[Solved] Packer Help

[steve10120]

Hi. Ok so I'm making a packer, but, its not working on some files. For example, works fine on a Delphi hello world, but on HoundPE(also coded in Delphi) it doesn't. Get an exception then an empty message box. Checked and the file is being mapped correctly and imports definatly fixed.

Attached are examples of working and non-working files. Any suggestions welcome. Thanks.

Tests.rar

Edited February 14, 2010 by steve10120

[ghandi]

I dont have time to download your examples, but are you processing the TLS directory? Being Delphi, there might be things that need to be set up, even if it is merely copying the TLS data to another place so that it is intact in your packed file.

HR,

Ghandi

[kao]

Looks like your packer does not process resource directory correctly.

[steve10120]

Thanks for the replies.

I dont have time to download your examples, but are you processing the TLS directory? Being Delphi, there might be things that need to be set up, even if it is merely copying the TLS data to another place so that it is intact in your packed file.

HR,

Ghandi

I don't have that setup in my code, but for those examples I fixed manually, just copied the $18 bytes to the file just after the import entries and set the RVA accordingly. On my previous version I had it setup in the code and still got the same problem. There is a problem with C++ files too(notepad, calc, etc) so I don't think the TLS is the problem.

Looks like your packer does not process resource directory correctly.

Ah, at the moment I'm just mapping the section like the others. Should I be preserving it on disk ? Or..?

[kao]

Ah, at the moment I'm just mapping the section like the others. Should I be preserving it on disk ? Or..?

"Resource directory" is not the same as "resource section". Your packed files have resource directory RVA and Size = 0, therefore any function dealing with resources will fail.

[steve10120]

"Resource directory" is not the same as "resource section". Your packed files have resource directory RVA and Size = 0, therefore any function dealing with resources will fail.

Ah of course, seems so obvious now, just tried fixing manually and now notepad and HoundPE are working packed. Many thanks!

[ghandi]

TLS callbacks are processed BEFORE your entrypoint is called, also at every thread beginning/end, so it will make a difference if the application uses TLS callbacks and you havent taken this into consideration. TLS callbacks are also used in some C++ programs, you can see this if you unpack a packed executable which uses it, because it will either function strangely or not at all. More of a worry for C++ applications is if the packer/protector destroyed some of the constructor/destructor pointers, as an unpacked version will behave the same as i described unless it is repaired.

Back to Delphi and TLS callbacks though, copying 'the 0x18' bytes and adjusting the RVA will not work if the application uses TLS callbacks unless you emulate the function calling yourself (messy) or chose not to compress the callback code. Another option i guess, is if you can 'mark' out in the application what data and code need to be intact for the callbacks to process and compress it separate to the main body of the application. Then you can uncompress only the necesaries in your own TLS callback (coded for exactly this purpose), leaving it intact to be called. For this last idea to work, you will also need to adjust the TLS directory to reflect the change, making your callback the first in the list.

HR,

Ghandi

[steve10120]

Thanks for the info. Before copying the $18 bytes and adjusting the RVA, Delphi applications would crash after the main thread has finished. But I see UPX is handling the TLS different to me... Haven't done much work with TLS, if you know any articles that could help me support this properly can you share a link please?

Edit: Sorry not the main thread, the main code - on my Hello World.

Edited February 15, 2010 by steve10120