MW-Blog

NsPack is a commercial packer sold by North Star Software. NsPack is quite a common packer used in malware, with the packing usually done with cracked and pirated versions of the software. When taking a look at the entrypoint of NsPack we see a jmp command followed with pushf and pusha:

So, once again let’s look for matching series of popa and popf:

Set a breakpoint on the jmp command, and press F9 to run to the target. Singlestep through it, and you’ll find yourself at the original entrypoint. Just dump the memory image and you’re ready to analyze.

This entry was posted on Sunday, March 25th, 2007 at 8:29 am and is filed under Packer-Magic. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.