Monday, April 13, 2020

Nullsoft Installer in IDA Pro

Just my attempt to review the start of the Nullsoft installer (EasyPDfCombine).

MD5             C95772694EA68F394DAA4AC144BD40FB

start
- call ds:InitCommonControls  [ initializes common controls in Windows ]
- call ds:SetErrorMode (8001h) [ sends critical errors to the calling process, no prompt on error ]
- call ds:OleInitialize   [ initializes the COM (Component Object Model) library ]
- call sub_xxxxx1
        -- call ds:GetModuleHandleA [ gets a handle to KERNEL32.DLL ]
        -- call ds:LoadLibraryA [ loads KERNEL32.DLL into memory ]
        -- call ds:GetProcAddress [ gets the address of GetDiskFreeSpaceExW; resolved dynamically, it is not in the import table ]
- call ds:SHGetFileInfoW [ gets info such as the display name, attributes and icon of a file ]
- call sub_xxxxx2
        -- call ds:lstrcpynW [ makes a copy of the NSIS error message string ]
- call ds:GetCommandLineW [ gets the command line string for this process ]
- call sub_xxxxx2
        -- call ds:lstrcpynW [ makes a copy of the command line string ]
- call ds:GetModuleHandleW [ gets a handle to the file of the current process ]
- call sub_xxxxx3  [ arguments are a Quote (") and the command line string ]
        -- while character is not a Quote (")
            -- call ds:CharNextW [ move to the next character in the command line string ]
- call ds:CharNextW [ move past the Quote (") that was just found ]
- while character is not a Space (0x20)
        -- inc eax [ move to the next letter in the command line string ]
- inc eax  [ past the Quote (", 0x22) ]
- find the flag ("/S", 0x2f53)
- find the flag ("/NCRC", 0x2f4E435243)   (note: in the assembly it is listed as CNCR, reversed)
- call sub_xxxxx2
        -- call ds:lstrcpynW [ makes a copy of the command line string  ]
- call ds:GetTempPathW [ gets path of temp folder ]
- call ds:GetWindowsDirectoryW [ gets path of windows folder ]
- call lstrcatW [ append "Temp" to the folder so c:\windows\temp ]
- call sub_xxxxx4
     -- call sub_xxxxx5   [ did not finish ]
     -- call sub_xxxxx6   [ did not finish ]
     -- call sub_xxxxx7   [ did not finish ]
     -- call ds:CreateDirectoryW
     -- call sub_xxxxx8   [ did not finish ]
- call ds:GetTempPathW [ gets path of temp folder ]
- call lstrcatW [ append the word "Low" to the temp folder ]
       note: changes it from C:\Users\x\AppData\Local to C:\Users\x\AppData\LocalLow
- call ds:SetEnvironmentVariableW [ set T to the temp folder ]
- call ds:SetEnvironmentVariableW [ set TMP to the temp folder ]
- call ds:DeleteFileW [ ]
- ... much more ...
- call lstrcatW [ append "~nsu.tmp" to the temp folder path ]
- ... more ...
- call ds:CreateDirectoryW [ create a new temp folder ]
- call ds:SetCurrentDirectoryW [ move to the newly created folder ]
- call sub_xxxxx2
- call sub_xxxxx2
- call sub_xxxxx9 [ works on the CurrentVersion registry key and the Quick Launch registry key ]
- call ds:DeleteFileW
- call ds:CopyFileW
- call sub_xxxxx9 [ works on the CurrentVersion registry key and the Quick Launch registry key ]
- call sub_xxxxx10
    -- call ds:CreateProcess
    -- call ds:CloseHandle
- call ds:CloseHandle
- ... more ...
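The trace above shows two things an analyst usually wants to reproduce away from the disassembler: how the installer walks its own command line (skip the quoted program path, then look for "/S" and "/NCRC"), and the fact that it copies itself into a freshly created "~nsu.tmp" folder under the temp directory before calling CreateProcess. The Python below is an added example written for this post, not code from the installer or from NSIS; it models the intent of those steps rather than the byte-exact loops, the function names are my own, and the log lines it runs over are constructed samples, not real telemetry. It shows how to parse a command line the way the trace describes and how to flag a process-creation record that combines the silent flag with an image path inside "~nsu.tmp".

```python
"""Model of the command-line handling and ~nsu.tmp step described in the
trace. Added example, not the installer's or NSIS's own code; names are
assumptions made for illustration."""

SILENT_FLAG = "/S"        # from the trace: ("/S", 0x2f53)
NO_CRC_FLAG = "/NCRC"     # from the trace: ("/NCRC", 0x2f4E435243)
NSIS_TEMP_DIR = "~nsu.tmp"  # folder name appended to the temp path in the trace


def parse_installer_cmdline(cmdline: str) -> dict:
    """Return the program path plus the two flags the trace checks for.

    The trace walks to the opening quote, past it, and then to the end of
    the program path before scanning for flags. Here the quoted path is
    skipped as a unit and flags are matched on the remaining tokens exactly
    as written; the trace says nothing about case handling, so none is
    modelled (assumption)."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:            # unterminated quote: treat the rest as the path
            end = len(cmdline)
        program = cmdline[1:end]
        rest = cmdline[end + 1:]
    else:
        program, _, rest = cmdline.partition(" ")
    tokens = rest.split()
    return {
        "program": program,
        "silent": SILENT_FLAG in tokens,
        "no_crc": NO_CRC_FLAG in tokens,
        "other_args": [t for t in tokens if t not in (SILENT_FLAG, NO_CRC_FLAG)],
    }


def runs_from_nsis_temp_dir(program: str) -> bool:
    """True when the executable lives under a ~nsu.tmp directory, the
    scratch folder the trace shows being created, changed into, and used
    as the CopyFileW destination before CreateProcess."""
    parts = program.replace("/", "\\").lower().split("\\")
    return NSIS_TEMP_DIR.lower() in parts[:-1]   # directory components only


# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Users\x\AppData\Local\Temp\~nsu.tmp\un.exe" /S',
    r'"C:\Users\x\Downloads\setup.exe" /NCRC /S',
    r'"C:\Windows\System32\notepad.exe" C:\notes.txt',
]


def flag_silent_temp_runs(events):
    """Return the command lines that run silently out of ~nsu.tmp, the
    combination that deserves a closer look during triage."""
    hits = []
    for line in events:
        info = parse_installer_cmdline(line)
        if info["silent"] and runs_from_nsis_temp_dir(info["program"]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_installer_cmdline(event))
    print("flagged:", flag_silent_temp_runs(SAMPLE_EVENTS))
```

The parser is deliberately literal about the two flags because that is all the trace establishes; anything further about how NSIS treats other switches would be a guess and is left out.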
