+HCU: Academy of reverse engineering
hcu97 Founded by +ORC in April 1996 hcu98

Packers and Unpackers: an arms race

Project start:
September 1997
packers
Last update:
September 1999

Courtesy of Fravia's page of reverse engineering

This new section is of course related to the "Our protection" project
[essays] ~ [how does an unpacker work?] ~ [crunching]

keep cracking!

From Fravia's own private
"cracking posters" collection

"Get hot - Keep cracking"
(1942)

The +HCU Packers
and Unpackers project
(1997)

Are we concerned?
Yes, we are.
From a Fravia perspective, packers (and unpackers) represent an ideal field of study, for obvious reasons: since the prehistory of software protection one of the most commonly used systems in order to avoid de-protection consisted, of course, in the "packing" (and the de facto encrypting) of the executable files. A packed executable cannot be hex-edited, nor is it possible to modify it easily on the fly. Even to day shrewd net inhabitants exchange files that have been zipped AND THEN lha-compressed, knowing that most automatic sniffers will NOT be able to intercept/decrypt such "double compressed" files on their road around the world.
There is indeed an even better method: compressing data using home made algorithms (child-easy if you are a cracker): i.e. algos that are slightly different from the main commercial ones.
This is one of the best methods I know of to avoid automated interception... even better than zipping and PSPing your communications, I have been told by the older ones, since some automated sniffers apparently can crack PSP but no automated sniffer will ever know the simple silly algorithms that you have made out yourself together with your pals! You dig it? These encryption algos may be simple and stupid, but they will be NEW (since you made them) and therefore impossible to decipher for any automated sniffer robot (ok, if humans are sniffing, they will be able to quickly decrypt your communications, but most of the times humans are called in only AFTERWARDS, if an automated robot has smelt (or smelled, whatever you prefer :-) a rat in the first time.

The old "arms race" between packers and unpackers, represents a very interesting snippet of the history of software, since both kind of programs have been (and are being) written by GOOD ASSEMBLY programmers and buffs, and not by those stupid overbloated "windozed" zombies that dare call themselves 'programmers' nowaday.
This race has IMHO entered a new phase with the development of tron, a DOS based unpacker which is really able to unpack UNKNOWN algorithms simply by examining the "clearing" of the code in memory (that's in nuce the work a reverse engineer would have made per hand).
It does not wonder me that unpackers keep ahead vis-a-vis of packers: often the same programmers develope packers as well as unpackers! (like some virii writers I knew of, that have later turned into brave, honest "commercial" antivirus protectionists :-) and -come to think of it- who would ever need new packers if the old ones would work flawlessly?
Given this situation, and the quick evolution of this matters, reverse engineers, code buffs, software dudes and assembly wizards (i.e. most readers of my pages :-) have much to learn from this fascinating sector!



Intent of this section
I don't intend to recreate, with this section, one of the ubiquitous lists of all packers and unpackers tools that do exist on the web... you'll anyway find an example of them below.
The main "point" of this project is to deepen some reversing aspects of the packers and unpackers thema. For much more packers and unpackers related material and tools don't forget to check (and contribute to) the two best pages I know of for packers & unpackers (ring me if you feel there are other pages that should be added):
redStone's page
See the packers & unpackers list there... Stone is a great Fravia, and I like his work a lot beacuse he is one of the few good Fravias that do actually CONTRIBUTE to our science
redLord Caligo's page
There is no need to present LordCaligo's site: one of the BEST sites around, his packers and unpackers collections and links and files are among the best on the web...
These matters are also relevant for a future possible +HCU project: "demomakers' creations"... i.e. the disassembly and reverse engineering of the (often heavily "antisniffing" protected) "intros" and "demos" of the graphical demo scene... we'll see... in the meantime, here you go with our essays about packers, unpackers and installshields reverse engineering. 
Awaiting more contributions, you lazy scoundrels!

THE ESSAYS

PHASE A
by The Undertaker, 18 Sep 1997
redTron version 1.30
"Reverse engineering the feeble protection scheme of a good unpacker"
PHASE B
by snickers, 09 Jan 1998
redPatching the Patcher: Cracking .RTPatch Professional - 4.00 Eval Release
"Fun with packed files"
PHASE C
by The Undertaker, 13 Jan 1998
redPROTEXE V2.11 - by TOM TROFS
"EXPLORING A PARANOID PROTECTION SCHEME"
PHASE D
by +Aitor, 19 Jan 1998
redReverse Engineering MATLAB 5 - Part II: InstallShield Packages Encryption
"how NOT to encrypt your own programs"
PHASE E
by Quine, 20 Jan 1998
redPushing the Envelope with HASP
"De-Hasping, zip cracking and other marvels"
PHASE F
by The Undertaker, 02 February 1998
redTRAP Ver 1.13 EXPLORING A STUPID PROTECTION SCHEME
(Opcode generators and selfchanging code)

PHASE 10
by +ReZiDeNt, 05 May 1998
redReverse Engineering a Compressed Target (Phase I)
A surgical attack (we cut open the target, repair the damage, then stitch it up again)

19 May 98 The RudeBoy ~ rude45.htm Reversing Packed Targets packers ~fra_011E
20 May 99 +tsehp ~ packepro.htm A Packed protection packers ~fra_xxxx
6 July 99 Volatily ~ volati_s.htm Manually Unpacking - ASPack v1.083 packers ~fra_xxxx
6 September 99 Lord Soth ~ patchpck.htm Generating a patch for a packed program: Another approach to cracking packed programs packers ~fra_xxxx
6 September 99 Staier ~ threade.htm Cracking a packed exe. _packer: Neolite 2.0 _program: AZPR 2.31. packers ~fra_xxxx

Some 'snippets' may also result quite interesting for this project:

The Undertaker's redUnpack/unprotect com files using debug.exe 16 January 1998
(old powerful dos debugging - still useful today - "An acquarium for your viri")

How does an unpacker work?

Well, since not all of you will read and study the abovelinked essay by the Undertaker, and since we'll anyway work mostly with this intersting "tron" tool, let's give a taste of its working to all people that are only browsing this part of my site and that have not yet "decided" if they want to embark on this reversing path...
Here is how redtron130.zip works... see which packed files dwell on the hard disk of the computer I am using right now: here are the packed files on the c:\windows directory of this PC, as seen through my (slightly modified) own copy of tron:

fratron -i c:\windows\*.exe >showme
-- 0001 --
processing file :  C:\WINDOWS\PSEDIT.EXE
file structure  :  executable (EXE)
processed with  :  LZEXE V0.91
-- 0002 --
processing file :  C:\WINDOWS\MAP.EXE
file structure  :  executable (EXE)
processed with  :  LZEXE V0.91
-- 0003 --
processing file :  C:\WINDOWS\PKUNZIP.EXE
file structure  :  executable (EXE)
processed with  :  REGISTERED PKLITE V1.20
-- 0004 --
processing file :  C:\WINDOWS\PCTOOLS.EXE
file structure  :  executable (EXE)
processed with  :  EXEPACK V4.05/4.06
-- 0005 --
processing file :  C:\WINDOWS\PKZIPFIX.EXE
file structure  :  executable (EXE)
processed with  :  REGISTERED PKLITE V1.20
-- 0006 --
processing file :  C:\WINDOWS\VXDLIB.EXE
file structure  :  executable (EXE)
processed with  :  REGISTERED PKLITE V1.13



CRUNCHING

12 December 98 Joa ~ crunchi1.htm Little essay about the various methods and viewpoints of crunching papers ~fra_0126
10 June 98 Joa ~ crunchi2.htm Little essay about the various methods and viewpoints of crunching II papers ~fra_0129
17 June 98 Joa ~ crunchi3.htm Little essay about the various methods and viewpoints of crunching III papers ~fra_012E
17 June 98 Joa ~ crunchi4.htm Little essay about the various methods and viewpoints of crunching IV papers ~fra_xxxx
17 June 98 Joa ~ crunchi5.htm Little essay about the various methods and viewpoints of crunching V papers ~fra_xxxx
17 June 98 Joa ~ crunchi6.htm Little essay about the various methods and viewpoints of crunching VI papers ~fra_xxxx
17 June 98 Joa ~ crunchi7.htm Little essay about the various methods and viewpoints of crunching VII papers ~fra_xxxx
17 June 98 Joa ~ crunchi8.htm Little essay about the various methods and viewpoints of crunching VIII papers ~fra_xxxx

You are deep inside Fravia's page of reverse engineering, choose your way out:

redList of packers and unpackers redTron version 1.30
our protections
Our protections
Our tools
Our own tools
Progcorner
Programmer's corner
redhomepage red links red anonymity red+ORC redstudents' essays redtools redcocktails
redacademy database redantismut search_forms redmail_Fravia
redis reverse engineering legal?

red(c) Fravia, 1995, 1996, 1997, 1998, 1999. All rights reserved