Here I thought we would analyze a cracked program of the kind you find on the internet. Only do this if you have Cuckoo Sandbox or a secure virtual machine, as I am using, to download the .exe. We never know what we are dealing with, and most warez programs have malware bound to them: usually botnets, stealers, or keyloggers, though it could also be the legit program. Here we are going to use IDA Pro. – https://twitter.com/ro0ted/
A cracked commview.
I already know CommView is made in Delphi, so let's load it into exeinfoPE to see if it's been altered.
I see two things here:
1.) I do not want to throw this into OllyDbg, since Olly executes it. At this moment I trust static analysis over a live one, as the source shown is something other than Borland.
2.) I see it has overlay data on it.
OVL = Overlay Data
Let's see if it's crypted:
Let’s load it in IDA Pro
Always read this in case we get errors of any kind, which usually means the target is packed. I'm not talking about it being crypted, that's different. I'm talking about whether the code was obfuscated, altered so we can't fuck with it.
Doesn’t look like it here:
It doesn't appear to be packed, or it would usually show the packer's name right there. Not to mention we can see in the navigation bar that IDA broke the .exe apart. Remember, this is your browsing bar. You can immediately tell if the file is packed just by browsing it. Here it appears to be in chunks:
If it were packed you would see only one or two colors. That would show IDA could not break the .exe apart.
Let's load the patcher in exeinfoPE:
Okay, the patcher shows Borland, which means the program is probably bound, and the "Strange File" in the diagnose shows it's crypted. Therefore I still do not want to run the program in OllyDbg. Often what people do is steal a legit patcher and bind it to the main file.
And if you aren't using a secure virtual machine (not VMware alone), you surely do not want to open it in OllyDbg, or any suspicious file for that matter, as it will execute. That's the difference between a debugger (Olly) and a disassembler (IDA Pro in this case). If you are reading this and that's exactly what you plan to do, I would say don't, because that's a really dumb idea.
Stat Zero Test:
Not crypted or packed.
This is probably a legit patcher.
Another way to tell that it's not packed is by doing a compiler search, which only gives results on non-packed files:
Before we load it in IDA Pro let’s use the Delphi Entry Point corrector:
OEP = Original Entry Point
This is the start. We can open this in Olly.
The real files to analyze:
Never load a suspicious file in Resource Hacker, as it will execute the .exe, kind of like a debugger. You can still see the resources in 7-Zip.
Try to open the overlay data of the bound, suspected .exe, not the patch.
The patch looks clean. It's not the suspicious .exe here, as it loads fine in IDA Pro.
Load the OVL in Notepad++.
We won't be able to see much:
So yeah, we can see the ware is infected with a bot. We don't need to run it or scan it on VirusTotal. We can just analyze it ourselves. VirusTotal doesn't give you the bot's login info anyway :P.
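The checks above (is there overlay data, does it look packed or crypted, what is left in the overlay once you dump it) can be done without ever executing the file. The script below is an added example written for this post, not the author's tooling and not part of any tool named here: it parses the PE section table, reports anything past the last section as overlay, scores each region with Shannon entropy (packed or encrypted data sits near 8 bits per byte), and pulls printable strings out of the overlay the way a strings tool or Notepad++ would. The PE it analyzes is constructed in memory, one low-entropy .text section plus an overlay, and the marker string it finds is a constructed placeholder, not real bot configuration.

```python
"""Static PE overlay / entropy triage. Added example; the sample PE is constructed, not a real program."""
import math
import struct

ENTROPY_SUSPECT = 7.0  # bits per byte; packed or encrypted regions usually score above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40                               # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_overlay(pe: bytes):
    """Overlay = every byte past the end of the last section's raw data. Returns (offset, size)."""
    end = max((ptr + size for _, ptr, size in parse_sections(pe)), default=0)
    return end, max(0, len(pe) - end)


def printable_strings(blob: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long, what a strings tool would show."""
    out, run = [], bytearray()
    for b in blob + b"\0":                                 # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def triage(pe: bytes) -> dict:
    """Static look at a PE: section entropies, overlay presence and entropy, overlay strings."""
    report = {"sections": {}, "overlay": None, "flags": []}
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        report["sections"][name] = round(ent, 2)
        if ent > ENTROPY_SUSPECT:
            report["flags"].append(f"high-entropy section {name}: possibly packed")
    off, size = find_overlay(pe)
    if size:
        blob = pe[off:off + size]
        ent = shannon_entropy(blob)
        report["overlay"] = {"offset": off, "size": size, "entropy": round(ent, 2),
                             "strings": printable_strings(blob)}
        note = ": possibly encrypted payload" if ent > ENTROPY_SUSPECT else ""
        report["flags"].append(f"overlay of {size} bytes at 0x{off:x}{note}")
    return report


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one low-entropy .text section; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    raw_ptr, raw_size = 0x200, 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)                      # code | execute | read
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    text = b"\x90" * (raw_size // 2) + b"\0" * (raw_size // 2)      # NOPs + zeros: entropy exactly 1.0
    return headers.ljust(raw_ptr, b"\0") + text + overlay


# Constructed overlay: a byte permutation repeated 16 times stands in for an encrypted payload
# (uniform distribution, no long printable runs), followed by one cleartext placeholder marker.
SAMPLE_OVERLAY = bytes((i * 37) % 256 for i in range(256)) * 16 + b"\0CONSTRUCTED_MARKER=bot.config.invalid\0"
SAMPLE_PE = build_sample_pe(SAMPLE_OVERLAY)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(key, value)
```

To use it on a real sample, read the file into `bytes` and pass it to `triage` on an analysis VM; nothing in the script maps or runs the image, it only reads header fields and byte statistics, so it is safe to point at a suspicious binary. A high-entropy overlay on a file whose own sections look clean is the pattern described in this post: a legit program with something appended that the host program's code never references.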
This file was found on Youtube.
Check out my other tuts in my series, "What the Blackhats don't want you to know".
Never trust warez or cracked programs.