This packer works by encrypting a specific code places, create new section that will be contain the stub for decrypting and the necessary obfuscation.
Packer has one common stub that will be obfuscated using several methods which has adverse effects on analyzers/decompilers.
X86 and x64 binaries are currently supported.
Packer by default works off a command line. Listed below are the arguments requried to use it.
| Argument | Description | Extra arguments |
|---|---|---|
-oep_call |
Obfuscation of the entry point, namely the call to the required address. | |
-adasm |
Anti-disassembly technique, allows to break the hex-rays decompiler in particular | |
-mba |
Mixed Boolean Arithmetic obfuscation, inserts unwanted mathematical operations | |
-senc |
Includes encryption using the XOR algorithm of the required sections | |
-fpack |
Encrypts the required function using the XOR algorithm, adding a stub for decryptingr | addr1, addr2 |
-finstr |
Generates invalid instructions that will adversely affect analyzers/decompilers. | |
-noaslr |
Allows you to disable ASLR |
pe-packer.exe <input.exe> <output.exe> <mutations> [flags...]
pe-packer.exe file.exe file_packed.exe 5 -mba -senc -fpack 0x401040 0x401072
Note
The -fpack argument takes two additional arguments, the first address (start address of the function), the second address (end address of the function).
I understand how inconvenient it is to specify the addresses of the function that needs to be encrypted, the .MAP parser will be added soon, the method that is currently used will not be removed, for the reason that some people are not used to generating .MAP files at the time of compilation.
I am going to periodically update the functionality, add new tricks that I find, in the nearest goals there is an item added anti-debug, IAT obfuscation, anti-vm tricks and other things. You should understand that the project was created by a PE packer and there is no goal to make it an obfuscator. Perhaps you will see a separate obfuscator soon.