Wednesday, October 29, 2008

Real AV ?!?

Hmmm.. Real Antivirus? Or just another rogue AV...

Wednesday, October 22, 2008

quick check of trojan's downloaded file

Some bots and trojans use simple encryption to download other components. When you trace malware, you might see a URL being downloaded, but when you manually fetch it, it's nothing but gibberish data. First they download a relatively small file, say ff.rar, from a malicious web hosting site. The file is not actually a RAR archive but contains data that looks encrypted. But when you decrypt it, the file may contain the actual link of the malicious file or component to be downloaded by the malware.

Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL

Your instinct will tell you that this could be the download URL, and that it must be using http.
At offsets 0x23 and 0x24 are the same bytes (5D), which could decrypt to the 'tt' of 'http'.
Hmm.. applying simple math, 5d ^ X = 74 (74 is the hex value for 't'), so X = 29. Now let's try to decrypt it using that value as the key.

Using hiew, you can quickly decrypt the bytes using the value X=29 as the key:
1. Open the file in hiew, hex mode. Position the cursor at offset 0.
2. Press F3 (edit), then F8 (XOR). Put 29 hex as the XOR mask. Enter.
3. Pressing F8 will decrypt it, similar to the output below:

00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe

Now you have the actual link of the malware, and you can manually wget it from the link hXXp://asd6u.com/jj/ff.exe
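The same key derivation and decryption in script form, as an added example that is not part of the original post. It reproduces the post's arithmetic (5d ^ X = 74) on a constructed buffer that copies the blob's layout (the 10-byte header and the run of 00 bytes are the post's values; the URL domain is a placeholder invented here), then generalises the guess by brute-forcing all 256 single-byte keys against the known plaintext "http://".

```python
import re
from typing import Optional

KEY = 0x29  # the single-byte XOR key the post derives from 5d ^ X = 74 ('t')

# Constructed sample, not the ff.rar bytes from the post. It mirrors the post's
# layout (10-byte header, 24 bytes that decode to 0x29, then the download URL),
# but the domain is a placeholder invented for this example.
_PLAIN = (bytes.fromhex("0033481c4a4d4c5d0748") + b"\x29" * 24
          + b"http://malicious.example/jj/ff.exe")
SAMPLE = bytes(b ^ KEY for b in _PLAIN)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask: the same operation as hiew's F8 (XOR)."""
    return bytes(b ^ key for b in data)


def solve_key(cipher_byte: int, plain_byte: int) -> int:
    """The post's arithmetic: if cipher ^ key == plain then key == cipher ^ plain."""
    return cipher_byte ^ plain_byte


def recover_key(data: bytes, marker: bytes = b"http://") -> Optional[int]:
    """Generalise the manual guess: try all 256 keys, keep the one whose output
    contains the expected marker, or None if no key fits. A frequency heuristic
    ("most common byte is the key") is deliberately not used: in the post's blob
    the long 00 run decodes to 0x29, not to nulls, so it would suggest key 0x00."""
    for key in range(256):
        if marker in xor_decode(data, key):
            return key
    return None


def extract_url(decoded: bytes) -> Optional[str]:
    """Return the first URL-looking run of printable bytes, or None."""
    m = re.search(rb"https?://[\x21-\x7e]+", decoded)
    return m.group(0).decode("ascii") if m else None


def defang(url: str) -> str:
    """Write the URL the way the post does (hXXp://) so it is not clickable."""
    return re.sub(r"^http", "hXXp", url)


if __name__ == "__main__":
    key = recover_key(SAMPLE)
    direct = solve_key(SAMPLE[0x23], ord("t"))  # the post's 5d ^ 74 check
    print(f"brute-forced key = {key:#04x}, direct check = {direct:#04x}")
    print(defang(extract_url(xor_decode(SAMPLE, key)) or "<no url>"))
```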

Friday, October 17, 2008

Reverse Engineering Links

Gathered from different sources (e.g. my own bookmarks, forums, blogs, etc.):

http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/

Others:
http://www.intel.com/products/processor/manuals/

Tuesday, October 07, 2008

VS2005 compiled exe error

The following error shows when you transfer or copy your VS2005-compiled program to another machine. This is I think

c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

A similar discussion about the SxS (side-by-side) issue can be found here.
Another similar discussion I found at this link.

Anyway, I tried changing settings in my VS2005, which just worked fine, but I'm not sure if it's the correct solution. Here's the settings as screenshots: