Dailydave mailing list archives
Re: Unpacking & Visualisation
From: "Andrew R. Reiter" <arr () watson org>
Date: Wed, 23 Nov 2005 18:53:07 -0500 (EST)
yeah, when I first read halvar's post, it seemed like a lot of marketing. Way to go

On Wed, 23 Nov 2005, Piotr Bania wrote:

:Hey Halvar,
:
:> first of all, for those of you visually inclined, check:
:> http://www.sabre-security.com/files/upx_unp.avi
:> This is some research our new employee (since last week) Ero Carrera Ventura
:> has been creating.
:> On the x-axis, you have a timeline. On the y-axis, you have the location of
:> the EIP in blue and the location of memory accesses in green. A UPX-packed
:> binary is then executed, and you can see the EIP not changing much
:> (decrypting loop) and the memory accesses do a very clearly visible "sweep"
:> over the entire executable. After a while, the memory access patterns change
:> dramatically and the locations of EIP do so, as well. This is when the
:> executable is unpacked.
:
:Well, it looks nice :) What's more funny - I have coded my own depacking engine
:based on some similar facts you have described. Currently it can handle most
:of known packers and unpackers without knowing any algorithm of protector used.
:
:Here is some sample video for FSG unpacking:
:http://pb.specialised.info/all/depackit/depackit_vs_fsg.avi
:
:cheers,
:Piotr Bania
:
:--
:--------------------------------------------------------------------
:Piotr Bania - <bania.piotr () gmail com> - 0xCD, 0x19
:Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
:http://pb.specialised.info - Key ID: 0xBE43AC33
:--------------------------------------------------------------------
:
: " Dinanzi a me non fuor cose create
:   se non etterne, e io etterno duro.
:   Lasciate ogne speranza, voi ch'intrate "
:   - Dante, Inferno Canto III
:   [Before me nothing was created that was not eternal, and I endure
:   eternally. Abandon all hope, you who enter.]
:

--
arr () watson org
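The two observations in the thread (EIP pinned inside a small loop while stores sweep the image, then a jump into the freshly written region) are exactly what a generic unpacker keys on. The script below is an added example, not code from Halvar, Ero Carrera or Piotr Bania and not part of the SABRE tool or depackit: it runs both heuristics over a constructed execution trace of a UPX-like stub. The trace format, the stub and OEP addresses (0x405000, 0x401000) and the 4 KiB page granularity are assumptions; a real trace would come from a debugger, PIN/DynamoRIO instrumentation or an emulator. It goes one step past the thread by also building a two-layer trace, which is where "take the first transition" breaks and "take the last" is needed.

```python
"""Toy generic-unpacking heuristics over a constructed execution trace.

Signal 1 (the plot in the thread): per-window EIP span vs. write-address span;
a narrow EIP band with a sweeping write band means "still unpacking".
Signal 2 (written-then-executed): control transfers into a page written since
it last executed, one event per unpacking layer. Addresses are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE_SHIFT = 12  # track "written" state per 4 KiB page, as many real tools do


@dataclass
class Step:
    eip: int
    writes: Tuple[int, ...] = ()  # addresses stored to by this instruction
    reads: Tuple[int, ...] = ()   # addresses loaded (not used by the heuristics)


def decrypt_loop(trace: List[Step], stub: int, dst: int, size: int) -> None:
    """Append a 4-instruction decryption loop at `stub` that writes `size`
    bytes of plaintext to `dst`, then a jump into the code it just wrote."""
    for i in range(0, size, 4):
        trace.append(Step(stub + 0, reads=(dst + 0x10000 + i,)))  # load packed dword
        trace.append(Step(stub + 2))                              # decrypt it
        trace.append(Step(stub + 4, writes=(dst + i,)))           # store plaintext
        trace.append(Step(stub + 6))                              # loop
    trace.append(Step(stub + 8))  # jmp dst


def build_trace(layers: int = 1) -> List[Step]:
    """Constructed trace of a UPX-like executable: `layers` nested stubs, the
    innermost one unpacking 0x1000 bytes of image whose OEP is 0x401000."""
    oep, trace = 0x401000, []
    stubs = [0x405000 + 0x1000 * k for k in range(layers)]  # outermost stub first
    for k, stub in enumerate(stubs):
        inner = k + 1 < len(stubs)  # this stub unpacks the next stub, or the image
        decrypt_loop(trace, stub, stubs[k + 1] if inner else oep, 0x20 if inner else 0x1000)
    # The unpacked program runs: EIP ranges over the image, stores go to the stack.
    for pc in (oep, oep + 3, oep + 8, oep + 0x1A0, oep + 0x1A5, oep + 0x7C0, oep + 0x20):
        trace.append(Step(pc, writes=(0x403000,)))
    return trace


def window_profile(trace: List[Step], window: int = 64) -> List[Tuple[int, int, int]]:
    """(start index, EIP span, write-address span) per window: the two bands
    of the plot described in the thread."""
    profile = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        eips = [s.eip for s in chunk]
        writes = [a for s in chunk for a in s.writes]
        profile.append((start, max(eips) - min(eips),
                        max(writes) - min(writes) if writes else 0))
    return profile


def find_oep_by_spread(trace: List[Step], window: int = 64,
                       eip_span_threshold: int = 0x40) -> Optional[int]:
    """Coarse signal: start index of the first window whose EIP span exceeds
    the threshold. Locates the window of the transition, not the instruction."""
    for start, eip_span, _ in window_profile(trace, window):
        if eip_span > eip_span_threshold:
            return start
    return None


def find_layer_transitions(trace: List[Step]) -> List[Tuple[int, int]]:
    """Exact signal: (index, eip) of every transfer into a page that was
    written since it last executed. Page granularity is a known blind spot:
    a stub that unpacks into its own page is never flagged."""
    dirty, events = set(), []
    for idx, step in enumerate(trace):
        page = step.eip >> PAGE_SHIFT
        if page in dirty:  # executing freshly written code
            events.append((idx, step.eip))
            dirty.discard(page)
        dirty.update(a >> PAGE_SHIFT for a in step.writes)
    return events


def find_oep(trace: List[Step]) -> Optional[int]:
    """OEP candidate: the last layer transition. The first one is only right
    for single-layer packers; a nested stub produces one event per layer."""
    events = find_layer_transitions(trace)
    return events[-1][1] if events else None


if __name__ == "__main__":
    for layers in (1, 2):
        t = build_trace(layers)
        print(f"{layers} layer(s): spread window at {find_oep_by_spread(t)}, "
              f"transitions {[(i, hex(e)) for i, e in find_layer_transitions(t)]}, "
              f"OEP {find_oep(t):#x}")
```

On the single-layer trace the spread heuristic flags the window containing the stub's final jump, and the written-then-executed rule pins the OEP to the exact step; on the two-layer trace the spread heuristic fires in the very first window (the outer stub is tiny), which is why the coarse signal is only useful for narrowing the region and the page-dirty rule, taking the last event, is what you dump from.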
Current thread:
- Unpacking & Visualisation halvar (Nov 23)
- <Possible follow-ups>
- Re: Unpacking & Visualisation Piotr Bania (Nov 23)
- Re: Unpacking & Visualisation Andrew R. Reiter (Nov 23)