Yup was just looking out for people, better safe than sorry lol. Anyways, still got me on your msn list regain? If need I can send it to you.
"edit"
Sending you the link in pm.
errr dunno, forgot your email lol.
Thanks to Necro i got ahold of the executable....
Analysis Results so far..
Isn't bound with anything.
MD5 Hash: 63FC1950935B76EB60A127937CF309C7
File size: 199 KB
The exe is packed using UPX - UPX makes the executable smaller therefore faster so dw.
my guess would be a vb6 app? nvm autoit.
Uses/Loads:
"KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
GetOpenFileNameA
BitBlt
CoInitialize
DragFinish
GetDC
VerQueryValueA
mixerOpen"
Doesn't do anything suspicious in anubis...
but checks the registry for this information:
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ CUAS 0 1
HKLM\Software\Microsoft\CTF\SystemShared CUAS 0 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM Ime File msctfime.ime 1
Using vmware to test the application...
tried all commands and nothing suspicious happens~
looks clean to me. seems genuine.
will test via ollydbg later.
tested via real comp and nothing suspicious YET.
since a trojan/virus may be set to delay for so long or delay until reboot.
currently unpacking the file.
i deem this file SAFE until further notice.
( i don't know how this app does auto-buffing tho o.o - seems like a bot that does nothing.)
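Added example, not part of the original post and not code from the analysed program: the static checks listed above (file size, MD5, UPX packing) done by reading the PE section table directly. The MD5 constant is the one quoted in the post; `build_sample_pe` and its bytes are a constructed stand-in for the real file, and the function names are made up for illustration.

```python
import hashlib
import struct

# MD5 quoted in the analysis post above; everything else here is constructed.
POSTED_MD5 = "63FC1950935B76EB60A127937CF309C7"

def build_sample_pe(names):
    """Constructed stand-in for a PE file: DOS header, PE signature,
    COFF header and a section table with the given 8-byte names."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + table

def section_names(data):
    """Walk the PE headers and return the section names in file order."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00" or len(data) < pe + 24:
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    names = []
    for i in range(count):
        raw = data[pe + 24 + opt_size + 40 * i:][:8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def triage(data, expected_md5=POSTED_MD5):
    """Size, MD5, section names, and two checks made before any dynamic test."""
    names = section_names(data)
    md5 = hashlib.md5(data).hexdigest().upper()
    return {
        "size": len(data),
        "md5": md5,
        "md5_matches": md5 == expected_md5.upper(),
        "sections": names,
        # Heuristic only: a modified packer can rename UPX0/UPX1.
        "upx_sections": any(n.startswith("UPX") for n in names),
    }

if __name__ == "__main__":
    print(triage(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

When `upx_sections` is true, the import table read from the file on disk belongs to the unpacking stub, so the imports are worth listing again after unpacking.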
Quote:
( i don't know how this app does auto-buffing tho o.o - seems like a bot that does nothing.)
From the looks of how it buffs is like.
Code:
; <COMPILER: v1.0.47.5>
#NoEnv
SendMode Input
SetWorkingDir %A_ScriptDir%
#Persistent
menu, tray, add
menu, tray, add, Buff Repeater (CTRL +2), BuffLoop
menu, tray, add, Buff Round (CTRL + 3), BuffRound
return

^q::ExitApp
^p::Pause
^r::Reload
^h::about()
^1::buff()
^2::buff_loop()
^3::buff_round()
IfWinNotActive, ROSE online, , WinActivate, ROSE online,

BuffLoop:
buff_loop()
return

BuffRound:
buff_round()
return

about()
{
    TrayTip, Conjurer script,`n CTRL + q = quit `n CTRL + R = restart `n
}

buff()
{
    Send, {F1}
    Sleep, 3000
    Send, {F2}
    Sleep, 3000
    Send, {F3}
    Sleep, 3000
    Send, {F4}
    Sleep, 3000
    Send, {F5}
    Sleep, 3000
    Send, {F6}
    Sleep, 5000
}

buff_loop()
{
    TrayTip, Activated buff repeat, Buff stay buffing ( to deactivate use CTRL+R)
    counter = 0
    Loop
    {
        Sleep, 10000
        buff()
        Sleep, 60000
        counter++
        if(counter = 200)
        {
            Send, {F8}
            counter = 0
        }
    }
}

sequence()
{
    Sleep, 10000
    Send, {!}I will buff in 30 seconds {!} Get near please {!} {ENTER}
    Sleep, 30000
    buff()
}

buff_round()
{
    TrayTip, Activated buff round, will cicle maps buffing ( to deactivate use CTRL+R)
    counter = 0
    Loop
    {
        IfWinActive, ROSE online
        {
            Send, /na Welcome to Bratok R.O.S.E, We wish you all the best fun playing in our server! {ENTER}
            Sleep, 5000
            Send, /na This is a automated BOT, does not respond to players or buffing requests. Buff Junon, Zant and Adventure! {ENTER}
            Sleep, 1000
            Send, /mm 22 565 522 {ENTER}
            sequence()
            Send, /mm 1 525 525 {ENTER}
            sequence()
            Send, /mm 2 566 521 {ENTER}
            sequence()
            counter++
            if(counter = 50)
            {
                Send, {F8}
                counter = 0
            }
        }
    }
}
Done added to release section.
Ok thanks Post closed