[QUOTE=supersnail11;34914739]Variable names like ఋ mean that it's Project Neptune.[/QUOTE]
Not necessarily. There are a lot of other .NET programs that rename their variables to similar characters.
So how do you deal with assemblies in resources?
The one I got loaded one into a byte array and then called some functions on it. I managed to just write the whole byte array to a file and it works.
Opened that with ILSpy but I think this one is way over my head.
A lot of WriteProcessMemory, ReadProcessMemory and obfuscated to all hell.
Any ideas what I could try?
I wonder if you can use that "corrupted" text for variable names. So you have variable names that extend vertically and are just incredibly unreadable. They also block out other code.
[QUOTE=Darwin226;34915339]So how do you deal with assemblies in resources?
The one I got loaded one into a byte array and then called some functions on it. I managed to just write the whole byte array to a file and it works.
Opened that with ILSpy but I think this one is way over my head.
A lot of WriteProcessMemory, ReadProcessMemory and obfuscated to all hell.
Any ideas what I could try?[/QUOTE]
Use Simple Assembly Explorer and de4dotnet (deobfuscator).
It sounds like it's a crypter that uses RunPE.
[QUOTE=marvincmarvin;34915525]Use Simple Assembly Explorer and de4dotnet (deobfuscator).
It sounds like it's a crypter that uses RunPE.[/QUOTE]
De4DotNet did nothing to the code. Tried it. And yes, it is that runpe thing. What's that?
[QUOTE=Darwin226;34915574]De4DotNet did nothing to the code. Tried it. And yes, it is that runpe thing. What's that?[/QUOTE]
RunPE injects an executable's byte code into a process and runs it inside of said process.
Try Simple Assembly Explorer's default deobfuscator, odds are it isn't actually obfuscated, it's just the creator's poop attempt at "polymorphism" by random variable name generation.
Ah, done my good thing for today. Sent out about 1k emails to people who had their stuff stolen from this guy, explaining how to avoid it happening again.
I found a Project Neptune keylogger Gmail with 3k emails, but Google locked me out saying the account was under temporary suspension. That's good, but damn, 3k people got logged.
[QUOTE=marvincmarvin;34915672]RunPE injects an executable's byte code into a process and runs it inside of said process.
Try Simple Assembly Explorer's default deobfuscator, odds are it isn't actually obfuscated, it's just the creator's poop attempt at "polymorphism" by random variable name generation.[/QUOTE]
Great.
So do I actually have to know how to read IL or is there something else Simple Assembly Explorer can do for me?
I feel like a lot of the ones that I encounter with a recently changed password is because of you guys.
[IMG_THUMB]http://i1227.photobucket.com/albums/ee431/Marvino_Countrymano/Untitled.png[/IMG_THUMB]
[IMG_THUMB]http://i1227.photobucket.com/albums/ee431/Marvino_Countrymano/Untitled2.png[/IMG_THUMB]
[editline]...[/editline]
[QUOTE=Darwin226;34916291]Great.
So do I actually have to know how to read IL or is there something else Simple Assembly Explorer can do for me?[/QUOTE]
You should probably learn MSIL if you plan on editing .NET assemblies with SAE, but you don't have to.
[QUOTE=marvincmarvin;34916477][IMG_THUMB]http://i1227.photobucket.com/albums/ee431/Marvino_Countrymano/Untitled.png[/IMG_THUMB]
[IMG_THUMB]http://i1227.photobucket.com/albums/ee431/Marvino_Countrymano/Untitled2.png[/IMG_THUMB]
[editline]...[/editline]
You should probably learn MSIL if you plan on editing .NET assemblies with SAE, but you don't have to.[/QUOTE]
Thanks for all your help man. Maybe I can do something good now :D
[editline]29th February 2012[/editline]
Got one of them.
Decided to send him a message to his Youtube channel.
I said that I alerted the proper authorities and that he should be expecting to be contacted by them in the near future.
He replies with my IP saying "Thanks for the IP. I'll be spreading it around"
Now I'm definitely fucked... :P
[QUOTE=Darwin226;34916544]Thanks for all your help man. Maybe I can do something good now :D
[editline]29th February 2012[/editline]
Got one of them.
Decided to send him a message to his Youtube channel.
I said that I alerted the proper authorities and that he should be expecting to be contacted by them in the near future.
He replies with my IP saying "Thanks for the IP. I'll be spreading it around"
Now I'm definitely fucked... :P[/QUOTE]
Afaik people that say that don't have a fucking clue what they're talking about.
[QUOTE=Ratzz;34918462]Afaik people that say that don't have a fucking clue what they're talking about.[/QUOTE]
Which is implied by the fact that they used a Visual Basic keylogger.
[QUOTE=supersnail11;34918912]Which is implied by the fact that they used a visual basic keylogger.[/QUOTE]
One I just found is rather clever: it searches for eMule and other peer-to-peers, copies the exe there, renames it, and adds in what is needed to upload to eMule.
So not only does it send off a load of stuff, it uses your PC to spread like a virus too.
By the way, inspired by you, I made a program that I can run on a folder, and it will rename all executables inside to a safe version, so exe becomes ex_ etc., that way I can't be caught by the same sneaky trick.
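The "rename executables to a safe extension" tool described in the post above, as an added example (not the poster's program): it walks a folder, treats a file as executable if its extension is in a constructed list or if it carries the PE "MZ" stub regardless of extension, and renames it so that a double-click no longer launches it. The sample files in `demo()` are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions Windows launches on double-click; constructed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe_file(path):
    """True if the file starts with the DOS 'MZ' stub, i.e. is a PE image
    whatever extension it was given (a .jpg that is really an .exe)."""
    try:
        with Path(path).open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def safe_name(path):
    """sample.exe -> sample.ex_ : the last character of the extension becomes
    '_' so nothing launches it by accident; a file with no extension gets .ex_."""
    path = Path(path)
    ext = path.suffix
    if not ext:
        return path.with_name(path.name + ".ex_")
    return path.with_suffix(ext[:-1] + "_")


def neutralise_folder(folder, rename=True):
    """Walk `folder` and rename every executable to its safe name.
    Returns (old, new) Path pairs; with rename=False it only reports."""
    done = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            p = Path(root) / name
            if p.suffix.lower() in EXECUTABLE_EXTS or is_pe_file(p):
                target = safe_name(p)
                if target.exists():  # never clobber an existing file
                    continue
                if rename:
                    p.rename(target)
                done.append((p, target))
    return done


def demo():
    """Build a constructed sample folder, neutralise it, return the new names."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "dropper.exe").write_bytes(b"MZ" + b"\0" * 62)  # fake PE stub, constructed
    (tmp / "photo.scr").write_bytes(b"\x89PNG")              # executable extension only
    (tmp / "holiday.jpg").write_bytes(b"MZ" + b"\0" * 62)    # PE hiding behind .jpg
    (tmp / "readme.txt").write_text("benign")                # left alone
    return sorted(new.name for _old, new in neutralise_folder(tmp))
```

Run with `rename=False` first to see what would be touched; the MZ check is what catches a dropper that was renamed to look like a picture.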
I got one unencrypted, but Google's giving me the "you're not from where they are" bullshit. I asked the guy if he can get on Yahoo or IRC with me (so I can either get his real email or his IP to find his real location).
Did all the work to decrypt one, Gmail tells me password changed 7 days ago...
[editline]29th February 2012[/editline]
Shame, this other one was just a scam for surveys: asks for a licence key, and the next form is a fake, not even an attempt at an email.
[QUOTE=supersnail11;34914739]Just find the encoded strings and the key, and then use this: [url]http://www.tools4noobs.com/online_tools/decrypt/[/url] (TripleDES)[/QUOTE]
Don't make things harder for yourself. Just change the IL around a little and have it print the strings in a MessageBox.
[QUOTE=marvincmarvin;34920484]Don't make things harder for yourself. Just change the IL around a little and have it print the strings in a MessageBox.[/QUOTE]
I don't use the online one, I have a small C# application that I put chunks of code in that I found in the application to decode them.
I emailed one the guys that I got his E-Mail from and he's like [quote]Using reflector doesn't make you pr01337h4x0r...
Skid.[/quote]
Then sends another E-Mail with [quote]Brb... let me start my Blackshades & Enjoy being hit...[/quote]
Oh the irony....
If you don't get it, Blackshades is a popular RAT tool on some skid breeding ground called Hackforums.
[QUOTE=Doritos_Man;34920578]I emailed one the guys that I got his E-Mail from and he's like
Then sends another E-Mail with
Oh the irony....
If you don't get it, Blackshades is a popular RAT tool on some skid breeding ground called Hackforums.[/QUOTE]
Because you totally used his Keylogger and then didn't run an antivirus.
[QUOTE=supersnail11;34920657]Because you totally used his Keylogger and then didn't run an antivirus.[/QUOTE]
Wasn't a keylogger virus.
It uploaded your Minecraft login file to Gmail and sent it to him.
[cpp]
[url]http://www.youtube.com/watch?v=nM0h6c9Awmc[/url]
"om.75019@gmail.com", "@37857@37857"
[/cpp]
Can't use it as it has that stupid Google location lock.
[QUOTE=nekosune;34920714][cpp]
[url]http://www.youtube.com/watch?v=nM0h6c9Awmc[/url]
"om.75019@gmail.com", "@37857@37857"
[/cpp]
Can't use it as it has that stupid Google location lock.[/QUOTE]
Nothing important on it.
Wait I found a bunch of logs in the trash.
[QUOTE=Doritos_Man;34920752]Nothing important on it.
Wait I found a bunch of logs in the trash.[/QUOTE]
Nice, well, I can't get at it anyway so :S
I feel all smart now because I figured out the IL opcodes all by myself.
The result is this:
[url]http://www.youtube.com/watch?v=WrCpYjYhXjo[/url]
Well, found one that downloads a file named coco.exe, this seems to be something called coco.exe, and another one that loads an assembly from itself.
[editline]29th February 2012[/editline]
I hate this use of a number of unprintable characters as a function name that .NET allows now.
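The unprintable, non-Latin and "vertically stacking" identifiers complained about in this post and earlier in the thread (the Telugu letter, the random-name "polymorphism") are easy to flag once the names are out of the assembly. Added example, not code from the thread: a triage heuristic over a constructed list of identifiers, using Unicode categories for control/format/combining characters and script mixing; the "no ASCII letters" rule is an assumption for English-authored code and is labelled as such.

```python
import unicodedata

# Constructed identifier list standing in for names read out of an assembly.
# "\u0c0b" is the Telugu letter quoted earlier in the thread.
SAMPLE_IDENTIFIERS = [
    "ReadSettings",            # ordinary
    "\u0c0b",                  # single non-Latin letter
    "a\u0301\u0302\u0303",     # combining marks stacked on one letter
    "ab\u200bcd",              # zero-width space inside the name
    "\u0001\u0002",            # control characters only
    "Latin\u0430",             # Latin 'Latin' + Cyrillic 'a' look-alike
    "SendReport",              # ordinary
]


def identifier_reasons(name):
    """Return the list of reasons this identifier looks machine-generated.
    An empty list means it passed every check."""
    reasons = []
    cats = {unicodedata.category(c) for c in name}
    if cats & {"Cc", "Cf", "Co", "Cn"}:        # control, format, private-use, unassigned
        reasons.append("unprintable_or_format")
    if cats & {"Mn", "Me"}:                    # combining marks (the "vertical" junk)
        reasons.append("combining_marks")
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}
    if len(scripts) > 1:                       # e.g. LATIN mixed with CYRILLIC
        reasons.append("mixed_scripts")
    # Heuristic assumed for this example: a name with no ASCII letter at all is
    # unusual in English-authored code (it also flags digit-only names).
    if name and not any(c.isascii() and c.isalpha() for c in name):
        reasons.append("no_ascii_letters")
    return reasons


def scan_identifiers(names, threshold=0.5):
    """Score a whole assembly's names; above `threshold` flagged, assume a renamer ran."""
    findings = {n: identifier_reasons(n) for n in names}
    flagged = sum(1 for r in findings.values() if r)
    ratio = flagged / len(names) if names else 0.0
    return {"flagged": flagged, "total": len(names), "ratio": ratio,
            "likely_renamed": ratio >= threshold, "findings": findings}


if __name__ == "__main__":
    report = scan_identifiers(SAMPLE_IDENTIFIERS)
    for name, why in report["findings"].items():
        print(repr(name), why or "ok")
    print("likely renamed:", report["likely_renamed"])
```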
Apparently, closing a Gmail account allows the address to be reregistered. So this guy: [url]http://www.youtube.com/watch?v=LhAHuzKM3ak[/url] did the same fucking thing, and I got him again. This time I'm gonna remove all the logs but keep the account up.
How come none of them try to send your saved passwords?
That should be possible, right?
[QUOTE=Darwin226;34922792]How come none of them try to send your saved passwords?
That should be possible, right?[/QUOTE]
You mean the web browsers?
They are encrypted.