Jump to content
Tuts 4 You

WINDAZ, sLOTz, FALAFEL, KSCRACKiNG


Aguila

Recommended Posts

Some guy is spreading his bot via scene releases.

Mirc.v7.0.Incl.Keymaker-WiNDAZ
Nero.v9.9.4.26.0b.Incl.Keymaker-WiNDAZ
ESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ
JESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ
Avast.Internet.Security.v5.0.545.Incl.Keymaker-WiNDAZJules.v2.0.Cracked-sLOTz
Eastern.Slots.v3.0.Cracked-sLOTz
Cortez.Treasure.v1.0.Cracked-sLOTzKaspersky.Keygen.V1.WORKiNG.WiNALL-KSCRACKiNGWINX.HD.CAMCORDER.VIDEO.CONVERTER.V3.0-FALAFEL
FRESH.VIEW.V7.94.READ.NFO-FALAFEL
FRESH.DOWNLOAD.V8.48.READ.NFO-FALAFEL
........

Let's analyze his "work".

idx.exe -> Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - Overlay : 2F7C5C... Nothing discovered

Set up some VM.

Use reflector to reveal the sourcecode. Result: .NET stub, which hides the real bot.

Use Ollydbg to unpack. BP WriteProcessMemory -> buffer / create backup, dump to file

Use some hexeditor to correct the backup.

idx_unpacked.exe -> Microsoft Visual C++ ver. ~6.0~7.0 - Overlay : 000000... Nothing discovered

Awesome, what a nice bot (you can buy...). Google: gBot v2

Selfcopy to %windir%\system32. Name: srvhost64.exe

Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Server Cache

Injecting some code to winlogon.exe, so BP WriteProcessMemory

Inside winlogon.exe -> connecting to IRC 1.privatetorrent.org

Somebody want to take over a botnet? :thumbsup:

idx.rar

Link to comment

I don't know what you are trying to do, but whatever it is, it is not very productive.

1. Don't waste your time on anti-debug stuff in malware, because there are plenty plugins which hide your debugger very well.

2. zsb.exe in your rar file is protected with VMProtect. Maybe you should read some tutorial about unpacking it (use the search), but it is a pretty hard protector, not suitable for unpacking beginners.

I only briefly looked in the rar file:

ZeuS_Builder 1.3.x.x.exe -> upx packed, completly coded in visual basic 6 (inclusive server) = not worth any dollars!

content BackConnect -> visual basic 6, nothing special = not worth any dollars!

content External VNC -> visual basic 6, nothing special = not worth any dollars!

content FreeZS-panel -> looks interesting, but it is only a webpanel (no exploit kit)

content Tools -> Freeware

content Configuration builder -> interesting, but without license a useless builder. Unpacking the builder is some other topic.

Edited by k11
Link to comment

Use the most recent version of StrongOD. You can download it from this thread: http://forum.tuts4you.com/index.php?showtopic=19480 (last page)

Remove all other hide plugins and set all ticks in StrongOD. Then debugging with Olly is no problem.

use the search, you can find a lot of information about anti-debug stuff in VMProtect. Maybe LCF-AT or quosego will help you unpack it. I think they are the best VMProtect unpackers in this forum.

Edited by k11
Link to comment
do you think its possible to beat the license key scheme... or is it not even worth trying

posible, sure.somehow.

As far as i know, vmprotect can be unpacked with this nice script by LCF_AT.

The VM i supposed to be quiet hardcore though.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...