A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10525  by EP_X0FF
 Thu Dec 22, 2011 1:06 pm
Tigzy wrote: MaxSS was not supposed to alter only the partition table?
Only in current version.
 #10526  by Tigzy
 Thu Dec 22, 2011 1:08 pm
Well, I need to review my classics :D
Ok. Will implement something to decrypt the MBR. Do any of you have a TDL4 dump for testing purposes? I only have VMs at work, so I can't infect a physical machine.
 #10528  by EP_X0FF
 Thu Dec 22, 2011 1:22 pm
Tigzy wrote: Do any of you have a TDL4 dump for testing purposes? I only have VMs at work, so I can't infect a physical machine.
Take any dropper from the TDL4 dedicated thread (Alureon.DX, not Alureon.FE) and infect a VM. It should work.
 #10533  by Tigzy
 Thu Dec 22, 2011 2:55 pm
A little help with decryption?

I got the key (0x147) and the begin offset (0x2A).
How is the ROR done? Do we shift each byte 0x47 times (I don't think so), or do we take all bytes shifted 0x47 times?
 #10534  by rkhunter
 Thu Dec 22, 2011 3:01 pm
Tigzy wrote: A little help with decryption?

I got the key (0x147) and the begin offset (0x2A).
How is the ROR done? Do we shift each byte 0x47 times (I don't think so), or do we take all bytes shifted 0x47 times?
What tool are you using for decryption?
 #10536  by EP_X0FF
 Thu Dec 22, 2011 3:15 pm
Tigzy wrote: A little help with decryption?

I got the key (0x147) and the begin offset (0x2A).
How is the ROR done? Do we shift each byte 0x47 times (I don't think so), or do we take all bytes shifted 0x47 times?
Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture
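An added illustration of the point EP_X0FF is making with the manual reference (example code, not from any poster or from the TDL4 loader): x86 ROR on an 8-bit operand masks the count to 5 bits and then rotates modulo the operand width, so a count of 0x47 (or 0x147) rotates by 7 bits, not 0x47 times, and nothing is discarded the way a shift would. Applying the rotate to every byte from offset 0x2A onward is an assumed layout for the demonstration, not a statement of the real loader's loop; the sample sector is constructed.

```python
# Added example: 8-bit ROR/ROL with x86 count semantics, used over a constructed
# sector image. The byte-per-byte layout starting at 0x2A is an assumption for
# illustration, not a description of the actual TDL4 routine.

COUNT_MASK = 0x1F  # Intel SDM: rotate count is masked to 5 bits (32-bit mode)
OPERAND_BITS = 8


def effective_rotation(count: int) -> int:
    """Bit positions an 8-bit ROR really moves for a given count operand.

    The CPU masks the count to 5 bits, and a rotate is periodic in the operand
    width, so 0x47 -> 7 and 0x147 -> 7 as well.
    """
    return (count & COUNT_MASK) % OPERAND_BITS


def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right; unlike a shift, no bits are lost."""
    value &= 0xFF
    n = effective_rotation(count)
    return ((value >> n) | (value << (OPERAND_BITS - n))) & 0xFF


def rol8(value: int, count: int) -> int:
    """Inverse of ror8 for the same count."""
    value &= 0xFF
    n = effective_rotation(count)
    return ((value << n) | (value >> (OPERAND_BITS - n))) & 0xFF


def decrypt_sector(data: bytes, key: int, start: int) -> bytes:
    """ROR every byte from `start` onward by `key` (assumed layout)."""
    out = bytearray(data)
    for i in range(start, len(out)):
        out[i] = ror8(out[i], key)
    return bytes(out)


def encrypt_sector(data: bytes, key: int, start: int) -> bytes:
    """Undo decrypt_sector; useful to check a candidate key round-trips."""
    out = bytearray(data)
    for i in range(start, len(out)):
        out[i] = rol8(out[i], key)
    return bytes(out)


# Constructed sample: 0x2A untouched header bytes, then four test bytes.
SAMPLE = b"\x00" * 0x2A + bytes([0x01, 0x80, 0xAA, 0x55])

if __name__ == "__main__":
    print("effective rotation for 0x147:", effective_rotation(0x147))
    print(decrypt_sector(SAMPLE, 0x147, 0x2A)[0x2A:].hex())
```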