Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Inside of Avp4

Z0mbie

[Back to index] [Comments]

Did you know, that there is some secret stuff inside of AVP4 files?

Yep, this is a list of some internal messages and resources, author names, plugin descriptions, comments, CLSID's, and other shit.

Secret stuff has fixed header of 0x0E bytes length, 'KLsw\x00\x00KLsw\x04\x00\x00\x00', and right after these bytes the compressed and then encrypted stuff is placed. The decrypted (just unXOR'ed -- did you prayed to XOR today?) stuff begins with header of 0x1E bytes length, including some CRC inside, and then some data, compressed with the same method as .AVC bases. Decompressed data contains header, then list of resources itself, and terminates with another CRC (probably CRC32, but who cares).

                            Secret stuff format:

             <----0x0E---->  <----0x1E----> <------ ? ----->
             KLsw00KLsw4000 [hhhhhhhhhhhcrc [hhhxxxxxxxcrc]]
             \fixed header/                 \--compressed--/
                             \-------stupidly XOR'ed-------/

Internal format of the resource list is the following:

length description
0x13 useless header
4 type (int, string, etc.)
n data (length depends on type, may be zero)
4 type
n data
...
4 CRC

So, the following objects are containing this stuff:

Plugin files Program Files\Kaspersky Lab\*.PPL (.rsrc/ovr)
Configuration files Program Files\Kaspersky Lab\*.KLR (plain)
Some libraries Program Files\KAV Shared Files\*.DLL (.rsrc)
Registry settings System Registry, in binary form (HKLM\Software\KasperskyLab\Components\101\Standalone\OptionsPagesState)

Well, rigth after we understood what the injustice kaspersky is going to do, we spent some hours and wrote a little program, called AVP4 Secret Resources Unpacker (AVP4SRU), and unpacked all the found secret stuff just for fun. And now, all the unpacked files have .SRU extension, and are available to dowload here.

greetz to Krukov - brief and to the point. Isnt it hard to code with such 2nd name? X-)

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua