![]() |
Why using exe compressors?
Why the trainer scene is using exe compressors so often?
I dont see any positive effects. - Files are packed with Winrar or similiar, so smaller exe does not matter for downloading or hosting the file - The 100 or 200kb smaller exe on disc does not matter with hdd sizes of 500 GB or more - Exe compressors are causing often Antivirus false positives - They can be easily unpacked, so no protection from analyses by others |
haxor started using PEcompact only short time ago, Psych and some scene groups do that for a much longer time.
|
Light protection from reversing by newbs (although it's not just vanilla PECompact on my trainers; some additional bits to it in there), smaller file sizes if not by all that much (still good ratios on my releases so might as well), PECompact doesn't flag up anymore than the original file (due in part to the dev working with major AV companies). That's basically it. Look at it the other way, there are basically no negative effects are there.
|
Quote:
I didnt notice any other difference to standart Pe compact. |
No.
|
what does
http://fileforums.com/showthread.php?t=89266 have to do with anything? is this supposed to save you or something? anyways, the only reason things are being packed is to try and prevent people from prying into the code of the .exe, especially with simple tools like IDA PRO which can map the entire flow of a program pretty quickly (and thus you can reverse it faster and kill it). i leave it up to pysch to say if it's helpful or harmful, although i have seen some big named trainer makers create problems for themselves by using packers (the antivirus programs flag them as suspicious sometimes). unfortunately, once the .exe is in 'memory', then you can still reverse it (as evidenced by the thousands of REVERSED and RIPPED PROTECTIONS of the .exe's posted on the gamecopyworld.com site (which clearly defies the EULA agreements to these games, LOL) that had/have packers and such attached to them). so to me it's a wasted step and introduces more 'potential' problems in the end. however, it will keep the newbs out i guess. either the creator of the .exe doesn't want you to see their code because they don't want you copying it, or the code has nefarious things in it...which is why AV flags them more often.. my 2 cents- best, Cal |
To illustrate my point on my packer of choice not setting off AV flags. This is from one of my most recent releases:
The original file: http://virusscan.jotti.org/en-gb/sca...e62cff0ea46b10 The packed file: http://virusscan.jotti.org/en-gb/sca...96af74f8e40148 I'll do a more comprehensive scan with VirusTotal once their service comes back online, but the results will be pretty much the same, perhaps just with the odd rarely-used AV program flagging something up as 'generic'. For the record, I do my research before trying anything out of the norm, especially when it's going to be used on a 'product', essentially, which someone is going to buy. Out of all the packers/protectors i've tried (and it's a massive amount), PECompact is the one which gives great compression ratios, is feature-rich (a plugin system, many options etc), it's cheap and it plays nice with AV's. It's one thing to mess people about with free stuff, but a paid release is quite another, and i'm aware of this. There's are reasons more and more people are starting to use PECompact on files when they previously used an alternative packer, and although I can't speak for them, I bet it's the same as my reasons above. Cheers. |
What's the problem with UPX?
I see no reason for EXE compression in this era - for DOS, small partitions and floppy disks, it was vital but only if the decompressor was fast enough (slow CPU's, too!), otherwise you would've lost during decompression the time that you won by the shorter disk access. However, e.g. some distribution packages of MPlayer recommend compressing the executable - it's an option you can tick during installation and then the installer will compress the EXE's, stored uncompressed in the package. For what reason...? |
Quote:
Pecompact and others have to be muped or unpacked (if untouched standart version) with a 3rd party tool. |
It's turning into a debate of opinion as usual. I've stated why I use them personally. Yeah, perhaps it is pointless, but i've had no negative effects from using it up to now, so i'll just roll with it. I'm suprised no-one else who packs their releases has chimed in yet. Perhaps my reasons are the same?
@Cowsheep, I believe Joe was asking why UPX wasn't used, rather PECompact. I don't think he's having a problem with trying to decompress files, unless i've missed something. UPX is indeed a good packer, but as part of my reaosn for packing was to deter reversing (in a light way!), UPX is just plain silly. Anything can unpack that. At least with PECompact it can be setup to break decompression on common unpackers and tracers, and make manual reconstruction that little bit more difficult. |
Find oep, dump, fix iat. For me, muping Pecompact or other packers is not harder then UPX.
|
Quote:
Quote:
Quote:
|
I know that UPX can be told to uncompress EXE's compressed by itself but aren't there some little obfuscators that make UPX-compressed EXE's - if not uncompressable but, at least, - hard to decompress? I'm just asking because the price of the compressor was mentioned, too, and UPX is free.
|
Indeed. I think UPX-scrambler is one of these. I seem to recall trying these, though, and they seemed to set off more generic malware alarms in AV's. That's something i'll have to revisit at some point and see what effect it has.
|
I didnt want any particular answer from you Psych, i just wanted to say that packers dont offer any protection even against a newbie reverser like me. Iam only interested in manual unpacking and not in trainer making.
|
and really, you don't need to unpack a trainer, just breakpoint on writeprocessmemory / readprocessmemory in most cases gives you what you need, unless the trainer injects a dll, in which case usually virtualprotect gets you to the area (cos it has to change it to writable)... so all a packer gains in essence (at least to me) is a size change and very little else
|
Yeah, you can BP the WPM/RPM etc export rather than the import (which may well be unavailable due to the destroyed IAT), absolutely.
Quote:
|
One more thing pro any kind of compression: the ability to check for damages in the file. (Although the original question was not about this problem/solution...)
I really hate it when - thinking of computer-illiterate users who are hardly able to do more than click on buttons and icons - web pages show you for download naked EXE's, especially large ones. You download them, run them and will get mysterious error messages or seemingly unrelated problems if the file was damaged during download (or upload?!) and it doesn't explicitly check its own integrity. Pack it with an EXE compressor or archive it with ZIP, RAR etc. and you'll find out whether it's damaged or not. |
I never had problems with muping PECompact, but an oep dump with fixed iat of hax0rs latest trainers gives me a "Stream read error" message.
Patching that msg away dont help, i get an empty grey window then. Copying the overlay from original file and add it to the dump dont help, too. Whats so special about muping hax0rs trainers? |
It's something to do with the Cheat Engine feature on which they are based. It does a similar thing when you unpacked a standard UPX'ed CE trainer. But personally i'm not interested in unpacking, or in any other way, messing with other people's trainers. It never seems to end well whatever the intentions.
|
I never saw an upxed CE trainer, you know an example?
I just want to improve my MUPing skills. |
1 Attachment(s)
Attached.
|
| All times are GMT -7. The time now is 22:22. |
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2026, vBulletin Solutions Inc.
FileForums @ https://fileforums.com