______________________________________________________________ | | | Save your fingers - get your fake names from the i-net |# | »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» |# | |# | by DiA/rrlf (c)2005 |# | www.vx-dia.de.vu :: DiA_hates_machine@gmx.de |# |______________________________________________________________|# ############################################################### _Overview___________________________________ | | | 1_Intro |# | 2_How to do? |# | 3_Gimme a code, please! |# | 4_Outro |# |____________________________________________|# ############################################# .Disclaimer »»»»»»»»»» The author of this article is NOT responsible for possible damages in case of informations you getting here. You do your own things with your own risk, please don't do anything stupid for your own security. This document is for educational purpose only. If you do NOT agree this, please close this for your own pleasure! .1_Intro »»»»»»» Maybe you know this situation, you write a pretty good massmailer, i-net or P2P worm and you need some ideas for the fake names. You are sick seeing names like "Damn_Fine_Porn.mpg .exe" or "Photoshop Crack working!.exe". So what to do? Get some inspiration from the internet, go to some warez/crackz sites and copy and paste some real crack names including application name, exact version number and maybe the author of the crack. Looking a bit realer then "Micr0soft all products keygen.exe", huh?! You wanna do some good stuff, including many names... you are now copy and paste your name number 34, stupid work, no? At this point I ask you, why do you copy and paste a already existing huge database of names? Just write a simple but effective code and get thousends of names at runtime :). So read on and see how easy it is... .2_How to do? »»»»»»»»»»»» OK, what we need for this tutorial is a internet connection. Without it will not work of course. Now save this file - http://crack.ms/cracks/a_1.shtml - local as - fakenames.txt -. Take a look, at the head of this file you see some uninteressting stuff, like popup scripts, meta tags and links. But if you go to the end of this file you see a huge list of the crack names. Thats what we want. Let's pick out one link including the name that we want to extract: <a href="crack.ms?id=19003" target=_blank>ABCalculator 1.1.0 by DBC</a> And one more: <a href="crack.ms?id=1882535" target=_blank>Aare CD Ripper v3.2 by HTBTeam</a> Fine, now when you have a look you will fast see that every name is between (dword - 4 bytes) "ank>" and "</a>". So we have to find "ank>" and we have the start of the name. Byte by byte we search for the end "</a>" and so we have the length of the name. We know the start of the name and the length, sweet, we can extract it ;). With this method we can do so name by name, until we are at the end of the file. Remember that this is only a example, there are more then 1.000.000 crackz/ warez/serialz sites on the internet, you only have to know how the structure of the HTML files they use is. Let's do a little to-do list for our example application: 1. Make a random valid URL (eg w_2.shtml) 2. Download this file 3. Open the file 4. Get the file size 5. If it's not big enough goto 1. 6. Free enough memory 7. Read whole content in memory 8. Close File 9. Find start of next fake name "ank>" 10. Find end of next fake name "</a>" 11. Extract fake name 12. What you wanna do with this name (in example log in a .htm file) 13. If end of file goto 15. 14. Jump to 9. 15. Exit If it sounds hard to do for you, then the only reason for this is my shitty english ;D. Just take a look at the small code, and you will see that it is pretty easy to do. .3_Gimme a code, please! »»»»»»»»»»»»»»»»»»»»»»» ;-----ExtractNames.asm-----cut-----start--------------------------------------------- include "%fasminc%\win32ax.inc" ;equates ExtractNames: call MakeURL ;make a random url (a-z,1-9) invoke URLDownloadToFile,\ ;download it baby 0,\ ;no activeX required FakeNamesURL,\ ;download this file FakeNamesFile,\ ;save local to this file 0,\ ;reserved 0 ;no interface cmp eax, 0 ;error if it is not null jne ExtractNames ;then make new URL and download again WaitForDownload: invoke CreateFile,\ ;open downloaded file FakeNamesFile,\ ;open this file (in current folder) GENERIC_READ,\ ;only need read access FILE_SHARE_READ,\ ;---""--- 0,\ ;dont need security attributes OPEN_EXISTING,\ ;we want to open the file FILE_ATTRIBUTE_NORMAL,\ ;normal attributes 0 ;no template file cmp eax, INVALID_HANDLE_VALUE ;if error then the download is not finished je WaitForDownload ;try to open again mov dword [FileHandle], eax ;save file handle invoke GetFileSize,\ ;get file size of downloaded file dword [FileHandle],\ ;via file handle 0 ;just get low size mov dword [FileSize], eax ;save file size cmp eax, 7000d ;if its <7000 bytes, then its the error page from crack.ms ja GetMemory ;if not go to get memory invoke CloseHandle,\ ;close handle dword [FileHandle] ;to delete it invoke DeleteFile,\ ;delete invalid fake names file FakeNamesFile ;delete this jmp ExtractNames ;repeat all GetMemory: invoke GlobalAlloc,\ ;get enough memory GMEM_MOVEABLE,\ ;allocation attribute, moveable dword [FileSize] ;that mich memory we need mov dword [MemHandle], eax ;save handle invoke GlobalLock,\ ;get memory start dword [MemHandle] ;via handle mov dword [MemStart], eax ;save start invoke ReadFile,\ ;read whole content from file dword [FileHandle],\ ;open file, handle dword [MemStart],\ ;buffer start dword [FileSize],\ ;read that much BytesRW,\ ;bytes read 0 ;no overlapped structure invoke CloseHandle,\ ;we can close the file dword [FileHandle] ;via handle ;***only for this example*** invoke CreateFile,\ ;make the output file OutputFile,\ ;file name GENERIC_WRITE,\ ;with write access FILE_SHARE_WRITE,\ ;---""--- 0,\ ;no security CREATE_ALWAYS,\ ;create it FILE_ATTRIBUTE_NORMAL,\ ;normal attributes 0 ;no temp file mov dword [FileHandle], eax ;save handle ;***only for this example*** mov ebx, dword [MemStart] ;get memory start in ebx add ebx, 3667d ;go over the file header (scripts, meta, links...) ;(keep in mind that this is the structure ; of files on crack.ms, if you use another site ; the structure is different!) push ebx ;save to stack FindMoreNames: pop ebx ;get file position from stack xor ecx, ecx ;set name length counter to null GetStartOfName: cmp dword [ebx], "</bo" ;end of html file (you know </body></html>) je FindNamesEnd ;then goto end cmp dword [ebx], "ank>" ;start of fake name? je GetEndOfName ;if so then get end of name inc ebx ;search next byte jmp GetStartOfName ;go get it dude GetEndOfName: cmp dword [ebx], "</a>" ;end of fake name? je ExtractName ;if so then extract the name inc ecx ;to get fake name length inc ebx ;next place jmp GetEndOfName ;search it ExtractName: push ebx ;save current position in file sub ebx, ecx ;go to the start of string add ebx, 4d ;go after "ank>" sub ecx, 4d ;delete that "</a>" push ecx ;save length of name mov esi, ebx ;source mov edi, FakeName ;destination rep movsb ;copy the whole name to FakeName mov dword [edi], 0 ;clear all after ;**************************************** ;**************************************** ; at this point you can do whatever you want ; with the fake file name! pointer to fake name ; is "FakeName"... ;**************************************** ;**************************************** ;***only for this example*** pop ecx ;get length of name invoke WriteFile,\ ;write the fake name to file dword [FileHandle],\ ;via handle FakeName,\ ;write this ecx,\ ;length of fake name BytesRW,\ ;bytes written 0 ;overlapped, fuck off invoke WriteFile,\ ;write <br> to the file dword [FileHandle],\ ;via handle Break,\ ;write <br> 4,\ ;length BytesRW,\ ;bytes written 0 ;overlapped, fuck off ;***only for this example*** jmp FindMoreNames ;go get next name FindNamesEnd: ;***only for this example*** invoke CloseHandle,\ ;close output file dword [FileHandle] ;via handle ;***only for this example*** invoke GlobalUnlock,\ ;unlock memory dword [MemHandle] ;handle invoke GlobalFree,\ ;free it! dword [MemHandle] ;via handle invoke DeleteFile,\ ;delete downloaded file FakeNamesFile ;this invoke MessageBox,\ ;show a msgbox that it's done 0,\ "fake names extracting done",\ FakeNamesURL,\ 0 invoke ExitProcess,\ 0 ;end my friend MakeURL: ;procedure invoke GetTickCount ;we only want random stuff in al CharMakeValid: cmp al, 97d ;if its under "a" jb CharAdd ;then add some stuff cmp al, 122d ;if its above "z" ja CharSub ;then sub some stuff jmp CharIsValid ;kewl, now its valid CharAdd: add al, 18d ;add 18 and see if its now valid jmp CharMakeValid ;check it CharSub: sub al, 18d ;sub 18 jmp CharMakeValid ;now a valid character? CharIsValid: mov edi, FakeNamesURL ;pointer to url add edi, 23d ;go to the end of the string stosb ;save char at end (eg http://crack.ms/cracks/m) invoke GetTickCount ;get al again DigitMakeValid: cmp al, 49d ;if its under "1" jb DigitAdd ;the add somethin cmp al, 57d ;if its above "9" ja DigitSub ;then subtract it jmp DigitIsValid ;make whole name DigitAdd: add al, 3d ;add 3 jmp DigitMakeValid ;check if its now valid DigitSub: sub al, 3d ;sub 3 jmp DigitMakeValid ;chek if it is valid now DigitIsValid: mov byte [edi], "_" ;eg http://crack.ms/cracks/m_ inc edi ;go behind the "_" stosb ;save digit (eg http://crack.ms/cracks/m_2) mov dword [edi], ".sht" ; http://crack.ms/cracks/m_2.sht mov dword [edi + 4], "ml" ; http://crack.ms/cracks/m_2.shtml ret ;return to call Datas: FakeNamesURL db "http://crack.ms/cracks/",0 ;site to download file from rb 10d ;space for file name (random) FakeNamesFile db "fake.names",0 ;filename to save FileHandle dd ? ;file handle to save FileSize dd ? ;file size to get enough memory MemHandle dd ? ;handle for allocate memory MemStart dd ? ;start of memory BytesRW dd ? ;number of bytes read/write OutputFile db "FakeNames.htm",0 ;save here the names FakeName rb 100d ;save here the fake name Break db "<br>",0 ;just to make a break Imports: data import ;import all needed api's library kernel32, "KERNEL32.DLL",\ user32, "USER32.DLL",\ urlmon, "URLMON.DLL" import kernel32,\ CreateFile, "CreateFileA",\ GlobalAlloc, "GlobalAlloc",\ GlobalLock, "GlobalLock",\ ReadFile, "ReadFile",\ GetFileSize, "GetFileSize",\ CloseHandle, "CloseHandle",\ GlobalUnlock, "GlobalUnlock",\ GlobalFree, "GlobalFree",\ WriteFile, "WriteFile",\ DeleteFile, "DeleteFileA",\ GetTickCount, "GetTickCount",\ ExitProcess, "ExitProcess" import user32,\ MessageBox, "MessageBoxA" import urlmon,\ URLDownloadToFile, "URLDownloadToFileA" end data ;-----ExtractNames.asm-----cut-----end----------------------------------------------- .4_Outro »»»»»»» Funny, no? That small code and that much names ;). But keep in mind that this is only a basic example. For advanced usage you need, for example, to check if there is an internet connection or not. Also you don't need to extract only fake names for your worms. What's about subject's or body's? Maybe a report from a AV site about a new dangerous worm in the wild, and you send the cleaning program?! Or what about newsgroups and there post's. It's now in your hand to find usefull sites for your fake names, fake subjects and fake bodys. Be creative ;), have a nice day and happy coding! DiA/rrlf :: 08.02.2005