The binary is a Flareon 2015 challenge (#4), was compiled with "/GS" and packed with UPX. The unpacked binary executes fine on windows XP but not on Windows 7. The challenge is quite easy to solve but I'm very curious to understanding why the hell this guy is not executing on Windows 7.

The problem is happening when the function "__init_security_cookie" is called. This function is trying to access the security_cookie somewhere inside the data segment and my guess is that the DS doesn't hold the correct value for the base address of the data segment. When I disassemble the binary it shows a direct reference for the address of __security_cookie, like:

<blah> mov eax, __security_cookie (0x407018)

But when I execute the binary the code changes for:

<blah> mov eax, ds:407018h

and the following exception is raised:

"the instruction <blah> references a memory at 0x407018. The memory could not be read -> 00407018"

The weird thing is that this problem does not happen when I execute the packed binary (on Windows 7 and XP) and when I execute the same binary on Windows XP. My guess is that the PE loader for Windows 7 is modifying something at run time.

Any tip? or suggestions how to understanding this issue?

Thanks,