Simple technique to avoid packer detection


Simple technique to avoid packer detection – by Mo4x.

I’m sorry for my poor English. I’m from Poland.

1. Intro
Hi! I want to tell you something about avoiding packer detection.
First, you need to know something about packers…

packer – also called: Packer, Compressor, PE Packer, Exe Packer etc.
So, a packer is a tool we use to make an exe smaller.
Malware coders use packers to encrypt and pack a virus file.
Packers are also used to make a cracker’s life more difficult 😉
In most applications we can detect a packer.

…and read up on this:
http://en.wikipedia.org/wiki/Executable_compression
http://en.wikipedia.org/wiki/.exe

2. What do we need?

Tools that we need:

PEiD:
http://peid.tk/
http://peid.has.it/
http://www.download.net.pl/2819/PEiD/

Olly Debugger:
http://www.ollydbg.de/

xvi32:
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

Download those programs.

3. Playing with FSG 2.0 🙂
If we want to play with packers, we must get a packer first.
Our first packer will be “FSG 2.0 by bart^xt”. I think it’s a good packer for
learning about packers 😉

FSG 2.0 GUI:

Download link:
http://www.woodmann.net/bart/files/xt_fsg20.zip

Now, you must get FSG from the link above.

Downloaded? All right, let’s go!

Now, download this file:
http://mo4x.ovh.org/my_textz/program.zip

This is a simple Hello World program written in Borland Delphi.
Extract program.zip to your desktop.

Next, make three copies of your program and rename them to: program1.exe, program2.exe and program3.exe
Run PEiD, then drag program1.exe onto the PEiD window and drop it. You should see something like this:

Borland Delphi 6.0 – 7.0
You see? Now copy fsg.exe to your desktop and run it. Choose the file “program2.exe” and pack it.

Now, drag packed program2.exe to PEiD window and drop it there.
You will see something like this:

Before packing: Borland Delphi 6.0 – 7.0
After packing: FSG 2.0 -> bart/xt
Now we try to change the first bytes of the packed file. PEiD identifies the packer from the first bytes at the entry point, so after we change them PEiD will no longer be able to detect the packer.

Run OllyDbg and open program2.exe in this debugger.

First bytes:
…in OllyDbg:

…in PEiD:

In OllyDbg you can see the first instruction and simply change it.
The first instruction is:
XCHG DWORD PTR DS:[40DA30],ESP

We have something like this:

So, press the Space key. You should see:

Now, enter the text below into the textbox that you see.
MOV ESP,DWORD PTR DS:[40DA30]

Look at this picture:

Everything OK? Now click the “Assemble” button. The instruction has been changed.

Instruction changed… So, press the Cancel button.
Click on the changed instruction to select it (it will be highlighted) and right-click on it.

You’ll see a new window. Right-click on it.

Next you will see a save dialog. Enter the file name “program2_modified.exe” and click Save (look at the picture below).

Now there are four files on your desktop.

program1.exe -> Borland Delphi 6.0 – 7.0
program2.exe -> FSG 2.0 -> bart/xt
program3.exe -> Borland Delphi 6.0 – 7.0
program2_modified.exe -> Nothing found *

Well done!

Ugh, not done yet… Only one detail left to change.
Run xvi32 and open the file “program2_modified.exe” in this editor.
Now you must search for something like this:

How to change it? It’s very simple. Enter whatever you want there.
I entered “LOL2” there 😉

Now we can say:
Well done!!!

…but with other packers you may need to do more than modify the first bytes.
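The trick above works because PEiD compares a byte pattern against the first bytes at the entry point. The small matcher below is an added example (not from the original post or from PEiD) that shows why a signature anchored on that first opcode byte is defeated by the XCHG -> MOV swap, and how a detection that wildcards the rewritable bytes still fires. The two six-byte encodings are derived from the instructions quoted above (XCHG DWORD PTR [40DA30],ESP = 87 25 30 DA 40 00; MOV ESP,DWORD PTR [40DA30] = 8B 25 30 DA 40 00); everything after them, and both signatures, is constructed filler for illustration and is not PEiD’s real FSG 2.0 signature.

```python
"""PEiD-style entry-point signature matching, added example.

Shows that a signature anchored on the first opcode byte stops matching once
XCHG [40DA30],ESP (87 25 ...) is rewritten as MOV ESP,[40DA30] (8B 25 ...),
while a signature that wildcards the rewritable bytes still matches both.
The tail bytes and the signatures are CONSTRUCTED for illustration only."""
from __future__ import annotations

# Constructed "first bytes at entry point" for the packed and the patched file.
TAIL = bytes.fromhex("61 94 55 A4 B6 80 FF 13")          # constructed filler
PACKED_EP = bytes.fromhex("87 25 30 DA 40 00") + TAIL    # XCHG [40DA30],ESP
PATCHED_EP = bytes.fromhex("8B 25 30 DA 40 00") + TAIL   # MOV ESP,[40DA30]

# Brittle: anchors on the opcode byte and the absolute address, both of which
# the post shows can be rewritten in a debugger without breaking the stub.
BRITTLE_DB = {"FSG 2.0 -> bart/xt (constructed)": "87 25 30 DA 40 00 61 94"}
# More robust: wildcard the interchangeable opcode and the address, and match
# on the following loader bytes instead.
ROBUST_DB = {"FSG 2.0 -> bart/xt (constructed)": "?? 25 ?? ?? ?? ?? 61 94 55 A4"}


def parse_signature(sig: str) -> list[int | None]:
    """'87 25 ?? ??' -> [0x87, 0x25, None, None]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def matches(pattern: list[int | None], data: bytes) -> bool:
    """True if every non-wildcard byte of pattern equals data at that offset."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def scan(db: dict[str, str], ep_bytes: bytes) -> str | None:
    """Return the name of the first signature in db matching the EP bytes."""
    for name, sig in db.items():
        if matches(parse_signature(sig), ep_bytes):
            return name
    return None


if __name__ == "__main__":
    for label, ep in (("program2.exe", PACKED_EP),
                      ("program2_modified.exe", PATCHED_EP)):
        print(f"{label:22} brittle: {scan(BRITTLE_DB, ep)!s:34} "
              f"robust: {scan(ROBUST_DB, ep)}")
```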

4. Gr33tz
Gr33tz to (alphabetically):
– Achates
– Bi3gan
– BlackHat
– Conel
– D0han
– d3vil
– DarkShadow
– Die_Angel
– FDJ
– Hunter
– LamHac
– los3r
– McFiro
– pkoper
– SP4M
– Strike
– Umbro
– ViKiNG

My respects fly out to:
– fl3a
– M1ch00
– bart^xt
– all members of HTB Team 🙂

5. Outro
Thanks 4 reading 🙂
