Exetools  

  #1  
Old 10-14-2003, 13:30
rix
determining packer version on packed exe

Hello, I would like to know how you guys determine the packer version just by looking at the exe file. Or is there any other way?

For example, a program packed with ASPack: how would you know which ASPack version is being used to pack it?

or

An exe file is packed; how would you know which packer it used?

Thanks

Last edited by rix; 10-14-2003 at 13:33.
  #2  
Old 10-14-2003, 16:25
Rheya
hi rix,
You can use some tools to check if the program is packed and which version it has:

you can use

-Stud_PE hxxp://itimer.home.ro/
-peid hxxp://protools.anticrack.de/files/utilities/peid.zip
-pe-scan hxxp://protools.anticrack.de/files/utilities/pe-scan.zip

With Stud_PE, you will find out the name of the packer in the "signature" section.

[Edit by JMI: No clickable links Please, not even to tool sites.]

bye
Rheya
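Signature scanners such as PEiD (and the Stud_PE signature tab) identify a packer by comparing the bytes at the PE entry point against a table of known stubs. The following is an added example, not code from this thread or from any of the tools above, that shows the technique in Python: it walks the PE headers, maps AddressOfEntryPoint to its section and file offset, and matches PEiD-style wildcard signatures against the bytes found there. The ASPack bytes are taken from R@dier's debugger listing later in this thread (`60 E8 72 05 00 00`, PUSHAD followed by CALL); the generic signature and the sample PE produced by build_sample_pe are constructed for the demonstration.

```python
import struct

# PEiD-style entry-point signatures ("??" = wildcard). ASPack bytes from R@dier's listing; the generic one is constructed.
SIGNATURES = {
    "ASPack 2.001 (entry bytes from thread listing)": "60 E8 72 05 00 00",
    "Generic PUSHAD/CALL packer stub": "60 E8 ?? ?? ?? ??",
}

def parse_sig(text):
    return [None if t == "??" else int(t, 16) for t in text.split()]

def sig_matches(sig, data):
    return len(data) >= len(sig) and all(s is None or s == d for s, d in zip(sig, data))

def entry_point_bytes(pe, count=32):
    """Return (section name, first `count` bytes at AddressOfEntryPoint) of a PE32 file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                        # optional header follows the 20-byte file header
    ep_rva, = struct.unpack_from("<I", pe, opt + 16)
    for i in range(num_sections):              # section table follows the optional header
        s = opt + opt_size + 40 * i
        name = pe[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, s + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (ep_rva - vaddr)    # RVA -> file offset inside this section
            return name, pe[off:off + count]
    raise ValueError("entry point RVA %#x lies in no section" % ep_rva)

def identify_packer(pe):
    """Return (section holding the entry point, names of the signatures that match there)."""
    name, data = entry_point_bytes(pe)
    return name, [n for n, s in SIGNATURES.items() if sig_matches(parse_sig(s), data)]

def build_sample_pe(stub):
    """Constructed minimal PE32 (one section '.aspack', EP at RVA 0x1000) beginning with `stub`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    sec = b".aspack\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + stub.ljust(0x200, b"\0")
```

Treat a match as a hint only: different packer versions share stubs, and anything that rewrites the entry bytes defeats the check, which is why the thread also walks the stub in a debugger to confirm what it is dealing with.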
  #3  
Old 10-14-2003, 17:04
rix
Thanks! This tool is great!
  #4  
Old 10-15-2003, 03:17
rix
OK, I tried Stud_PE on the target file, and under the signature tab it says ASPack 2.001. I tried looking for tutorials on unpacking ASPack, but mostly I found it's about ASProtect and packing with ASPack 2.001. Would anyone here give me some links regarding this matter?
  #5  
Old 10-15-2003, 03:33
lownoise
If you have the intention to learn something, try to follow the tutorial posted by R@dier;
else find an unpacker on protools or another tools site.
  #6  
Old 10-15-2003, 03:52
JMI
Leader
Here's a suggestion:

Try something REALLY hard, like entering "unpacking + aspack 2.001" or even "unpacking + aspack 2.00" in your favorite search engine and see what you get. Learning to search is one of the most important tools for reverse code engineering.

Regards.
__________________
JMI
  #7  
Old 10-15-2003, 15:41
rix
I did try the unpack tutorial by R@dier, but it seems that the value given by him differs from what I see. I was wondering if it has to do with WinXP. Since it's an NT-based OS, maybe it showed up differently.
  #8  
Old 10-15-2003, 16:30
R@dier
@rix

The tutes are about a method to use, not values.

what have you tried so far?


R@dier

Last edited by R@dier; 10-15-2003 at 17:01.
  #9  
Old 10-15-2003, 17:29
rix
In that case, I got them right, except I didn't have the tools to continue. It's OK, I'll try to find them sooner or later. Currently I'm kinda busy with other stuff at college and my company.
  #10  
Old 10-15-2003, 18:23
R@dier
@rix,

The OEP of your progy was 00406744.

I used the same method in the tut with the OllyDump plugin,
and let the plugin rebuild the imports;
runs fine.


Regards

R@dier

0052A001 > 60 PUSHAD <-------start point execute F7
0052A002 E8 72050000 CALL target.0052A579 <----set breakpoint on addy in ESP register
F9 run the progy



0052A4F4 75 08 JNZ SHORT target.0052A4FE <--- you will land here
0052A4F6 B8 01000000 MOV EAX,1
0052A4FB C2 0C00 RETN 0C
0052A4FE 68 44674000 PUSH target.00406744 <--- OEP addy
0052A503 C3 RETN

F7 till you execute the RETN;
you will land here:


00406744 68 CC874000 PUSH target.004087CC <----------start dump here
00406749 E8 F0FFFFFF CALL target.0040673E
0040674E 0000 ADD BYTE PTR DS:[EAX],AL
00406750 0000 ADD BYTE PTR DS:[EAX],AL


done


Last edited by R@dier; 10-15-2003 at 19:07.
  #11  
Old 10-15-2003, 18:59
rix
Yeah, thanks a lot for the tutorial, R@dier. I followed it with the tools needed, and I also found the same OEP as you did. It's unpacked now and I'm happy. I guess the only thing that stopped me from following the tutorial you gave me is that I didn't have the tools, but I've got them now.


For the others, thanks a lot for the help, and thanks for Stud_PE, Rheya.
All times are GMT +8.