lena151 Posted June 6, 2006

berio v1.0 is a promising packer/protector, out for about a month now. I packed an exe: have some fun

- *FIXED - Executables protected with Berio won't always run right away and may need to be clicked on a few times to work. I realize this is a big problem and I'm trying to fix it as soon as possible.
- There is a major compatibility issue with this program so it currently only works on Windows 2000/Windows XP

What will be in the next version:
- More advanced protection options
- Icon and version changer
- CRC and checksum checker
- Improved GUI

Future Versions:
- Better compression
- Better encryption
- Better protection
- Better Compatibility

Teddy Rogers Posted June 6, 2006

This is Beria not Berio - unless the name has changed?...

Ted.

SUB Z3R0 Posted June 6, 2006

That Packer Has Very Hard Debugger Detection Tricks, But Also Has Some Bugs

UnPacked: http://rapidshare.de/files/22359756/UnPacked.zip.html

lena151 (Author) Posted June 6, 2006

It's the successor of beria --> see version. This one emphasises debugger detection and has some nice tricks like SUB Z3RO says. The author is still working on it, especially because it's not winall. Hehe, it's not newbie stuff

lena151

Teddy Rogers Posted June 6, 2006

This packer has one major flaw and weakness. I didn't even use Olly to unpack this, Lena SC will be happy to hear this...

Ted.

unpackme_unpacked.zip

Loki Posted June 6, 2006

Is the protector itself available or is it currently private? Maybe I should stop being lazy and Google it....

EDIT: For all those as lazy as me: http://berioprotector.tripod.com/

Edited June 6, 2006 by FaTaL_PrIdE

lena151 (Author) Posted June 6, 2006

> This packer has one major flaw and weakness. I didn't even use Olly to unpack this, Lena SC will be happy to hear this... Ted.

Ah! I see what you mean. Nice hint, I didn't think of that yet. Hehe, takes only 1 minute. Thanks Teddy.

SUB Z3R0 Posted June 6, 2006

To Teddy Rogers: I didn't use Olly either! hehe! just dump child process with Lord PE! (as easy as dumping!!!)

(this packer comes from mixing of ASPack + ACProtector + Self Debugging + some nice debugger detection tricks!)

Edited June 6, 2006 by SUB Z3R0

Vepergen Posted June 6, 2006

Nice debugger detection tricks are useless if you can dump it in a few seconds. Even IAT fixing is not necessary.

lena151 (Author) Posted June 6, 2006

But take a look inside: it checks for a bunch of stuff ... even PETools, but the author forgot LordPE (and some others too)

Teddy Rogers Posted June 7, 2006

I couldn't get it to dump with LordPE but I had no problem with other tools. It is a similar flaw to Beria that hasn't been fixed in this release...

Ted.

SUB Z3R0 Posted June 7, 2006

Hi Ted! Hi Lena!
Did you know this packer is written in VB?!
I have brought you some analysis of this packer's anti-debugging tricks ...

1, It Creates 500ms Timer .....
{
CreateFile : \\.\SICE
CreateFile : \\.\NTICE
Looking For : "TIdaWindow"
Looking For : ">TRACING wait!"
Looking For : ">TRACING"
Looking For : "OWL_Window"
Looking For : "OLLYDBG"
Looking For : "18467-41"
Looking For : "NMSCMW50"
Looking For : "HexWorks"
// Looking For : "Unpacker Status"
Get PID By The Handle ... Open Process By PID ... Send it a Termination Code ...
( NoDebugger -> Result = 0 / Debugger -> Result = Kernel32.TerminateProcess )
Same Work For These :
Looking For : "Select Filename for saving..."
Looking For : "Save process memory to..."
Looking For : "Save module memory to..."
// End
Looking For : "APIMonitor By Rohitab" -> Try To Hide "SysListView32"
Try To Delete : "$$TEMP$$.$$$"
}
If Detects Debugger .... It Creates A Command.Bat File And Executes It ...
{ Command.Bat :
@ECHO OFF
:START
IF Not EXIST ".\UnpackMe.exe" Goto FILENOTFOUND
DEL ".\UnpackMe.exe"
GOTO START
:FILENOTFOUND
ATTRIB COMMAND.BAT -H -S
DEL COMMAND.BAT
CLS
EXIT
}

2, It Creates 500ms Timer .....
{
Looking For : "Procs32.dll" Module In All Processes
Looking For : "NDump.dll" Module In All Processes
Looking For : "RebPE32.dll" Module In All Processes
Looking For : "HideDebugger.dll" Module In All Processes
}

3, It Corrupts PE Header By Calling Ntdll.ZwUnmapViewOfSection

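The checks listed in the post above, turned into a static triage pass (an added example, not part of the original thread): it searches a file's bytes for the blacklisted device names, window names, dialog titles and module names, and flags a sample that also carries the self-deleting batch script. The category names, verdict labels and sample bytes are constructed for illustration, and the UTF-16LE search assumes the VB build stores its string literals that way.

```python
# Added example: indicator strings are the ones listed in the post above;
# category names, verdict labels and SAMPLE are constructed for illustration.
INDICATORS = {
    "kernel_debugger_device": [r"\\.\SICE", r"\\.\NTICE"],
    "tool_window": ["TIdaWindow", "OWL_Window", "OLLYDBG", "18467-41",
                    "NMSCMW50", "HexWorks", "APIMonitor By Rohitab"],
    "dump_dialog": ["Select Filename for saving...",
                    "Save process memory to...", "Save module memory to..."],
    "tool_module": ["Procs32.dll", "NDump.dll", "RebPE32.dll",
                    "HideDebugger.dll"],
    "self_delete": ["ATTRIB COMMAND.BAT -H -S", "DEL COMMAND.BAT"],
}
BLACKLIST = ("kernel_debugger_device", "tool_window", "dump_dialog",
             "tool_module")


def find_indicators(data: bytes) -> dict:
    """Return {category: [indicator, ...]} for indicators present in data.

    Matching is case-insensitive and tries ASCII and UTF-16LE, the latter
    on the assumption that the VB build stores string literals as UTF-16.
    """
    haystack = data.lower()
    hits = {}
    for category, names in INDICATORS.items():
        found = [n for n in names
                 if n.lower().encode("ascii") in haystack
                 or n.lower().encode("utf-16-le") in haystack]
        if found:
            hits[category] = found
    return hits


def triage(data: bytes) -> str:
    """Label a sample before it is opened on an analysis workstation."""
    hits = find_indicators(data)
    if not any(c in hits for c in BLACKLIST):
        return "no-indicators"
    # A tool blacklist plus the batch script means the file may delete
    # itself while an analysis tool is open: work on a disposable copy.
    return "blacklist+self-delete" if "self_delete" in hits else "blacklist"


# Constructed sample bytes, not taken from a real Berio-packed file.
SAMPLE = (b"MZ" + b"\x90" * 16 + "OLLYDBG".encode("utf-16-le")
          + b"\\\\.\\NTICE\x00" + "ndump.dll".encode("utf-16-le")
          + b"ATTRIB COMMAND.BAT -H -S\r\nDEL COMMAND.BAT\r\n")

if __name__ == "__main__":
    print(find_indicators(SAMPLE), triage(SAMPLE))
```
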
lena151 (Author) Posted June 7, 2006

> I have brought you some analysis of this packer's anti-debugging tricks ...

Good job SUB Z3RO

This packer is insane anti reversing. Every berio packed file that runs deletes itself when a tool from its blacklist is opened. Hehe, imagine some unfortunate chap has bought a soft packed by berio but uses e.g. IDA for his job. Of course he has no backup from his soft. Hehe, bye bye software whenever both are running

lena151

[EDIT] Euhm, BTW, did you notice that the author promises us "More advanced protection options" for the next version

Edited June 7, 2006 by lena151