Jun 23 2006 11:08PM
derez (derez packetforge net)
als (at) hush (dot) com [email concealed] wrote:
> I recently came across a suspicious binary (.SCR) file in a
> compromised system. As I started to analyse it by running a
> 'strings' against it I noticed there was very little readable text
> in it, but the first line caught my attention: PECompact2.
> I did some research and it seems this indicates the binary is
> somehow compressed/obfuscated by using some sort of PE compression
> tool (probably http://www.bitsum.com/pec2.asp).
> Now I would like to unpack the executable to carry on with the
> analysis. From what I could understand this would only be possible
> by running it in a test win32 system, probably using a disassembly
> tool, since it only "unpacks" itself when being executed. Is that
> correct? Would there be some other way of doing so, perhaps using
> some sort of decompression tool? I was not able to find any so far.
> Thanks for any help.
Check out http://www.openrce.org/reference_library/packer_database where
quig has done some great analysis of PECompact2.x (as well as other
packers) and provides an Entry Point Signature. There is also an
Ollyscript Plugin to unpack it by hacnho/VCT2k4 referenced.
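Before reaching for a debugger, the static first pass the poster describes (run `strings`, notice the packer marker) can be made a little more systematic. The script below is an added example, not code from this thread or from the packer database linked above: it parses the PE header to find which section holds the entry point, measures that section's byte entropy (packed code sits close to 8 bits per byte), and checks for the `PECompact2` marker. The PE image it analyses is constructed inline for demonstration; the real entry-point signature bytes live in quig's database and are not reproduced here.

```python
import math
import random
import struct

PACKER_MARKER = b"PECompact2"  # the string the original poster saw in `strings` output

def shannon_entropy(buf):
    """Bits per byte; packed or encrypted data sits near 8.0, plain code nearer 6."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def pe_triage(data):
    """Static triage of a PE32 image without running it: where the entry point
    lives, how random that section looks, and whether the packer marker is present."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    result = {"entry_point": entry_rva, "ep_section": None, "ep_entropy": 0.0,
              "packer_string": PACKER_MARKER in data}
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            result["ep_section"] = name.rstrip(b"\0").decode("ascii", "replace")
            result["ep_entropy"] = shannon_entropy(data[rawptr:rawptr + rawsize])
    return result

def build_sample_pe():
    """Constructed minimal PE32 (not a real sample): a high-entropy .text holding
    the entry point, plus a second section carrying the PECompact2 marker string."""
    rng = random.Random(7)
    text = bytes(rng.randrange(256) for _ in range(0x200))          # looks packed
    rsrc = (PACKER_MARKER + b"\0").ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(text), 0, 0, 0x1010).ljust(0xE0, b"\0")
    secs = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    secs += struct.pack("<8sIIII", b".rsrc", 0x200, 0x2000, 0x200, 0x400).ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0") + text + rsrc
```

Run `pe_triage(open(path, "rb").read())` on a real file; an entry point inside a high-entropy section plus the marker string is consistent with what the poster saw, but the packer database's entry-point signature is the authoritative check.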
Copyright 2010, SecurityFocus