Hi, I've found an application which seems to be packed. I opened it with some hex editor and it contains "UPX1" section and "3.00 UPX!" string. Unfortunately I'm not able to decompress it with upx latest, it says "not packed by UPX". Is there a way to find out what other PE compressors/crypters were used?

+1  A: 

In many cases, a packaged executable starts with the launch program, followed by a standard zip file. This is possible because the ZIP header is at the end of the file, so you can prepend arbitrary data to a zip file, and it remains a zip file. So try unzipping it, and see whether that works.

Martin v. Löwis
Unfortunately that is not my case. It's not a zip file, the program isn't a standard "self-extracting" archive, it's rather packed with some other PE packer, and ALSO with UPX (as I mentioned above, the UPX header is also present).
migajek
+2  A: 

PEiD is the tool you want. It can detect a variety of unpackers, attempt to unpack any packed exe (regardless of packing scheme), do simple disassembly, detect encryption algorithms present in the source code (not the encryption scheme of the exe, to be clear), and more. But primarily, it is an identifier of packers, cryptors, and compilers of an exe.

erjiang
It works great! Thanks! :)
migajek
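For readers who want to see what a packer identifier such as PEiD checks for, here is an added example (not code from the thread or from PEiD) that triages the exact signs the question describes: UPX-style section names in the PE section table, the "<version>\0UPX!" marker string, and overall entropy as a tool-independent hint that the image is packed even when `upx -d` refuses it. The marker layout and the minimal PE skeleton used for the self-test are assumptions constructed for this example.

```python
import re
import struct
from collections import Counter
from math import log2

def section_names(data):
    """Names from the PE section table ([] if the buffer is not a PE image)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]          # 40-byte entries, 8-byte name field
        if len(raw) < 8: break                                 # truncated table: stop, don't guess
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names

def entropy(blob):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not blob: return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * log2(c / len(blob)) for c in counts.values())

UPX_MARKER = re.compile(rb"(\d\.\d\d)\x00?UPX!")   # assumed layout: "3.00\0UPX!"

def packer_hints(data):
    """Collect static hints that the image is packed, whatever tool did it."""
    hints = []
    names = section_names(data)
    if any(n.startswith("UPX") for n in names):
        hints.append("UPX-style section names: " + ", ".join(names))
    m = UPX_MARKER.search(data)
    if m:
        hints.append("UPX marker, version " + m.group(1).decode())
    if entropy(data) > 7.0:
        hints.append("high overall entropy: %.2f bits/byte" % entropy(data))
    return hints

def build_sample(names, body):
    """Constructed minimal PE skeleton (no optional header) for a self-test, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table + body
```

Run `packer_hints(open(path, "rb").read())` on the suspect file; a UPX marker without a matching section layout, or high entropy with no known marker at all, is the pattern a modified or second-stage packer leaves behind.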