Reversing - Writing an EXE4J Configuration Extractor
Author: MalwareAnalysisForHedgehogs
Uploaded: 2021-10-23
Views: 2464
Description:
Wrappers, installers, builders and EXE converters often create files with their own configuration format. What do you do if you find no tool to extract it for you? You write an extractor yourself.
Get the final EXE4J extractor here: https://github.com/struppigel/Exe4jCo...
Malware analysis courses: https://malwareanalysis-for-hedgehogs...
Buy me a coffee: https://ko-fi.com/struppigel
Follow me on Twitter: / struppigel
Samples to test it on:
https://bazaar.abuse.ch/sample/da9f4e...
https://bazaar.abuse.ch/sample/1dd9e2...
https://bazaar.abuse.ch/sample/862bec...
https://bazaar.abuse.ch/sample/ca8b2f...
PortexAnalyzer: https://github.com/katjahahn/PortEx/b...
HxD: https://mh-nexus.de/en/hxd/
VBinDiff: https://www.cjmweb.net/vbindiff/
0:00 Introduction
0:55 "Customer" sample, EXE4J, does not run
3:19 EXE4J Wizard overview
6:12 Looking for embedded JAR file
7:54 Checking the overlay for the config
9:12 Comparing different test files with VBinDiff to find out the structure of the config
16:51 Extracting the config of the "customer" sample
18:15 The mysterious, ever changing value in every config
19:30 What to tell a customer based on a non-runnable program
19:58 We need more tutorials about clean file analysis
Note: No actual customer sample was used. I obtained this from VT ;)