
Unpacking NsPack

NsPack is a commercial packer sold by North Star Software. It is quite commonly used to pack malware, usually with cracked and pirated versions of the software. Looking at the entry point of NsPack, we see a jmp instruction followed by pushf and pusha:

[Image: NsPack EntryPoint]

So, once again, let's look for a matching series of popa and popf:

[Image: NsPack Footer]

Set a breakpoint on the jmp instruction, and press F9 to run to it. Single-step through it, and you'll find yourself at the original entry point. Just dump the memory image and you're ready to analyze.
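The same search can be done statically on a dump of the stub before opening a debugger. The following is an added example, not code from the original post: it assumes the popa/popf pair is immediately followed by a near jmp (E9 rel32), and the function names, sample bytes and addresses are constructed for illustration.

```python
import struct

# x86 opcodes: 9C pushfd, 60 pushad, 61 popad, 9D popfd, E9 jmp rel32
SAVE = b"\x9c\x60"             # pushfd; pushad (register save at stub start)
RESTORE_JMP = b"\x61\x9d\xe9"  # popad; popfd; jmp rel32 (restore + tail jump)


def find_tail_jumps(stub: bytes, stub_va: int):
    """Return [(jmp_va, target_va), ...] for restore+jmp sequences after the save."""
    start = stub.find(SAVE)
    if start < 0:
        return []  # no pushfd/pushad pair: not the layout described above
    hits = []
    pos = stub.find(RESTORE_JMP, start + len(SAVE))
    while pos >= 0:
        jmp_off = pos + 2  # offset of the E9 opcode
        if jmp_off + 5 <= len(stub):  # opcode + 4 displacement bytes present
            (rel,) = struct.unpack_from("<i", stub, jmp_off + 1)
            # rel32 is relative to the address of the next instruction
            target = (stub_va + jmp_off + 5 + rel) & 0xFFFFFFFF
            hits.append((stub_va + jmp_off, target))
        pos = stub.find(RESTORE_JMP, pos + 1)
    return hits


def leaves_stub(target_va: int, stub_va: int, stub_len: int) -> bool:
    """Heuristic (an assumption): the hand-off jump lands outside the stub bytes."""
    return not (stub_va <= target_va < stub_va + stub_len)


# Constructed sample, not bytes from a real NsPack file.
SAMPLE_VA = 0x0040D000   # assumed load address of the stub
SAMPLE_OEP = 0x00401000  # assumed original entry point
SAMPLE = (
    b"\xeb\x00"            # jmp short to the next instruction
    + SAVE
    + b"\x90" * 8          # stand-in for the unpacking loop
    + RESTORE_JMP
    + struct.pack("<i", SAMPLE_OEP - (SAMPLE_VA + 19))  # 19 = offset after the jmp
    + b"\x00\x00"
)

if __name__ == "__main__":
    for jmp_va, target in find_tail_jumps(SAMPLE, SAMPLE_VA):
        ok = leaves_stub(target, SAMPLE_VA, len(SAMPLE))
        print(f"breakpoint at {jmp_va:#010x}, jumps to {target:#010x}, leaves stub: {ok}")
```

A raw byte scan can also match data that happens to contain these opcodes, so treat each hit as a breakpoint candidate to confirm in the debugger.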
