John Källén edited this page Jul 26, 2015 · 1 revision

A packer is a program that takes an executable and compresses it. Reasons for doing this include making the binary smaller to conserve resources, and making the binary harder to reverse engineer by encrypting and/or obfuscating the contents of the original executable.

After packing, the packed executable will contain the packed original payload plus an unpacking stub. The packed executable will typically replace the original entrypoint of the executable with a new entrypoint pointing to the unpacking stub. When executed, the packed executable will run the unpacking stub, which will unpack the remaining original payload, and then transfer control to it.

In the reverse engineering community, there is widespread interest in being able to run the unpacking stub but stop execution before control is transferred to the original program. Many techniques have been used to implement this. Typically this involves first identifying how a binary has been packed (usually by matching binary signatures against the packed binary), and then executing the unpacking stub in a controlled manner with some form of unpacking script. These unpacking scripts use commands similar to those given to a low-level debugger to set breakpoints, execute code, and perform similar operations.

Reko has implemented the infrastructure for signature matching and loading unpacking scripts. Currently Reko supports scripts written in OllyScript, a scripting language used widely in the reverse engineering community, and based on OllyDbg, a popular debugger. Adding unpacking scripts is easily done by adding them to the application configuration file.
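
The signature-matching step described above can be sketched as follows. This is an added example, not Reko's code or its signature format: the hex-with-`??`-wildcards notation, the packer names, the signatures and the sample image are all constructed for illustration.

```python
"""Added example: identify a packer by matching wildcard byte signatures
at the entry point. All names, signatures and bytes here are constructed."""

def parse_signature(text):
    """Turn 'AA ?? BB' into a list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def matches_at(data, offset, pattern):
    """True if pattern matches data at offset; wildcards match any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False  # signature would run past the end of the image
    return all(p is None or data[offset + i] == p
               for i, p in enumerate(pattern))

def identify_packer(data, entry_offset, signatures):
    """Return the names of all signatures that match at the entry point,
    ordered from most specific (most fixed bytes) to least specific."""
    hits = []
    for name, text in signatures.items():
        pattern = parse_signature(text)
        if matches_at(data, entry_offset, pattern):
            fixed = sum(p is not None for p in pattern)
            hits.append((fixed, name))
    return [name for _, name in sorted(hits, reverse=True)]

# Constructed signatures (hypothetical packers). Wildcards cover the
# addresses that differ from one packed binary to the next.
SIGNATURES = {
    "DemoPack 1.x": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57",
    "DemoPack (generic)": "60 BE ?? ?? ?? ??",
    "OtherPack": "55 8B EC 83 EC ?? 53",
}

# Constructed image: 16 bytes of padding, then an unpacking stub whose
# first instruction sits at the (new) entry point.
STUB = bytes.fromhex("60be001040008dbe0000ffff57eb0b")
IMAGE = bytes(16) + STUB
ENTRY_OFFSET = 16

if __name__ == "__main__":
    print(identify_packer(IMAGE, ENTRY_OFFSET, SIGNATURES))
```

Anchoring the match at the entry point rather than scanning the whole file keeps short signatures from matching unrelated data, and ranking by the number of fixed bytes prefers a version-specific signature over a generic one when both match.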
