« previous next »
Pages: [1]   Go Down

Author Topic: binary header M8Z ???  (Read 4967 times)

0 Members and 1 Guest are viewing this topic.

February 17, 2010, 04:24:28 pm
Read 4967 times

cleanmx

  • Special Members
  • Hero Member
  • Offline
  • *
  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
binary header M8Z ???
never seen before...

sample:
Code: [Select]
http://didbotta6.unipv.it/dokeos/main/inc/lib/formvalidator/Element/ssh_history
Logged
February 18, 2010, 02:43:05 pm
Reply #1

parody

  • Private Forum
  • Jr. Member
  • Offline
  • *
  • 27
Re: binary header M8Z ???
I'm guessing it's a proper binary encoded. I've been finding shellcode that decodes the binary AFTER it has been downloaded by the shellcode. If you can find the exploit that links to it, load the shellcode into ollydbg and follow it and you'll see the normal download code plus a routine that decodes the binary. Normally the shellcode is a simple conditional XOR, this looks like something more maybe. If I find anything I'll post more detail.
Logged
February 18, 2010, 03:12:39 pm
Reply #2

t4L

  • Newbie
  • Offline
  • *
  • 3
Re: binary header M8Z ???
The binary is simply compressed with regular compression algo which frequently used in PE packers (don't remember its name, maybe LZMA)
Logged
Pages: [1]   Go Up
« previous next »