Here you go guys:
http://ragestorm.net/tiny/tinypeng.exe
Source will be released within a couple of weeks.
Have fun :)
Meanwhile I will be in Turkey for the weekend to relax and leave the bits behind.
Kix$
Hi.
Here is a short analysis of what TinyPE NG is doing (run on WinXP):
0x7C90117E (1): 8D442410 LEA EAX,[ESP+0x10]
0x55558000: DEC EBP
0x55558001: POP EDX
0x55558002 (1): 8B5D09 MOV EBX,DWORD PTR [EBP+0x9]
0x55558005 (1): 91 XCHG EAX,ECX
0x55558006 (1): B156 MOV CL,0x56
0x55558008 (1): B3D1 MOV BL,0xD1
0x5555800A (1): EB08 JMP 0x55558014
0x55558014 (1): 305C19C7 XOR BYTE PTR [ECX+EBX-0x39],BL
0x55558018 (1): E2FA LOOP 0x55558014 ; decrypts memory range 55558099-555580EF
0x5555801A (1): 53 PUSH EBX
0x5555801B (1): 6A12 PUSH 0x12
0x5555801D (1): 51 PUSH ECX
0x5555801E (1): EB68 JMP 0x55558088
0x55558088 (1): 51 PUSH ECX
0x55558089 (1): EB16 JMP 0x555580A1
0x555580A1 (1): C643C72E MOV BYTE PTR [EBX-0x39],0x2E
0x555580A5 (1): 53 PUSH EBX
0x555580A6 (1): B3BC MOV BL,0xBC
0x555580A8 (1): 53 PUSH EBX
0x555580A9 (1): 51 PUSH ECX
0x555580AA (1): 6A01 PUSH 0x1
0x555580AC (1): FF7384 PUSH DWORD PTR [EBX-0x7C]
0x555580AF (1): FF539A CALL DWORD PTR [EBX-0x66] ; GetProcAddress call on tinypeng; EXPORT ordinal 1
urlmon and a bunch of other DLLs are loaded as a result of this call with EAX pointing to URLDownloadToFile.
0x555580B2 (1): FFD0 CALL EAX
;EAX = URLDownloadToFile
2nd parameter: http://ragestorm.net/.exe
3rd parameter: urlmon.URLDownloadToFileA
0x555580B4 (1): 48 DEC EAX
0x555580B5 (1): 78F5 JS 0x555580AC
0x555580AC (2): FF7384 PUSH DWORD PTR [EBX-0x7C]
0x555580AF (2): FF539A CALL DWORD PTR [EBX-0x66] ; GetProcAddress call on tinypeng; EXPORT ordinal 12
0x555580B2 (2): FFD0 CALL EAX ; EAX = WinExec; 1st Parameter: .exe
0x555580B4 (2): 48 DEC EAX
0x555580B5 (2): 78F5 JS 0x555580AC
0x555580B7 (1): BCD1D1D1D1 MOV ESP,0xD1D1D1D1
0x555580BC (1): 48 DEC EAX
0x555580BD (1): 7474 JE 0x55558133
0x555580BF (1): 703A JO 0x555580FB
0x555580C1 (1): 2F DAS
0x555580C2 (1): 2F DAS
0x555580C3 (1): 7261 JB 0x55558126
0x555580C5 (1): 67657374 JAE BYTE PTR GS:[0x5555813D
The stack is blown away and the program abnormally terminates with an ACCVIO.
The only piece I need to figure out is the clever use of the 1st GetProcAddress call to force the load of URLMON and why that is happening.
Thank you for the interesting puzzle.
One more comment. I captured the downloaded file that runs and displays the messagebox and it is a regular old PE-style file. :O)
You don't need to capture that file, as it stays on your computer untouched, probably in the directory from which you ran the TinyPE executable itself.
About the second ordinal, it's 12 in hexadecimal…
WinExec acts the same as the first export… anyway, it's export forwarding.
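The export-forwarding trick behind the two GetProcAddress calls in the analysis above (ordinal 1 resolving to urlmon.URLDownloadToFileA, ordinal 0x12 to WinExec) can be checked from the file on disk without running it: a forwarded export is an AddressOfFunctions entry whose RVA points back into the export directory, at a "Dll.Func" string, and the loader resolves it by loading that DLL. The following is an added example, not code from the original post or from TinyPE NG: it builds a small constructed PE32 stand-in (the name "sample.exe", the "Local" export and its 0x2000 code RVA are made up, and tinypeng.exe's real header layout is not reproduced; only the ordinals and forwarder targets follow the thread), then parses the export directory and flags the forwarders.

```python
import struct
from collections import namedtuple

Export = namedtuple("Export", "ordinal name forwarder rva")

SEC_RVA = 0x1000  # RVA of the single section that holds the export directory


def build_sample_pe(forwarders, named):
    """Constructed stand-in PE32 (NOT tinypeng.exe): ordinal-only forwarded exports
    plus ordinary named exports. forwarders: {ordinal: "Dll.Func"},
    named: {name: (ordinal, code_rva)}."""
    sec = bytearray(40)  # IMAGE_EXPORT_DIRECTORY, filled in last
    base = 1
    nfuncs = max(list(forwarders) + [o for o, _ in named.values()])
    func_tbl = len(sec); sec.extend(bytes(4 * nfuncs))
    names = sorted(named)  # the loader binary-searches the name table, so keep it sorted
    name_tbl = len(sec); sec.extend(bytes(4 * len(names)))
    ord_tbl = len(sec); sec.extend(bytes(2 * len(names)))

    def add_str(s):
        off = len(sec)
        sec.extend(s.encode("ascii") + b"\0")
        return SEC_RVA + off

    dllname = add_str("sample.exe")  # assumed file name
    for o, target in forwarders.items():
        # Forwarder: the function-table slot points INTO the export directory,
        # at a "Dll.Func" string, instead of at code in this image.
        struct.pack_into("<I", sec, func_tbl + 4 * (o - base), add_str(target))
    for i, n in enumerate(names):
        o, code_rva = named[n]
        struct.pack_into("<I", sec, func_tbl + 4 * (o - base), code_rva)
        struct.pack_into("<I", sec, name_tbl + 4 * i, add_str(n))
        struct.pack_into("<H", sec, ord_tbl + 2 * i, o - base)
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, dllname, base, nfuncs, len(names),
                     SEC_RVA + func_tbl, SEC_RVA + name_tbl, SEC_RVA + ord_tbl)
    export_size = len(sec)

    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, one section, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, SEC_RVA, export_size)      # DataDirectory[EXPORT]
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".edata", len(sec), SEC_RVA,
                     len(sec), 0x200, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr) + bytes(sec)


def parse_exports(data):
    """Walk the export directory of a PE32/PE32+ file image; mark forwarded entries."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA %#x is not backed by any section" % rva)

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii")

    ed = rva2off(exp_rva)
    _name, base, nfuncs, nnames, f_rva, n_rva, o_rva = struct.unpack_from("<IIIIIII", data, ed + 12)
    names = {}
    for i in range(nnames):
        idx = struct.unpack_from("<H", data, rva2off(o_rva) + 2 * i)[0]
        names[idx] = cstr(struct.unpack_from("<I", data, rva2off(n_rva) + 4 * i)[0])
    exports = []
    for i in range(nfuncs):
        rva = struct.unpack_from("<I", data, rva2off(f_rva) + 4 * i)[0]
        if rva == 0:
            continue  # this ordinal is not exported (gap in the function table)
        if exp_rva <= rva < exp_rva + exp_size:
            # Forwarder: GetProcAddress loads the named DLL and resolves the target there.
            exports.append(Export(base + i, names.get(i), cstr(rva), None))
        else:
            exports.append(Export(base + i, names.get(i), None, rva))
    return exports


def forwarded_exports(data):
    """Triage check: an EXE whose exports forward into other DLLs is the pattern
    the thread describes (ordinal 1 -> urlmon, ordinal 0x12 -> WinExec)."""
    return [(e.ordinal, e.forwarder) for e in parse_exports(data) if e.forwarder]


if __name__ == "__main__":
    sample = build_sample_pe({1: "urlmon.URLDownloadToFileA", 0x12: "kernel32.WinExec"},
                             {"Local": (2, 0x2000)})
    for e in parse_exports(sample):
        print(e)
```

On a real file, call parse_exports(open(path, "rb").read()); the thing to flag is an EXE that has an export data directory at all, with entries that point back into that directory rather than at code. The sample's second forwarder sits at ordinal 18 because the PUSH 0x12 in the listing is hexadecimal, as the reply notes.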
So, where’s the source code? :)