[SHARE] Unpacked Cabalmain (EU)

~~Bla.de~~ · 02/17/2010, 15:37

Unpacked Cabalmain.exe Europe

I´ve found some unpacker and completely removed the protections from the Cabalmain. I am not sure if someone else allrdy posted this, i haven´t seen it here at least so i am gonna release it. The unpacked cabalmain itself don´t start and its uploaded here and given out for share for experiments. Maybe its usefull and we can work out some nice stuff together. I add 3 pics with the different heurastics from the .exe files through the procedure.

The normal Cabalmain

The first dump of Cabalmain

The unpacked Cabalmain

a-squared;4.5.0.50;2010.02.17;-
AhnLab-V3;5.0.0.2;2010.02.16;-
AntiVir;8.2.1.170;2010.02.17;-
Antiy-AVL;2.0.3.7;2010.02.17;-
Authentium;5.2.0.5;2010.02.17;W32/Downloader.J.gen!Eldorado
Avast;4.8.1351.0;2010.02.17;-
AVG;9.0.0.730;2010.02.17;-
BitDefender;7.2;2010.02.17;-
CAT-QuickHeal;10.00;2010.02.17;W32.PoliPos
ClamAV;0.96.0.0-git;2010.02.17;-
Comodo;3969;2010.02.17;-
DrWeb;5.0.1.12222;2010.02.17;-
eSafe;7.0.17.0;2010.02.16;Suspicious File
eTrust-Vet;35.2.7308;2010.02.17;-
F-Prot;4.5.1.85;2010.02.16;W32/Downloader.J.gen!Eldorado
F-Secure;9.0.15370.0;2010.02.17;-
Fortinet;4.0.14.0;2010.02.15;-
GData;19;2010.02.17;-
Ikarus;T3.1.1.80.0;2010.02.17;-
Jiangmin;13.0.900;2010.02.17;-
K7AntiVirus;7.10.974;2010.02.15;-
Kaspersky;7.0.0.125;2010.02.17;-
McAfee;5894;2010.02.16;-
McAfee+Artemis;5894;2010.02.16;-
McAfee-GW-Edition;6.8.5;2010.02.17;-
Microsoft;1.5406;2010.02.17;-
NOD32;4874;2010.02.17;-
Norman;6.04.08;2010.02.17;-
nProtect;2009.1.8.0;2010.02.17;-
Panda;10.0.2.2;2010.02.16;Suspicious file
PCTools;7.0.3.5;2010.02.17;-
Prevx;3.0;2010.02.17;-
Rising;22.34.01.03;2010.02.11;-
Sophos;4.50.0;2010.02.17;-
Sunbelt;5682;2010.02.17;-
Symantec;20091.2.0.41;2010.02.17;Suspicious.Insigh t
TheHacker;6.5.1.4.197;2010.02.17;-
TrendMicro;9.120.0.1004;2010.02.17;-
VBA32;3.12.12.2;2010.02.16;-
ViRobot;2010.2.17.2190;2010.02.17;-
VirusBuster;5.0.21.0;2010.02.17;-

If u dont trust this scan, scan it yourself

The Alerts in there must come from decompiling the .exe file.. If you don´t feel save, don´t download it..
I just wanna share my work

Feel free to share your opinions about it

.Law. · 02/17/2010, 15:45

The cabalmain has 3 packers,not 2,it doesn't start because its not fully unpacked yet.

~~Bla.de~~ · 02/17/2010, 15:55

Quote:

Originally Posted by PunkS7yle

The cabalmain has 3 packers,not 2,it doesn't start because its not fully unpacked yet.

Ahh okay...
Well than i need to find some other tools to check the heurastic which maybe is behind the last part to get the final step.
Ty a lot again punky

And for the rest, feel free to help

Gonna go on work with the last packer again than

.Law. · 02/19/2010, 16:18

If ur looking for some files/ scripts ,drop me a pm with ur msn,I gathered mostly all of the plugins/scripts u need for it from some chinese website ;d

HellSpider · 02/27/2010, 01:10

If you wanna know why you file did not run here is why:

This is your resolved entry point of the application:

Of course the entry point is not the right one but a nice try

.

Now what happens next? The first intruction is RETN meaning the code will return to the address pointed by the current stack position (the yellow line in the picture below).

Now where does the address point? It's somewhere inside kernel32.dll...

And it calls directly ExitThread() API (exits your application). Now you probably understand why your file wont run

.

~~Bla.de~~ · 02/27/2010, 01:47

just nice