Collaborative RCE Tool Library - Exe Analyzers (including sub-categories)

Tool Added: Entyzer

Thu, 06 May 2010 09:56:00 GMT

Listed in categories: Entropy Analyzers

Most recent version:
0.1

Most recent release date:
April 9, 2010

Description:
Entyzer+ is an Advanced Entropy Analyzer.
- Calculates the Entropy, Redundancy, A. Mean and StdDev for any file.
- Calculates the Entropy and Redundancy for a specific range.
- Generates an HTML Graph Visualization.
- Calculates the Entropy, Redundancy and StdDev. for each section of an elf binary file.
- Description: Entropy Analyzer
+ Syntax: Entyzer -f <filename>
- To get the Entropy, Redundancy, A. Mean and StdDev. for any file.
+ Syntax: Entyzer -f <filename> -range <start address> <end address>
- To get the Entropy and Redundancy for a specific range.
+ Syntax: Entyzer -f <filename> -graph <IsValue> <Color Template>
- To generate an HTML graphical visualization of the supplied file.
- IsValue takes either 0 or 1. 1 for having the frequency of each character displayed, 0 otherwise.
- Color Template takes a value between 1 and 7 for different templates:
1:= Gray I, 2:= Gray II, 3:= Tan, 4:= Olive Green, 5:= Blue,
6:= Green + Green + Yellow, 7:= Orange + Orange + Yellow
+ Syntax: Entyzer -elf <filename>
- To get the Entropy, Redundancy and StdDev. for each section of an elf binary file.

Tool Updated: ExeInfo PE

Sat, 17 Apr 2010 15:35:54 GMT

Listed in categories: Compiler Identifiers, Packer Identifiers

Most recent version:
0.0.2.7

Most recent release date:
April 14, 2010

Description:
Good detector for packers, compressors + unpack info + internal exe tools.

Tool Updated: Ent

Sun, 07 Mar 2010 20:15:06 GMT

Listed in categories: Entropy Analyzers

Most recent version:
0.0.3

Most recent release date:
March 9, 2009

Description:
Ent does two things:
1) it measures entropy of a file
2) it measures density of FPU instructions in the code section, if the file is a PE
(Why file entropy measurement is interesting is a story for another day (follow the link in 'related URLs') ;>)

The tool was made in C++, and currently it's Windows only (the next version will be portable, I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available on the end of this post.

Ent is run from the command line, and we provide him with the name of a file that we won't to measure entropy of. Then, Ent divides the file to 256-byte fragments, and calculates entropy (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally mark the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculating is not very precise - it works by finding bytes from range D8 to DF inclusive, which are used as FPU opcodes. However, excluding some false-positives in high-entropy area, this method is sufficient.

Below in the screen shot you can see a chart of a sample PE file.

Tool Updated: AT4RE FastScanner

Sun, 10 Jan 2010 02:03:10 GMT

Listed in categories: Compiler Identifiers, Packer Identifier Signatures, Packer Identifiers

Most recent version:
3.0 Final

Most recent release date:
December 18, 2009

Description:
Yet another Win32 PE Packer/Protector Identifier.

[ Description ]

- FastScanner is a Detector for most packers, cryptors and compilers for PE Files Programmed in ASM and designed for ‎fast access to most needed plugins.

####################################################################
FastScanner v3.0 Final Change log:
07/01/2010

1- Update signature Database file.
2- Add Tricks Finder function in the Information dialog. [Still Beta]
3- Fixed Bug when click in the Smart-Scan button twice.
4- Fixed Bug with Overlay size.
5- Many Bug Fixed in the program.

####################################################################
FastScanner v3.0 Beta 3 Change log:
18/12/2009

1- Update and optimize signature Database file.
2- Update SmartScan method.
3- Improve the information dialog.
4- Add Overlay signature detection in the Information dialog.
5- Add number of sections detection method.
6- Add JunckCode Detection.
7- AT4RE Overlay Tool v0.2 by STRELiTZIA.
8- Hash & Crypto Detector v1.4 by Mr.Paradox.
9- Signature Manager v1.1 by GamingMasteR.
10- Fixed Bug in Smart-Scan with some protectors.
11- Fixed Bug with ToolTip when using Smart-Scan.
12- Fixed Bug when scanning a Folder.
13- Fixed Bug in the scanning algorithm.

####################################################################
FastScanner v3.0 Beta 2 Change log:
26/10/2009

1- Add colors to the disassembler by GamingMasteR.
2- Add SmartScan method.
3- Add Overlay Detection method.
4- Fixed Bug in ScanDirectory.
5- Fixed Bug in Scanning an opened file.
6- Fixed Bug with RLPack protected files.
7- Fixed Bug in Detecting Overlay.
8- Fixed Bug in Detecting Fake-Signature.
9- Fixed Bug in Matches number in the Total-Scan.

####################################################################
FastScanner v3.0 Beta Change log:
25/09/2009

1- Change Signature DataBase for more accuracy.
2- Updating the scanning algorithm.
3- New and powerful Signature Manager plugin.
4- New Hash & Crypto detector plugin by Mr.Paradox.
5- New GFX for version 3 by RobenHoodArab.
6- Add new PEHeader-Viewer dialog to main window in FS.
7- Add Hex-Viewer and Resource-Viewer on the PEHeader-Viewer Dialog.
8- Add tooltips with information about the content of PEHeader-Viewer dialog.
9- Add Unpacking Information dialog (still Beta).
10- Add ScanDirectory dialog.
11- Add Compiler Detection Mechanism.
12- Add Anti-FakeSignature algorithm.
13- Update the Export and Import Viewer dialogs.
14- Fixed Bug in ImportTable Viewer with Upack.
15- PE Editor : Fixed Bug in Resource Viewer.
16- PE Editor : Fixed Bug in ImportTable Viewer.
17- PE Editor : Fixed Bug in ExportTable Viewer.
18- PE Editor : Add ReadOnly-Mode and FullAccess-Mode.
19- PE Editor : Add 16Edit HexEditor by yoda.

Tool Updated: Marxio File Checksum Verifier

Sat, 09 Jan 2010 20:38:07 GMT

Listed in categories: Executable CRC Calculators

Most recent version:
1.6.2

Most recent release date:
December 29, 2009

Description:
Portable file checksum verifier that allows you to calculate many file checksums (hashes) and compare them with original one. Thanks to its simplicity and portability, it aims to be a portable, versatile and "must have" tool for dealing with single files and their checksums - to calculate, compare and verify them.

Marxio FCV supports major checksum types:
- CRC32,
- MD4,
- MD5,
- SHA1,
- SHA-256,
- SHA-384,
- SHA-512,
- RIPEMD-128,
- RIPEMD-160,
- HAVAL 256,
- TIGER 192.

"Drag and drop" function - all you need to to is to drag a file from Windows Explorer onto the form to calculate selected checksum type.

Context menu - optional integration with Explorer context menu with Your custom text and defined selected checksum to calculate

Compare checksums - with other selected checksum.

Large files support - with size over 32 GB.

Very fast - calculate 4 GB large DVD file/image in 2 minutes using md5 algorithm.

Portable version - one-file program, just one executable file.

Interface - simple, eye friendly with mini-form available.

Keyboard shortcuts - as much handy shortcuts as possible, even for copy and paste checksum from clipboard

Save checksum to file - checksum and filename.

History - save all calculated checksums to file.

Additional settings - stay-on-top, save windows position and last used checksum type, show mini-form, show hashes in upper or lowercase, break function, high contrast themes support, log file, snap to edge - all are configurable.

Frequent updates - new releases published even a week !

Vision difficulties - this application provides support for users with vision difficulties (vision impairment) - tries to respect Windows skins and color schemas.

Marxio FCV is a clean software. It does not contain any adverts. It does not integrate with Windows (unless user requested) and does not install any additional software nor it has spying mechanisms.

If you haven't found the function in this tool you looked for, I can develop it.

Note,
Marxio FCV target is to quickly calculate and verify ONE file and one checksum, not more. It's not any limit but this application works this way. Other application is being developed for calculating more files.

Tool Updated: Explorer Suite

Wed, 19 Aug 2009 15:45:19 GMT

Listed in categories: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

Most recent version:
III

Most recent release date:
August 19, 2009

Description:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Tool Updated: PEBrowse Professional

Sat, 18 Jul 2009 23:05:32 GMT

Listed in categories: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers

Most recent version:
10.0.1

Most recent release date:
July 12, 2009

Description:
PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.

Tool Updated: Hexer Plugin - Calculating the entropy of a file

Mon, 06 Jul 2009 00:34:39 GMT

Listed in categories: Entropy Analyzers, Hex Editors, Hexer Extensions

Most recent version:
1.4.0

Most recent release date:
July 1, 2008

Description:
I finally got around to write an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe.

You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation.

At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer.

Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button.

That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle.

If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked.

Tool Added: BDS S.I.C.K

Sun, 28 Jun 2009 13:09:17 GMT

Listed in categories: Delphi Tools, Exe Analyzers

Most recent version:

Most recent release date:
March 26, 2009

Description:
BDS S.I.C.K (Some Info Collection Kit) is a tool designed to help you to analyze compiled Delphi applications. It may be helpful when you need to know what units are inside, used classes, methods and the addresses. When you know this you can open it with your favorite disassembler or debugger and explore it. You don't need to vaste time for routine work.

* SICK has simple internal disassembler for quick analysis.
* Collecting info about objects, forms and classes.
* Objects are represented in tree form, so you can easily navigate
* Search objects by full or partial name (F3 in objects window)
* Exporting names and procedures to IDA
* Supporting all Win32 Delphi editions

Features to be added:

* Improving classes info collection
* Smart functions disassembly (analysis during disassembly)
* Plugins API (in development)
* VCL recognition (allow recognize well known functions)
* Reading PACKAGE info and some stuff from resources.

This tool is developed to be used with clean Delphi executables.

Tool Updated: RDG Packer Detector

Sat, 25 Apr 2009 19:27:16 GMT

Listed in categories: Compiler Identifiers, Entropy Analyzers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers

Most recent version:
0.6.6

Most recent release date:
April 15, 2009

Description:
RDG Packer Detector is a detector packers, Cryptors, Compilers,
Packers Scrambler,Joiners,Installers.

-Holds Fast detection system..
-Has detection system Powerful Analyzing the complete file, allowing the detection of Muli-packers in several cases.
-You can create your own Signatures detection.
-Holds Crypto-Graphic Analyzer.
-Allows you to calculate the checksum of a file.
-Allows you to calculate the Entropy, reporting if the program looked at the compressed, encrypted or not.
-OEP-Detector (Original Point of Entry) of a program.
-You can Check and download and you always signaturas.RDG Packer Detector will be updated.
-Plug-ins Loader..
-Signatures converter.
-Detector distortive Entry Point.
-De-Binder an extractor attachments.
-System Improved heuristic.

What's New! v0.6.6

-New Interface!

-Fast Mode Detection and Mode Powerful Improved!
-Super base signatures Updated!
-Heuristic detection of Binders
-Detection and Extraction Overlay!
-Check and Auto-Update of signatures!
-Super Fast Detection of MD5 Hash!
-Support for Multiple Plug-ins for both RDG Packer Detector and other detectors!
-Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc..
-Detection and removal of attachments!

Tool Updated: PEiD

Wed, 01 Apr 2009 00:34:22 GMT

Listed in categories: Compiler Identifiers, Packer Identifiers

Most recent version:
0.95

Most recent release date:
March 31, 2008

Description:
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

PEiD is special in some aspects when compared to other identifiers already out there!

1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Tool Updated: ActiveMARK Version Viewer

Tue, 24 Feb 2009 19:33:48 GMT

Listed in categories: Packer Identifiers, Protection Identifiers

Most recent version:
1.2

Most recent release date:
February 24, 2009

Description:
ActiveMARK Version Viewer 1.2 - 2009/01/14 - Bilingual edition (English/Spanish)

Updated for the new version AM6.50.767.

History
-------

*** version 1.1 - 2008/08/14 - Bilingual edition (English/Spanish)

When checking an ActiveMARK license file, it shows the Activation Code.

*** version 1.0 - 2008/04/13 - Bilingual edition (English/Spanish)

Tool for detecting if a target is protected with ActiveMARK protection.

Available for any kind of file.

Running on an executable will launch it with the proper arguments to show the version by using the ActiveMARK internal engine.

It permits a static analysis (not executing anything), by checking 'Do not launch executables' checkbox. This option will prevent your system from getting neither new hidden registry entries that the protection adds to your system, nor hidden files, too, both of them being used by the protection for memorize the trial uses of the target.

For getting the possibility of use from a contextual menu, check 'Add to contextual menu' checkbox.

It detects if your system language is english or spanish before showing you all strings.

I hope you enjoy it :)

Nacho_dj / ARTeam

Coded & Developed by Nacho_dj / ARTeam

Tool Updated: Protection ID

Tue, 30 Dec 2008 00:08:26 GMT

Listed in categories: Packer Identifiers, Protection Identifiers

Most recent version:
6.1.3

Most recent release date:
December 26, 2008

Description:
The ultimate Game Protection Scanner

The current version does detect more than
250 exe-packers, PC ISO Protections, Dongles, Licenses and Installers in
such an exact and fake proof way you haven´t seen before in any scanning tool due the detailed checks.
False reports and detection where other tools fail are history.

Features

* Scanning of PC Games & Application files to detect the protection used(s)
* Detects most of the available executable compressor / crypter and it´s up to date in detecting the newest PC-Game protections
* Scanning CDs / DVDs for Tagés (only available on win2k / winxp, but no ASPI drivers required)
* Scan folders with all the included files
* Coded in 100% Win32 Assembly language, allowing it to run on every WinOS since Windows 95
* Easy scanning with the shell context menu 'Scan with Protection ID...' or drag & drop files into the (simple to use) GUI
* Ability to scan a cracked file and to get possible information which protection was originally used
* Check for the newest update and download it
* More strong scanning routines allowing it to detect multiple (!) protections in one file
* No additional files like VB Runtimes, MSVC dlls or ASPI drivers are required, you simply need one exe file !
* Constantly updated to detect the newest protections available for PC Games & Applications (hey which other tool has this feature too ? ;-)

* Detection for most of the available PC Game Protections
- 3P Lock
- CDCops
- CDLock
- Codelok
- JoWood X-Prot
- Laserlok / Laserlok Marathon
- Protect DiSC
- Ring-Protech
- Safedisc
- SecuROM
- Settec Alpha ROM
- SmartE
- SolidShield
- StarForce
- Sysiphus
- Tages
- VOB Protect CD/DVD

* PC Game Trial Protections
- ActiveMARK
- GameHouse Trial Wrapper
- INTENIUM Try & Buy detection
- KochMedia ePolice
- ReflexiveArcade Wrapper
- SVKP Online
- WildTangent Wrapper
- Zylom Wrapper

* Dongles
- DinKey
- Hardlock
- Guardant
- HASP Hardware Lock
- HASP Hardware Lock Envelope
- Key-Lok II
- SENTiNEL
- SENTiNEL SUPER PRO
- SmartKey
- WIBU

* Licenses
- CrypKey Instant
- CrypKey SDK
- eLicense
- FlexLM
- FlexNET
- HASP SL Licensing System
- InterLok
- nTitles Activator
- Protection Plus
- Release Software Corporations SalesAgent
- Safecast
- Sentinel License Manager

* .NET protectors
- {smartassembly}
- .NetZ
- dotFuscator
- DotNet Guard
- dotNet Protector v4 & v5
- dotNet Reactor v2.x / v3.x
- Sixxpack .Net Compressor
- XHEO CodeVeil

* EXE Packers / Protectors (freeware)
- ABC Crypt v1.0
- Alex Protector v1.0 Beta 2
- ANDpakk2
- Anslym Packer
- ARM Protector v0.1, v0.2, v0.3
- ASDPack v2
- Aver Cryptor v1.00, v1.02 Beta
- BamBam v0.0.1
- BeRoEXEPacker v1.00
- Beria v0.0.7
- Berio v1.0
- BitShape PE Crypt v1.5
- BJFNT v1.1, v1.2, v1.3
- CDS SS 1.0 Beta 1
- Celsius Crypter v2.1
- cEXE 1.0a / 1.0b
- CICompress v1.0
- CodeCrypt v0.15, v0.16 - v0.161, v0.163 - v0.164, [unknown version]
- Cryptic v2.0
- CRYPToCRACks PE Protector v0.9.2, v0.9.3
- DalKrypt v1.0
- Daemon Protect v0.6.7
- DEF v1.0
- DePack
- Dot Fix Fake Signer
- DragonArmor v0.0.4.1
- Dual´s EXE Encryptor v1.0, v1.1b
- Encrypt PE v1.2003.5.18, v2.2004.8.10 / 2.2006.1.15, v2.2006.10.1, v2.2007.4.11
- EP (EXE Pack)
- EP Protector v0.3 [AHTeam]
- Excalibur v1.03
- EXE Evil v1.0
- EXE ReFactor v0.2
- fEaRz Crypter v1.0 Beta 1
- fEaRz Packer v0.3
- FishPe Shield v2.0.1
- Forgot v1.0
- Frensh Layor v1.81
- FSG v1.0, v1.2, 1.3 - v1.31, 1.3.3, 1.33, v1.33a, 2.0
- Goat´s PE Mutilator v1.6
- Hide PE (ASProtect 1.2 [New Strain] method, VBOX 4.3 MTE method)
- hmimys PE-Pack v0.1
- JD Pack v1.01, v2.00
- KByS Packer v0.28 Beta
- KaOs PE eXecutable Undetecter
- kkrunchy
- Krypton v0.2, v0.3, v0.4, v0.5
- LameCrypt
- marcrypt v0.1
- MarjinZ ScramblerSE
- Mew 5 EXE Coder 0.1
- Mew 10
- Mew 11 SE v1.1 - v1.2
- mkfPack
- Morphine v1.2 - v1.3, 1.4 - v2.7
- mPack v0.0.2 & v0.0.3
- MSLRH v0.31a, v0.32
- MuCruncher
- MZ0oPE v1.0.6b
- MZ Crypt v1.0
- NFO v1.0
- Noodlecrypt v2
- nPack v1.1.250.2006 Beta, v1.1.300.2006 Beta
- Packanoid v1.0, v1.1
- PackItBitch v1.0
- Packman v0.0.0.1, v1.0
- Pack Master v1.6
- Passlock 2000
- PE 123 v2006.4.4
- PE-Armot (Hying) v0.x
- PEQuake v0.06
- PE Crypt v1.0x
- PE Diminisher v0.1
- PE LockNT v2.01, v2.02, v2.04
- PE Mangle
- PE Nguincrypt v1.0
- PE Nightmare
- PE Ninja
- PE Pack v0.99, v1.0
- PE Shield v0.1d, v0.2, v0.25, [unknown version]
- PE Shrink
- PE Spin v0.0b, v0.3, v0.41, v0.7, v1.0, v1.1, v1.3, [unknown version]
- PE Stub OEP v1.x (Entry Point Faker)
- PE Zip v1.0
- Perplex PE Protector v1.01
- PEX v0.99
- Poisen Ivy Crypter v1
- PolyCrypt PE
- PolyEnE
- Program Protector v1.x - v2.x
- Protect v0.1.3
- Protect EXE v0.4a Beta
- Punisher v1.5 (DEMO)
- QrYPt0r v1.0
- RLPack v1.16, v1.17, v1.18, v1.19, [unknown version]
- Sexe Crypter v1.1
- Shrink Wrap v1.4
- SimplePack v1.11
- Simple PE Crypter
- SLVc0deProtector v0.61, v1.1, v1.11
- Smokes EXE Shield v0.5
- Ste@lth PE v1.x, v2.x
- Stones PE Crypter v1.13
- TELock v0.42, v0.51, v0.60, v0.70, v0.71, v0.80, v0.85f, v0.90, v0.92a, v0.95, v0.96, v0.98b1, v1.00
- The Best Cryptor [by FsK]
- Thunderbolt v0.0.2
- TPP Pack
- unkOwn Crypter v1.0
- UPack v0.10 - v0.12, v0.20, v0.21, v0.22 - v0.23, v0.24 - v0.28, v0.29 - v0.33, v0.34 - v0.35, v0.36 - v0.39
- UPX, UPX Mutator, Visual UPX v0.2, [unknown / modified UPX]
- UPX Mutanter v0.2
- UPX Protector v1.0e
- UPX Scrambler
- UPX$HiT 0.0.1
- USSR v0.31
- VCrypt v0.9b
- Virogen Crypt v0.75
- VPacker v0.02.10
- WinKrypt v1.0
- XCR v0.12, v0.13
- xxPack v0.1
- Yoda´s Crypter v1.1, v1.2, v1.3
- Yoda´s Protector v1.0b, v1.02b, v1.02d, v1.02.05, v1.03.01 BETA, v1.03.02 BETA, v1.03.3
- YZPack v1.1 & v1.2
- Z-Code v1.01

* EXE Packers / Protectors (commercial)
- ACProtect v1.09, v1.10, v1.20, v1.21, v1.22, v1.23, v1.3c, v1.32, v1.35 - v1.40, v2.0
- Air EXE Lock
- Akala EXE Lock
- Armadillo (lots of specific versions and version ranges)
- ASPack v1.00b, v1.01b, v1.02b, v1.03b, v1.05b, v1.06b / v1.061b, v1.07b, v1.08.00, v1.08.01, v1.08.02, v1.08.03, v1.08.04, v2.000, v2.001, v2.1, v2.11, v2.11c / v2.11d, v2.12, v2.12b
- ASProtect v1.0, v1.1, v1.11, v1.2, v1.22 - v1.23, 1.23 RC4 - v1.3.08.24, v1.23 RC4 (Registered), v1.31 Build 2004.04.27, v1.32, v2.0, v2.1 SKE, v2.2, v2.3, 2.1 - v2.3, 2.x [unknown version]
- Bit-Arts Crunch v5.0
- CopyMinder
- Cryptolock
- DBPE v2.33
- Enigma Protector v1.02 Build 3.10, v1.02 Build 4.00, v1.11, v1.12, v1.14, v1.16
- EXE32Pack v1.37, v1.38, v1.42
- EXE Cryptor v1.5.x
- EXE Cryptor 2.0.0 - 2.1.0, 2.2.0 - v2.2.6, 2.3.0 - v2.3.9, 2.2.0 - 2.4.0, 2.4.0 (or newer), 2.xx [unknown version]
- EXE Guard v1.3
- EXE Password 2004 v1.111, 1.112, v1.114, [unknown version]
- EXE Password Lock v1.01
- EXE Prot v1.x
- EXE Protector v2.x
- EXE Safe v2.0
- EXE Shield 2.7, v2.7b, v2.8a, v2.9, v3.6, v3.7
- EXEStealth v2.70, v2.73, v2.74, v2.75, v2.75a
- ExPressor v1.0, v1.1, v1.2, v1.3, v1.4, v1.5
- E-Zip v1.0
- Ion Ice EXE Lock v1.0
- KasperSky Pack
- MazePath EXELockout v3.0
- MoleBox 2.0.0 - v2.3.0, 2.2.3, 2.2.4, 2.2.5, v2.2.6, v2.2.8, v2.3.0, v2.3.3 v2.4.0, v2.5.0, v2.5.5, v2.5.12 - v2.6.3, 2.3.3 - v2.6.4
- Neolite v1.x - v2.x
- NSPack 2.3 - v2.7, v2.9, v3.0, v3.1, v3.3, v3.4, v3.5, v3.6, v3.7, [unknown version]
- nTitles Verifier for .NET
- NTkernelPacker v0.1 (exe + dlls)
- Obsidium v1.0.0.61, v1.1.1.0, v1.1.1.4, v1.2.0.0, v1.2.5.0, v1.3.0.0, v1.3.0.4, v1.3.3.4, v1.3.3.7, v1.3.3.9, v1.3.4.1, [unknown version]
- ORiEN v2.12
- PC Guard v4.06, v5.00, v5.01
- PEBundle v3.xx
- PE Compact v1.00 - v1.3x, v1.40 - v1.50, v1.55, v1.56 - v1.65, v1.66 - v1.84 v2.0 Beta Build 52, v2.00 - v2.10, v2.20 - v2.79, 2.xx [unknown version]
- PE Lock v1.0x
- Petite v1.2, v1.3, v1.4, v2.2, v2.3, [unknown version]
- PKLite32 v1.1
- Private EXE v2.x
- SD Protector v1.12, v1.16
- Special EXE Password Protector
- Shegerd EXE Protector & Anti-Debugger
- Shrinker v3.4, v3.5, [unknown version]
- Softdefender v1.0 - v1.1
- Soft Sentry v3
- Software Compress v1.2, v1.4
- SoftWrap
- SVKP v1.051, v1.11, v1.3x - v1.4x, [unknown version]
- Themida v1.0.0.0 - v1.8.1.0, v1.8.2.0 (or newer)
- Trial Master v2.x
- VBO Watch 3
- Visual Protect
- Vcasm-Protector v1.0
- VM Protect 1.00 - v1.10, 1.20 - v1.50
- WinLicense v1.0.0.0 - v1.8.1.0, v1.8.2.0 (or newer)
- WWPack32 v1.xx
- X-treme Protector v1.00 - v1.06, 1.07 - v1.08, 1.07 BUiLD 12-12-03, 1.08 BUiLD 15-12-03, 1.08 FiNAL

* Installers
- 7 - Zip SFX Setup Module
- AKInstaller Module
- Aquarius Soft Self-Extractor Archive
- Astrum Install Wizard
- AW Install Engine
- BinPatch
- Bitarts Install Wrap
- Blizzard PrePatch Module
- Clickteam Install Maker
- Clickteam Patch Maker
- Create Install 2003
- Gentee Installer
- Ghost Installer
- GKWare SFX Setup
- Inno Setup
- InstallAware Setup Module
- Installer 2 Go
- InstallShield v5.53.168.0, v6.31.100.1221, v7.1.100.1242, v7.7.0.262, v8.x, v9.1.0.429, v10, v10.5, v11, v12
- Install Zip Setup
- IZarc Self Extractor
- Microsoft SFX CAB Module
- Nullsoft SFX Setup
- Paquet Builder - Enhanced Self-Extracting Zip Module
- Patch Wise
- PKSFX Module
- Power Archiver 2003 v8.x SFX Module
- QSetup SFX Kernel
- Red Shift Installation System
- RTPatch Module
- Setup Factory
- SFX Factory!
- Silicon Realms Install Module
- Sony Self-Extracting Packager Archive
- Spoon Installer
- Tarma Installer Module
- VISE Mindvision Wizard
- WinAce Self-Extractor Module
- WinRAR SFX Archive
- WinZip SFX
- Wise Installation Wizard
- Zip Central SFX Module
- Zip SFX Archive
- Z-Up Maker SFX Archive
- Zylom Games Setup Module

Tool Updated: ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)

Fri, 26 Sep 2008 08:29:21 GMT

Listed in categories: Automated Unpackers, Protection Identifiers

Most recent version:
1.1

Most recent release date:
September 23, 2008

Description:
ActiveMARK Decrypter 1.0 - ARTeam (Bilingual English/Spanish)

Released Summer/2008

Features:
- Provides information about ActiveMARK protection on any file.
- Identifies the protection version.
- Unpacks & decrypts the content of any ActiveMARK protected file.
- Extraction of the main key
- Now it shows information about Only Buy / Trial Limited Version
- Information messages
- Allows an internal analysis of the content of every compressed file within the encrypted container.
- It works statically (none executable is launched).
- Detects automatically the language in your system. :)

How to use:
Select first any executable. Then you can decrypt any external file associated to it, using the Uncompress key.

Note: Any ActiveMARK encrypted file is similar to a .zip or .rar file, containing several files in its inside.

Coded & designed by Nacho_dj/ARTeam

Tool Added: DELTA EXE Analyzer

Thu, 31 Jan 2008 12:50:44 GMT

Listed in categories: Exe Analyzers

Most recent version:
1.0

Most recent release date:
2001

Description:
Back in 2001 I wrote my own exe analyzer just for fun, while looking into the MZ and PE format. I never released it to anyone, but since it contains quite cool cave finding and cave analysis abilities, which I have never seen in any other program, I'll upload it here now for anyone to play with. You can also feel free to distribute it to anyone or upload it anywhere, I don't care.

But note that the program is just my own little ugly dirty hack, so I won't support it, the GUI isn't exactly the most beautiful, and I won't guarantee it won't crash and so on, but it has been quite stable while I have played around with it anyway.

It analyzes quite many aspects of the executable file, but one extra interesting and unique feature is the bunch of tools under "Extended executable info (PE)" ---> "File anatomy & offsets". It will give you details of all section padding areas (caves), and it will also automatically find any area inside the executable file which does not belong to any section (I actually found an alignment bug in a compiler/linker with this tool, which left a 512 byte block of null-bytes between two sections in the middle of the compiled file, ready to be exploited as a mega-size cave :)), including any data which is appended after the last section of the file. Quite useful sometimes. But the really juicy stuff will be found when you select a section in the box to the right and click "Show detailed map". It will the give you a graphical overview on the screen, of each and every single byte in that section. You can even click inside the graphic map to select any area and see what it is (click and hold down the mouse button and drag the mouse over the map for extra fun). This is very cool for "getting a feel" for how a certain linker/packer/whatever builds its sections, and also for finding "micro caves", consisting only of a few bytes, in the middle of a section! You can choose to display an analysis map of the free space or the used space of the selected section by clicking the radiobuttons on the upper right of the map.

Tool Updated: Pynary

Tue, 15 Jan 2008 07:13:58 GMT

Listed in categories: Deobfuscation Tools, Diff Tools, Exe Analyzers, Executable Diff Tools, Programming Libraries, Reverse Engineering Frameworks

Most recent version:
0.0.1

Most recent release date:

Description:
pynary will become a powerful platform independent framework for binary code analysis.

The initial goal is to the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structure where possible.

Once the initial goal is achieved, a number of cool features are planned:

* stack frame analysis
* un-inliner
* exception handling parsing/analysis
* 'functionally equivalent' matching
* c++ template function matching
* meta-data transfer between IDBs
* c++ class reconstruction (with/without RTTI)
* ...

This project is still in its infancy, and looking for volunteers.

Tool Updated: DiE (Detect it Easy)

Sun, 06 Jan 2008 01:08:28 GMT

Listed in categories: Compiler Identifiers, Packer Identifiers

Most recent version:
0.64

Most recent release date:
May 6, 2007

Description:
Packer identifier that is supposed to be good.

Tool Updated: CheckSum Fixer

Sat, 29 Dec 2007 01:15:23 GMT

Listed in categories: Executable CRC Calculators

Most recent version:
1.0

Most recent release date:
January 5, 2006

Description:
The PE files headers include a CheckSum field which is located into the
IMAGE_NT_HEADER->IMAGE_OPTIONAL_HEADER->CheckSum

This value is an overall checksum of the whole file, often not set and left to 0x0000 by most compilers and thus doesn't happens often to worry about it, but sometimes this value is used to check if there have been alterations in the executable file.
There is for example an API, MapFileAndCheckSum(), which calculates the real checksum of a PE file and reports also the value stored into the PE Header. It is then simple for simple protectors to detect alterations of a PE file, even of a single byte.

It's a simple technique that advanced protector doesn't use too often and you can of course intercept this API and modify it online or skip its call, but for example with PocketPC smartphones or system drivers this check is done by the operative system, so you simply have no choice to intercept this check and the only way is to fix the value stored in the PE file header.

This program simply does this conveniently. Already other tools have this functionality (LordPE for example), but I just wanted a fast program able to fix this checksum in a click (e.g. with LordPE you have to do at least 5, 6 clicks).

It is very handy with ring0 drivers which test this checksum value!

Tool Updated: CRC Calculator

Sat, 29 Dec 2007 01:11:09 GMT

Listed in categories: Executable CRC Calculators

Most recent version:
1.1

Most recent release date:
January 6, 2005

Description:
Just drag & drop files to it or use the button to calculate the CRC, then select and paste.

Adapted from existing sources, small and easy.

History
-1.0 initial version
-1.1 added command-line support ideal for integration into Total Commander

Tool Updated: Neil's Collection of Packer Signatures

Tue, 25 Dec 2007 22:07:15 GMT

Listed in categories: Packer Identifier Signatures

Most recent version:

Most recent release date:
December 5, 2007

Description:
Neil's Collection of Packer Signatures