Malware analysis examples @ Websense


Kayaker
March 17th, 2008, 10:22
A couple of recent malware analysis articles of general interest..

Packer Detection and Generic Unpacking Techniques
http://www.websense.com/securitylabs/blog/blog.php?BlogID=176


Unscrambling Custom obfuscation and Executable "infection"
http://www.websense.com/securitylabs/blog/blog.php?BlogID=178

GEEK
March 19th, 2008, 12:27
Dunno about the second one, but the first one has got nothing special at all.

Kayaker
March 19th, 2008, 13:55
I knew someone would say that..

I understand what you're saying, BUT..

To anyone who knows about the Olly "ESP trick" for breaking on the OEP of some packed executables and has done it all before yadayada.. yes, you're right.

But, For those who are unsure of what "ESP trick" or even "OEP" stands for.. then no, it's a very nice example that is now referenced in our forum and indexed in the Search function under the general keywords "Packer Detection" and "Generic Unpacking Techniques". That does make it special then for all the new seekers to come by this way in the future, which is after all part of our purpose here..


Nico
March 19th, 2008, 19:05
Thanks Kayaker for the publicity

I wrote the second blog, but a colleague of mine, wrote the first one.
The guy is well aware that this trick is known to any average reverser, but that's not the point of the blog post, as Kayaker said.

Besides, a blog post isn't a technical paper, it's just something for people to read and enjoy (or not).

GEEK
March 20th, 2008, 14:01
Quote:
I understand what you're saying, BUT..


I'm glad you understand, and I guess I was a bit misunderstood. I said it had nothing special, but I didn't mean it shouldn't be here.
It's just that the title [Packer Detection and Generic Unpacking Techniques] was a bit misleading for me, and I thought it had more than the ESP trick.

I understand that I didn't think from the newbie's perspective, which is wrong, and an example of what you are talking about can be seen here:
http://forums.accessroot.com/?s=&showtopic=6681&view=findpost&p=44963

BTW, after these posts it would definitely turn up in the search engine under the keywords "Packer Detection", "Generic Unpacking Techniques", "OEP packed" and "ESP trick".

Nice work Nico, I'm sure people will find it helpful.

joren
March 24th, 2008, 18:44
Quote:
[Originally Posted by GEEK;73483] I'm glad you understand, and I guess I was a bit misunderstood. I said it had nothing special, but I didn't mean it shouldn't be here.
It's just that the title [Packer Detection and Generic Unpacking Techniques] was a bit misleading for me, and I thought it had more than the ESP trick.


Hi GEEK,

I actually find the title a bit misleading too, my fault. You're correct in that the main goal was to have folks understand what they are doing instead of falling into a pattern: what specific registers are generally used for, the purposes of the different breakpoints, etc.

Thanks for the feedback GEEK/Kayaker

- Joren

Kayaker
March 24th, 2008, 21:48
Welcome Joren,

How about we say that that was the first of a series of blog posts by you under that general heading? Since we all like to read that kind of stuff, everybody will be happy.

The contributions are always appreciated, keep up the good work.

Regards,
Kayaker

GEEK
March 27th, 2008, 05:29
Hi Joren,

Nice work on the tutorial, mate.
I'm glad my post was not taken out of context.
Kayaker is right, we would all like to see more articles from you.


GEEK

personmans
April 18th, 2008, 02:01
Thanks Nico and joren. Nice articles, they made for a good bedtime story (not saying they were boring, I was just on my way to sleep and saw this thread). Now to the off-topic part, my company used to use websense hardware filters to control user traffic. I guess we switched because it was cheaper, but just funny to me that I saw their name here.

Also:
Quote:

BTW, after these posts it would definitely turn up in the search engine under the keywords "Packer Detection", "Generic Unpacking Techniques", "OEP packed" and "ESP trick".