Alex,

> > Now I would like to unpack the executable to carry on with the
> > analysis. From what I could understand this would only be possible
> > by running it in a test win32 system, probably using a disassembly
> > tool, since it only "unpacks" itself when being executed. Is that
> > correct? Would there be some other way of doing so, perhaps using
> > some sort of decompression tool? I was not able to find any so far.

you could use PEiD (http://peid.has.it/) to tell you exactly which
compression tool was used, then find the corresponding
decompression tool at http://www.exetools.com/unpackers.htm, then
run "strings" and other tools on the decompressed file again.

Chapter 15 of "Real Digital Forensics" contains a really
nice description of how to analyze unknown files. And no,
I'm not affiliated with the authors...   :-)

Cheers,

        Stefan.

--------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
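As an added example (not from Stefan's reply, and not PEiD's own code): a small Python triage script that does a rough version of the first step above, naming the packer from tell-tale section names and flagging high-entropy sections as evidence that the file is packed, so you know which unpacker to go looking for. The section-name table and the minimal sample PE are constructed for the demo; PEiD itself matches byte signatures, which is far more reliable than section names.

```python
from collections import Counter
import math
import struct

# Constructed lookup of section names that common packers leave behind (rough stand-in for a signature database).
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX",
                        b".aspack": "ASPack", b".petite": "Petite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain x86 code usually sits around 5-6.5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if data else 0.0

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section, parsing the PE headers by hand."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packer_triage(pe: bytes, threshold: float = 7.0) -> dict:
    """Name the packer if a tell-tale section exists; list sections whose entropy looks compressed."""
    result = {"packer": None, "suspicious_sections": []}
    for name, data in pe_sections(pe):
        if name in PACKER_SECTION_NAMES:
            result["packer"] = PACKER_SECTION_NAMES[name]
        if shannon_entropy(data) >= threshold:
            result["suspicious_sections"].append(name.decode(errors="replace"))
    return result

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (just enough header for pe_sections) so the demo runs offline."""
    opt_size = 224
    raw_ptr = 0x40 + 24 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr) + b"\0" * 16
        raw_ptr += len(data)
        body += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return dos + coff + b"\0" * opt_size + table + body
```

On a real sample, read the file into `pe` and call `packer_triage(pe)`; a named packer plus a near-8.0 section is the cue to fetch that packer's unpacker before running "strings" again.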
