This is a pretty good tutorial series for just getting started with reverse engineering and using OllyDbg: [url]http://tuts4you.com/download.php?list.17[/url]
[QUOTE=Austech2;35182151]This is a pretty good tutorial series for just getting started with reverse engineering and using OllyDbg: [url]http://tuts4you.com/download.php?list.17[/url][/QUOTE]
Thanks, seems to be a good series of tutorials. I have never done reverse engineering before and I managed to reverse the first "assignment" :D
I know this thread is pretty much dead, but maybe someone will help me with a Project Neptune keylogger. This is the call to decrypt the email and password:
[code]Module1.string_18 = Module1.smethod_20(Module1.smethod_20(Module1.string_18, "Application.StartupPath"), Module1.string_5)
Module1.string_19 = Module1.smethod_20(Module1.smethod_20(Module1.string_19, "Application.StartupPath"), Module1.string_5)
[/code]
smethod_20 is the decryption function. So I understand that it takes the encrypted string, decodes it with the key "Application.StartupPath" and then decrypts the result with a key.
If I try this procedure with an online Triple DES decoder I just get gibberish, and if I try to make a separate VB project with just the decryption function I get errors.
[URL]http://pastebin.com/7rwsDYZ6[/URL]
This is the decryption function and the error I get is "Type 'Byte' has no constructors".
The last time I spoke about something I 'reverse engineered' on FP I nearly got banned.
I don't want to. :tinfoil:
[QUOTE=voodooattack;35785708]The last time I spoke about something I 'reverse engineered' on FP I nearly got banned.
I don't want to. :tinfoil:[/QUOTE]
Well, I remember there was [URL=http://facepunch.com/threads/1166226]a thread about keylogger whaling that didn't end in any bannings[/URL] a while back, so I'm assuming that at least is alright to do.
Add this for C#, it was created after Reflector went commercial: [url]http://www.jetbrains.com/decompiler/[/url]
[QUOTE=demoTron;35785681]I know this thread is pretty much dead, but maybe someone will help me with a Project Neptune keylogger. This is the call to decrypt the email and password:
[code]Module1.string_18 = Module1.smethod_20(Module1.smethod_20(Module1.string_18, "Application.StartupPath"), Module1.string_5)
Module1.string_19 = Module1.smethod_20(Module1.smethod_20(Module1.string_19, "Application.StartupPath"), Module1.string_5)
[/code]
smethod_20 is the decryption function. So I understand that it takes the encrypted string, decodes it with the key "Application.StartupPath" and then decrypts the result with a key.
If I try this procedure with an online Triple DES decoder I just get gibberish, and if I try to make a separate VB project with just the decryption function I get errors.
[URL]http://pastebin.com/7rwsDYZ6[/URL]
This is the decryption function and the error I get is "Type 'Byte' has no constructors".[/QUOTE]
Any ideas ?
Decided to finally set up a VM for debugging some malware. Decided to take a look at that common 'native' one I saw on YouTube which was bothering me. After some debugging I found out the config file is just simple RC4 with an embedded key. The key is only different between RAT versions. So the config and the TCP connection are both encrypted with a static key that is shared between the RATs.
So I was wondering the name of the RAT. Nice enough they put it right in the config.
[code]#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-NVN5HT4}
SID={EpicBot}
FWB={0}
NETDATA={Dopeboi.no-ip.org:82}
GENCODE={2LHpV4m6fruc}
INSTALL={1}
COMBOPATH={2}
EDTPATH={MSDCSC\\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
OFFLINEK={1}
#EOF DARKCOMET DATA --[/code]
Some of the stream which I got off Anubis. I don't have a proper VM set up yet to monitor more.
[code]Recv: BF7CAB464EFB
Recv: IDTYPE
SENT: A57DAD495BEC
SENT: SERVER
RECV: B15D8B4C57F0BE8B06F81828F1C13103C7F43F8AFAFA23123A4BDB4B6B
RECV: GetSIN192.35.222.150|77150216
SENT: infoesEpicBot|192.35.222.150 / [192.168.0.2] : 82|pc9 / Administrator|77150216|67s|Windows XP Service Pack 3 [2600] 32 bit ( C:\ )|x||AT|C:\Program Files\Common Files\exec.exe|{72ea41102604-fa90-fb75-190d2fdbc934-2435281929}|80%|German (Austria) AT / -- |02.03.2011 at 15:30:13|5.2.0
RECV: B27DAC544AF6C2F00DE11961EEC3334DDFF1
RECV: DESKTHMB972|100|64
RECONNECT
RECV: BF7CAB464EFB
RECV: IDTYPE
SENT: A270AA525C87B880
SENT: THUMB972
SENDS IMG
[/code]
With how common darkcomet is, it makes me want to make an emulator to fuck with people that use it.
Anyways, here is how you can tell if it's DarkComet.
[thumb]http://img337.imageshack.us/img337/9671/xanayvaudxlr4.png[/thumb]
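The post above describes the analysis step in words only (RC4 with an embedded key, then a plain-text `KEY={value}` config between `#BEGIN DARKCOMET DATA --` and `#EOF DARKCOMET DATA --` markers). The following is an added example, not code from the thread or from any RAT: it implements textbook RC4, round-trips a config block constructed to mirror the one quoted above, and parses the decrypted text into the fields an analyst would turn into detections (mutex name, C2 host and port, install path). The RC4 key here is a constructed placeholder, since the real per-version key is not given in the thread, and the meaning assigned to `NETDATA`, `EDTPATH` and `KEYNAME` in `extract_iocs` is my reading of the quoted dump, not a documented format.

```python
# Added example (not from the thread): RC4 round-trip plus a parser for the
# "#BEGIN DARKCOMET DATA --" config block quoted in the post above.
# PLACEHOLDER_KEY is constructed; the real embedded key is not in the thread.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


BEGIN = "#BEGIN DARKCOMET DATA --"
END = "#EOF DARKCOMET DATA --"


def parse_config(text: str) -> dict:
    """Parse KEY={value} lines found between the BEGIN/EOF markers."""
    if BEGIN not in text or END not in text:
        raise ValueError("not a DarkComet-style config block")
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    cfg = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]                # strip the {} wrapper
        cfg[key.strip()] = value
    return cfg


def extract_iocs(cfg: dict) -> dict:
    """Pull the fields worth turning into detections (field meanings assumed)."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    return {
        "mutex": cfg.get("MUTEX"),
        "c2_host": host or None,
        "c2_port": int(port) if port.isdigit() else None,
        "install_path": cfg.get("EDTPATH"),
        "startup_entry_name": cfg.get("KEYNAME"),   # assumed meaning
        "campaign_id": cfg.get("SID"),
    }


# Constructed sample mirroring the block quoted in the thread.
SAMPLE_CONFIG = """#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-NVN5HT4}
SID={EpicBot}
FWB={0}
NETDATA={Dopeboi.no-ip.org:82}
GENCODE={2LHpV4m6fruc}
INSTALL={1}
EDTPATH={MSDCSC\\msdcsc.exe}
KEYNAME={MicroUpdate}
PERSINST={1}
#EOF DARKCOMET DATA --
"""

PLACEHOLDER_KEY = b"PLACEHOLDER-RC4-KEY"   # constructed; not a real key


def decrypt_and_parse(blob: bytes, key: bytes = PLACEHOLDER_KEY) -> dict:
    """Decrypt an RC4-encrypted config blob and parse the resulting text."""
    return parse_config(rc4(key, blob).decode("latin-1"))


if __name__ == "__main__":
    encrypted = rc4(PLACEHOLDER_KEY, SAMPLE_CONFIG.encode("latin-1"))
    print(extract_iocs(decrypt_and_parse(encrypted)))
```

Once a sample's key is recovered from the binary, `decrypt_and_parse` turns a captured config into the mutex and host:port values that a host or network rule can match on; the quoted post notes the key is static per RAT version, so one recovered key covers every build from that version.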
Some skiddy gave me a stealer saying it was a botnet.
[url]http://www.mediafire.com/?6n024y7stnjkmi0[/url] Have fun.
Open in sandboxie obviously.
[QUOTE=Dog;37672752]Some skiddy gave me a stealer saying it was a botnet.
[url]http://www.mediafire.com/?6n024y7stnjkmi0[/url] Have fun.
Open in sandboxie obviously.[/QUOTE]
I bet it's the guy in your title.
[QUOTE=ruarai;37673262]A botnet in the form of an exe. Interesting.
[editline]15th September 2012[/editline]
Here's an Anubis report about it: [url]http://anubis.iseclab.org/?action=result&task_id=1f23dc43f9a72c964ed105cb95801532e&format=html[/url]
Can't see where it contacts him about all the stuff it steals, but hey, free for the taking if someone finds it.[/QUOTE]
It uploads accounts to a password protected php panel somewhere. It's probably iStealer.