>>I have to analyze a binary file, but it appears to be compressed or
encrypted. Does anyone know how to tell which utility it has been
compressed with?
Hi,
The process goes something like this:
1. Perform static file analysis. Identify, with strings analysis, PE header
program information, and hex editors, what type of file it is and whether it is
packed with something. For example: PEiD, LordPE, BinText, Hedit32.
2. Attempt to perform a native decompression of the program. If this is not
possible, look for a non-native decompression utility, which you can find
through googling. Use it with caution in a VMware environment, since such tools
may be Trojaned.
3. If that doesn't work, try to perform a memory dump through LordPE,
OllyDbg, IDA Pro, or similar programs. Then you have to fix the header and
try to get it to work, read strings in the dumped file, etc., to give you
additional clues.
In some cases you may have to write some special customized scripts in
order to get everything to work, or play with it for a looooong time.
Experience and networking with other professionals really helps.
Ken Dunham
Director of the Rapid Response Team
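As an added example (not part of the original reply or of any tool mentioned in it), here is a stand-alone Python script that does the step-1 static triage the reply describes: it walks the DOS/PE headers and section table with struct, computes per-section Shannon entropy, checks section names against a list of names that common packers leave behind, locates the section holding the entry point, and counts printable strings, the same signals PEiD and a hex editor would give you by eye. The two PE images it inspects are constructed in memory by build_pe(), so it runs offline with no third-party parser; the packer section-name list, the 7.0 bits/byte entropy threshold and the sample bytes are assumptions for illustration, not data from a real sample.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Section names that common packers leave behind (assumed, illustrative list, not exhaustive).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b".MPRESS1", b".MPRESS2", b".themida", b".vmp0", b".vmp1", b".packed",
}
HIGH_ENTROPY = 7.0   # bits/byte (assumed threshold); plain x86 code sits around 5-6.5, compressed data near 8
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10b = PE32, 0x20b = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw": raw, "entropy": shannon_entropy(raw),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_rva": entry_rva, "sections": sections}


def triage(data: bytes) -> dict:
    """Static packer triage: section names, per-section entropy, entry-point location, strings."""
    pe = parse_pe(data)
    findings, strong, ep_section = [], False, None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            ep_section = s
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append("known packer section name %r" % s["name"])
            strong = True
        if s["raw"] and s["entropy"] > HIGH_ENTROPY:
            findings.append("section %r entropy %.2f: compressed or encrypted data"
                            % (s["name"], s["entropy"]))
            strong = True
    if ep_section is None:   # entry point in headers or overlay: a classic packer/loader trick
        findings.append("entry point 0x%x lies outside every section" % pe["entry_rva"])
    elif ep_section["name"] != b".text":   # weak signal on its own (Delphi etc. use other names)
        findings.append("entry point in %r rather than .text (unpacking stub?)" % ep_section["name"])
    return {"findings": findings, "likely_packed": strong,
            "string_count": len(printable_strings(data)),
            "sections": [(s["name"], round(s["entropy"], 2)) for s in pe["sections"]]}


def build_pe(sections, entry_section=0) -> bytes:
    """Construct a minimal PE32 image in memory (synthetic test data, not a real program);
    sections is a list of (name, raw_bytes, characteristics)."""
    FILE_ALIGN, SECT_ALIGN, OPT_SIZE = 0x200, 0x1000, 0xE0
    headers_len = -(-(0x40 + 4 + 20 + OPT_SIZE + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x0102)
    sec_hdrs, body, rawptr, vaddr, entry_rva = b"", b"", headers_len, SECT_ALIGN, 0
    for i, (name, raw, chars) in enumerate(sections):
        rawsize = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        if i == entry_section:
            entry_rva = vaddr
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                                rawsize, rawptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += max(SECT_ALIGN, -(-len(raw) // SECT_ALIGN) * SECT_ALIGN)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)  # ImageBase, alignments
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return image.ljust(headers_len, b"\0") + body


# Constructed samples: a plain PE whose .text holds repetitive x86-looking bytes plus readable
# strings, and a "packed" one whose entry point sits in a high-entropy UPX1 section.
_CODE = b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08\x85\xc0\x74\x05\xe8" * 64
_RDATA = b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0Hello from the analysed program\0"
_HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
PLAIN_PE = build_pe([(b".text", _CODE, 0x60000020), (b".rdata", _RDATA, 0x40000040)])
PACKED_PE = build_pe([(b"UPX0", b"", 0xE0000080), (b"UPX1", _HIGH_ENTROPY, 0xE0000040)],
                     entry_section=1)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, triage(sample))
```

To use it on a real file, replace the constructed samples with `triage(open(path, "rb").read())`. Only the packer-name and entropy checks set likely_packed; an entry point outside .text is reported but not counted, because plenty of unpacked compilers name their code section differently. A high-entropy section with a known packer name tells you which native unpacker to try in step 2; high entropy with unknown section names points at a custom or renamed packer and towards the memory-dump route in step 3.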