
Reversing Challenges

Special Alphabets in Base64 encoding


Hi All,

Reversing TDSS: The x64 Dollar Question


In the two years since the Win32/Olmarik family of malware programs (also known as TDSS, TDL and Alureon) started to evolve, its authors have implemented a notably sophisticated mechanism for bypassing various protective measures and security mechanisms embedded into the operating system. Read more here: Reverse Engineering Malware

The fourth version of the TDL rootkit family (TDL4) is the first reliable and widely spread bootkit to target x64 operating systems (Windows Vista and Windows 7). Since TDL4 started to spread actively in August 2010, several versions of the malware have been released. By comparison with its predecessors, TDL4 is not just characterized by modification of existing code, but to all intents and purposes can be regarded as new malware. Among the many changes that have been applied as it developed, the most radical were those made to its mechanisms for self-embedding into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and Windows 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals. In this article, we consider the PPI (Pay Per Install) distribution model used by both TDL3 and TDL4, and the initial installation.

Problem Unpacking Netsky-Q FSG 1.0


I am trying to unpack the Netsky-Q worm (MD5 hash: 3018e99857f31a59e0777396ae624a8f). PEiD shows the packer as FSG 1.0 -> dulek/xt, and the only way that I found to unpack this is a manual unpacking technique by kienmanowa of REA. In this technique we set a breakpoint, run the malware sample to that point, and use OllyDump to change the Characteristics and Entry Point. But OllyDump is not allowing me to edit the Characteristics. Can anybody help me out with this?

Reverse Engineering Malware for beginners.


Can someone please help me with an article that teaches you how to reverse engineer malware? I would really like to learn.
Also, it would help if I could have a sample of a virus that is extremely basic and easy to reverse engineer.


Heap memory layout in Windows 7 ...


Hello guys ...

Has anybody here tried to reverse the heap memory layout in Windows 7? I have seen many documents, but they are all for older Windows versions.

I tried to reverse the rtlheapalloc function myself, but it became a headache for me ...

Any suggestions, please?



Antivirus XP 2008 - Unpacking and Patching


Hello, can someone unpack and patch AV XP 08? That would be very nice. It's not easy and not hard.

Download Antivirus XP 2008 Installer here:

1. Unpack the exe
2. Find the right way to patch it
3. Post the pattern for patching the registration jump

This is the registered version:

Sample of UltraDefragger Scareware


Anybody with a sample of the misleading app UltraDefragger?

Reversing the source of the ZeroAccess crimeware rootkit


We recently undertook a project to update the hands-on labs in our Reverse Engineering Malware course, and one of our InfoSec Resources Authors, Giuseppe "Evilcry" Bonfa, defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit:

Part 1

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult for security experts to forensically analyze.

Windows "DbgHelp.dll" Export name stack overflow vulnerability

Malware in the wild is exploiting this vulnerability. This vulnerability allows remote code to be executed while a debugger loads a specially crafted executable using Microsoft's Dbghelp.dll (ver 5.x).

When I was trying to load the malware that uses this trick, it made the Olly debugger exit. The link below has some interesting stuff about this vulnerability.

Trojan.Fadeluxnet aka Fake Stuxnet Cleaner


Hi, can anybody supply me a sample of Trojan.Fadeluxnet, which claims to be a Stuxnet Cleaner but deletes all the data present on the C: drive?
