FileForums

FileForums (https://fileforums.com/index.php)
-   Game Trainers (https://fileforums.com/forumdisplay.php?f=51)
-   -   Why using exe compressors? (https://fileforums.com/showthread.php?t=89671)

Cowsheep 23-05-2010 03:30

Why using exe compressors?
 
Why the trainer scene is using exe compressors so often?
I dont see any positive effects.
- Files are packed with Winrar or similiar, so smaller exe does not matter for downloading or hosting the file
- The 100 or 200kb smaller exe on disc does not matter with hdd sizes of 500 GB or more
- Exe compressors are causing often Antivirus false positives
- They can be easily unpacked, so no protection from analyses by others

Cowsheep 23-05-2010 05:28

haxor started using PEcompact only short time ago, Psych and some scene groups do that for a much longer time.

[Psych] 23-05-2010 05:51

Light protection from reversing by newbs (although it's not just vanilla PECompact on my trainers; some additional bits to it in there), smaller file sizes if not by all that much (still good ratios on my releases so might as well), PECompact doesn't flag up anymore than the original file (due in part to the dev working with major AV companies). That's basically it. Look at it the other way, there are basically no negative effects are there.

Cowsheep 23-05-2010 07:35

Quote:

Originally Posted by [Psych] (Post 385338)
Light protection from reversing by newbs (although it's not just vanilla PECompact on my trainers; some additional bits to it in there), smaller file sizes if not by all that much (still good ratios on my releases so might as well), PECompact doesn't flag up anymore than the original file (due in part to the dev working with major AV companies). That's basically it. Look at it the other way, there are basically no negative effects are there.

You mean the kernel32.dll import protection?
I didnt notice any other difference to standart Pe compact.

[Psych] 23-05-2010 07:44

No.

Caliber 23-05-2010 07:48

what does

http://fileforums.com/showthread.php?t=89266

have to do with anything? is this supposed to save you or something?

anyways, the only reason things are being packed is to try and prevent people from prying into the code of the .exe, especially with simple tools like IDA PRO which can map the entire flow of a program pretty quickly (and thus you can reverse it faster and kill it). i leave it up to pysch to say if it's helpful or harmful, although i have seen some big named trainer makers create problems for themselves by using packers (the antivirus programs flag them as suspicious sometimes).

unfortunately, once the .exe is in 'memory', then you can still reverse it (as evidenced by the thousands of REVERSED and RIPPED PROTECTIONS of the .exe's posted on the gamecopyworld.com site (which clearly defies the EULA agreements to these games, LOL) that had/have packers and such attached to them). so to me it's a wasted step and introduces more 'potential' problems in the end. however, it will keep the newbs out i guess.

either the creator of the .exe doesn't want you to see their code because they don't want you copying it, or the code has nefarious things in it...which is why AV flags them more often..

my 2 cents-

best,
Cal

[Psych] 23-05-2010 13:11

To illustrate my point on my packer of choice not setting off AV flags. This is from one of my most recent releases:

The original file:
http://virusscan.jotti.org/en-gb/sca...e62cff0ea46b10

The packed file:
http://virusscan.jotti.org/en-gb/sca...96af74f8e40148

I'll do a more comprehensive scan with VirusTotal once their service comes back online, but the results will be pretty much the same, perhaps just with the odd rarely-used AV program flagging something up as 'generic'.

For the record, I do my research before trying anything out of the norm, especially when it's going to be used on a 'product', essentially, which someone is going to buy. Out of all the packers/protectors i've tried (and it's a massive amount), PECompact is the one which gives great compression ratios, is feature-rich (a plugin system, many options etc), it's cheap and it plays nice with AV's. It's one thing to mess people about with free stuff, but a paid release is quite another, and i'm aware of this.

There's are reasons more and more people are starting to use PECompact on files when they previously used an alternative packer, and although I can't speak for them, I bet it's the same as my reasons above. Cheers.

Joe Forster/STA 23-05-2010 13:39

What's the problem with UPX?

I see no reason for EXE compression in this era - for DOS, small partitions and floppy disks, it was vital but only if the decompressor was fast enough (slow CPU's, too!), otherwise you would've lost during decompression the time that you won by the shorter disk access.

However, e.g. some distribution packages of MPlayer recommend compressing the executable - it's an option you can tick during installation and then the installer will compress the EXE's, stored uncompressed in the package. For what reason...?

Cowsheep 23-05-2010 13:48

Quote:

Originally Posted by Joe Forster/STA (Post 385381)
What's the problem with UPX?

Maybe upx.exe -d target.exe ?
Pecompact and others have to be muped or unpacked (if untouched standart version) with a 3rd party tool.

[Psych] 24-05-2010 00:56

It's turning into a debate of opinion as usual. I've stated why I use them personally. Yeah, perhaps it is pointless, but i've had no negative effects from using it up to now, so i'll just roll with it. I'm suprised no-one else who packs their releases has chimed in yet. Perhaps my reasons are the same?

@Cowsheep, I believe Joe was asking why UPX wasn't used, rather PECompact. I don't think he's having a problem with trying to decompress files, unless i've missed something. UPX is indeed a good packer, but as part of my reaosn for packing was to deter reversing (in a light way!), UPX is just plain silly. Anything can unpack that. At least with PECompact it can be setup to break decompression on common unpackers and tracers, and make manual reconstruction that little bit more difficult.

Cowsheep 24-05-2010 02:25

Find oep, dump, fix iat. For me, muping Pecompact or other packers is not harder then UPX.

[Psych] 24-05-2010 03:56

Quote:

Originally Posted by [Psych] (Post 385338)
Light protection from reversing by newbs

Quote:

Originally Posted by Caliber (Post 385350)
however, it will keep the newbs out i guess

As already stated ^

Quote:

Originally Posted by Cowsheep (Post 385389)
Find oep, dump, fix iat. For me, muping Pecompact or other packers is not harder then UPX.

I don't protect my releases from 'you'. I'm not sure what sort of response you're wanting Cowsheep.. :/

Joe Forster/STA 24-05-2010 06:47

I know that UPX can be told to uncompress EXE's compressed by itself but aren't there some little obfuscators that make UPX-compressed EXE's - if not uncompressable but, at least, - hard to decompress? I'm just asking because the price of the compressor was mentioned, too, and UPX is free.

[Psych] 24-05-2010 07:51

Indeed. I think UPX-scrambler is one of these. I seem to recall trying these, though, and they seemed to set off more generic malware alarms in AV's. That's something i'll have to revisit at some point and see what effect it has.

Cowsheep 24-05-2010 08:34

I didnt want any particular answer from you Psych, i just wanted to say that packers dont offer any protection even against a newbie reverser like me. Iam only interested in manual unpacking and not in trainer making.

TippeX 24-05-2010 09:17

and really, you don't need to unpack a trainer, just breakpoint on writeprocessmemory / readprocessmemory in most cases gives you what you need, unless the trainer injects a dll, in which case usually virtualprotect gets you to the area (cos it has to change it to writable)... so all a packer gains in essence (at least to me) is a size change and very little else

[Psych] 24-05-2010 11:03

Yeah, you can BP the WPM/RPM etc export rather than the import (which may well be unavailable due to the destroyed IAT), absolutely.

Quote:

Originally Posted by Cowsheep (Post 385396)
i just wanted to say that packers dont offer any protection even against a newbie reverser like me.

Stating the obvious/pointless comment. It's already been stated. You seriously didn't think you was actually telling me something new did you?! :P Don't like packers, then don't use them :/

Joe Forster/STA 25-05-2010 02:38

One more thing pro any kind of compression: the ability to check for damages in the file. (Although the original question was not about this problem/solution...)

I really hate it when - thinking of computer-illiterate users who are hardly able to do more than click on buttons and icons - web pages show you for download naked EXE's, especially large ones. You download them, run them and will get mysterious error messages or seemingly unrelated problems if the file was damaged during download (or upload?!) and it doesn't explicitly check its own integrity. Pack it with an EXE compressor or archive it with ZIP, RAR etc. and you'll find out whether it's damaged or not.

Cowsheep 27-05-2010 02:53

I never had problems with muping PECompact, but an oep dump with fixed iat of hax0rs latest trainers gives me a "Stream read error" message.
Patching that msg away dont help, i get an empty grey window then.
Copying the overlay from original file and add it to the dump dont help, too.

Whats so special about muping hax0rs trainers?

[Psych] 27-05-2010 04:16

It's something to do with the Cheat Engine feature on which they are based. It does a similar thing when you unpacked a standard UPX'ed CE trainer. But personally i'm not interested in unpacking, or in any other way, messing with other people's trainers. It never seems to end well whatever the intentions.

Cowsheep 27-05-2010 04:41

I never saw an upxed CE trainer, you know an example?
I just want to improve my MUPing skills.

[Psych] 31-05-2010 03:22

1 Attachment(s)
Attached.


All times are GMT -7. The time now is 22:22.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2026, vBulletin Solutions Inc.
FileForums @ https://fileforums.com