1. Post #41
    Dotmister
    May 2008
    898 Posts
    Some stuff about reverse engineering network protocols should be in the OP.

    Wireshark - http://www.wireshark.org/
    Charles (If it's an HTTP/HTTPS API/whatever) - http://www.charlesproxy.com/

  2. Post #42
    Tamschi
    December 2009
    3,608 Posts
    CFF Explorer can edit PE and .NET headers, disassemble x86 (16-bit), x86, x64 and MSIL, realign files, edit signatures and debug info, find dependencies, edit resources and imports, and is also a hex editor.

    I used it to make an ILSpy32.exe that can debug 32-bit-only assemblies on a 64-bit system.

    Edited:

    It's also freeware and can add itself as shell extension for .exe and .dll.

    Edited:

    IDA (the free version) only works properly if you run it as admin at least once.

  3. Post #43
    Map in a box
    July 2009
    7,410 Posts
    SO USEFUL!

  4. Post #44
    Dennab
    January 2012
    270 Posts
    Except searching for anything being far, far slower, and patching being more labor-intensive. Both are completely situational, and what you use depends on what you want to do.
    get a better computer noob

  5. Post #45
    Gold Member
    chonks
    April 2009
    1,138 Posts
    I have an antivirus impostor in the form of an exe if anybody wants to take a look at it. Also, will I get banned for linking to a virus download even if I warn first?

  6. Post #46
    Respected User
    JSharpe
    January 2008
    891 Posts
    If you're interested in reverse engineering software as a hobby try this website: http://crackmes.de/

    It's safe; think of it like the Project Euler of software reverse engineering.

    You basically download other people's programs (full source code included) and each one has a level of difficulty. Your task the majority of the time is to basically crack the software and then patch it; however, some of the harder/more complex ones require more work. There's a range of different languages used and various security techniques put in place.

    If you're up to it you can also post your own software for others to crack, and like Project Euler you can also download other people's solutions to the problems.

  7. Post #47
    Gold Member
    TamTamJam
    December 2008
    5,290 Posts
    I tried.
    Is this just the email and password encrypted? Using bintext.

  8. Post #48
    ..............
    nekosune
    February 2009
    1,827 Posts
    I tried.
    Is this just the email and password encrypted? Using bintext.
    Tried Reflector to see if it is .NET? If so, it becomes a lot easier.

  9. Post #49
    Gold Member
    TamTamJam
    December 2008
    5,290 Posts
    Tried Reflector to see if it is .NET? If so, it becomes a lot easier.
    Yeah it runs in reflector, I don't really know what to do now. I've searched for emails/passwords.

  10. Post #50
    ..............
    nekosune
    February 2009
    1,827 Posts
    Yeah it runs in reflector, I don't really know what to do now. I've searched for emails/passwords.
    In Reflector set the language to Visual Basic, then just follow what the code does; especially look for the class NetworkCredentials being used.

  11. Post #51
    PENISCORP DIRECTOR
    Gran PC
    August 2007
    3,114 Posts
    In Reflector set the language to Visual Basic
    Why not C#?

  12. Post #52
    ..............
    nekosune
    February 2009
    1,827 Posts
    Why not C#?
    The original language for most of these is VB, meaning it has that My. junk and other VB-specific stuff, which looks a lot better when reflected back to VB rather than C#, as in C# you get some weird syntax to do such.

  13. Post #53
    Map in a box
    July 2009
    7,410 Posts
    It's still easier to read in C#

  14. Post #54
    I bought a title for $1.
    sambooo
    March 2011
    3,057 Posts
    The original language for most of these is VB, meaning it has that My. junk and other VB-specific stuff, which looks a lot better when reflected back to VB rather than C#, as in C# you get some weird syntax to do such.
    Doesn't My just translate to this in C# though?

  15. Post #55
    ..............
    nekosune
    February 2009
    1,827 Posts
    It's still easier to read in C#
    Fair enough. I always found it easier to read in the original language myself, but I suppose that's just because I know both VB and C#.

    Edited:

    Doesn't My just translate to this in C# though?
    Not exactly

  16. Post #56
    Gold Member
    Kirth
    July 2009
    429 Posts
    Me translates to this. "My" is just a kiddy wrapper around .NET's namespaces and classes. My.Computer.FileSystem => IO.File. Bet you a candy bar the compiler outputs the same intermediate language in both cases.

  17. Post #57
    Crescent fresh
    Perl
    January 2011
    1,029 Posts
    Does anyone know how to unpack WinLicense?

  18. Post #58
    ..............
    nekosune
    February 2009
    1,827 Posts
    Me translates to this. "My" is just a kiddy wrapper around .NET's namespaces and classes. My.Computer.FileSystem => IO.File. Bet you a candy bar the compiler outputs the same intermediate language in both cases.
    It seems to output a My class into each executable, i.e. each and every exe you make with VB has this extra class added.

  19. Post #59
    Mr.Heal
    January 2012
    128 Posts
    Messing around with a RuneScape one. This guy was semi-intelligent about it. He has two emails: one he uses to send, and the other he gets the user names and passwords in. I got into the sending account and changed everything, but I can't get into the receiving one. I couldn't guess where his mother was born..

    Edit: Right, I checked the "Sent mail" and got a bunch of emails. Sent off a batch email warning everyone about it. It shocks me these people can fall for this.

  20. Post #60
    Se1f_Distruct
    April 2011
    633 Posts
    How do you remove .net reactor? V4 is a PAIN!

  21. Post #61
    Gold Member
    Alternative Account
    February 2009
    261 Posts
    Some stuff about reverse engineering network protocols should be in the OP.

    Wireshark - http://www.wireshark.org/
    Charles (If it's an HTTP/HTTPS API/whatever) - http://www.charlesproxy.com/
    Use http://www.fiddler2.com/fiddler2/ instead if you're using Windows. It's free, and can do most of the things Charles can do.

  22. Post #62
    Austech2
    April 2011
    112 Posts
    This is a pretty good tutorial series for just getting started with reverse engineering and using OllyDbg: http://tuts4you.com/download.php?list.17

  23. Post #63
    Gold Member
    Hugg
    January 2008
    2,346 Posts
    This is a pretty good tutorial series for just getting started with reverse engineering and using OllyDbg: http://tuts4you.com/download.php?list.17
    Thanks, seems to be a good series of tutorials. I have never done reverse engineering before and I managed to reverse the first "assignment" :D

  24. Post #64

    October 2010
    185 Posts
    I know this thread is pretty much dead, but maybe someone will help me with a Project Neptune keylogger. This is the call to decrypt the email and password:
    Code:
    Module1.string_18 = Module1.smethod_20(Module1.smethod_20(Module1.string_18, "Application.StartupPath"), Module1.string_5)
    Module1.string_19 = Module1.smethod_20(Module1.smethod_20(Module1.string_19, "Application.StartupPath"), Module1.string_5)
    smethod_20 is the decryption function. So I understand that it takes the encrypted string, decodes it with the key "Application.StartupPath" and then decrypts the result with a key.
    If I try this procedure with an online Triple DES decoder I just get gibberish, and if I try to make a separate VB project with just the decryption function I get errors.
    http://pastebin.com/7rwsDYZ6
    This is the decryption function, and the error I get is "Type 'Byte' has no constructors".

  25. Post #65
    voodooattack
    October 2009
    1,994 Posts
    The last time I spoke about something I 'reverse engineered' on FP I nearly got banned.
    I don't want to.

  26. Post #66
    Gold Member
    Neo Kabuto
    November 2008
    5,641 Posts
    The last time I spoke about something I 'reverse engineered' on FP I nearly got banned.
    I don't want to.
    Well, I remember there was a thread about keylogger whaling that didn't end in any bannings a while back, so I'm assuming that at least is alright to do.

  27. Post #67
    TVC

    April 2010
    300 Posts
    Add this for C#, it was created after Reflector went commercial: http://www.jetbrains.com/decompiler/

  28. Post #68
    Gold Member
    ruarai
    December 2009
    1,386 Posts
    Was decompiling Roblox "hacks" and found someone was using their real email to send passwords to. He has Google+ with his real email. Silly Dylan Poski. Also, I managed to get into his Google account by randomly selecting any city over and over.

    Edited:

    Jesus fuck now I know why people care about google taking data. He hasn't turned anything off!

  29. Post #69

    October 2010
    185 Posts
    Any ideas?

  30. Post #70
    Hates php
    high
    May 2006
    2,415 Posts
    Decided to finally set up a VM for debugging some malware. Decided to take a look at that common 'native' one I saw on YouTube which was bothering me. After some debugging I found out the config file is just simple RC4 with an embedded key. The key is only different between the RAT versions. So the config and the TCP connection are both encrypted with a static key that is shared between the RATs.

    So I was wondering the name of the RAT. Nice enough they put it right in the config.

    Code:
    #BEGIN DARKCOMET DATA --
    MUTEX={DC_MUTEX-NVN5HT4}
    SID={EpicBot}
    FWB={0}
    NETDATA={Dopeboi.no-ip.org:82}
    GENCODE={2LHpV4m6fruc}
    INSTALL={1}
    COMBOPATH={2}
    EDTPATH={MSDCSC\\msdcsc.exe}
    KEYNAME={MicroUpdate}
    EDTDATE={16/04/2007}
    PERSINST={1}
    MELT={0}
    CHANGEDATE={0}
    DIRATTRIB={6}
    FILEATTRIB={6}
    OFFLINEK={1}
    #EOF DARKCOMET DATA --
    Some of the stream which I got off Anubis. I don't have a proper VM setup yet to monitor more.

    Code:
    Recv: BF7CAB464EFB
    Recv: IDTYPE
    
    SENT: A57DAD495BEC
    SENT: SERVER
    
    RECV: B15D8B4C57F0BE8B06F81828F1C13103C7F43F8AFAFA23123A4BDB4B6B
    RECV: GetSIN192.35.222.150|77150216
    
    SENT: 9F5699707BCDCAC25DB56972AB8F3208DBEB398FA8FF2611214ADC4A7DECFB995E122E4DA9ECB6E057FC4F034E0DAAB90FFC2E96FFDEB457FDCEE1F410F53CB9597E092DEBB4CFD45723898FF3E2C89B7103A93D9943A0CF633CAD924640750185706EB7893CB449E2DE7F4E8FA3508A8CF6977E2F45A423A90037A8E28E1C66161E162E9A47E6845F57622AC7CBA5D40F600E7B2A1653712B1DD85FB336DBFF8268A3189359B5BF64DD9202A27BF52BD7119A6FFFBFB3D9E455D138C130E3798DF51244259837648380EB5FE4C6D00C9B8FFF1DF0842E6FC9E31AFEC22EE0CE44ABE671273210DFF61436713EA0BF8A5A0005E4E361806E35598AE8458A64DC8C9400A6B4DB51DC32FFC0CB56E11BFBDDD9D3BDEB43AD19CC2A1289
    SENT: infoesEpicBot|192.35.222.150 / [192.168.0.2] : 82|pc9 / Administrator|77150216|67s|Windows XP Service Pack 3 [2600] 32 bit ( C:\ )|x||AT|C:\Program Files\Common Files\exec.exe|{72ea41102604-fa90-fb75-190d2fdbc934-2435281929}|80%|German (Austria) AT /  -- |02.03.2011 at 15:30:13|5.2.0
    
    RECV: B27DAC544AF6C2F00DE11961EEC3334DDFF1
    RECV: DESKTHMB972|100|64
    
    RECONNECT
    
    RECV: BF7CAB464EFB
    RECV: IDTYPE
    
    SENT: A270AA525C87B880
    SENT: THUMB972
    
    SENDS IMG
    With how common DarkComet is, it makes me want to make an emulator to fuck with people that use it.

    Anyways, here is how you can tell if it's DarkComet.

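The capture above shows two things worth checking rather than taking on faith: each line of the stream is a hex-encoded RC4 ciphertext followed by its plaintext, and the IDTYPE greeting encrypts to the same bytes before and after the RECONNECT, so the keystream restarts from the same static key for every message. The added example below (not code from the post or from DarkComet; the config key is a placeholder assumption, and the RC4 and KEY={value} parser are written here) implements RC4 as the post identifies it, parses the config block, and then XORs the quoted plaintext/ciphertext pairs together. Because every message reuses the same keystream, the pairs agree byte for byte and the recovered prefix decrypts the other messages of the same stream (THUMB972, DESKTHMB972|100|64) without ever knowing the key.

```python
# Added example (not from the original post or from DarkComet): RC4 as the
# post identifies it, a parser for the KEY={value} config block, and
# keystream recovery from the known-plaintext pairs in the quoted capture.
# CONFIG_KEY is a constructed placeholder, not a real DarkComet key.
from typing import Dict, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> Dict[str, str]:
    """Parse the '#BEGIN ... #EOF' block of KEY={value} lines into a dict."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # marker lines and blanks
        key, sep, rest = line.partition("=")
        if sep and rest.startswith("{") and rest.endswith("}"):
            cfg[key] = rest[1:-1]
    return cfg


# Plaintext/ciphertext pairs copied from the capture quoted in the post.
KNOWN_PAIRS: List[Tuple[str, bytes]] = [
    ("BF7CAB464EFB", b"IDTYPE"),
    ("A57DAD495BEC", b"SERVER"),
    ("B15D8B4C57F0BE8B06F81828F1C13103C7F43F8AFAFA23123A4BDB4B6B",
     b"GetSIN192.35.222.150|77150216"),
]


def recover_keystream(pairs: List[Tuple[str, bytes]]) -> bytes:
    """XOR each ciphertext with its plaintext. With the keystream restarted
    per message every pair must agree on the overlapping bytes; a mismatch
    means the stream is not simply reused and this shortcut does not apply."""
    ks = bytearray()
    for hex_ct, pt in pairs:
        ct = bytes.fromhex(hex_ct)
        if len(ct) != len(pt):
            raise ValueError(f"length mismatch for {pt!r}")
        for n, (c, p) in enumerate(zip(ct, pt)):
            k = c ^ p
            if n < len(ks):
                if ks[n] != k:
                    raise ValueError(f"keystream differs at byte {n}")
            else:
                ks.append(k)
    return bytes(ks)


def decrypt_with_keystream(hex_ct: str, ks: bytes) -> bytes:
    """Decrypt another message of the same stream using only the recovered
    keystream prefix (no key needed); refuse if the prefix is too short."""
    ct = bytes.fromhex(hex_ct)
    if len(ct) > len(ks):
        raise ValueError(f"only {len(ks)} keystream bytes known")
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed config in the format quoted in the post (values taken from
# the post, key is a placeholder assumption).
CONFIG_KEY = b"placeholder-static-key"
CONFIG_TEXT = """#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-NVN5HT4}
SID={EpicBot}
NETDATA={Dopeboi.no-ip.org:82}
GENCODE={2LHpV4m6fruc}
#EOF DARKCOMET DATA --
"""


def roundtrip_config() -> Dict[str, str]:
    """Store the config the way the sample does (RC4 under one embedded
    key), then decrypt and parse it back."""
    blob = rc4(CONFIG_KEY, CONFIG_TEXT.encode())
    return parse_config(rc4(CONFIG_KEY, blob).decode())


def keystream_is_plaintext_independent(key: bytes, n: int) -> bool:
    """RC4 keystream does not depend on the data, so the XOR of two
    ciphertexts under one key equals the XOR of their plaintexts."""
    a, b = b"A" * n, b"B" * n
    xa, xb = rc4(key, a), rc4(key, b)
    return bytes(x ^ y for x, y in zip(xa, xb)) == bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PAIRS)
    print("keystream prefix:", ks.hex())
    print(decrypt_with_keystream("A270AA525C87B880", ks))
    print(decrypt_with_keystream("B27DAC544AF6C2F00DE11961EEC3334DDFF1", ks))
    print(roundtrip_config())
```

The longer "infoes" line in the capture would extend the recoverable prefix much further if its bytes are pasted exactly; the three short pairs are enough to show the point. For detection, the same property means a sensor can match the first bytes of any DarkComet greeting without decrypting anything, which is exactly what "how you can tell if it's DarkComet" comes down to.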

  31. Post #71
    Gold Member
    ruarai
    December 2009
    1,386 Posts
    Any ideas?
    Have you tried the easy "put it into a console application" technique?

    Edited:

    Actually, you might have to find all those individual strings before you can, and where the application starts.

  32. Post #72
    Dog
    What's worse than biting into an apple and finding a dick?
    Dog
    March 2011
    3,770 Posts
    Some skiddy gave me a stealer saying it was a botnet.

    http://www.mediafire.com/?6n024y7stnjkmi0 Have fun.

    Open in sandboxie obviously.

  33. Post #73
    Gold Member
    ruarai
    December 2009
    1,386 Posts
    Botnet in the form of an exe. Interesting.

    Edited:

    Here's an Anubis report about it: http://anubis.iseclab.org/?action=re...2e&format=html

    Can't see where it contacts him about all the stuff it steals, but hey, free for the taking if someone finds it.

  34. Post #74
    Crescent fresh
    Perl
    January 2011
    1,029 Posts
    Some skiddy gave me a stealer saying it was a botnet.

    http://www.mediafire.com/?6n024y7stnjkmi0 Have fun.

    Open in sandboxie obviously.
    I bet it's the guy in your title.

  35. Post #75
    boy i sure do love it when my title doesnt fit
    LuaChobo
    December 2009
    6,495 Posts
    I bet it's the guy in your title.
    It's the guy that has been convincing people to DDoS facepunch recently

  36. Post #76
    Se1f_Distruct
    April 2011
    633 Posts
    Botnet in the form of an exe. Interesting.

    Edited:

    Here's an Anubis report about it: http://anubis.iseclab.org/?action=re...2e&format=html

    Can't see where it contacts him about all the stuff it steals, but hey, free for the taking if someone finds it.
    It uploads accounts to a password protected php panel somewhere. It's probably iStealer.

  37. Post #77
    Gold Member
    ruarai
    December 2009
    1,386 Posts
    Oldish bump, but does anyone know of a better de-obfuscator than de4dot?
    Most obfuscators aren't being recognised any more, and de4dot hasn't been updated in a long time.