Thursday, November 3, 2011

Cracking The Fake Gmail Password Hacking Software - So you think you are an Hacker??


Hello friends. Going really busy these days but I had to find out time to write about this post as there are really smart people who believe that they can hack Gmail accounts by using a tool. Well the truth is they can hack, but there is a second phase of the tool as well.

 This tool is called "Gmail Hacker" and you can find a very very detailed (yet stupid) tutorial here.


A quick detail about the tool - The tool asks you to enter your Gmail Id and password and then it creates another binder which you have to mail to your friend telling him that its a Gmail account hacker. The tool will ask your friend to enter his details correctly in order to receive the hacked password through email. Once he enters his details an error appears and nothing happens. On your part you will receive the password of your friend in your email id (as claimed by the super intelligent author of article linked above).

Well it sounds quiet funny to me. Why? Consider I am a notorious hacker and I designed this tool. So will I drop the opportunity to hack 2 accounts by using the effort of someone else??I dont think so.

If you use this tool and make your friend fool to somehow use the binder then what exactly happens?? In turn the creator of this tool fools both of you together. Now that's called SOCIAL ENGINEERING.

Well the tutorial explains the use of social engineering that you can implement to hack your friends gmail account but the real social engineering behind the tool is still unknown. The designer of this software ( Anon code named "Q") is inturn getting the email address and password of you and your friend whom you want to target. So you really think you can do social engineering being a script kiddie? Well think again because there is an even smarter social engineering acting on your head. The tool compromises both you and your friends security. Even if you craft a fake account(referring to the very very detailed tutorial linked above) but still if your friend enters his correct details, the coder of this tool gets an original account.

Well I hope most of the things are clear in your mind about the tool. So lets d-assemble it to analyse it deeply.

What happens when you downlaod this tool and execute it? Antivirus flags it as a virus. Thats true, it is a malware(i will explain below how it is a malware). Let us analyse the instructions of the tool. Suppose you disable your antivirus and allow the software to run. What happens then? Look at the first few lines of the instructions.

The software immediately starts modifying the kernel and copies it in 13 different locations of the memory. The image maybe unclear. Click to zoom it. It also adds itself as the start up program by modifying the netapi32.dll file. This file is used to parse the tree structure of folders in your operating system. Once you open any folder, this tool auto starts in background. You can find the background process by going to the task manager. Whenever you will try to close netapi32.dll, it will start again once you click on any folder. This is the reason why it acts as a malware. I didnt go too much in detail as to what malicious activities this tool intends to perform on the user computer so cant talk about it. So now the tool is sitting hidden in your system, lets see what else it does. Its going to be really funny.
Let us dig deeper in the tool.
Scroll down more into the main thread of the program to analyse what it does further. You will find something similar to the one shown in figure.


Once it is done with copying it in the registry, it moves ahead to create the binder with the information you entered in it. Immediately the binder starts pushing values in the registers and also starts passing values in the registry. Once the binder generates the error. It will ask you to click ok. But the real trick is that it actually asks the admin right to establish a random connection. Look at the figure below.


Now why the hell is this software trying to set up random connections? Ever tried analyzing a keygen? This is the same concept. It is trying to figure out a connection with the designer of this tool. You can analyse it by enabling the windows firewall again and adding break points at every random port listed in the instructions of this code. You will find that every time your firewall will prompt for a request to establishing a random connection.

Now if accessing values from the registries goes fine then the details are mailed to an unknown location. The location and other key details are in encrypted form so it cant be figured out from dasm. So you can see the smartness of the tool designer(real cracker) . What happens when the process of recovering values from registries fails ?  Check out the next figure.


The error will  produce some crap information about the error. Once you click ok, The instruction set immideately jumps to pop out all the information from registry and create data packets out of it. This can be very easily analysed by again adding break points after the error shown in figure and placing a code replace at every JMP and JE set of instructions.

Now coming down to the end of the main thread of this tool you will find lots of "Superfluous prefix" . What are they ?
These are basically used for code morphing in order to fool the debugger and confuse it so that it cannot read the encrypted software(google it for more info). This is a pure indication of a malicious activity. You will find hundreds of such instructions to hide the information from debuggers.


This last image shows how the addition of superfluous prefix prevents the decoding of the set of input and output locations and thus preventing the identity of the original coder of this tool. The first few lines actually try to set up an ESMTP/SMTP message to mail instructions to you which may  contain the info of your friend but the later instructions which are encrypted sends the info to the designer of this tool.
Again you can analyse the instructions by adding break points and then checking netstat -a command to see the open ports on your sytem that are used to send the instructions.

This tool has been really designed in a superb and secure manner. As I have already told you about the code name of the designer of this tool. You can Google it to find out who he is and it will tell you why the tool is so nicely coded.

I wrote this post to teach a lesson to those who claim themselves as hackers but they dont even realize the real meaning of it. Hacking doesnt mean to use a tool to break password. Hacking doesnt only mean how to hack gmail or facebook. The world of hacking is too big to learn. So be a learner , you will automatically become a known hacker. Be good, be true.

DARKLORD!!

5 comments:

  1. Thanks For the Info
    Really Helpful!!

    ReplyDelete
  2. nice tut.... thanx

    ReplyDelete
  3. Very useful articles. I and my friend to do some research. I am very glad to see such information, I find the very long period of time, was finally I found, thank you.

    ReplyDelete
  4. The great posts have become a great fan of this information of this wonderful site. This block is very nice for the way of designing. I am very much thanks to this website and using great services.

    ReplyDelete