Peek into NOD32 module file
by James on Feb.05, 2010, under ReverseIt
Okay, I have been criticized by Niucool & Bananas because there is no post on this blog from me.
Feeling ashamed~~~
So I decided to post something to let you guys know that I am alive.
Are you interested in antivirus engines? Do you want to know what they are?
Hmmm, I don't think I can give you the answer. Just kidding.
Many people think that ESET NOD32 is a good antivirus, and ... so do I.
So I intend to play with it and give you some short info about it.
In the NOD32 AppData folder (or some other folder? I forgot!), you can find some data files named "em???_32.dat".
What does this name mean?
My guess: "e" = ESET, "m" = Module, "???" = just an ID number, "32" = 32-bit (I am not sure).
Before I analyzed them, I thought these files were the virus database.
In fact I was wrong: they are extension modules of the engine!
Basically, the file format consists of 6 major parts:
1. File header:
variable size (from offset 0 up to the first 0x0A0D0A0D marker); the signature and checksum live here,
but we are not interested in them;
2. File info:
size = 0x100; everything here is plain text, you can read it directly;
3. Module record header:
size = 0x1C:
offset  comment
0x00    signature = 0x45FA785E
0x04    signature = 0x05
0x0C    decrypt key
0x18    checksum for this section
4. Module control header:
size = 0x108; it plays the role of the PE header.
Some useful values in this section:
offset  comment
0xD4    entrypoint
0xD8    size of the segment with access ER-
0xDC    size of the segment with access -R-
0xE0    size of the segment with access -RW
(E = executable, R = readable, W = writable)
5. Module section array:
an array of section records, like the section table of a PE file.
The last one is the "NULL" section.
Section struct, size = 0x24:
offset  comment
0x00    section name ("CODE" | "DATA" | "UNPC" | "UNPR" | "RELO" | "NULL")
0x04    raw offset of the segment (counted from the "File Info" part)
0x08    checksum of the segment data
0x0C    raw size of the segment
0x10    virtual size of the segment
0x1C    compress flag ??? (1 = compressed, anything else = not compressed ???)
0x20    checksum of this section record
6. Module segment array:
the segment data, like the section contents of a PE file.
The data in parts 4, 5 and 6 are encrypted. If the compress flag is set, the data is also compressed.
To decompress, we can use zlib's inflate().
To decrypt (note: only tested on NOD32 v3.x and v4.x; this could change!!!). One thing worth noticing in the routine below: the key is only ever reduced modulo 11, 13, 17, 23, 29 and 31, so the 32-bit "decrypt key" selects nothing but six starting positions in six short tables. The keystream repeats every 11*13*17*23*29*31 = 50265787 bytes, and any two keys that agree modulo that value decrypt identically.
/* 0x288-byte blob lifted from the engine.  The first 0x88 bytes are six
 * sub-tables of lengths 11, 13, 17, 23, 29 and 31 (zero padding between them);
 * the remaining 0x200 bytes, from 0x88 on, are a 256-entry little-endian
 * CRC-16 table for polynomial 0x1021, which this decrypt routine does not use. */
static unsigned char g_decrypt_table[0x288] = {
0x27, 0x45, 0xFB, 0x82, 0x66, 0x0F, 0xDC, 0x69, 0x31, 0xA7, 0xDA, 0x00, 0xAC, 0x24, 0x57, 0x8F,
0x6B, 0xA3, 0xC2, 0xAB, 0xD6, 0x54, 0xEF, 0x37, 0x49, 0x00, 0x00, 0x00, 0xF7, 0x32, 0x94, 0x0F,
0x0B, 0xB0, 0x1A, 0x92, 0x26, 0x55, 0x2C, 0x4B, 0xEE, 0x8A, 0xE3, 0x23, 0x85, 0x00, 0x00, 0x00,
0x54, 0x7A, 0x67, 0x68, 0xC1, 0x50, 0x14, 0xCC, 0xFA, 0x17, 0xDF, 0x8C, 0xB8, 0xF5, 0x7E, 0x72,
0xA7, 0x02, 0xF3, 0x34, 0x04, 0x52, 0xF1, 0x00, 0x08, 0x13, 0x10, 0xD1, 0x05, 0xEB, 0x6A, 0x8F,
0xCE, 0x66, 0xC5, 0x59, 0x82, 0xB0, 0x99, 0x61, 0x41, 0xB3, 0x1A, 0x0D, 0x82, 0x47, 0xAD, 0x56,
0x8C, 0x26, 0xB5, 0xA4, 0xC8, 0x00, 0x00, 0x00, 0x41, 0xEC, 0x9B, 0x52, 0x1F, 0x57, 0x81, 0xE1,
0xAE, 0xB3, 0x36, 0x23, 0x6F, 0x50, 0xBB, 0x74, 0x0F, 0xC0, 0x3A, 0xE2, 0xC7, 0xEA, 0x46, 0xBE,
0xE3, 0x71, 0x45, 0xBF, 0x9E, 0xDE, 0x07, 0x00, 0x00, 0x00, 0x21, 0x10, 0x42, 0x20, 0x63, 0x30,
0x84, 0x40, 0xA5, 0x50, 0xC6, 0x60, 0xE7, 0x70, 0x08, 0x81, 0x29, 0x91, 0x4A, 0xA1, 0x6B, 0xB1,
0x8C, 0xC1, 0xAD, 0xD1, 0xCE, 0xE1, 0xEF, 0xF1, 0x31, 0x12, 0x10, 0x02, 0x73, 0x32, 0x52, 0x22,
0xB5, 0x52, 0x94, 0x42, 0xF7, 0x72, 0xD6, 0x62, 0x39, 0x93, 0x18, 0x83, 0x7B, 0xB3, 0x5A, 0xA3,
0xBD, 0xD3, 0x9C, 0xC3, 0xFF, 0xF3, 0xDE, 0xE3, 0x62, 0x24, 0x43, 0x34, 0x20, 0x04, 0x01, 0x14,
0xE6, 0x64, 0xC7, 0x74, 0xA4, 0x44, 0x85, 0x54, 0x6A, 0xA5, 0x4B, 0xB5, 0x28, 0x85, 0x09, 0x95,
0xEE, 0xE5, 0xCF, 0xF5, 0xAC, 0xC5, 0x8D, 0xD5, 0x53, 0x36, 0x72, 0x26, 0x11, 0x16, 0x30, 0x06,
0xD7, 0x76, 0xF6, 0x66, 0x95, 0x56, 0xB4, 0x46, 0x5B, 0xB7, 0x7A, 0xA7, 0x19, 0x97, 0x38, 0x87,
0xDF, 0xF7, 0xFE, 0xE7, 0x9D, 0xD7, 0xBC, 0xC7, 0xC4, 0x48, 0xE5, 0x58, 0x86, 0x68, 0xA7, 0x78,
0x40, 0x08, 0x61, 0x18, 0x02, 0x28, 0x23, 0x38, 0xCC, 0xC9, 0xED, 0xD9, 0x8E, 0xE9, 0xAF, 0xF9,
0x48, 0x89, 0x69, 0x99, 0x0A, 0xA9, 0x2B, 0xB9, 0xF5, 0x5A, 0xD4, 0x4A, 0xB7, 0x7A, 0x96, 0x6A,
0x71, 0x1A, 0x50, 0x0A, 0x33, 0x3A, 0x12, 0x2A, 0xFD, 0xDB, 0xDC, 0xCB, 0xBF, 0xFB, 0x9E, 0xEB,
0x79, 0x9B, 0x58, 0x8B, 0x3B, 0xBB, 0x1A, 0xAB, 0xA6, 0x6C, 0x87, 0x7C, 0xE4, 0x4C, 0xC5, 0x5C,
0x22, 0x2C, 0x03, 0x3C, 0x60, 0x0C, 0x41, 0x1C, 0xAE, 0xED, 0x8F, 0xFD, 0xEC, 0xCD, 0xCD, 0xDD,
0x2A, 0xAD, 0x0B, 0xBD, 0x68, 0x8D, 0x49, 0x9D, 0x97, 0x7E, 0xB6, 0x6E, 0xD5, 0x5E, 0xF4, 0x4E,
0x13, 0x3E, 0x32, 0x2E, 0x51, 0x1E, 0x70, 0x0E, 0x9F, 0xFF, 0xBE, 0xEF, 0xDD, 0xDF, 0xFC, 0xCF,
0x1B, 0xBF, 0x3A, 0xAF, 0x59, 0x9F, 0x78, 0x8F, 0x88, 0x91, 0xA9, 0x81, 0xCA, 0xB1, 0xEB, 0xA1,
0x0C, 0xD1, 0x2D, 0xC1, 0x4E, 0xF1, 0x6F, 0xE1, 0x80, 0x10, 0xA1, 0x00, 0xC2, 0x30, 0xE3, 0x20,
0x04, 0x50, 0x25, 0x40, 0x46, 0x70, 0x67, 0x60, 0xB9, 0x83, 0x98, 0x93, 0xFB, 0xA3, 0xDA, 0xB3,
0x3D, 0xC3, 0x1C, 0xD3, 0x7F, 0xE3, 0x5E, 0xF3, 0xB1, 0x02, 0x90, 0x12, 0xF3, 0x22, 0xD2, 0x32,
0x35, 0x42, 0x14, 0x52, 0x77, 0x62, 0x56, 0x72, 0xEA, 0xB5, 0xCB, 0xA5, 0xA8, 0x95, 0x89, 0x85,
0x6E, 0xF5, 0x4F, 0xE5, 0x2C, 0xD5, 0x0D, 0xC5, 0xE2, 0x34, 0xC3, 0x24, 0xA0, 0x14, 0x81, 0x04,
0x66, 0x74, 0x47, 0x64, 0x24, 0x54, 0x05, 0x44, 0xDB, 0xA7, 0xFA, 0xB7, 0x99, 0x87, 0xB8, 0x97,
0x5F, 0xE7, 0x7E, 0xF7, 0x1D, 0xC7, 0x3C, 0xD7, 0xD3, 0x26, 0xF2, 0x36, 0x91, 0x06, 0xB0, 0x16,
0x57, 0x66, 0x76, 0x76, 0x15, 0x46, 0x34, 0x56, 0x4C, 0xD9, 0x6D, 0xC9, 0x0E, 0xF9, 0x2F, 0xE9,
0xC8, 0x99, 0xE9, 0x89, 0x8A, 0xB9, 0xAB, 0xA9, 0x44, 0x58, 0x65, 0x48, 0x06, 0x78, 0x27, 0x68,
0xC0, 0x18, 0xE1, 0x08, 0x82, 0x38, 0xA3, 0x28, 0x7D, 0xCB, 0x5C, 0xDB, 0x3F, 0xEB, 0x1E, 0xFB,
0xF9, 0x8B, 0xD8, 0x9B, 0xBB, 0xAB, 0x9A, 0xBB, 0x75, 0x4A, 0x54, 0x5A, 0x37, 0x6A, 0x16, 0x7A,
0xF1, 0x0A, 0xD0, 0x1A, 0xB3, 0x2A, 0x92, 0x3A, 0x2E, 0xFD, 0x0F, 0xED, 0x6C, 0xDD, 0x4D, 0xCD,
0xAA, 0xBD, 0x8B, 0xAD, 0xE8, 0x9D, 0xC9, 0x8D, 0x26, 0x7C, 0x07, 0x6C, 0x64, 0x5C, 0x45, 0x4C,
0xA2, 0x3C, 0x83, 0x2C, 0xE0, 0x1C, 0xC1, 0x0C, 0x1F, 0xEF, 0x3E, 0xFF, 0x5D, 0xCF, 0x7C, 0xDF,
0x9B, 0xAF, 0xBA, 0xBF, 0xD9, 0x8F, 0xF8, 0x9F, 0x17, 0x6E, 0x36, 0x7E, 0x55, 0x4E, 0x74, 0x5E,
0x93, 0x2E, 0xB2, 0x3E, 0xD1, 0x0E, 0xF0, 0x1E
};
/* Six views into the blob, one per counter; the lengths are the wrap limits
 * used in decrypt() below. */
static unsigned char * g_decrypt_table1 = &g_decrypt_table[0x0];  /* 11 bytes */
static unsigned char * g_decrypt_table2 = &g_decrypt_table[0xC];  /* 13 bytes */
static unsigned char * g_decrypt_table3 = &g_decrypt_table[0x1C]; /* 17 bytes */
static unsigned char * g_decrypt_table4 = &g_decrypt_table[0x30]; /* 23 bytes */
static unsigned char * g_decrypt_table5 = &g_decrypt_table[0x48]; /* 29 bytes */
static unsigned char * g_decrypt_table6 = &g_decrypt_table[0x68]; /* 31 bytes */
/* High 32 bits of the 64-bit product x * y, i.e. what the x86 MUL leaves in
 * EDX.  The original used MSVC inline asm (mov eax,x / mul ecx / mov z,edx);
 * the portable form below computes the same value on any compiler. */
static unsigned int get_mul_high_uint(unsigned int x, unsigned int y)
{
    return (unsigned int)(((unsigned long long)x * y) >> 32);
}
/* xkey is the dword at offset 0x0C of the module record header.  The six
 * blocks before the loop are the compiler's magic-number divisions, so
 * c1..c6 start out as xkey mod 11, 13, 17, 23, 29 and 31: the initial
 * index into each sub-table.  Each keystream byte is the XOR of the six
 * table bytes, and every index wraps at its own table length. */
void decrypt(unsigned char * buffer, int length, unsigned int xkey)
{
    unsigned int m, n;
    int i;
    unsigned char c1, c2, c3, c4, c5, c6, c, cc;

    // 4079BA: n = xkey / 11
    n = get_mul_high_uint(xkey, 0xBA2E8BA3);
    n >>= 3;
    c1 = (unsigned char)(xkey - n * 0x0B);   // xkey % 11
    // 4079CE: n = xkey / 13
    n = get_mul_high_uint(xkey, 0x4EC4EC4F);
    n >>= 2;
    c2 = (unsigned char)(xkey - n * 0x0D);   // xkey % 13
    // 4079E6: n = xkey / 17
    n = get_mul_high_uint(xkey, 0xF0F0F0F1);
    n >>= 4;
    c3 = (unsigned char)(xkey - n * 0x11);   // xkey % 17
    // 4079FE: n = xkey / 23
    n = get_mul_high_uint(xkey, 0xB21642C9);
    n >>= 4;
    c4 = (unsigned char)(xkey - n * 0x17);   // xkey % 23
    // 407A16: n = xkey / 29
    n = get_mul_high_uint(xkey, 0x8D3DCB09);
    n >>= 4;
    c5 = (unsigned char)(xkey - n * 0x1D);   // xkey % 29
    // 407A2E: n = xkey / 31 (two-step form: the 33-bit magic number does not fit a register)
    m = get_mul_high_uint(xkey, 0x8421085);
    n = xkey - m;
    n >>= 1;
    n += m;
    n >>= 4;
    c6 = (unsigned char)(xkey - n * 0x1F);   // xkey % 31
    // 407A46
    if (length <= 0)
        return;
    for (i = 0; i < length; i++) {
        // 407A51: keystream byte from tables 6..3
        c = g_decrypt_table6[c6]
          ^ g_decrypt_table5[c5]
          ^ g_decrypt_table4[c4]
          ^ g_decrypt_table3[c3];
        // 407A90: fold in tables 2 and 1, then XOR into the data
        cc = c ^ g_decrypt_table2[c2] ^ g_decrypt_table1[c1];
        buffer[i] ^= cc;
        // 407AA4 .. 407AFF: advance every index, wrapping at its table length
        // (the binary does this as c += 0xF5, 0xF3, ..., i.e. subtracts the length)
        if (++c1 >= 0x0B) c1 = 0;
        if (++c2 >= 0x0D) c2 = 0;
        if (++c3 >= 0x11) c3 = 0;
        if (++c4 >= 0x17) c4 = 0;
        if (++c5 >= 0x1D) c5 = 0;
        if (++c6 >= 0x1F) c6 = 0;
    }
}
February 6th, 2010 on 02:59
That’s the spirit!
March 2nd, 2010 on 08:42
ESET NOD32 is without a doubt my favourite AV product at the moment. I can’t believe how light the footprint is. You wouldn’t even know it was running if the icon wasn’t in the sys tray.
April 22nd, 2010 on 06:28
ESET is by far the best solution available at present, and they are doing some great deals at the moment.