Dailydave mailing list archives

Unpacking & Visualisation


From: <halvar () gmx de>
Date: Wed, 23 Nov 2005 07:58:10 -0800

Hey all,

first of all, for those of you visually inclined, check:

http://www.sabre-security.com/files/upx_unp.avi

This is some research our new employee (since last week) Ero Carrera Ventura has been creating.
On the x-axis, you have a timeline. On the y-axis, you have the location of the EIP in blue
and the location of memory accesses in green. A UPX-packed binary is then executed, and
you can see the EIP not changing much (decrypting loop) and the memory accesses do a very
clearly visible "sweep" over the entire executable. After a while, the memory access patterns
change dramatically and the locations of EIP do so, as well. This is when the executable is 
unpacked. 

On a related note: We at SABRE are not only offering fun tools, but also people that can use them 
(e.g. specialized consulting). So if you end up needing someone to do 
    1) Security analysis of executables
    2) Analysis of custom malware found on compromised boxes
    3) Comparison of executables, e.g. for security patches
    4) Comparison of executables for code theft detection
    5) Other directly RE-related tasks (some embedded RE'ing perhaps?)
feel free to drop info () sabre-security com a line.

Cheers,
Halvar
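
The two signals Halvar describes in the video (EIP confined to a few bytes while memory writes sweep across the image, then EIP leaving the loop and landing in the freshly written region) can be turned into a simple end-of-unpacking detector. The script below is an added example written for this archive page; it is not code from the original post, from Ero Carrera or from SABRE, and the trace record format and the UPX-like synthetic trace are assumptions made for the example (a real trace would come from a single-stepping debugger or a binary-instrumentation tool).

```python
"""Locate the end-of-unpacking point in an instruction trace.

Added example, not code from the original post or from SABRE. It turns
the two signals described in the post (tight EIP range while writes
sweep over the image, then EIP jumping into the written region) into a
detector. The Step record layout and the synthetic trace are
assumptions made for this example.
"""
from collections import namedtuple

# One executed instruction: its address plus at most one data access
# (address, 'r'/'w', byte count); None/0 when the instruction does none.
Step = namedtuple("Step", "eip mem_addr access size")


def make_synthetic_upx_trace(stub_base=0x401000, src_base=0x403000,
                             dest_base=0x402000, n_bytes=0x400):
    """Constructed trace of a tiny UPX-style stub, not a real capture.

    A five-instruction loop copies n_bytes from src to dest one byte at a
    time (EIP stays within 8 bytes, writes sweep dest linearly), then a
    tail jump lands on dest and the "unpacked" code runs from there.
    """
    trace = []
    for i in range(n_bytes):
        trace.append(Step(stub_base + 0x0, src_base + i, 'r', 1))   # mov al, [esi]
        trace.append(Step(stub_base + 0x2, dest_base + i, 'w', 1))  # mov [edi], al
        trace.append(Step(stub_base + 0x4, None, None, 0))          # inc esi
        trace.append(Step(stub_base + 0x5, None, None, 0))          # inc edi
        trace.append(Step(stub_base + 0x6, None, None, 0))          # loop
    trace.append(Step(stub_base + 0x8, None, None, 0))              # jmp dest (tail jump)
    for off in range(0, 0x40, 2):                                   # unpacked code executing
        trace.append(Step(dest_base + off, None, None, 0))
    return trace


def find_unpack_point(trace):
    """Index of the first instruction executed from a byte written earlier.

    Write-then-execute heuristic: the decrypting loop writes the image,
    and the moment EIP enters written memory the stub is finished.
    Returns None if the trace never executes self-written code.
    """
    written = set()
    for idx, step in enumerate(trace):
        if step.eip in written:
            return idx
        if step.access == 'w':
            written.update(range(step.mem_addr, step.mem_addr + step.size))
    return None


def sweep_extent(trace, upto):
    """(lowest, highest) address written before index `upto`: the green
    "sweep" in the visualisation, i.e. the region the stub reconstructed."""
    addrs = [a for s in trace[:upto] if s.access == 'w'
             for a in range(s.mem_addr, s.mem_addr + s.size)]
    return (min(addrs), max(addrs)) if addrs else None


def eip_extent(trace, start, stop):
    """(lowest, highest) EIP in trace[start:stop]; tiny for a tight loop,
    much larger once control is in the unpacked code."""
    eips = [s.eip for s in trace[start:stop]]
    return min(eips), max(eips)


if __name__ == "__main__":
    t = make_synthetic_upx_trace()
    idx = find_unpack_point(t)
    lo, hi = sweep_extent(t, idx)
    loop_lo, loop_hi = eip_extent(t, 0, idx)
    print(f"stub loop EIP range : {loop_lo:#x}-{loop_hi:#x}")
    print(f"written sweep       : {lo:#x}-{hi:#x}")
    print(f"unpacked code entry : step {idx}, EIP {t[idx].eip:#x}")
```

On the synthetic trace the loop's EIP range is 0x401000-0x401008, the written sweep covers 0x402000-0x4023ff, and the detector fires at the first instruction fetched from 0x402000, which is exactly where the plotted EIP curve jumps in the video. The write-then-execute rule is the textbook generic-unpacking heuristic and is easy to evade (a packer that unpacks in several layers, or that patches only a few bytes before re-entering existing code, produces several or very early hits), so in practice the index it returns is a candidate to dump and inspect rather than a final answer.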
