Dailydave mailing list archives

Re: Unpacking & Visualisation


From: "Andrew R. Reiter" <arr () watson org>
Date: Wed, 23 Nov 2005 18:53:07 -0500 (EST)


yea, when I first read Halvar's post, it seemed like a lot of marketing.  
Way to go


On Wed, 23 Nov 2005, Piotr Bania wrote:

:Hey Halvar,
:
:> first of all, for those of you visually inclined, check:
:> http://www.sabre-security.com/files/upx_unp.avi
:> This is some research our new employee (since last week) Ero Carrera Ventura
:> has been creating.
:> On the x-axis, you have a timeline. On the y-axis, you have the location of
:> the EIP in blue and the location of memory accesses in green. A UPX-packed
:> binary is then executed, and you can see the EIP not changing much
:> (decrypting loop) and the memory accesses do a very clearly visible "sweep"
:> over the entire executable. After a while, the memory access patterns
:> change dramatically and the locations of EIP do so, as well. This is when
:> the executable is unpacked.
:
:Well, it looks nice :) What's more funny - I have coded my own depacking engine
:based on some similar facts you have described. Currently it can handle most
:of the known packers and unpackers without knowing any algorithm of the protector used.
:
:Here is some sample video for FSG unpacking:
:http://pb.specialised.info/all/depackit/depackit_vs_fsg.avi
:
:cheers,
:Piotr Bania
:
:-- 
:--------------------------------------------------------------------
:Piotr Bania - <bania.piotr () gmail com> - 0xCD, 0x19
:Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
:http://pb.specialised.info  - Key ID: 0xBE43AC33
:--------------------------------------------------------------------
:
:                          " Before me there were no created things
:                            but eternal ones, and eternal I endure.
:                            Abandon all hope, you who enter here "
:                                          - Dante, Inferno Canto III
:
:

--
arr () watson org
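The pattern Halvar describes in the quoted post (EIP parked in a small decryption loop while memory writes sweep across the image, then both patterns changing at the moment control enters the unpacked code) is exactly what a packer-agnostic unpack detector keys on. The Python below is an added example written for this archive page; it is not the Sabre Security visualiser, Ero Carrera's research code, or Piotr Bania's depacking engine. Every name in it (`Event`, `Finding`, `build_trace`, `analyse`, the `STUB_BASE`/`CODE_BASE`/`STACK_TOP` constants) and the whole trace are constructed for illustration, and the window size and EIP-spread threshold are arbitrary tuning knobs, not values from the thread. It simulates a trace of a packed program and applies two heuristics that correspond to the two visual phases: a trailing window with a near-stationary EIP and monotonically advancing writes is flagged as the sweep, and the first instruction fetched from memory the sweep itself wrote is reported as the candidate original entry point.

```python
"""Generic unpack-phase detector over a simulated instruction trace.

Added example for this archive page (not the Sabre Security visualiser or
Piotr Bania's engine). Addresses, section sizes and the trace itself are
constructed; the two heuristics mirror the thread: (1) a 'sweep' phase where
EIP stays inside a small loop while memory writes advance monotonically
across the image, and (2) the moment EIP leaves that loop and executes from
memory the sweep itself wrote, which is the candidate original entry point.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical layout (constructed, not taken from any real binary)
STUB_BASE = 0x410000   # where the decryption loop lives
CODE_BASE = 0x401000   # destination the loop writes into
CODE_SIZE = 0x1000
STACK_TOP = 0x7FFE0000


@dataclass(frozen=True)
class Event:
    step: int             # timeline position (x-axis in the video)
    eip: int              # instruction pointer (blue in the video)
    write: Optional[int]  # address written by this instruction, if any (green)


@dataclass(frozen=True)
class Finding:
    sweep_start: int      # first step at which the sweep pattern was recognised
    sweep_end: int        # last step still inside the decryption loop
    swept_bytes: int      # distinct addresses written before control transfer
    candidate_oep: int    # first EIP executed from self-written memory
    oep_step: int


def build_trace(packed: bool = True) -> List[Event]:
    """Constructed trace: an 8-instruction unpack loop that writes one byte of
    the code section per iteration, then a jump into that section. With
    packed=False only the 'ordinary' second phase is emitted."""
    events: List[Event] = []
    step = 0
    if packed:
        for i in range(CODE_SIZE):
            for k in range(8):
                write = CODE_BASE + i if k == 5 else None
                events.append(Event(step, STUB_BASE + 4 * k, write))
                step += 1
    # Second phase: EIP scatters over the code section, writes hit the stack.
    for j in range(0, 0x800, 4):
        eip = CODE_BASE + (j * 37) % CODE_SIZE   # j == 0 lands exactly on CODE_BASE
        write = STACK_TOP - (j % 0x100) if j % 3 == 0 else None
        events.append(Event(step, eip, write))
        step += 1
    return events


def analyse(events: List[Event], window: int = 64,
            max_eip_spread: int = 0x100) -> Optional[Finding]:
    """Return a Finding once a sweep has been seen and EIP enters swept memory."""
    written = set()
    sweep_start = None
    for idx, ev in enumerate(events):
        # Heuristic 2, checked at fetch time: executing from memory this
        # program wrote earlier is the write-then-execute transition.
        if sweep_start is not None and ev.eip in written:
            return Finding(sweep_start, events[idx - 1].step, len(written),
                           ev.eip, ev.step)
        if ev.write is not None:
            written.add(ev.write)
        # Heuristic 1: a trailing window with a near-stationary EIP and
        # strictly advancing writes is the visible 'sweep'.
        if sweep_start is None and idx >= window - 1:
            win = events[idx - window + 1: idx + 1]
            eips = [e.eip for e in win]
            writes = [e.write for e in win if e.write is not None]
            if (max(eips) - min(eips) <= max_eip_spread
                    and len(writes) >= 4
                    and writes == sorted(writes)
                    and writes[-1] > writes[0]):
                sweep_start = win[0].step
    return None


if __name__ == "__main__":
    found = analyse(build_trace())
    if found is None:
        print("no unpacking pattern found")
    else:
        print(f"sweep from step {found.sweep_start} to {found.sweep_end}, "
              f"{found.swept_bytes:#x} bytes written; "
              f"candidate OEP {found.candidate_oep:#x} at step {found.oep_step}")
    print("unpacked-only trace:", analyse(build_trace(packed=False)))
```

On the constructed trace the sweep is recognised in the first window, the loop runs for 8 × 0x1000 steps, and the candidate OEP is reported as 0x401000 at the first instruction of the second phase; the unpacked-only trace yields no finding because its EIP never sits still long enough to satisfy the sweep test. The write-then-execute check is the robust half of the pair: it needs no knowledge of the packer, only a record of which addresses the program wrote, which is why it survives across packer families, while the sweep heuristic is what a viewer of the video would recognise and is easily disturbed by a loop that writes out of order.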

