[CrackMe] Remove Nag

[Sh4DoVV]

Hi Friends

Please Patch First Nag :-)

Please Report Dificaulty

Go0d Luck

Remove_Nag.zip

Edited March 7, 2009 by Teddy Rogers
Edited topic title...

[xsp!d3r]

it doesn't run for me

[GioTiN]

work on this

[piaoyun]

it doesn't run for me too~

[ArslanBhatti]

its a virus

[hitle_vn127]

Hi Friends

Please Patch First Nag :-)

Please Report Dificaulty

Go0d Luck

It' virus!

[Squn ★]

it doesn't run for me either.....

[TreaxeR]

Please remove the link if the virus is

[aztecx]

what does the virus do?

I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll but thats about it.

Could have sandbox detection?

[GEEK]

who moved this to Malicious Software Research?

i haven't tried to reverse it but i did see it drops some dll

its made in vb and i don't think its a virus

nothing unusual on my system since i ran this ****

[Gladiator]

it seems that used dll injection because of this all AV detect it as a virus.

[sadiqhirani]

dropper detected so some injection technique might b used

[GioTiN]

if we use of olly for run it , so , it extract Shadovv.dll into system32 folder and detect our olly .

if we delete shadovv.dll of system32 , then terminate app and not run ...

Bye

[SunBeam]

Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

00401080   .- FF25 2C104000  JMP DWORD PTR DS:[40102C]	;  MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance:

Detailing:

00402D74   .  47 65 74 56 65>ASCII "GetVersionExA",0
..
00402D84	  00204000	   DD Remove_N.00402000			;  ASCII "kernel32"
00402D88	  742D4000	   DD Remove_N.00402D74			;  ASCII "GetVersionExA"
..
00402D90	  D4784000	   DD Remove_N.004078D4
..
00402D9C   .  A1 DC784000	MOV EAX,DWORD PTR DS:[4078DC] // null pointer
00402DA1   .  0BC0		   OR EAX,EAX // check if null (if not null, function address is not acquired)
00402DA3   .  74 02		  JE SHORT 00402DA7 // jump or not based on above condition
00402DA5   .  FFE0		   JMP EAX // if internal function (as in pointer is not null), then jump to it
00402DA7   >  68 842D4000	PUSH 402D84 // push library
00402DAC   .  B8 80104000	MOV EAX,401080 // set EAX to VB_caller
00402DB1   .  FFD0		   CALL EAX // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
00402DB3   .  FFE0		   JMP EAX // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit..

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY..

10001000	PUSH EBP
10001001	MOV EBP,ESP
10001003	CMP DWORD PTR SS:[EBP+C],1
10001007	JNZ SHORT 1000100B
10001009	JMP SHORT 10001021
1000100B	CMP DWORD PTR SS:[EBP+C],0
1000100F	JNZ SHORT 10001013
10001011	JMP SHORT 10001021
10001013	CMP DWORD PTR SS:[EBP+C],2
10001017	JNZ SHORT 1000101B
10001019	JMP SHORT 10001021
1000101B	CMP DWORD PTR SS:[EBP+C],3
1000101F	JNZ SHORT 10001021
10001021	LEAVE
10001022	RET 0C

Edited March 16, 2009 by SunBeam

[xsp!d3r]

heu O_o didn't know that it's packed maybe it's a VB Packer!!

[Godkiller]

it was bad,don't run in my machine!