More advanced unpacking - Part II
With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM (aka Infostealer.Banker.C). The binaries are usually created with a tool called ZEUS Builder, and there exist lots of different versions in the wild. I found samples with and without rootkit functionality. They are also "on-top" packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways.
1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing
Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
hm, which peid do you mean?
the latest version is 0.94
from http://peid.has.it
there is no 0.95 or even 1.0
ok, got it.
maybe it's another packer, but it worked well anyway and was just a hint on how to deal with these extra-packed wsnpoems. ;)
ollydbgscript enhanced
just added some lines to the script on line 91:
find eip, #6a61# // find push 61
cmp $RESULT, 0 // 0 = unsuccessful
je find_importer_func // import marker not found, proceed with finding importer_func
asm $RESULT, "push -1" // fix to 0xff to import everything
find_importer_func:
changing push 61 to push -1 causes it to import all functions.
i had overlooked that before.
thanks to andreas greulich for the hint.
just re-download the zipfile package.
cheers,
frank
I can't find any of the Zeus builder. Any links?

Nice
Frank ~Not~ happy with peid :(
hehe.. PEiD 0.94 says aspack, scary ;)
0.95 doesn't say anything about it.. and v1.0 (recode) says: AverCryptor, if you are interested.. of course ;x
Thanks for the lesson, maybe there will be a third?
videos are great, it's the new way of telling - by pictures :D
keep up the good work.. i also like your analysis stuff :)