Now contest is over, I can explain. When you check tcp follow stream option in wireshark, you can see there are few bytes before MZ starts and also at the end there are few extra bytes.
I think foremost check header bytes MZ only to extract exe file.
I think there are 2 ways you can use, manually if you want to carve then you can calculate length of PE file based on PE file structure and second can be run some tool which can create fake client/server request/response that way you can actually download exact pe file.

G

Gave that a shot and still no go. Could be a cross-platform issue, or god knows what. I’m just glad to be on the lookout for it from now on

I’ll dig into it some more when I have time, but thank you all for your suggestions.

Dave

If you export chunked data from wireshark to unchunk later with another tool, try to export as ASCII and not as raw content.

This is peculiar to say the least, as the the header and footer of the exe are identical with the corrupted and correct versions. Guess the foremost just fell down in this instance.

Thanks for the replies. Now that the contest is over, I can say that I extracted with both foremost and manually. A hexdump shows UPX packing with version 3.0.1. I’ll take a look at the solution once posted and retrace my steps. Thanks again.

I had no problems unpacking it.

I’d look at how you’re extracting it from the pcap file, if you’re positive that you are extracting it correctly then you are probably using the wrong unpacker or a 3rd party unpacker.