Steamunlocked malware?
struppigel wrote (post 1055836):

Hello there. I have not much time this weekend. But just from checking this file vs. the original version's entry point, it is clearly patched. The patched code is unreadable because it manipulates the stack pointer. The original NvStTest, in contrast, is clearly readable. This patch alone is reason enough to declare it as malware, because it is a modification that has nothing to do there and the file hasn't been signed by the publisher. @SkeletalDemise is very spot on with observations and analysis.

Spoiler: some images from binary diffing

Entry point of clean NvStTest:

[Image: mainfun_clean.png]

Entry point of manipulated NvStTest (cannot be decompiled):

[Image: mainfun_mal.png]

BinDiff of both files:

[Image: bindiff.png]

PortEx diff for both files; a black byteplot on the left means same code/data. It is mostly the code near the entry point, some resources and the (missing) certificate that have been changed.

[Image: diff_portex.png]

If this was a legitimate software update, you would expect something different:

1. not only entry point code changes
2. certificate would be there
3. code would be readable
4. many functions with small differences due to recompilation (this file was not recompiled; some of the sections even have the same hash)

This blacksoul rule detects msvcp140.dll. I would not take it seriously.
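The three observations in the post (patched entry-point code, missing Authenticode certificate, sections whose hashes are still identical) can be checked on any pair of PE files with a few header reads. The script below is an added example, not code from struppigel or from BinDiff/PortEx; it parses the PE headers with the standard library only, and its `build_pe` helper constructs tiny in-memory PE32 images (hypothetical test data, not NvStTest) so the comparison can be run offline.

```python
import hashlib
import struct

def parse_pe(data):
    """Return (entry_rva, cert_size, sections); each section is (name, rva, raw_off, raw_size)."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)               # data directories: PE32 vs PE32+
    cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)[1]  # directory 4 = Authenticode blob
    secs = []
    for i in range(nsec):
        name, _vsz, rva, rsz, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, roff, rsz))
    return entry, cert_size, secs

def entry_bytes(data, n=32):
    """First n bytes at the entry point, found by mapping its RVA through the section table."""
    entry, _, secs = parse_pe(data)
    for _name, rva, roff, rsz in secs:
        if rva <= entry < rva + rsz:
            return data[roff + entry - rva: roff + entry - rva + n]
    raise ValueError("entry point outside any section")

def triage(clean, suspect):
    """The three checks from the post: entry-point code, certificate presence, per-section hashes."""
    _, c_cert, c_secs = parse_pe(clean)
    _, s_cert, s_secs = parse_pe(suspect)
    sha = lambda d, s: hashlib.sha256(d[s[2]:s[2] + s[3]]).hexdigest()
    same = [c[0] for c, s in zip(c_secs, s_secs) if sha(clean, c) == sha(suspect, s)]
    return {"entry_point_patched": entry_bytes(clean) != entry_bytes(suspect),
            "certificate_removed": c_cert > 0 and s_cert == 0,
            "sections_with_same_hash": same}

def build_pe(text, cert_size=0):
    """Constructed minimal PE32 (test data, not a real binary): one .text section, RVA 0x1000 at file offset 0x200."""
    text = text.ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    fh = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 14, 0, len(text), 0, 0, 0x1000, 0x1000)
    opt += b"\0" * (92 - len(opt)) + struct.pack("<I", 16)              # NumberOfRvaAndSizes = 16
    dirs = [b"\0" * 8] * 16
    dirs[4] = struct.pack("<II", 0x400 if cert_size else 0, cert_size)   # security directory
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + fh + opt + b"".join(dirs) + sec).ljust(0x200, b"\0")
    return header + text + b"\xAA" * cert_size                           # dummy blob stands in for the signature
```

On real files, read the known-good build and the suspect copy into bytes and pass them to `triage`; a result of patched entry point, removed certificate and otherwise identical section hashes is exactly the pattern the post describes, as opposed to the many small differences a genuine recompilation produces.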