Binary Analysis
PECompact2 Jun 23 2006 06:08PM
als hush com (4 replies)
RE: PECompact2 Jun 25 2006 11:07PM
Earl_Marcus_Tan dell com
Re: PECompact2 Jun 23 2006 11:08PM
derez (derez packetforge net)
Re: PECompact2 Jun 23 2006 10:42PM
Lance James (phishing securescience net)
als (at) hush (dot) com [email concealed] wrote:
> Greetings,
> I recently came across a suspicious binary (.SCR) file in a
> compromised system. As I started to analyse it by running a
> 'strings' against it I noticed there was very little readable text
> in it, but the first line caught my attention: PECompact2.
> I did some research and it seems this indicates the binary is
> somehow compressed/obfuscated by using some sort of PE compression
> tool (probably
There are many ways to unpack and it really depends on the executable.
You're going to want to most likely find where it jumps to the Original
Entry Point (OEP). Then you would establish a breakpoint on that
instruction and dump the memory to file. This is the quick and easiest way.

There is also tools out there like OllyBone (I believe it's released
now) by Joe Stewart.
> Now I would like to unpack the executable to carry on with the
> analysis. From what I could understand this would only be possible
> by running it in a test win32 system, probably using a dissasembly
> tool, since it only "unpacks" itself when being executed. Is that
> correct? Would there be some other way of doing so, perhaps using
> some sort of decompression tool? I was not able to find any so far.
> Thanks for any help.
> regards,
> alex
> Concerned about your privacy? Instantly send FREE secure email, no account required
> Get the best prices on SSL certificates from Hushmail

Lance James
Chief Scientist
Secure Science Corporation
Author of "Phishing Exposed"

[ reply ]
Re: PECompact2 Jun 23 2006 09:59PM
Greg Hunt (gregory hunt gmail com)


Privacy Statement
Copyright 2010, SecurityFocus