#1
Well, the reason people might not want to advertise that their protector hides its identity is because then the authors of tools like PEiD would find a way around it (i.e., find a long enough signature that is always present in the file, preferably at a static offset). Same for the information not being widespread. If everyone knows how to defeat the tools, then the authors will just find new methods. If the method(s) used to hide the protector are well known, then they will be easily defeated. And PEiD hides its detection methods just as protectors hide their anti-PEiD methods.
Crudd [RET]

#2
I didn't write exactly what I meant with hide/remove; my main idea was/is to use a fake packer ID, so when you pack something with, let's say, UPX, the ID wouldn't display UPX but Microsoft MFC blablabla.
The 1st thing most people do (I assume) is load up a tool to look up the packer tool ID before they start working on unpacking.
#3
Well, like miaomiao said, most packers are identified by their entry-point signature. So changing the sig of your entry point will defeat most packer ID tools. You could do this manually or code a tool to do it (I think there is a tool that does this already, but I don't recall the name). You could just put a few useless bytes at the beginning of the loader and increase the loader size a bit, you could manually recode some of the opcodes using different regs/opcodes, and probably a few other things. You may also want to change the section names to something else (another packer, all blank, your name). Anyway, I hope that helps and is the answer you were looking for.
Crudd [RET]
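Posts #1 and #3 both come down to the same mechanism: a packer ID tool reads the bytes at the PE entry point and compares them with a signature table. The script below is an added example written for this thread, not code from the thread or from PEiD itself. It resolves AddressOfEntryPoint to a file offset through the section table, matches PEiD-style signatures (hex bytes, `??` as a one-byte wildcard) at the entry point ("ep_only" mode), and then repeats the match as a deep scan over the whole file. The signature strings, the `build_sample_pe` helper and the loader bytes are constructed for the example; they are not real packer signatures or real packer output.

```python
import struct

# Constructed signature table in PEiD's textual convention: hex bytes, "??" is a
# one-byte wildcard. Both entries are made up for this example; they are not
# entries from PEiD's real database.
SIGNATURES = {
    "Example packer A": "60 E8 ?? ?? ?? ?? 5D 81 ED",
    "Example packer B": "9C 60 E8 00 00 00 00 5D",
}


def parse_signature(text):
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(sig, data, off):
    """True if the signature matches data starting at offset off."""
    if off + len(sig) > len(data):
        return False
    return all(b is None or b == data[off + i] for i, b in enumerate(sig))


def entry_point_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the COFF header
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sec = opt + opt_size                     # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return rawptr + (ep_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def identify(pe, signatures=SIGNATURES, deep=False):
    """Return the names of the signatures that match.

    deep=False: "ep_only" check, the signature must start exactly at the entry
    point. deep=True: slide the signature over the whole file, which is what
    catches a loader whose entry point was padded with filler bytes.
    """
    hits = []
    for name, text in signatures.items():
        sig = parse_signature(text)
        if deep:
            found = any(matches_at(sig, pe, off) for off in range(len(pe)))
        else:
            found = matches_at(sig, pe, entry_point_offset(pe))
        if found:
            hits.append(name)
    return hits


def build_sample_pe(ep_code):
    """Construct a minimal single-section 32-bit PE whose entry point is ep_code.

    This is a synthetic test image built for the example, not output of any packer.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    raw = ep_code.ljust(0x200, b"\0")
    section = struct.pack("<8sIIIIIIHHI", b".text", len(ep_code), 0x1000,
                          len(raw), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + raw


if __name__ == "__main__":
    # Constructed loader bytes that happen to match "Example packer A".
    loader = bytes.fromhex("60 E8 00 00 00 00 5D 81 ED 00 00 00 00 C3")
    clean = build_sample_pe(loader)
    padded = build_sample_pe(b"\x90\x90" + loader)   # two filler bytes before the loader
    print("ep_only, unmodified:", identify(clean))
    print("ep_only, padded:    ", identify(padded))
    print("deep,    padded:    ", identify(padded, deep=True))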
#4
There was a tool years ago which was designed to remove the Borland signatures from Borland Pascal 7.0 files.
There were unpackers available which tested the memory of the program each time the program executed code in a new segment, and did a dump if it found a signature of a compiler it recognized. I forget its name, but this tool used to kill the Borland bytes so that the unpackers did not recognize the exe as a Borland exe. Now Borland exes have quite a large library appended to them. About 150kb for Pascal 7. The program only changed about 300 bytes of the library. It removed things like "copyright borland" and changed some of the fixed strings (i.e., a constant like "0123456789") and the entry point of the library itself. The entry point was re-written (i.e., manually re-coded) and was not simply a poly layer. Also there was a patch available for the compiler library (a new version of turbo.tpl) which included these changes, so each time you compiled a file you had an "immune" copy. It was very effective. Later on the game continued with the unpackers detecting these libraries. I think the last version I saw had a small poly layer around the library's entry point.
#5
Anyway, if you modify a packed file, you should also know where and how to modify the CRC of the program, because protectors like Armadillo, SVKP, Obsidium, ASProtect, ACProtect, SDProtector and so on do not allow you to modify even a single bit.
#6
You can use DotFix FakeSigner for such a job: h**p://www.wasm.ru/tools/8/FakeSigner.zip