[Dshield] Guru Help Please.
brian at dessent.net
Mon Aug 25 01:33:50 GMT 2003
Chris Ream wrote:
> So, I guess I'm not asking how to quarantine it. Just how to un-upx it
> with a bad checksum? If anyone has any ideas on this please let me know.
> I've downloaded the UPX source and have begun studying that to see if it
> is of any assistance but that's not exactly a quick process.
Just load it in a debugger and step through it. The inital
self-unpacking should be apparant because it will be the first thing it
does before anything else, and it will be one or more loops over and
over again. After you've found those loops you can set breakpoints
progressively further and further along in the execution until
eventually you find a breakpoint where the unpacking stops and you have
a meaningful hunk of code decrypted in memory. You can then save that,
analyze it for strings, disassemble it, whatever.
More information about the list