The modified iMazing.exe also comes with the original digital signature, although it is no longer valid. It looks like it will locally modify iMazing.exe, which should be considered a file patch, but it seems that the hash has not changed ….

As you can see, after unpacking, an iMazing.exe is released from v1, along with a script that is extremely obfuscated and almost unreadable.

v1 is the compiled au3 script. I found some decompilers on GitHub, for example UnAutoIt.

After renaming, this data.exe is very clear: it is the script runner of AutoIt3, so v1 is unsurprisingly an AutoIt3 script, and the suffix should be a3x.

Step 4, delete v1, data.bin, Created_By_TNT_Team.bat.

Step 3, run data.bin, an executable program, with the parameter v1.

As shown in the picture, this script file does the following actions.

After DIE analysis, v1 is a binary file, temporarily unrecognizable.

After DIE analysis, data.bin is an executable program; rename it to data.exe.

The decompressed file is divided into three. The bat script is still encrypted, so use the hex editor again to read it.

Unzipping needs a password. I guess the password is t147147, and oh, I guessed right. The TNT team did not customize their own decompression tool; they use the WinRAR sfx self-extraction module, with parameters passed in for decompression, as shown in the picture.

As you can see in the picture, it is another RAR file, not surprisingly.

I can't help but wonder what makes it look like lasagna, layer after layer without end.

Step 3, delete Fix.exe and iMazing_fix.bat.

The first step, run Fix.exe. The parameters are pt147147 and -d%dir%; the way this is written makes me feel that this is a compressed file, and it seems to be true.

This is very clear. The iMazing_fix.bat run process is as follows.

There is a Fix.exe and an iMazing_fix.bat, but this bat is garbled when opened, so use C32Asm to see the contents in hexadecimal format, as shown in the figure.
Drag it into DIE: this file seems to be a zip package, so it is decompressed; the contents are shown in the figure.

As shown in the picture, after decompression there is an official installation package and a Create_Fix.exe. It is this file that is reported as poison, so start the investigation.

I wanted to find a backup of AIS Assistant, found iMazing, and got excited to find a cracked version of iMazing for TNT, downloaded from this link for Windows but found it was Windows 11 comes with antivirus software, so I got interested in analyzing this cracked version.

Analysis 1.