App 13 contains a virus...?

Learn to reverse engineer through some common application security methods.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts/Code, etc.]

Posting these will result in warnings/bans!

Post by haha01haha01 on Tue May 05, 2009 12:42 pm

So, today I started working on Application 13. I quickly understood that, exactly as the description said, the application is well protected and the solution should not involve reversing. However, since I believe that cracking an application should be done only through a debugger, I decided to give reversing a try before using the delay-based brute forcing that needs to be done, as mentioned in the other topic about this application. I opened it in OllyDbg and quickly unpacked Yoda's Protector, but when I tried to fix the imports using ImpREC, my antivirus claimed that the unpacked file is a virus of type "Type_Win32". Now, don't get me wrong: I don't believe my antivirus 100% of the time, especially when it's meaningless names like that one (or "Win32.Packer" for packed exes, "Win32.Injector" for injectors, etc.). However, when I googled the name I got several results claiming it's real malware. I'm not blaming the HTS staff for anything, but can I at least get a logical explanation as to why it was detected as a virus? :|
There are 11 types of people in the world - those who understand binary, those who don't and those who already heard this joke.


Post by Defience on Tue May 05, 2009 1:41 pm
haha01haha01 wrote: So, today I started working on Application 13. I quickly understood that, exactly as the description said, the application is well protected and the solution should not involve reversing. However, since I believe that cracking an application should be done only through a debugger, I decided to give reversing a try before using the delay-based brute forcing that needs to be done, as mentioned in the other topic about this application. I opened it in OllyDbg and quickly unpacked Yoda's Protector, but when I tried to fix the imports using ImpREC, my antivirus claimed that the unpacked file is a virus of type "Type_Win32". Now, don't get me wrong: I don't believe my antivirus 100% of the time, especially when it's meaningless names like that one (or "Win32.Packer" for packed exes, "Win32.Injector" for injectors, etc.). However, when I googled the name I got several results claiming it's real malware. I'm not blaming the HTS staff for anything, but can I at least get a logical explanation as to why it was detected as a virus? :|


I don't have an answer for that...maybe someone else does, but I am curious as to the method you're attempting to use for this app when most write a program to solve it.


Post by haha01haha01 on Tue May 05, 2009 1:49 pm
I was told the protections on this one are good, and I wanna see how deep I can get. Since I don't know how well this application is protected (I only got past the unpacking), I pretty much have a 50% chance of being owned by the developers, giving up and using the normal method, and a 50% chance of getting past everything and finding the password the good old way.

Anyway, I'll try running it on my test comp tomorrow and see if it's a false positive or actual malware.

EDIT: okay, this is weird. I think ImpREC screwed the app somehow when I dumped it. I tried dumping again with OllyDump and there is no virus alert. I also fixed the imports with ImpREC, and the application is working fine (unpack successful). Now that I think about it, the ImpREC dump didn't have the regular icon... hmm......
Anyway, problem (somehow) solved, topic can be locked/deleted. Excuse me for not trying different dumps :)

EDIT2: Oh yeah. Finally removed all the protections and understood how the timer interruption works and how to trace it. Now I completely understand this algorithm.
[image]
The only thing left is decrypting (or brute forcing?) these four password ciphers and I'm done with this mission :P
Last edited by haha01haha01 on Wed May 06, 2009 9:36 am, edited 2 times in total.


Post by Defience on Wed May 06, 2009 8:58 am
It won't hurt to leave this post up in case someone else comes across something similar.


Post by yeswekey on Fri Jul 31, 2009 2:01 pm
omg... that IS a virus.... I'm not sure how much threat it poses to a computer... I don't have antivirus as my system config is very poor and it consumes system resources..

When I ran this app13, the result was an EnableWindow(FindWindow("Shell_TrayWnd", NULL), 0);

I had to write my own prog to enable my start menu and taskbar. I could've restarted explorer, but had many important windows open.

I request HTS staff to remove app 13 :)
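The post above describes the effect of the sample as an EnableWindow(FindWindow("Shell_TrayWnd", NULL), 0) call, i.e. the top-level taskbar window is left with WS_DISABLED set so it stops taking input, and the poster wrote his own program to undo it. The following is an added recovery example, not the poster's program and not anything from the mission itself: it P/Invokes the same three user32 functions from PowerShell to check whether "Shell_TrayWnd" is currently disabled and, if so, re-enables it, verifying the result with IsWindowEnabled rather than trusting EnableWindow's return value (which reports the previous state). It assumes a Windows session with explorer.exe running and a PowerShell that supports Add-Type; the namespace, type and function names (HtsRecovery, TaskbarUser32, Get-TaskbarState, Restore-Taskbar) are my own.

```powershell
# Added example: detect and undo a disabled taskbar window ("Shell_TrayWnd").
# Assumes Windows with explorer.exe running; HtsRecovery/TaskbarUser32 and the
# two function names below are chosen here, not taken from the thread.
$signature = @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWindowEnabled(IntPtr hWnd);

[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool EnableWindow(IntPtr hWnd, bool bEnable);
'@
$User32 = Add-Type -MemberDefinition $signature -Name 'TaskbarUser32' `
                   -Namespace 'HtsRecovery' -PassThru

function Get-TaskbarState {
    # Locate the top-level taskbar window by class name; the title is ignored.
    $hwnd = $User32::FindWindow('Shell_TrayWnd', $null)
    if ($hwnd -eq [IntPtr]::Zero) {
        throw 'Shell_TrayWnd not found: is explorer.exe running?'
    }
    [pscustomobject]@{
        Handle  = $hwnd
        Enabled = $User32::IsWindowEnabled($hwnd)   # false == WS_DISABLED set
    }
}

function Restore-Taskbar {
    $state = Get-TaskbarState
    if ($state.Enabled) {
        Write-Host 'Taskbar window is already enabled; nothing to do.'
        return $true
    }
    # EnableWindow's return value is the window's *previous* disabled state,
    # so the outcome is confirmed with a fresh IsWindowEnabled query instead.
    [void]$User32::EnableWindow($state.Handle, $true)
    $now = $User32::IsWindowEnabled($state.Handle)
    Write-Host ("Taskbar window re-enabled: {0}" -f $now)
    return $now
}

Restore-Taskbar
```

Only the top-level tray window is touched. Child controls that were disabled individually, or a Start button that lives in its own top-level window on later Windows versions, would need the same check applied to their own handles; the script is the cheaper alternative to restarting explorer.exe that the poster wanted, not a replacement for a proper cleanup of whatever else the sample did.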


Post by Defience on Fri Jul 31, 2009 5:13 pm
It doesn't need to be removed.


Post by yeswekey on Sat Aug 01, 2009 7:45 am
fine :)


Post by quangntenemy on Fri Nov 29, 2013 2:30 am
The AV scan from virustotal gave a detection ratio of 29 out of 46: https://www.virustotal.com/en/file/bf35 ... /analysis/ Also the fact that the app is heavily protected against debugging sounds kinda fishy. Has anyone tried to fully examine it?


Post by Goatboy on Fri Nov 29, 2013 2:06 pm
51 months. 51 months ago this thread received its last reply. 51 months ago I was living in a different state, in a different relationship, in a different school at a different job. 51 months ago Snowden was a nobody, Obama had just become somebody, and HTS weighed more cuz Monica was here.

For god's sake let this thread die. You would have to have dug pretty deep to find this one.