xiaojiam Posted December 12, 2008 (edited)

Xiaojiam's keygenme #02!

name: Xiaojiam's Keygen.zip
size: 562 kb
code: yiyuyan
date: 12.12.2008

About: A very easy keygen.....

Rules:
1) No patching;
2) Find a serial for your name;
3) Make a keygen;

Xiaojiam__s_Keygen.zip

Edited December 12, 2008 by xiaojiam
GioTiN Posted December 12, 2008

It is very, very easy. If I have free time, I will write a keygen for you.

Name: GioTiN - Under SEH Team
Code: EA23IOI

Regards,
GioTiN
xiaojiam (Author) Posted December 12, 2008 (edited)

I'm waiting for you!

Edited December 12, 2008 by xiaojiam
Morpher Posted December 12, 2008

This is my keygen, hope it works: http://rapidshare.com/files/172808304/Xiao...Keygen.rar.html
Teddy Rogers Posted December 14, 2008

The [keygenme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
ghandi Posted December 23, 2008 (edited)

I downloaded this file today to take a look. Loaded the keygenme into Olly and looked at the code, to see what I was getting myself into. Imagine my surprise when I found that the executable decrypts a dll file that is attached as an overlay, saves it to the user's temp directory and then loads it, looking for a function called CreateNewSock.

Now, call me pessimistic, but that doesn't sound like a necessary function for a keygenme to be performing. I sent a copy of the keygenme to virustotal.org and it flagged multiple hits with the scanners there, although a lot still didn't detect anything amiss. 'Trojan-Dropper.Win32.Flystud' was the most common name, so with that information I then proceeded to ask google for the verdict...

According to the posts I read, this wasn't something that can be removed properly & easily. It opens a UDP port and downloads whatever the instigator has configured it to grab and install/run, also making changes in the windows system. The difference with this keygenme is that there isn't a self-executable in the payload, just this dll.

I am not sure what to think of this, because I haven't had too much trouble with viruses/trojans before, except the odd infected file downloaded and quarantined. I have opened the dropped dll with OllyDbg and it imports the winsock functions: connect, closesocket, bind and accept. (These are what the malware uses to access the internet.) Is this a framework that has been used by VX skiddies, thus being labelled as malware without deeper inspection?

Any information would be helpful, so to that end, can somebody who actually knows what they are doing please take a look at this keygenme and verify:

* If this is indeed malware, not just a mechanism that the AVs have flagged as malware.
* If this does indeed perform the functions that it would set out to achieve if it were malware, those being to open the port and d/l a file.

If I am wrong, I apologize in advance. However, one can never be too careful...

HR,
Ghandi

Edited December 23, 2008 by ghandi
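The triage ghandi describes (an encrypted DLL hidden in the PE overlay, plus telltale winsock names) can be checked before loading anything into a debugger. The script below is an added example written for this thread, not code from the keygenme or from any poster: it computes where the last section's raw data ends, treats everything after it as the overlay, measures the overlay's entropy (an encrypted blob sits near 8 bits per byte), and lists which of the names from the post occur in the file. The sample PE and overlay are constructed inline so it runs offline; the hypothetical `build_sample_pe` helper only emits the header fields the parser reads.

```python
import math
import struct
from collections import Counter

# Names ghandi reported: the export the dropper resolves and the winsock
# imports of the dropped DLL. A raw-byte hit is a triage hint, not proof.
SUSPECT_STRINGS = [b"CreateNewSock", b"connect", b"closesocket", b"bind", b"accept"]

def find_overlay(data: bytes) -> bytes:
    """Return the bytes appended after the last section's raw data (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):             # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; an encrypted or packed blob sits close to 8.0."""
    if not buf:
        return 0.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def triage(data: bytes) -> dict:
    """Summarise overlay size, overlay entropy and suspect-name hits for one file."""
    overlay = find_overlay(data)
    return {
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "suspect_strings": [s.decode() for s in SUSPECT_STRINGS if s in data],
    }

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image (one 0x200-byte section) with `overlay` appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * 0xE0 + section).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay

# Constructed stand-in for the encrypted DLL: high-entropy bytes plus the export name.
SAMPLE_OVERLAY = b"CreateNewSock" + bytes(range(256)) * 4
```

Running `triage(build_sample_pe(SAMPLE_OVERLAY))` reports a 1037-byte overlay with entropy just under 8.0 and the CreateNewSock hit, while the same image without an overlay reports size 0 and no hits; on a real sample, read the file with `open(path, "rb").read()` and pass it to `triage`.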