#1
Fool packer detector
How and what methods exist to fool a packer detector? Changing the EP can induce a PE identifier to identify a file packed with X instead of Y... what about?
#2
If you want to cover a big range of packers, I think you should know all of the detection algorithms, or it's easy, if you have the 'PEid' source code, to get the detection algorithm!
If you have full awareness about 'PE structures', your knowledge is more than mine, and you can teach me your way!
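The "detection algorithm" post #2 refers to is, for PEiD-style tools, byte-pattern matching against a userdb.txt signature list. As an added example (not code from this thread or from PEiD), here is a minimal matcher for that format, supporting `??` wildcards and the ep_only flag. The signatures and the sample buffer are constructed for illustration and are not real packer patterns. The demo identifies the buffer while the EP sits on the real stub and loses the ep_only hit once the EP is moved onto a jump, which is why triage tooling should not rely on entry-point signatures alone.

```python
# Added example: a toy userdb.txt-style signature scanner. Not PEiD's code.

# Constructed signatures in userdb.txt syntax (names and bytes are made up).
SAMPLE_USERDB = """
; comment lines start with a semicolon, as in the real format
[Example Packer v1 (constructed)]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = true

[Example Crypter v2 (constructed)]
signature = EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 8B EC
ep_only = true

[Example Lib Stub (constructed)]
signature = 8B 44 24 08 83 F0 00 74 00
ep_only = false
"""


def parse_userdb(text):
    """Parse [name] / signature / ep_only blocks into a list of dicts.
    A pattern is a list of ints (fixed byte) or None (?? wildcard)."""
    sigs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True}
            sigs.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "signature":
                cur["pattern"] = [None if tok == "??" else int(tok, 16)
                                  for tok in val.split()]
            elif key == "ep_only":
                cur["ep_only"] = val.lower() == "true"
    return [s for s in sigs if s["pattern"]]


def match_at(data, pos, pattern):
    """True if pattern matches data at pos, wildcards accepting any byte."""
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan(data, ep_offset, sigs):
    """Names of signatures that fire. ep_only patterns are compared at the
    entry point only; the rest are searched through the whole buffer."""
    hits = []
    for s in sigs:
        if s["ep_only"]:
            if match_at(data, ep_offset, s["pattern"]):
                hits.append(s["name"])
        elif any(match_at(data, i, s["pattern"]) for i in range(len(data))):
            hits.append(s["name"])
    return hits


def demo():
    """Constructed image: packer stub at 0x100, library stub at 0x180 and a
    jmp rel32 back to 0x100 at 0x200. Returns (hits with EP=0x100, hits with EP=0x200)."""
    packer_stub = bytes.fromhex("60E8000000005D81ED00104000")  # pushad; call $+5; pop ebp; sub ebp,imm
    lib_stub = bytes.fromhex("8B44240883F0007400")            # mov eax,[esp+8]; xor eax,0; je $+2
    jmp_back = b"\xE9" + (0x100 - (0x200 + 5)).to_bytes(4, "little", signed=True)
    image = bytearray(0x300)
    image[0x100:0x100 + len(packer_stub)] = packer_stub
    image[0x180:0x180 + len(lib_stub)] = lib_stub
    image[0x200:0x200 + len(jmp_back)] = jmp_back
    sigs = parse_userdb(SAMPLE_USERDB)
    honest = scan(bytes(image), 0x100, sigs)   # EP on the real stub
    moved = scan(bytes(image), 0x200, sigs)    # EP moved onto a jmp into the stub
    return honest, moved


if __name__ == "__main__":
    print(demo())
```

The non-ep_only signature still fires after the EP move because the original stub bytes are untouched; a scanner that also walks the whole file, or follows an initial jmp before matching, is far less sensitive to this kind of header edit.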
#3
Try FakeSigner
www.dotfix.net
#4
FakeSigner:
http://forum.exetools.com/showthread.php?t=7797 or the Killing PEid detection Tutorial by KaGra
#5
Really hard to get registered.
#6
I also wrote a tool for this matter. It is script-based and there are also some scripts included: hxxp://rapidshare.de/files/2443319/k_muh-v0.6.rar
Feedback would be welcome.
#7
Seems to be very interesting, I'm studying it but I have some difficulty understanding the German language... can you post some documentation in English? Thanks in advance. New version and update notices are often appreciated.
Thanks, acme
#8
acme
Use this to kill PEid detection: http://download.ahteam.org/files/oursoft/epprotector.zip
#9
The best way is to write your own crypter to crypt the loader of your packed exe.
#10
The main idea is to reproduce the code at the OEP of a packer or protector and put it in a new section. Then place your code there and change the EP to point there. You just need to find out where you can place a jump to the OEP in this code without destroying the stack or the registers.
BTW, it may be a good idea to debug the injected code to see what it does and what is restored. Here is a little commented script:

GETENTRYPOINT var0 -> store entrypoint in var0
GETIMAGEBASE var1 -> store imagebase in var1
ADD var0 var1 -> var0 = entrypoint + imagebase
GETSECTIONCOUNT var2 -> store numberofsections in var2
ADDSECTION >.text 0 1000 0 200 E0000020 -> add a new section to the exe, named .text with VOffset=automatic & ROffset=automatic and RSize=VSize=0. Characteristics E0000020
GETSECTIONROFFSET var3 var2 -> store ROffset of new Section in var3
GETSECTIONVOFFSET var4 var2 -> store VOffset of new Section in var4
SETENTRYPOINT var4 -> New Entrypoint of PE-File is var4 (VOffset of new Section)
SEEK var3 -> Move Filepointer to var3 (ROffset of new Section)
PUTBYTE F 8B 44 24 08 83 F0 00 74 00 68 00 00 00 00 C3 -> Put 0xF Bytes (8B 44 ...)
ADD var3 A -> var3 += 0xA
SEEK var3 -> Move Filepointer to var3
PUTDWORD 1 var0 -> Put 0x1 dword at Offset var3 (Build OEP-Jump)

I hope this helps a little bit. Just start your debugger and you will see what was done. Don't use k_muh on Windows EXEs like calc, because there is important information stored in the PE header of these files. Maybe I will rewrite the readme.
#11
Good, useful clarification... I've observed how it works and also wrote an example script for testing purposes. In some cases the app crashes, but I think that is a result of my dirty script....
Thanks again, acme
#12
The more "easy" way is making a XOR encryption of your loader; PEiD will say "unknown", but this is only to mislead PEiD. To avoid reversing, use a better crypt scheme.
#13
http://dl2.rapidshare.de/files/4735596/86788709/peidverarschentun.rar
Maybe that's useful for you.. Disassemble them to get an idea of how it's done; they are pure asm, so it's easy to understand. If you want to implement some known packer/crypter, get some decent userdb.txt and use these EP scans to generate your own fake packer EP. [edit] I just got told that these exe files got packed with k_muh by messer, so it seems his tool did nice work [/edit] Last edited by SlashZero; 09-18-2005 at 22:04.
#14
Another example to fool PEiD (only tested on an unpacked/uncrypted binary):
- Search for a code cave in your binary caused by alignment
- Just set a JMP to the Original EntryPoint there
- Change the EntryPoint to this JMP and realign the PE header
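Posts #10 and #14 both leave the original code in place and move the entry point onto a trampoline: a push <OEP>/ret stub in an appended RWX section, or a jmp dropped into the alignment slack of .text. As an added example that is not from this thread or from k_muh, the following PE32 reader checks where the entry point lands and whether its first instructions merely transfer control elsewhere, which is the structural evidence a triage tool can use when an entry-point signature comes back "unknown". The sample files (a clean layout, post #10's stub bytes with the OEP dword patched in, and post #14's slack jmp) are constructed in memory with the build_pe32 helper, so everything runs offline.

```python
# Added example: PE32 entry-point sanity checks. Sample PEs are constructed here.
import struct

# Section characteristic bits from the PE specification
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000


def parse_pe32(data):
    """Return (image_base, entry_rva, sections) from a PE32 file held in memory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    opt = pe + 24                                              # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "rawsize": rawsize, "chars": chars})
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def entry_point_findings(data):
    """Indicators (not proof) that the entry point was relocated after linking."""
    image_base, ep, sections = parse_pe32(data)
    sec = section_for_rva(sections, ep)
    if sec is None:
        return ["entry point maps to no section"]
    found = []
    code_secs = [s for s in sections if s["chars"] & (SCN_CODE | SCN_EXEC)]
    if code_secs and sec is not code_secs[0]:
        found.append("entry point not in first code section")
    if len(sections) > 1 and sec is sections[-1]:
        found.append("entry point in last section")
    if sec["chars"] & SCN_WRITE and sec["chars"] & SCN_EXEC:
        found.append("entry section is writable and executable")
    if ep - sec["va"] >= sec["vsize"]:
        found.append("entry point in alignment slack past VirtualSize")
    code = data[sec["raw"] + (ep - sec["va"]):][:16]          # first bytes at the EP
    target = None
    if code[:1] == b"\xE9":                                    # jmp rel32
        target = ep + 5 + struct.unpack_from("<i", code, 1)[0]
    elif code[:1] == b"\xEB":                                  # jmp rel8
        target = ep + 2 + struct.unpack_from("<b", code, 1)[0]
    else:
        for i in range(len(code) - 5):                         # push imm32 ; ret
            if code[i] == 0x68 and code[i + 5] == 0xC3:
                target = struct.unpack_from("<I", code, i + 1)[0] - image_base
                break
    if target is not None:
        tsec = section_for_rva(sections, target)
        found.append("entry point immediately transfers control to RVA 0x%X in %s"
                     % (target, tsec["name"] if tsec else "unmapped memory"))
    return found


def build_pe32(sections, entry_rva, image_base=0x400000, falign=0x200):
    """Construct a minimal PE32 file. sections: (name, chars, va, payload, vsize)."""
    hdr = (0x40 + 4 + 20 + 224 + 40 * len(sections) + falign - 1) // falign * falign
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    for off, val in ((16, entry_rva), (28, image_base), (32, 0x1000), (36, falign), (60, hdr)):
        struct.pack_into("<I", opt, off, val)
    table, body, raw = b"", b"", hdr
    for name, chars, va, payload, vsize in sections:
        rawsize = (len(payload) + falign - 1) // falign * falign
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize, raw, 0, 0, 0, 0, chars)
        body += payload.ljust(rawsize, b"\0")
        raw += rawsize
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr, b"\0") + body


CODE = bytes.fromhex("558BEC83EC10")       # push ebp; mov ebp,esp; sub esp,10h (constructed)
RX = SCN_CODE | SCN_EXEC | SCN_READ
RWX = RX | SCN_WRITE                       # 0xE0000020, the value used in post #10


def sample_clean():
    return build_pe32([(".text", RX, 0x1000, CODE, len(CODE))], 0x1000)


def sample_trampoline():
    """Post #10 layout: appended RWX section, stub ends in push <OEP va> / ret."""
    stub = bytes.fromhex("8B44240883F0007400") + b"\x68" + struct.pack("<I", 0x401000) + b"\xC3"
    return build_pe32([(".text", RX, 0x1000, CODE, len(CODE)),
                       (".text", RWX, 0x2000, stub, len(stub))], 0x2000)


def sample_cave():
    """Post #14 layout: EP moved to a jmp placed in the .text alignment slack."""
    jmp = b"\xE9" + struct.pack("<i", 0x1000 - (0x1100 + 5))   # jmp back to the original EP
    return build_pe32([(".text", RX, 0x1000, CODE.ljust(0x100, b"\0") + jmp, len(CODE))], 0x1100)


if __name__ == "__main__":
    for fn in (sample_clean, sample_trampoline, sample_cave):
        print(fn.__name__, entry_point_findings(fn()))
```

None of these findings is conclusive on its own (some linkers do emit a jmp at the entry point), but an EP that sits in the last, writable section or in slack past VirtualSize and whose first instruction is a bare transfer into another section is a strong hint that the signature scan should be repeated at the transfer target rather than trusted as "unknown".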