#1
Finding which packer has been used
Hi,
I am trying to patch a flexlm.dll, from company slb, but the file has been packed, so the normal search routines don't work. How can I find out which packer has been used?
#2
- DetectItEasy (DIE)
- ProtectionID
- PEiD (With custom signature database otherwise it's pretty trash now.)
- ExeinfoPE
- RDG Packer Detector

Etc. there are a lot of detector apps available to help determine things with ease. Otherwise you can manually investigate the file to look for common traits of popular packers.
__________________
Personal Projects Site: https://atom0s.com
#3
O.K.
I tried all the tools you suggested but none of them detects the packer used. PEiD doesn't even recognize the dll file as a PE file, and I have no idea where to get the custom signature database file.
#4
PEiD won't recognize 64-bit files. So don't bother finding the custom databases for it if that is the case. You could post the file here and have someone take a look for you though if you still have issues figuring it out though.
__________________
Personal Projects Site: https://atom0s.com
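An added example, not part of the posts above or of any tool named in the thread: a static triage check for the "common traits" mentioned in reply #2 and the 32/64-bit distinction from reply #4, written against the PE/COFF header layout. The `.pak` section name, the 7.0 entropy threshold, the 4x size ratio and the sample image are constructed assumptions.

```python
import math
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # PE section flags
ENTROPY_LIMIT = 7.0  # assumed heuristic threshold, bits per byte

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def pe_traits(image: bytes) -> dict:
    """Return bitness plus per-section packing indicators (hints, not proof)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    nsec, opt_size = struct.unpack_from("<2xH12xH", image, pe_off + 4)
    magic = struct.unpack_from("<H", image, pe_off + 24)[0]
    bits = {0x10B: 32, 0x20B: 64}.get(magic)  # PE32 vs PE32+
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", image, pe_off + 24 + opt_size + 40 * i)
        hits = []
        if entropy(image[rptr:rptr + rsize]) > ENTROPY_LIMIT:
            hits.append("high-entropy")  # compressed or encrypted body
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            hits.append("writable+executable")  # room for a run-time unpacker
        if vsize > 4 * rsize:
            hits.append("inflates-at-load")  # also true of plain .bss-style data
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), hits))
    return {"bits": bits, "sections": sections}

def build_sample() -> bytes:
    """Constructed PE32+ image: a plain .text and a packed-looking .pak."""
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    head += struct.pack("<H", 0x20B).ljust(240, b"\0")
    head += struct.pack("<8sIIII12xI", b".text", 512, 0x1000, 512, 512, 0x60000020)
    head += struct.pack("<8sIIII12xI", b".pak", 0x8000, 0x2000, 1024, 1024, 0xE0000020)
    return head.ljust(512, b"\0") + b"\x90" * 512 + bytes(range(256)) * 4

if __name__ == "__main__":
    report = pe_traits(build_sample())
    print(f"PE image, {report['bits']}-bit:", report["sections"])
```

A section that trips all three indicators is a strong hint of run-time unpacking even when no signature database names the packer.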
#5
O.K. I have uploaded the file.
Would be nice to get some hints about how to unpack this file.
#6
Sometimes I'm using Virustotal.com for analyzing files, but for rare packers it will probably fail.
#7
Could you use an external link so people with not enough credits to download can access the file?
#8
As I can't view it, I cannot look.
#9
scanned using all the tools? don't think so..
scanned it with pid (yeah, I'm biased)..

[!] LiCENSE - FlexLM [unknown version] signs detected !
[!] LiCENSE - FlexNET v11.8 signs detected !
[!] DONGLE - NetHASP Network Dongle references detected !

so probably flexlm
#10
Quote:
yes, and plenty of info inside the file; slb means Schlumberger license tool...
__________________
I like this forum!
#11
yep, saw that in the version info, wasn't sure if it was some custom one-off company thing or an actual drm / licensing system
#12
Here is the link:
https://mega.nz/#!wNt3xahA!6QzL0CNkxFZlxzxo7kcReDC7Vqj5LFKG5IVTv-gLo-I
Yes it's flexlm, but the file is only unpacked at run-time, so finding and patching l_pubkey_verify statically is not possible.
#13
Yes, you can find the flexnet routine only by dumping the file, and fix the relocations..
Or patching the dll on debugging.. It's the same obfuscation as other slb programs. Maybe they are using the utility "lmstrip" to obfuscate the routine.. Read the flexnet sdk programmer's guide.. On x86 I have no problem to unpack this obfuscation, but on 64 bits it is a little different...
#14
Nikkapedd,
O.K I will have a look into this. rgds
#15
I use Detect it Easy, it's detecting 90% of all packer versions