Skip navigation.
Home

More advanced unpacking - Part II

With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM, (aka Infostealer.Banker.C) The binaries are usually created with a tool called ZEUS Builder, and there exist lots of different versions in the wild. I found samples with and without rootkit functionality. They are also "ontop" packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways.

1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing

Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

Find the information on Reconstructer.org

Nice

Frank ~Not~ happy with peid :(
hehe.. PEiD 0.94 says aspack, scary ;)
0.95 doest say nothing about it.. and v1.0 (recode) says: AverCryptor if you are intressted.. ofcourse ;x

Thanks for the lesson maybe there will be a third ?
videos are great its the new way of telling - by pictures :D

keep up the good work.. i also like your analysis stuff :)

hm, which peid do you

hm, which peid do you mean?

the latest version is 0.94
from http://peid.has.it

there is no 0.95 or even 1.0

for the public yet.. no

for the public yet.. no

ok, got it. maybe it's

ok, got it.

maybe it's another packer, but it worked well anyway and was just a hint how to deal with these extra packed wsnpoems. ;)

ollydbgscript enhanced just

ollydbgscript enhanced

just added some lines to the script on line 91:

find eip, #6a61# // find push 61
cmp $RESULT, 0 // 0 = unsuccessful
je find_importer_func // import marker not found, proceed with finding importer_func
asm $RESULT, "push -1" // fix to 0xff to import everything
find_importer_func:

changing push 61 to push -1 causes to import all functions.
i have overlooked that before.
thanx to andreas greulich for the hint.

just re-download the zipfile package.

cheers,
frank

I can't find any of the Zeus

I can't find any of the Zeus builder. Any links?

audio.dll

do u have anyway of reading the content inside audio.dll?