Dailydave mailing list archives

Re: Unpacking & Visualisation


From: Piotr Bania <bania.piotr () gmail com>
Date: Wed, 23 Nov 2005 19:02:11 +0100

Hey Halvar,

> first of all, for those of you visually inclined, check:
> http://www.sabre-security.com/files/upx_unp.avi
> This is some research our new employee (since last week) Ero Carrera
> Ventura has been creating.
> On the x-axis, you have a timeline. On the y-axis, you have the
> location of the EIP in blue and the location of memory accesses in
> green. A UPX-packed binary is then executed, and you can see the EIP
> not changing much (decrypting loop) and the memory access do a very
> clearly visible "sweep" over the entire executable. After a while, the
> memory access patterns change dramatically and the locations of EIP do
> so, as well. This is when the executable is unpacked.

Well, it looks nice :) What's more funny - I have coded my own depacking engine based on some similar facts you have described. Currently it can handle most of the known packers and unpackers without knowing any algorithm of the protector used.

Here is some sample video for FSG unpacking:
http://pb.specialised.info/all/depackit/depackit_vs_fsg.avi

cheers,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr () gmail com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

                          " Before me nothing was created
                            save things eternal, and eternal I endure.
                            Abandon all hope, you who enter here "
                                          - Dante, Inferno Canto III
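The technique Halvar describes above (a tight EIP range while memory accesses sweep the image, then a sudden change in both once the stub jumps into the decrypted code) can be reduced to two simple heuristics over an instruction trace. The following is an added example, not code from Piotr's depackit engine or from SABRE's visualisation; the trace is constructed in-line to mimic a UPX-style stub, the addresses (STUB_BASE, PAYLOAD_BASE, LOOP_LEN) are hypothetical, and the two detectors (windowed EIP spread, write-then-execute) are this example's own assumptions about how one would turn the picture into an automatic unpacking signal.

```python
"""Toy model of the EIP / memory-access timeline from the thread.

The trace below is constructed, not captured from a real tracer.
Each event is (eip, mem_addr, is_write).  Two heuristics are shown,
both assumptions of this example rather than the method in the video:
  1. windowed EIP spread: the decrypt loop keeps EIP in a tiny range
     while memory accesses sweep the image; when the per-window spread
     jumps, control has left the stub.
  2. write-then-execute: the first instruction fetched from an address
     the stub previously wrote is the candidate original entry point.
"""
from collections import namedtuple

Event = namedtuple("Event", "eip mem_addr is_write")

STUB_BASE = 0x401000      # hypothetical location of the packer stub
PAYLOAD_BASE = 0x402000   # hypothetical region the stub decrypts into
PAYLOAD_SIZE = 0x2000     # bytes of packed payload swept by the loop
LOOP_LEN = 8              # instructions per iteration of the decrypt loop


def build_trace():
    """Synthesise the trace: a tight loop writing across the payload, then a jump into it."""
    trace = []
    # Phase 1: decryption loop. EIP cycles over LOOP_LEN stub instructions;
    # the last instruction of each iteration writes 4 decoded bytes, so the
    # written address advances linearly (the green "sweep" in the video).
    for off in range(0, PAYLOAD_SIZE, 4):
        for i in range(LOOP_LEN):
            eip = STUB_BASE + i * 2
            if i == LOOP_LEN - 1:
                trace.append(Event(eip, PAYLOAD_BASE + off, True))
            else:
                trace.append(Event(eip, None, False))  # no memory access
    # Phase 2: jump to the original entry point and run unpacked code;
    # EIP wanders over the payload and reads are scattered, not linear.
    oep = PAYLOAD_BASE + 0x100
    for k in range(200):
        eip = oep + (k * 37) % 0x1000
        trace.append(Event(eip, PAYLOAD_BASE + 0x1800 + (k * 101) % 0x400, False))
    return trace, oep


def eip_spread(trace, window):
    """Per-window (max - min) of EIP: flat inside the stub, large once it leaves."""
    spreads = []
    for i in range(0, len(trace), window):
        chunk = trace[i:i + window]
        eips = [e.eip for e in chunk]
        spreads.append(max(eips) - min(eips))
    return spreads


def detect_transition_by_spread(trace, window=64, factor=8):
    """Index of the first event in a window whose EIP spread exceeds the first window's spread by `factor`."""
    spreads = eip_spread(trace, window)
    baseline = max(spreads[0], 1)  # avoid a zero baseline for single-address windows
    for idx, s in enumerate(spreads):
        if s > baseline * factor:
            return idx * window
    return None


def detect_oep_write_then_execute(trace):
    """Return (event index, eip) of the first fetch from memory the trace wrote earlier, or None."""
    written = set()
    for idx, ev in enumerate(trace):
        if ev.eip in written:
            return idx, ev.eip
        if ev.is_write:
            written.update(range(ev.mem_addr, ev.mem_addr + 4))
    return None


if __name__ == "__main__":
    trace, oep = build_trace()
    print("events:", len(trace), "true OEP: 0x%x" % oep)
    print("spread transition at event", detect_transition_by_spread(trace))
    hit = detect_oep_write_then_execute(trace)
    print("write-then-execute OEP candidate: event %d, eip 0x%x" % hit)
```

On the constructed trace both detectors agree on the event at which the stub hands over: the spread heuristic fires on the first window after the loop ends, and the write-then-execute check names the exact address that was decoded earlier and is now being fetched. On a real trace the spread heuristic is the more fragile of the two (a stub with several loops or a large relocation pass raises the baseline), which is why practical unpackers lean on the write-then-execute condition and use the visual pattern as a sanity check.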

