A while ago, our lab spotted an infection coming from the website of a popular men's lifestyle magazine. I thought it was a nice coincidence that I had been assigned to that analysis, and wondered if there was any further motivation for the attack beyond just infecting anyone. Basing our assumption on the structure and the final payload of the infection, let's assume there was not. Within a day, we had determined that two binaries of the same malware family were being spread via the Fiesta Exploit Kit (EK), in both cases using the same exploit for the CVE-2013-2551 vulnerability.

Both samples were dropped as NSIS-packed binaries containing an infector and an encrypted file which, once unpacked, resulted in a malicious DLL. That malicious library was identified as Miuref, a rather popular clickjack trojan. What made this case particularly interesting were the different runtime packers that protect Miuref against being analysed.

Both executables derived from this infection came as NSIS (Nullsoft Scriptable Install System) packed binaries. One binary was wrapped in a C++ protector (MD5: D4A38E03010E1DA7DE7D1B942FF222BA), while the other appeared in a Visual Basic 6 wrapper (MD5: B999D1AD460BD367275A798B5F334F37). Both samples, once decompressed, yielded an encrypted DLL and an infector. The NSIS unpacking scripts don't seem to contain anything malicious, so it seems likely that this stage was present only to package the resulting infector and the encrypted DLL (and probably to cause even more confusion than was strictly necessary).

Both infectors appeared with legitimate-looking icons and names, such as 'KShortcutCleaner.exe' or 'NRWConfig.exe', and were about 75–80KB in size. The encrypted file in both cases came with the name 'setup.dat'. However, a closer look at the infectors revealed that one was a C++ compiled binary, and the other a Visual Basic 6 binary. My level of excitement went through the roof: there were clearly two pieces of malware from the same family, with different packers, one of which could cause a significant headache.

Visual Basic 6 has been the bane of analysts' lives since the first pieces of VB6 malware reached epidemic levels at the beginning of the 2000s. Visual Basic is widely considered to produce the most hated binaries in the history of reverse engineering – indeed, on mentioning this topic to some reverse engineers, they didn't know whether to laugh or to cry (and most of them did both).

The crying aspect of VB6 is primarily related to the fact that VB6 internals lack any sort of official documentation. The inner workings of the VB6 virtual machine and the functionality of its exported functions are a mystery to anyone who has not taken an in-depth look at msvbvm60.dll. VB6 can be compiled to pseudo code or native code. Neither is easy to understand, but native code does at least result in x86 machine code, whereas pseudo code is VB6 byte code that is interpreted by the VB6 virtual machine at runtime.

For native code reversing, it is crucial to understand the challenges of event-driven binaries: control flow is driven by the VB6 runtime invoking form and control event handlers rather than by one linear main routine. Also, the reverser must interpret the functionality of the VB6 runtime APIs called from the binary. But, given that malware executes pretty linearly by nature, and the VB6 APIs are mostly assigned understandable names, native code reversing is just another colourful facet of x86 binaries.

VB6 pseudo code, on the other hand, is a mess by design. Like some of the reversing challenges one finds at a Capture the Flag, or in very sophisticated runtime packers, VB6 pseudo code compiles the program to an undocumented byte code and runs it through a VM – and has been doing so since the 1990s. Valuable groundwork has been done by Jurriaan Bremer with VB6Tracer.

Visual Basic code compiled to pseudo code results in one- or two-byte opcodes, each followed by its operands, that are parsed by msvbvm60.dll. These opcodes can be likened to indices which tell the VB6 VM which dedicated instruction handler to call. For the translation of byte codes, the virtual machine uses a function named ProcCallEngine that parses the byte code through six look-up tables. The single-byte instructions are looked up in the first table, where the instruction byte itself is the table index; the remaining five tables serve the two-byte instructions.
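The two-level table dispatch described in the p-code discussion above, as an added example in Python (not code from the article, from msvbvm60.dll or from VB6Tracer): a decoder that resolves a single-byte opcode through a first table indexed by the opcode itself, resolves a two-byte opcode through one of five secondary tables selected by its lead byte, and then hands each instruction to a dedicated handler. The opcode numbers, mnemonics, operand sizes, the toy stack VM and the sample byte stream are all constructed for illustration; taking 0xFB..0xFF as the five lead bytes is an assumption about the real layout that the article does not state.

```python
"""Toy model of VB6-style p-code dispatch through six opcode tables.

Added example, not the article's code. Every opcode, mnemonic and operand
size here is constructed; 0xFB..0xFF as lead bytes is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: five lead bytes, one per secondary table (six tables in total).
LEAD_BYTES = (0xFB, 0xFC, 0xFD, 0xFE, 0xFF)


@dataclass(frozen=True)
class OpInfo:
    mnemonic: str                              # constructed name, not a real VB6 mnemonic
    operand_len: int                           # bytes that follow the opcode
    handler: Callable[["ToyVM", bytes], None]  # the "dedicated instruction handler"


class ToyVM:
    """Minimal stack machine so the handlers have something to do."""

    def __init__(self) -> None:
        self.stack: List[int] = []
        self.halted = False

    def push_imm(self, operand: bytes) -> None:
        # Operand width comes from the table entry, not from the handler.
        self.stack.append(int.from_bytes(operand, "little"))

    def add(self, operand: bytes) -> None:
        rhs, lhs = self.stack.pop(), self.stack.pop()
        self.stack.append((lhs + rhs) & 0xFFFFFFFF)

    def ret(self, operand: bytes) -> None:
        self.halted = True


# Table 1: indexed directly by the opcode byte (constructed entries).
PRIMARY: Dict[int, OpInfo] = {
    0x01: OpInfo("PushImm16", 2, ToyVM.push_imm),
    0x02: OpInfo("Add", 0, ToyVM.add),
    0x03: OpInfo("Ret", 0, ToyVM.ret),
}
# Tables 2..6: selected by the lead byte, then indexed by the second byte.
SECONDARY: Dict[int, Dict[int, OpInfo]] = {lead: {} for lead in LEAD_BYTES}
SECONDARY[0xFB][0x10] = OpInfo("PushImm32", 4, ToyVM.push_imm)


@dataclass(frozen=True)
class Insn:
    offset: int
    opcode: Tuple[int, ...]   # (byte,) or (lead, byte)
    info: OpInfo
    operand: bytes


def decode(code: bytes) -> List[Insn]:
    """Walk the byte stream, resolving each opcode through the table it belongs to."""
    insns: List[Insn] = []
    pc = 0
    while pc < len(code):
        start = pc
        first = code[pc]
        pc += 1
        if first in SECONDARY:
            if pc >= len(code):
                raise ValueError(f"truncated two-byte opcode at offset {start:#x}")
            second = code[pc]
            pc += 1
            opcode: Tuple[int, ...] = (first, second)
            info = SECONDARY[first].get(second)
        else:
            opcode = (first,)
            info = PRIMARY.get(first)
        if info is None:
            raise ValueError(f"unknown opcode {opcode} at offset {start:#x}")
        operand = code[pc:pc + info.operand_len]
        if len(operand) != info.operand_len:
            raise ValueError(f"truncated operand for {info.mnemonic} at offset {start:#x}")
        pc += info.operand_len
        insns.append(Insn(start, opcode, info, operand))
    return insns


def disassemble(code: bytes) -> List[str]:
    return [f"{i.offset:04x}: {i.info.mnemonic} {i.operand.hex()}".rstrip() for i in decode(code)]


def run(code: bytes) -> List[int]:
    """Dispatch each decoded instruction to its handler; return the final stack."""
    vm = ToyVM()
    for insn in decode(code):
        insn.info.handler(vm, insn.operand)
        if vm.halted:
            break
    return vm.stack


def decode_error(code: bytes) -> Optional[str]:
    """Return the decoder's complaint for a malformed stream, or None if it decodes."""
    try:
        decode(code)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed byte stream: PushImm16 5; PushImm32 0x10000; Add; Ret.
SAMPLE = bytes.fromhex("01 0500 FB 10 00000100 02 03")

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE)))
    print("stack after run:", run(SAMPLE))
```

Decoding and execution are kept separate so the listing can be inspected without running anything, and a malformed stream (a lead byte with no second byte, an opcode missing from its table, a short operand) raises instead of being silently skipped. When tracing a real p-code routine, the table entry ProcCallEngine selects plays the role of `info` here, and the operand width of each opcode is exactly what has to be recovered before a listing like this can be produced.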