Jump to content
Tuts 4 You

Berio V1.0


Recommended Posts

berio v1.0 is a promising packer/protector, out for about a month now.

I packed an exe : have some fun :D

- *FIXED - Executables protected with Berio won't always run right away and may need to be click on a few times to work. I realize this is a big problem and I'm trying to fix it as soon as possible.

- There is a major compatibility issue with his program so it currently only works on Windows 2000/Windows XP

What will be in the next version:

- More advanced protection options

- Icon and version changer

- CRC and checksum checker

- Improved GUI

Future Versions:

- Better compression

- Better encryption

- Better protection

- Better Compatibility

Link to comment

It's the successor of beria --> see version.

This one emphasises on debugger detection and has some nice tricks like SUB Z3RO says.

The author is still working on it, especially because it's not winall.

Hehe, it's not newbie stuff ;)


Link to comment

Is the protector itself available or is it currently private?

Maybe I should stop being lazy and Google it....


For all those as lazy as me:


Edited by FaTaL_PrIdE
Link to comment
This packer has one major flaw and weakness. I didn't even use Olly to unpack this, Lena SC will be happy to hear this... :P


Ah ! I see what you mean. Nice hint, I didn't think of that yet.

Hehe, takes only 1 minute.

Thanks Teddy. :hug::thumbsup:

Link to comment

To Teddy Roggers :

I didn't use olly too ! hehe :D !

just dump child process with Lord PE ! ( as easy as dumping !!! )

( this packer comes from mixing of ASPack + ACProtector + Self Debugging + some nice debugger detection tricks ! )

Edited by SUB Z3R0
Link to comment

Nice debugger detection tricks are useless, if you can dump it in few seconds. Even IAT fixing is not necessary. :D

Link to comment

But take a look inside : it checks for a bunch of stuff ... even PETools, but the author forgot LordPE (and some others too :^ )

Link to comment
Teddy Rogers

I couldn't get it to dump with LordPE but I had no problem with other tools. It is a similar flaw to Beria that hasn't been fixed in this release...


Link to comment

Hi Ted! Hi Lena !

Did you know this packer is written by VB ?!?!!!!

I have bring you some analyzation about this packer's anti-debugging tricks ...

1,It Creates 500ms Timer .....


CreateFile : \\.\SICE

CreateFile : \\.\NTICE

Looking For : "TIdaWindow"

Looking For : ">TRACING wait!"

Looking For : ">TRACING"

Looking For : "OWL_Window"

Looking For : "OLLYDBG"

Looking For : "18467-41"

Looking For : "NMSCMW50"

Looking For : "HexWorks"


Looking For : "Unpacker Status"

Get PID By The Handle ... Open Process By PID ... Send it a Termination Code ...

( NoDebugger -> Result = 0 / Debugger -> Result = Kernel32.Terminate Processs )

Same Work For These :

Looking For : "Select Filename for saving..."

Looking For : "Save process memory to..."

Looking For : "Save module memory to..."

// End

Looking For : "APIMonitor By Rohitab" -> Try To Hide "SysListView32"

Try To Delete : "$$TEMP$$.$$$"


If Detects Debugger .... It Creates A Command.Bat File And Execute It ...

{ Command.Bat :



IF Not EXIST ".\UnpackMe.exe" Goto FILENOTFOUND

DEL ".\UnpackMe.exe"








2,It Creates 500ms Timer .....


Looking For : "Procs32.dll" Module In All Processes

Looking For : "NDump.dll" Module In All Processes

Looking For : "RebPE32.dll" Module In All Processes

Looking For : "HideDebugger.dll" Module In All Processes


3,It Corruptes PE Header By Calling Ntdll.ZwUnmapViewOfSection

Link to comment
I have bring you some analyzation about this packer's anti-debugging tricks ...

Good job SUB Z3RO :thumbsup:

This packer is insane anti reversing. Every berio packed file that runs deletes itself when a tool from its blacklist is opened.

Hehe, imagine some unfortunate chap has bought a soft packed by berio but uses e.g. IDA for his job.

Of course he has no backup from his soft. Hehe, bye bye software whenever both are running :P;)


[EDIT] Euhm, BTW, did you notice that the author promises us "More advanced protection options" for the next version :wacko::worthy::zorro:

Edited by lena151
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...