Exetools

Exetools forum (https://forum.exetools.com/index.php), General Discussion: determining packer version on packed exe (https://forum.exetools.com/showthread.php?t=2839)

rix 10-14-2003 13:30

determining packer version on packed exe
 
Hello, I would like to know how you guys determine the packer version just by looking at the exe file? Or is there any other way?

For example, a program packed with ASPack: how would you know which ASPack version is being used to pack it?

or

an exe file is packed; how would you know which packer it used?

Thanks

Rheya 10-14-2003 16:25

hi rix,
you can use some tools to check if the program is packed and which version it has:

you can use

- Stud_PE hxxp://itimer.home.ro/
- PEiD hxxp://protools.anticrack.de/files/utilities/peid.zip
- PE-Scan hxxp://protools.anticrack.de/files/utilities/pe-scan.zip

with Stud_PE, you will find out the name of the packer in the "signature" section

[Edit by JMI: No clickable links Please, not even to tool sites.]

bye
Rheya
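
Added example, not a tool from the thread: a small PEiD-style signature scanner that does what Stud_PE's "signature" tab and PEiD do to name a packer and its version. It parses a signature list in the PEiD userdb.txt syntax (one [name] block, a hex pattern with ?? wildcards, and an ep_only flag), maps AddressOfEntryPoint to a file offset through the section table, and compares the entry-point bytes against each pattern. The signature list and the minimal PE image are constructed for the example; the ASPack entry is built only from the six bytes quoted later in this thread (60 E8 72 05 00 00), and the second entry is a hypothetical placeholder, not a real database record.

```python
"""PEiD-style packer signature scan against a PE entry point (illustrative example)."""
import struct

# Constructed signature list in PEiD userdb.txt syntax. The ASPack pattern is
# taken from the entry-point bytes shown in this thread; the other entry is a
# hypothetical placeholder to demonstrate ?? wildcards, not a real signature.
USERDB = """
; constructed example database
[ASPack 2.001 (constructed from thread listing)]
signature = 60 E8 72 05 00 00
ep_only = true

[Hypothetical packer X]
signature = 60 BE ?? ?? ?? ?? 8D BE
ep_only = true
"""


def parse_userdb(text):
    """Return a list of (name, pattern, ep_only); pattern bytes are int or None (wildcard)."""
    sigs, name = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif line.lower().startswith("signature") and name:
            tokens = line.split("=", 1)[1].split()
            sigs.append([name, [None if t == "??" else int(t, 16) for t in tokens], True])
        elif line.lower().startswith("ep_only") and sigs:
            sigs[-1][2] = line.split("=", 1)[1].strip().lower() == "true"
    return [tuple(s) for s in sigs]


def matches_at(data, offset, pattern):
    """True if pattern (with wildcards) matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_offset(pe):
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect = opt + opt_size                     # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sect + 40 * i + 12)
        if va <= ep_rva < va + raw_size:
            return ep_rva - va + raw_ptr
    raise ValueError("entry point not inside any section")


def identify_packer(pe, userdb=USERDB):
    """Name of the first matching signature: at the entry point for ep_only
    entries, anywhere in the file otherwise. None when nothing matches."""
    ep = entry_point_offset(pe)
    for name, pattern, ep_only in parse_userdb(userdb):
        offsets = [ep] if ep_only else range(len(pe) - len(pattern) + 1)
        if any(matches_at(pe, off, pattern) for off in offsets):
            return name
    return None


def build_sample_pe(ep_bytes, ep_rva=0x12A001, sect_va=0x12A000):
    """Constructed minimal PE32 image with one section holding ep_bytes at ep_rva
    (0x12A001 = 0x0052A001 minus a 0x400000 image base, matching the thread)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, ep_rva)      # EP at offset 16
    opt += b"\0" * (224 - len(opt))
    sect = b".aspack".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, sect_va, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sect).ljust(0x200, b"\0")
    body = (b"\0" * (ep_rva - sect_va) + ep_bytes).ljust(0x200, b"\0")
    return header + body


if __name__ == "__main__":
    sample = build_sample_pe(bytes.fromhex("60E872050000"))
    print("entry point file offset: 0x%X" % entry_point_offset(sample))
    print("packer:", identify_packer(sample))
```

Real databases discriminate between close versions (ASPack 2.000 versus 2.001, say) by carrying longer patterns that include the bytes following the initial CALL, which is why the version string a scanner reports is only as precise as the signature it matched; a scanner run on a file whose section names or entry bytes were altered will simply report nothing, so the absence of a match is not evidence that a file is unpacked.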

rix 10-14-2003 17:04

thanks! this tool is great!

rix 10-15-2003 03:17

Ok, I tried Stud_PE on the target file and under the signature tab it says ASPack 2.001. I tried looking for tuts on unpacking ASPack but mostly I found it's about ASProtect and packing with ASPack 2.001. Would anyone here give me some links regarding this matter?

lownoise 10-15-2003 03:33

if you have the intention to learn something, try to follow the tutorial posted by r@dier
else find an unpacker on protools or another tools site

JMI 10-15-2003 03:52

Here's a suggestion:

Try something REALLY hard, like entering "unpacking + aspack 2.001" or even "unpacking + aspack 2.00" in your favorite search engine and see what you get. Learning to search is one of the most important tools for reverse code engineering.

Regards.

rix 10-15-2003 15:41

I did try the unpack tutorial by r@dier but it seems that the value given by him differs from what I see. I was wondering if it has to do with WinXP. Since it's an NT-based OS, maybe it showed up differently.

R@dier 10-15-2003 16:30

@rix

the tutes are about a method to use, not values,

what have you tried so far?


R@dier

rix 10-15-2003 17:29

In that case, I got them right except I didn't have the tools to continue. It's ok, I'll try to find them sooner or later. Currently I'm kinda busy with other stuff at college and my company :)

R@dier 10-15-2003 18:23

@rix,

the OEP of your progy was 00406744,

I used the same method in the tut with the OllyDump plugin,
and let the plugin rebuild the imports,
runs fine


Regards

R@dier

0052A001 > 60 PUSHAD <-------start point execute F7
0052A002 E8 72050000 CALL target.0052A579 <----set breakpoint on addy in ESP register
F9 run the progy



0052A4F4 75 08 JNZ SHORT target.0052A4FE <--- you will land here
0052A4F6 B8 01000000 MOV EAX,1
0052A4FB C2 0C00 RETN 0C
0052A4FE 68 44674000 PUSH target.00406744 <--- OEP addy
0052A503 C3 RETN

F7 till you execute the RETN
you will land here


00406744 68 CC874000 PUSH target.004087CC <----------start dump here
00406749 E8 F0FFFFFF CALL target.0040673E
0040674E 0000 ADD BYTE PTR DS:[EAX],AL
00406750 0000 ADD BYTE PTR DS:[EAX],AL


done
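
Added example (not code from the thread or from R@dier): a minimal decoder for the seven x86 opcodes that appear in the OllyDbg listing above. Fed the hex columns of the two listing fragments (constructed here as byte strings), it recomputes the CALL and JNZ targets the listing shows and recognises the "PUSH imm32 / RETN" tail, whose pushed immediate is the original entry point (OEP) the tutorial arrives at by single-stepping the final RETN. The debugger steps in the post (the breakpoint on the address in ESP, F7/F9) are dynamic and are not reproduced; this shows only the static half, which is how an analyst checks a dump's OEP against the packer stub before rebuilding imports.

```python
"""Decode the instructions from the thread's ASPack stub listing and extract the OEP."""
import struct

# Constructed from the hex columns of the listing in the thread:
# the stub entry (PUSHAD / CALL) and the tail that hands control to the OEP.
STUB_START = (0x0052A001, bytes.fromhex("60 E872050000"))
STUB_TAIL = (0x0052A4F4, bytes.fromhex("7508 B801000000 C20C00 6844674000 C3"))


def decode(base, code):
    """Yield (address, mnemonic, operand) for the opcodes used in the listing.
    Branch targets are resolved to absolute addresses, as OllyDbg displays them."""
    pc = 0
    while pc < len(code):
        addr = base + pc
        op = code[pc]
        if op == 0x60:                                   # PUSHAD
            yield addr, "PUSHAD", None
            pc += 1
        elif op == 0xE8:                                 # CALL rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            yield addr, "CALL", (addr + 5 + rel) & 0xFFFFFFFF
            pc += 5
        elif op == 0x75:                                 # JNZ rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            yield addr, "JNZ", (addr + 2 + rel) & 0xFFFFFFFF
            pc += 2
        elif op == 0xB8:                                 # MOV EAX, imm32
            yield addr, "MOV EAX", struct.unpack_from("<I", code, pc + 1)[0]
            pc += 5
        elif op == 0xC2:                                 # RETN imm16
            yield addr, "RETN", struct.unpack_from("<H", code, pc + 1)[0]
            pc += 3
        elif op == 0x68:                                 # PUSH imm32
            yield addr, "PUSH", struct.unpack_from("<I", code, pc + 1)[0]
            pc += 5
        elif op == 0xC3:                                 # RETN
            yield addr, "RETN", None
            pc += 1
        else:
            raise ValueError("unsupported opcode %02X at %08X" % (op, addr))


def find_push_retn_oep(base, code):
    """Return the immediate of a 'PUSH imm32' directly followed by 'RETN' (the
    packer's jump to the OEP), or None when the fragment has no such tail."""
    insns = list(decode(base, code))
    for (_, mnem, imm), (_, next_mnem, _) in zip(insns, insns[1:]):
        if mnem == "PUSH" and next_mnem == "RETN":
            return imm
    return None


if __name__ == "__main__":
    for base, code in (STUB_START, STUB_TAIL):
        for addr, mnem, operand in decode(base, code):
            shown = "" if operand is None else " %08X" % operand
            print("%08X %s%s" % (addr, mnem, shown))
    print("OEP from PUSH/RETN tail: %08X" % find_push_retn_oep(*STUB_TAIL))
```

The decoded addresses match the listing line for line (CALL 0052A579, JNZ 0052A4FE, PUSH 00406744), which is the check worth doing when a tutorial's numbers "differ from what you see": the stub addresses depend on the packed build, but the PUSH/RETN pattern and the pushed OEP are what the method keys on.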


rix 10-15-2003 18:59

Yeah, thanks a lot for the tutorial r@dier. I followed it with the tools needed. And I also found the same OEP as you did. It's unpacked now and I'm happy. I guess the only thing that stopped me from the tutorial you gave me is that I didn't have the tools, but I've got them now.


For others, thanks a lot for the help and thanks for the Stud_PE, Rheya :)

