TinyPE NG is Out

Here you go guys:
http://ragestorm.net/tiny/tinypeng.exe

Source will be released within a couple of weeks.
Have fun :)
Meanwhile I will be in Turkey for the weekend to relax and leave the bits behind.

Kix$

4 Responses to “TinyPE NG is Out”

  1. Hi.

    Here is a short analysis of what TinyPE NG is doing (run on WinXP):
    0x7C90117E (1): 8D442410 LEA EAX,[ESP+0x10]
    0x55558000: DEC EBP
    0x55558001: POP EDX
    0x55558002 (1): 8B5D09 MOV EBX,DWORD PTR [EBP+0x9]
    0x55558005 (1): 91 XCHG EAX,ECX
    0x55558006 (1): B156 MOV CL,0x56
    0x55558008 (1): B3D1 MOV BL,0xD1
    0x5555800A (1): EB08 JMP 0x55558014
    0x55558014 (1): 305C19C7 XOR BYTE PTR [ECX+EBX-0x39],BL
    0x55558018 (1): E2FA LOOP 0x55558014 ; decrypts memory range 55558099-555580EF
    0x5555801A (1): 53 PUSH EBX
    0x5555801B (1): 6A12 PUSH 0x12
    0x5555801D (1): 51 PUSH ECX
    0x5555801E (1): EB68 JMP 0x55558088
    0x55558088 (1): 51 PUSH ECX
    0x55558089 (1): EB16 JMP 0x555580A1
    0x555580A1 (1): C643C72E MOV BYTE PTR [EBX-0x39],0x2E
    0x555580A5 (1): 53 PUSH EBX
    0x555580A6 (1): B3BC MOV BL,0xBC
    0x555580A8 (1): 53 PUSH EBX
    0x555580A9 (1): 51 PUSH ECX
    0x555580AA (1): 6A01 PUSH 0x1
    0x555580AC (1): FF7384 PUSH DWORD PTR [EBX-0x7C]
    0x555580AF (1): FF539A CALL DWORD PTR [EBX-0x66] ; GetProcAddress call on tinypeng; EXPORT ordinal 1
    urlmon and a bunch of other DLLs are loaded as a result of this call with EAX pointing to URLDownloadToFile.
    0x555580B2 (1): FFD0 CALL EAX
    ;EAX = URLDownloadToFile
    2nd parameter: http://ragestorm.net/.exe
    3rd parameter: urlmon.URLDownloadToFileA
    0x555580B4 (1): 48 DEC EAX
    0x555580B5 (1): 78F5 JS 0x555580AC
    0x555580AC (2): FF7384 PUSH DWORD PTR [EBX-0x7C]
    0x555580AF (2): FF539A CALL DWORD PTR [EBX-0x66] ; GetProcAddress call on tinypeng; EXPORT ordinal 12
    0x555580B2 (2): FFD0 CALL EAX ; EAX = WinExec; 1st Parameter: .exe
    0x555580B4 (2): 48 DEC EAX
    0x555580B5 (2): 78F5 JS 0x555580AC
    0x555580B7 (1): BCD1D1D1D1 MOV ESP,0xD1D1D1D1
    0x555580BC (1): 48 DEC EAX
    0x555580BD (1): 7474 JE 0x55558133
    0x555580BF (1): 703A JO 0x555580FB
    0x555580C1 (1): 2F DAS
    0x555580C2 (1): 2F DAS
    0x555580C3 (1): 7261 JB 0x55558126
    0x555580C5 (1): 67657374 JAE BYTE PTR GS:[0x5555813D]
    stack is blown away and program abnormally terminates with an ACCVIO

    The only piece I need to figure out is the clever use of the 1st GetProcAddress call to force the load of URLMON and why that is happening.

    Thank you for the interesting puzzle.

  2. One more comment. I captured the downloaded file that runs and displays the message box, and it is a regular old PE-style file. :O)

  3. arkon says:

    you don’t need to capture that file, as it stays on your computer untouched, probably in the directory from which you ran the tinype executable itself.
    about the second ordinal, it’s 12 in hexadecimal…
    WinExec acts the same as the first export… anyway, it’s export forwarding.
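
Since the trace in comment 1 and arkon's reply both turn on how GetProcAddress treats the program's own export table, here is an added example (my code, not TinyPE NG's or ragestorm.net's) that resolves an export by ordinal the way the loader does and flags forwarded exports. The PUSH 0x1 and PUSH 0x12 in the trace pass the ordinal in place of a name pointer (the high word is zero, so GetProcAddress treats it as an ordinal; 0x12 is 18 decimal, which is what "12 in hexadecimal" refers to). An address-table entry that points back inside the export directory's own range is not code but a forwarder string, "dll.function", and the loader loads that DLL and resolves the function there, which is why urlmon shows up on the first call. The PE image the script parses is constructed inside it to mirror the comments: ordinal 1 forwards to urlmon.URLDownloadToFileA; ordinal 0x12 forwards to WinExec, with kernel32 as its home module and tinypeng.exe as the module name both being assumptions; ordinal 2 is a filler non-forwarded export. It is not the real tinypeng.exe; the same functions can be pointed at the real file once you have it.

```python
"""Resolve a PE export by ordinal as GetProcAddress does and flag forwarded exports.
Added example for this page, not TinyPE NG's code; the image parsed below is
constructed here to mirror the comments (ordinal 1 -> urlmon.URLDownloadToFileA,
ordinal 0x12 -> WinExec)."""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _optional_header(data):
    """Return (offset of IMAGE_OPTIONAL_HEADER, its size, NumberOfSections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]  # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    return pe + 24, opt_size, nsections


def rva_to_offset(data, rva):
    """Translate an RVA to a file offset through the section table."""
    opt, opt_size, nsections = _optional_header(data)
    for i in range(nsections):
        sec = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def _cstring(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii")


def export_directory(data):
    """Parse IMAGE_EXPORT_DIRECTORY; None if the image has no export table."""
    opt, _, _ = _optional_header(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)       # DataDirectory offset: PE32 / PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, datadir + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return None
    off = rva_to_offset(data, exp_rva)
    name_rva, base, nfuncs, nnames, funcs_rva = struct.unpack_from("<IIIII", data, off + 12)
    return {"rva": exp_rva, "size": exp_size, "base": base, "nfuncs": nfuncs,
            "nnames": nnames, "funcs_rva": funcs_rva,
            "name": _cstring(data, rva_to_offset(data, name_rva))}


def resolve_export(data, ordinal):
    """Emulate GetProcAddress(hModule, MAKEINTRESOURCE(ordinal)).

    Returns ("forward", "dll.func") for a forwarded export, ("rva", rva) for a plain
    one, or None when the ordinal is out of range or its slot is empty. An entry is a
    forwarder when its RVA lands inside the export directory's DataDirectory range;
    the loader then loads that DLL and resolves the named function there.
    """
    exp = export_directory(data)
    if exp is None:
        return None
    idx = ordinal - exp["base"]
    if not 0 <= idx < exp["nfuncs"]:
        return None
    rva = struct.unpack_from("<I", data, rva_to_offset(data, exp["funcs_rva"]) + 4 * idx)[0]
    if rva == 0:
        return None
    if exp["rva"] <= rva < exp["rva"] + exp["size"]:
        return ("forward", _cstring(data, rva_to_offset(data, rva)))
    return ("rva", rva)


def list_exports(data):
    """All populated ordinals as (ordinal, kind, target)."""
    exp = export_directory(data)
    found = [(o, resolve_export(data, o)) for o in range(exp["base"], exp["base"] + exp["nfuncs"])]
    return [(o, r[0], r[1]) for o, r in found if r]


def build_sample_image():
    """Constructed 32-bit PE (not the real tinypeng.exe): one .edata section, 0x12 ordinals.
    Ordinal 1 forwards to urlmon.URLDownloadToFileA (from the trace); ordinal 0x12 forwards
    to WinExec (kernel32 as its home is assumed); ordinal 2 is a filler plain export;
    the module name tinypeng.exe is assumed."""
    fwd1, fwd2, modname = b"urlmon.URLDownloadToFileA\0", b"kernel32.WinExec\0", b"tinypeng.exe\0"
    sec_rva, sec_raw, sec_size, exp_size, nfuncs = 0x1000, 0x200, 0x200, 0x100, 0x12
    funcs_rva = sec_rva + 40                              # address table follows the 40-byte directory
    fwd1_rva = funcs_rva + 4 * nfuncs
    fwd2_rva = fwd1_rva + len(fwd1)
    name_rva = fwd2_rva + len(fwd2)
    funcs = [0] * nfuncs
    funcs[0], funcs[1], funcs[nfuncs - 1] = fwd1_rva, sec_rva + 0x180, fwd2_rva
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, nfuncs, 0, funcs_rva, 0, 0)
    edata += b"".join(struct.pack("<I", f) for f in funcs) + fwd1 + fwd2 + modname
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, sec_size, 0, 0, 0, sec_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       sec_rva + sec_size, sec_raw, 0, 2, 0)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_EXPORT] = (sec_rva, exp_size)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    sect = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", sec_size, sec_rva, sec_size,
                                                   sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec_raw, b"\0") + edata.ljust(sec_size, b"\0")


if __name__ == "__main__":
    img = build_sample_image()
    print("exports of", export_directory(img)["name"])
    for ordinal, kind, target in list_exports(img):
        print("  ordinal %#x (%d): %s %s" % (ordinal, ordinal, kind, target))
```

Running it on the constructed image lists ordinal 1 and ordinal 0x12 as forwarders and ordinal 2 as a plain RVA; run resolve_export on the real file to confirm what the two CALL DWORD PTR [EBX-0x66] sites in the trace actually resolve to. The forwarder test is the DataDirectory size, not the section, so an export table whose Size field is shrunk to exclude its own strings will make a forwarder look like a plain function address, which is worth remembering when a sample is as header-packed as TinyPE is.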

  4. Bob says:

    So, where’s the source code? :)
