1 (edited by yelingusa 2017-01-10 11:16:30)

Topic: Newbie on NGVCK .asm files

Hi, I am very new to analyzing malware and would like to understand how it works. I just downloaded the zip file from the NGVCK constructor and managed to get the .asm file. How should I compile the file so that I can later use IDA to disassemble it? Do I have to use TASM, or will the MS VC compiler do?
I'd appreciate it if someone could direct me from the starting point. Thank you!
OK, it seems that I need to use TASM to compile it into 64-bit!
Now, my next issue is that when I load it into IDA Pro 64-bit, it doesn't give me the PE option to disassemble it. Does anyone have any idea? Is it because of the way I built the .asm differently, which causes IDA Pro to give me only the DOS or binary file option? Thanks!

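The "only DOS or binary" symptom in the first post comes down to what the file's headers say, so here is an added example (written for this thread, not code from any poster or from the NGVCK project) that classifies an executable the way a loader or a disassembler's file-type probe does: it checks for the MZ signature, follows e_lfanew at offset 0x3C, and looks for "PE\0\0" plus the optional-header magic that distinguishes PE32 from PE32+. The sample byte strings are constructed stubs with only the fields the checker reads, not real NGVCK output.

```python
import struct
import sys

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def classify_executable(data: bytes) -> str:
    """Return a short label describing what kind of executable the bytes hold.

    The logic mirrors what a loader (or a disassembler's file-type probe) does:
      1. "MZ" at offset 0  -> at least a DOS executable.
      2. e_lfanew (u32 at offset 0x3C) points at the PE header.
      3. "PE\\0\\0" at that offset -> Windows PE; the optional header magic
         then tells PE32 (0x10B, 32-bit) from PE32+ (0x20B, 64-bit).
    A file without a valid PE signature is an MZ-only DOS program (or junk),
    which is exactly the case where a disassembler offers only DOS/binary loaders.
    """
    if len(data) < 0x40 or data[:2] != MZ_SIGNATURE:
        return "not an MZ executable"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "MZ-only (16-bit DOS)"
    # The 20-byte COFF file header follows the signature; the optional header
    # (whose first field is the magic) follows the COFF header.
    coff = e_lfanew + 4
    if coff + 20 + 2 > len(data):
        return "PE (truncated headers)"
    (machine,) = struct.unpack_from("<H", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)
    if magic == 0x10B:
        return f"PE32 (32-bit, machine=0x{machine:04x})"
    if magic == 0x20B:
        return f"PE32+ (64-bit, machine=0x{machine:04x})"
    return f"PE (unknown optional header magic 0x{magic:04x})"


def _mz_header(e_lfanew: int) -> bytes:
    """Constructed 64-byte DOS header with only the fields the checker reads."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_SIGNATURE
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


def _pe_stub(machine: int, magic: int) -> bytes:
    """Constructed MZ header + PE signature + COFF header + optional-header magic."""
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return _mz_header(0x40) + PE_SIGNATURE + coff + struct.pack("<H", magic)


# Constructed samples (assumption: not real NGVCK output, just header stubs).
SAMPLE_DOS = _mz_header(0) + b"\xb4\x4c\xcd\x21"   # MZ header + "mov ah,4Ch / int 21h"
SAMPLE_PE32 = _pe_stub(0x14C, 0x10B)               # IMAGE_FILE_MACHINE_I386, PE32
SAMPLE_PE64 = _pe_stub(0x8664, 0x20B)              # IMAGE_FILE_MACHINE_AMD64, PE32+


def classify_file(path: str) -> str:
    """Read only the first 4 KiB of a file; that is enough for the headers."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read(4096))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {classify_file(p)}")
    else:
        for name, blob in (("dos", SAMPLE_DOS), ("pe32", SAMPLE_PE32), ("pe64", SAMPLE_PE64)):
            print(f"{name}: {classify_executable(blob)}")
```

Run it with a path to the linked output to see which of the three cases you are in: an MZ-only result means the assembler and linker produced a DOS program, not a PE, so no PE loader will be offered regardless of which IDA edition you use.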

Re: Newbie on NGVCK .asm files

yelingusa wrote:

Hi, I am very new to analyzing malware and would like to understand how it works. I just downloaded the zip file from the NGVCK constructor and managed to get the .asm file. How should I compile the file so that I can later use IDA to disassemble it? Do I have to use TASM, or will the MS VC compiler do?
I'd appreciate it if someone could direct me from the starting point. Thank you!
OK, it seems that I need to use TASM to compile it into 64-bit!
Now, my next issue is that when I load it into IDA Pro 64-bit, it doesn't give me the PE option to disassemble it. Does anyone have any idea? Is it because of the way I built the .asm differently, which causes IDA Pro to give me only the DOS or binary file option? Thanks!

You must assemble and link to 16-bit!

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter


Re: Newbie on NGVCK .asm files

Yeah, I just realized it!
Can I use MASM to compile it into 32/64-bit so that I can get a PE format out of it? TASM doesn't compile into PE, does it?
Thanks!


Re: Newbie on NGVCK .asm files

yelingusa wrote:

Yeah, I just realized it!
Can I use MASM to compile it into 32/64-bit so that I can get a PE format out of it? TASM doesn't compile into PE, does it?
Thanks!

TLINK can link x86 32-bit code to PE... but the code from NGVCK is 16-bit *MS-DOS* code.

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter


5 (edited by yelingusa 2017-01-11 10:46:41)

Re: Newbie on NGVCK .asm files

I see... thank you very much!
I realized I can use tasm32 and tlink32 in the tasm\bin folder!


Re: Newbie on NGVCK .asm files

JPanic wrote:
yelingusa wrote:

Yeah, I just realized it!
Can I use MASM to compile it into 32/64-bit so that I can get a PE format out of it? TASM doesn't compile into PE, does it?
Thanks!

TLINK can link x86 32-bit code to PE... but the code from NGVCK is 16-bit *MS-DOS* code.

I believe that SnakeByte's NGVCK creates self-replicators for 32-bit Windows PE files.

Re: Newbie on NGVCK .asm files

SPTH wrote:
JPanic wrote:
yelingusa wrote:

Yeah, I just realized it!
Can I use MASM to compile it into 32/64-bit so that I can get a PE format out of it? TASM doesn't compile into PE, does it?
Thanks!

TLINK can link x86 32-bit code to PE... but the code from NGVCK is 16-bit *MS-DOS* code.

I believe that SnakeByte's NGVCK creates self-replicators for 32-bit Windows PE files.

I was thinking of the wrong generator... sorry.

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter


Re: Newbie on NGVCK .asm files

Thanks, guys! Your replies inspire me to look further.
