Tuesday, 31 August 2010

GREM Paper

My GREM paper is finally published on the SANS reading room.

This document provides instructions on how to unpack NsPack 3.4 and 3.7 using the OllyDbg debugger. The OllyScripts used in this process are included in the appendices, and the custom plug-ins that automate the procedure are provided with their source code. The paper also includes instructions on how to fully restore the import table so that the unpacked file matches its original state and executes correctly. It then continues with instructions on how to convert the machine code (assembly language) into a higher-level language (in this paper, C) so that an analyst can better understand the workings and purpose of the packer.

See:
http://www.sans.org/reading_room/whitepapers/malicious/packer-analysis-report-debugging-unpacking-nspack-34-37-packer_33428
