gloom
January 5th, 2009, 20:34
Hi everyone! Happy New Year and Merry Christmas to all researchers and reverse engineers!
Today I caught a virus from one of the warez sites and decided to research its file, boot.com (actually it's a usual .exe, size about 30 KB). I can't understand what packer this is. PEiD can't detect the packer either.
Some code from EP:
data:00401EC4 start proc near
data:00401EC4 xor edx, eax
data:00401EC6 jmp loc_401415
data:00401EC6 start endp
data:00401415 loc_401415: ; CODE XREF: start+2j
data:00401415 xor eax, eax
data:00401417 call sub_4010FB
data:00401417 sub_401400 endp ; sp-analysis failed
data:004010FB sub_4010FB proc near ; CODE XREF: sub_401400+17p
data:004010FB mov ecx, ecx
data:004010FD add esp, 4
data:00401100 sub eax, 0FFFFFFFFh
data:00401103 call sub_40171E
data:00401103 sub_4010FB endp ; sp-analysis failed
data:0040171E sub_40171E proc near ; CODE XREF: sub_4010FB+8p
data:0040171E mov ecx, ecx
data:00401720 add esp, 4
data:00401723
data:00401723 loc_401723: ; CODE XREF: sub_401BCF+18j
data:00401723 push 0A7E2DCE3h
data:00401728 mov [esp+0], eax
data:0040172B ror dword ptr [esp+0], 0Ch
data:0040172F and dword ptr [esp+0], 0F00000h
data:00401736 rol dword ptr [esp+0], 0Ch
data:0040173A mov eax, [esp+0]
data:0040173D mov ecx, ecx
data:0040173F add esp, 4
data:00401742 call sub_4018D9
data:00401742 sub_40171E endp ; sp-analysis failed
Attached boot.zip with password "damnmalware" includes boot.com.
Thanks to everybody!
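An added example (not part of the original post, and not code from the sample) that looks at what the posted listing actually computes. Two things stand out in the snippet: the `mov ecx, ecx` instructions and the `push 0A7E2DCE3h` that is immediately overwritten by `mov [esp+0], eax` are junk, and the `ror 12 / and 0F00000h / rol 12` sequence on the stack slot is a disguised single AND. The block below emulates that sequence on 32-bit values, derives the simplified mask by rotating the AND mask back, and runs a small scanner over the listing text (copied from the post; the `data:` prefix and line shapes are assumed to be IDA output) to flag the junk patterns. Function names and the listing format handling are my own assumptions.

```python
import random
import re

MASK32 = 0xFFFFFFFF

# Listing lines copied from the post (constructed input for the scanner).
LISTING = """\
data:00401EC4 xor edx, eax
data:00401EC6 jmp loc_401415
data:00401415 loc_401415: ; CODE XREF: start+2j
data:00401415 xor eax, eax
data:00401417 call sub_4010FB
data:004010FB mov ecx, ecx
data:004010FD add esp, 4
data:00401100 sub eax, 0FFFFFFFFh
data:00401103 call sub_40171E
data:0040171E mov ecx, ecx
data:00401720 add esp, 4
data:00401723
data:00401723 loc_401723: ; CODE XREF: sub_401BCF+18j
data:00401723 push 0A7E2DCE3h
data:00401728 mov [esp+0], eax
data:0040172B ror dword ptr [esp+0], 0Ch
data:0040172F and dword ptr [esp+0], 0F00000h
data:00401736 rol dword ptr [esp+0], 0Ch
data:0040173A mov eax, [esp+0]
data:0040173D mov ecx, ecx
data:0040173F add esp, 4
data:00401742 call sub_4018D9
"""


def ror32(value, n):
    """32-bit rotate right, same semantics as x86 ROR on a dword."""
    n &= 31
    return ((value >> n) | (value << (32 - n))) & MASK32


def rol32(value, n):
    """32-bit rotate left, same semantics as x86 ROL on a dword."""
    n &= 31
    return ((value << n) | (value >> (32 - n))) & MASK32


def obfuscated_sequence(eax):
    """Emulate the instructions at loc_401723 exactly as listed."""
    slot = 0xA7E2DCE3            # push 0A7E2DCE3h (never read: overwritten next)
    slot = eax & MASK32          # mov [esp+0], eax
    slot = ror32(slot, 0xC)      # ror dword ptr [esp+0], 0Ch
    slot &= 0x00F00000           # and dword ptr [esp+0], 0F00000h
    slot = rol32(slot, 0xC)      # rol dword ptr [esp+0], 0Ch
    return slot                  # mov eax, [esp+0]; add esp, 4


def simplified_mask():
    """ror k / and M / rol k == and rol(M, k), so rotate the mask back."""
    return rol32(0x00F00000, 0xC)   # bits 20..23 wrap around to bits 0..3 -> 0xF


def simplified_sequence(eax):
    """The de-obfuscated equivalent: a single AND with the rotated mask."""
    return (eax & MASK32) & simplified_mask()


def check_equivalence(trials=10000, seed=1):
    """Brute-force check that the two forms agree on edge cases and random dwords."""
    rng = random.Random(seed)
    samples = [0, 1, 0xF, 0x10, 0x80000000, MASK32, 0xDEADBEEF]
    samples += [rng.getrandbits(32) for _ in range(trials)]
    return all(obfuscated_sequence(v) == simplified_sequence(v) for v in samples)


def parse_listing(text):
    """Turn IDA-style listing lines into (address, mnemonic, [operands])."""
    insns = []
    for raw in text.splitlines():
        code = raw.split(';', 1)[0].strip()          # drop IDA comments
        parts = code.split(None, 2)
        if len(parts) < 2 or parts[1].endswith(':') or parts[1] in ('proc', 'endp'):
            continue                                  # labels, proc/endp, bare addresses
        addr = int(parts[0].rsplit(':', 1)[1], 16)
        mnem = parts[1].lower()
        ops = [o.strip().lower() for o in parts[2].split(',')] if len(parts) > 2 else []
        insns.append((addr, mnem, ops))
    return insns


def find_junk(insns):
    """Flag the two junk idioms visible in the post: mov reg,reg and push-then-overwrite."""
    findings = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem == 'mov' and len(ops) == 2 and ops[0] == ops[1]:
            findings.append((addr, 'mov reg, reg is a no-op'))
        if mnem == 'push' and i + 1 < len(insns):
            nmnem, nops = insns[i + 1][1], insns[i + 1][2]
            if nmnem == 'mov' and nops and re.fullmatch(r'\[esp(\+0)?\]', nops[0]):
                findings.append((addr, 'pushed constant is overwritten before it is read'))
    return findings


if __name__ == '__main__':
    print('equivalent to: and eax, %#x' % simplified_mask(), check_equivalence())
    for addr, why in find_junk(parse_listing(LISTING)):
        print('%08X  %s' % (addr, why))
```

The rotate-back trick generalizes: any `ror k; and M; rol k` on the same operand is `and rol(M, k)`, and the same holds with the rotations swapped (`rol k; and M; ror k` is `and ror(M, k)`), so a chain like this can be folded in one step once the junk around it is removed. Note that the `add esp, 4` after each `mov ecx, ecx` also discards the return address pushed by the preceding `call`, which is why IDA reports `sp-analysis failed`; the calls are being used as jumps.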