Topic created on: October 3, 2012 11:56 CDT by Imprive.
Hello,
I am a student going for my BS in Network Engineering, and recently at my job I have been getting into malware analysis. Last week I managed to obtain a sample of the recent FBI MoneyPak virus that has been going around. It was in .exe format, so I figured it would be simple to run it through PEview to see what's up and then a debugger like OllyDbg to look under the hood.
Unfortunately the .exe is a 16-bit DOS executable. I think. When I first opened it with PEview, it only displayed the message "This program cannot be run in DOS mode". So I thought that it must be a packed 32-bit app somehow. But then I tried to run it through OllyDbg, and after about 20 minutes I realized I was looking at NTVDM.exe and something called kernalba (I think it's actually kernelbase, but for some reason OllyDbg only showed kernalba), not the actual program.
Then I tried a short dynamic analysis to see what ran, and sure enough NTVDM.exe ran. I didn't see anything else, so I wiped the computer and started over.
So now I know I have a 16-bit DOS exe that I need to debug, and I am looking for a debugger program. I heard that the IDA trial won't let me debug 16-bit, and I have no clue what command I use to load this file into GRDB or even debug.exe.
Do any of you guys know of a place that has GRDB or debug.exe tutorials? Or of a GUI 16-bit debugger?
Thanks,
Imprive
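An added triage check, not part of the original thread: the "This program cannot be run in DOS mode" text PEview showed is the DOS stub that every PE file carries as well, so it does not by itself prove the file is a 16-bit program; the e_lfanew field at offset 0x3C of the MZ header, and whether it points at a "PE\0\0" (or "NE") signature, is what tells a plain DOS executable apart from a Win32 PE. The script below classifies a file that way and prints the md5/sha1/sha256 digests a later reply asks for; the sample headers are constructed here, not the thread's malware.

```python
import hashlib
import struct

def classify(data):
    """Classify raw file bytes: 'not-mz', 'dos-mz' (plain 16-bit DOS program,
    the kind NTVDM runs on 32-bit Windows), 'ne' (16-bit Windows NE) or
    'pe:<machine>' (Win32/Win64 PE; 014c = i386, 8664 = x86-64)."""
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        return "not-mz"
    if len(data) < 0x40:
        # old-style 28-byte MZ header, no room for an e_lfanew field
        return "dos-mz"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must point past the MZ header and inside the file
    if e_lfanew < 0x40 or e_lfanew + 6 > len(data):
        return "dos-mz"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return "pe:%04x" % machine
    if sig[:2] == b"NE":
        return "ne"
    return "dos-mz"

def digests(data):
    """md5/sha1/sha256 hex digests, the triple usually posted for a sample."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

# Constructed sample inputs (hypothetical, not the thread's malware sample).
def _mz(e_lfanew):
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)

STUB = b"This program cannot be run in DOS mode.\r\n$"
DOS_SAMPLE = _mz(0) + STUB                  # real DOS program: e_lfanew unused
PE_SAMPLE = (_mz(0x80) + STUB).ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<H", 0x14C)

if __name__ == "__main__":
    for name, blob in (("dos", DOS_SAMPLE), ("pe", PE_SAMPLE)):
        print(name, classify(blob), digests(blob)["sha256"])
```

Both constructed samples contain the same DOS-stub message, yet only the second is a PE; that is the distinction a header viewer's stub message alone hides.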
> Imprive: I have no clue what command I use to load this file into GRDB or even debug.exe
ugh
so what did you try? didn't even try doing grdb yourapp.ext? the commonest way for anyone who has tapped the computer keyboard a few times
didn't that produce any results whatsoever?
i find that very hard to believe for someone going into a bs eng
or the way you state your problem is .............
to load an exe / com into grdb you need to do
grdb foo.com
C:\>cd %userprofile%\my*\gr*
C:\Documents and Settings\Admin\My Documents\grdbdl96>GRDB.EXE lr.com
Get Real Debugger Version 9.6 Copyright (c) 1997-2009 David Lindauer (LADSoft)
GRDB comes with ABSOLUTELY NO WARRANTY, for details type `?g'
This is free software, and you are welcome to redistribute it
under certain conditions; type `?gr' for details
DPMI Start code hooked
History enabled
eax:00000000 ebx:00000000 ecx:0000A900 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:00000100 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1EE8 es:1EE8 fs:1EE8 gs:1EE8 ss:1EE8 cs:1EE8
1EE8:0100 E9 D9 71 jmp 72DC
Size: 0000A900
->t
eax:00000000 ebx:00000000 ecx:0000A900 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:000072DC flag:000B3202 NV UP EI PL NZ NA PO NC
ds:1EE8 es:1EE8 fs:1EE8 gs:1EE8 ss:1EE8 cs:1EE8
1EE8:72DC E8 61 36 call A940
->
C:\DOCUME~1\Admin\MYDOCU~1\grdbdl96>debug lr.com
-u
149A:0100 E9D971 JMP 72DC
149A:0103 B80000 MOV AX,0000
149A:0106 E8BF71 CALL 72C8
149A:0109 C60672AA0F MOV BYTE PTR [AA72],0F
149A:010E C70670AA0000 MOV WORD PTR [AA70],0000
149A:0114 E8EA69 CALL 6B01
149A:0117 85C0 TEST AX,AX
149A:0119 7509 JNZ 0124
149A:011B C70670AA0100 MOV WORD PTR [AA70],0001
something that is nearest to a gui is td, turbo debugger
from ex old borland (dos gui / console based gui)
ollydbg ui is based on td
an output of the same com file executed in borland td
Turbo Debugger Log
CPU Pentium Pro
cs:0100 E9D971 jmp 72DC
cs:0103 B80000 mov ax,0000
cs:0106 E8BF71 call 72C8
cs:0109 C60672AA0F mov byte ptr [AA72],0F
cs:010E C70670AA0000 mov word ptr [AA70],0000
cs:0114 E8EA69 call 6B01
cs:0117 85C0 test ax,ax
cs:0119 7509 jne 0124
cs:011B C70670AA0100 mov word ptr [AA70],0001
cs:0121 E95C01 jmp 0280
cs:0124 E8D45E call 5FFB
cs:0127 E8C85C call 5DF2
cs:012A A36EAA mov [AA6E],ax
an output of td, the borland dos gui debugger, debugging a com file
CPU Pentium Pro
cs:A940 BF8000 mov di,0080
cs:A943 BE80A9 mov si,A980
cs:A946 89F9 mov cx,di
cs:A948 FC cld
cs:A949 F3A4 rep movsb
cs:A94B E80400 call A952
cs:A94E BD0000 mov bp,0000
cs:A951 C3 ret
cs:A952 B84000 mov ax,0040
cs:A955 8EC0 mov es,ax
cs:A957 BF6C00 mov di,006C
cs:A95A 268A1D mov bl,es:[di]
cs:A95D 263A1D cmp bl,es:[di]
Execution history
1AA3:A94E: mov bp,0000
1AA3:A951: ret
1AA3:72DF: test bp,bp
1AA3:72E1: jne 72E5
1AA3:72E3: mov bp,ds
1AA3:72E5: mov cs:[72DA],ds
|
Wow, my first post on these forums and I can already feel the love and sense of community...
Of course I tried that, it was the first thing I tried! It's not like I've never seen a CLI before.
I cd'ed into the directory that held my file and typed
"debug [filename]", and it simply said "file not found". Same thing with GRDB! I've tried to move the file to C:\, no luck either.
Also, I think Borland got rid of their old software on their site. I couldn't find the museum.
I did find a program with a GUI called OpenWatcom, but I don't think it works; everything is just zeros except for the first line, and when I try to step through it that goes to all zeros as well.
It COULD be that I am wrong once again, or this thing is obfuscated beyond belief. I really have no clue at this point in time.
|
Why try a 16-bit DOS file? Why not try something from the current time? Anyway, if you really have to, then try Sourcer from VCOMM.
It's a commenting disassembler and can dissect it with comments, but I've seen from DOS times that it tends to generate garbage on complicated files. But a newer version is there for 32-bit which you can use, might be better! Hope it is backward compatible. Usually programs like that are.
And if you wanna try debug.exe, then type the extension as well with the filename on the command line
ex: debug filename.exe
Then type ? to get help once it's loaded at its "-" prompt. It will list the commands it supports. They are not that hard to understand. But it'll just give you disassembly. No comments. So better have Ralf Brown's Interrupt List handy by your side. Have fun disassembling... :)
DarkAvenger
|
Hi Nicky,
Thanks for the tip I will try Sourcer.
Like I stated up above, this is a sample of the FBI MoneyPak malware that has been going around. It IS current time, but it appears that these crafty malware authors decided to put their program into a 16-bit app. I'm not sure if the app unpacks the actual program or what; that's what I am trying to figure out.
That command for debug does not work; please see my post above.
Thanks for replying,
Imprive
|
For debug to work, type the complete "file name + its extension" on the command line after typing "debug". And make sure you are in the directory where the file resides, or else type it with the complete path.
such as:
debug filename.exe
or
debug filename.com
Got it? Otherwise it won't load it and will give you a "File not found" error.
yours Nicky
|
> Imprive: Wow, my first post on these forums and I can already feel the love and sense of community...
oh, first impressions do matter :) the way you posed your query drew the response that it deserved :)
> It COULD be that I am wrong once again, or this thing is obfuscated beyond belief, I really have no clue at this point in time.
well then, the crudest method is the most elegant method: load the crap in a simple binary file editor and start parsing it manually as if it were a blackbox dumped bin file with neither a header nor some trailers
have a scratchpad and start making notes
have the internet ready to search for anything that might look like a hint
the more you stare at it the more patterns will start to emerge. haven't you heard the story where ten blind souls describe an elephant?
i.
'T was six men of Indostan
To learning much inclined,
Who went to see the Elephant
(Though all of them were blind),
That each by observation
Might satisfy his mind.
ii.
The First approached the Elephant,
And happening to fall
Against his broad and sturdy side,
At once began to bawl:
"God bless me! but the Elephant
Is very like a wall!"
iii.
The Second, feeling of the tusk,
Cried: "Ho! what have we here
So very round and smooth and sharp?
To me 't is mighty clear
This wonder of an Elephant
Is very like a spear!"
iv.
The Third approached the animal,
And happening to take
The squirming trunk within his hands,
Thus boldly up and spake:
"I see," quoth he, "the Elephant
Is very like a snake!"
v.
The Fourth reached out his eager hand,
And felt about the knee.
"What most this wondrous beast is like
Is mighty plain," quoth he;
"'T is clear enough the Elephant
Is very like a tree!"
vi.
The Fifth, who chanced to touch the ear,
Said: "E'en the blindest man
Can tell what this resembles most;
Deny the fact who can,
This marvel of an Elephant
Is very like a fan!"
vii.
The Sixth no sooner had begun
About the beast to grope,
Than, seizing on the swinging tail
That fell within his scope,
"I see," quoth he, "the Elephant
Is very like a rope!"
viii.
And so these men of Indostan
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were in the wrong!
moral.
So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!
"We have to remember that what we observe is not nature in itself, but nature exposed to our method of questioning." - Werner Heisenberg
so if you can share the binary, zip it, password it and upload it to some forum like woodmann.com / a malware analysis forum
so some other blind man can feel the trunk and proclaim it to be a tree
else post the md5, sha1 and sha256 digests of the app
so that some deaf man can try comparing it with some collectors'
jar like openmalware.com, and google for preexisting analysis if any