Malware Archive



MD5 : 0168c367d43097950b812f1ab28d108e
SHA1SUM : afb7070af5aec8b2091fe9b7986a0e439a76f905

architecture: i386, flags 0x0000010b:
HAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00407b70

Characteristics 0x818e
executable
line numbers stripped
symbols stripped
little endian
32 bit words
big endian

Time/Date Sat Jun 20 00:22:17 1992
Magic 010b (PE32)
MajorLinkerVersion 2
MinorLinkerVersion 25
SizeOfCode 00007200
SizeOfInitializedData 00013200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000007b70
BaseOfCode 0000000000001000
BaseOfData 0000000000009000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00021000
SizeOfHeaders 00000400
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000004000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000000b000 0000077a Import Directory [parts of .idata]
Entry 2 000000000000f000 00011554 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 000000000000e000 00000b00 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 000000000000d000 00000018 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .idata at 0x40b000

The Import Tables (interpreted .idata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk


PE File Base Relocations (interpreted .reloc section contents)

Sections:
Idx Name Size VMA LMA File off Algn
0 CODE 00007130 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 DATA 00000418 00409000 00409000 00007600 2**2
CONTENTS, ALLOC, LOAD, DATA
2 BSS 00000000 0040a000 0040a000 00007c00 2**2
CONTENTS
3 .idata 0000077a 0040b000 0040b000 00007c00 2**2
CONTENTS, ALLOC, LOAD, DATA
4 .tls 00000000 0040c000 0040c000 00008400 2**2
CONTENTS
5 .rdata 00000018 0040d000 0040d000 00008400 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA, SHARED
6 .reloc 00000b00 0040e000 0040e000 00008600 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA, SHARED
7 .rsrc 00011554 0040f000 0040f000 00009200 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA, SHARED
PeRdr by Frediano Ziglio. Build Dec 27 2007
Runtime Error: Unable to read from file
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 2A425E19 Sat Jun 20 00:22:17 1992
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00021000
Code Base: 00001000 Size: 00007200
Data Base: 00009000 Size: 00013200
Entry Point: 00007B70 (file offset 00006F70)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: CODE RVA: 00001000 Offset: 00000400 Size: 00007200 Flags: 60000020 (CER)
2: DATA RVA: 00009000 Offset: 00007600 Size: 00000600 Flags: C0000040 (DRW)
3: BSS RVA: 0000A000 Offset: 00007C00 Size: 00000000 Flags: C0000000 (RW)
4: .idata RVA: 0000B000 Offset: 00007C00 Size: 00000800 Flags: C0000040 (DRW)
5: .tls RVA: 0000C000 Offset: 00008400 Size: 00000000 Flags: C0000000 (RW)
6: .rdata RVA: 0000D000 Offset: 00008400 Size: 00000200 Flags: 50000040 (DSR)
7: .reloc RVA: 0000E000 Offset: 00008600 Size: 00000C00 Flags: 50000040 (DSR)
8: .rsrc RVA: 0000F000 Offset: 00009200 Size: 00011600 Flags: 50000040 (DSR)

This program must be run under Win32
CODE
`DATA
.idata
.tls
.rdata
P.reloc
P.rsrc
StringX
TObject