As you can see in the picture, it is another RAR file, not surprisingly.

Unzipping it needs a password. I guess the password is t147147, and oh, guessed right. The TNT team did not write their own decompression tool; they use the WinRAR SFX self-extraction module, passing arguments to it to decompress, as shown in the picture.

The decompressed output is divided into three files. The bat script is still encrypted, so use the hex editor again to read it.

DIE (Detect It Easy) analysis shows that data.bin is an executable program, so rename it to data.exe.

DIE analysis shows that v1 is a binary file, unrecognizable for now.

As shown in the picture, this script file does the following actions.

Step 3, run data.bin, an executable program, with the parameter v1.

Step 4, delete v1, data.bin, Created_By_TNT_Team.bat.

After renaming, it is very clear what data.exe is: the script runner of AutoIt3. So v1 is, unsurprisingly, an AutoIt3 script, and its suffix should be a3x.

v1 is the compiled au3 script. I found some decompilers on GitHub, for example UnAutoIt.

As you can see, after unpacking, an iMazing.exe is released from v1, along with a script that is extremely obfuscated and almost unreadable.

The modified iMazing.exe also comes with the original digital signature, although it is no longer valid. It looks like it will locally modify the iMazing.exe, which should be considered a file patch, but it seems that the hash has not changed …
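The three kinds of file met above (a RAR SFX, the renamed AutoIt3 runner, the extensionless compiled script) can be typed by content rather than by name; the following is an added example, not code from the original post. The signatures are the publicly known RAR, PE and AutoIt3 markers rather than values from the page, and the sample bytes and the name `setup.exe` are constructed.

```python
import struct

RAR4 = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x signature
RAR5 = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")  # compiled AutoIt3 script markers

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def first_hit(data: bytes, needles) -> int:
    """Lowest offset at which any needle occurs, or -1."""
    return min((i for i in map(data.find, needles) if i >= 0), default=-1)

def classify(data: bytes) -> list[str]:
    """Label a file by content, so a renamed or extensionless file is still typed."""
    labels = []
    pe = is_pe(data)
    if pe:
        labels.append("pe")
    rar_at = first_hit(data, (RAR4, RAR5))
    if rar_at == 0:
        labels.append("rar")
    elif rar_at > 0 and pe:
        labels.append("rar-sfx")  # archive appended to an executable stub
    au3_at = first_hit(data, AU3_MARKERS)
    if au3_at >= 0 and pe:
        # Either a compiled script inside an EXE or the AutoIt3 runner itself.
        labels.append("autoit-marker-in-pe")
    elif 0 <= au3_at < 32:
        labels.append("autoit-a3x")  # standalone compiled script
    return labels or ["unknown"]

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header, just enough for is_pe()."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 32

# Constructed samples mirroring the files described in the post.
SAMPLES = {
    "setup.exe": _fake_pe() + RAR5 + b"\x00" * 16,         # hypothetical SFX name
    "data.bin": _fake_pe() + b"AU3!EA06",                  # renamed runner
    "v1": bytes(16) + b"AU3!EA06" + b"\x00" * 16,          # 16-byte placeholder prefix
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10} -> {', '.join(classify(blob))}")
```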