OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Packer Name	Packer Author	Classification	Analysis By	Last Updated
EduBot (GaoPoly)	Ago?	Crypter	quig	April 30 2005

Allocation	Anti-Debug	Anti-Disassembly	Section Name	Sample
None	no	no	.edubot	N/A

Notes
Gaobot/Phatbot polymorph on install crypter. Sample was a Gaobot, viral body overwritten with as, crypter still operates until OEP then crash.

Transfer Command

0044031B   895424 34        MOV DWORD PTR SS:[ESP+34],EDX
0044031F   FFE2             JMP EDX

Entry Point Signature

00440000 > E9 55000000      JMP 0044005A                             ; 0044005A
00440005   5A               POP EDX
00440006   56               PUSH ESI
00440007   57               PUSH EDI
00440008   50               PUSH EAX
00440009   51               PUSH ECX
0044000A   53               PUSH EBX
0044000B   89D3             MOV EBX,EDX
0044000D   E8 48010000      CALL 0044015A                     Pe Header stuff?
00440012   8DB3 2C000000    LEA ESI,DWORD PTR DS:[EBX+2C]
00440018   8DBB 35000000    LEA EDI,DWORD PTR DS:[EBX+35]
0044001E   C783 78000000 0F>MOV DWORD PTR DS:[EBX+78],0F
00440028   E8 C0000000      CALL 004400ED                     LoadLibraryStuff
0044002D   8983 55000000    MOV DWORD PTR DS:[EBX+55],EAX
00440033   8DBB 44000000    LEA EDI,DWORD PTR DS:[EBX+44]
00440039   C783 78000000 0D>MOV DWORD PTR DS:[EBX+78],0D
00440043   E8 A5000000      CALL 004400ED                     LoadLibraryStuff
00440048   8983 51000000    MOV DWORD PTR DS:[EBX+51],EAX
0044004E   53               PUSH EBX
0044004F   E8 7E010000      CALL 004401D2                     Into Final RUn
00440054   5B               POP EBX
00440055   5B               POP EBX
00440056   59               POP ECX
00440057   58               POP EAX
00440058   5F               POP EDI
00440059   5E               POP ESI
0044005A   E8 A6FFFFFF      CALL 00440005                            ; 00440005
0044005F   0000             ADD BYTE PTR DS:[EAX],AL
00440061   0000             ADD BYTE PTR DS:[EAX],AL
00440063   0000             ADD BYTE PTR DS:[EAX],AL

004401D2   8B4B 28          MOV ECX,DWORD PTR DS:[EBX+28]
004401D5   81F9 01000000    CMP ECX,1
004401DB  ^74 E4            JE SHORT 004401C1                        ; 004401C1
004401DD   89D9             MOV ECX,EBX
004401DF   2B4B 04          SUB ECX,DWORD PTR DS:[EBX+4]
004401E2   66:31C9          XOR CX,CX
004401E5   894B 24          MOV DWORD PTR DS:[EBX+24],ECX
004401E8   034B 08          ADD ECX,DWORD PTR DS:[EBX+8]
004401EB   89CE             MOV ESI,ECX
004401ED   8B4B 0C          MOV ECX,DWORD PTR DS:[EBX+C]
004401F0   31D2             XOR EDX,EDX
004401F2   8B43 10          MOV EAX,DWORD PTR DS:[EBX+10]
004401F5   D10C16           ROR DWORD PTR DS:[ESI+EDX],1
004401F8   81C2 04000000    ADD EDX,4
004401FE   39CA             CMP EDX,ECX
00440200  ^7C F3            JL SHORT 004401F5                        ; 004401F5
00440202   90               NOP
00440203   90               NOP
00440204   90               NOP
00440205   90               NOP
00440206   90               NOP
00440207   90               NOP
...............many nops..................
00440275   8B4B 24          MOV ECX,DWORD PTR DS:[EBX+24]
00440278   034B 1C          ADD ECX,DWORD PTR DS:[EBX+1C]
0044027B   89CE             MOV ESI,ECX
0044027D   8B4B 20          MOV ECX,DWORD PTR DS:[EBX+20]
00440280   31D2             XOR EDX,EDX
00440282   8B43 10          MOV EAX,DWORD PTR DS:[EBX+10]
00440285   D10C16           ROR DWORD PTR DS:[ESI+EDX],1
00440288   81C2 04000000    ADD EDX,4
0044028E   39CA             CMP EDX,ECX
00440290  ^7C F3            JL SHORT 00440285                        ; 00440285
00440292   90               NOP
00440293   90               NOP
00440294   90               NOP
00440295   90               NOP
00440296   90               NOP
00440297   90               NOP
...............many more nops..................
00440305   C743 28 01000000 MOV DWORD PTR DS:[EBX+28],1
0044030C   8B4B 14          MOV ECX,DWORD PTR DS:[EBX+14]
0044030F   8B53 24          MOV EDX,DWORD PTR DS:[EBX+24]
00440312   01CA             ADD EDX,ECX
00440314   5B               POP EBX
00440315   5B               POP EBX
00440316   5B               POP EBX
00440317   59               POP ECX
00440318   58               POP EAX
00440319   5F               POP EDI
0044031A   5E               POP ESI
0044031B   895424 34        MOV DWORD PTR SS:[ESP+34],EDX
0044031F   FFE2             JMP EDX           -------------------jmp OEP
00440321   0000             ADD BYTE PTR DS:[EAX],AL
00440323   0000             ADD BYTE PTR DS:[EAX],AL
00440325   0000             ADD BYTE PTR DS:[EAX],AL

Known Unpackers

There are 31,313 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit