-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks for all the feedback. I have always taken the poor mans approach to this since its not really my job, but a fun hobby on the side.
regards mike On Fri, 05 Aug 2005 02:49:49 -0700 Peter Kruse <[EMAIL PROTECTED]> wrote: >Hey, > >> These were not submitted to any AV vendors since Norton did >> flag them. In the past I have submitted unknown trojans/ >> viruses like these to Symantec when clients have been owned, >> but what can I say they are hardly 0day more like 300 day. > >8-) > >> http://www.bitsum.com/pec2.asp > >Yes, I already have this tool in my box. Pretty useful for first >glance. > >> Could you share your methodology on how you go about reverse >> engineering/ disassembling a malicious piece of code that has >> had a packer ran on it? > >There are many off-the self unpackers out there that will do the >job just >fine, but lately malware writters rather modify or use >enhanced/hacked >version of popular PE-packers. Either way a compressed binary will >have to >uncompress itself using the compressor stub in order to run. In >order to >unpack look for the call that jumps from the stub to unpacked >code. When the >jmp address is located modify so the jmp goes to esi. This will >put the code >in a loop. Next procdump. > >There are plenty of good tutorials. One of these are associated >with IDA: >http://www.datarescue.com/idabase/unpack_pe/ > >I hope this helps you getting started. > >Regards >Peter Kruse -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkLzNy8ACgkQUjm7xSZSd8GYjACeIoBxJOXEqi4omXslFRpJRGF7Vw0A n3tB9zvUITpeklmYRUG0GQN8Gxjs =rUI8 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
