#1
determining packer version on packed exe
Hello, I would like to know how you guys determine the packer version just by looking at the exe file? Or is there any other way?
For example, a program packed with ASPack: how would you know which ASPack version is being used to pack it? Or if an exe file is packed, how would you know which packer it used? Thanks
Last edited by rix; 10-14-2003 at 13:33.
#2
hi rix,
You can use some tools to check if the program is packed and which version it has:
- Stud_PE hxxp://itimer.home.ro/
- PEiD hxxp://protools.anticrack.de/files/utilities/peid.zip
- PE-Scan hxxp://protools.anticrack.de/files/utilities/pe-scan.zip
With Stud_PE, you will find the name of the packer in the "signature" section.
[Edit by JMI: No clickable links Please, not even to tool sites.]
bye Rheya
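What these tools do under the "signature" tab is simple to reproduce. The following is an added example, not code from this thread or from Stud_PE, PEiD or PE-Scan: a small PEiD-style scanner in Python that parses the PE headers, maps AddressOfEntryPoint to a file offset, compares the bytes found there against a signature table with wildcards, and additionally reports packer-typical section names. The signature table, the version labels, the section-name hints and the sample PE builder are constructed for the example; the ASPack byte pattern (60 E8 72 05 00 00) is taken from the disassembly R@dier posts later in this thread and labelling it "2.001" is an assumption based on the Stud_PE result quoted there.

```python
import struct

# Constructed signature table in PEiD style: hex bytes expected at the program's
# entry point, "??" acting as a one-byte wildcard.  The ASPack pattern is from the
# listing in this thread (60 = PUSHAD, E8 72 05 00 00 = CALL rel32); the version
# label is an assumption.  A real scanner database has thousands of such entries,
# one per packer version, because the CALL displacement and the bytes after it are
# what differ between versions.
SIGNATURES = {
    "ASPack 2.001 (assumed)": "60 E8 72 05 00 00",
    "ASPack generic (assumed)": "60 E8 ?? ?? ?? ??",
}

# Well-known section names packers leave behind, used as a second, weaker hint.
SECTION_HINTS = {".aspack": "ASPack", ".adata": "ASPack", "UPX0": "UPX", "UPX1": "UPX"}


def parse_pattern(text):
    """'60 E8 ?? 05' -> [0x60, 0xE8, None, 0x05]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def pattern_matches(pattern, data):
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawptr, rawsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i        # section table: 40 bytes per entry
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
    return entry_rva, sections


def section_for_rva(rva, sections):
    for sec in sections:
        name, vaddr, vsize, rawptr, rawsize = sec
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return sec
    return None


def scan(data):
    """Identify the packer from entry-point bytes and section names."""
    entry_rva, sections = parse_pe(data)
    sec = section_for_rva(entry_rva, sections)
    if sec is None:
        raise ValueError("entry point lies outside every section")
    file_off = sec[3] + (entry_rva - sec[1])   # RVA -> raw file offset
    ep_bytes = data[file_off:file_off + 32]
    hits = [n for n, p in SIGNATURES.items() if pattern_matches(parse_pattern(p), ep_bytes)]
    hints = sorted({SECTION_HINTS[s[0]] for s in sections if s[0] in SECTION_HINTS})
    return {"entry_rva": entry_rva, "entry_section": sec[0],
            "entry_bytes": ep_bytes[:8].hex(" "), "signatures": hits, "section_hints": hints}


def build_sample_pe(entry_stub=bytes.fromhex("60 E8 72 05 00 00")):
    """Constructed minimal PE32 (not a real binary): three sections, entry point one
    byte into the second one, mirroring the 0052A001 start point in the thread."""
    names = [b".text", b".aspack", b".adata"]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    entry_rva = 0x2001
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x200, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    head = (dos + b"PE\0\0" + coff + opt + table).ljust(0x400, b"\0")
    body = bytearray(0x200 * len(names))
    body[0x201:0x201 + len(entry_stub)] = entry_stub  # .aspack raw data starts at 0x600
    return bytes(head + body)


if __name__ == "__main__":
    print(scan(build_sample_pe()))
```

Two things follow from this that the thread touches on: the "version" a tool reports is only as good as the exact byte sequence in its database, so a packer release that changes a single displacement in its entry stub shows up as unknown or as the nearest older version; and a scrambled or patched entry stub defeats the signature entirely, which is why the section-name hint is kept as a fallback.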
#3
Thanks! This tool is great!
#4
Ok, I tried Stud_PE on the target file and under the signature tab it says ASPack 2.001. I tried looking for tuts on unpacking ASPack, but mostly what I found is about ASProtect, and it's packed with ASPack 2.001. Would anyone here give me some links regarding this matter?
#5
If you have the intention to learn something, try to follow the tutorial posted by r@dier;
else find an unpacker on protools or another tools site.
#6
Here's a suggestion:
Try something REALLY hard, like entering "unpacking + aspack 2.001" or even "unpacking + aspack 2.00" in your favorite search engine and see what you get. Learning to search is one of the most important tools for reverse code engineering. Regards.
__________________
JMI
#7
I did try the unpack tutorial by r@dier, but it seems that the value given by him differs from what I see. I was wondering if it has to do with WinXP. Since it's an NT-based OS, maybe it showed up differently.
#8
@rix
The tutes are about a method to use, not values. What have you tried so far? R@dier
Last edited by R@dier; 10-15-2003 at 17:01.
#9
In that case, I got them right, except I didn't have the tools to continue. It's ok, I'll try to find them sooner or later. Currently I'm kind of busy with other stuff at college and my company.
#10
@rix,
The OEP of your progy was 00406744. I used the same method in the tut with the OllyDump plugin, and let the plugin rebuild the imports; runs fine. Regards R@dier

0052A001   60              PUSHAD                         <------- start point, execute F7
0052A002   E8 72050000     CALL target.0052A579           <---- set breakpoint on addy in ESP register, F9, run the progy
0052A4F4   75 08           JNZ SHORT target.0052A4FE      <--- you will land here
0052A4F6   B8 01000000     MOV EAX,1
0052A4FB   C2 0C00         RETN 0C
0052A4FE   68 44674000     PUSH target.00406744           <--- OEP addy
0052A503   C3              RETN                           F7 till you execute the RETN, you will land here
00406744   68 CC874000     PUSH target.004087CC           <---------- start dump here
00406749   E8 F0FFFFFF     CALL target.0040673E
0040674E   0000            ADD BYTE PTR DS:[EAX],AL
00406750   0000            ADD BYTE PTR DS:[EAX],AL

done
Last edited by R@dier; 10-15-2003 at 19:07.
#11
Yeah, thanks a lot for the tutorial r@dier. I followed it with the tools needed, and I also found the same OEP as you did. It's unpacked now and I'm happy. I guess the only thing that stopped me from following the tutorial you gave me is that I didn't have the tools, but I've got them now.
For others, thanks a lot for the help, and thanks for the Stud_PE, Rheya.