Cthulhu
January 27th, 2009, 13:14
I found this trojan that seems to be an IRC Bot according to virustotal.com
I've never seen this packer before.
PWD: malware
I've never seen this packer before.
PWD: malware
View Full Version : Malware packed with unknown packer
anom
January 27th, 2009, 16:24
The password is "malware", in case anyone's wondering.
The packer itself is a custom one, yeah, but it's fairly easy. Some self-modifying code and custom GetProcAddress/GetModuleHandle implementations (export table traversal and PEB). After some decrypting/page protecting/IAT stuff, you can employ the so-called esp trick or simply trace through that loop, you'll end up here:
Image bases are shuffled inside the IAT, ImpRec complains about invalid pointers. Just cut them and you're done.
The packer itself is a custom one, yeah, but it's fairly easy. Some self-modifying code and custom GetProcAddress/GetModuleHandle implementations (export table traversal and PEB). After some decrypting/page protecting/IAT stuff, you can employ the so-called esp trick or simply trace through that loop, you'll end up here:
Code:
.xeh:00415767 F3 A4 rep movsb
.xeh:00415769 61 popa
.xeh:0041576A 83 C2 28 add edx, 28h
.xeh:0041576D 41 inc ecx
.xeh:0041576E 81 F9 03 00+ cmp ecx, 3
.xeh:00415774 72 D2 jb short loc_415748
.xeh:00415774
.xeh:00415776 B8 B2 59 40+ mov eax, 4059B2h
.xeh:0041577B FF D0 call eax ; sub_4059B2
.xeh:0041577B
.xeh:0041577D C3 retn
Image bases are shuffled inside the IAT, ImpRec complains about invalid pointers. Just cut them and you're done.
Cthulhu
January 28th, 2009, 07:08
Quote:
| [Originally Posted by anom;78993]The password is "malware", in case anyone's wondering. |
The password was already mentioned on the original post.
anom
January 28th, 2009, 08:36
Uh damn, seems like I'm getting old, huh. 
evaluator
January 28th, 2009, 11:19
hey! packer is dumb, but seems this is VNSPOEM, which i did unpacked already here..
Cthulhu
January 29th, 2009, 13:54
Quote:
| [Originally Posted by evaluator;79002]hey! packer is dumb, but seems this is VNSPOEM, which i did unpacked already here.. |
I found no post regarding VNSPOEM here in the forum.
evaluator
January 29th, 2009, 16:20
http://www.woodmann.com/forum/showthread.php?t=11926
esther
January 30th, 2009, 02:02
*evaluator hey! packer is dumb
I am dumb,still have problems finding the oep
GetCommandLine?
GetModulehandleA?
CreateToolhelp32Snapshot?
WHATEVER?
I am dumb,still have problems finding the oep
GetCommandLine?
GetModulehandleA?
CreateToolhelp32Snapshot?
WHATEVER?
evaluator
January 30th, 2009, 11:10
go_to link above & look unpacked.. @OEP happens import resolving, bcoz @stack must be GetProcAdr, LoadLibra.. triki things
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.