Forums: A Question About Radmin. - Forums

A Question About Radmin.

#1 User is offline   THoRaX 

  • Private First Class
  • Group: Members
  • Posts: 141
  • Joined: 16-January 04

Posted 04 April 2005 - 09:26 PM

Hi guys,

I have a question about Remote Administrator. I was hex editing the exe file, mainly because AV detects it, and on a full system scan my AV deletes it. And I was wondering where it "calls" the AdmDll.dll file. I can't seem to find that anywhere in there. I tried several things already...
AdmDll (duh :P )
A.d.m.D.l.l (dots are "00" in hex)
A.D.M.D.L.L (dots are "00" in hex)
and of course I just looked at the hex data to see if I can find it somewhere..
but these things didn't give me results.. so where does the main exe file load that DLL?

Thanks in advance for the help.

THoRaX
0

#2 User is offline   temptation 

  • Private First Class
  • Group: Members
  • Posts: 80
  • Joined: 30-November 03

Posted 04 April 2005 - 11:16 PM

mhhh

I checked it with
-hiew
-winhex
-windasm (quits) probably protected
-Borg Disassembler, but nothing found ...

Well, I suspect that the DLL filename is crypted ...

I found something interesting ....

Quote

1000:01413198 43                  db    43h    ;'C'
1000:01413199 61                  db    61h    ;'a'
1000:0141319a 6e                  db    6eh    ;'n'
1000:0141319b 27                  db    27h    ;'''
1000:0141319c 74                  db    74h    ;'t'
1000:0141319d 20                  db    20h    ;' '
1000:0141319e 6c                  db    6ch    ;'l'
1000:0141319f 6f                  db    6fh    ;'o'
1000:014131a0 61                  db    61h    ;'a'
1000:014131a1 64                  db    64h    ;'d'
1000:014131a2 20                  db    20h    ;' '
1000:014131a3 6c                  db    6ch    ;'l'
1000:014131a4 69                  db    69h    ;'i'
1000:014131a5 62                  db    62h    ;'b'
1000:014131a6 72                  db    72h    ;'r'
1000:014131a7 61                  db    61h    ;'a'
1000:014131a8 72                  db    72h    ;'r'
1000:014131a9 79                  db    79h    ;'y'
<---------------SNIPPED--------------------------->
1000:014131ea 00                  db    00h
1000:014131eb 00                  db    00h
1000:014131ec 72                  db    72h    ;'r'
1000:014131ed 65                  db    65h    ;'e'
1000:014131ee 73                  db    73h    ;'s'
1000:014131ef 00                  db    00h
1000:014131f0 74                  db    74h    ;'t'
1000:014131f1 72                  db    72h    ;'r'
1000:014131f2 79                  db    79h    ;'y'
1000:014131f3 20                  db    20h    ;' '
1000:014131f4 74                  db    74h    ;'t'
1000:014131f5 6f                  db    6fh    ;'o'
1000:014131f6 20                  db    20h    ;' '
1000:014131f7 68                  db    68h    ;'h'
1000:014131f8 61                  db    61h    ;'a'
1000:014131f9 63                  db    63h    ;'c'
1000:014131fa 6b                  db    6bh    ;'k'


Maybe this helps ?!?
0

#3 User is offline   [eXPhase 

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 27-February 04

Posted 05 April 2005 - 04:00 AM

I also tried to hexedit radmin a couple of times. Someone here stated that the RAdmin executable is packed with an unknown packer or something. If anyone succeeds with editing, I'd like to know.
0

#4 User is offline   THoRaX 

  • Private First Class
  • Group: Members
  • Posts: 141
  • Joined: 16-January 04

Posted 05 April 2005 - 05:25 AM

@temptation

I saw that weird line too, yes.
I suppose that line cannot be decrypted? (the one where it calls for AdmDll.dll)
If anyone finds something which is able to decrypt the encryption, please say so here or send me a PM or something.

Thanks for the replies guys.
0

#5 User is offline   satknis 

  • Corporal
  • Group: Members
  • Posts: 162
  • Joined: 18-March 04

Posted 05 April 2005 - 11:42 AM

If radmin is modified it won't start, or?
Tell me how you did that, pls.
0

#6 User is offline   THoRaX 

  • Private First Class
  • Group: Members
  • Posts: 141
  • Joined: 16-January 04

Posted 05 April 2005 - 12:31 PM

satknis, on Apr 5 2005, 07:42 PM, said:

If radmin is modified it won't start, or?
Tell me how you did that, pls.


Well, I modified some things in it, just by hex editing. A hex editor like Hex Workshop or UltraEdit will do fine for that. Works fine.
0

#7 User is offline   Terminal 

  • Master Sergeant
  • Group: Specialist
  • Posts: 536
  • Joined: 21-February 04

Posted 05 April 2005 - 08:43 PM

Why do you need admdll.dll, is it for an old version??
Radmin 2.2 has a raddrv.dll and that is all it needs to run along with config. And Norton/McAfee doesn't detect it ;)
0

#8 User is offline   fox 

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 23-March 04

Posted 24 May 2005 - 02:36 AM

Hi all

So this really interests me, but I'm clueless as to how to use r_admin as you've told.

So can anyone give me some pointers?

ty in advance
0

#9 Guest_Paul_*

  • Group: Guests

Posted 24 May 2005 - 06:43 AM

r_server /?
0

#10 User is offline   Bombers 

  • Private First Class
  • Group: Members
  • Posts: 118
  • Joined: 16-August 03

Posted 24 May 2005 - 11:49 AM

The RAdmin executable is protected by something.... There is no way to hexedit it and I never saw it either....
0

#11 User is offline   illwill 

  • Master Sergeant
  • Group: Members
  • Posts: 540
  • Joined: 28-July 03

Posted 24 May 2005 - 02:47 PM

Old version is detected as a virus because that bastard illwill released a dropper for it called ghost radmin, which AVs picked the original dll and exe as a virus, oops :D
0

#12 User is offline   Lanstat 

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 11-February 05

Posted 25 May 2005 - 02:59 AM

illwill, on May 24 2005, 10:47 PM, said:

Old version is detected as a virus because that bastard illwill released a dropper for it called ghost radmin, which AVs picked the original dll and exe as a virus, oops :D

lol your post makes me laugh. Maybe r_server.exe and the dll are picked up also due to hidden installation by someone using the reg settings through a .bat file. Many legit programs (e.g. servu) are detected by a few AVs whether they are genuine or not.
If I were a developer, I would be frustrated to see my software detected as a virus by some AV <_<
Btw the 2.2 version is somewhat safer than previous ones.
0

#13 User is offline   Zer0_T 

  • Private
  • Group: Members
  • Posts: 2
  • Joined: 20-June 05

Posted 20 June 2005 - 01:39 PM

I guess the people that coded put a good encryption on it, I tried hex-editing too, but most of the code doesn't make any sense.
0

#14 User is offline   seppel18 

  • Private First Class
  • Group: Members
  • Posts: 95
  • Joined: 07-October 03

Posted 10 July 2005 - 01:05 PM

r_server from v2.1 is packed/crypted with NOTHING, it's plain "Microsoft Visual C++ 6.0" output (checked with PEiD).

I didn't try hex editing.

But you can remove Icons,Menus,Tray-Icon (Resources) Nicely with PE-Explorer, it will run!! B)

Will try v2.2 now :P



Man, when will they finally bring v3.0 out?? When Pigs can Fly?
0
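
Posts #3, #10 and #13 guess that the executable is packed or encrypted, while post #14 reports plain Visual C++ output from PEiD. As an added example (not part of any post, and not PEiD's signature matching), a per-section entropy check is one independent way an analyst can test the "packed" guess; the 7.0 bits/byte threshold and the constructed two-section sample are assumptions.

```python
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; rule-of-thumb value assumed for this example

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropy(pe: bytes):
    """Return [(section name, entropy of its raw data)] for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    result = []
    for i in range(n_sections):
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        result.append((label, entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result

def high_entropy_sections(pe: bytes):
    """Names of sections whose raw data looks compressed or encrypted."""
    return [n for n, h in section_entropy(pe) if h >= PACKED_THRESHOLD]

def build_sample() -> bytes:
    """Constructed PE skeleton: one text-like section, one uniform-byte section."""
    plain = b"Can't load library\0" * 32   # readable strings, low entropy
    dense = bytes(range(256)) * 4          # every byte value equally often: 8.0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    base = 0x40 + len(coff) + 2 * 40
    def sec(name, size, ptr):
        return struct.pack("<8sIIII16x", name, size, 0, size, ptr)
    return (bytes(dos) + coff + sec(b".text", len(plain), base)
            + sec(b".blob", len(dense), base + len(plain)) + plain + dense)
```

A file whose code section stays well below the threshold and shows readable strings is consistent with unpacked compiler output; a high-entropy section only suggests compression or encryption and needs confirming by other means.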

#15 User is offline   cduke250 

  • Corporal
  • Group: Members
  • Posts: 195
  • Joined: 13-October 04

Posted 01 August 2005 - 12:04 AM

Maybe you could try booting your windows box with knoppix, and then copy the radmin files and rename them to a new windows folder, or edit them in knoppix.. Maybe there is something in the windows kernel or something that is causing you guys problems. Some sort of lame protection that windows uses to protect certain files. Worth a try. ;)

Keep us all updated! This is interesting stuff!
[0][tombs@cemetary][~](1:420)
$
lynx http://www.askapache.com/
0
