My friend asked me how viruses can spread from cracked game exes, since he plays DOTA on a pirated Warcraft install on a private network. After I explained it to him, he asked why I had never blogged about it. Good question! So today I will blog about some basic methods of packing, that is, hiding one executable inside another so that it gets dropped and run. I will describe four different ways to pack files.
The first is packing using resource files, one of the easier ways to do it. In VC++ you can create or import resource files into your project, and the payload goes in as a resource. That is the easy part. The slightly trickier part is that at runtime you need to extract the resource into a file on the system and then somehow execute it. To do that you run the following calls (LockResource and SizeofResource are needed to get a pointer to the bytes and their length before you can write them):
hRes = FindResource(…);                  // locate the embedded resource by type/name
hResLoad = LoadResource(…, hRes);        // load it
pData = LockResource(hResLoad);          // pointer to the raw bytes
cbData = SizeofResource(…, hRes);        // how many bytes to write
hFile = CreateFile(…);                   // create the output file on disk
WriteFile(hFile, pData, cbData, …);      // dump the bytes
CloseHandle(hFile);
With the file written you just run it with WinExec (or CreateProcess, or something else) =) Keep in mind that the payload sits in the carrier as plain bytes and is dropped to disk before it runs, which is why this approach is easy to spot: anyone with Resource Hacker can see, and extract, the embedded file.
The second method is similar, but doesn't use resource files, which are easy to detect. It requires more work on your part. Basically you need a second program that converts the binary data into a string format you can copy and paste into your VC++ code as an array or string variable. I won't post code for this because there are many ways to do it: read 1024 bytes at a time, Base64 it, print it to an output file; or convert the bytes to a hex-coded string and then Base64 that; and so on. Bottom line: convert the binary data to text, and have your code reverse the process at runtime. One caveat: watch the padding. Base64 appends "=" characters when the input length isn't a multiple of three, and those are part of the encoding, so either keep them or make your decoder put them back. Separately, if your converter reads fixed-size blocks and zero-pads the last one, strip those extra bytes after decoding or the dropped file will come out the wrong length. Shellcode uses the same idea: the raw machine code is embedded in the source as a byte array or string.
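As an added example, not code from the original post, here is a converter/decoder pair in Python for the second method, including both padding cases the caveat above describes: a converter that reads fixed 1024-byte blocks and zero-pads the last one, and a decoder that restores stripped Base64 "=" characters and cuts the block padding off again. The payload is a constructed byte string with just enough of a DOS/PE header to pass a sanity check; it is not a real program, and `build_fake_pe`, `bin2c`, `bin2b64`, `b64_to_bin`, `looks_like_pe` and `roundtrip` are names chosen here.

```python
import base64
import struct

def build_fake_pe(tail=b""):
    """Constructed stand-in for the payload .exe: a DOS header whose e_lfanew (offset 60)
    points at a "PE\\0\\0" signature. It is NOT a runnable program; real use would be
    open("payload.exe", "rb").read()."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)
    return bytes(dos) + b"PE\0\0" + tail

def bin2c(data, name="payload", per_line=12):
    """Render bytes as a C array initialiser: the form shellcode usually takes in source."""
    rows = []
    for i in range(0, len(data), per_line):
        rows.append("    " + ", ".join("0x%02x" % b for b in data[i:i + per_line]) + ",")
    return ("static const unsigned char %s[%d] = {\n%s\n};\n"
            "static const unsigned int %s_len = %d;\n"
            % (name, len(data), "\n".join(rows), name, len(data)))

def bin2b64(data, block=1024):
    """Mimic a converter that reads fixed 1024-byte blocks: the last block is zero-padded
    before Base64 encoding, so the true length must travel with the string."""
    padded = data + b"\0" * ((-len(data)) % block)
    return base64.b64encode(padded).decode("ascii"), len(data)

def b64_to_bin(text, real_len):
    """Decoder for the carrier side. '=' is part of Base64, so if a converter stripped it
    we restore it before decoding; the block reader's zero padding is cut off after."""
    text = "".join(text.split())            # tolerate line breaks in the pasted string
    text += "=" * ((-len(text)) % 4)
    return base64.b64decode(text)[:real_len]

def looks_like_pe(data):
    """Sanity check before writing the dropped file: did the bytes survive the round trip?"""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def roundtrip(data):
    """Encode, drop the '=' padding the way a sloppy converter would, decode, and verify."""
    text, n = bin2b64(data)
    recovered = b64_to_bin(text.rstrip("="), n)
    return recovered == data and looks_like_pe(recovered)

if __name__ == "__main__":
    payload = build_fake_pe(b"\xcc" * 100)    # constructed, not a real program
    print(bin2c(payload[:24], "demo"))        # what you would paste into the VC++ source
    print("round trip ok:", roundtrip(payload))
```

The `real_len` argument is the important design point: once a converter pads to a block size, the string alone no longer tells you where the file ends, so the length has to be embedded alongside it (or the padding has to be cut off some other way) before the bytes are written out and executed.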
The third and fourth ways just use existing tools. One is InstallShield. Yes, InstallShield. It gives you a very nice GUI for adding files, and even lets you choose which file to execute after unpacking. What you need is an original package that was built with InstallShield; you then rebuild the package yourself, except you add in your own files. Simple, right?
The fourth way is like the third, but you might not have InstallShield, since later versions of VC++ don't include it for free. But you have WinZip, 7-Zip or WinRAR, right? All of them can create self-extracting archives (SFX). An SFX is the unarchiver program with the archive (e.g. a ZIP) appended to it, so the resulting .exe is treated as both a program and an archive file. That also means an SFX exe can still be opened with the archiver tool, which isn't ideal: if you created the SFX with WinZip, anyone can open that .exe in WinZip and see the contents. It's still not too bad if you had the original SFX and just re-SFXed it with your file added.
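The flip side, as an added example that is not from the original post: the two checks a defender (or a curious victim) would run on a suspicious .exe to catch the first and fourth methods. A raw payload stored as a resource shows up as a second MZ/PE header inside the file, and an SFX is a ZIP appended to a stub, which is exactly why the archiver can still open it. A Base64-encoded payload (the second method) does not trip the first check, since its bytes are no longer "MZ". The carriers are constructed inline from a fake PE stub; `STUB`, `find_embedded_pes`, `find_appended_zip`, `build_sfx` and `scan` are names chosen here.

```python
import io
import struct
import zipfile

# Constructed stand-in for a PE image: "MZ", e_lfanew = 64, "PE\0\0", some zeros. Not runnable.
STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 16

def find_embedded_pes(data, min_offset=1):
    """Offsets of every "MZ" (at or past min_offset) whose e_lfanew points at "PE\\0\\0".

    Offset 0 is the carrier's own header, so it is skipped by default. A raw .exe kept
    as a resource is found this way; a Base64-encoded one is not."""
    hits = []
    pos = data.find(b"MZ", min_offset)
    while pos != -1:
        if pos + 64 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 60)[0]
            sig = pos + e_lfanew
            if data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def find_appended_zip(data):
    """Entry names of a ZIP appended to the file, or [] if there is none.

    zipfile locates the end-of-central-directory record from the end of the file and
    corrects for prepended data, which is exactly the SFX layout (stub + archive)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def build_sfx(stub, files):
    """Constructed SFX-style carrier: an archiver stub followed by a ZIP of `files`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return stub + buf.getvalue()

def scan(data):
    """What a one-file triage script would report."""
    return {"embedded_pe_offsets": find_embedded_pes(data),
            "appended_zip_entries": find_appended_zip(data)}

if __name__ == "__main__":
    # Method 1 style: carrier with a raw payload .exe sitting in its data.
    carrier = STUB + b"\0" * 200 + STUB + b"-- dropped payload --"
    # Method 4 style: stub with a ZIP containing the file to run after extraction.
    sfx = build_sfx(STUB, {"setup.exe": STUB, "readme.txt": b"hi"})
    print(scan(carrier))   # embedded PE at offset 284, no archive
    print(scan(sfx))       # entries ['setup.exe', 'readme.txt']
```

Neither check is a substitute for real static analysis, but together they explain why the post calls resource packing and SFX "easy to detect": the evidence is in plain sight in the file, and a few lines of Python recover it.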
You can combine the first/second techniques with the third/fourth, but you need to know how to use Resource Hacker (ResHacker) or a similar tool. The neat thing about the third/fourth techniques is that they may work better with social engineering: the victim may assume that since it came from InstallShield or WinZip it is safe =)
There are more advanced techniques, e.g. unpacking directly into memory instead of dropping a file to disk, or using eggdrop instead of unpacking, but I won't discuss them today =)

