#1
|
||||
|
||||
mupack
This is a small executable packer that I have been working on and off for some time. The public build is restricted compared to the private one, but it still packs alright. There is some bugs:
Known bugs: * Resources are not compressed in certain cases. Might redo resource compression to fix this. * TLS callbacks with DLLs don¡¯t work fully. TLS callback tables and ptrs need to be relocated via the relocs. * Proxy TLS callback not implemented. I guess this is a feature as atm it works like a antidebug trick. Ideally it should handle TLS callbacks cleanly to ease debugging. * Crash when unpacking VBA-Ms Wx build. Not sure why, need to fix the above TLS issue before fixing this. This would make debugging a lot easier. * Digital code signing when executables are packed does not work. Source code: Quote:
Last edited by mudlord; 07-05-2016 at 07:43. |
The Following 3 Users Gave Reputation+1 to mudlord For This Useful Post: | ||
The Following 8 Users Say Thank You to mudlord For This Useful Post: | ||
alekine322 (03-17-2016), Asus (10-05-2015), chessgod101 (10-05-2015), giv (10-05-2015), Max (09-14-2015), rukov (08-31-2015), Storm Shadow (08-31-2015), [ID]ZE (09-01-2015) |
#2
|
||||
|
||||
Updated:
* Rewrote resource compression. Fixes a known bug of not compressing executables in certain cases. |
The Following 3 Users Gave Reputation+1 to mudlord For This Useful Post: | ||
#3
|
||||
|
||||
Updated:
* Rewrote TLS callback emulation. As a result, there is preliminary TLS callback in DLL support as well as easier debugging of EXE/DLL files with TLS callbacks. I found one case where TLS callbacks/index variables in DLLs doesn't work properly, need to debug that use case more. * More work on handling uncompressed resources, fixes some bugs. |
The Following User Gave Reputation+1 to mudlord For This Useful Post: | ||
mr.exodia (11-12-2015) |
The Following User Says Thank You to mudlord For This Useful Post: | ||
niculaita (11-09-2015) |
#4
|
||||
|
||||
Updated:
* Fixed any TLS regressions from last build. DLL support for TLS callbacks is still preliminary, though. * Now updates the PE file checksum. * Added a small TLS callback on TLS using executables to fix any possible invalid TLS addresses. |
The Following 2 Users Gave Reputation+1 to mudlord For This Useful Post: | ||
mr.exodia (11-12-2015), Storm Shadow (11-10-2015) |
The Following 4 Users Say Thank You to mudlord For This Useful Post: | ||
giv (11-11-2015), niculaita (11-10-2015), Storm Shadow (11-10-2015), wilson bibe (11-10-2015) |
#5
|
||||
|
||||
Cool utility.
I guess the unpacking will not be difficult as i see into the stub: Code:
0049A000 m> BB 00000000 MOV EBX,0x0 0049A005 E9 03000000 JMP mupack_p.0049A00D 0049A00A C2 0C00 RETN 0xC 0049A00D 8D83 00A04900 LEA EAX,DWORD PTR DS:[EBX+<ModuleEntr> 0049A013 53 PUSH EBX 0049A014 50 PUSH EAX ; mupack_p.0041F394 0049A015 8D83 7EA04900 LEA EAX,DWORD PTR DS:[EBX+0x49A07E] 0049A01B FFD0 CALL EAX ; mupack_p.0041F394 0049A01D 8D83 94F34100 LEA EAX,DWORD PTR DS:[EBX+0x41F394] 0049A023 - FFE0 JMP EAX ; mupack_p.0041F394 |
The Following User Gave Reputation+1 to giv For This Useful Post: | ||
mudlord (11-11-2015) |
The Following User Says Thank You to giv For This Useful Post: | ||
mudlord (11-11-2015) |
#6
|
||||
|
||||
Yeah, my private builds focus on compression ratio, using completely different compression algorithms. I designed it to be easy to depack. Figured theres no point in trying protection since people will crack it anyway. The public build is there so there is no real loss if people misuse it, although there might still be a possibility of that happening. Pity the taggant scheme for packers is a crock of sh*t. (only useful for commercial stuff, not freeware) And digital signatures do nothing too.
Plus, many packers like ASPack, PESpin and mpress seem to miss crucial things like proper TLS callback support. I guess now I need to work out overlay support, and fully reentrant DLL entry points. (so it doesn't needlessly depack itself over and over) Atm I am trying to debug a nice (as in, interesting and hard) test case with DLLs with TLS. For some reason there is one flaw there, but other DLLs with TLS callbacks work fine. Dunno if its something to do with reentrancy though. |
The Following User Gave Reputation+1 to mudlord For This Useful Post: | ||
mr.exodia (11-12-2015) |
#7
|
||||
|
||||
Do not share outside EXETools.com, otherwise development will cease.
Updated: * removed asmjit, replaced with Xbyak. * added DLL reentrancy. * saved bytes in entrypoint, down to 34 bytes. * removed aplib (lzss based), replaced with a lz77+arithmetic coder backend: double the depacker size (around 360 bytes compared to 160 bytes for aplib), yet a much improved compression ratio, nearing the private packer builds compression ratio in some cases, which uses LZMA. |
The Following 4 Users Gave Reputation+1 to mudlord For This Useful Post: | ||
The Following 5 Users Say Thank You to mudlord For This Useful Post: | ||
JeRRy (12-15-2015), niculaita (12-16-2015), nikkapedd (12-16-2015), ReBirth (12-19-2015), wilson bibe (12-17-2015) |
#8
|
|||
|
|||
you can't avoid it,the only way is to share it with private people that you trust with in.
__________________
I like this forum! |
#9
|
||||
|
||||
True, but I can ask for some common basic human decency?
I guess that is too much to ask for? If thats the case, might as well stop dev already. So far I haven't noticed any leaks which is nice, hopefully it stays that way, otherwise development can go back to being completely private. |
#10
|
|||
|
|||
i'm afraid it's not anymore a world to expect that,you may trust in me as i think like you but it's not the place to expand psychology
regards!
__________________
I like this forum! |
#11
|
||||
|
||||
There are so many retarded people in the RE forums that it will sell your program in a few minutes after you put on public. The time teach me that some users are present including this site.
So NO do not ask for that. |
#12
|
|||
|
|||
Unfortunately that is a little too true... Brutal... But too true
|
#13
|
||||
|
||||
Yep, as proven by the most recent leak and using download credits on some website (so in practise, it being sold)....
So instead, will stick to people that I know and trust, like what was done a few months ago. At least with that, might as well experiment with taggants too down the track. |
#14
|
||||
|
||||
From past experience the "developers" will take your program and edit the resources to wipe your name and put his on credits and sell your thing as his.
Many of my scripts was selled too for hundreds of EUR even i put them on sites for free. This happened with CodeCracker tools and many other developers work. So for me is a strong "NO" for put for free my work because i know what will happen next. |
#15
|
||||
|
||||
In that case, no point releasing the x64 port when its finished.
|
Thread Tools | |
Display Modes | |
|
|