Support Forums

Full Version: How to decrypt phishers
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4 5 6 7 8
Hello mates today I'm going to show you how to decrypt phisher to get out their information and stop them for good. This process is called Reverse Engineering.

Now first you need to download a good disassembler like:


Also need to download Sandboxie from here

After you done downloading the disassembler let's get start it Smile.


First you need to find a phisher of course, here is an example of a video I found in youtube it talks about how this program can change "stats" from the game runescape.:
[Image: Tutorial.jpg]

Now that we have our phisher lets run it sandboxie to see if is a real phisher or maybe a keylogger o_0.

[Image: Tutorial1.jpg]

So in this image nothing unusual just a simple phisher an ftp function in the program, or mailsystem.

Now we use String Stealer to break down the program


It should be something like this.
[Image: tutorial3.jpg]

Now to open the file in String Stealer go to:
Menu> Load Assambler> phisher.exe{This should be the phisher}
Now it should look something like this:
[Image: tutorial2.jpg]

Now most likely that you will find the email and password should be in
Form1> Button1_Click:
[Image: tutorial4-1-1.jpg]

Bingo we hit the jackpot we found the email and password of the phiser's owner. After you do this I will recommend to delete everything/change password/or even delete the email of the phisher's owner because he deserves it.
==============================================================================================================
Tools you need (an optional)

  • Red Gate's Reflector:
    This is a good Decompiler it can show you the code of the classes and methods, and how everything relates (optional):
    News about the .NET Reflector here

  • String Stealer:
    Basic dissassembler will be using during this tutorial

  • Sandboxie
    Really important you will use this to test the phishers

  • BinText:
    Optional (thanks to Elektrisk)

==============================================================================================================

Feedbacks opinions are accepted


==============================================================================================================
Credits


I wrote this tutorial, but I also give some credits to Qkyrie who taught me how to do this.
Nice little white hat tutorial. However I don't think it belongs in this thread.
Not sure where I was going to put it, and because there is no white hat section I thought the Virus Infection and Computer Security should be the right section.
wow this owns i suppose i will go do it right now lol
Just be careful and some phisher has got more complicated so you need to look to everything in the string stealer.

Good Luck Thumbsup
Yea I was making sure I didn't violate any rules from SF Smile
(10-09-2009, 01:39 PM)PaNiK Wrote: [ -> ]Where do you think it should be?

Good write up, btw. I got a sneak-peak at this Big Grin
I don't know, there isn't really any white hat section,lol.
nice although i have seen this some where else, if strings are encrypted you can always use a packet sniffer
Very nice, i didn't know you could decrypt phishers O.o
ALWAYS make sure you sandbox the youtube stuff, which is always loaded with goodies.
Pages: 1 2 3 4 5 6 7 8