Windows Malicious Software Tool removes 7Loader

Discussion in 'Windows 7' started by ioniancat21, Nov 11, 2009.

  1. nononsence

    nononsence MDL Addicted

    #41 nononsence, Nov 12, 2009
    Last edited by a moderator: Apr 20, 2017
    LOL, MS does not need any help from MDL members to reverse the encryption method; anyone that has had to manually unpack an executable has the skills.

    Code:
    findstr /C:"SLIC" * >out.txt
    
    finds the loader file :)

    Code:
    CWQNH: --set-root= --set-root --ignore-cd --ignore-floppies (cd) --debug --forceful= --mode= Unknown mode selected. 0 = default, 1 = alt, 2 = low mem SLIC
    CWQNH:  - Decrpyting SLIC...
    CWQNH: SLIC Embedded SLIC data is not valid for this version.  - Processing RSDP @ %x...
    CWQNH:  - Found existing SLIC table in XSDT
    CWQNH:  - Found existing SLIC table in RSDT
    CWQNH:  - Skipping; replacing existing SLIC table instead
    CWQNH: No free memory for SLIC. Something went horribly wrong. No modifications will be made. This should never happen here (30). 
    CWQNH:  - Installing SLIC table...
    CWQNH: SLIC table pointer isn't what it should be (RSDT). SLIC table pointer isn't what it should be (XSDT).  - Correcting XSDT...
    CWQNH:  - RSDT SLIC pointer: %x -> %x
    CWQNH:  - XSDT SLIC pointer: %x -> %x
    CWQNH:[--ebx=EBX] [--edx=EDX] [--sdi] [--disable-a20] FILE Load the chain-loader FILE. If --force is specified, then load it forcibly, whether the boot loader signature is present or not. LS:LO specifies the load address other than 0000:7C00. LL specifies the length of the boot image(between 512 and 640K). CS:IP specifies the address where the boot image will gain control. EBX/EDX specifies the EBX/EDX register value when the boot image gets control. Use --sdi if FILE is a System Deployment Image, which is of the Windows XP RAM boot file format. Use --disable-a20 if you wish to turn off A20 when transferring control to the boot image. SL specifies length in bytes at the beginning of the image to be skipped when loading. checkrange checkrange RANGE COMMAND Return true if the return value of COMMAND is in RANGE and false otherwise. checktime checktime min hour dom month dow Check time. Clear the screen cmp cmp FILE1 FILE2 Compare the file FILE1 with the FILE2 and inform the different values if any. color NORMAL [HIGHLIGHT [HELPTEXT [HEADING]]] Change the menu colors. The color NORMAL is used for most lines in the menu, and the color HIGHLIGHT is used to highlight the line where the cursor points. If you omit HIGHLIGHT, then the inverted color of NORMAL is used for the highlighted line. If you omit HELPTEXT and/or HEADING, then NORMAL is used. The format of a color is "FG/BG". FG and BG are symbolic color names. A symbolic color name must be one of these: black, blue, green, cyan, red, magenta, brown, light-gray, dark-gray, light-blue, light-green, light-cyan, light-red, light-magenta, yellow and white. You can prefix "blink-" to FG if you want a blinking foreground color. commandline Enter command-line prompt mode. configfile configfile FILE Load FILE as the configuration file. dd dd if=IF of=OF [bs=BS] [count=C] [skip=IN] [seek=OUT] [buf=ADDR] [buflen=SIZE] Copy file IF to OF. BS is blocksize, default to 512. C is blocks to copy, default is total blocks in IF. 
IN specifies number of blocks to skip when read, default is 0. OUT specifies number of blocks to skip when write, default is 0. Skipped blocks are not touched. Both IF and OF must exist. dd can neither enlarge nor reduce the size of OF, the leftover tail of IF will be discarded. OF cannot be a gzipped file. If IF is a gzipped file, it will be decompressed automatically when copying. dd is dangerous, use at your own risk. To be on the safe side, you should only use dd to write a file in memory. ADDR and SIZE are used for user-defined buffer. debug [on | off | normal | status | INTEGER] Turn on/off or display/set the debug level. default [NUM | `saved' | FILE] Set the default entry to entry number NUM (if not specified, it is 0, the first entry), or to the entry number saved by savedefault if the key word `saved' is specified, or to the entry number previously saved in the specified file FILE. When FILE is specified, all subsequent `savedefault' commands will save default entry numbers into FILE. displaymem Display what GRUB thinks the system address space map of the machine is, including all regions of physical RAM installed. embed embed STAGE1_5 DEVICE Embed the Stage 1.5 STAGE1_5 in the sectors after MBR if DEVICE is a drive, or in the "bootloader" area if DEVICE is a FFS partition. Print the number of sectors which STAGE1_5 occupies if successful. emulateslic emulateslic [--debug] [--forceful] [--mode=X] Installs a new SLIC table or replaces an existing one in memory. Include the --debug switch to view some debugging information. --forceful will skip some safety checks. Use cautiously. --mode=X will set the loader method errnum Return the error number. errorcheck errorcheck [on | off | status] Turn on/off or display the error check mode, or toggle it if no argument. fallback NUM... 
Go into unattended boot mode: if the default boot entry has any errors, instead of waiting for the user to do anything, it immediately starts over using the NUM entry (same numbering as the `default' command). This obviously won't help if the machine was rebooted by a kernel that GRUB loaded. find find [--set-root[=DIR]] [--ignore-floppies] [--ignore-cd] [FILENAME] [CONDITION] Search for the filename FILENAME in all of partitions and print the list of the devices which contain the file and suffice CONDITION. CONDITION is a normal grub command, which return non-zero for TRUE and zero for FALSE. If the option --set-root is used and FILENAME is found on a device, then stop the find immediately and set the device as new root. If the option --ignore-floppies is present, the search will bypass all floppies. And --ignore-cd will skip (cd). foreground foreground RRGGBB Sets the foreground color when in graphics mode.RR is red, GG is green, and BB blue. Numbers must be in hexadecimal. fstest fstest [on | off | status] Turn on/off or display the fstest mode, or toggle it if no argument. geometry geometry [--tune] [--sync] [DRIVE] Print the information for drive DRIVE or the current root device if DRIVE is not specified. If --tune is specified, the geometry will change to the tuned value. If --sync is specified, the C/H/S values in partition table of DRIVE and H/S values in BPB of each primary partition of DRIVE(or BPB of floppy DRIVE) will be updated according to the current geometry of DRIVE in use. gfxmenu gfxmenu FILE Use the graphical menu from FILE. halt halt [--no-apm] Halt your system. If APM is avaiable on it, turn off the power using the APM BIOS, unless you specify the option `--no-apm'. help help [--all] [PATTERN ...] Display helpful information about builtin commands. Not all commands aren't shown without the option `--all'. 
hiddenflag hiddenflag [--set | --clear] [PARTITION] Hide/unhide PARTITION by setting/clearing the "hidden" bit in its partition type code, or report the hidden status. The default partition is the current root device. hiddenmenu Hide PARTITION by setting the "hidden" bit in its partition type code. The default partition is the current root device. initrd FILE [FILE ...] Load an initial ramdisk FILE for a Linux format boot image and set the appropriate parameters in the Linux setup area in memory. For Linux 2.6+ kernels, multiple cpio files can be loaded. install install [--stage2=STAGE2_FILE] [--force-lba] STAGE1 [d] DEVICE
    CWQNH:title Windows with SLIC Loader (pointer) (default)
    CWQNH:title Windows with SLIC Loader (bootmgr)
    CWQNH:title Windows with SLIC Loader (use alternative method)
    CWQNH:title Windows with SLIC Loader (use low memory method)
    CWQNH:title Windows with SLIC Loader (full debug output)
    CWQNH:title Windows with SLIC Loader (more forceful - may crash)
  2. Daz

    Daz MDL Developer / Admin
    Staff Member

    #42 Daz, Nov 12, 2009
    Last edited: Nov 12, 2009
    *sigh*

    Woke up late, walked past my PC only to see a reply that's based off something I'm having to repeat... again.

    I have said multiple times in my own thread that those strings will soon be encrypted the same as the SLIC (random encryption). You keep trying to want to prove some point, but you are not proving anything as you ain't reading what's already been said. What works now won't soon, and then even if you point out the file it doesn't identify that there's a SLIC in that file, nor can you find the SLIC in memory and link it back to the file.

    Just please read a little, I don't like to repeat myself this much and would have thought you would have a good understanding about public safety and SLIC locations in general. The issue here is people provide too much information on how to do something and then before they know it it stops working, then the people to blame are the ones for talking about it. Why do you think I don't talk about my encryption or let anyone else use it? Because it's the only secure way to do it and it keeps the public that bit safer. Anyone trying to poke at it or investigate it just to try and prove a point puts everyone else at risk.
     
  3. nononsence

    nononsence MDL Addicted

    #43 nononsence, Nov 12, 2009
    Last edited by a moderator: Apr 20, 2017
    You said the above, correct?

    Code:
    findstr /C:"SLIC" * 
    
    Found where the SLIC is, CORRECT?
     
  4. Daz

    Daz MDL Developer / Admin
    Staff Member

    #44 Daz, Nov 12, 2009
    Last edited: Nov 12, 2009
    It doesn't find the SLIC, it finds a word. You can't prove that that file does anything; what's to say I create a text file that contains "slic" -- exactly, it's not a 100% sure way to find anything and can result in false positives. Not everyone's setup is the same, so you can't even target it at a specific partition either.

    My point is I told you I'm working on encrypting stuff and I stated in my thread from the get go that I'm going to improve on it more. You just keep pushing for something like you want to prove a point, so if you keep pushing enough and spill some code and if MS use it do you want to be to blame and have people angry at you? I'm sure you don't.

    You just ain't following what I'm saying at all. I say it will become encrypted soon and you won't find "SLIC" or any other key word either, so then what? Try to find something else to prove some point instead? There is no point to be proven, nobody wants it to be. It's like me publishing some code which will find every file modification made to WAT and restoring it just to prove that I think that's a total waste of time if you expect Windows updates to remain fully working.

    I'm just not even going to reply again, I have said it will be encrypted too many times now and you won't be able to find "SLIC" which means your current argument falls flat on its face. I will let the next release do the talking, I don't need to say anything more on this subject.
     
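    Daz's point above is that `findstr /C:"SLIC"` matches a word, not a table. As an added illustration (not code from this thread, from the loader, or from anyone in it), the Python below contrasts that keyword count with a check for a structurally valid ACPI table header (4-byte signature, 32-bit Length, byte checksum summing to zero over the whole table). The sample inputs are constructed here and the OEM fields are placeholders.

```python
import struct

# Constructed sample: a plain text file that merely mentions the word.
# findstr /C:"SLIC" matches it three times, but it holds no ACPI table.
TEXT_FALSE_POSITIVE = b"Notes about the slic debate on the forum. SLIC SLIC SLIC\n"

ACPI_HEADER_LEN = 36  # standard ACPI System Description Table header


def acpi_checksum(table: bytes) -> int:
    """ACPI tables must sum to 0 mod 256 over their full Length."""
    return sum(table) & 0xFF


def build_sample_slic(length: int = 0x176) -> bytes:
    """Build a synthetic, well-formed table with signature 'SLIC':
    36-byte header plus zero payload, checksum byte (offset 9) fixed up.
    OEM IDs are placeholders, not taken from any real firmware."""
    header = struct.pack("<4sIBB6s8sI4sI",
                         b"SLIC", length, 1, 0,
                         b"PLACEH", b"PLACEHLD", 0, b"PLAC", 0)
    body = header + bytes(length - len(header))
    fix = (-sum(body)) & 0xFF
    return body[:9] + bytes([fix]) + body[10:]


def keyword_hits(data: bytes) -> int:
    """What the findstr command effectively does: case-sensitive substring count."""
    return data.count(b"SLIC")


def find_acpi_tables(data: bytes, signature: bytes = b"SLIC") -> list:
    """Offsets of structurally valid ACPI tables with the given signature:
    header fits, Length is plausible and in bounds, checksum is zero."""
    hits = []
    pos = data.find(signature)
    while pos != -1:
        if pos + ACPI_HEADER_LEN <= len(data):
            length = struct.unpack_from("<I", data, pos + 4)[0]
            if ACPI_HEADER_LEN <= length <= 0x10000 and pos + length <= len(data):
                if acpi_checksum(data[pos:pos + length]) == 0:
                    hits.append(pos)
        pos = data.find(signature, pos + 1)
    return hits


if __name__ == "__main__":
    blob = b"junk" * 10 + build_sample_slic() + b"tail"  # constructed container
    print("text: keyword hits", keyword_hits(TEXT_FALSE_POSITIVE),
          "valid tables", find_acpi_tables(TEXT_FALSE_POSITIVE))
    print("blob: keyword hits", keyword_hits(blob),
          "valid tables", find_acpi_tables(blob))
```

The text sample yields three keyword hits and zero valid tables, while the constructed blob yields one of each; a real scan would still need to confirm how a found table is used, which the header alone cannot tell you.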
  5. LaptoniC

    LaptoniC MDL Novice

    Your argument is nonsense. Sorry for the pun. Even a bad reverser like me can decrypt the stuff. If it runs, we can decrypt it. Microsoft is dealing with polymorphic, metamorphic engines and you say they can't decrypt that one. There are bootkits that reside in the MBR, even in BIOS code. AV detects this but not yours? I am not saying that they will ban that loader. Maybe they won't, maybe they don't care. However, you shouldn't be so bold about your statements.
     
  6. Daz

    Daz MDL Developer / Admin
    Staff Member

    @ LaptoniC
    I have said the above, said the encryption is private, people know my executable is in ASM and so it is 10x harder than the others that I can decompile blindfolded. I'm saying why aid MS at all by even talking about it, dropping hints and/or code. It's a bad move that just puts people at risk and people trying to boast that they can try to decrypt stuff need to just stop while they think they are ahead because nobody wants anything.

    Loaders have been working since Vista, mine is now better hidden than the others, so do I think it's a little safer -- yes. Now take patches, people seem to think they will be fine even with Windows updates on, which I think is what really is nonsense. But do I point things out, show code on how to detect and reverse them? No, because it's a d*ck move.
     
  7. HSChronic

    HSChronic MDL Expert

    Yeah, I agree with Daz. 1. Don't talk about how to reverse engineer the f**king things, that is just inviting trouble. 2. I would listen to Daz since he is the engineer of the program and controls the source code.

    Also quit speculating because it does nothing but spread FUD.
     
  8. santoshcoolhere

    santoshcoolhere MDL Member

    Haven't you guys read the licence terms of the Malicious Software Removal Tool? It says that it identifies and removes the crapware from the system. It WILL NOT interfere with the Windows licencing/activation component, nor will any data be collected.
    @ioniancat21
    That problem is not caused by the Malicious Software Removal Tool. But M$ is preventing loaders from working if you try activating Windows with your Internet connected. Be careful. DISCONNECT from the internet.
     
  9. 911medic

    911medic MDL Guru

    This thread has gotten WAYYYYY past funny...it is heading into very sad.....;):rolleyes:

    (as most do these days it seems...)
     
  10. LaptoniC

    LaptoniC MDL Novice

    I don't want to comment anymore. Good luck on your loader.
     
  11. Daz

    Daz MDL Developer / Admin
    Staff Member

    #51 Daz, Nov 12, 2009
    Last edited: Nov 12, 2009
    @ 911medic
    I agree, it's not very on topic anymore and I'm tired of having to repeat stuff I have already said. Hopefully Yen or one of the mods will lock the thread up, it's silly now and stuff like this only spreads FUD as HSChronic rightly said.

    @ LaptoniC
    That is machine code wrapped with a framework around it which could take a long time to dig through. It doesn't decompile like the rest either due to how it's packed up, it's much more secure vs other stuff you may find online.
     
  12. burfadel

    burfadel MDL EXE>MSP/CAB

    #52 burfadel, Nov 12, 2009
    Last edited: Nov 12, 2009
    Hey, if you don't want to use it, just buy the bloody thing already! If you use the argument that his loader, one that he has spent a lot of his own time on developing to help others, is fallible, then the only other alternatives to not buying Windows 7 are either not using it or using a BIOS mod, something that is no less fallible than Daz's loader. Both methods are and will be quite effective for a long time, I'd expect. You may argue that a BIOS mod is 'safe' whereas a loader is not, but at least if the loader fails to install for some reason it's extremely easy to rectify. On the other hand, if a BIOS mod fails, either through a failed ROM write (contradicting but correct terms) or a botched patch process, then you're effectively stuffed. Backup BIOS methods employed by manufacturers are not definitely 100 percent fail proof.

    The easiest way to win your argument is to buy Windows 7 and not use either method!

    And thanks Daz for spending time developing a free tool that benefits others.
     
  13. daz411

    daz411 MDL Novice

    This thread is a little ridiculous if you ask me. It's pretty much arguing what the lottery numbers are going to be for this weekend. We have no idea what MS is going to do. For now the sun is shining, so let's enjoy the loaders, and if the time comes then we'll deal with it.
     
  14. Brandypuff

    Brandypuff MDL Novice

    No problem here

    I just installed the MRT and am still activated.

    DAZ, thanks for all your effort and hard work with this activation stuff.