Decompiling an illegal 'patch' application - does it secretly install or run malware? - Part 2

Original source (jiffie.blogspot.com)
Tags: windows decompilation piracy patch jiffie.blogspot.com
Clipped on: 2018-08-03

Wednesday, May 20, 2015


Recently I looked inside an illegal application patch that 'unlocks' an application by messing with its license code checks. I was convinced that the patch would not only do that, but also install some form of malware on the computer. As it turns out: that particular patch didn't.

So I decided to take a look into another one. As opposed to the previous patch application, this one wasn't written in .NET, so not only will the decompilation be harder, the decompiled sources will probably also be less meaningful.


For decompilation, there is of course Boomerang, which is free and open source, but I decided to see if there is an online 'decompilation as a service'. Turns out there is at https://retdec.com/:

OK - let's run the patch through this decompiler:

OK - you can inspect a whole bunch of things here, but you can also just download everything. That's what I did. In the downloaded zip, there is the decompiled machine code, the call graphs and decompiled C code.

Looking at the call graph, I didn't see anything that got my alarm bells going. Again, an attempt was made to mess with the application's .dll files.
So let's see if I can make anything from the C code:

At the bottom of the file - the external function calls are listed. Turns out the application calls into the Windows API, seems to be messing with some files and things, but nothing really surprising. OK, let's see what this looks like in code:


I found code that I didn't really grasp and had to start Googling. The code tries to get a handle for the running process and then starts looking for dlls. That's remarkable since the patch application is just one .exe file. There are no dlls with the application - let alone something called 'dup2dispatcher.dll'.

... or are there? That brought me to this post: https://blog.malwarebytes.org/intelligence/2013/03/obfuscation-malwares-best-friend/ which talks about packers - and how they are often used to disguise malware. Although I haven't seen any malicious code yet, I'm a bit more suspicious of course.

Inspecting the application with the ExeInfo tool reveals the dup2patcher.dll, which is packed inside the EXE:


So - the patch logic or malicious code could be in there. It seems like that .rsrc section holds the actual dll source and you can save it off to your disk. Inspecting the bytecode revealed this XML section at the bottom, which is an assembly manifest:


I can read this, which makes me think that none of the obfuscation techniques were applied as suggested in the mentioned blogpost. However, I'm not able to inspect this code with DotPeek.

So ... I'm afraid this is how far I could come. As you can see - the only dependent assembly is Windows.Common.Controls. Since the patch probably has some kind of windows form - that all makes sense. I would have expected system.web in case the assembly went out to connect to some remote box or download some kind of executable.
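The two static checks described above (spotting a second PE image embedded in the EXE's data, and reading which assemblies the embedded manifest declares as dependencies) can be scripted so they don't depend on eyeballing a hex view. This is an added example, my own code rather than the post's or any tool it mentions; the sample bytes are constructed and the names in the manifest are sample values.

```python
"""Static triage helpers for a packed Windows executable (added example).
Scans a byte blob for embedded PE images and for an embedded assembly
manifest, then lists the dependent assemblies that manifest declares."""
import re
import struct
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:schemas-microsoft-com:asm.v1"


def find_embedded_pe(blob: bytes) -> list:
    """Offsets of every plausible PE image in blob: the outer one at 0 and any
    payload stored in a resource section. An 'MZ' only counts if the e_lfanew
    field at +0x3C points at a 'PE\\0\\0' signature, which filters random hits."""
    hits = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def extract_manifests(blob: bytes) -> list:
    """Pull every <assembly ...>...</assembly> XML block out of raw bytes
    (RT_MANIFEST resources are stored as plain XML, so no PE parsing needed)."""
    pat = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)
    return [m.group(0).decode("utf-8", "replace") for m in pat.finditer(blob)]


def dependent_assemblies(manifest_xml: str) -> list:
    """Names of the assemblies a manifest declares under <dependentAssembly>."""
    root = ET.fromstring(manifest_xml)
    ns = {"a": MANIFEST_NS}
    return [el.get("name")
            for el in root.findall(".//a:dependentAssembly/a:assemblyIdentity", ns)]


def _fake_pe(payload: bytes) -> bytes:
    """Constructed minimal image: MZ stub, e_lfanew=0x40, PE signature, payload."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed sample: an outer EXE carrying a second PE (the "packed dll") whose
# manifest declares one dependency, mirroring what the post found by hand.
SAMPLE_MANIFEST = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
                   b'<dependency><dependentAssembly><assemblyIdentity type="win32" '
                   b'name="Microsoft.Windows.Common-Controls" version="6.0.0.0"/>'
                   b'</dependentAssembly></dependency></assembly>')
SAMPLE_EXE = _fake_pe(b"\x90" * 32 + _fake_pe(b"\xcc" * 16 + SAMPLE_MANIFEST))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to the three functions; a second offset from `find_embedded_pe` is the candidate to carve out and analyse separately.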

However - I haven't been able to look inside this dll, so this is where it ends for me. If you have any tips - please drop me a line or suggestion.


2012 Jochen van Wylick. Awesome Inc. theme. Powered by Blogger.