Cronz TPPK


2 replies to this topic

#1 Nomad

Nomad
  • Deticated Member
  • 181 posts

Posted 16 July 2006 - 07:40 AM

I just got done decompiling this AutoIt program for someone who said they lost their source code and only had the .exe.  I told them they had to verify it was their source by answering a few questions that only the author would really know, or someone else who's viewed the source directly.  It was definitely their code.  I gave them my word that if they proved it was theirs I would give them the source back without altering it and without disclosing it... so I did.

Now without breaking that deal, I want to warn anyone I can.  This script is listed as being a TPPK program, and my virus scanner did not flag it.  What this script really does is this:

1) Gets a file here --> http://www.cronz.com..._cfa12eb43d.exe (do not download this!!!)
See the edit at the bottom of the page about this file.

2) Saves it here --> C:\Program Files\Diablo II\temp.exe

3) Runs C:\Program Files\Diablo II\Diablo II.exe

4) Logs every keystroke you make and saves them to a .txt file here --> C:\WINDOWS\log\pw.txt

5) Uses _FTP functions to send this information to a specified server address.

6) All while pretending to be functioning exactly as you might expect it to, making you feel like a fool when you find out your account was jacked.

There are a few other things this does, but that about sums it up.  I really didn't want to give him his source, but I made a deal.  He probably needed the source because he had to change his FTP server because they shut him down or something, who knows.

Just be wary of where you get any of your hacks.  A lot of AutoIt programs like this are not showing up on virus scanners.  They can also do all of this while performing the functions you are expecting it to, and without you even knowing.  This script wasn't the best I've seen (like he automatically assumes everyone has D2 at C:\Program Files\Diablo II instead of using the registry to find it automatically) but it was good enough that it would've had me fooled if I didn't look at the source before running it.

Not much else to say, just be cautious.  He is probably going to change the name of the script or something since I decompiled it for him.  So it will likely be recirculated under a different prefix.

Nomad :hunter:

Edit: The file that the script downloads was written in another language.  I can't view the source and I'm sure as hell not running it.  So I have no idea what it does.

Edit: I also just had a well drawn out argument at the AutoIt forums about this.  I shouldn't have let it get to the point it did, but I did.  It seems that a few people were upset that I gave him his source code back after I realized it was malware (one person in general).  A few others said they supported my decision to honor my word and about the fact that I was honest about telling everyone what happened.  I stand behind my decision.  This script was one of hundreds out there, and I was completely honest about the entire situation.  I made a mistake by not stipulating that if it was malware, the deal was off.  All I can do is learn from my mistake and not let it happen again.  Just some info about that in case any of you saw the "discussion" since it was pretty much the hot topic of the day.  Nomad :hunter:

Edited by Nomad, 18 July 2006 - 12:35 AM.
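
For readers who want to check a machine for the two files named in the post above, here is an added example; it is not part of the thread and is not the decompiled script. The function names and the `SCAN_ROOT` environment variable are assumptions made for this example; only the two file paths come from the post.

```python
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path

# Paths taken from the post, relative to the system drive. The post says the
# script hard-codes the Diablo II folder, so these locations do not vary.
ARTIFACTS = {
    "downloaded payload": ("Program Files", "Diablo II", "temp.exe"),
    "keystroke log": ("WINDOWS", "log", "pw.txt"),
}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_host(drive_root="C:\\"):
    """Return one finding per artifact from the post that exists under drive_root."""
    findings = []
    for label, parts in ARTIFACTS.items():
        path = Path(drive_root).joinpath(*parts)
        if not path.is_file():
            continue
        info = path.stat()
        findings.append({
            "artifact": label,
            "path": str(path),
            "size": info.st_size,
            "modified_utc": datetime.fromtimestamp(info.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(path),  # the file is only read, never executed
        })
    return findings


if __name__ == "__main__":
    # SCAN_ROOT is a hypothetical variable: set it to a mount point to
    # examine a disk image offline instead of the live C:\ drive.
    root = os.environ.get("SCAN_ROOT", "C:\\")
    results = check_host(root)
    for f in results:
        print(f"[!] {f['artifact']}: {f['path']} ({f['size']} bytes, "
              f"modified {f['modified_utc']}, sha256 {f['sha256']})")
    if not results:
        print("No artifacts from the post found under", root)
```

An empty result only covers these two paths; the post notes that the script does a few other things as well.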


#2 OTG_Whip

OTG_Whip
  • Members
  • 5 posts

Posted 22 July 2006 - 02:42 AM

You Gave Your Word Nomad.........Right or Wrong........You Gave Your Word.......You Have To Stand By Your Word, Right Or Wrong........ End Of Story.

Edited by OTG_Whip, 22 July 2006 - 02:43 AM.


#3 Nomad

Nomad
  • Deticated Member
  • 181 posts

Posted 22 July 2006 - 06:32 PM

OTG_Whip, on Jul 22 2006, 01:42 AM, said:

You Gave Your Word Nomad.........Right or Wrong........You Gave Your Word.......You Have To Stand By Your Word, Right Or Wrong........ End Of Story.
Thanks for the support, that's how I feel about it.

I'm only posting this to warn people about the hack, in case they've downloaded it or might potentially download it.  I really don't want to get another heated topic going about whether or not I should've kept my word (I had enough of that from the AutoIt forums).  There are mixed views on this decision, and neither view is really wrong.  Which is why it's so controversial.

I made my decision and I am not ashamed of it.  I agreed to do something without knowing enough about it, that was my mistake.  That doesn't make it alright to back out of an agreement though.  That is the code of honor I try to live by.  That's a righteous view according to some, and it's not according to others.

I'd appreciate it if the discussion about my decision would end here.  Nobody is going to change my views, and any debate is going to end with hurt feelings.  This is a friendly community, and I don't want it to become unfriendly.  This was not directed at you OTG_Whip, it was directed at all future posts.

Thanks for listening,

Nomad :hunter: