I don't know happened with this file

January 21, 2010

hi..can I ask for your help plz?

before i ask for your help, sorry for my bad english cos i'm from indonesia.

this file not an original from the author, cos it was infected from my computer.

lot's my file in harddrive has been infected by this.

thx 4 your help and time.

devilz's KeyGen-me N

January 21, 2010

is it passworded? because according to the rules above your post, it MUST be.

cheers

January 21, 2010

yup..if u you opened with winrar, you can see the password.

password 2 open : 0000

January 21, 2010

hi..can I ask for your help plz?
before i ask for your help, sorry for my bad english cos i'm from indonesia.
this file not an original from the author, cos it was infected from my computer.
lot's my file in harddrive has been infected by this.
thx 4 your help and time.
devilz's KeyGen-me N

January 22, 2010

thx shaddy..what about with an application which use crypto or well protected with themida or asprotect???

should i find the original oep??

January 22, 2010

thx shaddy..what about with an application which use crypto or well protected with themida or asprotect???
should i find the original oep??

If you mean the file dropped, is not protected by any protector, but is compressed. The compressor used is UPX. The functionality of this infected file is basic:

Gets the system temporary path.


.tc:0040509C lea     eax, (aGettemppatha - 4000h)[ebx] ; "GetTempPathA"
.tc:004050A2 push    eax
.tc:004050A3 push    edx
.tc:004050A4 call    edi             ; GetTempPathA

Create the file "expor.exe".


.tc:004050C4 lea     ecx, (aExpor_exe - 4000h)[ebx] ; "Expor.exe"
.tc:004050CA push    ecx
.tc:004050CB mov     ecx, esp
.tc:004050CD add     ecx, 4
.tc:004050D0 push    ecx
.tc:004050D1 call    eax             ; lstrcatA
.tc:004050D3 lea     eax, (aCreatefilea - 4000h)[ebx] ; "CreateFileA"
.tc:004050D9 push    eax
.tc:004050DA mov     edx, ds:(dGetProcAddress - 4000h)[ebx]
.tc:004050E0 push    edx
.tc:004050E1 call    edi             ; GetProcAddress
.tc:004050E3 mov     ecx, esp
.tc:004050E5 push    0
.tc:004050E7 push    80h
.tc:004050EC push    2
.tc:004050EE push    0
.tc:004050F0 push    0
.tc:004050F2 push    0C0000000h
.tc:004050F7 push    ecx
.tc:004050F8 call    eax             ; CreateFile

And writes de content of it.


.tc:004050FC lea     ecx, (aWritefile - 4000h)[ebx] ; "WriteFile"
.tc:00405102 push    ecx
.tc:00405103 push    ecx
.tc:00405104 mov     edx, ds:(dGetProcAddress - 4000h)[ebx]
.tc:0040510A push    edx
.tc:0040510B call    edi             ; GetProcAddress
.tc:0040510D pop     ecx
.tc:0040510E push    0               ; lpOverlapped
.tc:00405110 push    ecx             ; lpNumberOfBytesWritten
.tc:00405111 add     ecx, 0Ah        ; Pointer to 'MZ' deleted
.tc:00405114 mov     edx, [ecx]
.tc:00405116 push    edx             ; nNumberOfBytesToWrite
.tc:00405117 push    ecx             ; hBuffer
.tc:00405118 mov     edx, 905A4Dh
.tc:0040511D mov     [ecx], edx      ; Restore 'MZ' Header
.tc:0040511F push    esi             ; hFile
.tc:00405120 call    eax             ; Write

With this information you can locate the attachment block to dump it. (Pointer to WriteFile string + 0xA).

004051EA 00 66 00 00 03 00 00 00 04 00 00 00 FF FF 00 00 .f..........

January 22, 2010

big thank's to you shady

Sign In

I don't know happened with this file

Recommended Posts

h3201n3

HaQue

h3201n3

Shaddy

h3201n3

Shaddy

h3201n3

Create an account or sign in to comment

Create an account

Sign in

Community

Search