News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Win32ASM Programming 2nd Edition (From China) - ver UASM x64

Started by LiaoMi, August 27, 2017, 10:15:23 AM

Previous topic - Next topic

aw27


habran

OK, I have succeeded to extract it :t
Thanks LiaoMi :biggrin:

It is nice to see that UASM is becoming INTERNATIONALLY preferred assembler ;)
Cod-Father

avcaballero

What a mess. Why not make a simple 7zip or do it in several 7zip files? The 32 bits version seems to be good

Finally I've got it from mega

Vortex

Hi caballero,

The nested archives protected with password method is a nasty trick aimed to "escape" or "avoid" online scanners. Extracted the contents of the zip and 7z archive and created a new one without password. Uploaded it to Jotti :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx


PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small


Naturally, the original archive will look "safe" and "innocent" :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx

In my opinion, members of the forum should not post links to such type of nested archives protected with passwords.

LiaoMi

Quote from: Vortex on August 27, 2017, 09:30:45 PM
Hi caballero,

The nested archives protected with password method is a nasty trick aimed to "escape" or "avoid" online scanners. Extracted the contents of the zip and 7z archive and created a new one without password. Uploaded it to Jotti :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx


PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small


Naturally, the original archive will look "safe" and "innocent" :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx

In my opinion, members of the forum should not post links to such type of nested archives protected with passwords.

Similar detections were in the examples of UASM, my antivirus nod or symantec does not allow downloading such archives, for example, a file from a project "luoyunbin\Chapter13\HideProcess9x" which was not converted to x64 UASM, the rest of the examples can be useful, it is important that these examples were done by the Chinese for self-study in order to use UASM. In any case, I also would not like to see such archives.

jj2007

Quote from: Vortex on August 27, 2017, 09:30:45 PM
PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small

The "packer" is probably a false positive, but the rest is not so harmless...
What is Win32/Kryptik.FD
Trojan-Dropper.Win32.Small

Many of us have experienced false positives. This is natural with non-mainstream code, the AV are just too dumb to distinguish experimental assember code from malware. But two of the above are definitely not harmless, and besides, honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites 8)

Vortex

QuoteBut two of the above are definitely not harmless, and besides, honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites.

I agree with Jochen. It's important to provide simple archives containing clean material and not stuff like protected and nested archives.

Yuri

Quote from: jj2007 on August 27, 2017, 11:04:45 PM
honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites 8)
Sometimes it's inevitable. See what is found in my DLL written in GoAsm: https://www.virustotal.com/en/file/d3dd443066c777964c6c001060a2bb7fb245817a41f1cea9f9e404b0db721a8a/analysis/1479014195/. Did I put all that in it? Of course not. The DLL is clean. However, some trojan makers have used it with their malicious scripts, and now it's also flagged as malware by a bunch of AVs. Due to that, my previous site was blocked by the hoster and I had to move to another and put the DLL in an archive protected with a password. What else could I do? Negotiate with 20+ AV companies?

hutch--


jj2007

Quote from: Yuri on August 28, 2017, 06:06:43 PMSometimes it's inevitable ... What else could I do? Negotiate with 20+ AV companies?

Right, it is not that simple. If Jotti flags my installer as clean, it is sheer luck, as inside there are several routines that are a) unique (SSE2 code...) and b) could be used by anybody to produce malware, as you rightly state. What we are doing here is not mainstream, so we are subject to special attention. I must admit I don't have a simple solution for this problem. Attacking AV companies publicly for their dumb software damaging honest business might have some effect, but I'm not optimistic.

hutch--

There are two things here, make sure the code is squeaky clean with no crap in it AND put a manifest and version control block in the files within the zip file. Apart from that, this is why there is an AV sh*t list in the forum, nothing like a bit of bad publicity to make them improve their performance.

Yuri

Quote from: hutch-- on August 29, 2017, 03:59:40 PM
Yuri,

Rename the DLL and post it elsewhere.

What for? In case you meant remove the link from this forum, I've done that.

hutch--

No no, if the named file is blacklisted by AV companies, call it something else and post it somewhere else.

Vortex

Hi Yuri,

I have an old SFX archive example coded with GoAsm. The sample uses Jeremy Collake's JCALG1 compression library. Jotti and virustotal are reporting that the SFX archive is "infected" Of course, this is a false-positive. I tried the technique splitting the executable into multiple files. The idea is to present those file fragments to the AV engines as meaningless binary data files "missing" the important block IMAGE_NT_HEADERS and the sections text and data. Splitting the executable into three parts :

Part 1,  32 bytes , only the first half of IMAGE_DOS_HEADER
Part 2,  32 bytes , second half of IMAGE_DOS_HEADER
Part 3,   the rest of the file

You can use a file splitter. I used dd adapted to Windows :

http://www.chrysocome.net/dd

Split.bat :

dd if=Sfxdemo.exe of=Sfxdemo.exe.01 bs=32 count=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.02 bs=32 count=1 skip=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.03 bs=32 skip=2


Result :

    Size File name

  24.064 Sfxdemo.exe
      32 Sfxdemo.exe.01
      32 Sfxdemo.exe.02
  24.000 Sfxdemo.exe.03


A simple batch file can be presented to the end user to combine the parts, no need of external tools. Double clicking the batch file :

copy /b Sfxdemo.exe.01+Sfxdemo.exe.02+Sfxdemo.exe.03 Sfxdemo.exe

Analysis of Sfxdemo.exe :

https://virusscan.jotti.org/en-US/filescanjob/oh2870yoks

Analysis of the files Sfxdemo.exe.01, Sfxdemo.exe.02 and Sfxdemo.exe.03 :

https://virusscan.jotti.org/en-US/filescanjob/jz07f1ek2k,4peo8klxce,265bda0ds8

Analysis by virustotal :

Sfxdemo.exe.01 :

https://virustotal.com/#/file/9a25e59e4ddb7fede5ee68a2b728912a009c98c7f29b3d1e7745d4b3e8e6d0c3/detection

Sfxdemo.exe.02 :

https://virustotal.com/#/file/a2461009f610d333b185ea0e8d7836d26ca7333b0c0cd8609c4c24073e6dc091/detection

Sfxdemo.exe.03 :

https://virustotal.com/#/file/a5feb198bdd2c5d3177f8621ea5869ee9845991e13270490f19b8abde3fa63ce/detection

Sfxdemo.exe :

https://virustotal.com/#/file/e94fd2fa54056cd0f18fc51177ccfdf4ecc63a333ef6f78ae8e2fa71dfc73186/detection

Yuri

Thanks, Vortex, that's an interesting technique, I'll keep it in mind. However, it's also a trick and so it may seem as suspicious to a user as an archive with a password. In both cases everything depends on whether the user trusts you or not.