Archive for the ‘Packer-Magic’ Category

Unpacking the MaskPE packer

Friday, June 6th, 2008

MaskPE is a packer that seems to have originated from China. It’s not extremely common, but you can stumble onto one every once in a while. It’s a pretty basic packer, but it does have one nice trick that can crash the packer stub if it detects a debugger.

Tool Release: PolyCryptPE Unpacker

Sunday, September 30th, 2007

This is a runtime unpacker for PolyCryptPE. Being a runtime unpacker, you have every chance of toasting your buttocks, since I cannot promise the executable won’t escape. I have tried to add a few safeguards to it, but you still need to be careful. Also, it’s not a perfect unpacker, since the imports will be broken in the dumped image.

Unpacking Pohernah

Monday, September 17th, 2007

Pohernah is a packer with Russian origins. Manual tracing is extremely tiresome since there are dozens of various decryption loops and layers in the code.

Unpacking nPack

Wednesday, August 29th, 2007

nPack is a public PE executable compressor that can be freely downloaded from various sites. Here’s a description by the author:

“nPack is a Win32 PE executable file compressor. Features:
- Support for all types of PE files (exe, dll, ocx)
- Compression of program code, data, and resources
- Section naming support
- Fast decompression routines
- Relocation support
- TLS support
- File rebuilding
- Strip relocation
- Strip debug information

Unknown UPX protector

Thursday, June 14th, 2007

I stumbled onto an unknown UPX protector a while back. The stub is easy to recognize and fingerprint, and the unpacking is just as easy.

Unpacking Stones Encrypter

Wednesday, May 30th, 2007

While I was rummaging through my file stash for anything interesting, I spotted a few files that were packed with something known as Stone’s Encrypter. It doesn’t contain any anti-debug tricks, and based on the file count I had, it seems to be a bit unpopular. Anyway, here are the instructions on unpacking it.

Sudden interest in NsPack?

Saturday, May 5th, 2007

For some reason I’m seeing quite a few hits from Korea within a 24-hour timeframe looking for nspack unpacking instructions. If there’s anyone who has a theory, I’d love to hear it :) You can send any info to toni(_at_)teamfurry.com

Unpacking the RLPack Premium edition

Monday, April 30th, 2007

It’s been a bit quiet for a while, as I was on vacation :) As you might remember, I published unpacking instructions for RLPack a while back. I mentioned that while the free version of RLPack contained no anti-whatnot code, the premium version supposedly did, but I didn’t have any files packed with it. I got contacted by ap0x, the coder of RLPack, and he was kind enough to send me a sample file packed with the premium edition.

Under the hood: Yoda’s Crypter 1.3

Friday, April 6th, 2007

Yoda’s Crypter (yC) was released in 2004, but never seemed to gain popularity amongst malware writers. Still, it isn’t uncommon to run into a sample protected by it. yC utilizes a polymorphic stub to hide better, but the packer can be easily fingerprinted.

I switched on every possible option in the packer and packed a test file with it. I’ll try to go through all the options and display them in the code. At the same time, we’ll walk through the unpacking process.

Unpacking RLPack

Sunday, April 1st, 2007

RLPack Basic is an open source packer brought to you by the coders at Reversing Labs. One of the coders there (if not the only one) is ap0x. I’ve seen some of the code he’s done in the past, and I must admit he knows his trade very well. RLPack Basic doesn’t contain any anti-debug or anti-analysis code, but the premium versions do.
