#1
Well....
Hi guys,
I have unpacked and dumped the final version, and that's not difficult. The hard part is the nanomites. I tried using Ricnar's approach (searching for 800003 and so on), but it seems that something has changed in this version. Unfortunately I haven't had the time to dig deeper into it yet. But if anyone has a working approach on how to solve this, please post a few words.
Regards, hobgoblin
#2
nanomites
The nanomites in the newer version need a new approach. I have made this new approach, and with it the nanomites in the new version are easy to solve.
I'm looking for a job right now, so I'm not writing a tutorial at the moment. The only thing I'll say: use your brain, use your imagination. The new nanos are very easy to solve; for me they were easier than the previous versions. IMAGINATION, BE FLEXIBLE.
Ricardo Narvaja
#3
Quote:
Code:
0062E9AB 81F2 03000080    XOR EDX,80000003
0062E9B1 3995 D4F5FFFF    CMP DWORD PTR SS:[EBP-A2C],EDX
0062E9B7 0F85 BC0B0000    JNZ newsLeec.0062F579
After that there is a GetThreadContext... After that there is a compare, where it compares the "crypted" value with the "crypted" table.
Code:
0062F175 > 52             PUSH EDX                              --< EDX has the correct table values
0062F176   8B85 64EEFFFF  MOV EAX,DWORD PTR SS:[EBP-119C]
0062F17C   FF1485 A8786500 CALL DWORD PTR DS:[EAX*4+6578A8]     --< crypter call
0062F183   83C4 04        ADD ESP,4
0062F186   8985 94EBFFFF  MOV DWORD PTR SS:[EBP-146C],EAX
0062F18C   C785 90EBFFFF 0>MOV DWORD PTR SS:[EBP-1470],0
0062F196   8B8D 64EEFFFF  MOV ECX,DWORD PTR SS:[EBP-119C]
0062F19C   8B148D 88996500 MOV EDX,DWORD PTR DS:[ECX*4+659988]
0062F1A3   8995 70EEFFFF  MOV DWORD PTR SS:[EBP-1190],EDX
0062F1A9   8B85 90EBFFFF  MOV EAX,DWORD PTR SS:[EBP-1470]
0062F1AF   3B85 70EEFFFF  CMP EAX,DWORD PTR SS:[EBP-1190]
0062F1B5   7D 5C          JGE SHORT newsLeec.0062F213
0062F1B7   8B85 70EEFFFF  MOV EAX,DWORD PTR SS:[EBP-1190]
0062F1BD   2B85 90EBFFFF  SUB EAX,DWORD PTR SS:[EBP-1470]
0062F1C3   99             CDQ
0062F1C4   2BC2           SUB EAX,EDX
0062F1C6   D1F8           SAR EAX,1
0062F1C8   8B8D 90EBFFFF  MOV ECX,DWORD PTR SS:[EBP-1470]
0062F1CE   03C8           ADD ECX,EAX
0062F1D0   898D 8CEBFFFF  MOV DWORD PTR SS:[EBP-1474],ECX
0062F1D6   8B95 64EEFFFF  MOV EDX,DWORD PTR SS:[EBP-119C]
0062F1DC   8B0495 28996500 MOV EAX,DWORD PTR DS:[EDX*4+659928]
0062F1E3   8B8D 8CEBFFFF  MOV ECX,DWORD PTR SS:[EBP-1474]
0062F1E9   8B95 94EBFFFF  MOV EDX,DWORD PTR SS:[EBP-146C]
0062F1EF   3B1488         CMP EDX,DWORD PTR DS:[EAX+ECX*4]
0062F1F2   76 11          JBE SHORT newsLeec.0062F205
.
#4
NEW APPROACH
You are using my OLD APPROACH from my old Armadillo tutorials. I now have a new approach, completely different, and it works perfectly in the latest version and in all versions, old and new, hehe.
Ricardo
#5
Interesting
Eggi or Ricardo,
Have either of you noticed the following, and do you have insight on its meaning?
Code:
0062EB75  . 51             PUSH ECX
0062EB76  . 0FC9           BSWAP ECX
0062EB78  . F7D1           NOT ECX
0062EB7A  . 50             PUSH EAX
0062EB7B  . F7D0           NOT EAX
0062EB7D  . B8 6D69656C    MOV EAX,6C65696D
0062EB82  . 91             XCHG EAX,ECX
0062EB83  . B9 DEC0ADDE    MOV ECX,DEADC0DE
0062EB88  . 91             XCHG EAX,ECX
0062EB89  . F7D0           NOT EAX
0062EB8B  . 58             POP EAX
0062EB8C  . F7D1           NOT ECX
0062EB8E  . 59             POP ECX
0062EB8F  . 9C             PUSHFD
0062EB90  . 60             PUSHAD
0062EB91  . 33DB           XOR EBX,EBX
0062EB93  . 74 03          JE SHORT mytarget.0062EB98
What's the significance of location 62EB83? It caught my eye, but I haven't dug any deeper, since I was searching and trying to figure out the nanos on this one. When I searched for this same data throughout the source, I found the same section of code duplicated many times, and deduced that it is part of the obfuscation.
Wackyass
Last edited by Wackyass; 09-29-2004 at 10:28.
#6
I'll make a tutorial when I have found a job
Patience.
Ricardo Narvaja