Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-07-2019, 01:47
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 131
Rept. Given: 5
Rept. Rcvd 7 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 14 Times in 14 Posts
rcer Reputation: 7
Finding which packer has been used

Hi,

I am trying to patch a flexlm.dll, from company slb, but the file has been packed, so the normal search routines don't work.
How can I find out which packer has been used?
Reply With Quote
  #2  
Old 09-07-2019, 06:27
atom0s's Avatar
atom0s atom0s is online now
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 251
Rept. Given: 24
Rept. Rcvd 101 Times in 47 Posts
Thanks Given: 42
Thanks Rcvd at 421 Times in 166 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
- DetectItEasy (DIE)
- ProtectionID
- PEiD (With custom signature database otherwise it's pretty trash now.)
- ExeinfoPE
- RDG Packer Detector

Etc. there are a lot of detector apps available to help determine things with ease. Otherwise you can manually investigate the file to look for common traits of popular packers.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
The Following 2 Users Say Thank You to atom0s For This Useful Post:
binarylaw (10-25-2019), niculaita (09-08-2019)
  #3  
Old 09-13-2019, 23:57
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 131
Rept. Given: 5
Rept. Rcvd 7 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 14 Times in 14 Posts
rcer Reputation: 7
O.K.
I tried all the tools you suggested but nonen of them detects the packer used.

PEID doesn't even recognize the dll file as a PE file, and I have no idea where to get the custom signature database file.
Reply With Quote
  #4  
Old 09-14-2019, 02:37
atom0s's Avatar
atom0s atom0s is online now
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 251
Rept. Given: 24
Rept. Rcvd 101 Times in 47 Posts
Thanks Given: 42
Thanks Rcvd at 421 Times in 166 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
Quote:
Originally Posted by rcer View Post
O.K.
I tried all the tools you suggested but nonen of them detects the packer used.

PEID doesn't even recognize the dll file as a PE file, and I have no idea where to get the custom signature database file.
PEiD wont recognize 64bit files. So don't bother finding the custom databases for it if that is the case. You could post the file here and have someone take a look for you though if you still have issues figuring it out though.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
  #5  
Old 09-14-2019, 04:28
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 131
Rept. Given: 5
Rept. Rcvd 7 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 14 Times in 14 Posts
rcer Reputation: 7
O.K. I have uploaded the file.
Would be nice to get some hints about how to unpack this file
Attached Files
File Type: rar SlbLicenseC.rar (3.43 MB, 27 views)
Reply With Quote
  #6  
Old 09-20-2019, 18:29
0xdeadb0b 0xdeadb0b is offline
Friend
 
Join Date: May 2018
Posts: 7
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 6
Thanks Rcvd at 2 Times in 2 Posts
0xdeadb0b Reputation: 0
Sometimes I'm using Virustotal.com for analyzing files, but for rare packers will probably fail
Reply With Quote
  #7  
Old 09-20-2019, 18:47
parrot parrot is offline
Friend
 
Join Date: Sep 2019
Posts: 2
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 1 Time in 1 Post
parrot Reputation: 0
Could you use an external link so people with not enough credits to download can access the file?
Reply With Quote
  #8  
Old 09-21-2019, 14:38
cybercoder cybercoder is offline
Friend
 
Join Date: Aug 2005
Posts: 102
Rept. Given: 2
Rept. Rcvd 11 Times in 8 Posts
Thanks Given: 21
Thanks Rcvd at 42 Times in 27 Posts
cybercoder Reputation: 11
As I can't view it, I cannot look.
Reply With Quote
  #9  
Old 09-21-2019, 17:54
evlncrn8 evlncrn8 is online now
VIP
 
Join Date: Sep 2005
Posts: 175
Rept. Given: 36
Rept. Rcvd 54 Times in 24 Posts
Thanks Given: 46
Thanks Rcvd at 113 Times in 69 Posts
evlncrn8 Reputation: 54
scanned using all the tools ? dont think so..

scanned it with pid (yeh im biased)..

[!] LiCENSE - FlexLM [unknown version] signs detected !
[!] LiCENSE - FlexNET v11.8 signs detected !
[!] DONGLE - NetHASP Network Dongle references detected !

so probably flexlm
Reply With Quote
  #10  
Old 09-21-2019, 23:07
bolo2002 bolo2002 is offline
VIP
 
Join Date: Apr 2002
Posts: 431
Rept. Given: 100
Rept. Rcvd 11 Times in 10 Posts
Thanks Given: 124
Thanks Rcvd at 140 Times in 90 Posts
bolo2002 Reputation: 11
Quote:
Originally Posted by evlncrn8 View Post
scanned using all the tools ? dont think so..

scanned it with pid (yeh im biased)..

[!] LiCENSE - FlexLM [unknown version] signs detected !
[!] LiCENSE - FlexNET v11.8 signs detected !
[!] DONGLE - NetHASP Network Dongle references detected !

so probably flexlm

yes and plenty infos inside the file,slb mean to schlumberger license tool...
__________________
I like this forum!
Reply With Quote
  #11  
Old 09-22-2019, 03:54
evlncrn8 evlncrn8 is online now
VIP
 
Join Date: Sep 2005
Posts: 175
Rept. Given: 36
Rept. Rcvd 54 Times in 24 Posts
Thanks Given: 46
Thanks Rcvd at 113 Times in 69 Posts
evlncrn8 Reputation: 54
Quote:
Originally Posted by bolo2002 View Post
yes and plenty infos inside the file,slb mean to schlumberger license tool...
yep, saw that in the version info, wasnt sure if it was some custom one off company thing or an actual drm / licensing system
Reply With Quote
  #12  
Old 09-26-2019, 02:54
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 131
Rept. Given: 5
Rept. Rcvd 7 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 14 Times in 14 Posts
rcer Reputation: 7
Here is the link:
https://mega.nz/#!wNt3xahA!6QzL0CNkxFZlxzxo7kcReDC7Vqj5LFKG5IVTv-gLo-I

Yes it's flexlm, but the file is only unpacked at run-time, so finding and patching l_pubkey_verify statically is not possible
Reply With Quote
  #13  
Old 09-30-2019, 01:42
nikkapedd nikkapedd is offline
VIP
 
Join Date: Mar 2011
Location: Somewhere In Europe
Posts: 218
Rept. Given: 275
Rept. Rcvd 148 Times in 63 Posts
Thanks Given: 159
Thanks Rcvd at 183 Times in 81 Posts
nikkapedd Reputation: 100-199 nikkapedd Reputation: 100-199
Yes, you can find the flexnet routine only by dumping the file, and fix the relocations..
Or patching the dll on debugging..It's the same obfuscation as other slb programs.
Maybe are using the utility "lmstrip" to obfuscate the routine.. Read the flexnet sdk programmer's guide..
On x86 i have no problem to unpack this obfuscation, but on 64bits is a little different...
Reply With Quote
The Following 2 Users Say Thank You to nikkapedd For This Useful Post:
binarylaw (10-25-2019), niculaita (09-30-2019)
  #14  
Old 10-14-2019, 05:19
rcer rcer is offline
Friend
 
Join Date: Dec 2008
Posts: 131
Rept. Given: 5
Rept. Rcvd 7 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 14 Times in 14 Posts
rcer Reputation: 7
Nikkapedd,

O.K I will have a look into this.
rgds
Reply With Quote
  #15  
Old 10-17-2019, 00:35
Sany Sany is offline
Friend
 
Join Date: Oct 2019
Location: r00t
Posts: 11
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 2
Thanks Rcvd at 6 Times in 3 Posts
Sany Reputation: 0
I use Detect it Easy, it's detecting 90% of all packer version
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Finding Correct EP RaptorX General Discussion 2 02-17-2011 14:53
Finding API Address britedream General Discussion 5 10-05-2006 21:28
finding more code space in an exe jonwil General Discussion 7 05-16-2004 11:21
finding numega softice somashraba General Discussion 0 05-17-2003 20:32


All times are GMT +8. The time now is 07:10.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX