Writing an EXE4J Configuration Extractor
<blockquote data-quote="struppigel" data-source="post: 962271" data-attributes="member: 86910">
<p>Wrappers, installers, builders and EXE converters often create files with their own configuration format. What do you do if you find no tool to extract it for you? You write an extractor yourself.</p>
<p>Get the final EXE4J extractor here: <a href="https://github.com/struppigel/Exe4jConfigExtractor" target="_blank">GitHub - struppigel/Exe4jConfigExtractor: Configuration Extractor for EXE4J PE files</a></p>
<p>Samples to test it on:</p>
<p><a href="https://bazaar.abuse.ch/sample/da9f4e87f5918c4f14200f210b72ba1c2bd9971e241d0bb5dfb4edd4faaaf736/" target="_blank">https://bazaar.abuse.ch/sample/da9f4e87f5918c4f14200f210b72ba1c2bd9971e241d0bb5dfb4edd4faaaf736/</a></p>
<p><a href="https://bazaar.abuse.ch/sample/1dd9e256c9e00872304d1b9c2721d00433c48934e5bfda3dea232c8787ccac03/" target="_blank">https://bazaar.abuse.ch/sample/1dd9e256c9e00872304d1b9c2721d00433c48934e5bfda3dea232c8787ccac03/</a></p>
<p><a href="https://bazaar.abuse.ch/sample/862bec8c47903405f48f4ba8300e4669086d9f7f1c39bd3221303ad4e4e11c67/" target="_blank">https://bazaar.abuse.ch/sample/862bec8c47903405f48f4ba8300e4669086d9f7f1c39bd3221303ad4e4e11c67/</a></p>
<p><a href="https://bazaar.abuse.ch/sample/ca8b2ffab9783c5caba52cc036cbdffd2e86cfde76bedc1cef71102445f8d090/" target="_blank">https://bazaar.abuse.ch/sample/ca8b2ffab9783c5caba52cc036cbdffd2e86cfde76bedc1cef71102445f8d090/</a></p>
<p>PortexAnalyzer: <a href="https://github.com/katjahahn/PortEx/blob/master/progs/PortexAnalyzer.jar" target="_blank">PortEx/PortexAnalyzer.jar at master · katjahahn/PortEx</a></p>
<p>HxD: <a href="https://mh-nexus.de/en/hxd/" target="_blank">HxD - Freeware Hex Editor and Disk Editor | mh-nexus</a></p>
<p>VBinDiff: <a href="https://www.cjmweb.net/vbindiff/" target="_blank">VBinDiff - Visual Binary Diff</a></p>
<p>0:00 Introduction</p>
<p>0:55 "Customer" sample, EXE4J, does not run</p>
<p>3:19 EXE4J Wizard overview</p>
<p>6:12 Looking for embedded JAR file</p>
<p>7:54 Checking the overlay for the config</p>
<p>9:12 Comparing different test files with VBinDiff to find out the structure of the config</p>
<p>16:51 Extracting the config of the "customer" sample</p>
<p>18:15 The mysterious, ever changing value in every config</p>
<p>19:30 What to tell a customer based on a non-runnable program</p>
<p>19:58 We need more tutorials about clean file analysis</p>
<p>Note: No actual customer sample was used. I obtained this from VT ;)</p>
<p><a href="https://www.youtube.com/watch?v=RRh97sumaSI" target="_blank">https://www.youtube.com/watch?v=RRh97sumaSI</a></p>
</blockquote>
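The post's two key steps, locating the overlay and looking for the embedded JAR inside it, as an added example; this is not the extractor from the post nor code from PortEx, and the PE it parses is a minimal one constructed inline (constants such as `SAMPLE_OVERLAY` are constructed test data, not the real EXE4J layout).

```python
"""Carve a PE file's overlay and locate an embedded JAR (ZIP) inside it.

Added example; not the extractor from the post nor PortEx code.
The overlay is every byte after the end of the last section's raw data,
which is where an EXE4J wrapper keeps its JAR and configuration. The PE
used here is constructed inline with a minimal header so it runs offline.
"""
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature that starts every ZIP/JAR entry


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay begins: max(PointerToRawData + SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_opt            # first section header
    end = table + 40 * num_sections                # headers count as content too
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                     # truncated file: no overlay


def carve_overlay(data: bytes) -> bytes:
    return data[overlay_offset(data):]


def find_embedded_jar(overlay: bytes) -> int:
    """Offset of the first ZIP local-file header inside the overlay, or -1."""
    return overlay.find(ZIP_LOCAL_HEADER)


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header with no
    optional header, one section whose raw data spans 0x100..0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, opt hdr size 0
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x100)
    sect += b"\0" * (40 - len(sect))
    image = dos + b"PE\0\0" + coff + sect
    return image + b"\0" * (0x200 - len(image)) + overlay


# Constructed overlay: a fake config blob followed by a fake JAR entry header.
SAMPLE_OVERLAY = b"\x00\x10exe4j-config-placeholder" + ZIP_LOCAL_HEADER + b"\x14\x00payload"
SAMPLE_PE = build_sample_pe(SAMPLE_OVERLAY)

if __name__ == "__main__":
    ov = carve_overlay(SAMPLE_PE)
    print(f"overlay at 0x{overlay_offset(SAMPLE_PE):x}, {len(ov)} bytes, "
          f"JAR header at +{find_embedded_jar(ov)}")
```

On a real sample, read the file into `data` and diff the carved overlays of two test builds (as the video does with VBinDiff) to see which bytes of the config change between builds.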