Tuts 4 You

What hell has happend?


BOSCH


My friends, I have a problem! For some days I have been trying to reverse with Olly, and in every application the start assembly code is:

0049596E > $- E9 8DA6B07F JMP 7FFA0000
00495973 . 68 20 7B 4A 0>ASCII "h {J",0
00495978 . 68 78 5D 49 0>ASCII "hx]I",0...

When I restore Windows everything is OK, and in the application I am reversing the code is:

PUSH EBP
MOV EBP,ESP...

I can't find which application causes it! Perhaps it is a virus? I checked my PC with Avast and Malwarebytes, but everything is OK!

Thanks in advance!


That sounds like a virus... One of those viruses that append themselves before every app.

Quite annoying to get rid of. I also once found a virus the same way.

You might want to try a different virus checker.


Thank you, my friend, for your answers, but yesterday I restored my Windows again and installed every application one by one, and I found that the cause of all this was only one thing, but I can't believe it: ZoneAlarm Firewall, the latest version! Now, if someone can tell me why, I would like to know! :confused:

Edited by BOSCH

  • 3 weeks later...

A hint. Years ago I was known for cracking boxes with ZoneAlarm on them and changing the filename to "zoneHAHAHAlarm.exe". There's been a massive spate of backdoors via ZoneAlarm, Norton, Adobe and other stuff (check vulpen.com).

Windows Firewall does a pretty fair job, I will say. Personally I'm using Comodo Firewall and Avast to check files (I've had to send a few in to them because it didn't pick them up; overall it's not so paranoid: "This file was compressed, it's a virus!" gah!).

Just for sport: AVG had an interesting feature for XP. If you tried the 60-day trial and uninstalled it, it'd continuously reboot your system.

As for the initial problem: the entry point seems VERY obfuscated if you get that on EVERY programme. Some firewalls "use" malware-like code because "you are not meant to be reverse engineering". Maybe ZoneAlarm now hooks proggies before execution and redirects them; not sure, but I would not be surprised. And I'm not about to install ZoneAlarm either ;)

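The entry-point listing in the first post and the hooking guess in the reply above can be checked mechanically rather than by eye. The following is an added example written for this page; it is not code from the thread, from OllyDbg or from ZoneAlarm. The machine-code bytes and virtual addresses are those of the posted listing; the image base (0x00400000), image size (0x100000) and the on-disk prologue (55 8B EC, the PUSH EBP / MOV EBP,ESP seen after the restore) are assumed values for illustration. It decodes the E9 rel32 JMP (displacement 7FB0A68D added to the address of the next instruction, 00495973, gives 7FFA0000, far above the module's image), flags an entry point whose first instruction jumps outside the module, and shows that the bytes OllyDbg rendered as ASCII "h {J" and "hx]I" are two PUSH imm32 instructions (68 20 7B 4A 00 is PUSH 004A7B20), consistent with a five-byte inline patch over the original prologue that left the disassembler out of sync.

```python
"""Inspect a 32-bit entry point that has been redirected with an inline JMP.

Added example for this thread; not code from the posts or from any vendor.
Bytes and addresses are taken from the OllyDbg listing in the first post.
The image base, image size and on-disk prologue are ASSUMED for illustration.
"""
import struct

# Constructed from the listing: bytes shown at entry point 0049596E while
# the problem was present.
ENTRY_VA = 0x0049596E
HOOKED_ENTRY = bytes.fromhex(
    "E9 8D A6 B0 7F"   # JMP 7FFA0000
    "68 20 7B 4A 00"   # shown by Olly as ASCII "h {J" (disassembly out of sync)
    "68 78 5D 49 00"   # shown by Olly as ASCII "hx]I"
)
# Prologue seen after the Windows restore: PUSH EBP / MOV EBP,ESP (assumed
# to be what the file on disk contains at the entry point).
CLEAN_ENTRY = bytes.fromhex("55 8B EC")

# Assumed module layout: common default base for a 32-bit EXE; size is made up.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00100000


def decode_jmp_rel32(va, code):
    """Return the absolute target if `code` at virtual address `va` starts with
    an E9 rel32 JMP, else None. Target = address of the next instruction plus
    the signed 32-bit displacement, wrapped to 32 bits as on x86."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + disp) & 0xFFFFFFFF


def decode_push_imm32(code):
    """Return the immediate of a 68 imm32 PUSH at the start of `code`, else None."""
    if len(code) < 5 or code[0] != 0x68:
        return None
    return struct.unpack_from("<I", code, 1)[0]


def decode_after_jmp(code):
    """Decode the PUSH imm32 instructions that follow the 5-byte JMP; these are
    the bytes OllyDbg displayed as ASCII strings."""
    pushes = []
    off = 5
    while True:
        imm = decode_push_imm32(code[off:])
        if imm is None:
            break
        pushes.append(imm)
        off += 5
    return pushes


def entry_point_redirected(va, code, image_base, image_size):
    """True if the first instruction at the entry point is a JMP whose target
    lies outside the module's own mapped range [image_base, image_base+size).
    A JMP that stays inside the image is left alone (many packers start that way)."""
    target = decode_jmp_rel32(va, code)
    if target is None:
        return False
    return not (image_base <= target < image_base + image_size)


def entry_patched_in_memory(memory_code, disk_code):
    """Compare the bytes seen in the debugger with those expected from the file
    on disk over the shorter length; a mismatch is the classic sign of an inline
    patch, whether a security product or malware installed it."""
    n = min(len(memory_code), len(disk_code))
    return memory_code[:n] != disk_code[:n]


if __name__ == "__main__":
    target = decode_jmp_rel32(ENTRY_VA, HOOKED_ENTRY)
    print(f"JMP target: {target:08X}")
    print("pushes after JMP:", [f"{p:08X}" for p in decode_after_jmp(HOOKED_ENTRY)])
    print("redirected outside image:",
          entry_point_redirected(ENTRY_VA, HOOKED_ENTRY, IMAGE_BASE, IMAGE_SIZE))
    print("differs from on-disk prologue:",
          entry_patched_in_memory(HOOKED_ENTRY, CLEAN_ENTRY))
```

This is the comparison a debugger-side script would make: the bytes at the entry point as mapped in memory against the same offset in the file on disk, plus a range check on any JMP target. A target outside the image (here 7FFA0000) points at code the loader did not map from the executable, which is what distinguishes an injected hook from a legitimately packed entry point.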
