How to unpack this?


back2time
September 19th, 2007, 19:55
Hi all,

Congrats to everyone for this cool board. I'm spending some time trying to unpack this malware because it looks like it's using some kind of new packer with anti-debugging features.

How could I unpack this? Can you help me?

Thanks! Byez

!BE CAREFUL! MALWARE

EDIT:
zip password: malware

OHPen
September 19th, 2007, 23:11
The malware is probably obfuscated by a public obfuscation engine. Nothing serious...

nchanta
September 20th, 2007, 00:41
Hmm, perhaps we can better help if we know where you are stuck exactly...

It wouldn't happen to be at packer EP would it? :P

LLXX
September 20th, 2007, 00:52
Quote:
How to unpack this?
With your brain.

Kayaker
September 20th, 2007, 01:07
Please, when uploading any malware be sure to do the following:

1. Change the extension to a non-executable one so that no one can accidentally double click the file unless they are ready to deal with it in a safe manner. For example, rename *.exe to *.vxe.

2. Password protect the zip file and give the password.


Please note that if any files are found that are NOT protected in the above manner they will be removed.


I have made those two changes and reuploaded the file.

Regards,
Kayaker

blabberer
September 20th, 2007, 09:18
Well, it has got standard OllyDbg-thwarting measures.

Changed RVA and loader flags crap (View -> File -> Special -> PE header -> right click -> Modify integer -> save file as new); that's gone (read the SotM 33 challenge results for details).

Then it's got TLS callbacks.
Events -> stop at system BP -> change PEB->NtGlobalFlag to 0x72 (OR'ed Loader_Show_Snap) and then watch the debug prints to find where the callback is.

In the TLS callback it uses the fld tbyte Olly-crashing trick (View File, NOP the crap and save); that's gone (see the OllyDbg bugs section for posts regarding this).

Then in the TLS callbacks it checks for the temp break that Olly sets (when you hit the system start BP, simply remove the one-shot BP from View -> Breakpoints (Alt+B), right click -> Remove).

BTW, nice obfuscated algorithm there to check for the byte 0xCC in memory.

The check is fooled.

It reaches the entry point in the PE header -> here starts another round of crap obfuscation: finding the kernel base, finding the LoadLibrary address and GetProcAddressing them to build the import library.

Code:

00796710 F3:A6 REPE CMPS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

ECX=0000000E (decimal 14.)
DS:[ESI]=stack [0022FFB0]=47 ('G')
ES:[EDI]=[77ECF541]=41 ('A')

EAX 77E60000 kernel32.77E60000
ECX 0000000E
EDX 77ECDF20 kernel32.77ECDF20
EBX 00000000
ESP 0022FF98
EBP 0022FFF0
ESI 0022FFB0 ASCII "GetProcAddress"
EDI 77ECF541 ASCII "ActivateActCtx"
EIP 00796710 0wnzmodf.00796710


BTW, it rehashes the import address by XORing it. Again, IIRC there was an interesting post in this forum about some malware finding the import address and rehashing it; search the forum or read them all one by one.
Code:

0079C032 35 A5446DDD XOR EAX, DD6D44A5
0079C037 A3 55607900 MOV DWORD PTR DS:[796055], EAX

XOR 77E7B332 with that constant and you will see:

EAX 77E7B332 kernel32.GetProcAddress

EAX=AA8AF797
DS:[00796055]=AA8AF797



Single-step through every instruction till you understand; you will be able to unpack this in a few days if you haven't ever unpacked before.
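An added example (not blabberer's code, nor the malware's) of the import-address unmasking described in the post above: from the one (real address, stored value) pair visible in the debugger, 77E7B332 and AA8AF797, the XOR mask can be derived as a known-plaintext recovery rather than read off the XOR instruction, and a dumped table of masked dwords can then be unmasked in bulk and mapped back to export names. The extra export addresses and the masked table are constructed for the example; only the GetProcAddress values come from the post.

```python
# Added example: recover import addresses that a packer stored XOR-masked.
# GETPROCADDRESS and STORED_VALUE are the two values shown in the debugger in
# the post above; SAMPLE_EXPORTS and MASKED_TABLE are constructed for illustration.
GETPROCADDRESS = 0x77E7B332   # EAX before the XOR: kernel32.GetProcAddress
STORED_VALUE = 0xAA8AF797     # dword the packer wrote to 00796055 after the XOR

# Constructed export map {address: name}; only the first entry is from the post.
SAMPLE_EXPORTS = {
    0x77E7B332: "GetProcAddress",
    0x77E7D961: "LoadLibraryA",
    0x77E5B2D0: "VirtualAlloc",
    0x77E5A0C1: "ExitProcess",
}

def derive_mask(real_addr, stored):
    """Known-plaintext recovery of a 32-bit XOR mask: real ^ stored == mask."""
    return (real_addr ^ stored) & 0xFFFFFFFF

def mask_table(addrs, mask):
    """What the packer does: store each resolved address XORed with the mask."""
    return [(a ^ mask) & 0xFFFFFFFF for a in addrs]

def unmask_table(stored_dwords, mask, exports=SAMPLE_EXPORTS):
    """Undo the masking for a dumped table and label each entry via the export map."""
    out = []
    for d in stored_dwords:
        real = (d ^ mask) & 0xFFFFFFFF
        out.append((real, exports.get(real, "?")))
    return out

# Constructed: the packer's masked table as it would appear in a memory dump.
MASKED_TABLE = mask_table(list(SAMPLE_EXPORTS), derive_mask(GETPROCADDRESS, STORED_VALUE))

if __name__ == "__main__":
    mask = derive_mask(GETPROCADDRESS, STORED_VALUE)
    print(f"mask = {mask:08X}")   # the same constant as in the XOR instruction
    for addr, name in unmask_table(MASKED_TABLE, mask):
        print(f"{addr:08X} {name}")
```

The derived mask equals the immediate in the `XOR EAX, DD6D44A5` instruction shown above, which is the sanity check to run before trusting the recovered table; an entry that unmasks to an address outside the module you expect means the key or the dump is wrong.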

fr33ke
September 21st, 2007, 08:45
To get to the OEP:
Avoid the anti-olly stuff, and hide your Olly.
First follow until the "jmp esi" out of the first section. Set a breakpoint on the first section and run.
The first few times it is hit aren't important, so we skip the loops by setting a breakpoint on the next section. When that hits, we set a breakpoint on the first section again.
After a few times you land at the OEP. At this time you can dump the file. If your dumper (LordPE for example) complains that it can't read, set all section rights to full access in Olly.

Now you could fix with Imprec and be done with it, but we can get a cleaner unpacked file than that. You can get the original IAT by setting a breakpoint on the .2e... section and dumping it before the imports are resolved.

Then we can remove the useless packer sections (.engine, .info and .tss), remove the raw data for the bss section and add the overlay from the original file to our dump. We fix the header values for TLS, IAT, section names, loaderflags etc and we are done!
The unpacked file is as virgin as we are going to get; the size matches exactly according to the PointerToSymbolData. We can get the debug info (which was in the overlay) with nm.

(BTW, all this is a bit harder than I make it sound)

Attached are the unpacked exe and the output of nm.

MALWARE, DOWNLOAD ON YOUR OWN RISK
pass: malware
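The header repair fr33ke describes (drop the packer sections, strip the raw data from .bss, clear the TLS directory the packer planted, restore the IAT directory, set the entry point to the OEP and append the overlay), together with the bogus RVA-count and LoaderFlags fields blabberer mentions, as an added Python example that is not part of this thread or of any poster's tool. It runs on a constructed minimal PE32 image, not the malware from the thread; the section layout, RVAs, the broken header values and the overlay bytes are all made up for illustration, and it assumes the packer appended its sections after the original ones (so removing them leaves no hole in the virtual layout).

```python
# Added example: post-dump PE32 header repair of the kind fr33ke describes.
# Everything here runs on a constructed sample image, not the thread's malware.
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
OPT_HDR_SIZE = 224              # size of a PE32 optional header
DIR_TLS, DIR_IAT = 9, 12        # IMAGE_DIRECTORY_ENTRY_TLS / _IAT
SECT_FMT = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER (40 bytes)

def align(n, a):
    return (n + a - 1) // a * a

def build_sample_pe():
    """Constructed PE32: three original sections, then three packer sections
    (.engine/.info/.tss, the names from the thread) with the packer's damage:
    EP in .tss, a TLS directory in .tss, raw data attached to .bss, bogus
    LoaderFlags/NumberOfRvaAndSizes. Every value is made up for illustration."""
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text",   0x1000, 0x1000, 0x200, 0x400, 0x60000020),
        (b".data",   0x1000, 0x2000, 0x200, 0x600, 0xC0000040),
        (b".bss",    0x1000, 0x3000, 0x200, 0x800, 0xC0000080),
        (b".engine", 0x1000, 0x4000, 0x200, 0xA00, 0xE0000060),
        (b".info",   0x1000, 0x5000, 0x200, 0xC00, 0xE0000060),
        (b".tss",    0x1000, 0x6000, 0x200, 0xE00, 0xE0000060),
    ]
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x6000)                  # AddressOfEntryPoint -> packer stub
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                # ImageBase
    struct.pack_into("<II", hdr, opt + 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", hdr, opt + 56, 0x7000, len(hdr))       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<II", hdr, opt + 88, 0xABCD1234, 0xFFFFFFFF) # LoaderFlags, NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_TLS, 0x6100, 0x18)  # TLS dir -> packer callback
    for i, (name, vs, va, rs, rp, ch) in enumerate(secs):
        struct.pack_into(SECT_FMT, hdr, opt + OPT_HDR_SIZE + 40 * i, name, vs, va, rs, rp, 0, 0, 0, 0, ch)
    body = b"".join(name.strip(b".").ljust(0x200, b"\0") for name, *_ in secs)
    return bytes(hdr) + body

def parse(data):
    """Return (PE header offset, section table offset, list of section header tuples)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    sh = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    return pe, sh, [struct.unpack_from(SECT_FMT, data, sh + 40 * i) for i in range(nsec)]

def repair_dump(data, oep=None, iat=(0, 0), overlay=b"",
                drop=(b".engine", b".info", b".tss"), bss=b".bss"):
    """Drop packer sections, strip .bss raw data, clear the TLS directory, set the
    IAT directory and entry point, reset LoaderFlags/NumberOfRvaAndSizes, rebuild
    file offsets (RVAs are untouched) and SizeOfImage, then append the overlay."""
    pe, sh, secs = parse(data)
    opt = pe + 24
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]
    hdr = bytearray(data[:hdr_size])
    if oep is not None:
        struct.pack_into("<I", hdr, opt + 16, oep)
    struct.pack_into("<II", hdr, opt + 88, 0, 16)
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_TLS, 0, 0)
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_IAT, *iat)
    kept, body, raw_ptr = [], b"", hdr_size
    for name, vs, va, rs, rp, *rest in secs:
        nm = name.rstrip(b"\0")
        if nm in drop:
            continue
        if nm == bss:                      # uninitialised data owns no file bytes
            rs, rp = 0, 0
        else:
            size = align(rs, FILE_ALIGN)
            body += data[rp:rp + rs].ljust(size, b"\0")
            rs, rp, raw_ptr = size, raw_ptr, raw_ptr + size
        kept.append((name, vs, va, rs, rp, *rest))
    hdr[sh:sh + 40 * len(secs)] = bytes(40 * len(secs))   # wipe the old section table
    for i, s in enumerate(kept):
        struct.pack_into(SECT_FMT, hdr, sh + 40 * i, *s)
    struct.pack_into("<H", hdr, pe + 6, len(kept))
    last = max(kept, key=lambda s: s[2])
    struct.pack_into("<I", hdr, opt + 56, align(last[2] + last[1], SECT_ALIGN))
    return bytes(hdr) + body + overlay

def summarize(data):
    """The header fields worth eyeballing before and after the repair."""
    pe, _, secs = parse(data)
    opt = pe + 24
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    return {
        "entry": u32(opt + 16), "size_of_image": u32(opt + 56),
        "loader_flags": u32(opt + 88), "num_rva_and_sizes": u32(opt + 92),
        "tls_dir": struct.unpack_from("<II", data, opt + 96 + 8 * DIR_TLS),
        "iat_dir": struct.unpack_from("<II", data, opt + 96 + 8 * DIR_IAT),
        "sections": [(s[0].rstrip(b"\0").decode(), s[3], s[4]) for s in secs],
        "file_size": len(data),
    }

if __name__ == "__main__":
    packed = build_sample_pe()
    fixed = repair_dump(packed, oep=0x1000, iat=(0x2000, 0x40), overlay=b"debug-info-overlay")
    for label, img in (("dumped", packed), ("repaired", fixed)):
        print(label, summarize(img))
```

The OEP, the original IAT RVA and the overlay are inputs you collect in the debugger and from the original file, exactly as the post describes; the script only rewrites the header and re-lays the raw data. Section RVAs are deliberately left alone, since moving them would invalidate every absolute reference in the dumped code.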

GRIMPMASTER
September 27th, 2007, 19:29
This is malware and I think it injects malicious code into msn_mesenger.

LLXX
September 27th, 2007, 22:04
Quote (originally posted by GRIMPMASTER):
This is malware and I think it injects malicious code into msn_mesenger.
Thank you, Captain Obvious!