BJX bot unpacked

08/14/2005 03:05 jMerliN#1
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.
08/14/2005 03:09 Cryptic#2
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the RJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.
Well done. Don't you mean BJX?
In that case, we need to look into the source code. Remove the US/PW sending to BJX and response-requiring mechanism. Then, we need to find out where we're getting Trojan.Bat.Deltree.m from, as well as any other suspicious code.
With that, one of our better coders might be able to make a little EPVP Version using a few similar ideas or code.
08/14/2005 03:14 jMerliN#3
Quote:
Originally posted by Cryptic@Aug 13 2005, 20:09
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the RJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.
Well done. Don't you mean BJX?
In that case, we need to look into the source code. Remove the US/PW sending to BJX and response-requiring mechanism. Then, we need to find out where we're getting Trojan.Bat.Deltree.m from, as well as any other suspicious code.
With that, one of our better coders might be able to make a little EPVP Version using a few similar ideas or code.
Some of us from FuckGaming working on one that will have a public version :)

Also, the 'trojan' that was supposedly detected is probably nothing more than a false positive. Many known trojans and viruses use a variant of UPX packing ( with a modified stub.. which is what this uses ) and something that is poorly written may see the packing method as a possible positive for a known trojan that uses the same UPX variant. If anything other than that, it may have detected the sending of information to the private IP address as a trojan-like act and matched it to a known trojan's behaviour but I am quite positive there is no virus or trojan in this bot.
08/14/2005 03:25 Matt.dk#4
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.
Great work, you got that done in less than an hour, and you had to figure out how to unpack an exe that was packed with a modified UPX. Now, once it goes pay to use, we should be able to easily crack the bot, and jMerlin has already said he will do so. :)

karma +
08/14/2005 06:11 Ultima#5
Quote:
Originally posted by Matt.dk@Aug 14 2005, 03:25
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.
Great work, you got that done in less than an hour, and you had to figure out how to unpack an exe that was packed with a modified UPX. Now, once it goes pay to use, we should be able to easily crack the bot, and jMerlin has already said he will do so. :)

karma +
oO

lol how lame, all he did was dump the process; he hasn't fixed the OEP or the tables, so the prog doesn't work, and that's the main part. Dumping is easy, fixing is the art ;)
08/14/2005 06:18 jMerliN#6
Quote:
Originally posted by Ultima@Aug 13 2005, 23:11

oO

lol how lame, all he did was dump the process; he hasn't fixed the OEP or the tables, so the prog doesn't work, and that's the main part. Dumping is easy, fixing is the art ;)
xD
08/14/2005 06:29 Matt.dk#7
Quote:
Originally posted by Ultima@Aug 14 2005, 06:11
Quote:
Originally posted by Matt.dk@Aug 14 2005, 03:25
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.

Great work, you got that done in less than an hour, and you had to figure out how to unpack an exe that was packed with a modified UPX. Now, once it goes pay to use, we should be able to easily crack the bot, and jMerlin has already said he will do so. :)

karma +

oO

lol how lame, all he did was dump the process; he hasn't fixed the OEP or the tables, so the prog doesn't work, and that's the main part. Dumping is easy, fixing is the art ;)
The oem/tables have not been fixed yet; any person who can read a dumped exe knows that. The fact that it's now dumped is what counts right now. Besides, as I type this I am talkin' to him, he is fixing the oem/tables right now. And it will be cracked the day the bot turns to pay-to-use mode, which is rumored to be August 10th.

I didn't think it was lame, I was talking to him in TS the whole time. I'd personally like to see you go dump an exe that is packed with a modified UPX when you don't know immediately how to do it.
08/14/2005 06:42 Ultima#8
Quote:
Originally posted by Matt.dk@Aug 14 2005, 06:29
Quote:
Originally posted by Ultima@Aug 14 2005, 06:11
Quote:
Originally posted by Matt.dk@Aug 14 2005, 03:25
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.

Great work, you got that done in less than an hour, and you had to figure out how to unpack an exe that was packed with a modified UPX. Now, once it goes pay to use, we should be able to easily crack the bot, and jMerlin has already said he will do so. :)

karma +

oO

lol how lame, all he did was dump the process; he hasn't fixed the OEP or the tables, so the prog doesn't work, and that's the main part. Dumping is easy, fixing is the art ;)
The oem/tables have not been fixed yet; any person who can read a dumped exe knows that. The fact that it's now dumped is what counts right now. Besides, as I type this I am talkin' to him, he is fixing the oem/tables right now. And it will be cracked the day the bot turns to pay-to-use mode, which is rumored to be August 10th.

I didn't think it was lame, I was talking to him in TS the whole time. I'd personally like to see you go dump an exe that is packed with a modified UPX when you don't know immediately how to do it.
lol that shows that you don't know what you are talking about

It's decrypted and unpacked in memory when it's loaded; it takes about 10 seconds to load and dump it, and I already did it the day I got the bot. Like I said, it's no big deal to dump it; to fix the OEP and the tables is the art
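Two points in this thread are worth making concrete for anyone triaging a dumped or packed executable: jMerliN's remark that a modified UPX stub is what trips poorly written scanners, and Ultima's point that the dump still has the packer's entry point rather than the original entry point (OEP). The script below is an added example, not code from the thread or from the BJX project: it parses a PE file's section table and AddressOfEntryPoint, then applies the usual packer heuristics (stock UPX section names, a section that is empty on disk but large in memory, high-entropy raw data, and an entry point that lands in a high-entropy section). Because a modified stub can rename sections, the name check is deliberately only one signal among several. The two sample binaries are constructed in memory and are not bytes from the bot; the layout, thresholds and function names are this example's own assumptions.

```python
import math
import struct

# Constructed stand-ins for section contents (not bytes from any real binary).
HIGH_ENTROPY = bytes(range(256)) * 16  # 4096 bytes, entropy 8.0: stands in for compressed data
PLAIN_CODE = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) + b"\xCC" * 500
PLAIN_DATA = b"hello\0" * 20


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Read AddressOfEntryPoint and the section table of a PE32/PE32+ file.
    Returns (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def triage(pe):
    """Packer heuristics. A renamed stub defeats the name check, so the
    empty-section, entropy and entry-point checks carry the decision."""
    entry_rva, sections = parse_pe(pe)
    findings, entry_section = [], None
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        ent = entropy(pe[raw_ptr:raw_ptr + raw_size])
        holds_entry = vaddr <= entry_rva < vaddr + max(vsize, raw_size)
        if holds_entry:
            entry_section = name
        if name.upper().startswith("UPX"):
            findings.append(f"section {name!r} carries a stock UPX name")
        if raw_size == 0 and vsize > 0:
            findings.append(f"section {name!r} has no raw data but {vsize:#x} bytes in memory")
        if raw_size and ent > 7.0:
            findings.append(f"section {name!r} has entropy {ent:.2f}")
        if holds_entry and raw_size and ent > 7.0:
            findings.append(f"entry point {entry_rva:#x} sits in high-entropy section "
                            f"{name!r}; the real OEP is elsewhere")
    return {"entry_section": entry_section, "findings": findings,
            "likely_packed": len(findings) >= 2}


def build_sample_pe(section_specs, entry_rva):
    """Construct a minimal PE32 image in memory (test data, not a program).
    section_specs: [(name, raw_bytes, virtual_size)]."""
    file_align, sect_align = 0x200, 0x1000
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(section_specs)
    hdr_len = -(-hdr_len // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt = (opt + struct.pack("<III", 0x400000, sect_align, file_align)).ljust(224, b"\0")
    headers, body, raw_ptr, vaddr = b"", b"", hdr_len, sect_align
    for name, raw, vsize in section_specs:
        raw_size = -(-len(raw) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, vaddr, raw_size, raw_ptr if raw_size else 0,
                               0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-max(vsize, raw_size) // sect_align) * sect_align
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_len, b"\0") + body


def packed_sample():
    """Layout of a stock UPX build: empty UPX0, compressed UPX1 holding the stub, .rsrc."""
    return build_sample_pe([("UPX0", b"", 0x10000),
                            ("UPX1", HIGH_ENTROPY, 0x1000),
                            (".rsrc", b"\0" * 200 + b"A" * 312, 0x200)], entry_rva=0x11100)


def plain_sample():
    """Ordinary layout: entry point in a low-entropy .text section."""
    return build_sample_pe([(".text", PLAIN_CODE, 0x200),
                            (".data", PLAIN_DATA, 0x100)], entry_rva=0x1000)


if __name__ == "__main__":
    for label, sample in (("packed", packed_sample()), ("plain", plain_sample())):
        print(label, triage(sample))
```

Run against a real file with `triage(open(path, "rb").read())`. A dumped image that still reports its entry point inside the stub section is exactly the state the thread describes: the code is in memory, but the header has not been repaired to point at the OEP, and the import table still needs rebuilding before the program runs.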
08/14/2005 06:45 Matt.dk#9
Quote:
Originally posted by Ultima@Aug 14 2005, 06:42
Quote:
Originally posted by Matt.dk@Aug 14 2005, 06:29
Quote:
Originally posted by Ultima@Aug 14 2005, 06:11
Quote:
Originally posted by Matt.dk@Aug 14 2005, 03:25
Quote:
Originally posted by jMerliN@Aug 14 2005, 03:05
I've unpacked the UPX packing on the BJX 1.1 bot, and as of now this unpacked version won't execute, but whenever I get around to making this one run I'll post up the final one. Anyone who cares to can go ahead and do so, it only takes a simple bit of knowledge to do so... there's just no real need till the app goes P2P.

Though.. you can open it in IDA or your fav disasm app and browse around and find things and such, as all of the strings and functions are intact.

Great work, you got that done in less than an hour, and you had to figure out how to unpack an exe that was packed with a modified UPX. Now, once it goes pay to use, we should be able to easily crack the bot, and jMerlin has already said he will do so. :)

karma +

oO

lol how lame, all he did was dump the process; he hasn't fixed the OEP or the tables, so the prog doesn't work, and that's the main part. Dumping is easy, fixing is the art ;)

The oem/tables have not been fixed yet; any person who can read a dumped exe knows that. The fact that it's now dumped is what counts right now. Besides, as I type this I am talkin' to him, he is fixing the oem/tables right now. And it will be cracked the day the bot turns to pay-to-use mode, which is rumored to be August 10th.

I didn't think it was lame, I was talking to him in TS the whole time. I'd personally like to see you go dump an exe that is packed with a modified UPX when you don't know immediately how to do it.
lol that shows that you don't know what you are talking about

It's decrypted and unpacked in memory when it's loaded; it takes about 10 seconds to load and dump it, and I already did it the day I got the bot. Like I said, it's no big deal to dump it; to fix the OEP and the tables is the art
Actually, I do know what I'm talking about. First he took a UPX unpacker and tried to unpack it; he couldn't compensate for the modification, so he searched online for unpacking a packed + modded UPX exe, and he ended up doing what you said, dumping it from memory using OllyDbg.
08/14/2005 06:46 jMerliN#10
It's almost done anyway so stop fighting ladies >.<
08/14/2005 07:13 MrTeenie#11
Loving to see that it'll be cracked before it is even pay to use.

Oh yea and I think I read somewhere Aug 24th is when it will be.
08/14/2005 08:51 chocoman4k#12
Here is my unpacked BJX 1.1 bot .exe. Should work OK.
I finished with a router and UDP server but can't get over a little UDP protocol related bug, hope I can finish it before anyone else does :P
08/14/2005 09:45 sabbathin#13
Quote:
Originally posted by chocoman4k@Aug 13 2005, 23:51
Here is my unpacked BJX 1.1 bot .exe. Should work OK.
I finished with a router and UDP server but can't get over a little UDP protocol related bug, hope I can finish it before anyone else does :P
thats why i love you and ur job :P
08/14/2005 15:31 nickel#14
Quote:
Originally posted by chocoman4k@Aug 14 2005, 08:51
Here is my unpacked BJX 1.1 bot .exe. Should work OK.
I finished with a router and UDP server but can't get over a little UDP protocol related bug, hope I can finish it before anyone else does :P
+ lots of karma if it works =) man you rox =D