How to detect what was the PE packer used on the given exe?

winapi exe upx
migajek picture migajek · Aug 13, 2009 · Viewed 24.3k times · Source

I've found an application which seems to be packed. I opened it with some hex editor and it contains "UPX1" section and "3.00 UPX!" string. Unfortunately I'm not able to decompress it with upx latest, it says "not packed by UPX". Is there a way to find out what other PE compressors/crypters were used?

Answer

erjiang picture erjiang · Aug 13, 2009

PEiD is the tool you want. It can detect a variety of unpackers, attempt to unpack any packed exe (regardless of packing scheme), do simple disassembly, detect encryption algorithms present in the source code (not the encryption scheme of the exe, to be clear), and more. But primarily, it is an identifier of packers, cryptors, and compilers of an exe.

Related questions

How do I programmatically get the version of a DLL or EXE file?

I need to get the product version and file version for a DLL or EXE file using Win32 native APIs in C or C++. I'm not looking for the Windows version, but the version numbers that you see by right-clicking …

Read More
How to read / write .exe machine code manually?

I am not well acquainted to the compiler magic. The act of transforming human-readable code (or the not really readable Assembly instructions) into machine code is, for me, rocket science combined with sorcery. I will narrow down the subject of …

Read More
Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach …

Read More