Packers and Unpackers:
a first list
Some Packers and some Unpackers
Courtesy of Fravia's page of reverse engineering
Well, here you have a small list of "packers", files packed with compressors like
PKLITE or DIET. In case you don't know, such programs use different
data compression routines to make a file smaller. Files which
were compressed with one of these pack programs will still stay
executable for the system but they will be much smaller. Another
reason for compressing is that a second person has no chance
to change any bytes inside a compressed program with a hex editor
or something like that.
A list of "unpackers" follows below... as you'll see, tron, that we
reverse) as our "unpacker of choice" inside this
new "packer" subsection of the +HCU's "tough protections" project,
is NOT the only unpacker around. As +ORC noticed long ago, there
seems to be a geographical "specializing" going on: decrypt routines and research are developed mostly in Switzerland, and unpacker routines and research are developed mostly in Israel (StickBuster, Xopen), in Germany and in Holland.
A list of packers
Taken from tron's instructions for a start, more will be
added in due time, keep cool, in the mean time visit THE site for
packers and unpackers and encryptors and stickers and everything
you may need:
1. Protect! EXE/COM
Known: 1.00, 2.00, 3.00, 4.00, 5.00
MSG to all users of Protect:
No software protection will be totally secure!
Don't use a compression code under the protection structure. Only compress
after a file is protected. It takes one minute to get the original file if
a known packer was used. (otherwise it takes two :-)
If it would be impossible to write an unpacker for protect you will have to
know that there are enough other possibilities to extract the original file.
Hey Jeremy, the idea with the polymorphic engine is really good. But don't
forget Murphy's Law. "If a protection is safe it will be broken"
The v1.21 protected mode unpacker expanded your v5.50 without trouble.
By Jeremy Lilley.
(Scramble, .EXE .COM, 4.0+ very nasty)
2. ICE (Special)
Known: 1.00 (Released 1988)
ICE is a program which scrambles and compresses COM files
(not EXE files) yet allows them to be fully functional. The program
makes it difficult to alter the original program and it has the added
bonus of compressing COM files without detracting from their usefulness.
ICEd COM files still run as they did before. ICE offers protection
against viruses in that ICE can scramble COMMAND.COM and make it difficult
for viruses to attach themselves to the scramble program.
By Keith P. Graham
(Scramble, .COM only, easy to hack)
3. TinyProg (Generic)
Known: Tiny 1.0, 3.3, 3.6, 3.8, 3.9
Tested on Tiny 3.3, 3.8, 3.9 with password and Data Header!
Should also open Tinys with text inside or kind like that.
To open a "tiny" with a password, you should know the password.
Also, a new kind of tinys with large text files in them is supported.
Newer Tiny Versions 3.8+ have a smart anti debugging routine in them.
We are searching for TinyProg v3.5 and v3.6!
By Tranzoa, Co.
(Compress, CRC check, .EXE only, good)
3.1 PkTiny (Tiny)
Pktiny is a simple program which puts a pklite header into a tinyprogged
file. Then it modifies the file in a way that an unpacker isn't able
to correctly determine the size of the tiny user data area.
I am not sure why the program uses a pklite header because no unpacker
known to me identifies pklite compression on such files.
By Thomas Mönkemeyer
(Fooling, .EXE .COM, nice)
4. Micro$oft's EXE Pack (Generic)
Known: 3.60, 3.64, 3.65, 4.00, 5.31.009
There are plenty of ExePack versions. Tron knows about 5 of them.
They are all less effective, sometimes the output file gets bigger
than the original one. This is a small joke.
By Micro$oft corp.
(Compress, .EXE only, old and defective)
5. LZEXE (Generic)
Known: 0.90, 0.91
No mutations found. Makes CRC checked and packed EXE-Files.
By Fabrice Bellard.
(Compress, .EXE only, old and freeware)
6. PKLite (Generic)
Known: 1.00(ß), 1.03, 1.05, 1.10, 1.12, 1.13, 1.14, 1.15, 1.20
From 1.14+ PkWare added a small encryption routine inside the registered
Version to make Pklited files harder to extract!
Pklite is the most used compressor today, there are a lot of hacks
circulating. In some boards pklite 1.20 was declared to be a hack,
but we think it's an official version now! Version 1.20 of Pklite has a
different encryption routine.
By PKWare (Phil Katz's).
(Compress, EXE & COM, the best compression)
7. PROPACKER (Special)
Known: 2.08 Emphasis on packed size
Emphasis on packed size, locked
By Rob Northern Computing, UK.
(Compress, .EXE only, good)
8. DIET (Generic)
Known: 1.00d, 1.02b, 1.10a, 1.20, 1.44, 1.45f
Diet is also capable of acting like STACKER -
such files are not supported by tron.
By Teddy Matsumoto.
(Compress, EXE & COM, very good)
There are not many files around of this antique.
The packed code is saved in an overlay area behind the sea-axe code.
By System Enhancement Associates
(Compress, .EXE only, old and less effective)
10. PGMPak (Generic)
Not easy to extract. There are some nice tricks used to make unpacking
harder, we couldn't use our normal unpacking routines.
PgmPak doesn't give you full memory, it also keeps its name in
the end of the compressed file as an overlay.
By Todor Todorov.
(Compress, .EXE, good)
This is the program found on all Norton programs. We haven't found a
distributed version of this packer.
Found on some bbs intros.
(Scramble, .?, easy to hack)
Some of the compression programs have a built-in
expand function! But for insiders it is no problem to trick these
functions out! Simply change the header signature "MZ" into "ZM" and
the original programs cannot handle their own files any longer. The
header signature can be found at the start of an EXE file!
And this is only one of many known possibilities.
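An added example, not part of the original page or of tron's documentation: a Python header reader for analysis tooling that accepts either signature (DOS loads both) and reports where the load image ends, so overlay data such as that described for the sea-axe and PgmPak entries above can be located. The function names and the sample file are constructed for illustration.

```python
import struct

# Both byte orders of the EXE signature; MS-DOS loads either one.
SIGNATURES = (b"MZ", b"ZM")

def parse_dos_exe(data: bytes) -> dict:
    """Parse the 28-byte DOS EXE header, tolerating a swapped signature."""
    if len(data) < 28 or data[:2] not in SIGNATURES:
        raise ValueError("not a DOS EXE header")
    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
    # e_csum, e_ip, e_cs, e_lfarlc, e_ovno: thirteen little-endian words.
    f = struct.unpack_from("<13H", data, 2)
    e_cblp, e_cp, e_cparhdr = f[0], f[1], f[3]
    # The load image spans e_cp pages of 512 bytes; a non-zero e_cblp is
    # the number of bytes actually used in the last page.
    image_end = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return {
        "signature": data[:2].decode("ascii"),
        "swapped": data[:2] == b"ZM",
        "header_bytes": e_cparhdr * 16,
        "image_end": image_end,
        # Bytes past the load image are overlay data appended to the file.
        "overlay_bytes": max(0, len(data) - image_end),
        "entry": (f[10], f[9]),  # initial CS:IP, relative to the load segment
    }

def with_standard_signature(data: bytes) -> bytes:
    """Return a copy carrying "MZ", for tools that reject "ZM"."""
    parse_dos_exe(data)  # validate before rewriting anything
    return b"MZ" + data[2:]

def make_sample(signature: bytes = b"ZM") -> bytes:
    """Constructed sample: 32-byte header, 544-byte image, 7 overlay bytes."""
    hdr = signature + struct.pack("<13H", 32, 2, 0, 2, 0, 0xFFFF,
                                  0, 0x100, 0, 0, 0, 0x1C, 0)
    return hdr.ljust(544, b"\x00") + b"OVERLAY"

if __name__ == "__main__":
    print(parse_dos_exe(make_sample()))
```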
A list of Unpackers
Tron, Version 1.30, see The Undertacker's work on it here
Xopen v3.20 (Ady/Israel)
opens really a lot, well done Ady, what about a gratis
registration for us? You will get a registered version of
TRON too...nice to see that there are other people which
know what they do.
Unp v4.10 (Ben Castricum/The Netherlands)
This program is freeware and has a lot of features!
Hello Ben, your unpacker is the one liked most by us.
Just look at tron.
StickBuster v2.40r (Lihor Cohen/Israel)
From all unpackers we discovered, StickBuster is the one
which handles the most compressors, but these are mainly
very antique or only spread in local areas.
Hey Lihor, work on your user-interface!!!