Tuts 4 You

I don't know happened with this file


h3201n3


Hi, can I ask for your help, please?

Before I ask for your help, sorry for my bad English, because I'm from Indonesia.

This file is not the original from the author, because it was infected from my computer.

Lots of my files on the hard drive have been infected by this.

Thanks for your help and time.

devilz's KeyGen-me N


Thanks shaddy. What about an application which uses crypto or is well protected with Themida or ASProtect?

Should I find the original OEP?

If you mean the dropped file: it is not protected by any protector, but it is compressed. The compressor used is UPX. The functionality of this infected file is basic:

Gets the system temporary path.


.tc:0040509C lea eax, (aGettemppatha - 4000h)[ebx] ; "GetTempPathA"
.tc:004050A2 push eax
.tc:004050A3 push edx
.tc:004050A4 call edi ; GetTempPathA

Creates the file "Expor.exe".


.tc:004050C4 lea ecx, (aExpor_exe - 4000h)[ebx] ; "Expor.exe"
.tc:004050CA push ecx
.tc:004050CB mov ecx, esp
.tc:004050CD add ecx, 4
.tc:004050D0 push ecx
.tc:004050D1 call eax ; lstrcatA
.tc:004050D3 lea eax, (aCreatefilea - 4000h)[ebx] ; "CreateFileA"
.tc:004050D9 push eax
.tc:004050DA mov edx, ds:(dGetProcAddress - 4000h)[ebx]
.tc:004050E0 push edx
.tc:004050E1 call edi ; GetProcAddress
.tc:004050E3 mov ecx, esp
.tc:004050E5 push 0
.tc:004050E7 push 80h
.tc:004050EC push 2
.tc:004050EE push 0
.tc:004050F0 push 0
.tc:004050F2 push 0C0000000h
.tc:004050F7 push ecx
.tc:004050F8 call eax ; CreateFile

And writes the content of it.


.tc:004050FC lea ecx, (aWritefile - 4000h)[ebx] ; "WriteFile"
.tc:00405102 push ecx
.tc:00405103 push ecx
.tc:00405104 mov edx, ds:(dGetProcAddress - 4000h)[ebx]
.tc:0040510A push edx
.tc:0040510B call edi ; GetProcAddress
.tc:0040510D pop ecx
.tc:0040510E push 0 ; lpOverlapped
.tc:00405110 push ecx ; lpNumberOfBytesWritten
.tc:00405111 add ecx, 0Ah ; Pointer to 'MZ' deleted
.tc:00405114 mov edx, [ecx]
.tc:00405116 push edx ; nNumberOfBytesToWrite
.tc:00405117 push ecx ; hBuffer
.tc:00405118 mov edx, 905A4Dh
.tc:0040511D mov [ecx], edx ; Restore 'MZ' Header
.tc:0040511F push esi ; hFile
.tc:00405120 call eax ; Write

With this information you can locate the attached block and dump it (pointer to the "WriteFile" string + 0xA).

004051EA 00 66 00 00 03 00 00 00 04 00 00 00 FF FF 00 00 .f..........
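As an added example (not part of shaddy's reply or the sample itself), a small Python extractor that follows the layout the disassembly shows: the embedded PE sits right after the "WriteFile\0" string, its first DWORD ("MZ\x90\x00") has been replaced by the block size, and the dropper restores that DWORD before calling WriteFile. The sample blob it runs on is constructed here, not taken from the real file.

```python
import struct
import sys

# Layout derived from the disassembly in the reply above (the test blob below is constructed).
MARKER = b"WriteFile\x00"                 # 9 chars + NUL = 0xA bytes, matching "add ecx, 0Ah"
MZ_DWORD = struct.pack("<I", 0x905A4D)    # "MZ\x90\x00", the value restored by "mov edx, 905A4Dh"

def locate_payload(unpacked: bytes) -> tuple[int, int]:
    """Return (offset, size) of the embedded block, mirroring the dropper's own arithmetic."""
    idx = unpacked.find(MARKER)
    if idx < 0:
        raise ValueError("WriteFile marker not found; is the file UPX-unpacked?")
    start = idx + len(MARKER)             # pointer to the WriteFile string + 0xA
    (size,) = struct.unpack_from("<I", unpacked, start)   # size overwrote the 'MZ' DWORD
    if size < 0x40 or start + size > len(unpacked):        # too small for a DOS header, or past EOF
        raise ValueError(f"implausible payload size 0x{size:X} at offset 0x{start:X}")
    return start, size

def extract_payload(unpacked: bytes) -> bytes:
    """Cut out the block and restore the deleted 'MZ' header, as the dropper does before WriteFile."""
    start, size = locate_payload(unpacked)
    block = bytearray(unpacked[start:start + size])
    block[:4] = MZ_DWORD
    (e_lfanew,) = struct.unpack_from("<I", block, 0x3C)   # sanity check: DOS header must point at "PE\0\0"
    if block[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("restored block does not look like a PE file")
    return bytes(block)

def build_sample() -> bytes:
    """Constructed blob: filler, the marker, then a tiny fake PE whose first DWORD is replaced by its size."""
    pe = bytearray(0x80)
    pe[0:4] = MZ_DWORD
    pe[4:16] = bytes.fromhex("03000000 04000000 FFFF0000")  # bytes following the size in the post's dump
    pe[0x3C:0x40] = struct.pack("<I", 0x40)                 # e_lfanew -> fake PE signature
    pe[0x40:0x44] = b"PE\x00\x00"
    stored = bytearray(pe)
    stored[0:4] = struct.pack("<I", len(pe))                 # the real sample stores 0x6600 here (00 66 00 00)
    return b"\x90" * 32 + MARKER + bytes(stored) + b"\x00" * 8

if __name__ == "__main__":
    # Usage: python extract_expor.py <upx-unpacked dropper> <output file>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample()
    payload = extract_payload(data)
    out = sys.argv[2] if len(sys.argv) > 2 else "expor_dumped.bin"
    open(out, "wb").write(payload)
    print(f"wrote {len(payload)} bytes to {out}")
```

Run it against the UPX-unpacked dropper to get the embedded file for analysis without executing the sample; hashing the dumped block is the usual next step for detection.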
