I recently started doing some malware reversing, and the second application I met is an app called ohhai.exe.
As all packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code.
Looking through the code I found a function called RunPe; I found out this is a common way to hide viruses within VB code.
The problem is that there does not seem to be much information on how to unpack these. I found two:
http://www.opensc.ws...king-runpe.html
http://interestingma...cryptrunpe.html
which both have easy steps, but I don't seem to be able to follow these.
If I run it and then attach to it, OllyDbg runs at the address 77A50000 + 13BFFE; trying to dump this using OllyDump I get a crashed OllyDbg.
If I run it with OllyDbg2 and have the debug child option enabled, I get a debugging session with a modified executable that starts at 00401394, but this seems to be a RunPE too. I tried to dump this to disk, but I'm not able to rebuild the exe so it is runnable.
Could anyone point me in the right direction or explain how I should unpack this?
Here is the link to the virus (AFAIK original link):
---EDIT-- See attached file, Password: tuts4you
Here's a link to a ThreatExpert report:
http://www.threatexp...9b470aa98f2a416
Thanks for your help, Phasip.
Edited by Phasip, 07 December 2010 - 02:40 PM.
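On the "dumped it but can't rebuild it" problem: an image copied straight out of process memory keeps the in-memory section layout, while its section headers still describe the original on-disk layout, so a loader rejects the file until PointerToRawData/SizeOfRawData and FileAlignment are realigned (import reconstruction is a separate step after that). Added example, not code from the post or the linked tutorials: the offsets are standard PE header layout, the function names and the constructed sample header are my own, and it does not touch the attached sample.

```python
import struct

def _headers(image):
    """Return (e_lfanew, NumberOfSections, optional-header offset, section-table offset)."""
    if image[:2] != b"MZ": raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # FileHeader.SizeOfOptionalHeader
    return pe, nsec, pe + 24, pe + 24 + opt_size

def realign_memory_dump(image: bytes) -> bytes:
    """Make a PE copied out of process memory loadable from disk again: every section
    already sits at its VirtualAddress, so the raw fields are rewritten to match."""
    buf = bytearray(image)
    _, nsec, opt, sh = _headers(buf)
    sec_align = struct.unpack_from("<I", buf, opt + 32)[0]   # OptionalHeader.SectionAlignment
    struct.pack_into("<I", buf, opt + 36, sec_align)         # FileAlignment := SectionAlignment
    for i in range(nsec):
        off = sh + 40 * i                                    # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)
        struct.pack_into("<II", buf, off + 16, vsize, vaddr) # SizeOfRawData, PointerToRawData
    return bytes(buf)

def section_table(image: bytes):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    _, nsec, _, sh = _headers(image)
    rows = []
    for i in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", image, sh + 40 * i)
        rows.append((name.rstrip(b"\0").decode(), vs, va, rs, rp))
    return rows

def alignments(image: bytes):
    """(SectionAlignment, FileAlignment) from the optional header."""
    _, _, opt, _ = _headers(image)
    return struct.unpack_from("<II", image, opt + 32)

def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump (not a real sample): sections mapped at
    0x1000 granularity while the raw fields still describe a 0x200-aligned file."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                     # SectionAlignment, FileAlignment
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in ((b".text", 0x500, 0x1000, 0x600, 0x400),
                                              (b".data", 0x100, 0x2000, 0x200, 0xA00)))
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    return hdr + b"\0" * (0x3000 - len(hdr))                # pad to a SizeOfImage-like length
```

Run `realign_memory_dump` over the raw image you dumped, then feed the result to your import fixer; after realignment, `section_table` should show each section's raw pointer equal to its RVA.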