Very suspicious packed file


LLXX
August 22nd, 2007, 17:53
This is a packed EXE and DLL, and while the antivirus multiscanner doesn't detect anything, I wouldn't trust it.

Note: Trace this in a hex editor or other static environment. If you really want to use OllyDbg/SoftICE/etc... you have been warned.

My trace follows in the next post.

pass:mulware
SUSPICIOUS MALWARE

LLXX
August 22nd, 2007, 18:26
Code:
00430000: 6801904A00 push 004A9001
00430005: E801000000 call 0043000B
0043000A: C3 retn
0043000B: C3 retn
...
004A9001: 60 pushad
004A9002: E803000000 call 004A900A
--> skip a byte 0E9
004A9008: EB04 jmps 004A900E

004A900A: 5D pop ebp
004A900B: 45 inc ebp
004A900C: 55 push ebp
004A900D: C3 retn

004A900E: E801000000 call 004A9014

004A9014: 5D pop ebp ; ebp = 0004a9013
004A9015: BBEDFFFFFF mov ebx,0FFFFFFED
004A901A: 03DD add ebx,ebp ; ebx = 004a9000
004A901C: 81EB00900A00 sub ebx,000A9000 ; ebx = 00400000
004A9022: 807D4D01 cmp b,[ebp][004D],001 ; [004a9060] = 00
004A9026: 750C jne 004A9034

004A9034: 8D4553 lea eax,[ebp][0053] ; eax = 004a9066
004A9037: 50 push eax ; stack: 004a9066
004A9038: 53 push ebx ; stack: 004a9066 00400000
004A9039: FFB5E50B0000 push d,[ebp][00000BE5] ; stack: 004a9066 00400000 004a9bf8
004A903F: 8D4535 lea eax,[ebp][0035]
004A9042: 50 push eax ; stack: 004a9066 00400000 004a9bf8 004a9048
004A9043: E982000000 jmp 004A90CA

004A90CA: 6681EAE342 sub dx,42E3 ; useless
004A90CF: E805000000 call 004A90D9
[5 junk bytes omitted]
004A90D9: 81E23722D036 and edx,36D02237 ; useless
004A90DF: 5B pop ebx ; ebx = 004a90d4
004A90E0: 0FB7F7 movzx esi,di ; useless
004A90E3: 81C3AE0A0000 add ebx,00000AAE ; ebx = 004a9b82
004A90E9: E90A000000 jmp 004A90F8

004A90F8: B979020000 mov ecx,00000279 ; 633
[...]
; start of first decryption loop (633 dords = 2532 bytes) downwards, beginning at 004a9b82 downto 004a919e
004A9102: FF33 push d,[ebx] ; [004a9b82] = D8F8BCED
[...]
004A910D: 58 pop eax ; eax = d8f8bced
[...]
004A9114: 81E84FCFC376 sub eax,76C3CF4F ; eax = 6234ed9e
[...]
004A9120: 81F0DC86A320 xor eax,20A386DC ; eax = 42976b42
004A9126: E905000000 jmp 004A9130

004A9130: 81E8E5A3DF62 sub eax,62DFA3E5 ; eax = DFB7C75D
[...]
004A9138: 50 push eax ; stack+: dfb7c75d
[...]
***WRITE TO MEMORY
004A913C: 8F03 pop d,[ebx] ; [004a9b82] = dfb7c75d
[...]
004A9141: 81EB0B114056 sub ebx,5640110B
[...]
004A914B: 81C307114056 add ebx,56401107 ; net result: ebx -= 4;
[...]
004A9157: 49 dec ecx
004A9158: 0F851E000000 jne 004A917C
004A915E: E905000000 jmp 004A9168

004A9168: E935000000 jmp 004A91A2

004A917C: E90D000000 jmp 004A918E

004A918E: E96FFFFFFF jmp 004A9102

004A91A2: (inside first encrypted area)
First decryption loop: sub,xor,sub dordwise.

blabberer
August 23rd, 2007, 13:13
has that thont.dll got a manifest file or some other crap associated with it?

i get an error
and googling like this
Results 1 - 2 of 2 for failed to probe manifest file c0150002. (0.26 seconds)
yields this page

http://www.groupsrv.com/dotnet/post-418179.html

quetzalcoatl
August 23rd, 2007, 15:12
hey there. aren't that thont.dll and xfs.exe just an un/repacker tool? please see http://forum.ragezone.com/f173/unpacking-repack-xfs2-gbwc-211035/ ("http://forum.ragezone.com/f173/unpacking-repack-xfs2-gbwc-211035/")
it's notable that filenames are exact and filesizes are almost the same..
btw. thont.dll's exports (gzip, inflate, deflate etc) would tell that this really is a gzip-like un/packing library

edit: heh. i have just noticed that the post's author has been banned..

blurcode
August 23rd, 2007, 15:34
yeah i am also banned there

LLXX
August 23rd, 2007, 18:32
Quote:
[Originally Posted by quetzalcoatl;67975]hey there. aren't that thont.dll and xfs.exe just an un/repacker tool? please see http://forum.ragezone.com/f173/unpacking-repack-xfs2-gbwc-211035/ ("http://forum.ragezone.com/f173/unpacking-repack-xfs2-gbwc-211035/")
it's notable that filenames are exact and filesizes are almost the same..
btw. thont.dll's exports (gzip, inflate, deflate etc) would tell that this really is a gzip-like un/packing library

edit: heh. i have just noticed that the post's author has been banned..
That's where he must've got it from. A friend was complaining about strange activity on his computer and I did an entropy scan, found a lot of files packed with the usual (ASpack, UPX, FSG, etc.) and these two.

Trace #2, second decryption loop. It looks like this code was produced by an automatic polymorphic encryptor generator, as this second loop looks much like the first. (Orthogonality of i386 arch makes the generation of such a trivial task.)
Code:
004A91A2: E807000000 call 004A91AE ; NRC

004A91AE: E80D000000 call 004A91C0 ; NRC

004A91C0: B891CF3116 mov eax,01631CF91 ; useless
004A91C5: 5F pop edi
004A91C6: 58 pop eax
004A91C7: E812000000 call 004A91DE

004A91DE: 51 push ecx ; useless
004A91DF: 5B pop ebx
004A91E0: 5E pop esi ; esi = 004a91cc
004A91E1: 8BFE mov edi,esi
004A91E3: 81C6B5090000 add esi,000009B5 ; esi = 004a9b81
[...]
004A91EE: 682D020000 push 0000022D ; 557 dords
[...]
004A91F8: 59 pop ecx
[...]
; beginning of decryption loop
004A91FD: FF36 push d,[esi]
004A91FF: E913000000 jmp 004A9217

004A9217: 5A pop edx ; encrypted dord
004A9218: 81F2351A730D xor edx,0D731A35
004A921E: 0F8003000000 jo 004A9227 ; it doesn't matter if this jumps or not...
004A9224: 668BFA mov di,dx ; ...because this instruction does not contribute
004A9227: 81F2CA7EFC05 xor edx,05FC7ECA
004A922D: 56 push esi
004A922E: 0F840C000000 je 004A9240 ; zero or not...
004A9234: E907000000 jmp 004A9240 ; jumps anyway.

004A9240: 58 pop eax ; useless
004A9241: 81EA3BB85F55 sub edx,555FB83B
[...]
004A924C: 52 push edx
004A924D: 8F06 pop d,[esi] ; store decrypted dord
[...] ; useless instruction-- only esi and ecx are important registers
004A9251: 83EE04 sub esi,04
004A9254: E810000000 call 004A9269 ; NRC

004A9269: E80B000000 call 004A9279 ; NRC

004A9279: 80C4D6 add ah,-02A ; as if this instruction would do anything
004A927C: 5F pop edi
004A927D: 5B pop ebx
004A927E: 49 dec ecx
004A927F: 0F852A000000 jne 004A92AF
004A9285: E911000000 jmp 004A929B

004A929B: E931000000 jmp 004A92D1

004A92AF: 0F8B05000000 jnp 004A92BA ; equivalent split path
[...]
004A92BA: E93EFFFFFF jmp 004A91FD ; jump back to decryption

004A92D1: (start of encrypted area: 2228 bytes in length 004a92d1 thru 004a9b84 inclusive)
As with above, ecx holds the loop counter, although the index register and decryption accumulator are different (esi and edx respectively, instead of previous ebx and eax), as is the algorithm applied. In addition, we note the use of several NRCs and the injection of frivolous code (dealing with the matters of the other unused registers), as well as equivalency paths (922e and 92af).

JMI
August 23rd, 2007, 19:24
In the referenced Thread, the originator, a true "emotional and mental midget," noted, in Post #14 that:

"this tool is made with some error algorithm, this is first version"

Regards,

LLXX
August 26th, 2007, 00:16
Part 3 (of 10 or so). Slightly different strategy this time.
Code:
004A92D1: B408 mov ah,08 ; useless
004A92D3: E812000000 call 004A92EA ; NRC

004A92EA: 5F pop edi ; edi = 004a92d8
[...]
004A92F1: 81C7AA080000 add edi,000008AA ; edi = 004a9b82
004A92F7: E909000000 jmp 004A9305

004A9305: BA00000000 mov edx,00000000
004A930A: 81E30D2A9C02 and ebx,029C2A0D

004A9310: 8B0C17 mov ecx,[edi][edx] ; get encrypted dord
[...]
004A9316: 81E950F20F33 sub ecx,330FF250
004A931C: 81E949BC7E53 sub ecx,537EBC49
004A9322: E812000000 call 004A9339 ; NRC

004A9339: 5B pop ebx
004A933A: 81E94E99CA53 sub ecx,53CA994E
[...]
004A9345: 51 push ecx
[...]
004A934A: 8F0417 pop d,[edi][edx] ; put encrypted dord
[...]
004A9350: E90A000000 jmp 004A935F

004A935F: 83EA04 sub edx,04 ; loop index
[...]
004A9365: 81FA14F8FFFF cmp edx,FFFFF814 ; -2028
004A936B: 0F851A000000 jne 004A938B
[...]
004A9374: E921000000 jmp 004A939A

004A938B: E980FFFFFF jmp 004A9310

004A939A: (start of encrypted section. 2028 bytes [004a939a...004a9b85])
Simply amounts to subtracting (mod 2^32) da5947e7 from each dord.

In other news, palindrome post number! (http://www.woodmann.com/forum/showpost.php?p=68086)

JMI
August 26th, 2007, 01:12
Uh Oh! Now they're going to have to get out their "Funk and Wagnalls" and look that up!

We wouldn't want them to get that confused with "Paladin .... "Have Gun - Will Travel" (1957), but most here are too young for that reference anyway.

Regards,

Kayaker
August 26th, 2007, 01:52
Quote:
[Originally Posted by LLXX;68086]In other news, palindrome post number! (http://www.woodmann.com/forum/showpost.php?p=68086)


OK I'll bite.

How many palindromic numbered posts has this board had so far?

I'll say 779.

What is the date and time of the 198th palindromic post?

Kayaker

JMI
August 26th, 2007, 05:23
Uh Oh, MATH! Where's my pocket calculator.

Way further digression! When I was finishing College, 'pocket calculators' had not yet been invented, let alone manufactured or affordably available, and although 'electric' calculators were 'available,' 'electronic' ones were still not widely available or in use. At the time, there was nothing generally 'portable', let alone able to 'fit' in a 'pocket.'

I was taking an accounting class to finish some 'general' requirements for graduation and could never add a large, or long column of numbers twice and readily come up with the same result, so I learned to use a "soroban." I had used a "slide rule" to some extent in High School for some of the 'math' I had taken, but it wasn't useful for what should have been 'simple' addition.

1. What is a soroban?

2. Where was it invented?

and for extra credit,

3. How does it differ from a "Chinese 'Suan Pan'?

I remember that at the time, a skilled practitioner of the 'soroban', which I never became, could actually outperform many of the available electric calculators of the time. The soroban I used actually fit in my shirt pocket easily and I still have it and occasionally get it out and play with it, usually after my eyes won't focus very well from staring at a computer monitor for too long a period of time!

Regards,

LLXX
August 26th, 2007, 07:16
You're really testing me aren't you

Quote:
How many palindromic numbered posts has this board had so far?

1-9 : 9
11-99 : 9
101 - 999 : 9*10=90
1001 - 9999 : 9*10=90
10001 - 59995 : 5*10*10=500
60006 - 67976 : 8*10=80
68086 : 1
9+9+90+90+450+80+1 = 779
Quote:
What is the date and time of the 198th palindromic post?
11-05-2001 03:16 AM (http://www.woodmann.com/forum/showpost.php?p=9999)
@JMI:
- Abacus
- Japan
- One less bead on the top and bottom

...and here is part 4:
Code:
004A939A: 0FB7C7 movzx eax,di ; probably useless
004A939D: E808000000 call 004A93AA ; NRC

004A93AA: E90B000000 jmp 004A93BA

004A93BA: 59 pop ecx ; ecx = 004a93a2
[...]
004A93C3: 81C1DE070000 add ecx,000007DE ; ecx = 004a9b80
[...]
004A93CC: BEB6772E7C mov esi,7C2E77B6
004A93D1: 81EEEE752E7C sub esi,7C2E75EE ; esi = 000001c8 = 456 dords (1824 bytes)
[...]
004A93DD: 8B11 mov edx,[ecx] ; get encrypted dord
[...]
004A93E8: 81EAEFB7CF52 sub edx,52CFB7EF
[...]
004A93F4: 81EAFC52567E sub edx,7E5652FC
[...]
004A93FD: 81EA854DF242 sub edx,42F24D85 ; edx -= 0x14185870
[...]
004A940E: 8911 mov [ecx],edx ; put encrypted dord
004A9410: E810000000 call 004A9425 ; NRC

004A9425: E90B000000 jmp 004A9435

004A9435: 58 pop eax
004A9436: 83E902 sub ecx,02
004A9439: 68674D4576 push 76454D67
004A943E: 51 push ecx
004A943F: E80E000000 call 004A9452 ; NRC

004A9452: 5F pop edi ; return addr
004A9453: 58 pop eax ; ecx
004A9454: 5B pop ebx ; 76454d67
004A9455: 49 dec ecx
004A9456: 49 dec ecx ; decrement by 4
[...]
004A9459: 83EE01 sub esi,01
004A945C: 0F857BFFFFFF jne 004A93DD
[...]
(start of encrypted area: 1824 bytes [004a9464..004a9b83)
Another simple subtraction encryption.

(I'm saving the interesting part, coming up, for the next post )
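The four loops traced so far (trace #1, trace #2, part 3 and part 4) can be replayed statically, which is exactly the "hex editor or other static environment" approach the first post recommends instead of running the sample. The script below is an added example, not code from this thread or from the packer's author: the per-dword constants, start addresses and iteration counts are taken from the traces above, while the memory image it operates on is constructed here, the emulated window (0x4A9000-0x4A9BFF) is an assumption chosen to cover all four ranges, and the `encrypt` inverses exist only so the reconstruction can be checked by round trip before an analyst trusts it against real bytes.

```python
"""Static replay of the four traced decryption loops (added example, not the
thread's own code).  Loop constants and start addresses come from the traces
in this thread; the memory image itself is constructed, not taken from the sample."""
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple

M32 = 0xFFFFFFFF
IMAGE_BASE = 0x4A9000   # assumption: emulate only the 0x4A9000-0x4A9BFF window
IMAGE_SIZE = 0xC00


def sub32(x: int, k: int) -> int:
    return (x - k) & M32


def add32(x: int, k: int) -> int:
    return (x + k) & M32


# Loops 3 and 4 each chain three SUBs; mod 2^32 that collapses to one constant.
LOOP3_KEY = (0x330FF250 + 0x537EBC49 + 0x53CA994E) & M32   # 0xDA5947E7 per the trace
LOOP4_KEY = (0x52CFB7EF + 0x7E5652FC + 0x42F24D85) & M32   # 0x14185870 per the trace


@dataclass(frozen=True)
class Layer:
    name: str
    first_addr: int                  # highest dword address; every loop walks downwards
    count: int                       # dwords touched (the ecx/esi/edx loop counter)
    decrypt: Callable[[int], int]    # per-dword arithmetic exactly as traced
    encrypt: Callable[[int], int]    # algebraic inverse, used only to build test images

    def byte_range(self) -> Tuple[int, int]:
        """Inclusive [lo, hi] byte range this loop rewrites."""
        lo = self.first_addr - 4 * (self.count - 1)
        return lo, self.first_addr + 3


LAYERS: List[Layer] = [
    # trace #1: sub, xor, sub; 633 dwords from 004a9b82 downwards (ebx -= 4)
    Layer("loop1", 0x4A9B82, 633,
          lambda x: sub32(sub32(x, 0x76C3CF4F) ^ 0x20A386DC, 0x62DFA3E5),
          lambda x: add32(add32(x, 0x62DFA3E5) ^ 0x20A386DC, 0x76C3CF4F)),
    # trace #2: xor, xor, sub; 557 dwords from 004a9b81 downwards (esi -= 4)
    Layer("loop2", 0x4A9B81, 557,
          lambda x: sub32(x ^ 0x0D731A35 ^ 0x05FC7ECA, 0x555FB83B),
          lambda x: add32(x, 0x555FB83B) ^ 0x05FC7ECA ^ 0x0D731A35),
    # part 3: edi = 004a9b82, edx = 0, -4, ... until it equals -2028 -> 507 dwords
    Layer("loop3", 0x4A9B82, 507,
          lambda x: sub32(x, LOOP3_KEY),
          lambda x: add32(x, LOOP3_KEY)),
    # part 4: ecx = 004a9b80, 456 dwords, ecx -= 4 per iteration
    Layer("loop4", 0x4A9B80, 456,
          lambda x: sub32(x, LOOP4_KEY),
          lambda x: add32(x, LOOP4_KEY)),
]


def apply_layer(mem: bytearray, layer: Layer, base: int = IMAGE_BASE,
                forward: bool = True) -> None:
    """Rewrite each little-endian dword of one loop in place, top address first."""
    fn = layer.decrypt if forward else layer.encrypt
    for i in range(layer.count):
        off = layer.first_addr - 4 * i - base
        (v,) = struct.unpack_from("<I", mem, off)
        struct.pack_into("<I", mem, off, fn(v))


def decrypt_image(mem: bytearray, base: int = IMAGE_BASE) -> bytearray:
    """Peel the layers in execution order: each loop's code sits inside the
    region the previous loop decrypted, so the order is not optional."""
    out = bytearray(mem)
    for layer in LAYERS:
        apply_layer(out, layer, base, forward=True)
    return out


def encrypt_image(mem: bytearray, base: int = IMAGE_BASE) -> bytearray:
    """Inverse of decrypt_image (layers in reverse); only used to build a test image."""
    out = bytearray(mem)
    for layer in reversed(LAYERS):
        apply_layer(out, layer, base, forward=False)
    return out


def round_trip_ok(plain: bytes) -> bool:
    """Sanity check to run on the reconstruction before trusting it on real bytes."""
    return decrypt_image(encrypt_image(bytearray(plain))) == bytearray(plain)


if __name__ == "__main__":
    # Constructed image: a recognisable pattern, not bytes from the sample.
    plain = bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    for layer in LAYERS:
        lo, hi = layer.byte_range()
        print(f"{layer.name}: {hi - lo + 1:5d} bytes  {lo:08x}..{hi:08x}")
    print("loop1 on the traced first dword:", hex(LAYERS[0].decrypt(0xD8F8BCED)))
    print("round trip:", round_trip_ok(plain))
```

Feeding the dword from trace #1 (`D8F8BCED` at 004a9b82) through `LAYERS[0].decrypt` reproduces the traced result `dfb7c75d`, which is the kind of spot check that confirms the constants were copied correctly; the `byte_range` values line up with the extents quoted at the end of each trace (2532, 2228, 2028 and 1824 bytes). Because the ranges overlap at different alignments, the layers are applied to a single shared buffer rather than to separate slices.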

naides
August 26th, 2007, 07:22
JMI:
I'm sure you appreciate the subtle irony that you, precisely you, are posting such a challenge.

In the times of Google, a few keystrokes are more than sufficient . . .

JMI
August 26th, 2007, 10:41
And I knew that irony "precisely"! But, it gets some folks who might not otherwise do so, to actually attempt to SEARCH!

Write any 3-digit number, e.g. 123, then write the number with the digits in reverse order. Then subtract the smaller from the larger, always using three digits for the result, reverse those digits again and add this time.

No matter which 3-digits you may choose, one can give you the answer without having received any information about your number. The final answer will always be: ______

Regards,