Vulnerability Development: Re: unpacking UPX or PE-packed binaries

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries

From: Gadi Evron <ge () linuxbox org>
Date: Sat, 24 Apr 2004 16:34:55 +0200

Blue Boar wrote:

Karma wrote:
Just interested in how AV R&D companies unpack worms with complex UPXand PE
pack protocols.
The modified UPX packing is a pretty small change usually. Compare onewith a standard UPX header for the same version. There are a variety ofunpackers out there.


[Hey BB, 'sup? :)]

Having taken a look at the samples, they are indeed agobots (look a bitmore like phatbots, but who can tell anymore?), but polymorphic ones(polybots).

Also, they are packed using PE-Crypt.Wonk, which would explain why upx-d didn't work.


        Gadi Evron.

By Date By Thread

Current thread:

unpacking UPX or PE-packed binaries Karma (Apr 22)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Inode (Apr 26)
- Re: unpacking UPX or PE-packed binaries Blue Boar (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 26)
- Re: unpacking UPX or PE-packed binaries Henrik Bøgh (Apr 26)
- <Possible follow-ups>
- RE: unpacking UPX or PE-packed binaries Kayne Ian (Softlab) (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
    - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 27)
    - Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 27)