  1. #1
    Woodhouse's Avatar

    How To Manually Decompile A Key Stealer

    This is only going to work if the keystealer is coded in VB or C#. Most of them are. As far as if it's coded in any other C-based language, then it will take a lot more work. Mainly being that there is no program that fully and nicely decompiles C-based programs. Your best bet is IDA Pro and even then you'll have to do some "manual labor".
    Requirements:
    • A .NET decompiler. I'm using .NET Reflector 8 Pro in this tutorial; however, I do prefer SAE
    • A Free YouTube DayZ Hack (Key Stealer) or any other program you find suspicious that's coded in Visual Basic or C# (or any supported language)


    Step 1. Open up the assembly in your decompiler



    Step 2. Expand the assembly till you get to this point



    Step 3. Expand the 2nd curly bracket selection. It might not always be named "Windows Application 1" but you should recognize that it will usually be the 2nd curly bracket or 3rd general selection down. Continue to expand till your screen looks like mine.



    Step 4. This is clearly a keystealer. You'll see strings like "SetKey" and "GetKey" referring to taking and resetting your registry key to a bogus one. This one in particular set your registry to 00000000000000000000 (I know I missed a few zeros) as you can see from "key.SetValue("Key",...)."



    Step 5. The website or email where the keys are sent to can usually be found within the "Forum1_Button1" selection. I don't actual stealer website is just before the php website extension. You can't simply type the URL to get the keys. You'd have to know your way around that. You can also hit "F3" to do a quick search. Hit Ctrl + S to search for a string. Then type "http". It should bring up the website fairly quickly.



    It took me a while to find this standard stealer. It's not always going to look like this. A lot of them are obfuscated which would require you to dump and clean the executable. Some of them are confused with Confuser 1.9, in which you would have to manually unpack it. It's not hard, I just don't feel like making a tutorial on it :P. .NET decompilers are fairly easy to use so even if you get one that doesn't look the same as the one presented here, you should be able to find what you are looking for.

    If you don't feel like going through all of that, you can simply:

    Step 1. Right click on the assembly you loaded and hit Analyze.



    Step 2. Expand until your screen looks like mine. Path of expansion is Depends On\mscorlib. As you can see, even though the executable was Confused, you're still able to see the dependencies of the program which have to deal with your registry.




    As far as getting into the user account of the stealer site or the email where the keys are sent to, you can either brute force their account if you have their username or email address or get Sandboxie, a process freezer and a packet sniffer. I'm not really at liberty to teach everyone how to do this for obvious reasons. I haven't even tried doing it myself (packet sniffer method). If I have some spare time I might try it out.

    FAQ:

    Why not just use Master's Key Stealer Checker?
    • You'll probably feel more accomplished doing it on your own.
    • You can actually look through the assembly and see how the stealer works.
    • You can see where the keys are directed to.


    How can I make a keystealer using this?
    • Reverse engineering using strictly the assembly is pretty hard. Even if you do know what you're doing. I suggest reading up on reverse engineering.
    Last edited by chickeninabiskit; 06-26-2013 at 08:24 PM.
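
    The string search in Step 5 and the dependency check in the shortcut above can be approximated without a decompiler. The following is an added example, not part of the original post: a Python triage that pulls ASCII and UTF-16LE strings out of a file and reports registry API names and URLs. The sample bytes and the collector.example URL are constructed for illustration.

```python
import re

# Names the post points at: the stealer's own SetKey/GetKey methods and the
# .NET registry API (Microsoft.Win32.RegistryKey) they are built on.
REGISTRY_NAMES = ("Microsoft.Win32", "RegistryKey", "OpenSubKey",
                  "SetValue", "GetValue", "SetKey", "GetKey")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_strings(data, min_len=4):
    """Printable runs stored as ASCII (metadata names) and UTF-16LE (literals)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in narrow]
            + [s.decode("utf-16-le") for s in wide])


def triage(data):
    """Report registry-related names and URLs found in a file's raw bytes."""
    strings = extract_strings(data)
    registry = sorted({n for n in REGISTRY_NAMES if any(n in s for s in strings)})
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    # Registry access together with an outbound URL is the combination the
    # post describes; either one alone is common in harmless programs.
    return {"registry_refs": registry, "urls": urls,
            "suspicious": bool(registry and urls)}


# Constructed sample, not a real binary: metadata-style names separated by
# NULs, followed by one UTF-16LE literal as a .NET string constant is stored.
SAMPLE = (
    b"\x00".join(n.encode("ascii") for n in (
        "Microsoft.Win32", "RegistryKey", "OpenSubKey", "SetValue",
        "GetKey", "SetKey", "WebClient"))
    + b"\x00\x00\x05"
    + "http://collector.example/submit.php".encode("utf-16-le")
    + b"\x01"
)

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(field, value)
```

    Strings shorter than four characters are skipped, and literals encrypted by an obfuscator will not show up as URLs; the framework type and method names usually still do, which is why the registry references remain a useful signal on their own.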


  3. #2
    Daelso's Avatar
    This needs to be stickied ASAP. Very helpful and should deter any of the idiots who try and post stealers here.


  5. #3
    KidoThe's Avatar
    Chicken, another great post. You still spelt biscuit wrong but this should definitely be stickied. @NormenJaydenFBI @Flengo


  7. #4
    Distraught's Avatar
    So this is what you have been working on all day. Good work.


  9. #5
    darkangel1's Avatar
    His Keystealer finder actually does work on obfuscated stuff, but this still deserves to be a sticky, :X


  11. #6
    Woodhouse's Avatar
    Quote Originally Posted by darkangel1 View Post
    His Keystealer finder actually does work on obfuscated stuff, but this still deserves to be a sticky, :X
    I stand corrected :P

    ---------- Post added at 03:51 PM ---------- Previous post was at 03:35 PM ----------

    It seems like this has become a free thank thread


  13. #7
    Flengo's Avatar
    Got my glue out.



  15. #8
    Arrxzon's Avatar
    good job
    thanks


  17. #9
    Vibrations's Avatar
    Not going to lie, but great post @chickeninabiskit
    I used to dislike you, but now I think I'm in love


  19. #10
    TornChewy's Avatar
    Good job! Congrats


  21. #11
    ultiamtehack's Avatar
    I lolled a bit hard. .NET reflector? What if it's not coded as a .NET program?

  22. #12
    Woodhouse's Avatar
    Quote Originally Posted by ultiamtehack View Post
    I lolled a bit hard. .NET reflector? What if it's not coded as a .NET program?
    Why would you laugh out loud? I already said that this wouldn't work for non-.NET modules but to be honest, I'd say about 97% (my rough estimate) of all keystealers are. Like I said, if it's not, then you'll be looking to use IDA Pro.

  23. #13
    Don Omar's Avatar
    Kinda feels like some copy pasta from something I read on hack forums.

  24. #14
    Woodhouse's Avatar
    Quote Originally Posted by Don Omar View Post
    Kinda feels like some copy pasta from something I read on hack forums.
    Nope. Definitely not. 100% me. Didn't even know there was a DayZ section and/or keystealers being posted there. To be honest, I can't even remember my password. Feel free to pm me the link.

  25. #15
    Don Omar's Avatar
    Quote Originally Posted by chickeninabiskit View Post
    Nope. Definitely not. 100% me. Didn't even know there was a DayZ section and/or keystealers being posted there. To be honest, I can't even remember my password. Feel free to pm me the link.
    Looked it up, it wasn't related to DayZ and hadn't been bumped in a while. It was in their whaling section, and was dealing with RS accounts and whatnot.

    Edit: SAE is pretty nice as well.
    Last edited by Don Omar; 03-04-2013 at 09:17 PM.
