#1
04-15-2004, 06:35 AM
bergheim
Reversing this Trojan: http://216.115.95.98//38ble.chm

Hi everyone!

I just found the trojan mentioned in the subject residing on my hard drive. Decompiling it resulted in a file called "wincfgid.exe", which I tried to disassemble.

Unfortunately the file seems to be scrambled or packed with some tool I don't know.

I would appreciate any help in finding out how to deal with this!

TIA,
Bergheim
#2
04-16-2004, 10:30 AM
kw (Administrator)

Hello,

I checked it out; it appears to be packed with UPX. It is not unpackable through upx (command-line switch -d), however, because a scrambler has been used. So we will need to manually unpack this. For UPX this is quite a simple process, just get ProcDump and HIEW.. (google it)
For the general process, I'd say look for a tutorial on manually unpacking it. The first one I found was
http://66.102.9.104/search?q=cache:9oxGVjB...&hl=en&ie=UTF-8

But there might well be better ones out there.. Have a look for yourself.. Manual unpacking is done a lot, and UPX is a common packer, so it shouldn't be hard to find a good essay about it.

Make sure you don't mess things up and accidentally run the trojan.exe... Like I did. *cough*

laters,
KW
__________________
"It's people like this that make you realize how little you've accomplished. It is a sobering thought, for instance, that when Mozart was my age, he had been dead for two years." - Tom Lehrer
#3
04-17-2004, 07:15 AM
bergheim
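As an added illustration of kw's diagnosis (this is example code, not from the thread or from UPX itself): a stock UPX-packed PE carries UPX0/UPX1 section names and a "UPX!" marker after the section table, and `upx -d` relies on those; a scrambler that strips them leaves the section layout (an empty first section as unpack target, the stub plus compressed data in the second) as the remaining fingerprint. The sample images are constructed header-only PE files built inside the code.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Return [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size          # section table follows the optional header
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, off + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode("ascii", "replace"),) + f[1:5])
    return secs

def classify_upx(data):
    """'upx' = stock UPX, 'upx-scrambled' = UPX layout with markers removed, else 'unknown'."""
    secs = parse_sections(data)
    names = [s[0] for s in secs]
    has_marker = b"UPX!" in data[:0x400]            # magic UPX writes after the section table
    has_names = "UPX0" in names and "UPX1" in names
    # Stock UPX layout: first section is an empty unpack target (raw size 0, large virtual
    # size); the second holds the decompression stub plus the compressed data.
    layout = len(secs) >= 2 and secs[0][3] == 0 and secs[0][1] > 0 and secs[1][3] > 0
    if has_marker and has_names:
        return "upx"
    if layout:
        return "upx-scrambled"
    return "unknown"

def build_sample(names, marker, hollow_first=True):
    """Construct a header-only PE image for testing (constructed data, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    secs = b""
    for i, n in enumerate(names):
        raw = 0 if (i == 0 and hollow_first) else 0x1000
        secs += struct.pack(SECTION_HDR, n.ljust(8, b"\0"), 0x5000, 0x1000 * (i + 1),
                            raw, 0x400 if raw else 0, 0, 0, 0, 0, 0xE0000040)
    tail = (b"UPX!" if marker else b"\0" * 4) + b"\0" * 64
    return dos + coff + secs + tail

if __name__ == "__main__":
    print(classify_upx(build_sample([b"UPX0", b"UPX1", b".rsrc"], True)))      # upx
    print(classify_upx(build_sample([b".text", b".data", b".rsrc"], False)))   # upx-scrambled
```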

Ooops :-)

Thanks for your reply and the link to the tutorial!

What happened when you accidentally ran the trojan?

Thanks again,
Bergheim
#4
04-17-2004, 08:30 AM
kw (Administrator)

Only minor problems, nothing I couldn't fix (as far as I know, of course)
But still, it gave me quite a scare ;-)
What happened, by the way, was that I placed an infinite loop (EBFE) at the wrong location, one that never got executed. So execution proceeded as normal..
http://its.mine.nu/misc_crap/not_good.png shows what I saw then
Afterwards I did some cleaning etc, so I should be ok now anyway

KW
#5
04-17-2004, 10:47 AM
bergheim

I'm glad nothing serious happened to your machine :-)

I worked through the unpacking tutorial you talked about and found an OEP of 1040, the 61E9, but I'm still struggling with the EBFE trick (even though I understand what it does) - furthermore SoftIce won't run under my XP Pro, for whatever reason...

But there's a whole Sunday to come ;-)

Thanks for your help!

Bergheim
#6
10-12-2004, 02:45 AM
nrindah0

Poor kw, wounded in the line of duty.

Aren't these not the best moderators?

#7
10-17-2004, 04:44 AM
nrindah0

The link appears to be broken.

I'd actually like to have a look at it myself and wouldn't mind if you could aid me in obtaining a copy.

Thanks.
#8
10-18-2004, 09:02 AM
kw (Administrator)

I no longer have the file, maybe the original poster does?

-kw