Binary Analysis
Entry point analysis Oct 28 2005 11:28AM
keydet89 yahoo com (1 replies)
Re: Entry point analysis Oct 28 2005 12:05PM
David Perez-Conde (david perez conde gmail com) (2 replies)
Re: Entry point analysis Oct 28 2005 12:15PM
Harlan Carvey (keydet89 yahoo com) (1 replies)
RE: Entry point analysis Oct 28 2005 03:14PM
Chris Eagle (cseagle redshift com)
Re: Entry point analysis Oct 28 2005 12:08PM
Harlan Carvey (keydet89 yahoo com) (1 replies)
Re: Entry point analysis Oct 28 2005 12:26PM
David Perez-Conde (david perez conde gmail com)
Hi Harlan,

You're welcome.

In the official report (and also in some of the submissions) of
scan#32 I remember we included in the code analysis section a pretty
detailed description of how to obtain an uncompressed version of the
binary using a debugger, finding the original entry point, dumping the
memory contents and fixing the PE header.

The binary was packed using UPX and slightly edited so that upx would
refuse to unpack it. Finding and reversing those minor modifications
was simple enough in that case and then upx could be used to unpack
the binary, but the procedure explained in the report is applicable to
any packed binary, regardless of the algorithm.

I'm not sure if that's the kind of info you were looking for.

As for scan#33, I'm not sure it has similar info. I assumed it
probably does because it was dedicated to analyzing a binary with far
more complicated tricks in it to make analysis difficult.

Regards,
David.
---
David Perez - GSE
28oct05 14:26

On 10/28/05, Harlan Carvey <keydet89 (at) yahoo (dot) com> wrote:
> David,
>
> Thanks for the email.
>
> > You may want to look at scans #32 and #33 at:
> >
> > http://www.honeynet.org/scans/index.html
>
> Yes, I have in the past, and I've been going over them
> both recently with regards to some other work I've
> done.
>
> Is there anything specific within either of the two
> scans that you can point to?
>
> thanks,
>
> Harlan
>
> ------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://windowsir.blogspot.com
> ------------------------------------------
>

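The three header-level steps David describes (work out which section the entry point lands in, dump the running image, then fix the PE header so the dump loads with the original entry point) can be shown on a constructed file. The script below is an added example written for this page; it is not code from the post, from the Honeynet scan #32 report, or from UPX. It builds a minimal PE32 image whose section table mimics a UPX-packed file (an on-disk-empty UPX0 followed by UPX1 holding the entry point), reports the layout clues that point at a packer stub, maps the entry RVA back to a file offset so you know where to start disassembling, and finally patches a dump with a recovered OEP. The OEP value (0x1234) and the "UPX!" marker position are assumptions for the demo; finding the real OEP still means stepping the stub in a debugger to its tail jump, which no static script can do for you.

```python
import struct

# Fixed offsets and flags from the PE/COFF specification.
OPT_ADDRESS_OF_ENTRY_POINT = 16   # offset inside the optional header
OPT_IMAGE_BASE_PE32 = 28
SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Read the DOS stub pointer, COFF header, entry point and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + OPT_ADDRESS_OF_ENTRY_POINT)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars, "hdr_off": off})
    return {"opt": opt, "entry": entry, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_file_offset(sections, rva):
    """Map an RVA to the on-disk offset of its bytes; None if only materialised at run time."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s["va"] >= s["rawsize"]:
        return None
    return s["rawptr"] + (rva - s["va"])


def entry_point_findings(data):
    """Layout clues that the entry point is a packer stub rather than the original code."""
    pe = parse_pe(data)
    secs, ep, findings = pe["sections"], pe["entry"], []
    sec = section_for_rva(secs, ep)
    if sec is None:
        return ["entry point 0x%x lies outside every section" % ep]
    if sec is secs[-1]:
        findings.append("entry point in last section %s" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % sec["name"])
    for s in secs:            # sections that precede the entry section
        if s is sec:
            break
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("section %s has no raw data but 0x%x bytes virtual (room for the unpacked image)"
                            % (s["name"], s["vsize"]))
    # Name-based clue only: a one-byte edit removes it, so its absence proves nothing.
    if b"UPX!" in data:
        findings.append("UPX! marker present")
    return findings


def fix_dumped_image(dump, oep_rva):
    """Patch a memory dump so it loads as a normal file: write the recovered OEP into
    AddressOfEntryPoint and make each section's file layout equal its in-memory layout
    (a dump is already laid out at virtual addresses, so raw size/offset = virtual size/address)."""
    pe = parse_pe(dump)
    out = bytearray(dump)
    struct.pack_into("<I", out, pe["opt"] + OPT_ADDRESS_OF_ENTRY_POINT, oep_rva)
    for s in pe["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_packed_pe():
    """Constructed sample: headers of a PE32 with a UPX-style section table and no real code.
    Made up for this example; it is not a packed binary from the scan."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections, PE32 opt size
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + OPT_ADDRESS_OF_ENTRY_POINT, 0x7500)   # entry inside UPX1
    struct.pack_into("<I", hdr, opt + OPT_IMAGE_BASE_PE32, 0x400000)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x5000, 0x1000, 0x0000, 0x400, 0xE0000080),   # RWX, uninitialised: filled by the stub
        (b"UPX1", 0x2000, 0x6000, 0x1600, 0x400, 0xE0000040),   # RWX, holds compressed data + stub
    ]
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + i * SECTION_HEADER_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    hdr[0x3F0:0x3F4] = b"UPX!"        # assumed marker position, for the name-based check only
    return bytes(hdr) + bytes(0x1600)  # zero-filled raw area standing in for UPX1's bytes


if __name__ == "__main__":
    sample = build_sample_packed_pe()
    pe = parse_pe(sample)
    print("entry RVA 0x%x at file offset %s" % (pe["entry"], hex(rva_to_file_offset(pe["sections"], pe["entry"]))))
    for f in entry_point_findings(sample):
        print(" -", f)
    fixed = fix_dumped_image(sample, 0x1234)   # 0x1234 = OEP assumed to have been found in the debugger
    print("after fix: entry 0x%x in %s" % (parse_pe(fixed)["entry"], section_for_rva(parse_pe(fixed)["sections"], 0x1234)["name"]))
```

Run it as-is and it prints the stub location (0x7500 in UPX1, file offset 0x1900), the packer clues, and the patched header. On a real dump you would feed `fix_dumped_image` the bytes read out of the process at the image base and the OEP you observed at the stub's final jump; the section flags and the import table are left alone here, so an image whose imports the stub rebuilt at run time will still need its import directory restored separately.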


Copyright 2010, SecurityFocus