How to decrypt phishers - Support Forums (https://www.supportforums.net)
How to decrypt phishers - Acekidd01 - 10-09-2009

Hello mates, today I'm going to show you how to decrypt a phisher to get out their information and stop them for good. This process is called Reverse Engineering.

Now first you need to download a good disassembler like:

You also need to download Sandboxie from here.

After you are done downloading the disassembler, let's get started.

First you need to find a phisher of course. Here is an example of a video I found on YouTube; it talks about how this program can change "stats" in the game RuneScape:

Now that we have our phisher, let's run it in Sandboxie to see if it is a real phisher or maybe a keylogger o_0.

So in this image there is nothing unusual, just a simple phisher with an FTP function in the program, or a mail system.

Now we use String Stealer to break down the program. It should be something like this.

Now to open the file in String Stealer go to:
Menu> Load Assambler> phisher.exe {This should be the phisher}

Now it should look something like this:

Now most likely you will find the email and password in Form1> Button1_Click:

Bingo, we hit the jackpot: we found the email and password of the phisher's owner.

After you do this I would recommend deleting everything/changing the password/or even deleting the email of the phisher's owner because he deserves it.

==============================================================================================================
Tools you need (optional)
==============================================================================================================
Feedback and opinions are accepted
==============================================================================================================
Credits
I wrote this tutorial, but I also give some credit to Qkyrie, who taught me how to do this.

RE: How to decrypt phishers - Michael - 10-09-2009

Nice little white hat tutorial. However, I don't think it belongs in this thread.

RE: How to decrypt phishers - Acekidd01 - 10-09-2009

Not sure where I was going to put it, and because there is no white hat section I thought the Virus Infection and Computer Security should be the right section.

RE: How to decrypt phishers - juan9087 - 10-09-2009

Wow, this owns. I suppose I will go do it right now lol

RE: How to decrypt phishers - Acekidd01 - 10-09-2009

Just be careful, and some phishers have gotten more complicated, so you need to look at everything in the String Stealer. Good luck.

RE: How to decrypt phishers - Acekidd01 - 10-09-2009

Yeah, I was making sure I didn't violate any rules from SF.

RE: How to decrypt phishers - Michael - 10-09-2009

(10-09-2009, 01:39 PM) PaNiK Wrote: Where do you think it should be?

I don't know, there isn't really any white hat section, lol.

RE: How to decrypt phishers - brett7 - 10-09-2009

Nice, although I have seen this somewhere else. If strings are encrypted you can always use a packet sniffer.

RE: How to decrypt phishers - Lazydude2000 - 10-09-2009

Very nice, I didn't know you could decrypt phishers O.o

RE: How to decrypt phishers - Monoxide - 10-09-2009

ALWAYS make sure you sandbox the YouTube stuff, which is always loaded with goodies.
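Added example, not part of the original thread or written by any of its posters: the string inspection described in the first post, done as static triage in Python without running the sample. It reads both ASCII and UTF-16LE runs (.NET assemblies store string literals as UTF-16) and flags mail addresses and mail/FTP hostnames as indicators to record. The function names, the regular expressions and the sample bytes are all constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest printable run worth inspecting

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each byte followed by 0x00), which is how .NET keeps string literals.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed indicator patterns: where a phisher would send what it collects.
INDICATORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "mail_or_ftp_host": re.compile(
        r"\b(?:smtp|mail|ftp)\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", re.I),
}

def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_indicators(data: bytes):
    """Return sorted (kind, value, offset) tuples for endpoint-like strings."""
    hits = set()
    for offset, _encoding, text in extract_strings(data):
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                hits.add((kind, m.group(), offset))
    return sorted(hits)

# Constructed sample bytes standing in for a suspicious executable.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "smtp.mail.example".encode("utf-16le") + b"\x00\x00"
    + "collector@example.com".encode("utf-16le") + b"\x00\x00"
    + b"\x01\x02Button1_Click\x00"
    + b"ftp.drop.example.net\x00"
)

if __name__ == "__main__":
    for kind, value, offset in find_indicators(SAMPLE):
        print(f"{offset:#06x}  {kind:<17} {value}")
```

An empty result does not clear a sample: as brett7 notes, the strings may be encrypted, in which case nothing readable is present in the file to match.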