Windows Pro Defence (FakeVimes)
two samples. password: infected
Xylitol wrote: AVG Antivirus 2011 — What is the password for it? I can't find it.
Fake AVG
https://www.virustotal.com/file-scan/re ... 1296506326
http://www.virustotal.com/file-scan/rep ... 1296506331
https://www.virustotal.com/file-scan/re ... 1296506334
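;-----------------------------------------------------------------------
; kg: key generator for the "Fake AVG" sample (MASM32, 32-bit stdcall)
;
; Produces a serial of the form  LLLDD-LLLDD-LLLDD-LLLDDD-XYLDD
; where L is drawn from Base26A and D from b10 by a GetTickCount-driven
; generator (see RandomFill).  Only the serial *format* is reproduced
; here; the generator has no cryptographic quality and is not meant to.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
include kernel32.inc
include C:\masm32\macros\macros.asm
includelib user32.lib
includelib kernel32.lib

DlgProc     PROTO :DWORD,:DWORD,:DWORD,:DWORD
RandomFill  PROTO :DWORD,:DWORD,:DWORD
RandomAP    PROTO :DWORD,:DWORD
RandomN     PROTO :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT        equ 1001
IDC_NAME        equ 1002                ; no matching control in the .rc shown with this listing; unused here
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007                ; no matching control in the .rc shown with this listing; unused here

.data
Rndm    dd 0                            ; generator state, advanced once per emitted character
b10     db "0123456789012345",0         ; 16-entry digit table (0-5 repeat so a 4-bit index covers it)
Base26A db "ABCDEFGHIJKLMNOP",0         ; 16-entry letter table, indexed by the same 4-bit value
tab     db "-",0                        ; group separator
hc      db "XYL",0                      ; fixed prefix of the last group

.data?
hInstance   dd ?
szSerial    db 100h dup(?)              ; scratch: letters of the current group
szSerial2   db 100h dup(?)              ; scratch: digits of the current group
szFinal     db 100h dup(?)              ; assembled serial (30 chars + NUL; 256 bytes is ample)

;-----------------------------------------------------------------------
; AppendGroup nLetters, nDigits
; Appends nLetters letters, nDigits digits and "-" to szFinal, then
; clears both scratch buffers so the next group starts from NUL-filled
; memory (RandomFill writes no terminator of its own).
; szFinal must already be NUL-terminated.  Clobbers eax, ecx, edx.
;-----------------------------------------------------------------------
AppendGroup MACRO nLetters:REQ, nDigits:REQ
    invoke  RandomAP, nLetters, addr szSerial
    invoke  RandomN, nDigits, addr szSerial2
    invoke  lstrcat, addr szFinal, addr szSerial
    invoke  lstrcat, addr szFinal, addr szSerial2
    invoke  lstrcat, addr szFinal, addr tab
    invoke  RtlZeroMemory, addr szSerial, sizeof szSerial
    invoke  RtlZeroMemory, addr szSerial2, sizeof szSerial2
ENDM

.code
start:
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax            ; exit code = EndDialog result (always 0 here)

;-----------------------------------------------------------------------
; INT_PTR DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for IDD_MAIN.
;   WM_INITDIALOG : sets the window icon from resource 200
;   WM_COMMAND    : IDB_EXIT closes, IDB_GENERATE builds a serial into
;                   szFinal and shows it in IDC_SERIAL
;   WM_CLOSE      : ends the dialog
; Out:   eax = 0 (FALSE) for every message
; Clobb: eax, ecx, edx; esi/edi preserved via 'uses'
;-----------------------------------------------------------------------
DlgProc proc uses esi edi hWnd:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    mov     eax, uMsg
    .if eax == WM_INITDIALOG
        ; Icon resource 200 is not part of the .rc shown with this
        ; listing; if it is absent LoadIcon returns NULL and the dialog
        ; keeps the default icon.
        invoke  LoadIcon, hInstance, 200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax   ; 1 = ICON_BIG
    .elseif eax == WM_COMMAND
        ; The whole wParam is compared: LOWORD = control id, HIWORD =
        ; notification code.  For these plain push buttons the only
        ; notification is BN_CLICKED (0), so the compare hits on a click.
        mov     eax, wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE
            ; Start from an empty, NUL-filled szFinal so lstrcat can be
            ; used uniformly for every group.
            invoke  RtlZeroMemory, addr szFinal, sizeof szFinal
            AppendGroup 3, 2            ; LLLDD-
            AppendGroup 3, 2            ; LLLDD-
            AppendGroup 3, 2            ; LLLDD-
            AppendGroup 3, 3            ; LLLDDD-
            ; Last group: fixed "XYL" followed by two digits.
            invoke  RandomN, 2, addr szSerial2
            invoke  lstrcat, addr szFinal, addr hc
            invoke  lstrcat, addr szFinal, addr szSerial2
            invoke  SetDlgItemText, hWnd, IDC_SERIAL, addr szFinal
            ; Scrub all three buffers so nothing stale carries into the
            ; next run (the buffers are also relied on being zero-filled).
            invoke  RtlZeroMemory, addr szSerial, sizeof szSerial
            invoke  RtlZeroMemory, addr szSerial2, sizeof szSerial2
            invoke  RtlZeroMemory, addr szFinal, sizeof szFinal
        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    ; FALSE for every message; on WM_INITDIALOG this also tells the
    ; dialog manager not to set the default keyboard focus.
    xor     eax, eax
    ret
DlgProc endp

;-----------------------------------------------------------------------
; void RandomFill(DWORD Length_, char *OutPut, const char *lpTable)
; Writes Length_ characters taken from the 16-entry lpTable into OutPut.
; No NUL terminator is written: callers pass RtlZeroMemory'd buffers.
; Generator step:  Rndm += GetTickCount() + 'abcd';  idx = Rndm & 0Fh;
;                  Rndm = rol(Rndm, 4)
; GetTickCount advances only every ~10-16 ms, so characters drawn within
; one tick depend solely on the previous state -- fine for a demo keygen,
; unsuitable as a source of randomness for anything else.
; In:    Length_ (0 writes nothing), OutPut, lpTable
; Clobb: eax, ecx, edx; ebx/esi/edi preserved via 'uses'
;-----------------------------------------------------------------------
RandomFill proc uses ebx esi edi Length_:DWORD, OutPut:DWORD, lpTable:DWORD
    ; The loop counter must survive the GetTickCount call inside the loop.
    ; ecx is caller-saved under stdcall and may be clobbered by the callee,
    ; so the count lives in callee-saved ebx instead.
    mov     ebx, Length_
    mov     esi, lpTable
    mov     edi, OutPut
    .while ebx != 0
        invoke  GetTickCount
        add     Rndm, eax
        add     Rndm, 'abcd'
        mov     eax, Rndm               ; eax = state before rotation
        rol     Rndm, 4                 ; state advances regardless of what we pick
        and     eax, 0Fh                ; 4-bit index into the 16-entry table
        mov     al, byte ptr [esi+eax]  ; al = lpTable[idx]
        stosb                           ; *OutPut++ = al  (DF assumed clear per ABI)
        dec     ebx
    .endw
    ret
RandomFill endp

;-----------------------------------------------------------------------
; void RandomAP(DWORD Length_, char *OutPut)
; Fills OutPut with Length_ letters from Base26A.  See RandomFill.
;-----------------------------------------------------------------------
RandomAP proc Length_:DWORD, OutPut:DWORD
    invoke  RandomFill, Length_, OutPut, offset Base26A
    ret
RandomAP endp

;-----------------------------------------------------------------------
; void RandomN(DWORD Length_, char *OutPut)
; Fills OutPut with Length_ digits from b10.  See RandomFill.
;-----------------------------------------------------------------------
RandomN proc Length_:DWORD, OutPut:DWORD
    invoke  RandomFill, Length_, OutPut, offset b10
    ret
RandomN endp

end start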
;This Resource Script was generated by WinAsm Studio.
// Resource script for the keygen dialog: one 268x19 DLU row holding the
// serial box and two buttons.  The IDs must agree with the .const block
// of the matching .asm listing.
// NOTE(review): the .asm also calls LoadIcon(hInstance, 200) and declares
// IDC_NAME (1002) / IDB_ABOUT (1007); neither an icon 200 nor those
// controls are defined here -- confirm whether this script is complete.
#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
  // Push buttons: WS_VISIBLE | WS_TABSTOP
  CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
  // Serial output box; initial text "Xylitol" is replaced on Generate.
  // Style bits appear to include ES_READONLY (0x0800) -- verify.
  CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
  CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END