3.03 beta series (currently at 3.03.23) - final will be v3.04
This new version adds proper support of SafeSEH modules and also other rarely used tables in the LoadConfig directory. It also
fixes possible very rare memory corruption of DLLs that were compiled to utilize SafeSEH and were forced into a base collission or are ASLR aware,
then mapped into a process where all modules also support SafeSEH and ASLR.
Also coming this version is a fix for compression of self-extracting archives (SFX), installers, and other executables with an extra-data/overlay
that is referenced at a physical offset. Now the new /EmulateOverlay (/Emo) switch will fix most all cases of this, and now is AUTOMATICALLY selected
when a file is compressed with an overlay larger than 32KB.
Addition.core: New overlay emulation, as provided by the /EmulateOverlay:[I|O|N] command line parameter, to fix SFX installers, interepted languages built into EXEs, and other similar files. This is done through inclusion of the extradata in the PE image and API hooks on the file reads to redirect reads to the extra-data's original physical offset to the correct location.
Addition.core: Added 'N' option to /EmulateOverlay to explicitly disable it, while possible still keeping the overlay with /KeepOverlay:Y
Addition.core: Added 'I' option to /EmulateOverlay to include the overlay within the PE image, allowing it to be compressed (default is 'O' for outside image)
Addition.core: Auto-induce new overlay emulation if overlay found exceeding 100KB in size
Addition.core: Added deep delete and/or relocate of LoadConfig directories
Addition.core: Added proper LoadConfig.SafeSEH and LoadConfig.LockTablePrefix support
Addition.core: Added /StripLoadConfig:Y|N (/Slc:Y|N) command line parameter to strip the LoadConfig directory (or not)
Addition.core: Proper registration of loader exception handler(s) is appended to LoadConfig.SafeSEH table, if one exists
Addition.Installer: Made 'pec.exe' the main executable, but is a 5KB stub for 'pec2.exe'. May inverse these in the future.
Addition.Installer: Included C++ source to PEHTLib in registered build
Addition.Installer: C++ source for PEHideText decryption is now incldued (registered verison only)
Addition.EAD.Loader: Added new code to cause OllyDbg to crash
Addition.GUI: Added Polish translation
Addition.GUI: Added option for overlay emulation
Addition.GUI: Added option for stripping the LoadConfig directory (or not)
Fix.GUI: Fixed error message shown when specific loader host is removed from the configuration. The previous design mandated a specific loader host always be provided, but now default is simply used.
Fix.EAD.Loader: The Enhanced Anti-Debug Loader could previously wipe out one of the watermarks stored by PEWatermark, causing runtime retrieval of the watermark to fail
Fix.core/loaders: Fix of a memory leak on compressed DLLs that are loaded, then freed. Note that the leak will still exist if you use any API hook plug-in because the decompressed loader can't be deallocated [in the current PECompact architecture] since it contains API hook code that may be later referenced. None of this is of any concern to EXEs, nor to DLLs you don't Free.
Fix.core: Fixed possible memory corruption on DLLs that support SafeSEH and get relocated (via ASLR or base collision)
Change.plugins: IsPacked plug-in now requires API name of PEC_IsPacked or ordinal of 0xffff AND an an HMODULE of 1 OR -1
Change.plugins: IsPacked plug-in now requires API name changed to PEC_IsPacked, but backwards compatibility for PEC2_IsPacked is retained
Change.loaders: Some minor tweaks and changes - I tried to change as little as possible
Change.GUI: Standardized command line switches, so always 'Y' and 'N' instead of some intermingled 'Yes' and 'No's
Change.All: Updated to VC10 (Visual Studio 2010)
Removal.Installer: Removed PEHT alternate libraries because C++ source for PEHideText decryption is now incldued
Change.Installer: PEHideText now back in trial build, for evaluation purposes
Change.Plugins: Updated BoB's IsDebuggerPresent plug-in to v1.08 (registered version only)
Change.LoaderSDK: PEC_HOST_INFO structured appended with three new DWORDs
Removal.Installer: Removed some older codecs, languages, and components that have been deprecated or unmaintined
Change.core: Minor maintenance and other changes
Change.core: Disallow NO_SEH characteristic on all modules (not just DLLs)
Addition.PEClassify: Classifies Armadillo protected executables based on their SEH chain by-pass marker that is embedded in the PE for Windows to use
Change.GUI: Mandated 'Highest Available' rights via manifests
Change.All: Embedded manifests in primary executables
Change.Loader: Now allows plug-ins to have SEH traps in Vista+
[.19]Fix: IsPacked plugin that broke in previous beta build
[.20]Fix: Restore Windows 2000 compatibily of PECompact itself (compressed apps always worked in W2K)
[.20]Fix: Restore Windows 2000 compatibily of PE Suite tools
[.21]Fix: Continued W2K legacy work for PEC itself, cobwebs being brushed out, VC9 migration continues
[.21]Fix. Minor adjustments
[.22]Change.PEHideText: Allow FreeDecryptedText to take either a pointer to the original obfuscated text, or (more traditionally), a pointer to the dynamically allocated deobfuscated rendition of it.
[.22]Change.Loader: Minor change
[.23]Change.PEHideText: Major rewrite of PEHT runtime decryption code. It is now assumed you'll be linking with the source code included in registered version, or writing your own.
[.23a]Change.PEHideText: Allow caller supplied buffer, for decrypting to stack for instance, and randomize some null space left behind that could help identify these segments
--Unreleased--
[.24]Change.PEHideText: Add /o switch to specify a custom obfuscator key to give the user a custom implementation
[.2x]Change.PEHideText: Randomly generate keys for EACH string encrypted, instead of using the same for every string
3.02
Fix.Core: Fixed issue where debug directory entry wasn't completely cleared when stripping of debug directory was indicated
Addition.Plugins: Added a new loader that does not execute any code from writable dynamic memory allocations (pec2ldr_no_rwx_mem). This is useful in various situations.
Change.Plugins: Updated IsDebuggerPresent plug-in by BoBSoft
Change.Licensing: Extended trial period to 30 days to give users time to evaluate product
Change.PEHideText: Increased size of encrypted text marker to ensure no accidental collisions with random code and data. This makes the new version incompatible with the old version, so be sure to get the latest PEHT lib.
Change.PEHideText: If key not supplied on command line, then a random number is used.
Change.Loader: Minor maintenance
Change.Loader.Slim: Slim version of loader tweaked a bit
Change.Loader.Enhanced.Anti.Debug: Added new anti-debugging capabilities (note: EAD loader is a seperate purchase)
Change.Loader.Enhanced.Anti.Debug: Added new anti-dump capabilities (note: EAD loader is a seperate purchase)
Change.Updater: Consolidated all locale specific update checker resource files into main resource files
Change.Docs: Some formatting and content updates
Change.All: Removed cs_cpl (language selection) DLL, library is now statically linked
Addition.Installer: Added help, about, and publisher links for use by the OS
Change.Installer: Reduced total install size
Fix.Updater: No longer shows update check dialog if 'never check for updates' is selected
Fix.Installer: Improved uninstall procedure to properly clean up the newly renamed default PECompact start menu folder
Fix.Installer: Fixed rarely used 'Visit Bitsum Tehcnologies' start menu shortcut
Fix.Installer: Fixed missing PEC2CodecSDK.h for CODEC SDK (registered build only)
Fix.Installer: Fixed scrambled Swedish EULA
Post-release updates:
[.1]Change.Updater: Only show update dialog when an update is actually available, instead of asking user for permission to check every time we want to merely check
[.2]Change.Plugins: Updated BobSoft's IsDebuggerPresent plug-in to v1.06 - This fixes DEP violations with this plug-in
3.00
Addition.Package: Added user contributed ElfHash plug-in (a fast hash algorithm)
Addition.Package: Added user contributed Pascal/Delphi header files for all plug-in types (registered version only)
Addition.Package: Added user contributed 'IsDebuggerPresent' API plug-in (registered version only)
Addition.Package: Added user contributed API hook and Codec plug-ins developed in Delphi
Addition.Installer: Added x64 build of PEHTLib.lib
Change.GUI: Improved message boxes (updated to XMessageBox 1.10 and applied Bitsum custom mods)
Change.PETrim: Enhanced stripping of debug directories
Change.PEHTLib: Change to macros
Change.Installer: Switched to UNICODE build of NSIS
Change.Localization: Updated Swedish translation
Change.Docs: Added credits for contributions of BoB of team PEiD
Change.Docs: Some minor maintenance and improvements
Removal.Installer: Some out of date languages removed
Fix.GUI: Adjustments to initial display position of child windows
Fix.UpdateChecker: Fixed missing space after beta version numbers
Fix.Installer: Fixed missing application icon in 'Add/remove programs' or 'Programs and features'
Fix.PEHTLib: Some fixes for thread safety, applies only to users of PEHideText
Fix.Core: Fixed issue where small decoder was sometimes being used even when fast decoder was specified
Fix.EADLoader: Fixed conflict with removal of import table by enhanced anti-debug loader and Restore Imports option
[.1]Fix.Documentation: Fixed problem with missing pages in CHM
[.2]Change.Installer: Included more plug-ins in the trial edition (ones not abusable)
[.2]Change.All: Replaced all occurrances of 'PECompact2' with 'PECompact' (unreleased)
[.2]Change.EAD-Loader: Updated enhanced anti-debug loader for better interoperability with /RestoreImports:Y option
2.98.6
Fix.Core: Fixed problem with compression of some previously signed modules. Note that the signature is
removed after compression, since it will be invalidated by the changes
Fix.GUI: Fix to display of compression ratio
Fix.Installer: Improved Vista+ UAC support
Change.All: Removed use of alternate HKCU\PECompact registry key
Change.Core: Cleaned up console output
Change.Core: Removed /AllowSecurityDirectory (/Asd) command line parameter (now always 'Yes')
Change.Installer: Language selection is now propagated from the installer to GUI, removing redundant language selection on first run of the GUI
Change.PEClassify: Cleaned up console output
Addition.PEClassify: Added PE or PE+ type output
Addition.Package: Added new plug-in to break automated decompression by UN2PEC, pec2hooks_break_un2pec. (registered version only)
2.96
Fix.Core: Fixed compression of executables with MUI resources (i.e. Vista's
notepad.exe). In previous builds, affected executables would fail to start after
compression
Change.EAD.Loader: Updated, some more protection code added
Change.EAD.Loader: Changed name so it appears more descriptive and correct
Installer.Change: Trial verison no longer includes cipher codecs
Installer.Removal: Removed PEHideText from trial version
Installer.Removal: No longer publicly distributing student version due to abuse
by malware authors. Freeware authors and acedemics can obtain a freeware license
for PECompact by emailing support@bitsum.com
2.94
Fix.Core: Fixed handling of some non-Microsoft linkers debug directories. This
could have caused a decrease in compression ratio or an inability to locate
post-compressed debug information, depending on if /StripDebug was set to Yes or
No, respectively
Fix.Core: Improved compression ratio when debug directories are present and
preserved. In previous versions, unrelocated (old) copies of the debug data
would get left in the compressed data stream
Fix.Core: Improved handling of very large debug directories
Change.Core: If overlay/extra-data is empty (no non-NULL data) we skip storage
of it after compression. This is useful for the new code changes that can strip
debug information from the overlay/extra-data area
Fix.Core: Fixed help mode capital 'A' not being accepted correctly to show
advanced help menu
Fix.TestCodec: Various updates to get it up to speed with the latest CODEC
specifications and more
Change.Settings: Made /StripDebug:Yes (/SD:Y) the default. Debug information
will get stripped unless you specify /SD:N
Addition.GUI: Now remembers last browsed folder when adding files to the
listview in older NT OSes (XP, 2k)
Change.GUI: Minor cosmetic adjustments
Addition.Package: Included new cipher1 codec in all packages
Addition.Package: Included new cipher2 codec in retail build
Installer: Update to NSIS 2.39
2.92
Fix.Core: Fixed issue with DLLs with type libraries (COM objects usually have
them)
Fix.Core: Fixed empty sections sometimes not getting assimilated when they
should be. For some executables, this improves comrpession ratio back to what it
was in v2.88
2.90
Fix.Core: Fix for infinite loop condition on some executables when merging
sections is turned off, or certain sections are skipped (such as shared
sections). This would literally cause compression to never end
Fix.Core: Fix for some shared sections containing only NULL data getting
optimized out (assimilated) and losing their shared status even when '/ssh:y' is
given
Change.Core: Tweaking handling of section attributes when merging. Now only
executable characteristics will be merged
Changes.Codec: Updated IbsenSoftware's aPLib CODEC to v0.44, thanks to Joergen
Ibsen for providing the CODEC plugin
2.88
Addition.Core: New beta support for .NET executable compression is finally here!
We are still ironing out kinks, adding features, optimzing, and testing on
various .NET applications. That said, you can try our early implementation out
now. Yes, your shell icons, version information, and other resources are
properly preserved. Also, all PECompact plug-ins are utilized, including the
CODECs. The .NET assemblies are compressed using LZMA
Addition.GUI: Various things to facilitate .NET support
Addition.Core: Added '/FrameworkVersion=x.x.x.x' or '/Fv=x.x.x.x' switch to
set the .NET Framework version that should be loaded by compressed .NET
assemblies
Fix.Core: Reworked behavior of '/CompressResource:No' (/cr:n). Now resources are
loaded and re-written, but all are kept uncompressed. This results in better
compression ratios and fixes known errata with excluding all resources on some
executables
Fix.GUI: Fixed problem when test launching executables with spaces in the
pathname. They would launch, but some would interept the first parameter wrong
since it wasn't quote encapsulated and may not be able to 'find themselves' if
they rely on the first argument to determine their executable path
Fix.GUI: Improved cosmetics of progress bar during long compressions
Change.Core: We now preserve overlays/extra-data by default. The previous
default was to only preserve them if they were in excess of 255 bytes in length
Fix.Docs: Fixed up ugly headers and fixed title of CHM
2.86
Change.Core: More proper support of ASLR aware programs in that fixups on EXEs are stripped
unless they utilize ASLR