Packing and unpacking, material which I hope will be welcomed by the more discerning reverse engineers out there, however updates will be fairly infrequent I'm afraid ;-(. I'll use this introductory space to explain briefly a little something about 'packing'. The 'packing' process is usually a simple one, all the protector needs is a copy of his/her program and the packing program itself, some packers are fully configurable, supporting user defined encryption keys amongst other options e.g. section names, anti-debugging options, import table destroying etc, etc.
Packers do simply as their name suggests, they 'pack' or 'compress' a program much the same way a compressor like Pkzip does, packers then attach their own decryption / loading stub which 'unpacks' the program before resuming execution normally at the programs original entry point. Packed files have several main advantages, firstly the physical file size is usually smaller, of some benefit if you are marketing your product via Internet download, the second benefit (perhaps the one we are more concerned with) is that packed files are resistant to the casual JNZ-->JMP type of cracker since a target must be unpacked or rebuilt before it can be patched. Naturally these advantages come at a price, both run-time and commercially.
My earliest recollection of a packer was sometime back in 1989 or so when I found a virus protected with PKLite, amongst the older DOS packers you may still encounter tricks such as keyboard and timer interrupt masking, interrupt vector replacement & trap flag disabling as well as many others, in fact old virii sites can be very useful for the discerning historian. The biggest problem most of you will encounter is 'packer glut', the last 5 years have seen a rapid explosion in the availability and awareness of these type of programs, although there were always the COM/EXE packers in the days of DOS. I'd guess that you'll probably see only 10 or so of them more than once. The weakness of every packer is of course simple, if a program runs it must be unpacked at some stage and at said stage we can dump the program to disk, albeit this is something of an oversimplification.
Armadillo - http://www.siliconrealms.com/armadillo.htm
- Incorporates both a license manager and wrapper system. Since
v3.0 or so only one individual (sKAMER DeLEBRE / dREAM TEAM) appears
to have been able to generate keys and one instance of an application
key generator (DVDIdle) for Armadillo (I have decided to remove
the 2 keys that have leaked to the warez scene from this page).
The Armadillo developers are confident that the individual concerned
is using a considerable amount of processing power to generate
just a single key.
Armadillo Unpacked v1.83 (654k) & v1.84 (523k), Armadillo v2.01 (build 1 unpacked) (167k).
Armadillo Killer v1.3 (38k).
UnArmadillo v1.1/v1.2/v1.3/v1.4 - UCF's continued support (168k).
* v3.4 and onwards update - Although a key generator for both v3.5 & v3.6 of Armadillo exists, the hole it exploits is one simply of v3.4 backward compatibility, i.e. the default certificate based upon Blowfish & Elgamal. In v3.5 the Blowfish key length was simply increased and the algorithm slightly modified, this actually doesn't prevent anyone owning a legitimate Armadillo key from breaking the Blowfish part but heals the brute force possibility if you don't own a real key. This still leaves Elgamal to be broken.
The current key generator for v3.6 generates keys for the Armadillo Free Certificate (actually a very (feature) limited version of the program), these keys are given away freely to people joining Digital River's online selling service (e.g. RegSoft). The Silicon Realms developers now custom compile versions of Armadillo for their customers and have also incorporated ECC into the very latest versions (v3.6a+). From my point of view, custom compiling always seemed to be the logical way to go and should have been done ages ago. Armadillo isn't completely secure but no protection scheme ever has been or ever will be, it does however have enough strengths to make it a considerable barrier to all but the best professional crackers.
I learned in (June 2004) that v3.75 of Armadillo was keygenned by the group TMG (in contradiction to what I had written above); this was as a direct result of the source code being obtained (by illegal means) and a weak (32-bit) PRNG being identified. I have been assured this has been fixed, but I'll wait a while a little while before praising Armadillo's security again ;-).
Latest Armadillo Tools
Arma Intruder 0.4 by
ArmStripper v0.1 beta 6 (177k).
ASPack & ASProtect - http://www.entechtaiwan.com/aspack.htm - A very competent Win32 compressor by Russian author Alexey Solodovnikov, note this useful snippet "After compression of the executable image, ASPack writes a small decompressor and places icons at the end of the compressed file. The address of the application's entry point is set to the beginning of the decompressor, and the original entry point is saved. After the decompressor decompresses the image in memory, it jumps to the application's original entry point" (common sections include .adata / .udata / .aspack).
ASPack is an advanced Win32 executable file compressor, capable of reducing the file size of 32-bit Windows programs by as much as 70%. ASPack makes Windows 95/98/NT programs and libraries smaller, and hence faster to both load and download; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with ASPack are self-contained and run exactly as before, with no runtime performance penalties.
Anti-ASPack v0.2 Unpacker
AspackDie v2.11 Unpacker (16k).
ASPack v2.10 Keyfile (360 bytes).
ASPack v2.11 Key Generator (24.1k).
ASProtect v1.1 Key Generator (24.4k).
ASProtect v1.35 Incl. Key Generator (1.85Mb).
DeASPack v2.11 Unpacker (16k).
NeoLite v2.0 - http://www.neoworx.com/neolite - 32-bit file compressor (DLL/EXE).
PECompact - http://www.CollakeSoftware.com - PECompact is a utility that compresses Windows 9x/NT4/w2k portable executables (EXE, DLL, SCR, OCX, etc..) significantly while leaving them 100% functional. PECompactd applications occupy less disk space, cost less to distribute, are more fault tolerant, are loaded quicker across networks, decrease network traffic, and are more difficult to reverse-engineer and modify.
PECompact works by compressing the code, data, import directory, selected resources, and other portions of Windows portable executables. At runtime, the executable is rebuilt with no noticeable delay. In fact, compressed executables can actually load quicker in some cases because there is less data to be retrieved from the disk or network, which is usually the largest bottleneck. Both compression algorithms used by PECompact feature an optimized, 32bit x86 assembly language decompressor for maximum data throughput.
This tool is highly configurable and gives the user a great deal of power to select what and how things are compressed. PECompact also has unique plug-in support to allow users to supply their own encryption/decryption procedures or special functionality to compressed executables.
PECompact Archive (v1.45/v1.47/v1.50/v1.55/v1.56) - (175k).
PKLite - http://www.pkware.com/downloads - both 32-bit and DOS versions are available (Lite), from the authors of PKZip.
Petite v1.4/2.x - http://www.un4seen.com/petite/ - PE file compressor by Ian Luck (UK). Later versions use anti-debugging (read the SEH documents) and import table and PE tamper checking tricks.
PolyCrypt PE v2.1 - http://www.jlabsoftware.com - Simplistic packer (discontinued in 2005), employs basic SEHÂ handling, INT 3 &Â documented tricks to detect VM environments and prevent accurate reconstruction of the PEÂ header.
Shrinker - http://www.blinkinc.com/shrinker.htm - One of the better packers from Blink Inc. j0b's DeShrink (see below) seems to do a good job of all versions up to 3.3 (even bruteforcing the encryption key), however v3.4 seems to have implemented a trick or 2 to break it.
UPX - http://upx.sourceforge.net/ - A free packer for individual use by Markus Oberhumer & Laszlo Molnar, of Hungarian origin and a scene favourite.
VBox - http://www.previewsystems.com/ - Preview Software's software wrapper which they are now selling for music downloads too, v4.2 uses some anti-debugging tricks (FG/JM) and mangles the imports quite effectively, however most programs can still be unwrapped or patched by adding your own routines. Here you will also find ZipLock which uses 512-bit RSA for web ready software distribution, I've not seen any instances of this being reversed, though despite what they say the wrapper won't prevent anyone legally owning the software from distributing it. In June 2001 Preview Software ceased to be and was acquired by none other than Aladdin Knowledge Systems (they of HASP fame).
byeVBox4 - generic VBox
v4.x unpacker - (10k).
UCF's UnVBox - VBox unwrapper (237k).
VBox Builder v4.3 - Protection system that you may care to study (3.03Mb's).
WWPack(32) - http://www.webmedia.pl/wwpack32/mainmenu.html - DLL/EXE compressor by Piotr Warezak & Rafal Wierzbicki (2 very good Polish authors).
I'm not an expert on packers so don't take this as the definitive gospel, I've probably only studied 5-10 examples at the most just to ensure I could unpack them if need be (excluding the HASP envelope). Here's a checklist you ought to run through before considering unpacking.
i) Knowledge of the PE file format (used by all Win32 OS's) is essential. Microsoft's site provides some general information, I recommend these 2 articles (45k), the one by Randy Kath is the Microsoft approved text. The omnipresent Matt Pietrek has also written some good articles (not least his book), for a limited time only you can get your very own OCR'd copy of Windows System Programming Secrets at NeuRaL_NoiSE's site.
ii) Knowledge of SEH (Structured Exception Handling) is required, read this article by Jeremy Gordon and download the example file except32.zip. Have a look too at these brief SEH notes (22k).
iii) A Win32 API guide, read specifically :- CreateProcess, GetCurrentProcessID, GetModuleHandleA, GetProcAddress, OpenProcess, ReadProcessMemory, VirtualAlloc, VirtualFree, WriteProcessMemory.
iv) A good debugger, SoftICE or TRW, in extreme cases Turbo Debug.
v) A PE dump utility. Borland's TDUMP or Matt Pietrek's PEDump are recommended, even QuickView included with Windows can be adequate.
vi) A HEX editor with good cut/copy & paste facilities, I like UltraEdit, but Hex Workshop or Hiew will also do. You'll also require a memory dumping tool (IceDump or SoftDump).
v3.4 - CyberWare/UCF's ageing DOS unpacker, pretty good for
pre-1997 files, otherwise not effective.
DeShrink v1.6 - j0b's unpacker for Shrink packed files from Blink Inc. DeShrink is pretty reliable and quite well supported, worthy of a position in any reversers toolkit.
Import Rebuilding Essay - Courtesy of TiTi, describes how to fix corrupted imports under Petite v2.1 (4k).
Import REConstructor v1.6 - Excellent import reconstructor by Mackt (280k).
PEiD - Packer identification tool.
PE Rebuilder v0.96b - Does exactly as it says on the packet (26k).
ProcDump v1.6 - Very good unpacker for Win32 PE targets, hampered now by its success as more protectionists are implementing tricks to prevent its use, there are also specific issues with unpacked targets running under Windows NT.
Revirgin 1.2 beta - +Tsehp's IAT rebuilding tool (542k).
Sudden Discharge - The best packer/unpacker repository on the net (or dare I say it used to be, now down).
Tron v1.3 - An old yet good DOS unpacker (useful mainly for its PkLite support).
|Packer / Target Name||Description||Date|
|Armadillo v1.7||Unwrapping this registration system, patching SoftICE.||13/12/99|
|ASPack v1.08.03||2 part debunking of this packer.||21/07/99|
|ASPack v2.001 / Petite v2.2||A very useful manual unpacking tutorial by r!sc.||Feb 2000.|
|AZPR v3.01||ASProtect vagaries courtesy of HobGoblin.||May 2000.|
|BugTrapper v3.0||Just add your own code and let ASPack do the rest.||25/04/00|
|Conseal PC Firewall v1.37||IAT hooking, great 'concept' tutorial for all reversers, by Sara.||18/08/99|
|Petite Adventures in PE Land||Reversing Petite v2.x using SEH and your own code (by Accz).||07/03/00|
|Stamping the Import Table Manually||'Spelunking' with PEPack courtesy of ZenLoren.||05/09/99|
|Unpacker Archive - (565k, 579,192 bytes).|
ArmKiller (alternative Armadillo unpacker), Bye PE-Crypt v1.2
(PE-Crypt), PE-Protect v0.9.
PEunCompact v0.01 & PE-UnCompact v1.5 Beta (PECompact), PEUNLOCK-NT.
r!sc's Petite enlarger v1.0/v1.2/v1.3, rAD v0.6 (AsProtect), tEunlock v1.0, UnArmadillo v1.1 & v1.2 (courtesy of UCF).
UnAspack v220.127.116.11 (ASPack). un-CodeCrypt, undbpe 1.2, unNFO v1.0, UNPCPECa.
UNPE-SHiELD v0.14 & v0.25 (PE-Shield), UnShrinker v1.0.
Please feel free to send me suitable inclusions or suggestions for this archive. You might also like to read Cokine's Guide to ProcDump Scripting, automated unpacking will save you a lot of time.