the loader of your packed exe.

Messer 09-15-2005 22:23

The main idea is to reproduce the code at the OEP of a packer or protector and put it in a new section. Then place your code there and change the EP to this location. You just need to find out where you can place a jump to the OEP in this code without destroying the stack or the registers.

BTW, it may be a good idea to debug the injected code to see what it does and what is restored. Here is a little commented script:

GETENTRYPOINT var0 -> store entrypoint in var0
GETIMAGEBASE var1 -> store imagebase in var1
ADD var0 var1 -> var0=entrypoint + imagebase

GETSECTIONCOUNT var2 -> store numberofsections in var2
ADDSECTION >.text 0 1000 0 200 E0000020 -> add a new section to the exe, named .text with VOffset=automatic & ROffset=automatic and RSize=VSize=0. Characteristics E0000020
GETSECTIONROFFSET var3 var2 -> store ROffset of new Section in var3
GETSECTIONVOFFSET var4 var2 -> store VOffset of new Section in var4
SETENTRYPOINT var4 -> New Entrypoint of PE-File is var4 (VOffset of new Section)
SEEK var3 -> Move Filepointer to var3 (ROffset of new Section)
PUTBYTE F 8B 44 24 08 83 F0 00 74 00 68 00 00 00 00 C3 -> Put 0xF bytes (8B 44 ...): mov eax,[esp+8] / xor eax,0 / je $+2 / push imm32 / ret
ADD var3 A -> var3+=0xA (file offset of the push imm32 operand inside the stub)
SEEK var3 -> Move Filepointer to var3
PUTDWORD 1 var0 -> Put 0x1 dword at Offset var3 (Build OEP-Jump: the push/ret now lands on entrypoint + imagebase)

I hope this helps a little bit. Just start your debugger and you will see what was done. Don't use k_muh on Windows EXEs like calc, because there is important information stored in the PE header of these files.

Maybe I will rewrite the readme.

acme 09-16-2005 01:38

Good, useful clarification... I've observed how it works and also wrote an example script for testing purposes. In some cases the app crashes, but I think that is a result of my dirty script....

Thanks again,

acme

taos 09-16-2005 03:00

The more "easy" way is making an XOR encryption of your loader; PEiD will say "unknown", but this is only to mislead PEiD. To avoid reversing, use a better crypt scheme.

SlashZero 09-18-2005 07:18

http://dl2.rapidshare.de/files/4735596/86788709/peidverarschentun.rar

Maybe that's useful for you.. disassemble them to get an idea of how it's done.
They are pure asm so it's easy to understand.

If you want to implement some known packer/crypter, get a decent userdb.txt and use these EP scans to generate your own fake packer EP.

[edit]
I just got told that these exe files got packed with k_muh by Messer ;)
So it seems his tool did nice work.
[/edit]

Veritas 09-18-2005 22:35

Another example to fool PEiD (only tested on an unpacked/uncrypted binary):

- Search for a code cave in your binary caused by alignment
- Just set a JMP to Original EntryPoint there
- Change EntryPoint to this JMP and realign PE header
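The tricks in this thread (Messer's stub written by the script above, SlashZero's userdb.txt EP scans, Veritas's JMP to the OEP from a code cave) share one trait: the bytes at the EP are a signature-shaped stub that immediately hands control to another section. The added example below is not code from the thread or from k_muh; it shows why an EP-only signature match is easy to fool and what an analyst can check instead: it matches a constructed userdb-style signature against Messer's 15-byte stub, then follows the stub (push/ret or jmp) to its real target and flags that the target lies in a different section than the EP. The stub bytes, the signature and the section table are constructed sample data, and the OEP 0x00401000 is a placeholder.

```python
import struct

# Constructed sample data, not from the thread: the 15-byte stub written by
# Messer's k_muh script, PUSH immediate patched to placeholder OEP 0x00401000.
STUB = bytes.fromhex("8B442408" "83F000" "7400" "6800104000" "C3")
# Hypothetical userdb.txt-style entry (?? = wildcard), not a real PEiD signature.
FAKE_SIG = "8B 44 24 08 83 F0 00 74 00 68 ?? ?? ?? ?? C3"
# Constructed section table (name, VA, virtual size); the last entry is the
# appended section holding the stub, named .text just as the script names it.
SECTIONS = [(".text", 0x401000, 0x5000), (".rdata", 0x406000, 0x1000),
            (".text", 0x407000, 0x1000)]

def ep_signature_matches(code, sig):
    """EP scan the way a signature detector does: byte match with ?? wildcards."""
    toks = sig.split()
    return len(code) >= len(toks) and all(
        t == "??" or int(t, 16) == b for t, b in zip(toks, code))

def resolve_ep_stub(code, ep_va):
    """Walk a small EP stub and return the VA where control really ends up.
    Handles the instructions in this thread's stubs (mov eax,[esp+i8], xor eax,i8,
    forward je rel8, push imm32/ret, jmp rel32/rel8); anything else ends the walk with None."""
    i = 0
    while i < len(code):
        op = code[i]
        if code[i:i + 3] == b"\x8b\x44\x24":               # mov eax,[esp+imm8]
            i += 4
        elif code[i:i + 2] == b"\x83\xf0":                 # xor eax,imm8
            i += 3
        elif op == 0x74 and i + 1 < len(code) and code[i + 1] < 0x80:  # je rel8, forward only
            i += 2 + code[i + 1]
        elif op == 0x68 and code[i + 5:i + 6] == b"\xc3":  # push imm32 / ret
            return struct.unpack("<I", code[i + 1:i + 5])[0]
        elif op == 0xE9:                                   # jmp rel32
            return ep_va + i + 5 + struct.unpack("<i", code[i + 1:i + 5])[0]
        elif op == 0xEB:                                   # jmp rel8
            return ep_va + i + 2 + struct.unpack("<b", code[i + 1:i + 2])[0]
        else:
            return None
    return None

def section_of(va, sections):
    """(name, start) of the section containing va, or None."""
    return next(((n, s) for n, s, size in sections if s <= va < s + size), None)

def ep_redirects_out_of_section(code, ep_va, sections):
    """True when the EP stub hands control to a section other than the one the
    EP lives in, the trait every trick in this thread has in common."""
    target = resolve_ep_stub(code, ep_va)
    return target is not None and section_of(target, sections) != section_of(ep_va, sections)
```

A signature scan alone reports whatever the stub was copied from; following the stub to its target and comparing sections is what exposes the redirection.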

