Hello again. This time we will look at "cracking" a virus, that is, unpacking a malware sample and reverse engineering it so we can see what it actually does on an infected machine.
CRACKING VIRUS TOOLS
To crack a virus we need a few tools:
- RDG Packer Detector: tells us whether the virus is protected by a packer or wrapper (and which one), and what compiler built it. Viruses are usually packed to hide their code from analysts, so the first job is to identify the packer in order to pick the right unpacker.
- ASPackDie: unpacks executables that were packed with ASPack.
- OllyDbg: a debugger used to reverse engineer the unpacked file. It only shows machine code (assembly), but its annotations of strings and API calls help us understand what the virus does.
- VB Decompiler: shows which functions and which Windows APIs a Visual Basic program uses.
- A virus sample: without a target file, there is nothing to crack.
CRACKING VIRUS STEPS
- Choose the target. Here it is the Spider virus, an .exe file named nvcpl32.exe.
- Run RDG Packer Detector on nvcpl32.exe to find out which compiler and which packer were used, so we can pick the matching unpacker. Look at the picture below:
- The result is clear:
Visual Basic 6.0
Aspack Detection Heuristic
This means:
The compiler is the tool (or programming language) that turned the source code into an .exe. Since RDG reports Visual Basic 6.0, we can use VB Decompiler for reverse engineering; since it reports ASPack, we use ASPackDie to unpack.
- Next we break open the packer around the code. Run ASPackDie and choose the packed file you want to unpack, in this article nvcpl32.exe, then click open.
- If it succeeds, ASPackDie saves the unpacked file as unPacked.exe:
- and shows the message "File seems to be unpacked successfully".
- Now open OllyDbg to inspect the content of the virus, and load unPacked.exe (not the original packed file, whose code is still compressed):
- As the picture above shows, the file contains a lot of content; I only pick out a few strings here. Among them are the registry values "DisableRegistryTools" and "DisableTaskMgr", which tells us the virus writes to the registry key shown in the picture, setting those two values. These are Windows policy values: when set, they disable the Registry Editor (regedit) and Task Manager, which is how the virus stops the user from removing it. With OllyDbg we can also find the messages the virus displays on an infected computer. Just search the strings.
- For a clearer view, open VB Decompiler to see which functions and which APIs the virus uses.
- To get VB Decompiler, download http://www.vb-decompiler.org/files/lite.rar, extract and install it, then run vbdecompiler.
- Choose the file to decompile: not the original packed exe, but the unpacked file, unPacked.exe. Click Decompile and you will see something like the picture below:
- Not all of the source code is recovered, but it is still useful for learning.
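The steps above are done by hand in RDG Packer Detector and OllyDbg. The script below is an added example (my own code, not part of the original tutorial or of those tools) that automates the same first-pass triage: it walks the PE header to read the section names, flags the ".aspack"/".adata" sections that ASPack adds, looks for the Visual Basic 6 runtime markers (the MSVBVM60.DLL import and the "VB5!" header signature), and dumps printable strings to check for the "DisableRegistryTools"/"DisableTaskMgr" values found in OllyDbg. The two samples it runs on are constructed minimal PE images built in the script itself, not the real nvcpl32.exe; they only reproduce the features the tutorial relies on (a packed file where the strings are hidden, and an unpacked file where they are visible).

```python
"""Triage a (possibly packed) Windows executable the way the tutorial does by hand.

Constructed demo: the PE images below are minimal and not runnable binaries,
they exist only to exercise the heuristics. Assumed indicators:
  - ASPack adds sections named .aspack and .adata
  - VB6 binaries import MSVBVM60.DLL and carry a "VB5!" signature
"""
import re
import struct

ASPACK_SECTIONS = {b".aspack", b".adata"}
VB6_MARKERS = (b"MSVBVM60.DLL", b"VB5!")
INDICATOR_STRINGS = (b"DisableRegistryTools", b"DisableTaskMgr")


def section_names(data: bytes) -> list:
    """Parse the PE headers and return the section names (what RDG's heuristics inspect)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]    # IMAGE_SECTION_HEADER.Name, 8 bytes
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Return packer/compiler guesses plus any suspicious strings visible in the file."""
    names = section_names(data)
    packer = "ASPack" if ASPACK_SECTIONS & {n.encode() for n in names} else None
    compiler = "Visual Basic 6.0" if any(m in data for m in VB6_MARKERS) else None
    # Same idea as OllyDbg's string references: runs of printable ASCII, 6+ chars.
    strings = re.findall(rb"[\x20-\x7e]{6,}", data)
    hits = sorted({s.decode() for s in strings if any(ind in s for ind in INDICATOR_STRINGS)})
    return {"sections": names, "packer": packer, "compiler": compiler, "indicators": hits}


def build_pe(names: list, body: bytes) -> bytes:
    """Construct a minimal PE32 image with the given section names (demo data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader=224, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222           # PE32 magic, rest zeroed
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed "before unpacking" sample: ASPack sections, VB runtime import visible,
# but the interesting strings are compressed away (here: just noise bytes).
PACKED_SAMPLE = build_pe(
    [b".text", b".data", b".aspack", b".adata"],
    b"\x93\x1f\x07" * 40 + b"MSVBVM60.DLL\0" + b"\x93\x1f\x07" * 40,
)

# Constructed "after unpacking" sample: normal sections, VB5! header, strings in the clear.
UNPACKED_SAMPLE = build_pe(
    [b".text", b".data", b".rsrc"],
    b"VB5!\0MSVBVM60.DLL\0DisableRegistryTools\0DisableTaskMgr\0"
    b"constructed sample message text\0",
)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

On a real file, call `triage(open(path, "rb").read())`. The output on the constructed pair mirrors the tutorial: the packed image is identified as ASPack plus VB6 with no readable indicators, and only the unpacked image reveals "DisableRegistryTools" and "DisableTaskMgr". Keep in mind that section names are trivial for malware authors to rename and a packer can hide the runtime import, so this is a first-pass triage to decide which unpacker to reach for, not a replacement for stepping through the file in OllyDbg.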
Okay, that's my tutorial. Thank you.