Well, I’ve just configured my XP VM under VirtualBox, and now I’ve tried to work on some malware.
And here, Xylitol sent me a ransomware. Well, it’s kinda easy to unpack, because it’s using UPX and Mystic Compressor.
Well, I’m sure that everyone knows how to unpack UPX, so I won’t explain it here. Once I unpacked UPX, I saw another packer there. Xylitol told me that it’s Mystic Compressor. The name isn’t that important; what matters is how to unpack this packer 🙂
Well, after doing some analysis, I found that this packer is as easy as UPX. I started tracing the code and found a call dword ptr xxxx in the same section where the program started; I hit F7 and started analyzing another section of code (on my machine at 003XXXXX). Of course this section was created by VirtualAlloc, so if you don’t want to waste time just tracing, you can simply set a breakpoint on it. Anyway, I traced inside its call too, and after reaching 003E04D3, which is the return of the packer’s stub, I pressed F7 and I was already at the OEP 🙂
There’s no import redirection or any anti-dumping tricks, so you can easily dump it with OllyDump and fix the imports with ImportREC. So it’s an easy packer.
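As an added example (not code from the original post, and not the sample Xylitol sent): a small static triage script that flags the packed-sample traits the walk-through relies on, namely UPX section names, a section whose bytes sit near 8.0 bits of entropy, an entry point inside a writable section, and an empty section that only exists for the stub to unpack into. Since the page gives no layout for the Mystic Compressor layer, only the UPX layer is modelled; the PE headers, section names and payload bytes below are constructed for the demo.

```python
import math
import struct
from collections import Counter
def shannon_entropy(data: bytes) -> float:
    n = len(data)  # bits per byte: compressed or encrypted payloads sit close to 8.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def parse_pe(pe: bytes):
    """Return (entry_rva, [(name, va, vsize, raw_bytes, characteristics), ...])."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4  # e_lfanew, then past the PE\0\0 signature
    if pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i  # IMAGE_SECTION_HEADER number i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, va, vsize, pe[roff:roff + rsize], chars))
    return entry_rva, sections
def packer_indicators(pe: bytes) -> list:
    entry_rva, sections = parse_pe(pe)  # static hints that the sample will need manual unpacking
    hits = []
    for name, va, vsize, raw, chars in sections:
        holds_ep = va <= entry_rva < va + max(vsize, len(raw))
        if name.upper().startswith("UPX"):
            hits.append(f"{name}: UPX section name")
        if raw and (ent := shannon_entropy(raw)) > 7.0:
            hits.append(f"{name}: high entropy {ent:.2f}")
        if holds_ep and chars & 0x80000000:  # IMAGE_SCN_MEM_WRITE: the stub writes unpacked code here
            hits.append(f"{name}: entry point in a writable section")
        if not raw and vsize:
            hits.append(f"{name}: {vsize:#x} virtual bytes with no raw data (unpack target)")
    return hits
def build_sample(entry_rva, secs) -> bytes:
    """Constructed minimal PE (headers plus raw section data), not a real executable."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    hdr += (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)).ljust(0xE0, b"\0")
    raw = b""
    for name, va, vsize, data, chars in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(data), 0x400 + len(raw), 0, 0, 0, 0, chars)
        raw += data
    return bytes(hdr).ljust(0x400, b"\0") + raw
# Constructed samples: a UPX-style layout (empty UPX0 to unpack into, dense UPX1 holding stub and
# payload, entry point in UPX1) beside a plain unpacked .text section.
PACKED = build_sample(0x2000, [("UPX0", 0x1000, 0x1000, b"", 0xE0000080),
                               ("UPX1", 0x2000, 0x1000, bytes(range(256)) * 16, 0xE0000040)])
CLEAN = build_sample(0x1000, [(".text", 0x1000, 0x100, b"\x90" * 255 + b"\xC3", 0x60000020)])
```

Run `packer_indicators(open(path, "rb").read())` on a real sample; an empty list means none of these hints fired, not that the file is unpacked, since the Mystic layer underneath UPX uses a VirtualAlloc'd region that no section header describes.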
And now the question is... how to kill this ransomware? 😛