----- Original Message -----
From: "Andrei Saygo" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, June 30, 2006 6:30 AM
Subject: Re: PECompact2
On Friday 23 June 2006 21:05, [EMAIL PROTECTED] wrote:
> Greetings,
> I recently came across a suspicious binary (.SCR) file in a
> compromised system. As I started to analyse it by running a
> 'strings' against it I noticed there was very little readable text
> in it, but the first line caught my attention: PECompact2.
> I did some research and it seems this indicates the binary is
> somehow compressed/obfuscated by using some sort of PE compression
> tool (probably http://www.bitsum.com/pec2.asp).
> Now I would like to unpack the executable to carry on with the
> analysis. From what I could understand this would only be possible
> by running it in a test win32 system, probably using a disassembly
> tool, since it only "unpacks" itself when being executed. Is that
> correct? Would there be some other way of doing so, perhaps using
> some sort of decompression tool? I was not able to find any so far.
PECompact is rather trivial to manually unpack...
The first instruction of the packer is a MOV EAX, [addr].
Go to the address at [addr] and scroll down until you reach JMP EAX.
Put a Breakpoint on the JMP EAX, run the software and that will break at the
jump to OEP...
RaMatkal
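The three steps RaMatkal gives (first instruction is MOV EAX, [addr]; follow the pointer stored at [addr]; scroll down to JMP EAX) can be walked statically before the debugger is opened. The script below is an added example, not code from this thread or from Bitsum. It assumes a PE32 image laid out as it is in memory (RVA equals offset, as in a process dump; a raw file would first need its sections mapped), that the entry instruction is encoded as opcode A1 plus a 32-bit absolute address, and that the loader reached through that pointer ends in the two-byte JMP EAX (FF E0). The sample image it builds is constructed to mirror that layout and is not a real PECompact2 binary.

```python
"""
Statically locate the JMP EAX breakpoint for a PECompact2-style entry stub.

Added example; assumptions (see lead-in):
  * input is a PE32 image with RVA == offset (memory layout)
  * entry point begins with MOV EAX, moffs32 (A1 imm32)
  * the loader pointed to by that cell ends in JMP EAX (FF E0)
"""
import struct

MOV_EAX_MOFFS32 = 0xA1
JMP_EAX = b"\xff\xe0"


def pe32_entry_and_base(image: bytes) -> tuple[int, int]:
    """Return (AddressOfEntryPoint RVA, ImageBase) from a PE32 header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    return entry_rva, image_base


def find_jmp_eax_breakpoint(image: bytes, scan_limit: int = 0x1000):
    """Follow the reply's recipe; return the VA of the JMP EAX to break on,
    or None if the entry does not match or no JMP EAX is found within scan_limit bytes."""
    entry_rva, base = pe32_entry_and_base(image)
    # Step 1: the first instruction must be MOV EAX, [addr] (opcode A1, imm32 absolute address).
    if image[entry_rva] != MOV_EAX_MOFFS32:
        return None
    addr_rva = struct.unpack_from("<I", image, entry_rva + 1)[0] - base
    if not 0 <= addr_rva <= len(image) - 4:
        return None
    # Step 2: "go to the address at [addr]": the dword stored there points into the loader.
    loader_rva = struct.unpack_from("<I", image, addr_rva)[0] - base
    if not 0 <= loader_rva < len(image):
        return None
    # Step 3: "scroll down until you reach JMP EAX": linear byte search for FF E0.
    pos = image.find(JMP_EAX, loader_rva, loader_rva + scan_limit)
    return None if pos == -1 else base + pos


def build_sample_image() -> bytes:
    """Constructed PE32 image (not a real PECompact2 sample) with the layout the reply describes."""
    base = 0x400000
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, base)       # ImageBase
    # Entry stub at 0x401000: MOV EAX, [0x402000]
    img[0x1000] = MOV_EAX_MOFFS32
    struct.pack_into("<I", img, 0x1001, base + 0x2000)
    # Pointer cell at 0x402000 -> loader stub at 0x402100
    struct.pack_into("<I", img, 0x2000, base + 0x2100)
    # Loader stub: PUSHAD, filler NOPs, then JMP EAX at 0x402140
    img[0x2100] = 0x60
    img[0x2101:0x2140] = b"\x90" * (0x2140 - 0x2101)
    img[0x2140:0x2142] = JMP_EAX
    return bytes(img)


if __name__ == "__main__":
    bp = find_jmp_eax_breakpoint(build_sample_image())
    if bp is None:
        print("entry does not match the PECompact2 MOV EAX, [addr] pattern")
    else:
        print(f"set a breakpoint on JMP EAX at {bp:#010x}, then run to reach the OEP jump")
```

The byte search in step 3 is not a disassembly: FF E0 can also occur inside another instruction's operand, so treat the address it returns as the candidate to confirm in the debugger, which is what "scroll down" in the reply amounts to. The header parser deliberately rejects PE32+ since the MOV EAX/JMP EAX pattern described is 32-bit.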