Exetools  

  #1  
Old 09-15-2005, 03:30
acme
Fool packer detector

How and what methods exist to fool a packer detector? Changing the EP can induce a PE identifier to identify a file as packed with X instead of Y... what about?
  #2  
Old 09-15-2005, 05:43
Avenger
 
If you want to cover a big range of packers, I think you should know all of the detection algorithms, or it's easy if you have the 'PEiD' source code, for getting the detection algorithm!

If you have full awareness about 'PE structures', your knowledge is more than mine, and you can teach me your way!
  #3  
Old 09-15-2005, 05:52
Unforgiv3N
Try FakeSigner
www.dotfix.net
  #4  
Old 09-15-2005, 06:26
Whiterat
 
FakeSigner:
http://forum.exetools.com/showthread.php?t=7797

or

Killing PEid detection Tutorial by KaGra
  #5  
Old 09-15-2005, 08:56
netxman
 
Really hard to get registered.
  #6  
Old 09-15-2005, 20:24
Messer
 
I also wrote a tool for this matter. It is script-based and there are also some scripts included: hxxp://rapidshare.de/files/2443319/k_muh-v0.6.rar

Feedback would be welcome.
  #7  
Old 09-15-2005, 21:32
acme
Seems to be very interesting, I'm studying it but I have some difficulty understanding the German language... can you post some documentation in English? Tnx in advance. New version and update notices are often appreciated

thanks,

acme
  #8  
Old 09-15-2005, 21:42
WerEsT
 
acme
Use this to kill PEiD detection
http://download.ahteam.org/files/oursoft/epprotector.zip
  #9  
Old 09-15-2005, 22:12
dj-siba
The best way is to write your own crypter to crypt the loader of your packed exe
  #10  
Old 09-15-2005, 22:23
Messer
 
The main idea is to reproduce the code at the oep of a packer or protector and put it in a new section. Then place your code there and change the EP to this direction. You just need to find out where you can place a jump to the oep in this code without destroying the stack or the registers.

BTW, it may be a good idea to debug the injected code to see what it does and what is restored. Here is a little commented script:

GETENTRYPOINT var0 -> store entrypoint in var0
GETIMAGEBASE var1 -> store imagebase in var1
ADD var0 var1 -> var0=entrypoint + imagebase

GETSECTIONCOUNT var2 -> store numberofsections in var2
ADDSECTION >.text 0 1000 0 200 E0000020 -> add a new section to the exe, named .text with VOffset=automatic & ROffset=automatic and RSize=VSize=0. Characteristics E0000020
GETSECTIONROFFSET var3 var2 -> store ROffset of new Section in var3
GETSECTIONVOFFSET var4 var2 -> store VOffset of new Section in var4
SETENTRYPOINT var4 -> New Entrypoint of PE-File is var4 (VOffset of new Section)
SEEK var3 -> Move Filepointer to var3 (ROffset of new Section)
PUTBYTE F 8B 44 24 08 83 F0 00 74 00 68 00 00 00 00 C3 (Put 0xF Bytes -> 8B 44 ...)
ADD var3 A -> var3+=0xA
SEEK var3 -> Move Filepointer to var3
PUTDWORD 1 var0 -> Put 0x1 dword at Offset var3 (Build OEP-Jump)

I hope this helps a little bit. Just start your debugger and you will see what was done. Don't use k_muh on Windows EXEs like calc, because there is important information stored in the PE header of these files.

Maybe I will rewrite the readme.
  #11  
Old 09-16-2005, 01:38
acme
Good, useful clarification... I've observed how it works and also wrote an example script for testing purposes. In some cases the app crashes but I think that is a result of my dirty script....

Thanks again,

acme
  #12  
Old 09-16-2005, 03:00
taos
The "easier" way is making an XOR encryption of your loader; PEiD will say "unknown", but this is only to mislead PEiD. To avoid reversing, use a better crypt scheme.
  #13  
Old 09-18-2005, 07:18
SlashZero
http://dl2.rapidshare.de/files/4735596/86788709/peidverarschentun.rar

Maybe that's useful for you.. disassemble them to get an idea of how it's done
they are pure asm so it's easy to understand

If you want to implement some known packer/crypter, get some decent userdb.txt and use these EP scans to generate your own fake packer EP.

[edit]
I just got told that these exe files got packed with k_muh by Messer
so it seems his tool did nice work
[/edit]

Last edited by SlashZero; 09-18-2005 at 22:04.
  #14  
Old 09-18-2005, 22:35
Veritas
 
another example to fool PEiD (only tested on unpacked/uncrypted binary):

- Search for a code cave in your binary caused by alignment
- Just set a JMP to Original EntryPoint there
- Change EntryPoint to this JMP and realign PE header
Reply With Quote
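
Seen from the analysis side, the added-section stub from post #10 and the code-cave jump from post #14 both leave structural traces in the PE header that do not depend on EP signature matching. The following Python check is an added example, not part of the thread or of any tool named in it; the function names, the two-section sample file and the OEP value 0x401000 are constructed for illustration, and only PE32 (32-bit) headers are handled.

```python
import struct

def parse(pe):
    """Return (entry RVA, image base, [(name, vaddr, vsize, raw_ptr, raw_size, flags)])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size, magic = struct.unpack_from("<H12xH2xH", pe, nt + 6)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or magic != 0x10B:
        raise ValueError("not a PE32 file")
    ep, base = struct.unpack_from("<I8xI", pe, nt + 40)
    rows = [struct.unpack_from("<8sIIII12xI", pe, nt + 24 + opt_size + 40 * i) for i in range(nsec)]
    return ep, base, [(n.rstrip(b"\0"), va, vs, rp, rs, fl) for n, vs, va, rs, rp, fl in rows]

def entry_point_findings(pe):  # heuristics: a hit is a reason to look closer, not proof
    ep, base, secs = parse(pe)
    hit = [s for s in secs if s[1] <= ep < s[1] + max(s[2], s[4])]
    if not hit:
        return ["entry point outside every section"]
    name, vaddr, vsize, rptr, rsize, flags = hit[0]
    out = []
    if len(secs) > 1 and hit[0] is secs[-1]:
        out.append("entry point in last section")
    if (flags & 0xA0000000) == 0xA0000000:  # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        out.append("entry section is writable and executable")
    if sum(s[0] == name for s in secs) > 1:
        out.append("entry section name is duplicated")
    if vsize <= ep - vaddr < rsize:
        out.append("entry point in alignment padding past VirtualSize")
    code = pe[rptr + ep - vaddr:][:32]
    for i in range(len(code) - 5):  # push imm32 ; ret, the shape of the PUTBYTE stub
        if code[i] == 0x68 and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0] - base
            if not vaddr <= target < vaddr + max(vsize, rsize):
                out.append("push/ret at entry leaves the entry section")
    return out

def sample(name2, flags2, ep, code):  # constructed two-section PE32: headers and raw bytes only
    img = bytearray(0x600)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x40)
    struct.pack_into("<4sHH12xHHH14xI8xI", img, 0x40, b"PE\0\0", 0x14C, 2, 0xE0, 0x102, 0x10B, ep, 0x400000)
    for i, (nm, fl) in enumerate([(b".text", 0x60000020), (name2, flags2)]):
        struct.pack_into("<8sIIII12xI", img, 0x138 + 40 * i, nm, 0x1000,
                         0x1000 * (i + 1), 0x200, 0x200 * (i + 1), fl)
    raw = 0x200 * (ep >> 12) + (ep & 0xFFF)
    img[raw:raw + len(code)] = code
    return bytes(img)

# The thread's 15-byte stub with a constructed OEP of 0x401000 filled in at offset 0xA
STUBBED = sample(b".text", 0xE0000020, 0x2000, bytes.fromhex("8B442408 83F000 7400 68 00104000 C3"))
CLEAN = sample(b".data", 0xC0000040, 0x1000, bytes.fromhex("558BEC"))
```

`entry_point_findings(STUBBED)` returns four findings and `entry_point_findings(CLEAN)` returns none; legitimate packers and protectors trip some of the same checks, so hits are triage signals rather than verdicts.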