How do I decompile an .exe packed with an unknown packer? (beginner asking for technical help)
Hey there, no worries at all—starting out in reverse engineering can feel super overwhelming, especially when you hit an unknown packer that tools like PEiD can’t pick up. Let’s walk through some practical steps you can take next:
Try alternative packer detection tools
PEiD is pretty outdated, so it often misses newer or more niche packers. Give these tools a shot instead:
- Exeinfo PE: Has a larger database of packers and can detect more variants.
- Detect It Easy (DIE): Actively maintained, supports both x86 and x64 binaries, and flags suspicious sections or behaviors.
Manual PE structure analysis
Load the binary into a PE viewer like PEview or even a debugger like x64dbg to inspect its section table. Look for red flags that signal packing:
- Oddly named sections (e.g., `.pack`, `.upx`, or random strings).
- Huge discrepancies between a section’s Raw Size (disk size) and Virtual Size (memory size)—packed sections are compressed on disk, so they’ll expand drastically when loaded into memory.
- Sections with unusual permissions (e.g., `RWX` (Read-Write-Execute) instead of the standard `RX` for code sections).
Start dynamic debugging to spot unpacking behavior
Fire up x64dbg (or x32dbg for 32-bit binaries) and load the EXE. Here’s what to look for:
- The entry point (OEP) will likely have dense, repetitive code typical of unpacking loops (e.g., XOR operations, calls to decompression routines).
- Keep an eye out for anti-debugging checks—common ones include calls to the `IsDebuggerPresent` or `CheckRemoteDebuggerPresent` APIs. You can use debugger features to bypass these if you run into them.
- Try stepping through the code (using F7 for single-step) to follow the unpacking process, though be prepared: some packers use obfuscation to make this tricky.
Leverage community knowledge
If you’re still stuck, gather some key details about the binary (like its architecture, section table info, or the first 20-30 lines of assembly at the entry point) and ask for help in reverse engineering communities. Experienced folks might recognize the packer’s signature from those clues.
Learn the basics of manual unpacking
Once you have a better sense of the packer, dive into tutorials on manual unpacking. The core workflow usually involves:
- Finding the Original Entry Point (OEP) where the real program code starts after unpacking.
- Dumping the unpacked memory image from the debugger.
- Fixing the PE headers so the dumped file runs correctly.
The question was originally asked on Stack Exchange by Denis.
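The section-table red flags from the "Manual PE structure analysis" step (odd names, raw vs. virtual size gap, RWX permissions) can be checked automatically. The following Python triage script is an added example, not code from the answer or from any tool it names: it parses a PE section table with only the standard library and reports those three indicators. The COMMON_SECTIONS set and the 4x size ratio are assumed thresholds of my own, and build_sample_pe() constructs a header-only sample blob rather than reading a real binary.

```python
import struct
# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT"}  # assumed "normal" names
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "rawsize": f[3], "flags": f[9]})
    return sections

def packing_indicators(sections, ratio=4):
    """Return {section_name: [reasons]} for the three red flags in the answer."""
    findings = {}
    for s in sections:
        reasons = []
        if s["name"] not in COMMON_SECTIONS:
            reasons.append("unusual section name")
        if s["vsize"] > ratio * max(s["rawsize"], 1):  # compressed on disk, expands in memory
            reasons.append("virtual size %d >> raw size %d" % (s["vsize"], s["rawsize"]))
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("RWX section")
        if reasons:
            findings[s["name"]] = reasons
    return findings

def build_sample_pe():  # constructed header-only sample, not a real binary
    rx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    def sec(name, vsize, raw, flags):
        return struct.pack(SECTION_FMT, name, vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, no optional header
    return (dos + b"PE\0\0" + coff + sec(b".text", 0x1000, 0x1000, rx)
            + sec(b".pack", 0x20000, 0x200, rx | IMAGE_SCN_MEM_WRITE))
```

To run it on a real file, pass `open(path, "rb").read()` to parse_sections(); a `.text` section with matching sizes and RX permissions produces no finding, while the constructed `.pack` section trips all three checks.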