On Friday 23 June 2006 21:05, [EMAIL PROTECTED] wrote:
> Greetings,
>
> I recently came across a suspicious binary (.SCR) file in a
> compromised system. As I started to analyse it by running a
> 'strings' against it I noticed there was very little readable text
> in it, but the first line caught my attention: PECompact2.
>
> I did some research and it seems this indicates the binary is
> somehow compressed/obfuscated by using some sort of PE compression
> tool (probably http://www.bitsum.com/pec2.asp).
>
> Now I would like to unpack the executable to carry on with the
> analysis. From what I could understand this would only be possible
> by running it in a test win32 system, probably using a disassembly
> tool, since it only "unpacks" itself when being executed. Is that
> correct? Would there be some other way of doing so, perhaps using
> some sort of decompression tool? I was not able to find any so far.
>
You can use PEiD and its generic unpacker. Also you can search on the net for a PECompact2 unpacking tool.

But, please don't do this on your machine :) (at least don't unpack it with PEiD on your real system), use VMWare/VirtualPC/smth else...

Regards,
--
Andrei Saygo
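As an added example, not part of either message in this thread: before running anything in a throwaway VM, the static signals the thread mentions can be checked offline. The script below parses the PE headers itself, looks for the "PECompact2" marker string the original poster saw in `strings` output, and applies two generic packer heuristics (entry point outside the first section, and sections whose Shannon entropy is close to 8 bits per byte, as compressed data tends to be). The PE image it analyses is constructed in `build_sample_pe`; the section names, the position of the marker string inside the DOS stub, and the 7.0 entropy threshold are all assumptions made for this example, not facts about PECompact.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed/encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, raw_off, raw_size)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, roff, rsize))
    return entry_rva, sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Static triage: marker string, entry-point section, high-entropy sections."""
    entry_rva, sections = parse_sections(pe)
    entry_section = None
    for name, vaddr, vsize, roff, rsize in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_section = name
    high = [name for name, _, _, roff, rsize in sections
            if shannon_entropy(pe[roff:roff + rsize]) > entropy_threshold]
    marker = b"PECompact2" in pe
    entry_odd = bool(sections) and entry_section != sections[0][0]
    return {
        "marker_string": marker,
        "entry_section": entry_section,
        "entry_not_in_first_section": entry_odd,
        "high_entropy_sections": high,
        "likely_packed": marker or (bool(high) and entry_odd),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image with two sections (.text, .data); not a real file."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE header follows the stub
    if packed:
        dos[0x40:0x40 + 10] = b"PECompact2"  # marker placement is an assumption
    entry_rva = 0x2010 if packed else 0x1000  # packed stub starts in second section
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint

    def section_header(name, vaddr, vsize, roff, rsize):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, roff) + bytes(16)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section_header(b".text", 0x1000, 0x1000, 0x200, 0x200)
               + section_header(b".data", 0x2000, 0x1000, 0x400, 0x1000))
    text_data = (b"\x90" * 16 + b"\xc3").ljust(0x200, b"\0")  # low-entropy code stub
    data = pseudo_random_bytes(0x1000) if packed else bytes(0x1000)
    return headers.ljust(0x200, b"\0") + text_data + data


if __name__ == "__main__":
    for label, sample in (("packed", build_sample_pe(True)), ("plain", build_sample_pe(False))):
        print(label, packer_indicators(sample))
```

None of these signals is conclusive on its own (legitimate binaries ship compressed resources, and packers can pad sections to lower entropy), which is why the reply's advice to finish the analysis in a disposable VM still stands; the value of the static pass is deciding what to expect before the file ever executes.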