A forum for reverse engineering, OS internals and malware analysis 

 #20387  by jumbofreak
 Mon Aug 05, 2013 3:59 pm
I got hold of the Mystic Compressor binary which is part of the recent Carberp source code leak. When I looked at the commands it says pack(), register(), test().
But when I copy a sample like notepad.exe into the folder and type the pack() command it fails, and the test() command creates subdirectories with Mystic DLLs. Has anyone played with it? If so, can you tell me how you did it?
 #20396  by jumbofreak
 Tue Aug 06, 2013 11:09 am
Thanks R136a1, that works. How did you figure it out? By looking at the x86 code? When I followed it in OllyDbg I didn't spot any usage of ":" near the pack command.
 #20403  by R136a1
 Tue Aug 06, 2013 3:37 pm
@jumbofreak

You can find the check for the ":" character in subroutine 401400, after the console input is read (ReadConsoleW).

@ArkKup

All versions of Mystic Compressor from the Carberp source pack are attached (sorted by PE timestamp).
PW: infected
 #25046  by EP_X0FF
 Mon Jan 26, 2015 9:22 am
harikrish093 wrote: Hi, is Mystic Compressor also used to compress safe files, or is it made only to compress rogue software?
It is used to obfuscate Windows executable binaries. If you use it, your resulting file will likely be detected as malware, because Mystic Compressor itself is classified as VirTool/Obfuscator.