Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Finding which packer has been used (https://forum.exetools.com/showthread.php?t=19322)

rcer 09-07-2019 01:47

Finding which packer has been used
 
Hi,

I am trying to patch a flexlm.dll, from company slb, but the file has been packed, so the normal search routines don't work.
How can I find out which packer has been used?

atom0s 09-07-2019 06:27

- DetectItEasy (DIE)
- ProtectionID
- PEiD (With custom signature database otherwise it's pretty trash now.)
- ExeinfoPE
- RDG Packer Detector

Etc. there are a lot of detector apps available to help determine things with ease. Otherwise you can manually investigate the file to look for common traits of popular packers.

rcer 09-13-2019 23:57

O.K.
I tried all the tools you suggested but nonen of them detects the packer used.

PEID doesn't even recognize the dll file as a PE file, and I have no idea where to get the custom signature database file.

atom0s 09-14-2019 02:37

Quote:

Originally Posted by rcer (Post 118288)
O.K.
I tried all the tools you suggested but nonen of them detects the packer used.

PEID doesn't even recognize the dll file as a PE file, and I have no idea where to get the custom signature database file.

PEiD wont recognize 64bit files. So don't bother finding the custom databases for it if that is the case. You could post the file here and have someone take a look for you though if you still have issues figuring it out though.

rcer 09-14-2019 04:28

1 Attachment(s)
O.K. I have uploaded the file.
Would be nice to get some hints about how to unpack this file

0xdeadb0b 09-20-2019 18:29

Sometimes I'm using Virustotal.com for analyzing files, but for rare packers will probably fail

parrot 09-20-2019 18:47

Could you use an external link so people with not enough credits to download can access the file?

cybercoder 09-21-2019 14:38

As I can't view it, I cannot look.

evlncrn8 09-21-2019 17:54

scanned using all the tools ? dont think so..

scanned it with pid (yeh im biased)..

[!] LiCENSE - FlexLM [unknown version] signs detected !
[!] LiCENSE - FlexNET v11.8 signs detected !
[!] DONGLE - NetHASP Network Dongle references detected !

so probably flexlm

bolo2002 09-21-2019 23:07

Quote:

Originally Posted by evlncrn8 (Post 118337)
scanned using all the tools ? dont think so..

scanned it with pid (yeh im biased)..

[!] LiCENSE - FlexLM [unknown version] signs detected !
[!] LiCENSE - FlexNET v11.8 signs detected !
[!] DONGLE - NetHASP Network Dongle references detected !

so probably flexlm


yes and plenty infos inside the file,slb mean to schlumberger license tool...

evlncrn8 09-22-2019 03:54

Quote:

Originally Posted by bolo2002 (Post 118338)
yes and plenty infos inside the file,slb mean to schlumberger license tool...

yep, saw that in the version info, wasnt sure if it was some custom one off company thing or an actual drm / licensing system

rcer 09-26-2019 02:54

Here is the link:
https://mega.nz/#!wNt3xahA!6QzL0CNkxFZlxzxo7kcReDC7Vqj5LFKG5IVTv-gLo-I

Yes it's flexlm, but the file is only unpacked at run-time, so finding and patching l_pubkey_verify statically is not possible

nikkapedd 09-30-2019 01:42

Yes, you can find the flexnet routine only by dumping the file, and fix the relocations..
Or patching the dll on debugging..It's the same obfuscation as other slb programs.
Maybe are using the utility "lmstrip" to obfuscate the routine.. Read the flexnet sdk programmer's guide..
On x86 i have no problem to unpack this obfuscation, but on 64bits is a little different...

rcer 10-14-2019 05:19

Nikkapedd,

O.K I will have a look into this.
rgds

Sany 10-17-2019 00:35

I use Detect it Easy, it's detecting 90% of all packer version :)


All times are GMT +8. The time now is 04:53.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX