Jump to content
Tuts 4 You

[CrackMe] Remove Nag


Recommended Posts

what does the virus do?

I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll but thats about it.

Could have sandbox detection?

Link to comment
Share on other sites

who moved this to Malicious Software Research?

i haven't tried to reverse it but i did see it drops some dll

its made in vb and i don't think its a virus

nothing unusual on my system since i ran this ****

Link to comment
Share on other sites

if we use of olly for run it , so , it extract Shadovv.dll into system32 folder and detect our olly .

if we delete shadovv.dll of system32 , then terminate app and not run ...


Link to comment
Share on other sites

Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

00401080   .- FF25 2C104000  JMP DWORD PTR DS:[40102C]	;  MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance:



00402D74   .  47 65 74 56 65>ASCII "GetVersionExA",0
00402D84 00204000 DD Remove_N.00402000 ; ASCII "kernel32"
00402D88 742D4000 DD Remove_N.00402D74 ; ASCII "GetVersionExA"
00402D90 D4784000 DD Remove_N.004078D4
00402D9C . A1 DC784000 MOV EAX,DWORD PTR DS:[4078DC] // null pointer
00402DA1 . 0BC0 OR EAX,EAX // check if null (if not null, function address is not acquired)
00402DA3 . 74 02 JE SHORT 00402DA7 // jump or not based on above condition
00402DA5 . FFE0 JMP EAX // if internal function (as in pointer is not null), then jump to it
00402DA7 > 68 842D4000 PUSH 402D84 // push library
00402DAC . B8 80104000 MOV EAX,401080 // set EAX to VB_caller
00402DB1 . FFD0 CALL EAX // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
00402DB3 . FFE0 JMP EAX // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit..

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY..

10001000	PUSH EBP
10001001 MOV EBP,ESP
10001003 CMP DWORD PTR SS:[EBP+C],1
10001007 JNZ SHORT 1000100B
10001009 JMP SHORT 10001021
1000100F JNZ SHORT 10001013
10001011 JMP SHORT 10001021
10001013 CMP DWORD PTR SS:[EBP+C],2
10001017 JNZ SHORT 1000101B
10001019 JMP SHORT 10001021
1000101F JNZ SHORT 10001021
10001021 LEAVE
10001022 RET 0C
Edited by SunBeam
Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...