Exetools  
Old 01-03-2005, 22:34
spokey
Can you hide/remove packer info from file?

Hi, I'm new to this packing/unpacking and I wonder if it is possible to hide or remove the info a packer puts into a packed file, so you can't see it immediately when you use, for instance, PEiD???
Old 01-05-2005, 12:46
Crudd[RET]
Yeah, there are a few ways to trick tools like PEiD. I don't think they are implemented very often though. Seems most packers don't care if you know that it's their packer being used.
Crudd [RET]
Old 01-05-2005, 17:30
redbull
Some packers/cryptors leave a signature in the file, either as the name of a section in the PE header or as bytes appended to the file.

Other packers/cryptors use standard bytes in their body, around their entry points, or in certain places in their unpack/decryption code.

I asked a question on the PEiD forum a while ago about true polymorphic protectors (e.g. a protector that has no stable bytes at the entry point or anywhere in its body):

http://www.secretashell.com/PEiD/viewtopic.php?t=82

Basically, to prevent detection of a packer or cryptor you need to understand what gives that packer away to the detectors. Is it stable bytes, a section header name, a certain DWORD in the PE header, or something else?

The best way to discover this is to protect several different files with the same protector and try to find the similarities.

Results of your work will be appreciated!!

l8rz
Old 01-05-2005, 19:27
spokey
Quote:
Originally Posted by Crudd[RET]
Yeah, there are a few ways to trick tools like PEiD. I don't think they are implemented very often though. Seems most packers don't care if you know that it's their packer being used.
Crudd [RET]
Do you have any idea why people tend not to use it? Because it seems to me like a first small defence against unpacking, just one extra step someone has to take to unpack the file.

Also, are those tricks available to "the public" or are those for internal use only? Inventing/finding out the same thing again while maybe 10 other people have already done it doesn't seem so useful to me; on the other hand, you can learn from finding out stuff yourself.
Old 01-05-2005, 19:48
miaomiao
Some tools can also make your EXE file pretend to be a Delphi or VC++ file. Generally, the entry-point code is what lets PEiD identify which packer was used on the PE.
Old 01-06-2005, 07:18
Crudd[RET]
Well, the reason people might not want to advertise that their protector hides its identity is because then the author of tools like PEiD would find a way around it (i.e. find a long enough signature that is always present in the file, preferably at a static offset). Same for the information not being widespread. If everyone knows how to defeat the tools, then the authors will just find new methods. If the method(s) used to hide the protector are well known, then they will be easily defeated. And PEiD hides its detection methods just as protectors hide their anti-PEiD methods.
Crudd [RET]
Old 01-06-2005, 21:21
spokey
I didn't write exactly what I meant with hide/remove; my main idea was/is to use a fake packer ID, so when you pack something with, let's say, UPX the ID wouldn't display UPX but Microsoft MFC blablabla.

The first thing most people do (I assume) is load up a tool to look up the packer tool ID before they start working on unpacking.
Old 01-07-2005, 07:04
Crudd[RET]
Well, like miaomiao said, most packers are identified by their entry-point signature. So changing the sig of your entry point will defeat most packer ID tools. You could do this manually or code a tool to do it (I think there is a tool that does this already, but I don't recall the name). You could just put a few useless bytes at the beginning of the loader and increase the loader size a bit, you could manually recode some of the opcodes using different regs/opcodes, and probably a few other things. You may also want to change the section names to something else (another packer, all blank, your name). Anyway, I hope that helps and is the answer you were looking for.
Crudd [RET]
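A defender-side illustration of what redbull (post #3) and Crudd (post #8) describe, added here and not code from any poster: a PEiD-style scanner that parses the PE header, collects the section names and the bytes at AddressOfEntryPoint, and matches them against a small wildcard signature set. The PE image, the stub bytes and the signature strings are all constructed for the demo (the signatures imitate PEiD's userdb format but are not its real database); running the same stub with stock and renamed section names shows why detectors key on entry-point bytes rather than names.

```python
import struct

# Constructed, PEiD userdb-style entry-point signatures (illustrative, not PEiD's real database).
# Tokens are hex bytes, "??" is a one-byte wildcard; matched at the entry point, as PEiD does.
SIGS = {"UPX-like stub (pushad; mov esi,imm32; lea edi,[esi+imm32])": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ??",
        "MSVC-like CRT entry (push ebp; mov ebp,esp; push -1)": "55 8B EC 6A FF"}

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, SizeOfRawData, PointerToRawData), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]               # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]          # COFF SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]    # OptionalHeader.AddressOfEntryPoint
    table = pe + 24 + opt_size                                     # section table follows the optional header
    sections = [struct.unpack_from("<8sIIII", data, table + 40 * i) for i in range(nsec)]
    return entry_rva, [(n.rstrip(b"\0").decode("latin-1"), va, rs, rp) for n, _vs, va, rs, rp in sections]

def sig_matches(sig, blob):
    toks = sig.split()
    return len(blob) >= len(toks) and all(t == "??" or int(t, 16) == b for t, b in zip(toks, blob))

def scan(data):
    """Report the two giveaways the thread names: packer-style section names and entry-point bytes."""
    entry_rva, sections = parse_pe(data)
    # Map the entry RVA to a file offset through the section table; None if it lands in no section.
    off = next((rp + entry_rva - va for _n, va, rs, rp in sections if va <= entry_rva < va + rs), None)
    ep = data[off:off + 16] if off is not None else b""
    return {"section_hits": [s[0] for s in sections if s[0].upper().startswith("UPX")],
            "ep_hits": [name for name, sig in SIGS.items() if sig_matches(sig, ep)]}

def build_sample(section_names, stub):
    """Constructed minimal PE32 image (not loadable): 0x200-byte sections, stub placed 0x10 into the last one."""
    nsec, hdr_len = len(section_names), 312 + 40 * len(section_names)  # DOS+"PE\0\0"+COFF+optional = 312 bytes
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1000 * nsec + 0x10)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x200, 0x1000 * (i + 1), 0x200, hdr_len + 0x200 * i,
                                 0, 0, 0, 0, 0x60000020) for i, n in enumerate(section_names))
    body = bytearray(0x200 * nsec)
    start = 0x200 * (nsec - 1) + 0x10
    body[start:start + len(stub)] = stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + bytes(body)

STUB = bytes.fromhex("60BE005040008DBE00C0FFFF5783CDFF")            # constructed UPX-style loader prologue

def demo():
    # Same stub, stock UPX section names vs. renamed ones: only the name-based check goes quiet.
    return scan(build_sample(["UPX0", "UPX1", ".rsrc"], STUB)), scan(build_sample([".text", ".data", ".rsrc"], STUB))
```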
Old 01-07-2005, 16:59
redbull
There was a tool years ago which was designed to remove the Borland signatures from Borland Pascal 7.0 files.

There were unpackers available which tested the memory of the program each time the program executed code in a new segment, and did a dump if it found a signature of a compiler it recognized. I forget its name, but this tool used to kill the Borland bytes so that the unpackers did not recognize the exe as a Borland exe.

Now Borland exes have quite a large library appended to them, about 150 KB for Pascal 7. The program only changed about 300 bytes of the library. It removed things like "copyright borland" and changed some of the fixed strings (i.e. a constant like "0123456789") and the entry point of the library itself. The entry point was re-written (i.e. manually re-coded) and was not simply a poly layer. Also there was a patch available for the compiler library (a new version of turbo.tpl) which included these changes, so each time you compiled a file you had an "immune" copy.

It was very effective. Later on the game continued, with the unpackers detecting these libraries. I think the last version I saw had a small poly layer around the library's entry point.