Dailydave mailing list archives
Re: Unpacking & Visualisation
From: Piotr Bania <bania.piotr () gmail com>
Date: Wed, 23 Nov 2005 19:02:11 +0100
Hey Halvar,

> first of all, for those of you visually inclined, check:
> http://www.sabre-security.com/files/upx_unp.avi
> This is some research our new employee (since last week) Ero Carrera
> Ventura has been creating.
> On the x-axis, you have a timeline. On the y-axis, you have the
> location of the EIP in blue and the location of memory accesses in green.
> A UPX-packed binary is then executed, and you can see the EIP not changing
> much (decrypting loop) and the memory access do a very clearly visible
> "sweep" over the entire executable. After a while, the memory access
> patterns change dramatically and the locations of EIP do so, as well.
> This is when the executable is unpacked.

Well, it looks nice :) What's more funny - I have coded my own depacking engine based on some similar facts you have described. Currently it can handle most known packers and unpackers without knowing the algorithm of the protector used.

Here is some sample video for FSG unpacking: http://pb.specialised.info/all/depackit/depackit_vs_fsg.avi

cheers,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr () gmail com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Dinanzi a me non fuor cose create se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate " - Dante, Inferno Canto III
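Added example, not code from either post nor from Sabre's or Piotr's tools: a Python sketch of the two ideas in this exchange, the EIP/memory-access timeline from the video and the "execute what was just written" transition a generic unpacker keys on, run over a constructed instruction trace. It assumes a trace already captured as (EIP, data address, read/write) events, e.g. from a single-stepping debugger; all addresses and the stub layout are made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    eip: int                         # address of the executing instruction
    mem_addr: Optional[int] = None   # data address it touched, if any
    write: bool = False              # True for a store, False for a load

def find_layer_transitions(trace: List[Event]) -> List[Tuple[int, int]]:
    """Write-then-execute heuristic: report each (step, eip) at which an
    instruction is fetched from an address an earlier instruction wrote.
    The written set is cleared after a hit so each layer of a multi-stage
    packer is reported once; the last hit is the OEP guess."""
    hits, written = [], set()
    for step, ev in enumerate(trace):
        if ev.eip in written:
            hits.append((step, ev.eip))
            written.clear()
        if ev.write and ev.mem_addr is not None:
            written.add(ev.mem_addr)
    return hits

def eip_timeline(trace, lo, hi, cols=20, window=32) -> List[str]:
    """Text version of the video: one row per `window` events, one column
    per (hi-lo)//cols bytes. 'E' = EIP there, 'm' = memory access, 'X' = both."""
    rows = []
    for start in range(0, len(trace), window):
        cells = [" "] * cols
        for ev in trace[start:start + window]:
            for addr, mark in ((ev.eip, "E"), (ev.mem_addr, "m")):
                if addr is None or not lo <= addr < hi:
                    continue
                col = (addr - lo) * cols // (hi - lo)
                cells[col] = mark if cells[col] in (" ", mark) else "X"
        rows.append("".join(cells))
    return rows

def build_packed_trace() -> List[Event]:
    """Constructed trace (not a real capture) mimicking a UPX-style stub: a
    4-instruction loop at 0x401000 reads packed data at 0x405000 and sweeps
    stores over 0x402000-0x4020ff, then jumps there and runs the new code."""
    trace = []
    for i in range(64):
        trace.append(Event(0x401000, 0x405000 + 4 * i))              # load packed dword
        trace.append(Event(0x401004))                                # decode it
        trace.append(Event(0x401008, 0x402000 + 4 * i, write=True))  # store decoded dword
        trace.append(Event(0x40100c))                                # loop back
    trace.append(Event(0x401010))                                    # jmp to unpacked code
    for i in range(16):
        trace.append(Event(0x402000 + 4 * i, 0x403000 + 8 * i))      # unpacked code running
    return trace
```

Printing `eip_timeline(build_packed_trace(), 0x401000, 0x406000)` shows eight identical rows (EIP pinned in column 0, stores in column 4, loads in column 16) and then a last row where the EIP has moved into the swept region, the pattern change the video makes visible; `find_layer_transitions` pins that to step 257 at 0x402000. On real packers the heuristic also fires on ordinary self-modifying or JIT code, so it is a candidate list to confirm, not a verdict.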
Current thread:
- Unpacking & Visualisation - halvar (Nov 23)
- Re: Unpacking & Visualisation - Piotr Bania (Nov 23)
- Re: Unpacking & Visualisation - Andrew R. Reiter (Nov 23)