
Thread: lil malware unpacking contest here!

  1. #1 evaluator (Musician member, joined Sep 2001)

    I found this interesting EXE from some downloader.
    First step is UPX -d;
    it just crashes at start on XP.. looks like a damaged infection??
    Ooo, but try to find the correct way to execute & unpack THIS!


    In the rar is my unpack.. passworded..
    Attached Files

  2. #2
    I have that variant as well in my older system, have fun!
    esther


    Reverse the code, Reverse Your Minds First

  3. #3 evaluator
    You mean: clean EXE?
    Sad::

    Upload it.. I will look

  4. #4
    No, I didn't unpack it, it's in my trash bin :P. I might take a look at what you upload here if I have time
    esther


    Reverse the code, Reverse Your Minds First

  5. #5
    Hey evaluator,

    Nothing wrong with the malware, it crashes WinXP and reboots in VMware when executing the malware, telling you hardware error, even if it's not unpacked using upx -d
    esther


    Reverse the code, Reverse Your Minds First

  6. #6 Kayaker (Teach, Not Flame, joined Oct 2000)
    Shazbot! That's impressive code.

    A lot of tracing through obfuscated code, but interesting nonetheless. PEB_LDR_DATA.InInitializationOrderModuleList is used to find BaseAddress of kernel32, etc.

    Watch out for the several RDTSC checks near the end once the real PE comes to light (modify EAX after each pair of rdtsc calls to < 100000 (but not 0!) and you're safe tracing till the next pair).

    I was about to make a dump, somewhere in the final steps after the code returns to the 400000 range in the "real" PE, and damned if I didn't get careless and get caught in an SEH trap! Oh well, if I've got a few more hours to spare I'll make a real dump; if not, I've seen what it does and am somewhat satisfied for now.

    One interesting tidbit - the original code requires that the file was executed through kernel32!BaseProcessStart, that stack return value is used in the code, else it hits that ExitThread call you see in the disassembly. So if you happen to use a loader that doesn't directly execute the PE through the normal BaseProcessStart loading sequence, then the code will fail from the start. I got caught in that bugaboo for quite a while since I use a custom Softice loader. Straight Olly should be OK.

  7. #7
    upx -d doesn't always work too well. I encountered an exe that had a TLS callback which checked for the UPX and adjusted the jmp <true entrypoint> part of the code, and another patched the entrypoint address in the PE header before UPX kicked in.. The TLS callback code had a simple check for 0xCC at the initial entrypoint (which is what Olly does when you load the exe), and a mini debug check too: debugger detected -> adjust the entrypoint to an invalid address / some other code that behaved 'differently', otherwise continue as normal.. Relatively simple, but very easy to overlook.
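The two things evlncrn8 says that TLS callback looked at can be checked statically before the sample is ever run: does the PE carry a TLS directory with callbacks at all (code the loader runs before the entry point, and what evaluator means later by "TLS are not here"), and what byte sits at the entry point. The script below is an added example by the editor, not code from this thread or from any poster; the PE it parses is constructed inline for the demo, and the only layout knowledge it relies on is the standard PE32/PE32+ header format. One caveat the post implies: on disk the entry byte is whatever the packer left there; the 0xCC that Olly plants exists only in the debugged process, so the INT3 finding is what you get when you run this over a process dump (or what the callback sees at runtime), not over the original file.

```python
import struct

TLS_DIR_INDEX = 9   # IMAGE_DIRECTORY_ENTRY_TLS in the optional header's DataDirectory
INT3 = 0xCC         # software breakpoint byte a debugger such as OllyDbg plants at the EP


def _rva_to_offset(data, nt, rva):
    """Map an RVA to a file offset through the section table; None if no section maps it."""
    nsec, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 20)
    first = nt + 24 + opt_size                         # signature + IMAGE_FILE_HEADER + optional header
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, first + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    return None


def parse_pe(data):
    """Return entry-point details and the TLS callback VAs of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt, = struct.unpack_from("<I", data, 0x3C)
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = nt + 24
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                 # PE32: 4-byte ImageBase, DataDirectory at +96
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs, ptr = opt + 96, "<I"
    elif magic == 0x20B:                               # PE32+: 8-byte ImageBase, DataDirectory at +112
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs, ptr = opt + 112, "<Q"
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    psize = struct.calcsize(ptr)

    callbacks = []
    ndirs, = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes sits just before the table
    tls_rva = struct.unpack_from("<I", data, dirs + 8 * TLS_DIR_INDEX)[0] if ndirs > TLS_DIR_INDEX else 0
    tls_off = _rva_to_offset(data, nt, tls_rva) if tls_rva else None
    if tls_off is not None:
        # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
        # AddressOfCallBacks; all pointer-sized VAs, so rebase before mapping through sections
        cb_va, = struct.unpack_from(ptr, data, tls_off + 3 * psize)
        cb_off = _rva_to_offset(data, nt, cb_va - image_base)
        while cb_off is not None:                      # NULL-terminated array of callback VAs
            va, = struct.unpack_from(ptr, data, cb_off)
            if va == 0:
                break
            callbacks.append(va)
            cb_off += psize

    ep_off = _rva_to_offset(data, nt, entry_rva)
    ep_byte = data[ep_off] if ep_off is not None else None
    return {"entry_va": image_base + entry_rva, "entry_byte": ep_byte,
            "entry_is_int3": ep_byte == INT3, "tls_callbacks": callbacks}


def triage(data):
    """Findings in the order the loader hits them: TLS callbacks run before the entry point."""
    info, out = parse_pe(data), []
    for va in info["tls_callbacks"]:
        out.append("TLS callback at %#x runs before the EP; check it for EP patching and debugger checks" % va)
    if info["entry_is_int3"]:
        out.append("entry point %#x begins with 0xCC (INT3): a breakpoint is planted there" % info["entry_va"])
    return out


def build_sample_pe(with_tls=True, int3_at_ep=False):
    """Constructed PE32 for the demo (not a real sample): one .text section at RVA 0x1000."""
    image_base, sec_va, sec_raw = 0x400000, 0x1000, 0x200
    ep_rva, tls_rva, cbarr_rva, cb_rva = 0x1000, 0x1040, 0x1060, 0x1080
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew -> NT headers at 0x40
    nt = 0x40
    hdr[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = nt + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", hdr, opt + 16, ep_rva, sec_va, 0, image_base, 0x1000, 0x200)
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", hdr, opt + 96 + 8 * TLS_DIR_INDEX, tls_rva, 24)
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, sec_va, 0x200, sec_raw)   # VSize, VA, RawSize, RawPtr
    body = bytearray(0x200)
    body[ep_rva - sec_va] = INT3 if int3_at_ep else 0xC3         # INT3 or RET at the entry point
    if with_tls:
        struct.pack_into("<IIIIII", body, tls_rva - sec_va, 0, 0, 0, image_base + cbarr_rva, 0, 0)
        struct.pack_into("<II", body, cbarr_rva - sec_va, image_base + cb_rva, 0)   # one callback, NULL end
        body[cb_rva - sec_va] = 0xC3                             # callback body: RET
    return bytes(hdr + body)
```

The walk follows the loader's own order: AddressOfCallBacks in IMAGE_TLS_DIRECTORY is a VA, so it is rebased with ImageBase and mapped back through the section table, and the array is NULL-terminated. A non-empty callback list is the cue to put the first breakpoint on each callback rather than on the EP, since a callback that finds 0xCC at the EP can redirect it before the debugger ever breaks.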

  8. #8 evaluator
    Thanks evlncrn8 for the info!
    But.. TLS is not here.


    The crash happens because in the SEH handler the code expects some valid addr in EAX,
    while on XP EAX=0 here.
    It looks like the malware was written for Vista. (code=6 in GetVersionEx)
    Codepage=419h was amazing..

    NOD32 reports tfile.exe as - Win32/TrojanDownloader.Small.NZM trojan
    Last edited by evaluator; November 29th, 2008 at 09:01.

  9. #9 Kayaker
    A little further information on the BaseProcessStart effect I mentioned above:

    http://www.woodmann.com/forum/showthread.php?t=12213

  10. #10 evaluator
    I read that; do you mean the crash cannot happen??

    Btw, upload your unpacked target & then we can continue to step 2: reconstructing main code from mangled ImpCalls

  11. #11 Registered User (joined Dec 2005)
    Just a quick question from an ignorant fellow:
    When you guys go about unpacking malware, do you do it in VMware? Or do you ghost your hard drive, run the malware not caring if you get infected, and then analyze it?

  12. #12
    I suppose 95% of the ppl from RE use VMware. It has functions so you can clone or snapshot your work and easily restore the "original" OS, and it's time saving compared to reinstalling your OS; it's much more convenient than using another system to have fun with it.
    Just my 2 cents
    esther


    Reverse the code, Reverse Your Minds First

  13. #13 evaluator
    But on the other hand, there are tricks for VMachine detection, so the world is not so easy.

  14. #14 Super Moderator (joined Dec 2004)
    FuNdastiec Kompet1t10n i Was Sayed N0w griEt Eval

  15. #15 evaluator
    I don't understand about "poison", but you failed at tfile unpacking!
    You should continue unpacking after de-UPXing.. ok!? That is the contest's 1st step. (only unpack)
