Doesn't work on SOME PE files + key size issue #9

Closed
KFSPC8 opened this issue Nov 19, 2019 · 8 comments
KFSPC8 commented Nov 19, 2019

Shows "File successfully packed !", but 64-bit executable doesn't run.

Tested on: Windows 10 64-bit Version 1809 (OS Build 17763.437)
Executable tested: procexp64.exe (Windows Sysinternals)

@EgeBalci (Owner) commented:

If you can share more details such as verbose tool output, Go environment values and NASM version, I will try to help. The tool is working fine with PE32+ files. There must be some special situation in your case.

KFSPC8 commented Nov 21, 2019

Here's the verbose output:

[*] File: procexp64.exe
[*] Reflective: false
[*] Key Size: 8
[*] API: EAT
[*] Verbose: true

[*] Checking requirments...
[*] Setting up work directory at D:\Users\me\AppData\Local\Temp/954b552d35c491bca26985785a767bee
[*] Opening input file...
[*] Analyzing PE file...
[*] File Size:   byte
[*] Machine: 0x8664
[*] Magic: 0x20B
[*] Found executable characteristics
[+] ASLR supported !
[*]  Using ASLR stub...
[*] Subsystem: 0x2
[*] Image Base: 0x140000000
[*] Address Of Entry: 0xAE184
[*] Size Of Image: 0x189000
[*] Export Table: 0x40000000
[*] Import Table: 0x40115058
[*] Base Relocation Table: 0x40187000
[*] Import Address Table: 0x400D0000
[*] Assembling stub
[*] Ciphering payload...
[*] Payload encrypted with RC4 algorithm
[*] Key

{0x84, 0xE5, 0x85, 0xBD, 0x92, 0xBB, 0xD7, 0xC0}

[*] Assebly completed.
[*] Creating virtual file system...
[*] Obfuscating function names...
[*] Compiling go stub...

[*] Final Size: 1458856 -> 6827008 bytes
[?] File successfully packed ! 
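The verbose log above prints the PE header fields Amber inspects before packing (Machine, Magic, Subsystem, Image Base, entry point, ASLR support). As an added illustration, not Amber's own code, the Python below reads those same fields from a constructed sample header and shows the one layout difference that separates PE32 (Magic 0x10B) from PE32+ (Magic 0x20B): the width and offset of ImageBase. The sample image is a constructed header, not procexp64.exe; the field names and check functions are this example's own.

```python
import struct

# Constants from the PE spec used by the checks below.
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR (relocatable image)

def build_sample_pe32plus():
    """Constructed sample: DOS header, PE signature, COFF header and the
    first 72 bytes of a PE32+ optional header (not a real executable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 6, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 14, 0, 0, 0, 0, 0xAE184, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0,
                       6, 0, 0, 0x189000, 0x400, 0, 2, 0x0160)
    return bytes(dos) + b"PE\0\0" + coff + opt

def parse_pe_header(data):
    """Return the header fields Amber's verbose log reports; raise on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header starts after the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:              # 64-bit layout: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == PE32_MAGIC:                # 32-bit layout: BaseOfData at +24, 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": machine, "magic": magic, "is_pe32plus": magic == PE32PLUS_MAGIC,
        "executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "subsystem": subsystem, "image_base": image_base,
        "entry": entry, "size_of_image": size_of_image,
    }

if __name__ == "__main__":
    for k, v in parse_pe_header(build_sample_pe32plus()).items():
        print(f"[*] {k}: {hex(v) if isinstance(v, int) and not isinstance(v, bool) else v}")
```

Running it against a real file (read its bytes in place of the constructed sample) gives a quick way to confirm the Magic and ASLR values a packer reports before trusting its "successfully packed" message.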

KFSPC8 commented Nov 21, 2019

go env:

set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=D:\Users\me\AppData\Local\go-build
set GOENV=D:\Users\me\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=D:\Users\me\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=c:\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=c:\go\pkg\tool\windows_amd64
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fmessage-length=0 -fdebug-prefix-map=D:\Users\me\AppData\Local\Temp\go-build536879466=/tmp/go-build -gno-record-gcc-switches

KFSPC8 commented Nov 21, 2019

I'm using nasm-2.14.03rc1. I've tried using it on PE32 applications and it works, only when I use it on PE32+ application that the output executable fails to run. Your help will be greatly appreciated!

KFSPC8 commented Nov 21, 2019

Update: It works on calc.exe (System32 file), but not on procexp64.exe (Windows sysinternals file).
So it only works on some PE32+ but not all. Curious if you know why it's happening?

Update 2: calc.exe works when the key size is a multiple of 8 (8, 16, 32 ...), but doesn't work with other key sizes.

@KFSPC8 KFSPC8 changed the title Doesn't work on PE32+ (64-bit executables) Doesn't work on SOME PE32+ (64-bit executables) Nov 21, 2019
@EgeBalci (Owner) commented:

Some executable files, including procexp64, are using execution methods such as process hollowing. This method sometimes may break the execution flow of the Amber packer. The upcoming update will fix most of these issues. Also, the problem you are having with key size is a known bug; it will also be fixed in the new version.

@EgeBalci EgeBalci added the bug label Nov 26, 2019
KFSPC8 commented Nov 26, 2019

@EgeBalci Thanks for the info. Any idea when the next update will be?

@KFSPC8 KFSPC8 changed the title Doesn't work on SOME PE32+ (64-bit executables) Doesn't work on SOME PE files + key size issue Nov 26, 2019
@EgeBalci (Owner) commented:

I'll try to push it in 2019 :)
