Packers and Unpackers:
a first list

Some Packers and some Unpackers

Courtesy of Fravia's page of reverse engineering

Well, here you have a small list of "packers", compressors like PKLITE or DIET. In case you don't know, such programs use different data compression routines to make a file smaller. Files compressed with one of these pack programs remain executable for the system, but they are much smaller. Another reason for compressing is that a second person has no chance to change any bytes inside a compressed program with a hex editor or something like that.
A list of "unpackers" follows below. As you'll see, tron, which we present (and reverse) as our "unpacker of choice" inside this new "packer" subsection of the +HCU's "tough protections" project, is NOT the only unpacker around. As +ORC noticed long ago, there seems to be a geographical "specializing" going on: decrypt routines and research are developed mostly in Switzerland, and unpacker routines and research are developed mostly in Israel (StickBuster, Xopen), in Germany and in Holland.

A list of packers
Taken from tron's instructions for a start; more will be added in due time, keep cool. In the meantime, visit THE site for packers and unpackers and encryptors and stickers and everything you may need:
http://www.SuddenDischarge.com/SelectExecutablesIndex.html

1. Protect! EXE/COM
   Known: 1.00, 2.00, 3.00, 4.00, 5.00

    MSG to all users of Protect:
    No software protection will be totally secure!
    Don't use a compression code under the protection structure. Only compress
    after a file is protected. It takes one minute to get the original file if
    a known packer was used. (otherwise it takes two :-)
    If it would be impossible to write an unpacker for protect you will have to
    know that there are enough other possibilities to extract the original file.

    Hey Jeremy, the idea with the polymorphic engine is really good. But don't
    forget Murphy's Law. "If a protection is safe it will be broken"
    The v1.21 protected mode unpacker expanded your v5.50 without trouble.

    By Jeremy Lilley.
    (Scramble, .EXE .COM, 4.0+ very nasty)

2. ICE (Special)
   Known: 1.00 (Released 1988)
   ICE is a program which scrambles and compresses COM files
   (not EXE files) yet allows them to be fully functional. The program
   makes it difficult to alter the original program and it has the added
   bonus of compressing COM files without detracting from their usefulness.
   ICEd COM files still run as they did before. ICE offers protection
   against viruses in that ICE can scramble COMMAND.COM and make it difficult
   for viruses to attach themselves to the scramble program.
   By Keith P. Graham
   (Scramble, .COM only, easy to hack)

3. TinyProg (Generic)
   Known: Tiny 1.0, 3.3, 3.6, 3.8, 3.9
   Tested on Tiny 3.3, 3.8, 3.9 with password and Data Header!
   Should also open Tinys with text inside or the like.
   To open a "tiny" with a password, you should know the password.
   Also, a new kind of tinys with large text files in them is supported.
   Newer Tiny Versions 3.8+ have a smart anti-debugging routine in them.
   We are searching for TinyProg v3.5 and v3.6!
   By Tranzoa, Co.
   (Compress, CRC check, .EXE only, good)

3.1 PkTiny (Tiny)
    Pktiny is a simple program which puts a pklite header into a tinyprogged
    file. Then it modifies the file in a way that an unpacker isn't able
    to correctly determine the size of the tiny user data area.
    I am not sure why the program uses a pklite header because no unpacker
    known to me identifies pklite compression on such files.
    By Thomas Mönkemeyer
    (Fooling, .EXE .COM, nice)

4. Micro$oft's EXE Pack (Generic)
   Known: 3.60, 3.64, 3.65, 4.00, 5.31.009
   There are plenty of ExePack versions. Tron knows about 5 of them.
   They are all less effective, sometimes the output file gets bigger
   than the original one. This is a small joke.
   By Micro$oft corp.
   (Compress, .EXE only, old and defective)

5. LZEXE (Generic)
   Known: 0.90, 0.91
   No mutations found. Makes CRC checked and packed EXE-Files.
   By Fabrice Bellard.
   (Compress, .EXE only, old and freeware)

6. PKLite (Generic)
   Known: 1.00(·), 1.03, 1.05, 1.10, 1.12, 1.13, 1.14, 1.15, 1.20
   From 1.14+ PkWare added a small encryption routine inside the registered
   Version to make Pklited files harder to extract!
   Pklite is the most used compressor today, there are a lot of hacks
   circulating. In some boards pklite 1.20 was declared to be a hack,
   but we think it's an official version now! Version 1.20 of Pklite has a
   different encryption routine.
   By PKWare (Phil Katz's).
   (Compress, EXE & COM, the best compression)

7. PROPACKER (Special)
   Known: 2.08 Emphasis on packed size
               Emphasis on packed size, locked
   By Rob Northern Computing, UK.
   (Compress, .EXE only, good)

8. DIET (Generic)
   Known: 1.00d, 1.02b, 1.10a, 1.20, 1.44, 1.45f
   Diet is also capable of acting like STACKER -
   such files are not supported by tron.
   By Teddy Matsumoto.
   (Compress, EXE & COM, very good)

9. SEA-AXE
   Known: 2.0
   There are not many files around of this antique.
   The packed code is saved in an overlay area behind the sea-axe code.
   By System Enhancement Associates
   (Compress, .EXE only, old and less effective)

10. PGMPak (Generic)
    Known: 1.15
    Not easy to extract. There are some nice tricks used to make unpacking
    harder, we couldn't use our normal unpacking routines.
    PgmPak doesn't give you full memory, it also keeps its name in
    the end of the compressed file as an overlay.
    By Todor Todorov.
    (Compress, .EXE, good)

11. OPTLink
    This program is found on all Norton programs. We haven't found a
    distributed version of this packer.

12. DeltaPack
    Known: 1.0
    Found on some bbs intros.
    By ?
    (Scramble, .?, easy to hack)

Some of the compression programs have a built-in expand function! But for insiders it is no problem to trick these functions out! Simply change the header signature "MZ" into "ZM" and the original programs cannot handle their own files any longer. The header signature can be found at the start of an EXE file! And this is only one of many known possibilities.
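
The signature swap described above, seen from the analyst's side, as an added example (not code from the original page or from tron): a Python triage helper that accepts both signature byte orders the way the DOS loader does, flags a swapped "ZM" header, measures overlay data stored behind the load image (as the SEA-AXE and PGMPak entries describe), and restores "MZ" on a copy. The function names, the constructed sample and the LZEXE/PKLITE header markers are assumptions taken from public format descriptions, not from the page.

```python
import struct

DOS_SIGNATURES = (b"MZ", b"ZM")  # the DOS loader accepts either byte order
# Assumption (public format descriptions, not the page): LZEXE writes
# "LZ09"/"LZ91" at header offset 0x1C; PKLITE puts its name at 0x1E.
LZEXE_MARKERS = {b"LZ09": "LZEXE 0.90", b"LZ91": "LZEXE 0.91"}


def inspect_dos_exe(data: bytes) -> dict:
    """Parse a DOS EXE header: signature state, packer hint, overlay size."""
    if len(data) < 0x20 or data[:2] not in DOS_SIGNATURES:
        raise ValueError("not a DOS EXE: bad signature or truncated header")
    # e_cblp = bytes used in the last 512-byte page, e_cp = page count
    e_cblp, e_cp = struct.unpack_from("<2H", data, 2)
    image_end = e_cp * 512 - ((512 - e_cblp) % 512)
    sane = 0 < image_end <= len(data)  # header sizes agree with the file
    hint = LZEXE_MARKERS.get(data[0x1C:0x20])
    if hint is None and data[0x1E:0x24] == b"PKLITE":
        hint = "PKLITE"
    return {
        "signature": data[:2].decode("ascii"),
        "swapped": data[:2] == b"ZM",
        "packer_hint": hint,
        "image_end": image_end,
        "overlay_bytes": len(data) - image_end if sane else None,
        "header_sane": sane,
    }


def restore_signature(data: bytes) -> bytes:
    """Return a copy carrying the conventional "MZ" signature."""
    inspect_dos_exe(data)  # raises ValueError if this is not a DOS EXE
    return b"MZ" + data[2:]


def build_sample(sig: bytes = b"ZM", overlay: bytes = b"PACKNAME") -> bytes:
    """Constructed sample: one 512-byte page (header + body) plus overlay."""
    header = bytearray(0x20)
    header[0:2] = sig
    struct.pack_into("<2H", header, 2, 0, 1)  # e_cblp=0 (full page), e_cp=1
    struct.pack_into("<H", header, 8, 2)      # e_cparhdr: 2 paragraphs = 32 bytes
    header[0x1C:0x20] = b"LZ91"               # constructed LZEXE-style marker
    return bytes(header) + bytes(480) + overlay


if __name__ == "__main__":
    sample = build_sample()
    print(inspect_dos_exe(sample))
    print(inspect_dos_exe(restore_signature(sample))["signature"])
```

A tool that compares only against "MZ" rejects the constructed sample, while this parser reads it and reports the swap, so the restored copy can be handed to the packer's own expand function or to an unpacker.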

A list of Unpackers

Tron, Version 1.30, see The Undertacker's work on it here

Xopen v3.20  (Ady/Israel)
              opens really a lot, well done Ady, what about a gratis
              registration for us? You will get a registered version of
              TRON too...nice to see that there are other people who
              know what they do.

Unp v4.10    (Ben Castricum/The Netherlands)
              This program is freeware and has a lot of features!
              Hello Ben, your unpacker is the one liked most by us.
              Just look at tron.

StickBuster v2.40r (Lihor Cohen/Israel)
              From all unpackers we discovered, StickBuster is the one
              which handles the most compressors, but these are mainly
              very antique or only spread in local areas.
              Hey Lihor, work on your user-interface!!!



