  #1  
Old 23-05-2010, 03:30
Cowsheep Cowsheep is offline
Registered User
 
Join Date: Oct 2009
Location: Near OEP;)
Posts: 352
Thanks: 0
Thanked 13 Times in 4 Posts
Cowsheep is on a distinguished road
Why using exe compressors?

Why is the trainer scene using exe compressors so often?
I don't see any positive effects.
- Files are packed with Winrar or similar, so a smaller exe does not matter for downloading or hosting the file
- The 100 or 200kb smaller exe on disc does not matter with hdd sizes of 500 GB or more
- Exe compressors often cause Antivirus false positives
- They can be easily unpacked, so no protection from analyses by others
  #2  
Old 23-05-2010, 05:28
Cowsheep Cowsheep is offline
haxor started using PECompact only a short time ago; Psych and some scene groups have been doing that for a much longer time.
  #3  
Old 23-05-2010, 05:51
[Psych] [Psych] is offline
Banned
 
Join Date: Nov 2008
Location: In a heap :-)
Posts: 201
Thanks: 0
Thanked 0 Times in 0 Posts
[Psych] is on a distinguished road
Light protection from reversing by newbs (although it's not just vanilla PECompact on my trainers; some additional bits to it in there), smaller file sizes if not by all that much (still good ratios on my releases so might as well), PECompact doesn't flag up any more than the original file (due in part to the dev working with major AV companies). That's basically it. Look at it the other way, there are basically no negative effects, are there.
  #4  
Old 23-05-2010, 07:35
Cowsheep Cowsheep is offline
Quote:
Originally Posted by [Psych]
Light protection from reversing by newbs (although it's not just vanilla PECompact on my trainers; some additional bits to it in there), smaller file sizes if not by all that much (still good ratios on my releases so might as well), PECompact doesn't flag up any more than the original file (due in part to the dev working with major AV companies). That's basically it. Look at it the other way, there are basically no negative effects, are there.
You mean the kernel32.dll import protection?
I didn't notice any other difference from standard PECompact.
  #5  
Old 23-05-2010, 07:44
[Psych] [Psych] is offline
No.
  #6  
Old 23-05-2010, 07:48
Caliber Caliber is offline
Banned
 
Join Date: Feb 2007
Location: USA
Posts: 134
Thanks: 0
Thanked 1 Time in 1 Post
Caliber is on a distinguished road
what does

http://fileforums.com/showthread.php?t=89266

have to do with anything? is this supposed to save you or something?

anyways, the only reason things are being packed is to try and prevent people from prying into the code of the .exe, especially with simple tools like IDA PRO which can map the entire flow of a program pretty quickly (and thus you can reverse it faster and kill it). i leave it up to Psych to say if it's helpful or harmful, although i have seen some big named trainer makers create problems for themselves by using packers (the antivirus programs flag them as suspicious sometimes).

unfortunately, once the .exe is in 'memory', then you can still reverse it (as evidenced by the thousands of REVERSED and RIPPED PROTECTIONS of the .exe's posted on the gamecopyworld.com site (which clearly defies the EULA agreements to these games, LOL) that had/have packers and such attached to them). so to me it's a wasted step and introduces more 'potential' problems in the end. however, it will keep the newbs out i guess.

either the creator of the .exe doesn't want you to see their code because they don't want you copying it, or the code has nefarious things in it...which is why AV flags them more often..

my 2 cents-

best,
Cal
Reply With Quote
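One common family of static heuristics behind the AV flags discussed in this thread looks at PE section names and section entropy. The following is an added example, not code from any poster in this thread: it reads the section table, computes per-section entropy and lists the packer-like traits it finds. The 7.0 threshold, the function names and both sample images are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names UPX writes
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed data nears 8 bits/byte

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_sections(pe: bytes) -> list:
    """Return (name, entropy, reasons) for each section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)  # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    results = []
    for i in range(n_sections):
        raw, vsize, _va, rsize, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", pe, table + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        h = entropy(pe[rptr:rptr + rsize])
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if h >= ENTROPY_THRESHOLD:
            reasons.append("high entropy")
        if rsize == 0 and vsize > 0 and flags & 0x20000000:  # IMAGE_SCN_MEM_EXECUTE
            reasons.append("executable but empty on disk")
        results.append((name, round(h, 2), reasons))
    return results

def build_sample(sections) -> bytes:
    """Constructed test image: DOS/PE headers, section table, section data."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    start, table, body = len(hdr) + 40 * len(sections), b"", b""
    for name, vsize, data, flags in sections:
        ptr = start + len(body) if data else 0
        table += struct.pack("<8sIIII12xI", name, vsize, 0x1000, len(data), ptr, flags)
        body += data
    return hdr + table + body

PLAIN = build_sample([(b".text", 4096, b"\x55\x8b\xec\x90" * 1024, 0x60000020)])  # constructed
PACKED = build_sample([(b"UPX0", 8192, b"", 0xE0000080),  # constructed UPX-like layout
                       (b"UPX1", 4096, bytes(range(256)) * 16, 0xE0000040)])
```

Legitimate software also ships packed, so traits like these indicate packing, not malice, which is where the false positives mentioned in the thread come from.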
  #7  
Old 23-05-2010, 13:11
[Psych] [Psych] is offline
To illustrate my point on my packer of choice not setting off AV flags. This is from one of my most recent releases:

The original file:
http://virusscan.jotti.org/en-gb/sca...e62cff0ea46b10

The packed file:
http://virusscan.jotti.org/en-gb/sca...96af74f8e40148

I'll do a more comprehensive scan with VirusTotal once their service comes back online, but the results will be pretty much the same, perhaps just with the odd rarely-used AV program flagging something up as 'generic'.

For the record, I do my research before trying anything out of the norm, especially when it's going to be used on a 'product', essentially, which someone is going to buy. Out of all the packers/protectors i've tried (and it's a massive amount), PECompact is the one which gives great compression ratios, is feature-rich (a plugin system, many options etc), it's cheap and it plays nice with AV's. It's one thing to mess people about with free stuff, but a paid release is quite another, and i'm aware of this.

There are reasons more and more people are starting to use PECompact on files when they previously used an alternative packer, and although I can't speak for them, I bet it's the same as my reasons above. Cheers.
  #8  
Old 23-05-2010, 13:39
Joe Forster/STA Joe Forster/STA is offline
Senior forum member
 
Join Date: Nov 2000
Location: Hungary
Posts: 9,836
Thanks: 20
Thanked 342 Times in 224 Posts
Joe Forster/STA is on a distinguished road
What's the problem with UPX?

I see no reason for EXE compression in this era - for DOS, small partitions and floppy disks, it was vital but only if the decompressor was fast enough (slow CPU's, too!), otherwise you would've lost during decompression the time that you won by the shorter disk access.

However, e.g. some distribution packages of MPlayer recommend compressing the executable - it's an option you can tick during installation and then the installer will compress the EXE's, stored uncompressed in the package. For what reason...?
__________________
Joe Forster/STA
For more information, see the FileForums forum rules and the PC Games forum FAQ!
Don't contact me via E-mail or PM to ask for help with anything other than patches (or software in general) done by me, otherwise your request may be deleted without any reply!
Homepage: http://sta.c64.org, E-mail: [email protected]; for attachments, send compressed (ZIP or RAR) files only, otherwise your E-mail will bounce back!
  #9  
Old 23-05-2010, 13:48
Cowsheep Cowsheep is offline
Quote:
Originally Posted by Joe Forster/STA
What's the problem with UPX?
Maybe upx.exe -d target.exe ?
PECompact and others have to be muped or unpacked (if untouched standard version) with a 3rd party tool.
  #10  
Old 24-05-2010, 00:56
[Psych] [Psych] is offline
It's turning into a debate of opinion as usual. I've stated why I use them personally. Yeah, perhaps it is pointless, but i've had no negative effects from using it up to now, so i'll just roll with it. I'm surprised no-one else who packs their releases has chimed in yet. Perhaps my reasons are the same?

@Cowsheep, I believe Joe was asking why UPX wasn't used, rather than PECompact. I don't think he's having a problem with trying to decompress files, unless i've missed something. UPX is indeed a good packer, but as part of my reason for packing was to deter reversing (in a light way!), UPX is just plain silly. Anything can unpack that. At least with PECompact it can be set up to break decompression on common unpackers and tracers, and make manual reconstruction that little bit more difficult.
  #11  
Old 24-05-2010, 02:25
Cowsheep Cowsheep is offline
Find oep, dump, fix iat. For me, muping PECompact or other packers is not harder than UPX.
  #12  
Old 24-05-2010, 03:56
[Psych] [Psych] is offline
Quote:
Originally Posted by [Psych]
Light protection from reversing by newbs
Quote:
Originally Posted by Caliber
however, it will keep the newbs out i guess
As already stated ^

Quote:
Originally Posted by Cowsheep
Find oep, dump, fix iat. For me, muping PECompact or other packers is not harder than UPX.
I don't protect my releases from 'you'. I'm not sure what sort of response you're wanting Cowsheep.. :/
  #13  
Old 24-05-2010, 06:47
Joe Forster/STA Joe Forster/STA is offline
I know that UPX can be told to uncompress EXE's compressed by itself but aren't there some little obfuscators that make UPX-compressed EXE's - if not uncompressable but, at least, - hard to decompress? I'm just asking because the price of the compressor was mentioned, too, and UPX is free.
  #14  
Old 24-05-2010, 07:51
[Psych] [Psych] is offline
Indeed. I think UPX-scrambler is one of these. I seem to recall trying these, though, and they seemed to set off more generic malware alarms in AV's. That's something i'll have to revisit at some point and see what effect it has.
  #15  
Old 24-05-2010, 08:34
Cowsheep Cowsheep is offline
I didn't want any particular answer from you Psych, I just wanted to say that packers don't offer any protection even against a newbie reverser like me. I am only interested in manual unpacking and not in trainer making.
FileForums @ https://fileforums.com