EXE File Packers: an Exercise in Antivirus Annoyance


Over the years most antivirus programs have gotten better at not giving false positives, especially when it comes to game trainers.

It seems, though, that if a program is compressed/packed with an EXE packer most AV (antivirus) programs will still give false positives, many of which are absurd warnings.

The advantages of using an EXE file packer are obvious: smaller file sizes, encrypted data, and even basic protection from would-be thieves. As such, many trainer authors will not release a trainer without using an EXE packer.

My recent Spelunky trainer, without using an EXE packer, gives zero false positives at two online virus scanning services (63 virus scanners in total, counting repeats); however, once that same trainer is packed with an EXE packer it receives multiple false positives.

The false positives given for the packed trainer range from obvious warnings to overly ridiculous ones, such as a packed file warning, a suspicious activity warning, or claims that it is a trojan downloader, trojan dropper, possible worm, or even a variant of a virus.

Towards the end of this article I have included a section called Antivirus & Packer Results that goes into more detail, with AV scanner reports, about false positives from antivirus software.


Unpacked Trainer
As mentioned my unpacked trainer gives 0 false positives at VirusTotal.com and Virusscan.jotti.org. Here is the VirusTotal report and the Jotti Virusscan report.

The trainer fresh from being compiled is only 158.5 KB (162,304 bytes) in size.

Being an unpacked file, all the resources inside the EXE (text strings, images, memory addresses, etc.) are easily read, modified or extracted with any hex editor or a resource editor like Resource Hacker.

So even if the trainer has built-in protection (see my trainer protection tutorial) against trainer spy programs, debuggers, or whatever else, those protections can easily be removed from an unpacked file.

An EXE file packer will compress the data, encrypting it, and in many cases add additional protection for any EXE or game trainer.


Choosing an EXE File Packer
To protect the work of creating the game cheats, writing a trainer, making the custom images, and so on, an EXE packer is used. Finding the right packer software can take longer than all the work that went into the trainer itself.

The main reason is that most file packers are also used by malware/trojans/viruses, and any file packed with particular EXE packers is flagged by AV for that reason alone.

So the trick is to find a file packer that hasn't had its reputation ruined by malware, and is still up to date enough to work with your trainer.

Antivirus companies all seem to claim that their software will not flag a file just because it is packed by an EXE packer. Of course, if you try scanning your trainer or EXE files before and after packing them you will see that AV software will flag them for one reason or another.

File Packer - What to Look For
There are many things to look for, many of which you will decide on when trying file packers yourself. I have listed the main things I looked for when trying EXE file packers.

  1. Cost - freeware or paid file packers. As paid file packers are less likely to be used by malware authors, many are not flagged by AV software as often; however, at a cost of $100 to several thousand it is often not worth it. Several paid programs such as Petite and PECompact are even flagged by AV more than UPX.

    If you want to invest money in a file packer then try the shareware software, otherwise stick to freeware. Either way, besides the cost, both types of software have nearly the same problems and benefits.
      
  2. Compression level for packed files. Not all EXE file packers offer the same level of compression of your game trainers or EXE files. I recommend you find one that provides a high level of compression, and perhaps even changes depending on the areas of the file (for example the compression on the EXE resources compared to the rest of the file).
      
  3. Additional features and extra protection. Many file packers are command line programs, and you may prefer a GUI frontend. Even if the EXE packer is command line driven, many frontend programs exist; do a search to find out whether one exists for it.

    Also many file packers offer built-in protection against debuggers, unpacking, and other forms of protection. I would suggest if it claims to offer protection, try it for yourself.

    Another thing to look for is if the file packer can pack both 32-bit and 64-bit EXE files. That way no matter what type of PC file you have it will work.

    Be aware that many file packers have no protection besides the basic encryption that comes with the file compression, and this can easily be removed. For example, UPX can easily be unpacked by the main program itself, and it offers no way to prevent that.
      
  4. How easy it is to unpack the compressed file. If you are only looking to shrink the trainer file size then you may not be concerned about this. As mentioned UPX can easily be unpacked by the main program itself, and it offers no way to prevent it.

    Some file packers are easily defeated by easy-to-find scripts for OllyDbg, by the file packer itself (such as UPX), or by other widely known methods.

    An easy way to check this is a simple web search of the file packer name and the word unpack, such as "unpack UPX". Just remember that everything is unpackable; you are just looking for something that makes it harder for others to unpack.

    One thing that helps is an often-updated file packer, used in its newest version. This often helps prevent would-be thieves from unpacking your latest trainers.

Finding EXE File Packers
One of the most used file packers is UPX. Thankfully many antivirus programs do not flag everything packed with UPX instantly as a virus anymore. UPX however offers no protection, and any packed file is meant to be easily unpacked.

There are some tricks to prevent unpacking of UPX packed files; however, using them will often get you even more AV false positives. The Skilinium blog tutorial covers some tricks to prevent others from unpacking a UPX packed file.

There are numerous other file packers available, and perhaps some of the best packers are those not widely known. The more popular a file packer becomes, the more unpacking tutorials, tools, and programs are made for it, making a popular file packer easy to unpack.

I am listing some directories of EXE file packers to get you started. Just be aware that many found online are often out of date and will only work on DOS, 16-bit, or 32-bit EXE files.

  • Softpedia - List of Packers/Crypters/Protectors
  • Download32 - Packers and Unpackers
  • SAC - Archivers, exe-compressors, archiver shells and other related utils

Many more can be found with a simple Google search, and often specific EXE packer websites.


Other Protection Methods
Besides using an EXE file packer, there are things you can do when programming your game trainer to help protect it.

For many programming languages there are so-called obfuscator tools. They work by basically renaming all functions to numbers (to make the code more difficult to understand, for example turning the function GetAmmoPointer into function 123), renaming variables, removing all comments, and other things.

Of course you can do such things yourself as you write your trainer or after it is completed.

Another thing you can do is to break up cheat memory addresses into two variables (or more), or do simple math on the address variable to make it valid (for example a variable holds 123460 before it's used, then four is subtracted to get the real address, which would be 123456).

Such tricks will keep the cheat addresses hidden from people who use a hex editor to view the trainer EXE file looking for them.

There are many other things you can do, just use your imagination. I have another tutorial about protecting your trainer available.



Antivirus & Packer Results
My unpacked Spelunky trainer is 158.5 KB (162,304 bytes) in size, and has 0 false positives; here is the VirusTotal report and the Jotti Virusscan report. This is the base file used to get the following results.

UPX Packer
I first packed the same trainer with the most common EXE packer, UPX, with the best compression option of -9. The packed trainer file size is 94 KB (96,256 bytes).

Jotti Virusscan scanner reports 3 false positives (with 20 AV scanners) of a trojan-downloader. The VirusTotal scanner reports 7 false positives (with 43 AV scanners) of a trojan-downloader, generic packed file warnings, and a worm warning.

UPX Packer Modified
I used the same UPX packed trainer (as above). It had the same file size of 94 KB (96,256 bytes). This time, however, the packed trainer was modified so that it is not as easy to unpack.

I used the software tool found at the Skilinium blog tutorial to make the UPX trainer harder to unpack. Afterwards the false positives increased, because AV scanners pointed out that it is a modified UPX packed file.

Jotti Virusscan scanner reports 3 false positives (with 20 AV scanners) of a trojan-downloader. The VirusTotal scanner reports 9 false positives (with 43 AV scanners) of a trojan-downloader, generic packed file warnings, suspicious file, modified UPX warning, and a worm warning.
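To show where "generic packed file" and "modified UPX" verdicts like the ones above can come from, here is an added example (my own code, not part of the original article or of any AV product) of two cheap heuristics a scanner can run over a PE file: packer section names and per-section byte entropy. It assumes the simplified PE layout produced by the hypothetical `build_pe` helper, so the sample images are constructed headers plus raw section data, not real executables; it also goes one step beyond the article by showing that renaming the UPX sections still leaves the high-entropy packed section to be flagged.

```python
import math
import struct
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted sections sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for every IMAGE_SECTION_HEADER of a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    base = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsec):
        hdr = pe[base + 40 * i:base + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe: bytes, threshold: float = 7.0) -> list:
    """Two cheap heuristics behind 'packed file' verdicts: packer section names and entropy."""
    found = []
    for name, data in parse_sections(pe):
        if name.startswith("UPX"):           # stock UPX names its sections UPX0/UPX1
            found.append(f"{name}: UPX section name")
        if data and shannon_entropy(data) >= threshold:
            found.append(f"{name}: high entropy {shannon_entropy(data):.2f}")
    return found

def build_pe(sections) -> bytes:
    """Constructed minimal PE image (headers + raw sections); not a runnable executable."""
    e_lfanew, opt_size = 0x40, 0
    raw_ptr = e_lfanew + 24 + opt_size + 40 * len(sections)
    hdrs, body = b"", b""
    for name, data in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr + len(body)) + b"\0" * 16
        body += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    return dos + coff + hdrs + body

# Constructed samples: an unpacked layout, a UPX-style layout, and the same packed data with renamed sections.
PLAIN = [(b".text", b"\x90" * 200 + b"Spelunky trainer"), (b".data", b"\0" * 64)]
HIGH = bytes(range(256)) * 4                 # stands in for compressed data (entropy exactly 8.0)
UPX_LIKE = [(b"UPX0", b""), (b"UPX1", HIGH)]
RENAMED = [(b".text", b""), (b".data", HIGH)]

if __name__ == "__main__":
    for label, secs in (("plain", PLAIN), ("upx", UPX_LIKE), ("renamed", RENAMED)):
        print(label, packer_indicators(build_pe(secs)))
```

The plain layout produces no findings, the UPX-style layout is caught by both name and entropy, and the renamed layout is still caught by entropy alone, which is the kind of heuristic that survives cosmetic changes to a packed file.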

Additional UPX Trainer
As the UPX packed trainer was getting such insane virus/malware warnings from the virus scanners, I made a version of my trainer with nearly everything removed, leaving just a window GUI with a few buttons.

I packed the file with UPX and tested it, and here are the results. VirusTotal gave nearly the same results as always; however, Jotti Virusscan reported 5 false positives (with 20 AV scanners) of various trojan-downloaders in the trainer.


Online Scanner Details
I tried many different EXE file packers and every single one of them made my trainer give false positives. Unpacked, the trainer gives no false positives, so I modified my trainer multiple times and noticed various things happening with the online scanner results.

With the Virusscan.jotti.org scanner it seems three of the AV scanners always report the same thing as each other. It seems that the AV scanners G Data, F-Secure, and BitDefender all share a virus definition database. No matter how long or specific the warning is, they all say exactly the same thing every time.

The VirusTotal.com scanner has a great feature that actually works and is useful. Any file scanned at the VirusTotal website is sent to the antivirus vendors so they can update their definition databases.

I have noticed that several of the scan results for the trainer files at VirusTotal reported a certain number of false positives, and if I re-scanned the same files or viewed the previous results a day or more later the false positives were often fewer.

For example, one of my tests originally had 13 false positives late Saturday. Now, as I write this article and check the test results page, it reports only 9 false positives. It seems that several AV companies actually review the VirusTotal files and update their products.

One other interesting thing I noticed is that even though both online scanners use several of the same AV scanners, those identical AV scanners will give different results. Often an AV scanner will find nothing at one site and give a false positive at the other.


Conclusion
I have to say that the VirusTotal.com scanner seems to be the best online virus scanner. It offers the most AV scanners on each test, and AV companies will get a copy of your file and often remove false positives without any extra effort.

It also seems that VirusTotal uses the most up-to-date scanner databases, given that the results can vary day to day; plus they actually list when each AV was last updated.

EXE file packers can be a great tool to shrink your trainer file sizes by half or even more, while offering some basic protection.

AV false positives vary widely and can change even if the only thing altered in your trainer is some text.

For example, my released Spelunky trainer, which is packed/compressed, has only one false positive from 42 AV scanners; however, when I alter the text or cheat addresses in the trainer it has had as many as 13 false positives.

Using the same packer on various trainers that were created with the same tools, even the same programming method, will give different results for each. I use the same basic trainer skeleton that I programmed for my various trainers (modifying the images, text, and cheats for each game), and each will have varying false positives.

False positives seem to be a part of the game cheating scene and as such most users just accept them.

If you want to avoid them there are two things you must do: use a programming language and write your own trainers (no trainer maker/creation tools, as nearly anything made with them is flagged by AV), and do not use any EXE file packer.

You can learn more about creating trainers in my article about programming languages and trainer creation/maker tools.
