Unpacking simple ransomware


Well, I’ve just configured my XP VM under VirtualBox, and now I’m trying to work on some malware.

And here, Xylitol sent me a ransomware sample. Well, it’s kinda easy to unpack, because it’s using UPX and Mystic Compressor.

Well, I’m sure that everyone knows how to unpack UPX, so I won’t explain it here. Once I unpacked UPX, I saw another packer there. Xylitol told me that it’s Mystic Compressor. The name isn’t that important; the important thing is how to unpack this packer 🙂

Well, after doing some analysis, I found that this packer is as easy as UPX. I started tracing the code and found a `call dword ptr [xxxx]` in the same section where the program started. I pressed F7 and began analyzing another region of code (on my machine at 003XXXXX). Of course, this region was created by VirtualAlloc, so if you don’t want to lose time just tracing, you can set a BP on VirtualAlloc instead. Anyway, I traced inside its call too, and after reaching 003E04D3, which is the return from the packer’s stub, I pressed F7 and I was already at the OEP 🙂

It’s 004018A0.

There’s no import redirection or any anti-dumping tricks, so you can easily dump it via OllyDump and fix the imports via ImportRec. So it’s an easy packer.

And now the question is.. how to kill this ransomware? 😛
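As an added example (not the post's own tooling), here is a small pure-Python check you can run on the dumped file after OllyDump and ImportRec to confirm that the entry point really was set to the OEP (004018A0, i.e. RVA 0x18A0 with image base 0x400000) and that an import directory was written, which are the two things most often left wrong in a hand-made dump. The two PE images it parses are constructed in-memory fixtures built by `build_pe`; their section names, sizes and characteristics are assumptions, not data from the sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_pe(entry_rva, import_rva, import_size, sections, image_base=0x400000):
    """Build a minimal PE32 image (headers + section table only).
    Constructed test fixture for this example, not a real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: NT headers follow the DOS header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + table


def parse_pe(data):
    """Parse the handful of PE32 header fields the dump check needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, nt + 6)[0]             # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]         # FileHeader.SizeOfOptionalHeader
    opt = nt + 24                                                 # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
        off += 40
    return {"entry_rva": entry_rva, "image_base": image_base,
            "import_rva": imp_rva, "import_size": imp_size, "sections": sections}


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def check_dump(data, expected_oep_va):
    """Return a list of problems; an empty list means the dump looks sane."""
    pe = parse_pe(data)
    findings = []
    ep_va = pe["image_base"] + pe["entry_rva"]
    if ep_va != expected_oep_va:
        findings.append(f"entry point is {ep_va:#010x}, expected OEP {expected_oep_va:#010x}")
    sec = section_for_rva(pe, pe["entry_rva"])
    if sec is None:
        findings.append("entry point lies outside every section (e.g. still inside VirtualAlloc'd stub memory)")
    elif not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section {sec['name']!r} is not executable")
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        findings.append("import directory is empty: imports were not rebuilt")
    elif section_for_rva(pe, pe["import_rva"]) is None:
        findings.append("import directory RVA is outside every section")
    return findings


# Constructed fixtures (assumed layouts). FIXED_DUMP models a dump whose EP was set
# to RVA 0x18A0 and whose imports ImportRec rebuilt into an appended section;
# RAW_DUMP models a dump taken with the EP still inside the packer stub and no imports.
FIXED_DUMP = build_pe(0x18A0, 0x8000, 0x100, [
    (b".text", 0x1000, 0x5000, 0x60000020),
    (b".rdata", 0x6000, 0x2000, 0x40000040),
    (b".mackt", 0x8000, 0x1000, 0xC0000040),
])
RAW_DUMP = build_pe(0x9500, 0, 0, [
    (b".packed", 0x1000, 0x8000, 0xE0000080),
    (b".stub", 0x9000, 0x1000, 0xE0000040),
])

if __name__ == "__main__":
    for label, blob in (("fixed dump", FIXED_DUMP), ("raw dump", RAW_DUMP)):
        print(label, check_dump(blob, 0x4018A0) or "OK")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `check_dump` together with the OEP you reached in the debugger; a non-empty list tells you which of the two steps (EP fix-up or import rebuild) to redo.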

  1. #1 by Xylitol on March 28, 2011 - 5:31 am

    hehe congratz 😀
    and now the question is.. how to kill this ransomware? // you’ll see, that’s more lame than the packer 🙂

  2. #2 by qpt0001rcelab on March 30, 2011 - 2:30 pm

    I would like to learn some shit about it 😀
