Re: unpacking UPX or PE-packed binaries



On Friday 23 April 2004 04:25 Karma wrote to 
"Undisclosed-Recipient:;"@securityfocus.com:

[...]

>Been trying to dissect the recent Gaobot variants and getting nowhere with
>my generic UPX-unpacker. Since this is more and more commonly used, I
>thought I would be wise to consult the Lists.

In the case of at least one of the Gaobots, the UPX-header was (probably 
deliberately by the author) mangled after the binary was packed. This method 
of "obfuscating" code has been seen before. If you could restore the original 
UPX-header, unpacking the code should be trivial.

>Karma

-- 
Venlig hilsen / Kind regards
Henrik Bøgh ( henrik.list@xxxxxxxxx )
  "What are you staring at? It's just a hammer, man!"
   -- Søren Pilmark as Grethe in 'Ørkenens sønner'
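
A triage check for the situation described in the reply above, as an added example that is not part of the original message: it flags a PE whose section layout looks like UPX output while the usual UPX markers (section names starting with `UPX`, the `UPX!` magic) are missing. The message does not say which header fields were altered, so the markers checked and the layout heuristic are assumptions, and all sample inputs are constructed.

```python
import struct

WX = 0x20000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for off in range(table, table + 40 * count, 40):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append((name.rstrip(b"\0"), vsize, rsize, flags))
    return sections

def classify(data):
    secs = pe_sections(data)
    # Assumed heuristic: UPX output starts with a section that is empty on disk
    # but writable+executable in memory (the stub decompresses into it).
    # Other packers can produce the same layout, so this is only a triage hint.
    layout = (len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0
              and (secs[0][3] & WX) == WX)
    named = any(name.startswith(b"UPX") for name, *_ in secs)
    magic = b"UPX!" in data
    if layout and named and magic:
        return "upx-markers-intact"
    if layout:
        return "upx-like-layout-markers-altered"
    return "no-upx-layout"

def build_sample(sections, trailer):
    """Constructed header-only PE for the demo; sections = (name, vsize, rsize, flags)."""
    out = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name, vsize, rsize, flags in sections:
        out += struct.pack("<8sIIIIIIHHI", name, vsize, 0, rsize, 0, 0, 0, 0, 0, flags)
    return out + trailer

PACKED = build_sample([(b"UPX0", 0x8000, 0, 0xE0000080), (b"UPX1", 0x4000, 0x3200, 0xE0000040)], b"UPX!")
MANGLED = build_sample([(b"foo0", 0x8000, 0, 0xE0000080), (b"foo1", 0x4000, 0x3200, 0xE0000040)], b"XXXX")
PLAIN = build_sample([(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x200, 0x200, 0xC0000040)], b"")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("mangled", MANGLED), ("plain", PLAIN)):
        print(label, classify(blob))
```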