Posted June 6, 2006
berio v1.0 is a promising packer/protector, out for about a month now. I packed an exe: have some fun
- *FIXED - Executables protected with Berio won't always run right away and may need to be clicked on a few times to work. I realize this is a big problem and I'm trying to fix it as soon as possible.
- There is a major compatibility issue with his program so it currently only works on Windows 2000/Windows XP
What will be in the next version:
- More advanced protection options
- Icon and version changer
- CRC and checksum checker
- Improved GUI
Future Versions:
- Better compression
- Better encryption
- Better protection
- Better Compatibility
June 6, 2006
That Packer Has Very Hard Debugger Detection Tricks, But Also Has Some Bugs
UnPacked: http://rapidshare.de/files/22359756/UnPacked.zip.html
June 6, 2006 Author
It's the successor of beria --> see version. This one emphasises debugger detection and has some nice tricks like SUB Z3RO says. The author is still working on it, especially because it's not winall. Hehe, it's not newbie stuff
lena151
June 6, 2006
This packer has one major flaw and weakness. I didn't even use Olly to unpack this, Lena SC will be happy to hear this...
Ted.
unpackme_unpacked.zip
June 6, 2006
Is the protector itself available or is it currently private? Maybe I should stop being lazy and Google it....
EDIT: For all those as lazy as me: http://berioprotector.tripod.com/
Edited June 6, 2006 by FaTaL_PrIdE
June 6, 2006 Author
> This packer has one major flaw and weakness. I didn't even use Olly to unpack this, Lena SC will be happy to hear this... Ted.
Ah! I see what you mean. Nice hint, I didn't think of that yet. Hehe, takes only 1 minute. Thanks Teddy.
June 6, 2006
To Teddy Roggers: I didn't use Olly either! hehe! just dump child process with Lord PE! (as easy as dumping!!!)
(this packer comes from mixing of ASPack + ACProtector + Self Debugging + some nice debugger detection tricks!)
Edited June 6, 2006 by SUB Z3R0
June 6, 2006
Nice debugger detection tricks are useless if you can dump it in a few seconds. Even IAT fixing is not necessary.
June 6, 2006 Author
But take a look inside: it checks for a bunch of stuff ... even PETools, but the author forgot LordPE (and some others too)
June 7, 2006
I couldn't get it to dump with LordPE but I had no problem with other tools. It is a similar flaw to Beria that hasn't been fixed in this release...
Ted.
June 7, 2006
Hi Ted! Hi Lena!
Did you know this packer is written in VB?!?!!!!
I have brought you some analysis of this packer's anti-debugging tricks ...

1, It Creates 500ms Timer .....
{
CreateFile : \\.\SICE
CreateFile : \\.\NTICE
Looking For : "TIdaWindow"
Looking For : ">TRACING wait!"
Looking For : ">TRACING"
Looking For : "OWL_Window"
Looking For : "OLLYDBG"
Looking For : "18467-41"
Looking For : "NMSCMW50"
Looking For : "HexWorks"
//
Looking For : "Unpacker Status"
Get PID By The Handle ... Open Process By PID ... Send it a Termination Code ...
( NoDebugger -> Result = 0 / Debugger -> Result = Kernel32.TerminateProcess )
Same Work For These :
Looking For : "Select Filename for saving..."
Looking For : "Save process memory to..."
Looking For : "Save module memory to..."
// End
Looking For : "APIMonitor By Rohitab" -> Try To Hide "SysListView32"
Try To Delete : "$$TEMP$$.$$$"
}

If Detects Debugger .... It Creates A Command.Bat File And Executes It ...
{ Command.Bat :
@ECHO OFF
:START
IF Not EXIST ".\UnpackMe.exe" Goto FILENOTFOUND
DEL ".\UnpackMe.exe"
GOTO START
:FILENOTFOUND
ATTRIB COMMAND.BAT -H -S
DEL COMMAND.BAT
CLS
EXIT
}

2, It Creates 500ms Timer .....
{
Looking For : "Procs32.dll" Module In All Processes
Looking For : "NDump.dll" Module In All Processes
Looking For : "RebPE32.dll" Module In All Processes
Looking For : "HideDebugger.dll" Module In All Processes
}

3, It Corrupts PE Header By Calling Ntdll.ZwUnmapViewOfSection
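
The strings listed in the post above can be used as static triage indicators on a dumped image. The following is an added example, not part of the thread and not code from the packer or its author; the function names, the category labels and the sample bytes are assumptions made for illustration, and it assumes the strings sit in clear (ASCII or UTF-16LE) in an unpacked dump.

```python
# Added example: static triage for the anti-analysis strings listed in the post above.
# Assumption: strings are stored in clear, as ASCII or UTF-16LE, in an unpacked dump.

INDICATORS = {
    "kernel_debugger_device": [r"\\.\SICE", r"\\.\NTICE"],
    "debugger_window_lookup": ["TIdaWindow", "OWL_Window", "OLLYDBG",
                               "NMSCMW50", "HexWorks"],
    "tool_window_terminate": ["Unpacker Status", "Select Filename for saving...",
                              "Save process memory to...", "Save module memory to..."],
    "tool_module_scan": ["Procs32.dll", "NDump.dll", "RebPE32.dll",
                         "HideDebugger.dll"],
    "self_delete_batch": ["Command.Bat"],
    "header_corruption_api": ["ZwUnmapViewOfSection"],
}


def find_indicators(data: bytes) -> dict:
    """Return {category: [indicator, ...]} for every listed string present in data."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only, which is enough here
    hits = {}
    for category, strings in INDICATORS.items():
        found = [s for s in strings
                 if s.lower().encode("ascii") in haystack
                 or s.lower().encode("utf-16-le") in haystack]
        if found:
            hits[category] = found
    return hits


def anti_analysis_score(data: bytes) -> int:
    """Number of distinct behaviour categories with at least one hit."""
    return len(find_indicators(data))


# Constructed sample bytes (not taken from a real Berio-packed file).
SAMPLE = (b"MZ\x90\x00" + "OLLYDBG".encode("utf-16-le") + b"\x00\x00"
          + b"\\\\.\\NTICE\x00" + "HideDebugger.dll".encode("utf-16-le")
          + b"ATTRIB COMMAND.BAT -H -S\r\nDEL COMMAND.BAT\r\n")

if __name__ == "__main__":
    for category, found in find_indicators(SAMPLE).items():
        print(f"{category}: {', '.join(found)}")
    print("categories hit:", anti_analysis_score(SAMPLE))
```
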
June 7, 2006 Author
> I have brought you some analysis of this packer's anti-debugging tricks ...
Good job SUB Z3RO
This packer is insane anti reversing. Every berio packed file that runs deletes itself when a tool from its blacklist is opened. Hehe, imagine some unfortunate chap has bought a soft packed by berio but uses e.g. IDA for his job. Of course he has no backup from his soft. Hehe, bye bye software whenever both are running
lena151
[EDIT] Euhm, BTW, did you notice that the author promises us "More advanced protection options" for the next version
Edited June 7, 2006 by lena151