I don't recall the plugin name, but there's one out there for IDA that
will stop execution on a particular instruction.. and I don't mean a
standard "breakpoint".. you need to stop execution on the "popa"
instruction since most packers immediately call pusha at the beginning of
execution, and after decryption/decompression call "popa" to restore the
registers to a state to continue execution..
Of course, this screws you a bit if the particular packer checks for
debuggers (something like Yoda's Protector).. but you should be able to
work past this..
enjoy
-phar
On Sun, 2006-01-29 at 19:02 +0000, lopez_morales (at) yahoo (dot) com wrote:
> Hi,
>
> I have to analyse a binary file, but it appears to be compressed or encrypted. Does anyone know how to find out which utility it was compressed with?
>
> Are there programs to know it?
>
> or some kind of test to do?
>
> thanks
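For the "some kind of test to do" part of the question, one quick triage check a defender can run before reaching for a debugger is per-section entropy plus a lookup of section names that known packers leave behind. This is an added example, not code from the thread; the section-name table is a small assumed list, and the two "binaries" are constructed byte buffers standing in for what a PE parser would return.

```python
import math
import random
from typing import Dict

# Section names that well-known packers leave behind (short, non-exhaustive
# list assumed for this example; a real triage tool carries a much larger one).
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite", ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Compressed or encrypted sections sit close to 8; plain x86 code is usually lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def triage_sections(sections: Dict[str, bytes], threshold: float = 7.0) -> dict:
    """Return per-section entropy plus an overall 'looks packed' verdict.
    `sections` maps section name -> raw section bytes (what a PE parser would give you)."""
    report = {}
    for name, raw in sections.items():
        ent = shannon_entropy(raw)
        report[name] = {
            "entropy": round(ent, 2),
            "high_entropy": ent >= threshold,
            "packer_hint": KNOWN_PACKER_SECTIONS.get(name),
        }
    packed = any(r["high_entropy"] or r["packer_hint"] for r in report.values())
    return {"sections": report, "looks_packed": packed}

# Constructed sample inputs (not real files): pseudo-random bytes stand in for a
# compressed/encrypted UPX1 section, a repeated code-like pattern for plain .text.
_rng = random.Random(2006)
PACKED_SAMPLE = {
    "UPX0": b"",                                  # uninitialised in the file, raw size 0
    "UPX1": bytes(_rng.randrange(256) for _ in range(4096)),
    ".rsrc": b"\x00" * 512 + b"MAINICON" * 16,
}
PLAIN_SAMPLE = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xc0" * 300,
    ".data": b"Hello, world\x00" * 100,
}

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage_sections(sample))
```

High entropy alone is not proof of packing (a large embedded certificate or image resource looks the same), so treat the verdict as a reason to look closer, not a final answer.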