THoRaX
Hi guys,

I have a question about Remote Administrator. I was hex editing the exe file, mainly because AV detects it, and on a full system scan my AV deletes it. And I was wondering where it "calls" the AdmDll.dll file. I can't seem to find that anywhere in there. I tried several things already...
AdmDll (duh :P)
A.d.m.D.l.l (dots are "00" in hex)
A.D.M.D.L.L (dots are "00" in hex)
and of course I just looked at the hex data to see if I can find it somewhere..
but these things didn't give me results.. so where does the main exe file load that DLL?

Thanks in advance for the help.

THoRaX
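Added example, not code from THoRaX's post or from Radmin: the three patterns above cover plain ASCII and UTF-16LE, but a DLL name can also sit in the file case-folded, or XOR-masked with a single byte and decoded just before the LoadLibrary call, and none of those match a literal hex-editor search. The script below runs all of those searches over one byte image. SAMPLE_IMAGE is constructed here and only stands in for r_server.exe; the 0x5A mask and the upper-case wide copy are assumptions made for the demonstration.

```python
"""Search a raw binary image for a DLL name in the forms a single
hex-editor query misses: case-folded ASCII, UTF-16LE (the 'A.d.m.D.l.l'
pattern with 00 bytes), case-folded UTF-16LE, and single-byte XOR.
Added example for this thread, not code from the original post or from
Radmin; SAMPLE_IMAGE is constructed and only stands in for r_server.exe."""


def find_all(haystack: bytes, needle: bytes):
    """Every offset at which needle occurs in haystack (overlaps allowed)."""
    hits, start = [], 0
    while (pos := haystack.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def locate_dll_name(image: bytes, name: str, xor_keys=range(1, 256)):
    """Return sorted (offset, form) pairs for every representation of name
    found in image. Exact hits are not repeated under the nocase labels."""
    ascii_form = name.encode("ascii")
    wide_form = name.encode("utf-16-le")      # b'A\x00d\x00m\x00D\x00l\x00l\x00...'
    folded = image.lower()                    # folds ASCII letters only, so offsets are unchanged
    found = set()
    for off in find_all(image, ascii_form):
        found.add((off, "ascii"))
    for off in find_all(folded, ascii_form.lower()):
        if image[off:off + len(ascii_form)] != ascii_form:
            found.add((off, "ascii-nocase"))
    for off in find_all(image, wide_form):
        found.add((off, "utf16le"))
    for off in find_all(folded, wide_form.lower()):
        if image[off:off + len(wide_form)] != wide_form:
            found.add((off, "utf16le-nocase"))
    for key in xor_keys:                      # name stored masked with one byte and decoded at runtime
        masked = bytes(b ^ key for b in ascii_form)
        for off in find_all(image, masked):
            found.add((off, f"xor-0x{key:02x}"))
    return sorted(found)


# Constructed stand-in for a binary: a DOS stub, a few error strings of the
# kind a disassembler shows near a failed library load, an upper-case wide
# copy of the DLL name, a copy masked with XOR 0x5A, and one plain DLL name.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"Can't load library\x00res\x00try to hack\x00"
    + "ADMDLL.DLL".encode("utf-16-le") + b"\x00\x00"
    + bytes(b ^ 0x5A for b in b"AdmDll.dll") + b"\x00"
    + b"raddrv.dll\x00"
)

if __name__ == "__main__":
    for off, form in locate_dll_name(SAMPLE_IMAGE, "AdmDll.dll"):
        print(f"{off:#06x}  {form}")
```

A byte scan still cannot follow a name that is assembled from pieces at runtime or pulled out of a resource; for that case the reliable check is a breakpoint on LoadLibraryA/LoadLibraryW (or GetProcAddress) and reading the argument when it fires.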
temptation
mhhh

I checked it with
-hiew
-winhex
-windasm (quits) probably protected
-Borg Disassembler, but nothing found ...

well I suspect that the DLL filename is encrypted ...

I found something interesting ....
QUOTE
1000:01413198 43                  db    43h    ;'C'
1000:01413199 61                  db    61h    ;'a'
1000:0141319a 6e                  db    6eh    ;'n'
1000:0141319b 27                  db    27h    ;'''
1000:0141319c 74                  db    74h    ;'t'
1000:0141319d 20                  db    20h    ;' '
1000:0141319e 6c                  db    6ch    ;'l'
1000:0141319f 6f                  db    6fh    ;'o'
1000:014131a0 61                  db    61h    ;'a'
1000:014131a1 64                  db    64h    ;'d'
1000:014131a2 20                  db    20h    ;' '
1000:014131a3 6c                  db    6ch    ;'l'
1000:014131a4 69                  db    69h    ;'i'
1000:014131a5 62                  db    62h    ;'b'
1000:014131a6 72                  db    72h    ;'r'
1000:014131a7 61                  db    61h    ;'a'
1000:014131a8 72                  db    72h    ;'r'
1000:014131a9 79                  db    79h    ;'y'
<---------------SNIPPED--------------------------->
1000:014131ea 00                  db    00h
1000:014131eb 00                  db    00h
1000:014131ec 72                  db    72h    ;'r'
1000:014131ed 65                  db    65h    ;'e'
1000:014131ee 73                  db    73h    ;'s'
1000:014131ef 00                  db    00h
1000:014131f0 74                  db    74h    ;'t'
1000:014131f1 72                  db    72h    ;'r'
1000:014131f2 79                  db    79h    ;'y'
1000:014131f3 20                  db    20h    ;' '
1000:014131f4 74                  db    74h    ;'t'
1000:014131f5 6f                  db    6fh    ;'o'
1000:014131f6 20                  db    20h    ;' '
1000:014131f7 68                  db    68h    ;'h'
1000:014131f8 61                  db    61h    ;'a'
1000:014131f9 63                  db    63h    ;'c'
1000:014131fa 6b                  db    6bh    ;'k'


maybe this helps ?!?
[eXPhase
I also tried to hex edit Radmin a couple of times. Someone here stated that the RAdmin executable is packed with an unknown packer or something. If anyone succeeds with editing, I'd like to know.
THoRaX
@temptation

I saw that weird line too, yes.
I suppose that line cannot be decrypted? (the one where it calls for AdmDll.dll)
If anyone finds something which is able to decrypt the encryption, please say so here or send me a PM or something.

Thanks for the replies guys.
satknis
If Radmin is modified, it won't start, or will it?
Tell me how you did that, please.
THoRaX
QUOTE(satknis @ Apr 5 2005, 07:42 PM)
If Radmin is modified, it won't start, or will it?
Tell me how you did that, please.

Well, I modified some things in it, just by hex editing. A hex editor like Hex Workshop or UltraEdit will do fine for that. Works fine.
Terminal
Why do you need admdll.dll, is it for the old version?
Radmin 2.2 has a raddrv.dll and that is all it needs to run, along with the config. And Norton/McAfee don't detect it ;)
fox
Hi all

So this really interests me, but I'm clueless as to how to use r_admin as you've told.

So can anyone give me some pointers?

Thanks in advance
Paul
r_server /?
Bombers
The RAdmin executable is protected by something.... There is no way to hex edit it and I never saw it either....
illwill
The old version is detected as a virus because that bastard illwill released a dropper for it called Ghost Radmin, which made AVs pick up the original dll and exe as a virus. Oops :D
Lanstat
QUOTE(illwill @ May 24 2005, 10:47 PM)
The old version is detected as a virus because that bastard illwill released a dropper for it called Ghost Radmin, which made AVs pick up the original dll and exe as a virus. Oops :D

lol, your post makes me laugh. Maybe r_server.exe and the dll are picked up also due to hidden installation by someone using the reg settings through a .bat file. Many legit programs (e.g. Serv-U) are detected by a few AVs whether genuine or not.
If I were a developer, I would be frustrated to see my software detected as a virus by some AV :|
btw, the 2.2 version is somewhat safer than previous ones.
Zer0_T
I guess the people that coded it put good encryption on it. I tried hex editing too, but most of the code doesn't make any sense.
seppel18
r_server from v2.1 is packed/encrypted with NOTHING, it's plain "Microsoft Visual C++ 6.0" output (checked with PEiD).

I didn't try hex editing.

But you can remove icons, menus, the tray icon (resources) nicely with PE Explorer, it will run!! B)

Will try v2.2 now :P

Man, when will they finally bring v3.0 out?? When pigs can fly?
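Added example, not code from seppel18's post, from PEiD or from Radmin: a PEiD "nothing" verdict and the thread's original question of where the DLL name lives can both be checked with a short PE walk. The script lists the DLL names in the import directory (the first place a statically linked AdmDll.dll would appear) and computes the byte entropy of each section, since a packed or encrypted section usually scores above 7 bits per byte while compiler output sits far lower. The PE parsed here is constructed by build_sample_pe() as a stand-in, so the section names, the AdmDll.dll/KERNEL32.dll imports and the noise-filled .packd section are assumptions for the demonstration, not the real r_server.exe layout.

```python
"""Walk a PE's import directory and section table to answer, without PEiD
or a hex editor, which DLL names the loader resolves and whether any
section looks packed (high byte entropy). Added example, not code from
the original posts or from Radmin; build_sample_pe() constructs a minimal
PE32 in memory that stands in for r_server.exe."""
import hashlib
import math
import struct
from collections import Counter
from typing import NamedTuple


class Section(NamedTuple):
    name: str
    va: int        # VirtualAddress: RVA where the section is mapped
    vsize: int     # VirtualSize
    rawptr: int    # PointerToRawData: file offset of the section body
    rawsize: int   # SizeOfRawData

def parse_pe(data: bytes):
    """Return (sections, import_directory_rva) for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dir = opt + (0x60 if magic == 0x10B else 0x70)          # PE32 vs PE32+ layout
    import_rva = struct.unpack_from("<I", data, data_dir + 8)[0]  # DataDirectory[1] = IMPORT
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                            # IMAGE_SECTION_HEADER
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append(Section(name, va, vsize, rawptr, rawsize))
    return sections, import_rva

def rva_to_offset(sections, rva: int) -> int:
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return rva - s.va + s.rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def imported_dlls(data: bytes):
    """DLL names from IMAGE_IMPORT_DESCRIPTOR entries, in table order."""
    sections, import_rva = parse_pe(data)
    if import_rva == 0:
        return []
    names, off = [], rva_to_offset(sections, import_rva)
    while data[off:off + 20] != b"\0" * 20:                      # null descriptor ends the table
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        noff = rva_to_offset(sections, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for empty input, near 8.0 for compressed or encrypted data."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def section_entropy(data: bytes):
    """{section name: entropy}; above 7.0 is the usual 'probably packed' cue."""
    sections, _ = parse_pe(data)
    return {s.name: shannon_entropy(data[s.rawptr:s.rawptr + s.rawsize]) for s in sections}

def build_sample_pe() -> bytes:
    """Constructed PE32: a plain .text importing AdmDll.dll and KERNEL32.dll,
    plus a .packd section filled with chained SHA-256 output as deterministic noise."""
    text = bytearray(0x200)                                       # mapped at RVA 0x1000
    struct.pack_into("<IIIII", text, 0, 0, 0, 0, 0x103C, 0x1100)  # descriptor: AdmDll.dll
    struct.pack_into("<IIIII", text, 20, 0, 0, 0, 0x1047, 0x1110) # descriptor: KERNEL32.dll
    text[0x3C:0x47] = b"AdmDll.dll\0"
    text[0x47:0x54] = b"KERNEL32.dll\0"
    text[0x60:0x60 + 360] = b"\x55\x8b\xec\x83\xec\x10" * 60     # repeated function prologue
    packed, block = b"", b"radmin"
    while len(packed) < 0x200:
        block = hashlib.sha256(block).digest()
        packed += block
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x68, 0x1000, 60)                # DataDirectory[IMPORT]
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".packd", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(text) + packed[:0x200]

if __name__ == "__main__":
    pe = build_sample_pe()
    print("imports:", imported_dlls(pe))
    for name, h in section_entropy(pe).items():
        print(f"{name:8s} entropy={h:.2f}{'  <- probably packed' if h > 7.0 else ''}")
```

If the name is absent from the import list and no section scores high, the string is most likely produced at runtime (decoded or concatenated just before LoadLibrary), which is the situation a disassembler reflects when the only readable strings near the load are error messages.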
cduke250
Maybe you could try booting your Windows box with Knoppix, and then copy the Radmin files and rename them into a new Windows folder, or edit them in Knoppix. Maybe there is something in the Windows kernel or something that is causing you guys problems. Some sort of lame protection that Windows uses to protect certain files. Worth a try. ;)

Keep us all updated! This is interesting stuff!
Invision Power Board © 2001-2005 Invision Power Services, Inc.