- Apr 9, 2020
- 659
- Content source
- https://www.youtube.com/watch?v=RRh97sumaSI
Wrappers, installers, builders and EXE converters often create files with their own configuration format. What do you do if you find no tool to extract it for you? You write an extractor yourself.
Get the final EXE4J extractor here: GitHub - struppigel/Exe4jConfigExtractor: Configuration Extractor for EXE4J PE files
Samples to test it on:
bazaar.abuse.ch
bazaar.abuse.ch
bazaar.abuse.ch
bazaar.abuse.ch
PortexAnalyzer: PortEx/PortexAnalyzer.jar at master · katjahahn/PortEx
HxD: HxD - Freeware Hex Editor and Disk Editor | mh-nexus
VBinDiff: VBinDiff - Visual Binary Diff
0:00 Introduction
0:55 "Customer" sample, EXE4J, does not run
3:19 EXE4J Wizard overview
6:12 Looking for embedded JAR file
7:54 Checking the overlay for the config
9:12 Comparing different test files with VBinDiff to find out the structure of the config
16:51 Extracting the config of the "customer" sample
18:15 The mysterious, ever changing value in every config
19:30 What to tell a customer based on a non-runnable program
19:58 We need more tutorials about clean file analysis
Note: No actual customer sample was used. I obtained this from VT
Get the final EXE4J extractor here: GitHub - struppigel/Exe4jConfigExtractor: Configuration Extractor for EXE4J PE files
Samples to test it on:
MalwareBazaar | Browse Checking your browser
MalwareBazaar | Browse Checking your browser
MalwareBazaar | Browse Checking your browser
MalwareBazaar | Browse Checking your browser
PortexAnalyzer: PortEx/PortexAnalyzer.jar at master · katjahahn/PortEx
HxD: HxD - Freeware Hex Editor and Disk Editor | mh-nexus
VBinDiff: VBinDiff - Visual Binary Diff
0:00 Introduction
0:55 "Customer" sample, EXE4J, does not run
3:19 EXE4J Wizard overview
6:12 Looking for embedded JAR file
7:54 Checking the overlay for the config
9:12 Comparing different test files with VBinDiff to find out the structure of the config
16:51 Extracting the config of the "customer" sample
18:15 The mysterious, ever changing value in every config
19:30 What to tell a customer based on a non-runnable program
19:58 We need more tutorials about clean file analysis
Note: No actual customer sample was used. I obtained this from VT
