Unpacking .dll file problem, analyze strings.


Hugues01
April 21st, 2013, 09:39
Hello guys. I am a newbie on this forum and just hope to get some assistance from the forum developers about unpacking .DLL files packed by an unknown packer. When I open the .dll file in a hex editor or OllyDbg, all strings show up as broken words, so I cannot recognize any strings. It is really a problem to analyze the DLL.

I hope to analyze the packed .DLL files. I uploaded the file at the link below, but the problem is that it is hard to identify the name of the packing program that packed the DLL.

http://speedy.sh/ccjNs/unpacking.rar

If someone could unpack the DLL files and succeed in unpacking the DLL, I hope they would give this newbie some tips on how to resolve the unpacked .dll file.

regards

Indy
April 21st, 2013, 11:37
HWB on 0x10074B6C and KiFastSystemCall(); or CreateFile("sice.."..

http://anubis.iseclab.org/?action=result&task_id=14dafb30be19ff0a4210e140626146068&format=html
d1.tmp.dll - probably payload.

Many faults. Interesting sample.

Hugues01
April 23rd, 2013, 07:04
Thanks for the reply, but it is hard to check what program packed that .dll; it is still unknown. Is there a better way to find out which packing program packed the DLL files? PEiD 0.95 and RDG Packer Detector v0.6.4 cannot recognize the .dll file. Packing analysis is really hard.

R33N
April 25th, 2013, 19:38
Quote:
[Originally Posted by Hugues01;94579]Hello guys. I am a newbie on this forum and just hope to get some assistance from the forum developers about unpacking .DLL files packed by an unknown packer. When I open the .dll file in a hex editor or OllyDbg, all strings show up as broken words, so I cannot recognize any strings. It is really a problem to analyze the DLL.

I hope to analyze the packed .DLL files. I uploaded the file at the link below, but the problem is that it is hard to identify the name of the packing program that packed the DLL.

http://speedy.sh/ccjNs/unpacking.rar

If someone could unpack the DLL files and succeed in unpacking the DLL, I hope they would give this newbie some tips on how to resolve the unpacked .dll file.

regards


Looks like a Themida-packed executable, if that helps any.

Here is a small string dump section, but I did not go too far on it personally. This was generated with a LordPE dump.

annot write oreans.vxd
Make sure that this file is not being used by another program.
\Oreans.vxd
!This program cannot be run in DOS mode.
Rich
LCOD
XPROTVXD
XPROTVXD
verPP
1vsR2vsR3vsR
XPROTVXD_DDB
ADVAPI32.DLL
OpenSCManagerA
CreateServiceA
StartServiceA
GetNativeSystemInfo
OpenServiceA
DeleteService
CloseServiceHandle
ControlService
oreans32.sys
oreansx64.sys
oreans32
\\.\oreans32
\\.\Global\oreans32
oreansx64
\\.\Global\oreansx64
SYSTEMROOT
%s\system32\drivers\%s
%s\syswow64\drivers\%s
%s\system32\drivers\oreans32.sys
3Cannot Update oreans.sys driver. Please, make sure that you have
administrator's permits the first time that you are going to run this program.
3Cannot open oreans.vxd driver. Make sure that oreans.vxd
is not open by another program.
3SecureEngine driver cannot be updated because there are some programs using
it. You need to close those programs or restart your computer.
Restart now?
\\.\Oreans.vxd
%s\Oreans.vxd
XprotEvent
HARDWARE\ACPI\DSDT\VBOX__
SeShutdownPrivilege
Software\WinLicense
CreateEvent API Error while extraction the driver
GetEnvironmentVariable API Error while extraction the driver
OpenSCManager API Error while extraction the driver
CreateService API Error while extraction the driver
CloseServiceHandle API Error while extraction the driver
OpenService API Error while extraction the driver
StartService API Error while extraction the driver
APIC error: Cannot find Processors Control Blocks. Please,
contact info@oreans.com for this error
Service Pack 3
Software\Wine
timeGetTime
winmm.dll
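Since PEiD and RDG did not recognize the packer but the LordPE dump above is full of Oreans driver names, a quick triage pass over the raw bytes answers the "which packer?" question. The following Python script is an added example, not code from this thread or from any tool mentioned in it: it extracts printable strings the way a `strings` utility would, looks for the Oreans family markers visible in the dump (oreans, WinLicense, SecureEngine, XPROTVXD), flags the environment checks the dump shows (the `VBOX__` ACPI key and `Software\Wine`), and reports Shannon entropy as a second indicator that the code section is compressed or encrypted. The sample bytes are constructed to imitate such a dump and are not the uploaded file; the SoftICE device name `\\.\SICE` is an assumption based on Indy's `CreateFile("sice..")` remark.

```python
import math
import re

# Constructed sample imitating a dump of an Oreans-protected binary (not the real file).
# The bytes(range(256)) filler stands in for packed, high-entropy code.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"!This program cannot be run in DOS mode.\x00"
    + b"\\Oreans.vxd\x00oreans32.sys\x00Software\\WinLicense\x00"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00Software\\Wine\x00"
    + bytes(range(256)) * 4
)

# Case-insensitive markers of the Oreans family (Themida / WinLicense) seen in the thread's dump.
OREANS_MARKERS = [b"oreans", b"winlicense", b"secureengine", b"xprotvxd"]

# Environment / anti-analysis checks: the first two appear in the dump,
# the SoftICE device name is an assumption based on the "sice" CreateFile call mentioned above.
ENV_MARKERS = [b"VBOX__", b"Software\\Wine", b"\\\\.\\SICE"]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like a strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections typically sit above ~7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> dict:
    """Triage a blob: which packer markers are present, which environment checks, how random it is."""
    lowered = data.lower()
    oreans_hits = [m.decode() for m in OREANS_MARKERS if m in lowered]
    env_hits = [m.decode() for m in ENV_MARKERS if m in data]
    return {
        "string_count": len(extract_strings(data)),
        "oreans_markers": oreans_hits,
        "env_checks": env_hits,
        "entropy": round(shannon_entropy(data), 2),
        "likely_oreans": bool(oreans_hits),
    }


if __name__ == "__main__":
    # Usage on a real dump: classify(open("dumped.dll", "rb").read())
    for key, value in classify(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the LordPE dump rather than the packed file on disk: the marker strings only exist in memory after the protector's loader stub has decrypted them, which is also why the static signature scanners in the thread come up empty.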