• Trying to decrypt VB .Net keyloggers
    408 replies, posted
[code]
// Decompiled loader (obfuscated names kept as ILSpy shows them). The image resource is only a
// container: its raw pixel bytes hold a 4-byte little-endian length followed by the encrypted payload.
Bitmap bitmap = (Bitmap)new ResourceManager("PItRttyRgRT", Assembly.GetExecutingAssembly()).GetObject("GmJxPAjNWpE");
byte[] array = new byte[bitmap.Width * bitmap.Height * 4];   // assumes 32 bits per pixel, no stride padding
Rectangle rect = new Rectangle(0, 0, bitmap.Width, bitmap.Height);
Marshal.Copy(bitmap.LockBits(rect, ImageLockMode.ReadWrite, bitmap.PixelFormat).Scan0, array, 0, array.Length);

// Little-endian 32-bit length prefix: num = array[0] + 256*array[1] + 256^2*array[2] + 256^3*array[3]
int num = 0;
for (int i = 0; i < 4; i++)
{
    int num2 = 1;
    for (int j = 0; j < i; j++)
    {
        num2 *= 256;
    }
    num += num2 * (int)array[i];
}

// Copy the payload that follows the 4-byte prefix
byte[] array2 = new byte[num];
for (int k = 0; k < array2.Length; k++)
{
    array2[k] = array[k + 4];
}

// Two more resources, read back as raw byte[] blobs (key and IV, see the edit below)
byte[] numArray = (byte[])new ResourceManager("PItRttyRgRT", Assembly.GetExecutingAssembly()).GetObject("xfWywXPJMik");
byte[] numArray2 = (byte[])new ResourceManager("PItRttyRgRT", Assembly.GetExecutingAssembly()).GetObject("aJwDGgVeNx");

// Obfuscated helper class: the inner call takes (payload, key, iv), the outer call consumes its result
尺局吉西西杰豆该马艾.艾该勒比尺迪马丝勒马(尺局吉西西杰豆该马艾.艾儿尺维德丝弗杰吉伊(array2, numArray, numArray2));
[/code] And I'm stumped as to what the GetObject function is supposed to parse from the resource file at those keys. ILSpy shows that they are comments of assignment to System.IO.MemoryStream. Edit: Ripping out the resource file and looking at it in a hex editor ain't helping either. Edit: Actually wait, "xfWywXPJMik" seems to be an encryption key and "aJwDGgVeNx" an initialization vector for [url=http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndael%28v=vs.110%29.aspx]Rijndael encryption[/url]
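Added example, not code from the post or from the sample it discusses: the same extraction step redone in Python, so the encrypted payload can be carved out of a dumped pixel buffer without ever executing the loader. Everything in it is constructed or assumed: the sample payload bytes, the 4x4 pixel buffer, and the assumption that the obfuscated decryptor uses .NET's RijndaelManaged defaults (AES block size, CBC, PKCS7). pycryptodome is an optional dependency for the decryption step only; the carving works with the standard library.

```python
"""Reproduce the payload-extraction step of the decompiled loader quoted above.

The loader copies a bitmap's raw pixel bytes, reads a 4-byte little-endian
length, slices out that many bytes, then hands them plus two resource blobs
(key, IV) to a Rijndael decryptor.  This script does the same in Python.
"""
import struct

# Constructed sample: stands in for the encrypted assembly bytes that the
# loader slices out of the pixel buffer.  Not taken from the real sample.
SAMPLE_PAYLOAD = b"constructed-encrypted-assembly-bytes"   # 36 bytes


def build_pixel_buffer(payload: bytes, width: int, height: int) -> bytes:
    """Inverse of the loader: lay out <u32 length><payload> inside a
    width*height*4 byte buffer (32bpp), padding the rest with 0xFF."""
    capacity = width * height * 4
    blob = struct.pack("<I", len(payload)) + payload
    if len(blob) > capacity:
        raise ValueError(f"need {len(blob)} bytes, image holds {capacity}")
    return blob + b"\xff" * (capacity - len(blob))


def extract_payload(pixel_bytes: bytes) -> bytes:
    """Same logic as the C# loops: length = sum(256**i * b[i]) for i in 0..3,
    then payload = bytes [4, 4 + length)."""
    if len(pixel_bytes) < 4:
        raise ValueError("pixel buffer shorter than the 4-byte length prefix")
    (length,) = struct.unpack_from("<I", pixel_bytes, 0)
    available = len(pixel_bytes) - 4
    # The loader has no bounds check; a wrong PixelFormat or a dump that is
    # not in Scan0 order makes it throw IndexOutOfRange.  Fail readably here.
    if length > available:
        raise ValueError(f"declared payload length {length} exceeds the "
                         f"{available} bytes after the prefix")
    return pixel_bytes[4:4 + length]


def check_rijndael_params(key: bytes, iv: bytes) -> str:
    """The two extra resources must fit Rijndael as .NET configures it by
    default (128-bit block): key of 16/24/32 bytes, IV of 16 bytes.
    Returns the cipher name for logging."""
    if len(key) not in (16, 24, 32):
        raise ValueError(f"key is {len(key)} bytes; expected 16, 24 or 32")
    if len(iv) != 16:
        raise ValueError(f"IV is {len(iv)} bytes; expected 16")
    return f"AES-{len(key) * 8}-CBC"


def decrypt_payload(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """Assumption: the decryptor uses RijndaelManaged defaults (CBC, PKCS7).
    Requires pycryptodome, which is not part of the standard library."""
    check_rijndael_params(key, iv)
    try:
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import unpad
    except ImportError as exc:  # keep extraction usable without the dependency
        raise RuntimeError("pip install pycryptodome to decrypt") from exc
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return unpad(cipher.decrypt(ciphertext), AES.block_size)


def is_pe(data: bytes) -> bool:
    """A correctly decrypted .NET assembly is a PE file and starts with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    pixels = build_pixel_buffer(SAMPLE_PAYLOAD, width=4, height=4)   # 64 bytes
    payload = extract_payload(pixels)
    print(len(payload), payload)
```

Feed `extract_payload` the bytes as they sit behind Scan0 (dumped from a debugger at the Marshal.Copy call, or the resource image converted to 32bpp pixel order by an image library), then `decrypt_payload` with the two resource blobs. If the result does not start with MZ, try the same key and IV with other modes or paddings before concluding the cipher is not Rijndael at all.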
What do you guys use to decompile these? Messing with phishing tools sounds like fun
[QUOTE=Exho;46828515]What do you guys use to decompile these? Messing with phishing tools sounds like fun[/QUOTE] You'll have the most luck finding stuff that uses C#/.NET, so the tools to decompile them are ILSpy and Telerik JustDecompile. Sometimes you can find stuff that uses C# as a front-end to run encrypted byte-code (like above), so you won't go far unless you understand assembly and use a disassembler
I decided to try it myself, so I found the channel, and two videos had files in the description, so I downloaded them. [img_thumb]https://dl.dropboxusercontent.com/u/30693265/1/1.jpg[/img_thumb] Then I found the email login information; I logged in without any issues. [img]https://dl.dropboxusercontent.com/u/30693265/1/2.jpg[/img] I changed the password, the account is pretty active, and I also decided to spice up the profile. [img_thumb]https://dl.dropboxusercontent.com/u/30693265/1/3.jpg[/img_thumb] I also went into the YouTube channel, hid his videos from the public and deleted the keylogger file links from his description. [img_thumb]https://dl.dropboxusercontent.com/u/30693265/1/4.jpg[/img_thumb] Good day. [editline]31st December 2014[/editline] I checked the email now, there were 42 stolen accounts, deleted all the mail.
ILSpy says the file doesn't have any managed assemblies and I cannot decompile the exe with it... I am also surprised that you guys actually find some good "key loggers" because I keep running into surveys. Damn you phishers! Let me give you my info!
[QUOTE=Exho;46829136]ILSpy says the file doesn't have any managed assemblies and I cannot decompile the exe with it... I am also surprised that you guys actually find some good "key loggers" because I keep running into surveys. Damn you phishers! Let me give you my info![/QUOTE] It's probably written in some other language than the .NET family. If the phisher has a dedicated video you could check whether it has this icon [IMG]http://i.imgur.com/dF788V9.png[/IMG] It's pretty much a dead giveaway that the program was written with C#. Also, do be careful not to run those files. You could rename the .exe files to .dll. Decompilers will still accept those as input and you are not as likely to get infected
[QUOTE=aurum481;46831147]It's probably written in some other language than the .NET family. If the phisher has a dedicated video you could check whether it has this icon [IMG]http://i.imgur.com/dF788V9.png[/IMG] It's pretty much a dead giveaway that the program was written with C#. Also, do be careful not to run those files. You could rename the .exe files to .dll. Decompilers will still accept those as input and you are not as likely to get infected[/QUOTE] I wouldn't be surprised if they were written in VB.NET instead of C#. Besides that, a lot of them are also written in AutoIt, which also has a decompiler somewhere
Hey! I finally got one! Looks like someone already hit [email]rscape746@gmail.com[/email] though, because his password was changed 3 days ago. If you want to mess with the key gen then his channel is here: [url]https://www.youtube.com/user/xpdv102/videos[/url], no viruses or anything, it's just a program made in Visual Basic [I]Out to steal your moenys[/I] [IMG]http://i.gyazo.com/0c2f3f2e9bcdd2a26e481a1257fd5137.png[/IMG]
Yeah, I read through some of those, it's pretty cool. If one of you guys doesn't mind, could you look through these 2 key loggers I found? I went through them with ILSpy and found nothing that seemed to send any login credentials through email, and it kind of confused me as to why someone would make this. (I uploaded them) [url]https://www.mediafire.com/?mbwpijpaxb7beoj[/url]
[QUOTE=Exho;46832212]Hey! I finally got one! Looks like someone already hit [email]rscape746@gmail.com[/email] though, because his password was changed 3 days ago. If you want to mess with the key gen then his channel is here: [url]https://www.youtube.com/user/xpdv102/videos[/url], no viruses or anything, it's just a program made in Visual Basic [I]Out to steal your moenys[/I] [IMG]http://i.gyazo.com/0c2f3f2e9bcdd2a26e481a1257fd5137.png[/IMG][/QUOTE] This was in Visual Basic?? I tried loading it in ILSpy and it didn't work, so I assumed it was written in something else [editline]1st January 2015[/editline] Never mind, I got it to work; sadly they changed their password 4 days ago
Yeah, kind of a bummer. I've pretty much searched all the recent Runescape, Club Penguin, and Minecraft generators and haven't broken into any emails or anything. I've found credentials but Google's IP checker stops me each time. Oh well, it was still pretty fun
[QUOTE=Exho;46838499]Yeah, kind of a bummer. I've pretty much searched all the recent Runescape, Club Penguin, and Minecraft generators and haven't broken into any emails or anything. I've found credentials but Google's IP checker stops me each time. Oh well, it was still pretty fun[/QUOTE] Use a mail client, not GMail's web interface. [QUOTE=aurum481;46811395]So my friend got hacked by some .scr type hack. I almost fell for it before noticing the .scr extension. I fired up ILSpy and I was met with a wall of Chinese characters. [IMG]http://i.imgur.com/vbmuDW5.png[/IMG] There's supposedly an assembly inside that image and it uses some convoluted shit to load that bmp into memory and subsequently decode it into executable code. I think I could just copy-paste the decrypting portion of code and look into it in a disassembler, but I don't think I'll be able to make any sense out of that[/QUOTE] Feel free to upload or send me the file and I'll take a look. [editline]2nd January 2015[/editline] [QUOTE=Exho;46835868]Yeah, I read through some of those, it's pretty cool. If one of you guys doesn't mind, could you look through these 2 key loggers I found? I went through them with ILSpy and found nothing that seemed to send any login credentials through email, and it kind of confused me as to why someone would make this. (I uploaded them) [url]https://www.mediafire.com/?mbwpijpaxb7beoj[/url][/QUOTE] "RS07 Money Generator" does send phished accounts. Not by email, but to a website.
A bot on Steam sent me one of these, decided to see if I could get anything from it, but nothing so far. I'm pretty sure it's .NET with what reports to be ConfuserEx v0.3.0-custom, but I can't even manage to get raw IL from it: [img]http://i.imgur.com/A4E6Ql7.png[/img]
[QUOTE=Goz3rr;46962134]A bot on Steam sent me one of these, decided to see if I could get anything from it, but nothing so far. I'm pretty sure it's .NET with what reports to be ConfuserEx v0.3.0-custom, but I can't even manage to get raw IL from it: [img]http://i.imgur.com/A4E6Ql7.png[/img][/QUOTE] I've just finished dissecting the same kind of Steam stealer. It can't be directly opened by most assembly browsers. [url=http://imgur.com/Qji7sfI][img]http://i.imgur.com/Qji7sfI.png[/img][/url] Running it through de4dot --dont-rename makes it readable, yet very heavily obfuscated (for some reason running it without --dont-rename makes the resulting malware crash, and we'll need to be able to launch it later). Control flow obfuscation and some wonky encryption functions are everywhere. [url=http://imgur.com/KMIntQw][img]http://i.imgur.com/KMIntQw.png[/img][/url] But wait, what's this? That's right, it's the line that executes the unencrypted assembly containing the actual Steam stealer: [url=http://imgur.com/aG3yhXB][img]http://i.imgur.com/aG3yhXB.png[/img][/url] Open up .NET Reflector with the Reflexil plugin (or Simple Assembly Explorer), change around some IL to write the payload assembly onto the disk like this: [url=http://imgur.com/t5YLB49][img]http://i.imgur.com/t5YLB49.png[/img][/url] [url=http://imgur.com/w7oIyv3][img]http://i.imgur.com/w7oIyv3.png[/img][/url] Now save the modified assembly, run it (remember to do it all in a clean VM, just to be safe) and get your deobfuscated.dll file. The resulting .dll can't be opened correctly in ILSpy/.NET Reflector either, but de4dot comes to help again and makes it openable. [url=http://imgur.com/Ou3UdgM][img]http://i.imgur.com/Ou3UdgM.png[/img][/url] What's inside seems to be some elaborate Steam stealer malware, so probably no e-mails to steal here. Still fun though.
[QUOTE=Mikolah;46972369]What's inside seems to be some elaborate steam stealer malware, so probably no e-mails to steal here. Still fun though.[/QUOTE] Looks like [url=http://pokestealer.com]this[/url].
Would be quite awesome if these people were sloppy at covering their tracks and ended up getting caught by the authorities for virtual theft. I do recall some cases where people on Habbo Hotel (no idea if anyone knows it) got fined / sentenced for trying to make it seem like they would give the user in-game coins if they'd give their password, but they got all their items taken away.
Hey guys, I've just started learning Python and I have some trouble making simple functions that grab x-digit numbers, make every single digit a number and sum them up.... So I was wondering, since I have an extreme curiosity in these things, if somebody could comment a piece of code or how it works.
Well, I found a brand new Runescape one! This guy left his email credentials in there as well, but my biggest issue is just being able to access his email! I've tried eM Client and Mozilla Thunderbird but it always fails to connect. It seems like you cannot bypass Gmail's IP checking...
Kids cannot use ConfuserEx. Although if they discovered how to use it we couldn't decompile their shitty ass keyloggers anymore.
[QUOTE=Sinatra;47108509]Kids cannot use ConfuserEx. Although if they discovered how to use it we couldn't decompile their shitty ass keyloggers anymore.[/QUOTE] No obfuscator really protects you against reverse engineering. Not even ConfuserEx.
[QUOTE=DrTaxi;47111601]No obfuscator really protects you against reverse engineering. Not even ConfuserEx.[/QUOTE] In most cases, ConfuserEx makes the effort needed to reverse engineer some kid's malware not worth it.
[QUOTE=geel9;34885574]This is a felony. Every person is a felony.[/QUOTE] It's a double-edged sword, the victims are not victims... I mean, the "victims" are looking for a hack or an easy buck.
[QUOTE=Rocket;47134032]I don't think you understand what victim means.[/QUOTE] What he's saying is that if you want to cheat in multiplayer games, you're a twat and deserve to have your account stolen. Can't say I disagree.
Heh. This has got me hooked now. Found some FIFA phisher. Logged into the Google account, saw it was linked to a Facebook account. Sent the guy a message (in badly translated Georgian through Google Translate), changed the passwords, set FB account for deletion and deleted the Google account. I feel like a vigilante.
[QUOTE=benbb;47136144]Heh. This has got me hooked now. Found some FIFA phisher. Logged into the Google account, saw it was linked to a Facebook account. Sent the guy a message (in badly translated Georgian through Google Translate), changed the passwords, set FB account for deletion and deleted the Google account. I feel like a vigilante.[/QUOTE] You do realise that if you deleted his account he won't be able to read that?
[QUOTE=DrTaxi;47136319]You do realise that if you deleted his account he won't be able to read that?[/QUOTE] I literally sent: 'Hello. Stop phishing. It's bad'. He had his personal FB friended so he'll probably see it. Not that bothered anyway. Found another 'hack' afterwards. All these phishers seem to be Georgian/Russian. Just change p/w and delete account.
[QUOTE=DrTaxi;47135529]What he's saying is that if you want to cheat in multiplayer games, you're a twat and deserve to have your account stolen. Can't say I disagree.[/QUOTE] Exactly. People want to hack but get hacked instead. Now you people are hacking people that want to hack people that want to hack and I am fine with it :v:.
[QUOTE=Fourier;47138333]Exactly. People want to hack but get hacked instead. Now you people are hacking people that want to hack people that want to hack and I am fine with it :v:.[/QUOTE] We have to go deeper than that.
[QUOTE=Rocket;47140183]That doesn't make it less of a crime. "Yes, I killed him, but he killed my friend!" "Oh, well, you're off the hook." Does anyone care? No, absolutely not. It is technically a crime, just not one that people care about.[/QUOTE] No, it is actually different. Somebody plans to kill you but he gets killed instead when he wants to buy the gun :v:.
[QUOTE=Rocket;47146262]A cheater wasn't planning on infecting you with a virus. Hell, unless you play Runescape, they weren't affecting you at all.[/QUOTE] Ok, better analogy then... Cheater wants to rip you off with the money, he asks somebody for help but then the one who should help him rips him off.