Re: [Dailydave] Unpacking & Visualisation
From: Andrew R. Reiter (arr at watson.org)
Date: Wed Nov 23 2005 - 17:53:07 CST
Yeah, when I first read Halvar's post, it seemed like a lot of marketing.
Way to go
On Wed, 23 Nov 2005, Piotr Bania wrote:
:Hey Halvar,
:
:> first of all, for those of you visually inclined, check:
:> http://www.sabre-security.com/files/upx_unp.avi
:> This is some research our new employee (since last week) Ero Carrera Ventura
:> has been creating.
:> On the x-axis, you have a timeline. On the y-axis, you have the location of
:> the EIP in blue and the location of memory accesses in green. A UPX-packed
:> binary is then executed, and you can see the EIP not changing much
:> (decrypting loop) and the memory accesses do a very clearly visible "sweep"
:> over the entire executable. After a while, the memory access patterns
:> change dramatically and the locations of EIP do so, as well. This is when
:> the executable is unpacked.
:
:Well, it looks nice :) What's more funny, I have coded my own depacking engine
:based on some similar facts to the ones you have described. Currently it can handle
:most of the known packers and unpackers without knowing the algorithm of the protector used.
:
:Here is some sample video for FSG unpacking:
:http://pb.specialised.info/all/depackit/depackit_vs_fsg.avi
:
:cheers,
:Piotr Bania
:
:--
:--------------------------------------------------------------------
:Piotr Bania - <bania.piotr at gmail.com> - 0xCD, 0x19
:Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
:http://pb.specialised.info - Key ID: 0xBE43AC33
:--------------------------------------------------------------------
:
: " Dinanzi a me non fuor cose create
: se non etterne, e io etterno duro.
: Lasciate ogne speranza, voi ch'intrate "
: [Before me nothing was created that was not eternal,
: and I endure eternally.
: Abandon all hope, you who enter.]
: - Dante, Inferno Canto III
:
:
--
arr at watson.org
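The two observations the thread is built on (a packer stub spins in a small EIP range while its memory writes sweep across the image, and the binary is "unpacked" the moment EIP lands inside the region that was just written) are exactly what a trace-based generic unpacker keys on. The following is an added example written for this archive; it is neither the Sabre visualisation nor Piotr Bania's depacking engine. It works over a constructed instruction trace (the addresses, the stub layout and the payload size are all hypothetical) rather than a live debugger, and it does two things: it reduces the trace to the per-window numbers behind the plot Halvar describes, and it flags the first instruction fetched from an address the program itself wrote earlier, the write-then-execute heuristic for locating the original entry point.

```python
"""Write-then-execute OEP detection over an instruction trace.

Added example, not code from the thread or from either tool mentioned in it.
The trace is constructed by hand to mimic a one-layer XOR packer: a stub at
STUB_BASE loops over PAYLOAD_SIZE bytes at PAYLOAD_BASE (read, xor, write),
then jumps into the freshly decrypted code. All addresses are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

IMAGE_BASE = 0x400000      # hypothetical image base
STUB_BASE = 0x401000       # hypothetical packer stub
PAYLOAD_BASE = 0x402000    # hypothetical region the stub decrypts into
PAYLOAD_SIZE = 0x40


@dataclass(frozen=True)
class Step:
    """One single-stepped instruction: where EIP was and what it touched."""
    eip: int
    reads: Tuple[int, ...] = ()
    writes: Tuple[int, ...] = ()


def build_sample_trace() -> List[Step]:
    """Constructed trace: decrypt loop, then a jump into the decrypted code."""
    trace: List[Step] = []
    for i in range(PAYLOAD_SIZE):
        dst = PAYLOAD_BASE + i
        trace.append(Step(STUB_BASE + 0x00, reads=(dst,)))   # mov al, [edi]
        trace.append(Step(STUB_BASE + 0x02))                 # xor al, key
        trace.append(Step(STUB_BASE + 0x04, writes=(dst,)))  # mov [edi], al
        trace.append(Step(STUB_BASE + 0x06))                 # inc edi
        trace.append(Step(STUB_BASE + 0x07))                 # loop
    trace.append(Step(STUB_BASE + 0x09))                     # jmp PAYLOAD_BASE
    for i in range(0, 8, 2):                                 # unpacked code runs
        trace.append(Step(PAYLOAD_BASE + i, reads=(IMAGE_BASE + 0x3000 + i,)))
    return trace


def find_oep(trace: Iterable[Step]) -> Optional[Tuple[int, int]]:
    """Return (step_index, eip) of the first instruction fetched from an
    address the traced program wrote earlier, or None if that never happens.

    Only the first byte of each instruction is checked, which is enough for a
    stub that jumps to the start of what it wrote; a byte-exact tracer would
    check every byte of the fetched instruction against the written set.
    """
    written = set()
    for idx, step in enumerate(trace):
        if step.eip in written:
            return idx, step.eip
        written.update(step.writes)
    return None


def phase_profile(trace: Sequence[Step], window: int = 50) -> List[Tuple[int, int, int, int]]:
    """Per-window (min_eip, max_eip, min_access, max_access).

    These are the numbers behind the blue/green plot from the thread: a
    narrow EIP span with a wide, advancing access span is the decrypt loop;
    the EIP span jumping into the written region is the unpacked phase.
    Windows with no memory access reuse the EIP bounds for the access bounds.
    """
    out = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        eips = [s.eip for s in chunk]
        accs = [a for s in chunk for a in s.reads + s.writes] or eips
        out.append((min(eips), max(eips), min(accs), max(accs)))
    return out


if __name__ == "__main__":
    sample = build_sample_trace()
    for lo_e, hi_e, lo_a, hi_a in phase_profile(sample):
        print(f"eip {lo_e:#x}-{hi_e:#x}  access {lo_a:#x}-{hi_a:#x}")
    hit = find_oep(sample)
    if hit:
        print(f"write-then-execute transfer at step {hit[0]}: EIP={hit[1]:#x}")
```

On a real packer this is run from a single-stepping debugger or an emulator that reports each instruction's data accesses, and the transfer it reports is where you dump the process and rebuild the import table. The caveat a practitioner runs into immediately: multi-layer protectors trigger the heuristic once per layer, and a stub that patches its own code trips it before any payload exists, so in practice you take the last transfer into a region whose write sweep covered a large part of the image rather than the first one.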