1. Post #1
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    So I've been whaling keyloggers since 2 days ago and I must say it is fun as hell. I've already gotten a few scriptkiddies that encrypted with TripleDES but left the key out in the open in plaintext, however I'm trying to do some more advanced ones and I'm stuck. There are very few guides and tutorials on this subject and most of them are only talking basics.

    So I was hoping if someone with VB .Net knowledge here could help me out with a problem.
    I'm stuck on this "Me.keyz = Form1.DecryptTripleDES("2yXIKDKfQXwEmvODFkDJAQ==", Conversions.ToString(&H3AD7F3A9))"

    This is obviously the key to decrypt it all, but I have no idea what "Conversions.ToString(&H3AD7F3A9))" does or how to interpret it.

    Clicking on "Form1.DecryptTripleDES" shows a simple encrypter http://pastebin.com/1wuQGhWf like on almost all encrypters I've found.

    Can someone point me in the right direction?
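Added example, not part of the thread or of the pastebin code: the second argument in the line quoted in Post #1 is a constant, because `Conversions.ToString` applied to an Integer returns its decimal string, so the call can be folded to a string literal when reading decompiled VB.NET. The Python helper below does that folding for hex literals in general (Integer wraparound and type suffixes included); the function names `vb_hex_value` and `fold_constant_keys` are illustrative.

```python
import re

# Conversions.ToString(&H...) or Convert.ToString(&H...), with an optional VB type suffix.
CALL = re.compile(
    r"\b(?:Conversions|Convert)\.ToString\(\s*&H([0-9A-F]+)(UL|UI|US|[SIL%&])?\s*\)",
    re.IGNORECASE,
)
SIGNED_BITS = {"S": 16, "I": 32, "%": 32, "L": 64, "&": 64}
UNSIGNED_BITS = {"US": 16, "UI": 32, "UL": 64}


def vb_hex_value(digits, suffix=None):
    """Value of the VB.NET literal &H<digits><suffix> as the compiler types it."""
    raw = int(digits, 16)
    suffix = suffix.upper() if suffix else None
    if suffix in UNSIGNED_BITS:
        if raw >= 1 << UNSIGNED_BITS[suffix]:
            raise ValueError("literal does not fit its declared type")
        return raw
    # No suffix: Integer when the bit pattern fits in 32 bits, otherwise Long.
    bits = SIGNED_BITS[suffix] if suffix else (32 if raw <= 0xFFFFFFFF else 64)
    if raw >= 1 << bits:
        raise ValueError("literal does not fit its declared type")
    # Signed types: a set top bit means the pattern is a negative number.
    return raw - (1 << bits) if raw >= 1 << (bits - 1) else raw


def fold_constant_keys(source):
    """Replace each ToString(&H...) call in decompiled source with its string value."""
    return CALL.sub(lambda m: '"%d"' % vb_hex_value(m.group(1), m.group(2)), source)


# The line quoted in Post #1.
SAMPLE = ('Me.keyz = Form1.DecryptTripleDES("2yXIKDKfQXwEmvODFkDJAQ==", '
          'Conversions.ToString(&H3AD7F3A9))')

if __name__ == "__main__":
    print(fold_constant_keys(SAMPLE))
```
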

  2. Post #2
    Person
    geel9's Avatar
    June 2008
    9,136 Posts
    > So I've been whaling keyloggers since 2 days ago and I must say it is fun as hell. I've already gotten a few scriptkiddies that encrypted with TripleDES but left the key out in the open in plaintext, however I'm trying to do some more advanced ones and I'm stuck. There are very few guides and tutorials on this subject and most of them are only talking basics.
    >
    > So I was hoping if someone with VB .Net knowledge here could help me out with a problem.
    > I'm stuck on this "Me.keyz = Form1.DecryptTripleDES("2yXIKDKfQXwEmvODFkDJAQ==", Conversions.ToString(&H3AD7F3A9))"
    >
    > This is obviously the key to decrypt it all, but I have no idea what "Conversions.ToString(&H3AD7F3A9))" does or how to interpret it.
    >
    > Clicking on "Form1.DecryptTripleDES" shows a simple encrypter http://pastebin.com/1wuQGhWf like on almost all encrypters I've found.
    >
    > Can someone point me in the right direction?
    Stick the code into an empty project and see what you get.

  3. Post #3
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    So I made this quickly and shit doesn't work, yet has all the required code

    http://pastebin.com/SDqi1Gvd

  4. Post #4
    -Ana's Avatar
    July 2009
    953 Posts
    DecryptTripleDES("2yXIKDKfQXwEmvODFkDJAQ==", Convert.ToString(&H3AD7F3A9))

    gives back 123456789

  5. Post #5
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    > DecryptTripleDES("2yXIKDKfQXwEmvODFkDJAQ==", Convert.ToString(&H3AD7F3A9))
    >
    > gives back 123456789
    wait what? How did you get to that number?

  6. Post #6
    Dennab
    July 2009
    12,246 Posts
    By running it probably.

  7. Post #7
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    Ana, could you explain to me how you do it? I have no clue where to start.

    also I ran 123456789 in my 3DES decryptor as the key and it doesn't work. :(

  8. Post #8
    -Ana's Avatar
    July 2009
    953 Posts

  9. Post #9
    Crescent fresh
    Perl's Avatar
    January 2011
    1,343 Posts
    I just copied the decryption function and ran it.



    Edited:

    but this is from another logger :P

  10. Post #10
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    > I just copied the decryption function and ran it.
    >
    > Edited:
    >
    > but this is from another logger :P
    Won't work because you are using System.Net as key

    Edited:

    Dear fucking lord, thank you so much!
    10k phished runescape logs was the result, but the knowledge to decrypt these is fucking priceless.

    Love you man

  11. Post #11
    Gold Member
    Alternative Account's Avatar
    February 2009
    217 Posts
    If the keylogger sends its logs via E-Mail, don't forget to hijack the receiving and/or sending E-Mail account if the credentials are stored in the application.
    Change the password, change the security question, delete the account.
    This'll prevent the further collection of logs of all installed keyloggers by the phisher.

  12. Post #12
    Gold Member
    BackwardSpy's Avatar
    May 2008
    6,521 Posts
    Just out of interest, where/how are you getting hold of these keyloggers? I want to play around with some of them :P

  13. Post #13
    Gold Member
    ZenX2's Avatar
    February 2009
    6,251 Posts
    Oh wow, I found a pastebin with at least a couple hundred of those ahfdojsdjfj== things a while ago.
    So, they're just keys?

  14. Post #14
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    > Oh wow, I found a pastebin with at least a couple hundred of those ahfdojsdjfj== things a while ago.
    > So, they're just keys?
    3DES encryption you need a key (a random word) to decrypt them.

    > Just out of interest, where/how are you getting hold of these keyloggers? I want to play around with some of them :P
    Go to youtube type in "runescape hack(or facebook, wow etc whatever you want) +mediafire -sharecash -tinyurl - -cod -mw3"

  15. Post #15
    Person
    geel9's Avatar
    June 2008
    9,136 Posts
    It's always so fun to whale.

  16. Post #16
    Gold Member
    gparent's Avatar
    January 2005
    3,944 Posts
    > 3DES encryption you need a key (a random word) to decrypt them.
    >
    > Go to youtube type in "runescape hack(or facebook, wow etc whatever you want) +mediafire -sharecash -tinyurl - -cod -mw3"
    Sweet Google Hacking there. Are a lot of these keyloggers really easy to reverse? I wonder what percentage is written by morons and what percentage is written by people with a clue.

  17. Post #17
    Gold Member
    Darwin226's Avatar
    January 2009
    5,177 Posts
    > Sweet Google Hacking there. Are a lot of these keyloggers really easy to reverse? I wonder what percentage is written by morons and what percentage is written by people with a clue.
    Found one that had the actual program in a resource, as an assembly, encrypted.
    I was about to dig through it since the decryption key is right there but unfortunately the code won't even run. Something about wrong padding.

    The code that gets the "real" assembly is obfuscated too so that doesn't make it any easier.
    I also like how he used Rijndael like it's going to make the whole thing more secure. With the key right there, you might as well just ROT13 the whole thing.

  18. Post #18
    Dennab
    July 2009
    12,246 Posts
    It's probably just to throw people off from trying to get it.

  19. Post #19
    Hates php
    high's Avatar
    May 2006
    2,377 Posts
    > 3DES encryption you need a key (a random word) to decrypt them.
    >
    > Go to youtube type in "runescape hack(or facebook, wow etc whatever you want) +mediafire -sharecash -tinyurl - -cod -mw3"
    I laughed at one of the descriptions

    Code:
    Hello, I'm a faggot. I did not encrypt my keylogger and a superior being took my account.
    My Username and Password are caseyboogaard@gmail.com :* 123angel123
    My phone number is +16162380428
    Please visit joowz.com it's my favorite website on the internet.

  20. Post #20
    Person
    geel9's Avatar
    June 2008
    9,136 Posts
    Most of these are just one standard keylogger that people use.

  21. Post #21
    Gold Member
    Hentie's Avatar
    May 2010
    2,154 Posts
    In elementary school, one of my friends downloaded a runescape gold generator and he asked me if it was a virus. The answer is pretty obvious. But the funny thing is, I didn't need to decompile anything, I just looked at the exe in notepad.

    I got an FTP server and a password (in plaintext) and a shitload of logs. I deleted the files and folders in the FTP server and disabled it, but I kept backups. The guy kept his entire source code on the server. If I can find it I can upload it for you guys, but this was years ago so I don't know if it still exists on my ancient computer.

  22. Post #22

    October 2010
    193 Posts
    This is so much fun. Decompiled one of those "Hacks". He is using a test email to send the passwords to his real one. I have the password to the test one and I'm going to send an "FBI" message to him from it

  23. Post #23
    Gold Member
    marcin1337's Avatar
    May 2006
    829 Posts
    > This is so much fun. Decompiled one of those "Hacks". He is using a test email to send the passwords to his real one. I have the password to the test one and I'm going to send an "FBI" message to him from it
    What's a good decompiler?

  24. Post #24

    October 2010
    193 Posts
    > What's a good decompiler?
    I use .NET Reflector. It's a 30 day trial though, but it works really well

  25. Post #25
    Gold Member
    marcin1337's Avatar
    May 2006
    829 Posts
    Code:
    [StandardModule]
    internal sealed class googleiscool
    {
        // Fields
        private static string supgoogleurcool;
    }
    what

  26. Post #26
    Simspelaaja's Avatar
    June 2008
    559 Posts
    I use ILSpy, it is free and open source.

    http://wiki.sharpdevelop.net/ilspy.ashx

  27. Post #27
    BBgamer720's Avatar
    November 2011
    462 Posts

    > Go to youtube type in "runescape hack(or facebook, wow etc whatever you want) +mediafire -sharecash -tinyurl - -cod -mw3"
    Not Sharecash. That site is fucking horrible. Have to complete a silly 'survey' offering you loads of scams. If you use fake information then it doesn't let you download (I haven't actually tried with real information because I'm not a dumb fuck, but I'm sure it would work).

  28. Post #28
    Gold Member
    BackwardSpy's Avatar
    May 2008
    6,521 Posts
    > Not Sharecash. That site is fucking horrible. Have to complete a silly 'survey' offering you loads of scams. If you use fake information then it doesn't let you download (I haven't actually tried with real information because I'm not a dumb fuck, but I'm sure it would work).
    ... which is why he's omitting it from the search.

  29. Post #29
    I made WAYWO a better place
    OldFusion's Avatar
    September 2011
    1,261 Posts
    A lot of botnet clients you can find on youtube are poorly encrypted and communicate with IRC servers,
    the way they work is they connect to a public IRC server/channel in a hidden channel,
    the owner goes to the same channel and activates the bots with a password, the password is packed in the executable.

    So the way you go about those is to just decrypt the password and connection info and then command the bots to update their core to your own version where you hex the connection info and such and the botnet is yours.

    Back in the days when bots were still worth something and IRC was a safe place to keep your bots, this was a rather easy way to make some money.

  30. Post #30
    BBgamer720's Avatar
    November 2011
    462 Posts
    > ... which is why he's omitting it from the search.
    God damn it. Didn't see that. My eyes have deceived me.

  31. Post #31
    Gold Member
    Phreebird's Avatar
    April 2009
    331 Posts


    Seems completely legit.

  32. Post #32
    Hates php
    high's Avatar
    May 2006
    2,377 Posts
    Some dumbass kid put his personal email/password into his keylogger.

    Code:
    Name: BILAL HJIOUAJ
    Date of Birth: 05/05/1994
    Email: mcmaster9911@gmail.com
    U.S. Citizen: Yes
    Permanent Address: <withheld>
    <withheld> TX 78660
    County: <withheld>

  33. Post #33
    Gold Member
    ZenX2's Avatar
    February 2009
    6,251 Posts
    I am so confused about why so many "hacks" and stuff are in visual basic.

  34. Post #34
    Exxon's Avatar
    January 2012
    325 Posts
    > I am so confused about why so many "hacks" and stuff are in visual basic.
    It's easy to do.

  35. Post #35
    ..............
    nekosune's Avatar
    February 2009
    1,705 Posts
    I found this in pastebin
    http://pastebin.com/AxyV7Mvm
    it actually contains a crypted assembly it decrypts, then runs.

    Edited:

    I now have a decrypted version of that Assembly. combing through it now

    Edited:

    it contained a crypted version of something that decrypts ANOTHER PE.
    I think I am down to the final layer now, seeing as this assembly is called: servernamewithoutexe

    Edited:

    and that seems to be a non .net executable sadly.

  36. Post #36
    dailydose
    Thugaim's Avatar
    May 2009
    766 Posts
    I just got a 30k views Guild Wars bot, I get an account every 1 to 3 hours that works.
    Easy way to packrat my main

  37. Post #37
    ..............
    nekosune's Avatar
    February 2009
    1,705 Posts
    well, it seems they have found a way to block reflector.

  38. Post #38
    Person
    geel9's Avatar
    June 2008
    9,136 Posts
    > I just got a 30k views Guild Wars bot, I get an account every 1 to 3 hours that works.
    > Easy way to packrat my main
    This is a felony.

    Every person is a felony.

  39. Post #39
    Gold Member
    Phreebird's Avatar
    April 2009
    331 Posts
    > I just got a 30k views Guild Wars bot, I get an account every 1 to 3 hours that works.
    > Easy way to packrat my main
    So you're taking the accounts that the keyloggers get?

  40. Post #40
    ..............
    nekosune's Avatar
    February 2009
    1,705 Posts
    This guy is clever, used variable names of odd characters.

    Edited:

    Well I hit a snag here, it uploads everything to a website, not IRC.