A new section to my site, one which I hope will be welcomed by the more discerning reverse engineers out there. I'll use this introductory space to explain briefly a little something about 'packing'. The 'packing' process is a simple one: usually all the protector needs is a copy of his/her program and the packing program. Some packers are fully configurable, supporting user-defined encryption keys.
Packers do simply as their name suggests: they 'pack' or 'compress' a program (DLLs too) in much the same way something like PkZip does. Packed files have several advantages. Firstly, the physical file size is usually smaller, of benefit if you are marketing your product via Internet download. Secondly (perhaps the benefit we are more concerned with), packed files are resistant to the casual JNZ-->JMP type of cracker, since the original code is not present in plain form on disk. Naturally these advantages come at a price, both at run-time and commercially.
My earliest recollection of a packer was sometime back in 1989 or so, when I found a virus protected with PKLite. The biggest problem most of you reversers will encounter is glut: the last 5 years have seen a rapid explosion in these types of program; I'd guess, however, that you'll probably see only 10 or so of them more than once. The weakness of every packer is of course its unpacking 'stub'. Put very simply, if a program runs it must be unpacked at some stage, so the original code must exist in memory at that point.
AsPack, NeoLite, PEPack, Petite, PKLite, Shrinker, UPX, VBox (more a wrapper), WWPack.
I'm not an expert on packers, so don't take this as the definitive gospel; I've probably only studied 5-10 examples at the most, just to ensure I could unpack them if need be (excluding the HASP encryptor). Here's a checklist you ought to run through before considering unpacking.
i) Knowledge of the PE file format (used by all Win32 OSes) is essential. Microsoft's site provides some general information; I recommend the article by Randy Kath. The omnipresent Matt Pietrek has also written some good articles (not least his book).
ii) A Win32 API guide; read specifically: CreateProcess, GetCurrentProcessId, GetModuleHandleA, GetProcAddress, OpenProcess, ReadProcessMemory, VirtualAlloc, VirtualFree, WriteProcessMemory.
iii) A good debugger: SoftICE or TRW, or in extreme cases Turbo Debug.
iv) A PE dump utility. Borland's TDUMP or Matt Pietrek's PEDUMP are recommended; even QuickView, included with Windows, can be adequate.
v) A HEX editor with good cut/copy & paste facilities; I like UltraEdit, but Hex Workshop or Hiew will also do. You'll also require a memory dumping tool (IceDump or SoftDump).
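One way to put the PE-format knowledge from point i) to work, and to see the 'stub' weakness in the file itself rather than in a debugger, is a small section-table parser that reports the usual tell-tales of a packed executable. This is an added example written for this page, not a tool from this site or from any packer's author. The packer section names, the entropy threshold of 7.0 and the "at most one import descriptor" rule are assumptions chosen for illustration, and the two sample PE images are constructed in memory (headers plus section bodies only), so nothing here runs a real binary.

```python
import math
import random
import struct

# Section characteristic bits from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed, illustrative list: section names that well-known packers leave behind.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # Data directories start at +0x60 for PE32 and +0x70 for PE32+; entry 1 is the import table.
    dd_off = opt + (0x60 if magic == 0x10B else 0x70)
    import_rva, import_size = struct.unpack_from("<II", data, dd_off + 8)
    sections = []
    sect_off = opt + opt_size
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + i * 40)
        name, vsize, vaddr, raw_size, raw_ptr = fields[:5]
        flags = fields[9]
        body = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": raw_size, "flags": flags,
            "entropy": shannon_entropy(body),
        })
    return {"entry_rva": entry_rva, "import_rva": import_rva,
            "import_size": import_size, "sections": sections}


def packing_indicators(data: bytes) -> list:
    """Heuristics only: each hit is a reason to suspect an unpacking stub, not proof of one."""
    pe = parse_pe(data)
    hits = []
    for s in pe["sections"]:
        name = s["name"]
        if name in PACKER_SECTION_NAMES:
            hits.append(f"packer section name {name}")
        if s["entropy"] > 7.0:
            hits.append(f"high entropy ({s['entropy']:.2f}) in {name}: compressed/encrypted payload")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"{name} has no data on disk but {s['virtual_size']:#x} bytes reserved in memory")
        span = max(s["virtual_size"], s["raw_size"])
        holds_entry = s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + span
        if holds_entry and s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"entry point in writable+executable section {name}")
    if pe["import_size"] <= 40:  # one 20-byte descriptor plus the null terminator
        hits.append("import directory holds at most one DLL (typically just the loader's helpers)")
    return hits


def build_pe(sections, entry_rva, import_size):
    """Constructed sample: a minimal PE32 file (headers plus section bodies, not runnable)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x5C, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x68, 0x3000, import_size)  # import directory rva/size
    hdr += opt
    raw_ptr, bodies = 0x200, b""
    for name, vaddr, vsize, body, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(body),
                           raw_ptr if body else 0, 0, 0, 0, 0, flags)
        raw_ptr += len(body)
        bodies += body
    return bytes(hdr).ljust(0x200, b"\0") + bodies


# Constructed inputs: an ordinary-looking binary and one shaped like a UPX-style packed file.
_rng = random.Random(7)
_CODE = b"\x90" * 1000 + b"\xc3" * 24
_HIGH = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_PE = build_pe([(b".text", 0x1000, 0x400, _CODE, 0x60000020),
                     (b".data", 0x2000, 0x200, b"hello\0".ljust(0x200, b"\0"), 0xC0000040)],
                    entry_rva=0x1010, import_size=100)
PACKED_PE = build_pe([(b"UPX0", 0x1000, 0x10000, b"", 0xE0000080),
                      (b"UPX1", 0x11000, 0x1000, _HIGH, 0xE0000040)],
                     entry_rva=0x11100, import_size=40)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packing_indicators(blob) or ["no indicators"])
```

Run as a script, the plain image produces no indicators, while the UPX-shaped image shows the stub's fingerprint: an empty section with a large reserved virtual size (where the stub will decompress the original code), a high-entropy section that holds the compressed payload and also contains the entry point and is both writable and executable, and an import table reduced to a single DLL. That is a cheap triage signal to run before reaching for SoftICE or a memory dumper, and the same checks work for any PE32 or PE32+ file you point them at.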
CUP386 v3.4 - CyberWare/UCF's ageing DOS unpacker, pretty good for pre-1997 files, otherwise not effective.
DeShrink v1.5 - j0b's unpacker for Shrink packed files from Blink Inc. DeShrink is pretty reliable and quite well supported, worthy of a position in any reverser's toolkit.
ProcDump v1.5 - Very good unpacker for Win32 PE targets, hampered now by its success as more protectionists are implementing tricks to prevent its use.
| Packer / Target Name | Description | Date |
|---|---|---|
| ASPack v1.08.03 | 2 part debunking of this simple packer. | 21/07/99 |
| Petite Part 1 | 1st look at Petite with Multimedia Builder. | 04/11/99 |
| Stamping the Import Table Manually | 'Spelunking' with PEPack courtesy of ZenLoren. | 05/09/99 |