Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: unpacking UPX or PE-packed binaries
From: Henrik Bøgh (henrik.listboegh.net)
Date: Sat Apr 24 2004 - 03:34:22 CDT
On Friday 23 April 2004 04:25 Karma wrote to
>Been trying to disect the recent Gaobot variants and getting no where with
>my generic UPX-unpacker. Since this is more and more commonly used, I
>thought I would be wise to consult the Lists.
In the case of at least one of the Gaobot's the UPX-header was (probably
deliberately by the author) mangled after the binary was packed. This method
"obfuscating" code has been seen before. If you could restore the original
UPX-header unpacking the code should be trivial.
Venlig hilsen / Kind regards
Henrik Bøgh ( henrik.listboegh.net )
"Hva' glor du på? Det' sgu'da bare en hammer mand!"
-- Søren Pilmark som Grethe i 'Ørkenens sønner'