Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[CrackMe] Remove Nag

Sh4DoVV
Sh4DoVV
in CrackMe

Featured Replies

Posted

Hi Friends

Please Patch First Nag :-)

Please Report Dificaulty

Go0d Luck

Remove_Nag.zip

Edited by Teddy Rogers
Edited topic title...

it doesn't run for me :huh:

work on this ;)

it doesn't run for me too~

its a virus

Hi Friends

Please Patch First Nag :-)

Please Report Dificaulty

Go0d Luck

It' virus!

it doesn't run for me either.....

Please remove the link if the virus is

what does the virus do?

I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll but thats about it.

Could have sandbox detection?

who moved this to Malicious Software Research?

i haven't tried to reverse it but i did see it drops some dll

its made in vb and i don't think its a virus

nothing unusual on my system since i ran this ****

it seems that used dll injection because of this all AV detect it as a virus.

dropper detected so some injection technique might b used

if we use of olly for run it , so , it extract Shadovv.dll into system32 folder and detect our olly .

if we delete shadovv.dll of system32 , then terminate app and not run ...

Bye

Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

00401080   .- FF25 2C104000  JMP DWORD PTR DS:[40102C]	;  MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance:

2wm2h43.png

Detailing:

00402D74   .  47 65 74 56 65>ASCII "GetVersionExA",0
..
00402D84	  00204000	   DD Remove_N.00402000			;  ASCII "kernel32"
00402D88	  742D4000	   DD Remove_N.00402D74			;  ASCII "GetVersionExA"
..
00402D90	  D4784000	   DD Remove_N.004078D4
..
00402D9C   .  A1 DC784000	MOV EAX,DWORD PTR DS:[4078DC] // null pointer
00402DA1   .  0BC0		   OR EAX,EAX // check if null (if not null, function address is not acquired)
00402DA3   .  74 02		  JE SHORT 00402DA7 // jump or not based on above condition
00402DA5   .  FFE0		   JMP EAX // if internal function (as in pointer is not null), then jump to it
00402DA7   >  68 842D4000	PUSH 402D84 // push library
00402DAC   .  B8 80104000	MOV EAX,401080 // set EAX to VB_caller
00402DB1   .  FFD0		   CALL EAX // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
00402DB3   .  FFE0		   JMP EAX // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit..

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY..

10001000	PUSH EBP
10001001	MOV EBP,ESP
10001003	CMP DWORD PTR SS:[EBP+C],1
10001007	JNZ SHORT 1000100B
10001009	JMP SHORT 10001021
1000100B	CMP DWORD PTR SS:[EBP+C],0
1000100F	JNZ SHORT 10001013
10001011	JMP SHORT 10001021
10001013	CMP DWORD PTR SS:[EBP+C],2
10001017	JNZ SHORT 1000101B
10001019	JMP SHORT 10001021
1000101B	CMP DWORD PTR SS:[EBP+C],3
1000101F	JNZ SHORT 10001021
10001021	LEAVE
10001022	RET 0C

Edited by SunBeam

heu O_o didn't know that it's packed maybe it's a VB Packer!!

  • 2 weeks later...

it was bad,don't run in my machine!

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.