Monday, January 25, 2010
Magic-PS-Final (Hack yahoo Messenger)
MagicPS is a very common and popular trojan for stealing Yahoo! Messenger passwords. Many people have become victims of MagicPS. Most of them do not know that their password has been lost; the rest know they lost their password to MPS, but do not know who stole it, because the thief stays hidden ..
Currently MagicPS 1.5 is in circulation, with support for stealing passwords from the latest version, Yahoo! Messenger 6. You can scan for it with NAV, but that does not tell you which bad guy tricked you into dropping MagicPS in the first place ...
Below is an analysis of MagicPS 1.5 SE: how MPS stores and encrypts its information, up to recovering the Yahoo! ID of the person who has been stealing your password with MPS. At the end there is a small tool that helps you discover your attacker.
First, using the MPS creator, create a Sender.exe file. Thug selects "Send Y! Mess Pass" and "Auto Startup", then presses Create MPS.
The MPS creator produces a Sender.exe file. When run, MPS turns into the file regsvr.exe. The Y! Mess password will be sent to the Yahoo ID: mothafuckin_attacker.
http://vxervn.com/src/cmpsyid-src/creator.JPG
Use Olly to load this Sender.exe. Oooops, looking at Olly's code view window, from experience Thug realized that this Sender.exe was definitely packed and encrypted by MPS.
http://vxervn.com/src/cmpsyid-src/1.JPG
Load it into PEiD to see which packer it is packed with: UPX-Scrambler RC1.x -> ® ol © Ont. Oopps, nothing more is known about it ... The strings behind it cannot be identified, so Thug has to unpack it by hand ...
http://vxervn.com/src/cmpsyid-src/2.JPG
Typically a packer has to unpack in many closed loops; then, when the unpacking and decoding work is done, EIP is pointed at the true Entry Point of the EXE file that was packed, through a JMP or CALL instruction. That JMP or CALL may be placed by the packer "off the beaten path" or sunk in garbage code generated by the packer. With this experience in mind, Thug presses PageDown 3 times and meets this opcode at offset:
    0040FADF  E9 D452FFFF    JMP Sender.00404DB8
http://vxervn.com/src/cmpsyid-src/3.JPG
Here, that JMP is 99.99% sure to jump to the real entry point. Put a breakpoint at offset 0040FADF and press F9. Press F7 once more, and Thug lands here:
http://vxervn.com/src/cmpsyid-src/4.JPG
From experience, the prolog seen at offsets 404DB8 and 404DB9 shows that this is the real entry point of the packed file. He3, let's try to see whether MagicPS stores the attacker's yahooID in plain text anywhere. Press Alt + M, choose each section of Sender.exe in turn and search for the string "mothafuckin_attacker":
http://vxervn.com/src/cmpsyid-src/5a.JPG
Result: the string is not in any section, including the stack. So the string must have been encrypted or hidden by MPS in the file Sender.exe.
MPS's yahooID encryption capability is higher than it looks (gut feeling), so Thug starts checking the MPS generator, the file that creates Sender.exe. Why check the MPS generator? Thug judges that the MPS generator encodes the string "mothafuckin_attacker" for the file Sender.exe, and that Sender.exe then contains a decoder to decode this string. Repeat as before: load the file MPS-15-SE.exe into Olly. MPS-15-SE.exe is also packed.
Okie, after dumping MPS-15-SE.exe to the file dumb.exe, Thug loads dumb.exe into Olly. At this point our job is to find the code that encrypts the string "mothafuckin_attacker", and from there find the bytes this string is encoded into.
From experience, to get the text from a text box, a Delphi coder will use the imported API GetWindowTextA. Since the imported API is reached through a JMP, this address is generally within the code being executed. So press PgUp a few times, and Thug finds the following address:
    00402538  FF25 BC114100    JMP DWORD PTR DS:[<&user32.GetWindowTextA>]    ; USER32.GetWindowTextA
Put a breakpoint here. Press F9. Again create a Sender.exe file, choosing options as at first:
http://vxervn.com/src/cmpsyid-src/1.JPG
Press the Create MPS button. Control returns to Olly. Press F8 to run through this API, then press F7 a few more times, and Thug gradually gets to the following offset:
    00408E55  8D4430 FF    LEA EAX, DWORD PTR DS:[EAX+ESI-1]
http://vxervn.com/src/cmpsyid-src/catch_yid.JPG
Here we see EAX and EDX pointing to the string "MPS: Magic_h2001". Stepping with F7 and F8, Thug realizes this is the starting point of the encryption. It seems the strings are encrypted here one after another, and this encoding begins at offset 00408E55. What we need is the encoding of the string "mothafuckin_attacker", so keep pressing F9 a number of times to pass quickly through the encoding of strings such as "regsvr.exe" or "Error code ...", until we reach the string of interest:
http://vxervn.com/src/cmpsyid-src/catch_yid2.JPG
He3, next, continue analyzing what the string "mothafuckin_attacker" is encoded into. We need to find the offset where the encrypted yahooID is kept. Press F8 a few times, and Thug is here.
http://vxervn.com/src/cmpsyid-src/enc_1.JPG
Thus the character "m" has been converted into the encoded byte 0Dh. Byte 0Dh is located just before the string "othafuckin_attacker". From then on, each encoded character is saved at the offset that held the unencoded character before. So in this case the yahooID is located at offset 00169338h.
Press Alt + M and dump memory starting at offset 00140000. Scroll down; we need to find that string in memory:
http://vxervn.com/src/cmpsyid-src/memory.JPG
Press F8 several more times. We get the string encoded as follows:
http://vxervn.com/src/cmpsyid-src/memory2.JPG
Done? Wait a minute, did I miss where MPS encodes the string a second time? Being more careful, Thug puts a breakpoint on write at offset 00169338h, the start offset of the string. Press F9 and Olly stops. Observing the first encoded byte, Thug now sees that it is being encrypted again (carefully layered, he3). In this case, as you can see, the encrypted byte 0Dh is encrypted into the byte 0BFh. The result is:
http://vxervn.com/src/cmpsyid-src/memory3.JPG
Are you doubting: "Is there a 3rd encryption?" He3, press F9 again to check (remember that we still have the breakpoint on write at the start offset of this yahooID). But, happily, MPS only encodes two times ...
Okie, done then. Let the MPS generator run. I get the Sender.exe file. Completion of the first part. (Note that the newly created Sender.exe is not the Sender.exe from the beginning of the article.)
Open the Sender.exe just created and repeat the previous steps to unpack the file from memory. Thug eagerly ran to look for the newly encoded string above in the sections, in order to set a breakpoint on access at the offset containing the encrypted yahooID and then decrypt the code from there ...
Find the following hex bytes (our string encrypted two times):
    BF C4 C6 C1 B7 C1 D1 BA C9 FA CC C2 BF D3 D2 C4 C9 D0 CD D7
But real life is full of cheating: these bytes are NOT FOUND IN ANY SECTION. E hem, so MPS keeps the encrypted yahooID (probably together with other encrypted secret data) in a section that is not in the memory map. The MPS author is quite skilled. But if so, MPS must read that data from the file. He3, so it cannot do without 2 APIs: SetFilePointer and ReadFile. Okie, these are imported APIs, so press Ctrl + Home; Thug finds the JMP to this address and sets a breakpoint there. Press F9 to run Sender.exe.
Olly stops at the breakpoint just set. Here we are interested in the data on the stack:
http://vxervn.com/src/cmpsyid-src/stack.JPG
From the stack we find that the file pointer is moved from FILE_BEGIN to 3800h (14,336 bytes). On the other hand, we know that MPS creates the file regsvr.exe, which keeps running in memory. Looking on the computer, Thug finds the file c:\WINDOWS\REGSVR.EXE. Press Ctrl + Alt + Del: REGSVR.EXE is among the running processes. So MPS can read data from this REGSVR.EXE file. (Later, on checking, Thug found that when the MPS file runs it copies Sender.exe to REGSVR.EXE and Tapi32init.exe in %systemroot%. After a reboot, Tapi32init.exe runs automatically at Windows boot.) Checking the file's length in bytes, Thug has a file size of 14,728 bytes. The file size is larger than the offset the pointer points to. Therefore MPS reads data starting from offset 3800h from the beginning of the file, with a data length of 188h bytes (392 bytes). And it is possible that this data contains our encrypted yahooID.
Continue pressing F8 once control returns to the main program. Press Alt + M and watch all of memory for changes. In the code window (Alt + C), I press F8 line by line. I find that memory starting from about 00143930h keeps changing, and plain text appears where none appeared before. Continue pressing F8 while observing memory. We have:
http://vxervn.com/src/cmpsyid-src/yidplain.JPG
He3, from this we draw out that offset 0040512Dh is where MPS starts decoding the yahooID. Completion of the 2nd part.
As above, we see that the yahooID was decoded after passing through MPS offset 0040512Dh, meaning that MPS loads the encrypted data somewhere in memory. So Thug presses Ctrl + B to search for the encoded bytes in all of memory. Yes!! There it is:
http://vxervn.com/src//cmpsyid-sr...d_in_memory.JPG
Note that just before the first byte is a byte 16h = 22 (the length of the string "mothafuckin_attacker" + 2). After the series of encoded bytes are 2 bytes, 0B2h 60h. Remember this. Why? Pay attention: the data seems to be related. First, the byte 16h is separated from the data before it by 2 bytes 00h. Second, 16h is the length of our string plus 2 bytes. Therefore Thug judges that the two bytes adjacent to the last byte of the encrypted yahooID are related to the encryption ...
Press Alt + C to go back to the code window. Pressing F8 repeatedly, Thug finds the code MPS uses to decrypt. Remember that MPS encodes 2 times? Here we also find two pieces of decoding code ... Part 1: from 0040293Dh to 0040298Ah. Part 2: from 0040298Ch to 004029D0h. Because analyzing this is a bit lengthy, Thug wrote the following comments for your reference.
http://vxervn.com/src/cmpsyid-src/decrypt_code.JPG
Completion of the 3rd part.
Then, to test his hypothesis, Thug rebuilds the Sender.exe file structure: the encrypted yahooID is indeed stored in the following format:
    CC DD AA BBBB ... BBBBBBBBB
With AA = length of the yahooID + 2. CC and DD are the two keys used to decrypt the yahooID. The offset of the encrypted yahooID in the MPS file is (filesize - 392) + 0B2h. It is a fixed offset relative to the end of the file, not a fixed absolute offset (you can check with Hiew). Thug had to calculate from the MPS file size because the MPS binder function, which pairs the trojan with a healthy PE exe file, changes the MPS file size.
Completion of the 4th part.
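As an added example (my code, not part of the original post and not CoverYID), the following Python script locates and parses the record in the layout hypothesized above: CC DD AA BB..BB at file offset (filesize - 392) + 0B2h. It constructs a stand-in file of 14,728 bytes, the regsvr.exe size given earlier (a 3800h-byte body plus the 188h-byte trailing block), and places the twice-encoded bytes listed above in it, with the two bytes 0B2h 60h seen next to the string used as the key fields. The decoding routine itself exists only in the post's screenshot, so the script stops at extracting the keys and the ciphertext; the names build_sample_file, record_offset, extract_yid_record and YidRecord are my own.

```python
# Added example, not from the original post or from CoverYID.
# Assumptions (the post's hypothesis): the encrypted yahooID record is laid out
# as CC DD AA BB..BB, where CC and DD are the two key bytes, AA is
# len(yahooID) + 2, and the record sits at file offset (filesize - 392) + 0xB2.
from dataclasses import dataclass

TRAILING_BLOCK_SIZE = 392      # 188h bytes read by ReadFile, per the post
RECORD_OFFSET_IN_BLOCK = 0xB2  # record position inside that block, per the post
HEADER_SIZE = 3                # CC, DD, AA

# The twice-encoded bytes of "mothafuckin_attacker" as listed in the post.
ENCODED_YID = bytes.fromhex("BFC4C6C1B7C1D1BAC9FACCC2BFD3D2C4C9D0CDD7")


@dataclass(frozen=True)
class YidRecord:
    key1: int          # CC
    key2: int          # DD
    length_field: int  # AA = ciphertext length + 2
    ciphertext: bytes  # BB..BB, still encoded twice


def build_sample_file(ciphertext: bytes, key1: int = 0xB2, key2: int = 0x60,
                      body_size: int = 0x3800) -> bytes:
    """Constructed stand-in for regsvr.exe: an opaque 3800h-byte body (zeros)
    followed by the 392-byte trailing block holding the record at 0xB2. The
    default key values are the two bytes the post saw next to the encoded string."""
    record = bytes([key1, key2, len(ciphertext) + 2]) + ciphertext
    block = bytearray(TRAILING_BLOCK_SIZE)
    block[RECORD_OFFSET_IN_BLOCK:RECORD_OFFSET_IN_BLOCK + len(record)] = record
    return b"\x00" * body_size + bytes(block)


def record_offset(file_size: int) -> int:
    """Offset of the record, anchored to the end of the file: the MPS binder
    changes the total size while the appended block keeps its shape."""
    return (file_size - TRAILING_BLOCK_SIZE) + RECORD_OFFSET_IN_BLOCK


def extract_yid_record(data: bytes) -> YidRecord:
    """Parse CC DD AA BB..BB out of a file image, with bounds checks so that a
    truncated or unrelated file raises instead of returning garbage."""
    size = len(data)
    if size < TRAILING_BLOCK_SIZE:
        raise ValueError("file smaller than the 392-byte trailing block")
    start = record_offset(size)
    if start + HEADER_SIZE > size:
        raise ValueError("record header runs past end of file")
    key1, key2, length_field = data[start:start + HEADER_SIZE]
    cipher_len = length_field - 2
    end = start + HEADER_SIZE + cipher_len
    if cipher_len <= 0 or end > size:
        raise ValueError(f"implausible length field {length_field:#04x}")
    return YidRecord(key1, key2, length_field, data[start + HEADER_SIZE:end])


if __name__ == "__main__":
    sample = build_sample_file(ENCODED_YID)
    rec = extract_yid_record(sample)
    print(f"file size {len(sample)} bytes, record at {record_offset(len(sample)):#x}")
    print(f"keys {rec.key1:#04x} {rec.key2:#04x}, AA={rec.length_field:#04x}, "
          f"ciphertext {rec.ciphertext.hex(' ').upper()}")
```

On the sample file the record lands at offset 38B2h, which is why the post computes from the file size rather than from a fixed position; a file that does not carry the trailing block fails the length-field check rather than yielding a bogus "attacker ID".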
Finally, Thug wrote the program CoverYID to find out the yahooID of the attacker who installed MPS on the victim's computer, that is, the yahooID to which the victim's password is sent. The program scans the running processes and disables the "Disable Taskmgr" setting of MPS. Once the hidden MPS process is found, CoverYID automatically decodes the attacker's yahooID from the MPS process and reports it to you. In the CoverYID console you will find the full path of the running MPS file. At the same time CoverYID patches the MPS process so that, when it runs, it jumps straight to ExitProcess ;) This is just an extra feature Thug wrote for fun, because you can use an anti-virus / anti-trojan such as NAV to destroy it. The point of interest here is that you know who your attacker is. From there it depends on your imagination, for example some retaliation (such as pretending to send a mail from MPS, as if from the automated MPS mail-sender, with content like: "Because one of your victims used a firewall to protect his computer, so to complete MagicPS feature, you should download this file attached in this mail and run it normally. Your victims' firewall will be disabled. And password'll be sent successfully. MagicPS mail-sender"). He3, of course the attached file is then a trojan, sometimes even MagicPS again ... or he3. The biter gets bitten. Knowing your enemy, and what he thinks he will gain from his greed, he hands you his yahooID himself ... Or simply go into YM and send a few rude messages #&^#$%$@#% ... This depends on your ability to imagine.
Note: CoverYID runs on WinNT; fully tested, 100% working on Win2k, Win2k3 and WinXP SP1. As for Win9x, Thug is ... lazy, and partly there is no Win9x computer at home, so that OS is not supported. Hope for your sympathy :P
One more thing: this is the link where you can download CoverYID:
Link: http://vxervn.com/src/cmpsyid-src/coveryid.exe
Screenshot:
http://vxervn.com/src/cmpsyid-src/coveryid.JPG
http://vxervn.com/src/cmpsyid-src/screenshot2.JPG
If anyone would like to quote this, please add the author in full:
"(c) Thug4Lif3 - HVA forum", so as not to be a thief in your own right. :diablo: