Malware packed with unknown packer


Cthulhu
January 27th, 2009, 13:14
I found this trojan that seems to be an IRC bot according to virustotal.com.
I've never seen this packer before.

PWD: malware

anom
January 27th, 2009, 16:24
The password is "malware", in case anyone's wondering.

The packer itself is a custom one, yeah, but it's fairly easy. Some self-modifying code and custom GetProcAddress/GetModuleHandle implementations (export table traversal and PEB). After some decrypting/page protecting/IAT stuff, you can employ the so-called ESP trick or simply trace through that loop, and you'll end up here:

Code:
.xeh:00415767 F3 A4 rep movsb
.xeh:00415769 61 popa
.xeh:0041576A 83 C2 28 add edx, 28h
.xeh:0041576D 41 inc ecx
.xeh:0041576E 81 F9 03 00+ cmp ecx, 3
.xeh:00415774 72 D2 jb short loc_415748
.xeh:00415774
.xeh:00415776 B8 B2 59 40+ mov eax, 4059B2h
.xeh:0041577B FF D0 call eax ; sub_4059B2
.xeh:0041577B
.xeh:0041577D C3 retn

Image bases are shuffled inside the IAT, ImpRec complains about invalid pointers. Just cut them and you're done.
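anom's post covers two things an analyst meets in this stub: a hand-rolled GetProcAddress that walks a module's export table, and a dumped IAT whose entries carry the wrong image base (the "invalid pointers" ImpRec complains about). The Python below is an added example, not code from the thread or from any tool named in it. It builds a constructed, minimal PE32 image in memory (the module names, export names, RVAs and IAT values are all made up for the demonstration), walks its export directory the way such a resolver does, and then uses the resolved addresses to classify a constructed IAT dump, marking the entries to cut.

```python
import struct

# ---- constructed sample: a minimal PE32 image carrying only an export table ----
# Flat layout, RVA == offset, like a module looks once mapped:
#   0x000 DOS header, 0x040 "PE\0\0", 0x044 file header, 0x058 optional header,
#   0x200 export directory, 0x240/0x260/0x280 the three export arrays, 0x300 strings.
def build_fake_module(module_name, exports):
    """exports: list of (name, rva); entry i gets ordinal Base+i (Base = 1)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)            # Machine = i386, 1 section
    struct.pack_into("<H", img, 0x44 + 16, 0xE0)            # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, opt + 96, 0x200, 0x100)    # DataDirectory[0] = exports
    n = len(exports)
    str_rva, name_rvas = 0x300, {}
    for s in [module_name] + [name for name, _ in exports]:
        img[str_rva:str_rva + len(s) + 1] = s.encode() + b"\0"
        name_rvas[s] = str_rva
        str_rva += len(s) + 1
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions/Names/NameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, 0x200,
                     0, 0, 0, 0, name_rvas[module_name], 1, n, n, 0x240, 0x260, 0x280)
    for i, (_, rva) in enumerate(exports):
        struct.pack_into("<I", img, 0x240 + 4 * i, rva)      # AddressOfFunctions
    for j, (name, _) in enumerate(sorted(exports)):           # names kept sorted, as the loader expects
        ordinal = [e[0] for e in exports].index(name)
        struct.pack_into("<I", img, 0x260 + 4 * j, name_rvas[name])  # AddressOfNames
        struct.pack_into("<H", img, 0x280 + 2 * j, ordinal)          # AddressOfNameOrdinals
    return bytes(img)


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode()


def walk_export_table(img):
    """Return {export name: RVA}, read the way a custom GetProcAddress reads it."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                 # skip signature + file header
    magic = struct.unpack_from("<H", img, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)         # DataDirectory offset: PE32 vs PE32+
    exp_rva = struct.unpack_from("<I", img, dir_off)[0]
    (_, _, _, _, _name, _base, _nfunc, nnames,
     funcs, names, ords) = struct.unpack_from("<IIHHIIIIIII", img, exp_rva)
    table = {}
    for j in range(nnames):
        name_rva = struct.unpack_from("<I", img, names + 4 * j)[0]
        ordinal = struct.unpack_from("<H", img, ords + 2 * j)[0]
        table[read_cstr(img, name_rva)] = struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
    return table


def classify_iat(iat, modules):
    """modules: {name: (image base, mapped image bytes)}.
    Returns [(pointer, label)]; label is 'module!Func' when the pointer lands on an
    export, else 'invalid' (an entry ImpRec would reject and that should be cut)."""
    resolved = {}
    for mod, (base, img) in modules.items():
        for fname, rva in walk_export_table(img).items():
            resolved[base + rva] = f"{mod}!{fname}"
    return [(p, resolved.get(p, "invalid")) for p in iat]


def cut_invalid(iat, modules):
    """The IAT with invalid entries removed, i.e. what is left after 'cutting' them."""
    return [p for p, label in classify_iat(iat, modules) if label != "invalid"]


# Constructed modules and a constructed IAT dump (bases and RVAs are made up).
MODULES = {
    "kernel32.dll": (0x7C800000, build_fake_module("kernel32.dll",
        [("GetProcAddress", 0x1AE4), ("LoadLibraryA", 0x1D4F), ("GetModuleHandleA", 0x1B2A)])),
    "user32.dll": (0x77D10000, build_fake_module("user32.dll", [("MessageBoxA", 0x1234)])),
}
# Third entry keeps a correct RVA but the wrong image base: the "shuffled" case.
SAMPLE_IAT = [0x7C801AE4, 0x7C801D4F, 0x00401B2A, 0x77D11234]

if __name__ == "__main__":
    for ptr, label in classify_iat(SAMPLE_IAT, MODULES):
        print(f"{ptr:08X}  {label}")
```

Running it prints one line per IAT slot; the entry with the wrong image base comes back as invalid while the rest resolve to module!function. A dump from a real process can be fed the same way by replacing the constructed modules with images read from the target's memory.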

Cthulhu
January 28th, 2009, 07:08
Quote:
[Originally Posted by anom;78993]The password is "malware", in case anyone's wondering.


The password was already mentioned on the original post.

anom
January 28th, 2009, 08:36
Uh damn, seems like I'm getting old, huh.

evaluator
January 28th, 2009, 11:19
Hey! The packer is dumb, but it seems this is VNSPOEM, which I already unpacked here..

Cthulhu
January 29th, 2009, 13:54
Quote:
[Originally Posted by evaluator;79002]Hey! The packer is dumb, but it seems this is VNSPOEM, which I already unpacked here..


I found no post regarding VNSPOEM here in the forum.

evaluator
January 29th, 2009, 16:20
http://www.woodmann.com/forum/showthread.php?t=11926

esther
January 30th, 2009, 02:02
*evaluator: hey! packer is dumb
I am dumb, still have problems finding the OEP

GetCommandLine?
GetModulehandleA?
CreateToolhelp32Snapshot?
WHATEVER?

evaluator
January 30th, 2009, 11:10
Go to the link above & look at the unpacked one.. At the OEP, import resolving happens, because on the stack there must be GetProcAddress, LoadLibrary.. tricky things