
Thread: AVPX 3.30 by z0mbie

  1. #1

    AVPX 3.30 by z0mbie

    I don't know if you remember, but Z0mbie had coded a utility (AVPX 3.30) to unpack Kaspersky's .avc files. I had that utility before but I lost it. Since his site is closed, does anyone have that utility? Thanks very much.
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  2. #2
    Not sure if I can post z0mbie's tool here, but you can find it on Archive.org (http://web.archive.org/web/*/http://z0mbie.host.sk )
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Registered User, joined Oct 2003, Bulgaria, 16 posts
    hm..z0mbie. Does anyone know what happened to her? Is she still alive?

  4. #4
    mkfeldman
    Guest
    she?!!!!!!!!!!!!!!!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    @Laptonic: you may check the 29a zine. I think I saw that in one of the ezines.
    http://vx.netlux.org/29a/

  6. #6
    I checked archive.org before. Although I can find the pages, the zip file is missing. I have checked the 29a website and only avpx 1.01 is there.
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  7. #7
    Laptonic?

    Where have you been?

    Nice to see old guys crawling out of the rock again. Back like the old time, eh?

    Have Phun
    Blame Microsoft, get l337 !!

  8. #8
    Thanks everyone. I have found the file thanks to one of the users of this board.
    @Aimless: I lost track of RCE after asprotect 1.3x and armadillo. However, I read this board almost every day to learn new things from great masters. Regards.
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  9. #9
    arzon
    Guest
    I'm also interested in obtaining a copy of AVPX 3.30; it seems that the one floating on the net is the old version. Can someone please send me a copy?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Check links and attachments in these threads:
    http://www.wasm.ru/forum/viewtopic.php?id=11448
    http://www.cracklab.ru/f/index.php?action=vthread&forum=1&topic=5648

  11. #11
    arzon
    Guest
    Having problems registering at cracklab.ru, babelfish is intelligible, how did you register?

    Edit: Never mind, got the english at the navbar. =)
    Last edited by arzon; April 25th, 2007 at 15:29.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12

    avc unpacker

    A long time ago I was interested in virii stuff; here are two small utilities for unpacking AVP & NOD32 data files, which I had coded in those days..
    Attached Files

  13. #13
    arzon
    Guest
    Thanks for the files.

    For NOD32, what format is the extracted pattern file in (modulennn.dat)?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    4 arzon;

    Just like .AVC files, every NOD32 data file has a few modules encrypted/packed inside. Every module comes with a header which contains some info about the module itself; when you unpack a NOD32 data file, you will see these headers as ModuleHeaderxxx.dat files. The structure is as follows:

    DataBlockStruc struc
        ID        dd ?   ; NULL, UNPC, UNPR, STRS, SCNS, RELO
        DataOffs  dd ?   ; data address
        CRC       dd ?   ; check sum
        DataSize  dd ?   ; compressed data size
        RealSize  dd ?   ; real data size
        unk1      dd ?   ;
        unk2      dd ?   ;
        Packed    db ?   ; is-packed flag
        kunk3     dd ?   ;
    DataBlockStruc ends


    The first field (ID) says what type of data is stored in the corresponding module; here is the interpretation:

    "STRS" -> module contains virus signatures & names.
    "SCNS" -> executable code.
    "RELO" -> relocation table for the executable code.
    "NULL" -> guess what?

    When the module ID is SCNS, you can load it into IDA for disassembling. The executable header is stripped off, so IDA will load it as a binary file.

    As the last point, if you have decided to dig into the heart of NOD32, then unpack <NOD32.000> and analyze its executable module in IDA; you will find the main scan_engine+code_emulation_engine+etc there.
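    An added example, not the poster's tool and not z0mbie's code: a small Python parser for the module header layout given in the post above, with the sanity checks an analyst would want before trusting a header read out of a dumped ModuleHeaderxxx.dat. It assumes the MASM struct is laid out little-endian with no padding (33 bytes) and that the ID tag sits in the file as its four ASCII bytes in order; both are assumptions, as are the sample header bytes, which are constructed here rather than taken from a real data file.

```python
"""Parse the NOD32 module header (DataBlockStruc) described in the post.

Added example, not z0mbie's or the poster's utility. Layout assumptions:
little-endian, unpadded (33 bytes), ID tag stored as four ASCII bytes
in file order. Sample headers below are constructed, not dumped.
"""
import struct
from dataclasses import dataclass
from typing import List

# Seven dwords, one byte, one dword, exactly in the order of the struct.
# "<" means little-endian with no alignment padding (assumed).
HEADER_FMT = "<4sIIIIIIBI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 33

# Tag meanings as given in the post; UNPC/UNPR are only listed in the
# struct comment there, so they stay "unknown" here.
ID_MEANING = {
    b"STRS": "virus signatures and names",
    b"SCNS": "executable scan code (raw, no PE header)",
    b"RELO": "relocation table for the SCNS code",
    b"NULL": "empty / placeholder",
    b"UNPC": "unknown (listed in the struct comment only)",
    b"UNPR": "unknown (listed in the struct comment only)",
}


@dataclass
class ModuleHeader:
    id: bytes
    data_offs: int
    crc: int
    data_size: int   # compressed size
    real_size: int   # unpacked size
    unk1: int
    unk2: int
    packed: int      # raw flag byte, kept as-is so odd values can be flagged
    unk3: int        # "kunk3" in the post

    @property
    def meaning(self) -> str:
        return ID_MEANING.get(self.id, "unrecognised tag")


def parse_header(blob: bytes, offset: int = 0) -> ModuleHeader:
    """Unpack one header from blob at offset; raises on a short buffer."""
    if len(blob) - offset < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} bytes, have {len(blob) - offset}")
    return ModuleHeader(*struct.unpack_from(HEADER_FMT, blob, offset))


def sanity_check(hdr: ModuleHeader) -> List[str]:
    """Return a list of reasons not to trust this header (empty if it looks sane)."""
    problems = []
    if hdr.id not in ID_MEANING:
        problems.append(f"unknown ID tag {hdr.id!r}")
    if hdr.packed not in (0, 1):
        problems.append(f"Packed flag is {hdr.packed}, expected 0 or 1")
    if hdr.packed == 1 and hdr.data_size > hdr.real_size:
        problems.append("packed module is larger than its unpacked size")
    if hdr.packed == 0 and hdr.data_size != hdr.real_size:
        problems.append("unpacked module but DataSize != RealSize")
    return problems


def build_header(tag: bytes, data_offs: int, crc: int, data_size: int,
                 real_size: int, packed: int) -> bytes:
    """Serialise a header (unknown fields zeroed); used to construct samples."""
    return struct.pack(HEADER_FMT, tag, data_offs, crc, data_size, real_size,
                       0, 0, packed, 0)


def describe(hdr: ModuleHeader) -> str:
    state = "packed" if hdr.packed == 1 else "stored"
    return (f"{hdr.id.decode('ascii', 'replace')}: {hdr.meaning}; "
            f"{hdr.data_size} -> {hdr.real_size} bytes ({state}) "
            f"at 0x{hdr.data_offs:08X}, CRC 0x{hdr.crc:08X}")


# Constructed sample: a packed SCNS module, not from a real NOD32 file.
SAMPLE_SCNS = build_header(b"SCNS", 0x1000, 0xDEADBEEF, 0x200, 0x800, 1)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_SCNS)
    print(describe(hdr))
    for p in sanity_check(hdr):
        print("  warning:", p)
```

    Point `parse_header` at the bytes of a dumped ModuleHeaderxxx.dat and `describe` tells you which module you are looking at; an SCNS module that passes `sanity_check` is the one to load into IDA as a raw binary, as the post says.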

  15. #15
    For example, if I am interested in how KAV cleans one virus, what should be the strategy? I guess in the signature file there is also information on how to clean.
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein
