I'm really more just curious. I've been using IDA on the virus and reading a book about it. I've also been learning more and more about assembly. I'm proud of myself since I changed some JNZs to JZs to help me debug the virus. It's also sparked my curiosity about how exactly EXEs work and how to repair them when they get damaged.
But do you know anywhere where I can learn more about that 'advanced process'? And can Neo or Olly delete entire sections, or do you just change the values?
The process I was talking about is the one you referred to. If you are able to understand (basic) assembly code and edit instructions in order to make an executable behave in another way, then you may be able to patch the executable. I'm also studying assembly code and learned some basic stuff but I'm still a beginner in this field.
First, I'd recommend that you read this article, describing how Virut, another file infector, infects executables. The idea is to inject malicious code somewhere in the executable and then add a jump instruction at the beginning of the file, so when it's executed, the malicious code is executed first. Have a look at this picture, showing on the left a clean executable and on the right an infected one (notice the jump instruction):
So my theory is that if you replace the malicious jump instruction with NOPs, instructions that do nothing, then the executable will start normally, without jumping to the malicious code first. The malicious code will still remain in the file, though inactive.
Additionally, you can go to the jump offset, where the malicious code is, and replace it all with NOPs, but it would be dangerous to overwrite normal instructions.
Now, this is just theoretical; I have no idea what the removal tool did to the files that made them useless, or whether the Tufik infection uses different tactics, etc.
So if you have backups, then I think trying to fix broken files is just a waste of time, unless you are just doing it out of interest!
Additionally, the Neo hex editor can compare two executable files to see their differences, if you are interested in investigating further.
If you want, I'd be happy to send you a copy of an infected file and a clean file to compare it to. I don't know if I should upload an infected file here, though. It's up to you.
As you have backup files, I don't think we should try to fix the infected ones. However, I'd be interested if you could zip and upload an infected and a clean executable file of the same program so I can feed my curiosity.