A forum for reverse engineering, OS internals and malware analysis 
 #8531  by disturbed
 Sun Sep 11, 2011 8:21 pm
Hi Guys,

Can someone please help and show me how to unpack Ransom Pornorolik?
Live sample for example hxxp://makemepornosexxx.ru/ss12o/video/videos12.avi.exe

Thanks! :D
Much appreciated
disturbed
 #8533  by disturbed
 Mon Sep 12, 2011 5:56 am
Thanks EP_X0FF !

I am not sure the variant I have posted and Xylitol's one are packed with the same packer. I saw Xylitol's great movie and that's why I have decided to try it myself.
Can you please just check if this is the same packer?

Thanks
disturbed
 #8534  by nullptr
 Mon Sep 12, 2011 9:26 am
Using OllyDbg:

BPx VirtualAlloc -> Return to user -> Follow buffer assigned (eax) in dump.
Trace through the two decryption cycles and you'll see the unpacked binary in the allocated buffer.
Trace until it gets written back to the 0x00400000 base and arrives at OEP, then dump.

Lazy man's way:
BPx VirtualAlloc -> Return to user -> Follow buffer assigned (eax) in dump.
BPx ZwWriteVirtualMemory
Dump buffer and trim to size 0x9800
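Once the decrypted buffer has been dumped from the debugger, the PE image still has to be carved out of it and trimmed; the following Python script is an added example (not nullptr's or the thread's code) that locates the PE header in a raw dump and trims it to the on-disk size computed from the section table, which generalizes the fixed 0x9800 above. The input buffer is constructed inline for demonstration and is not a real sample.

```python
import struct

def carve_pe(buf: bytes) -> tuple[bytes, int]:
    """Find the first valid PE image in a raw memory dump and trim it to its
    on-disk size (max over sections of PointerToRawData + SizeOfRawData).
    Returns (trimmed_image, image_base); raises ValueError if none is found."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            pe = off + e_lfanew
            if pe + 24 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                break
        off = buf.find(b"MZ", off + 1)   # stray "MZ" bytes: keep searching
    else:
        raise ValueError("no PE header found in dump")
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24                                    # optional header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                               # PE32: ImageBase at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    else:                                            # PE32+: ImageBase at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    sec = opt + opt_size                             # first section header
    end = sec + num_sections * 40                    # at least the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return buf[off:off + end], image_base

def build_sample(image_base: int = 0x00400000, file_size: int = 0x9800) -> bytes:
    """Constructed test input: a minimal PE32 with one .text section whose raw
    data ends at file_size, surrounded by junk as a dumped buffer might be."""
    e_lfanew, opt_size = 0x80, 0xE0
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", file_size - 0x400, 0x1000, file_size - 0x400, 0x400)
    img = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(file_size, b"\xCC")
    return b"\x90" * 0x20 + img + b"\xCC" * 0x1000  # junk before and after

if __name__ == "__main__":
    pe, base = carve_pe(build_sample())
    print(f"carved {len(pe):#x} bytes, ImageBase={base:#010x}")
```

A dump taken from the allocated buffer before it is copied to 0x00400000 has raw file layout, so the section-table size is the right trim; a dump taken from the mapped image after the copy would need section offsets realigned first.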