[jumbofreak]

i got hold of mystic compressor binary which is a part of recent carberp source code leak, when i looked at the commands it says pack(), register() ,test() .
But when i copy the sample like notepad.exe in the folder and type pack() command it fails , and test() command creates a subdirectories with mystic dll's . Has anyone played with it ? If so can you tell me how you did it ?

[R136a1]

Hehe

I just looked at the packing option, it works as follows:

"pack:binary.exe"

[jumbofreak]

Thanks R136a1 , that works, how did you figure out ? by looking at the x86 code, when i followed in ollydg didn't spot any usage of ":" near pack command.

[ArkKup]

@jumbofreak: could you share the mystic compressor binary ? or at least the md5 of it

[Cody Johnston]

@jumbofreak: could you share the mystic compressor binary ? or at least the md5 of it

It is in the Carberp source code.

[R136a1]

@jumbofreak

You can find the checking of ":" character in subroutine 401400, after the console input was read (ReadConsoleW):


@ArkKup

All versions of Mystic Compressor from Carberp source pack attached (sorted by PE Timestamp).

[jumbofreak]

got it ,Thanks,
c1f3325763682feda9e3f9682f98b5453ce36935 - sha1 , let me know if you don't have the file , i can attach it here.

[harikrish093]

Hi, Is Mystic Compressor also used to compress safe file ?? or it is made for only to compress Rouge softwares?

[EP_X0FF]

Hi, Is Mystic Compressor also used to compress safe file ?? or it is made for only to compress Rouge softwares?

It is used to obfuscate Windows executable binaries. If you use it, your result file will be likely detected as malware, because Mystic Compressor itself classified as VirTool/Obfuscator.