Author Topic: binary header M8Z ???  (Read 3315 times)


February 17, 2010, 04:24:28 pm

cleanmx

  • Special Members
  • Hero Member


  • 3405
    • Spam filter, anti-spam, virus protection - CLEAN MX Managed Anti-Spam Service is the solution for your spam problem
never seen before...

sample:
Code:
http://didbotta6.unipv.it/dokeos/main/inc/lib/formvalidator/Element/ssh_history

February 18, 2010, 02:43:05 pm
Reply #1

parody

  • Private Forum
  • Jr. Member


  • 27
I'm guessing it's a proper binary, encoded. I've been finding shellcode that decodes the binary AFTER it has been downloaded by the shellcode. If you can find the exploit that links to it, load the shellcode into OllyDbg and follow it, and you'll see the normal download code plus a routine that decodes the binary. Normally the shellcode is a simple conditional XOR; this looks like something more, maybe. If I find anything I'll post more detail.

February 18, 2010, 03:12:39 pm
Reply #2

t4L

  • Newbie


  • 3
The binary is simply compressed with a regular compression algorithm which is frequently used in PE packers (I don't remember its name, maybe LZMA).
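The two replies give two different hypotheses for a download that does not start with MZ: a simple single-byte XOR decoder in the shellcode (parody), or a packer-style compression layer (t4L). The script below is an added example, not code posted by anyone in the thread, that applies both checks to an unknown blob: it tests for a plain MZ/PE header, brute-forces all 256 single-byte XOR keys looking for one that yields a valid PE header, and measures byte entropy, since a compressed body stays high-entropy and no XOR key will turn it into a PE. The sample inputs are constructed here (a minimal PE stub and a hypothetical "M8Z" blob with random-looking filler); the real ssh_history file from the first post is not included, and the PE check assumes the conventional layout with e_lfanew at offset 0x3C.

```python
import hashlib
import math
import struct


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for mostly-zero headers, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_single(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key, the simplest decoder routine seen in download-and-execute shellcode."""
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes):
    """Brute-force the 256 possible single-byte keys; return the one that yields a valid PE header, else None."""
    for key in range(256):
        if looks_like_pe(xor_single(data, key)):
            return key
    return None


def triage(data: bytes) -> dict:
    """Summarise an unknown download: magic bytes, whether it is a PE as-is or after XOR, and its entropy."""
    return {
        "magic": data[:3].decode("latin-1"),
        "is_pe": looks_like_pe(data),
        "xor_key": find_xor_key(data),
        "entropy": round(entropy(data), 2),
    }


# --- constructed sample inputs (not the real sample from the thread) ---

def build_minimal_pe() -> bytes:
    """A 0x44-byte stub with just an MZ header, e_lfanew = 0x40 and a PE signature; enough for looks_like_pe()."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def build_fake_m8z_blob() -> bytes:
    """A hypothetical 'M8Z'-tagged blob followed by high-entropy filler standing in for a compressed body."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return b"M8Z" + body


if __name__ == "__main__":
    pe = build_minimal_pe()
    print("plain PE    :", triage(pe))
    print("XOR 0x5A PE :", triage(xor_single(pe, 0x5A)))
    print("M8Z blob    :", triage(build_fake_m8z_blob()))
```

Reading the output: a recovered XOR key means the download is just a disguised PE and the decoder in the shellcode is trivial; a high-entropy body with no key found points at a compression or encryption layer, and the next step is the one parody describes, following the shellcode's decode routine in a debugger to see which algorithm it implements.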