What is a stealer and how to work with it
<blockquote data-quote="Ghosthunter" data-source="post: 550" data-attributes="member: 6"><p>You can briefly describe the functionality of the code as follows: we create a new exception handler and place it at 13147C62. Code emulators that are unable to properly determine the program execution logic assume that after the infinite recursion at address 13147C58, control will be transferred to the next instruction (JMP pinch_pa.13145555), as a result of which they direct further investigation of the code execution logic along the wrong path. In fact, the stack overflows, an exception is thrown, and the program continues its work safely. By doing this, we are eliminating four more antivirus programs (only 27 out of 43 utilities managed to do the job and recognize malicious code).</p>
<p>So, we sent almost half of the antivirus programs for a walk through the forest – what's next? Now we will deal with more sophisticated ways of anti-debugging and the simplest anti-emulation.</p>
<p>It may seem to many that the above is already enough to successfully distribute Trojans, because we have halved the chances of being detected. This is true, but we have cut out only the most wretched antivirus programs that do not meet the requirements of the time at all. In the course of experiments, I found out that powerful code emulation can also be handled, and quite easily!</p>
<p>To warm up, we will insert several small pieces of code into the experimental Pinch, which will "close the eyes" of several antivirus programs (and at the same time of many low-skilled reversers). At the address 13147C90, I placed a cryptor similar to the one described above, which encrypts the anti-debugging code we wrote (4Ch bytes, starting from the address 13147C30). You will find its code on Yandex.Disk, but the volume of the article does not allow me to give it here. Thus, we have hidden some details of our mechanism from some heuristic mechanisms, making it more difficult to work with because of the need for multi-stage unpacking.</p>
<p>Code:</p>
<pre>13147C90 - NEW OEP
length of code 4C
13147C30 - start of code
13147C7C - end of code

13147C90  60             PUSHAD
13147C91  B9 4C000000    MOV ECX,4C
13147C96  8B91 307C1413  MOV EDX,DWORD PTR DS:[ECX+13147C30]
13147C9C  83F2 54        XOR EDX,54
13147C9F  8991 307C1413  MOV DWORD PTR DS:[ECX+13147C30],EDX
13147CA5 ^E2 EF          LOOPD SHORT kadabra_.13147C96
13147CA7  61             POPAD
jmp 13147C30</pre>
<p>There is a very interesting technique that gives a very good effect and puts some debuggers and antivirus programs into a stupor. Its name is zeroing the entry point. Indeed, the situation when the PE header, located at zero offset relative to ImageBase, is simultaneously executable code looks completely implausible. However, it is more than possible. Open the debugged file in WinHex and look at the data bytes located at the very beginning of the file: 4D 5A 00 00 (yes, this is the letter signature "MZ" located at the beginning of the PE file!). Looking at the same PE header in the debugger (to do this, go to the address 13140000h), we will see the following picture:</p>
<p>Code:</p>
<pre>13140000  4D    DEC EBP
13140001  5A    POP EDX
13140002  0000  ADD BYTE PTR DS:[EAX],AL
13140004  0100  ADD DWORD PTR DS:[EAX],EAX
...
13140028  0000  ADD BYTE PTR DS:[EAX],AL</pre>
<p>It seems that the first two instructions are quite harmless and can be executed without the risk of "dropping" the program. Unfortunately, they are followed by only two null bytes, and we can't spoil the MZ header by writing an intersegment five-byte jump to the anti-debugging code. After thinking for half a minute, you can find the right solution. Take a look at 13140028. Here you can find much more than five zero bytes. An elephant is unlikely to fit here, but a long jump is quite enough! So, we proceed as follows: we change the zero bytes, starting from address 13140002, to the following instruction:</p>
<p>Code:</p>
<pre>13140002  EB 24  JMP SHORT 13140028</pre>
<p>and the bytes located at address 13140028 to the following code:</p>
<p>Code:</p>
<pre>13140028 -E9 637C0000  JMP 13147C90</pre>
<p>After completing these procedures, all that remains is to save the program, open it for editing in LordPE and reset the "EntryPoint" field. So, everything works, and two more antivirus programs have given up: now only 25 out of 43 find dangerous code in our test sample.</p>
<p>Studies have shown that Pinch contains four sections, two of which (.conf and .data) contain data that can be considered by antivirus programs as a constant and entered in the signature database. Therefore, you need to encrypt them as well.</p>
<p>To do this, we completely remove the rasterization code, replacing it in OllyDbg with zeros, and we see that our sample is still detected as Pinch! We conclude that either antivirus programs search through our code, or they check the image base. We try to change the ImageBase – and, indeed, we dismiss four more antivirus programs.</p>
<p>When I was preparing for this article, a lot of images, information and nostalgia popped up in my head, which I will tell you about today.</p>
<p>I'll start with a little of my story. 2-3 years ago my first purchased program was a stealer; I thought "you just need to buy a stealer and I'll hack everyone".</p>
<p>A week later, the first disappointment overtook me.</p>
<p>It turned out that buying "just a stealer" is not enough. By itself, the stealer is just a tool that will not bring any profit without a certain scheme (cycle) of work.</p>
<p>You need traffic to the stealer build, you need a crypt (mutation) of the file, since antivirus programs will not allow the victim to run your stealer, and so on.</p>
<p><strong>For myself, I made a conclusion at the same time:</strong></p>
<p>To get a profit, you need a cycle:</p>
<p>A good tool + a good crypt of the file + traffic + competent log processing = profit</p>
<p>If you remove any of the components of this scheme, you will not see a profit.</p>
<p>Over time, I tested many tools (stealers, clippers, botnets, warriors, HVNC, HRDP), learned how to encrypt my files myself, and learned how to process logs for various requests, but a new problem appeared - <strong>traffic</strong>.</p>
<p>First, you need to determine the logs of which CA (target audience) you want to see in your dashboard.</p>
<p>If carding, then these are the banks of USA-Europe, pp, Amazon-eBay. If it is crypto, then links of exchanges like Bittrex or ebit.</p>
<p>I tried almost ALL the methods of attracting traffic, and there are a lot of them, as it turned out.</p>
<p>There are a lot of them, and it took quite a long time to try them all; some of them no longer work, some of them have low efficiency, and some of them shoot very well.</p>
<p>In this article, I will discuss several effective methods for attracting traffic:</p>
<p>1) Install Exchanges (or PPI Affiliate Programs)</p>
<p>Straight installations - prices, and how to pour it yourself. $200 for 1000 installs</p></blockquote><p></p>
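<p>Editor's note, not part of the quoted post: the "zeroed entry point" trick above leaves a measurable trace in the PE header itself, because a legitimate linker never points AddressOfEntryPoint at offset 0 or anywhere else inside the headers. The script below is an added example, written here for triage and detection rather than taken from the post or from any tool it mentions. It parses the COFF and optional headers, maps the entry-point RVA to a section, and reports an entry point that is zero, lies inside the headers, falls outside every section, or lands in a section not marked executable. The sample PE images it checks are constructed in memory by the helper <code>build_min_pe</code> (the ImageBase value 0x13140000 is taken from the post; everything else is made up), so the example runs offline.</p>

```python
import struct

# IMAGE_SECTION_HEADER characteristics that mark a section as code / executable.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER layout


def check_entry_point(data: bytes) -> list:
    """Return a list of findings about AddressOfEntryPoint (empty if it looks normal)."""
    findings = []
    if data[:2] != b"MZ":
        return ["no MZ signature: not a PE file"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew: not a PE file"]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]

    if entry == 0:
        findings.append("AddressOfEntryPoint is 0: execution starts at the MZ header (zeroed entry point)")
    elif entry < size_of_headers:
        findings.append("AddressOfEntryPoint 0x%X lies inside the headers, not in a section" % entry)

    # Map the RVA to a section and confirm that section is marked executable.
    sec_off = opt + size_opt
    in_section = False
    for i in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, sec_off + i * 40)
        if va <= entry < va + max(vsize, rawsize):
            in_section = True
            if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                sname = name.rstrip(b"\0").decode("ascii", "replace")
                findings.append("entry point in section %s which is not marked executable" % sname)
    if not in_section and entry >= size_of_headers:
        findings.append("AddressOfEntryPoint 0x%X is outside every section" % entry)
    return findings


def build_min_pe(entry_point: int,
                 section_chars: int = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 image with one .text section.

    It exists only to exercise check_entry_point(); it is not a real program.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x13140000)               # ImageBase (value from the post)
    struct.pack_into("<I", opt, 32, 0x1000)                   # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                    # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                    # SizeOfHeaders
    sec = struct.pack(SECTION_HEADER, b".text", 0x1000, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, section_chars)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + b"\xC3" * 0x200      # padded headers + dummy code


if __name__ == "__main__":
    for label, image in [("normal entry", build_min_pe(0x1000)),
                         ("zeroed entry", build_min_pe(0)),
                         ("entry in DOS header", build_min_pe(0x28))]:
        print(label, "->", check_entry_point(image) or "OK")
```

<p>Run as a module it prints one line per constructed sample; in practice <code>check_entry_point</code> would be fed the bytes of files pulled from quarantine or a sandbox, and any non-empty result is a reason to look at the sample by hand. The check is deliberately header-only, so it costs nothing to run on every file and is not affected by the section encryption the post goes on to describe.</p>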