- Xref: sparky comp.os.msdos.programmer:9104 sci.math.symbolic:2332
- Newsgroups: comp.os.msdos.programmer,sci.math.symbolic
- Path: sparky!uunet!cs.utexas.edu!qt.cs.utexas.edu!yale.edu!ira.uka.de!math.fu-berlin.de!zrz.tu-berlin.de!zappe
- From: zappe@mikro.ee.tu-berlin.de (Harald Zappe)
- Subject: Re: studying executables
- Message-ID: <zappe.715802962@tubue>
- Sender: news@mailgzrz.tu-berlin.de (News Manager)
- Nntp-Posting-Host: mikro.ee.tu-berlin.de
- Organization: ZRZ/TU-Berlin
- References: <ARA.92Sep6131908@camelot.ai.mit.edu>
- Distribution: comp
- Date: Sun, 6 Sep 1992 18:09:22 GMT
- Lines: 30
-
- One big problem in debugging and/or analyzing executables is self-modifying
- code. There are 2 sections where this is done:
-
- 1. viruses: some years ago I studied the 1704-Virus, which used a self-
- encryption algorithm.
- copy protection: ... several encryption & collection techniques ...
-
- 2. exe-file-compressors: BTW this is an encryption too, but with another
- purpose. There seems to be 4 (or more) popular compressors:
-
- LINK/e (or EXEPACK)
- LZEXE (signature LZ91)
- PKLITE (signature PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved)
- ??? (signature jr0)
-
- In all cases you must run a part of the program (or just emulate the decoder)
- to get the rest of the program/data out of the encoded/packed data. Until now
- I always did this with the help of a debugger (and most important: under human
- control).
-
- Harald
-
- #----------------------------------------------------------------------------
-
- zappe@mikro.ee.tu-berlin.de | |
- zappe@sony1.sietec.de |-+-
- zappe@idefix.sietec.de | |/
- /
- /__
-
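The post identifies the popular EXE compressors by the signature strings they leave in the packed file. The following Python script is an added example, not code from Harald Zappe's post: it parses the fixed 28-byte DOS MZ header, locates the load module, and scans the header plus the start of the load module for the signature strings the post lists. The sample executables it builds are constructed for the example (a 32-byte header with a 4-byte tag placed at offset 0x1C, which is an assumption about where such a tag sits, not a claim about any real compressor's layout), and `build_sample_exe`, `parse_mz_header` and `identify_packer` are names chosen here.

```python
"""Static packer-signature check for DOS MZ executables (added example).

Identifies which of the compressors named in the post packed an executable
by scanning the MZ header and the start of the load module for the
signature strings the post quotes.  Everything here is constructed for the
example; it is not the post's own tooling.
"""
import struct
from typing import Optional

# Signature strings quoted in the post (DOS executables use 8-bit text).
SIGNATURES = {
    b"LZ91": "LZEXE",
    b"PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved": "PKLITE",
    b"jr0": "unknown compressor (signature jr0)",
}

MZ_HEADER_FIELDS = [
    "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
    "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno",
]


def parse_mz_header(data: bytes) -> dict:
    """Parse the fixed 28-byte MZ header; raise ValueError if this is not an MZ file."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    hdr = dict(zip(MZ_HEADER_FIELDS, struct.unpack("<14H", data[:28])))
    # The load module (code + data) begins after e_cparhdr paragraphs of header.
    hdr["load_module_offset"] = hdr["e_cparhdr"] * 16
    # Entry point as a file offset: start of load module + CS:IP (CS relative to it).
    hdr["entry_offset"] = hdr["load_module_offset"] + hdr["e_cs"] * 16 + hdr["e_ip"]
    return hdr


def identify_packer(data: bytes, scan_limit: int = 4096) -> Optional[str]:
    """Return the packer whose signature appears in the header or in the first
    scan_limit bytes of the load module, or None when nothing matches.

    This is a static check only: it tells you which decoder stub to expect
    before you step through it under a debugger, as the post describes."""
    hdr = parse_mz_header(data)
    region = data[: hdr["load_module_offset"] + scan_limit]
    for sig, name in SIGNATURES.items():
        if sig in region:
            return name
    return None


def build_sample_exe(header_tag: bytes, payload: bytes) -> bytes:
    """Construct a minimal MZ file for testing (not a real compressor's output):
    a 32-byte header (2 paragraphs) with header_tag at offset 0x1C, then payload."""
    assert len(header_tag) <= 4, "tag must fit in bytes 0x1C..0x1F"
    header_paras = 2
    total = header_paras * 16 + len(payload)
    e_cp = (total + 511) // 512          # number of 512-byte pages (last may be partial)
    e_cblp = total % 512                 # bytes used in the last page
    hdr = struct.pack(
        "<14H",
        0x5A4D,        # e_magic "MZ"
        e_cblp, e_cp,
        0,             # e_crlc: no relocations
        header_paras,  # e_cparhdr
        0, 0xFFFF,     # e_minalloc, e_maxalloc
        0, 0x100,      # e_ss, e_sp
        0,             # e_csum
        0, 0,          # e_ip, e_cs
        0x1C,          # e_lfarlc: relocation table offset (empty table)
        0,             # e_ovno
    )
    return hdr + header_tag.ljust(4, b"\0") + payload


if __name__ == "__main__":
    samples = {
        "lzexe-like": build_sample_exe(b"LZ91", b"\x90" * 64),
        "pklite-like": build_sample_exe(
            b"", b"PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved" + b"\x90" * 16),
        "plain": build_sample_exe(b"", b"\x90" * 32),
    }
    for label, exe in samples.items():
        hdr = parse_mz_header(exe)
        print(f"{label}: load module at {hdr['load_module_offset']}, "
              f"entry at {hdr['entry_offset']}, packer={identify_packer(exe)}")
```

Matching a signature string is only the first step: a packed program still has to be run (or its decoder emulated) to recover the original image, which is why the post insists on doing that under a debugger with a human watching.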