Packers and Unpackers:
a first list


Some Packers and some Unpackers

Courtesy of Reverser's page of reverse engineering

Well, here you have a small list of "packers": compressors like PKLITE or DIET. In case you don't know, such programs use different data compression routines to make a file smaller. Files compressed with one of these pack programs stay executable for the system, but they are much smaller. Another reason for compressing is that a second person has no chance to change any bytes inside a compressed program with a hex editor or something like that.
A list of "unpackers" follows below... as you'll see, tron, which we present (and reverse) as our "unpacker of choice" inside this new "packer" subsection of the +HCU's "tough protections" project, is NOT the only unpacker around. As +ORC noticed long ago, there seems to be a geographical "specializing" going on: decrypt routines and research are developed mostly in Switzerland, and unpacker routines and research are developed mostly in Israel (StickBuster, Xopen), in Germany and in Holland.

A list of packers
Taken from tron's instructions for a start, more will be added in due time, keep cool, in the mean time visit THE site for packers and unpackers and encryptors and stickers and everything you may need:
1. Protect! EXE/COM
   Known: 1.00, 2.00, 3.00, 4.00, 5.00

    MSG to all users of Protect:
    No software protection will be totally secure!
    Don't use a compression code under the protection structure. Only compress
    after a file is protected. It takes one minute to get the original file if
    a known packer was used. (otherwise it takes two :-)
    If it would be impossible to write an unpacker for protect you will have to
    know that there are enough other possibilities to extract the original file.

    Hey Jeremy, the idea with the polymorphic engine is really good. But don't
    forget Murphy's Law. "If a protection is safe it will be broken"
    The v1.21 protected mode unpacker expanded your v5.50 without trouble.

    By Jeremy Lilley.
    (Scramble, .EXE .COM, 4.0+ very nasty)

2. ICE (Special)
   Known: 1.00 (Released 1988)
   ICE is a program which scrambles and compresses COM files
   (not EXE files) yet allows them to be fully functional. The program
   makes it difficult to alter the original program and it has the added
   bonus of compressing COM files without detracting from their usefulness.
   ICEd COM files still run as they did before. ICE offers protection
   against viruses in that ICE can scramble COMMAND.COM and make it difficult
   for viruses to attach themselves to the scrambled program.
   By Keith P. Graham
   (Scramble, .COM only, easy to hack)

3. TinyProg (Generic)
   Known: Tiny 1.0, 3.3, 3.6, 3.8, 3.9
   Tested on Tiny 3.3, 3.8, 3.9 with password and Data Header!
   Should also open Tinys with text inside or kind like that.
   To open a "tiny" with a password, you should know the password.
   Also, a new kind of tinys with large text files in them is supported.
   Newer Tiny Versions 3.8+ have a smart anti debugging routine in them
   We are searching for TinyProg v3.5 and v3.6!
   By Tranzoa, Co.
   (Compress, CRC check, .EXE only, good)

3.1 PkTiny (Tiny)
    Pktiny is a simple program which puts a pklite header into a tinyprogged
    file. Then it modifies the file in a way that an unpacker isn't able
    to correctly determine the size of the tiny user data area.
    I am not sure why the program uses a pklite header because no unpacker
    known to me identifies pklite compression on such files.
    By Thomas Mönkemeyer
    (Fooling, .EXE .COM, nice)

4. Micro$oft's EXE Pack (Generic)
   Known: 3.60, 3.64, 3.65, 4.00, 5.31.009
   There are plenty of ExePack versions. Tron knows about 5 of them.
   They are all less effective, sometimes the output file gets bigger
   than the original one. This is a small joke.
   By Micro$oft corp.
   (Compress, .EXE only, old and defective)

5. LZEXE (Generic)
   Known: 0.90, 0.91
   No mutations found. Makes CRC checked and packed EXE-Files.
   By Fabrice Bellard.
   (Compress, .EXE only, old and freeware)

6. PKLite (Generic)
   Known: 1.00(ß), 1.03, 1.05, 1.10, 1.12, 1.13, 1.14, 1.15, 1.20
   From 1.14+ PkWare added a small encryption routine inside the registered
   Version to make Pklited files harder to extract!
   Pklite is the most used compressor today, there are a lot of hacks
   circulating. In some boards pklite 1.20 was declared to be a hack,
   but we think it's an official version now! Version 1.20 of Pklite has a
   different encryption routine.
   By PKWare (Phil Katz's).
   (Compress, EXE & COM, the best compression)

7. PROPACKER (Special)
   Known: 2.08 Emphasis on packed size
	       Emphasis on packed size, locked
   By Rob Northern Computing, UK.
   (Compress, .EXE only, good)

8. DIET (Generic)
   Known: 1.00d, 1.02b, 1.10a, 1.20, 1.44, 1.45f
   Diet is also capable of acting like STACKER -
   such files are not supported by tron.
   By Teddy Matsumoto.
   (Compress, EXE & COM, very good)

   Known: 2.0
   There are not many files around of this antique.
   The packed code is saved in an overlay area behind the sea-axe code.
   By System Enhancement Associates
   (Compress, .EXE only, old and less effective)

10. PGMPak (Generic)
    Known: 1.15
    Not easy to extract. There are some nice tricks used to make unpacking
    harder, we couldn't use our normal unpacking routines.
    PgmPak doesn't give you full memory, it also keeps its name in
    the end of the compressed file as an overlay.
    By Todor Todorov.
    (Compress, .EXE, good)

11. OPTLink
    This program is found on all Norton programs.  We haven't found a
    distributed version of this packer.

12. DeltaPack
    Known: 1.0
    Found on some BBS intros.
    By ?
    (Scramble, .?, easy to hack)

Some of the compression programs have a built-in expand function! But for insiders it is no problem to trick these functions out! Simply change the header signature "MZ" into "ZM" and the original programs cannot handle their own files any longer. The header signature can be found at the start of an EXE file! And this is only one of many known possibilities.
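
A triage check for the signature swap described above, as an added example that is not part of the original page: it treats both "MZ" and "ZM" as DOS EXE signatures (the DOS loader accepts either) and reports data stored past the header-declared load image, which is where the overlay-based packers in the list keep their extras. The function names and the sample files are constructed for illustration.

```python
import struct

DOS_SIGNATURES = (b"MZ", b"ZM")   # the DOS loader accepts either order
PAGE_SIZE = 512                   # e_cp counts 512-byte pages
PARAGRAPH = 16                    # e_cparhdr counts 16-byte paragraphs

def inspect_exe(data: bytes) -> dict:
    """Classify a DOS program by its header, whatever the signature order."""
    if len(data) < 28 or data[:2] not in DOS_SIGNATURES:
        # No EXE header: DOS loads such a file as a flat COM image.
        return {"kind": "COM-or-unknown", "swapped": False, "overlay_bytes": 0}
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    # Load image size as declared by the header (last page may be partial).
    if e_cp == 0:
        image_size = 0
    elif e_cblp == 0:
        image_size = e_cp * PAGE_SIZE
    else:
        image_size = (e_cp - 1) * PAGE_SIZE + e_cblp
    return {
        "kind": "EXE",
        "swapped": data[:2] == b"ZM",          # signature altered from the usual "MZ"
        "header_bytes": e_cparhdr * PARAGRAPH,
        "image_size": image_size,
        "overlay_bytes": max(0, len(data) - image_size),
        "truncated": len(data) < image_size,   # file shorter than the header claims
    }

def build_sample(signature: bytes, overlay_len: int) -> bytes:
    """Constructed test file: 32-byte header, 100-byte body, optional overlay."""
    body = b"\x90" * 100
    image_size = 32 + len(body)
    fields = struct.pack("<13H", image_size % PAGE_SIZE, -(-image_size // PAGE_SIZE),
                         0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    header = (signature + fields).ljust(32, b"\x00")
    return header + body + b"X" * overlay_len

if __name__ == "__main__":
    for sig, extra in ((b"MZ", 0), (b"ZM", 40)):
        print(sig, inspect_exe(build_sample(sig, extra)))
```

A scanner or identification tool that only matches "MZ" at offset 0 would classify the second sample as unknown, even though DOS would still run it.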

A list of Unpackers
Tron, Version 1.30, see The Undertacker's work on it here

Xopen v3.20  (Ady/Israel)
	      opens really a lot, well done Ady, what about a gratis
	      registration for us? You will get a registered version of
	      TRON too...nice to see that there are other people which
	      know what they do.

Unp v4.10    (Ben Castricum/The Netherlands)
	      This program is freeware and has a lot of features!
	      Hello ben, your unpacker is the one liked most by us.
	      Just look at tron.

StickBuster v2.40r (Lihor Cohen/Israel)
	    From all unpackers we discovered, StickBuster is the one
	    which handles the most compressors, but these are mainly
	    very antique or only spread in local areas.
	    Hey Lihor, work on your user-interface!!!
