
Another unknown packer in malware


Cthulhu
January 29th, 2009, 13:45
I just found this trojan. Judging by the name of the executable section, I suppose the packer's name is STPack,
but I found nothing about it.

Password: malware

evaluator
January 29th, 2009, 16:18
Most trojans are packed with custom packers/crypters, commonly named by AV as TR/CRYPT..
so don't worry about them..
unless you find some interesting packing/protection methods.

int0
January 30th, 2009, 03:46
Quote:
[Originally Posted by Cthulhu;79026]I just found this trojan. Judging by the name of the executable section, I suppose the packer's name is STPack,
but I found nothing about it.

Password: malware


Thanks for sharing. The unpacking process is not that hard, just a few SEH chains.

Microsoft: PWS:Win32/Yessim.gen
AVG: PSW.Banker5.CSX

Cthulhu
February 2nd, 2009, 13:33
I've been trying all day long to unpack this trojan without success.
If I step over the calls, Olly throws a message saying there was an access violation at [00000000].
So I set a breakpoint at the exception handler at 4AB35C, and every time it breaks I can execute the function without the access violation.
After that I passed the place where it resolves some API addresses, and I got here:

Code:

0043F000 B8 CCCF4700 MOV EAX,Proc_324.0047CFCC
0043F005 50 PUSH EAX
0043F006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0043F00D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0043F014 33C0 XOR EAX,EAX
0043F016 8908 MOV DWORD PTR DS:[EAX],ECX ; Proc_324.004AB35C
0043F018 50 PUSH EAX
0043F019 45 INC EBP
0043F01A 43 INC EBX
0043F01B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
0043F01C 6D INS DWORD PTR ES:[EDI],DX ; I/O command
0043F01D 70 61 JO SHORT Proc_324.0043F080
0043F01F 637432 00 ARPL WORD PTR DS:[EDX+ESI],SI
0043F023 39D4 CMP ESP,EDX ; ntdll.7C9037D8
0043F025 895F CE MOV DWORD PTR DS:[EDI-32],EBX
0043F028 3322 XOR ESP,DWORD PTR DS:[EDX]
0043F02A D1FA SAR EDX,1
0043F02C 24 47 AND AL,47
0043F02E A3 E3D99372 MOV DWORD PTR DS:[7293D9E3],EAX
0043F033 40 INC EAX
0043F034 62FD BOUND EDI,EBP ; Illegal use of register
0043F036 2243 E3 AND AL,BYTE PTR DS:[EBX-1D]
0043F039 D4 60 AAM 60
0043F03B 2A40 E7 SUB AL,BYTE PTR DS:[EAX-19]
0043F03E 0AA3 61E1EB1D OR AH,BYTE PTR DS:[EBX+1DEBE161]
0043F044 4A DEC EDX ; ntdll.7C9037D8
0043F045 41 INC ECX ; Proc_324.004AB35C
0043F046 08E8 OR AL,CH
0043F048 B2 0A MOV DL,0A
0043F04A C2 B8D4 RETN 0D4B8


Now I'm stuck, because in this function I get a lot of exceptions and I could not find a way to bypass them.
Since you said this is easy to unpack, I may be missing something very obvious.
Can someone point me in the right direction?

Cthulhu
February 3rd, 2009, 07:36
Forget the previous post. I managed to unpack it.

tbarabasz
July 20th, 2009, 13:09
Could you please tell us how you did it?
I've just got a piece of malware with the same characteristics. I'm trying to unpack it, but I couldn't get very far... it would be great if you could give some help!

Thanks in advance

evaluator
July 20th, 2009, 14:28
Upload it if you see hard tricks in the unpacking.

vect0r
July 20th, 2009, 17:17
Enlighten us.

Kayaker
July 20th, 2009, 18:34
What's with the PECompact2 string in the above code? Bogus? Double packed?
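The listing in Cthulhu's post and Kayaker's question about the PECompact2 string can be tied together by turning the Olly output back into raw bytes. The script below is an added example, not code from the original thread or from any tool mentioned in it. It parses the posted listing (comment columns trimmed), checks that the rows are contiguous, finds the SEH frame install (PUSH FS:[0] / MOV FS:[0],ESP) together with the handler address pushed just before it, locates the deliberate write through a null pointer (XOR EAX,EAX / MOV [EAX],ECX) that raises the access violation at [00000000], and reads the printable bytes that follow. Those bytes, 50 45 43 6F 6D 70 61 63 74 32 00, are the ASCII string "PECompact2" and are exactly what Olly is disassembling as PUSH EAX / INC EBP / INC EBX / OUTS ... in the post. The byte patterns searched for are taken from this one listing and are an assumption of the example, not a general packer signature; the even-length hex-token rule for splitting Olly's byte column from its mnemonic column is a heuristic of the example as well.

```python
"""Reconstruct the raw bytes behind an OllyDbg listing and show why the code
after the SEH frame is data: a deliberate write through a null pointer hands
control to the pushed handler, so the bytes after the fault never execute.
Added example; the listing is the one from the thread, comment columns trimmed."""
import re
import struct

# Listing copied from Cthulhu's post (Olly's trailing ';' comments removed).
LISTING = """\
0043F000 B8 CCCF4700 MOV EAX,Proc_324.0047CFCC
0043F005 50 PUSH EAX
0043F006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0043F00D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0043F014 33C0 XOR EAX,EAX
0043F016 8908 MOV DWORD PTR DS:[EAX],ECX
0043F018 50 PUSH EAX
0043F019 45 INC EBP
0043F01A 43 INC EBX
0043F01B 6F OUTS DX,DWORD PTR ES:[EDI]
0043F01C 6D INS DWORD PTR ES:[EDI],DX
0043F01D 70 61 JO SHORT Proc_324.0043F080
0043F01F 637432 00 ARPL WORD PTR DS:[EDX+ESI],SI
0043F023 39D4 CMP ESP,EDX
0043F025 895F CE MOV DWORD PTR DS:[EDI-32],EBX
0043F028 3322 XOR ESP,DWORD PTR DS:[EDX]
0043F02A D1FA SAR EDX,1
0043F02C 24 47 AND AL,47
0043F02E A3 E3D99372 MOV DWORD PTR DS:[7293D9E3],EAX
0043F033 40 INC EAX
0043F034 62FD BOUND EDI,EBP
0043F036 2243 E3 AND AL,BYTE PTR DS:[EBX-1D]
0043F039 D4 60 AAM 60
0043F03B 2A40 E7 SUB AL,BYTE PTR DS:[EAX-19]
0043F03E 0AA3 61E1EB1D OR AH,BYTE PTR DS:[EBX+1DEBE161]
0043F044 4A DEC EDX
0043F045 41 INC ECX
0043F046 08E8 OR AL,CH
0043F048 B2 0A MOV DL,0A
0043F04A C2 B8D4 RETN 0D4B8
"""

HEXGROUP = re.compile(r"^[0-9A-F:]+$")


def parse_listing(text):
    """Return [(address, raw_bytes, mnemonic_text)] from space-collapsed Olly output.
    Heuristic (assumption of this example): a token is part of the byte column
    if, with the segment-prefix ':' removed, it is all hex and has even length,
    i.e. whole bytes. That keeps 'DEC' in '4A DEC EDX' out of the byte column."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        addr = int(tokens[0], 16)
        raw = b""
        i = 1
        while i < len(tokens):
            t = tokens[i].replace(":", "")
            if not (HEXGROUP.match(t) and len(t) % 2 == 0):
                break
            raw += bytes.fromhex(t)
            i += 1
        rows.append((addr, raw, " ".join(tokens[i:])))
    return rows


def flatten(rows):
    """Concatenate the bytes, checking each row starts where the previous ended."""
    base = rows[0][0]
    blob = b""
    for addr, raw, _ in rows:
        if addr != base + len(blob):
            raise ValueError(f"gap in listing at {addr:08X}")
        blob += raw
    return base, blob


# Patterns taken from this listing (assumed, not a general signature):
SEH_FRAME = bytes.fromhex("64FF3500000000" "648925" "00000000")  # PUSH FS:[0] ; MOV FS:[0],ESP
NULL_WRITE = bytes.fromhex("33C0" "8908")                       # XOR EAX,EAX ; MOV [EAX],ECX


def find_seh_trick(base, blob):
    """Locate the handler install and the deliberate fault; return the handler,
    the faulting instruction's address, and the printable data that follows."""
    off = blob.find(SEH_FRAME)
    if off < 0:
        return None
    handler = None
    # The handler is whatever was pushed right before the frame install:
    # MOV EAX,imm32 ; PUSH EAX (6 bytes) or PUSH imm32 (5 bytes).
    if off >= 6 and blob[off - 6] == 0xB8 and blob[off - 1] == 0x50:
        handler = struct.unpack_from("<I", blob, off - 5)[0]
    elif off >= 5 and blob[off - 5] == 0x68:
        handler = struct.unpack_from("<I", blob, off - 4)[0]
    hit = blob.find(NULL_WRITE, off + len(SEH_FRAME))
    if hit < 0:
        return None
    fault = hit + 2                      # the MOV [EAX],ECX, not the XOR before it
    data_off = hit + len(NULL_WRITE)     # first byte that never executes
    text = b""
    for b in blob[data_off:]:            # read printable ASCII up to the first non-printable byte
        if 0x20 <= b < 0x7F:
            text += bytes([b])
        else:
            break
    return {
        "handler": handler,
        "fault_addr": base + fault,
        "data_addr": base + data_off,
        "string": text.decode("ascii"),
    }


if __name__ == "__main__":
    base, blob = flatten(parse_listing(LISTING))
    print(find_seh_trick(base, blob))
```

Run on the listing above, the script reports the handler 0x0047CFCC pushed at 0043F000, the faulting MOV at 0043F016 and the string "PECompact2" starting at 0043F018. The bytes cannot tell you whether that string is a bogus marker or a genuine second layer, only that execution leaves through the exception handler before reaching it and that everything Olly shows after the fault should be read as data until the handler's destination is known.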