Vulnerability Development mailing list archives
Re: unpacking UPX or PE-packed binaries
From: Henrik Bøgh <henrik.list () boegh net>
Date: Sat, 24 Apr 2004 10:34:22 +0200
On Friday 23 April 2004 04:25 Karma wrote to "Undisclosed-Recipient:;"@securityfocus.com: [...]
> Been trying to dissect the recent Gaobot variants and getting nowhere with my generic UPX-unpacker. Since this is more and more commonly used, I thought I would be wise to consult the Lists.
In the case of at least one of the Gaobots, the UPX-header was (probably deliberately by the author) mangled after the binary was packed. This method of "obfuscating" code has been seen before. If you could restore the original UPX-header, unpacking the code should be trivial.
> Karma
--
Kind regards
Henrik Bøgh ( henrik.list () boegh net )
"What are you staring at? It's just a damn hammer, man!"
-- Søren Pilmark as Grethe in 'Ørkenens sønner'
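
Added example, not part of the original message and not code from the UPX project: a triage check that flags a PE file whose UPX markers look tampered with, the situation the reply describes. The post does not say which fields were mangled, so the markers used here (section names starting with `UPX`, the `UPX!` magic, an empty first section with the entry point in a later one) are assumptions about typical UPX output, and `build_sample` only constructs test headers.

```python
import struct

def pe_sections(data):
    """Return (entry_rva, [(name, vsize, vaddr, rawsize), ...]) for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (entry,) = struct.unpack_from("<I", data, pe_off + 24 + 16)  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size
    rows = [struct.unpack_from("<8sIII", data, table + 40 * i) for i in range(nsect)]
    return entry, [(n.rstrip(b"\0"), vs, va, raw) for n, vs, va, raw in rows]

def upx_status(data):
    """Heuristic triage: 'upx-intact', 'suspect-mangled' or 'no-upx-traits'."""
    entry, secs = pe_sections(data)
    names = any(n.startswith(b"UPX") for n, *_ in secs)
    magic = b"UPX!" in data
    # Packer-style layout: the first section has no bytes on disk and the
    # entry point lies in a later section (where an unpacking stub would sit).
    layout = (len(secs) >= 2 and secs[0][3] == 0 and secs[0][1] > 0 and
              any(va <= entry < va + vs for _, vs, va, _ in secs[1:]))
    if names and magic:
        return "upx-intact"
    return "suspect-mangled" if (names or magic or layout) else "no-upx-traits"

def build_sample(names, magic, first_raw=0):
    """Constructed minimal PE header for the demo; not a real or runnable binary."""
    pe_off, opt_size = 0x40, 0xE0
    buf = bytearray(0x400)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 6, len(names))
    struct.pack_into("<H", buf, pe_off + 20, opt_size)
    struct.pack_into("<I", buf, pe_off + 40, 0x6000)  # entry inside second section
    table = pe_off + 24 + opt_size
    for i, name in enumerate(names):
        raw = first_raw if i == 0 else 0x200
        struct.pack_into("<8sIII", buf, table + 40 * i, name, 0x5000, 0x1000 + 0x5000 * i, raw)
    buf[0x3E0:0x3E0 + len(magic)] = magic
    return bytes(buf)
```

A `suspect-mangled` result means only that the markers and the layout disagree; other packers produce a similar layout, so it is a prompt for manual analysis rather than an identification.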