#1
Ultimately, I am trying to figure out what packer Stylizer 4.1 uses. Here is the direct file, no wait!:
http://rapidshare.com/files/29827077...r.bak.exe.html
It is one file that has a collection of 16 .NET files in it that interop native DLLs, which also must be contained in the only executable. I tried searching for .NET bit patterns, which did not work, so the files are either encrypted or compressed inside the executable. I ran .NetUnPacker at 2 different stages of the program and got back a few different files, so I think files are being unpacked dynamically. Thanks.
#2
Packer is Xenocode. Unicode string "Xenocode Virtual Appliance Runtime" is present in the beginning of file (offset 0x6B8), it's hard not to see it.
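
Added example (not part of the original posts): the string check from post #2 written as a small Python scan. It searches the whole file for the marker in UTF-16LE, which a plain ASCII pattern search does not match; the function names and the sample buffer are constructed for illustration, and 0x6B8 is simply the offset reported in post #2.

```python
import struct

# Marker quoted in post #2; "Unicode" in a PE file means UTF-16LE on disk.
MARKER = "Xenocode Virtual Appliance Runtime"


def is_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_marker(data: bytes, marker: str = MARKER) -> dict:
    """Return every offset of the marker, per encoding, anywhere in the file."""
    hits = {}
    for name, needle in (("utf-16le", marker.encode("utf-16-le")),
                         ("ascii", marker.encode("ascii"))):
        offsets, pos = [], data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a packed file: stub PE header + marker at 0x6B8."""
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew points at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    needle = MARKER.encode("utf-16-le")
    buf[0x6B8:0x6B8 + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()   # replace with open(path, "rb").read() for a real file
    print("PE file:", is_pe(sample))
    for enc, offs in find_marker(sample).items():
        print(enc, [hex(o) for o in offs])
```
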
#3
OK, so is that how you detect it, searching for a string?
Is there a specific offset to look at or look around? How can I tell which version of Xenocode it was packed by? What reversing tools are available for Xenocode?
#4
Give lots of signature-based PE sniffers a try, like PEiD, exeinfoPe, etc.