VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Save your fingers - get your fake names from the i-net

Ready Rangers Liberation Front [6]
February 2005

[Back to index] [Comments]


Maybe you know this situation, you write a pretty good massmailer, i-net or P2P worm and you need some ideas for the fake names. You are sick seeing names like "Damn_Fine_Porn.mpg .exe" or "Photoshop Crack working!.exe". So what to do? Get some inspiration from the internet, go to some warez/crackz sites and copy and paste some real crack names including application name, exact version number and maybe the author of the crack. Looking a bit realer then "Micr0soft all products keygen.exe", huh?!

You wanna do some good stuff, including many names... you are now copy and paste your name number 34, stupid work, no? At this point I ask you, why do you copy and paste a already existing huge database of names? Just write a simple but effective code and get thousends of names at runtime :). So read on and see how easy it is...

How to do?

OK, what we need for this tutorial is a internet connection. Without it will not work of course. Now save this file - - local as - fakenames.txt -. Take a look, at the head of this file you see some uninteressting stuff, like popup scripts, meta tags and links. But if you go to the end of this file you see a huge list of the crack names. Thats what we want. Let's pick out one link including the name that we want to extract:

 <a href="" target=_blank>ABCalculator 1.1.0 by DBC</a>

And one more:

 <a href="" target=_blank>Aare CD Ripper v3.2 by HTBTeam</a>

Fine, now when you have a look you will fast see that every name is between (dword - 4 bytes) "ank>" and "</a>". So we have to find "ank>" and we have the start of the name. Byte by byte we search for the end "</a>" and so we have the length of the name. We know the start of the name and the length, sweet, we can extract it ;). With this method we can do so name by name, until we are at the end of the file.

Remember that this is only a example, there are more then 1.000.000 crackz/warez/serialz sites on the internet, you only have to know how the structure of the HTML files they use is.

Let's do a little to-do list for our example application:

  1. Make a random valid URL (eg w_2.shtml)
  2. Download this file
  3. Open the file
  4. Get the file size
  5. If it's not big enough goto 1.
  6. Free enough memory
  7. Read whole content in memory
  8. Close File
  9. Find start of next fake name "ank>"
  10. Find end of next fake name "</a>"
  11. Extract fake name
  12. What you wanna do with this name (in example log in a .htm file)
  13. If end of file goto 15.
  14. Jump to 9.
  15. Exit

If it sounds hard to do for you, then the only reason for this is my shitty english ;D. Just take a look at the small code, and you will see that it is pretty easy to do.

Gimme a code, please!

include "%fasminc%\"         ;equates

        call MakeURL                    ;make a random url (a-z,1-9)

        invoke URLDownloadToFile,\      ;download it baby
               0,\                      ;no activeX required
               FakeNamesURL,\           ;download this file
               FakeNamesFile,\          ;save local to this file
               0,\                      ;reserved
               0                        ;no interface

        cmp eax, 0                      ;error if it is not null
        jne ExtractNames                ;then make new URL and download again

        invoke CreateFile,\             ;open downloaded file
               FakeNamesFile,\          ;open this file (in current folder)
               GENERIC_READ,\           ;only need read access
               FILE_SHARE_READ,\        ;---""---
               0,\                      ;dont need security attributes
               OPEN_EXISTING,\          ;we want to open the file
               FILE_ATTRIBUTE_NORMAL,\  ;normal attributes
               0                        ;no template file

        cmp eax, INVALID_HANDLE_VALUE   ;if error then the download is not finished
        je WaitForDownload              ;try to open again

        mov dword [FileHandle], eax     ;save file handle

        invoke GetFileSize,\            ;get file size of downloaded file
               dword [FileHandle],\     ;via file handle
               0                        ;just get low size

        mov dword [FileSize], eax       ;save file size

        cmp eax, 7000d                  ;if its <7000 bytes, then its the error page from
        ja GetMemory                    ;if not go to get memory

        invoke CloseHandle,\            ;close handle
               dword [FileHandle]       ;to delete it

        invoke DeleteFile,\             ;delete invalid fake names file
               FakeNamesFile            ;delete this

        jmp ExtractNames                ;repeat all

        invoke GlobalAlloc,\            ;get enough memory
               GMEM_MOVEABLE,\          ;allocation attribute, moveable
               dword [FileSize]         ;that mich memory we need

        mov dword [MemHandle], eax      ;save handle

        invoke GlobalLock,\             ;get memory start
               dword [MemHandle]        ;via handle

        mov dword [MemStart], eax       ;save start

        invoke ReadFile,\               ;read whole content from file
               dword [FileHandle],\     ;open file, handle
               dword [MemStart],\       ;buffer start
               dword [FileSize],\       ;read that much
               BytesRW,\                ;bytes read
               0                        ;no overlapped structure

        invoke CloseHandle,\            ;we can close the file
               dword [FileHandle]       ;via handle

;***only for this example***
        invoke CreateFile,\             ;make the output file
               OutputFile,\             ;file name
               GENERIC_WRITE,\          ;with write access
               FILE_SHARE_WRITE,\       ;---""---
               0,\                      ;no security
               CREATE_ALWAYS,\          ;create it
               FILE_ATTRIBUTE_NORMAL,\  ;normal attributes
               0                        ;no temp file

        mov dword [FileHandle], eax     ;save handle
;***only for this example***

        mov ebx, dword [MemStart]       ;get memory start in ebx
        add ebx, 3667d                  ;go over the file header (scripts, meta, links...)
                                        ;(keep in mind that this is the structure
                                        ; of files on, if you use another site
                                        ; the structure is different!)
        push ebx                        ;save to stack

        pop ebx                         ;get file position from stack
        xor ecx, ecx                    ;set name length counter to null

        cmp dword [ebx], "</bo"         ;end of html file (you know </body></html>)
        je FindNamesEnd                 ;then goto end

        cmp dword [ebx], "ank>"         ;start of fake name?
        je GetEndOfName                 ;if so then get end of name

        inc ebx                         ;search next byte
        jmp GetStartOfName              ;go get it dude

        cmp dword [ebx], "</a>"         ;end of fake name?
        je ExtractName                  ;if so then extract the name

        inc ecx                         ;to get fake name length
        inc ebx                         ;next place
        jmp GetEndOfName                ;search it

        push ebx                        ;save current position in file

        sub ebx, ecx                    ;go to the start of string
        add ebx, 4d                     ;go after "ank>"
        sub ecx, 4d                     ;delete that "</a>"
        push ecx                        ;save length of name
        mov esi, ebx                    ;source
        mov edi, FakeName               ;destination
        rep movsb                       ;copy the whole name to FakeName

        mov dword [edi], 0              ;clear all after

; at this point you can do whatever you want
; with the fake file name! pointer to fake name
; is "FakeName"...

;***only for this example***
         pop ecx                        ;get length of name

         invoke WriteFile,\             ;write the fake name to file
                dword [FileHandle],\    ;via handle
                FakeName,\              ;write this
                ecx,\                   ;length of fake name
                BytesRW,\               ;bytes written
                0                       ;overlapped, fuck off

         invoke WriteFile,\             ;write <br> to the file
                dword [FileHandle],\    ;via handle
                Break,\                 ;write <br>
                4,\                     ;length
                BytesRW,\               ;bytes written
                0                       ;overlapped, fuck off
;***only for this example***

        jmp FindMoreNames              ;go get next name

;***only for this example***
        invoke CloseHandle,\            ;close output file
               dword [FileHandle]       ;via handle
;***only for this example***

        invoke GlobalUnlock,\           ;unlock memory
               dword [MemHandle]        ;handle

        invoke GlobalFree,\             ;free it!
               dword [MemHandle]        ;via handle

        invoke DeleteFile,\             ;delete downloaded file
               FakeNamesFile            ;this

        invoke MessageBox,\             ;show a msgbox that it's done
               "fake names extracting done",\

        invoke ExitProcess,\
               0                        ;end my friend

MakeURL:                                ;procedure
        invoke GetTickCount             ;we only want random stuff in al

        cmp al, 97d                     ;if its under "a"
        jb CharAdd                      ;then add some stuff

        cmp al, 122d                    ;if its above "z"
        ja CharSub                      ;then sub some stuff

        jmp CharIsValid                 ;kewl, now its valid

        add al, 18d                     ;add 18 and see if its now valid
        jmp CharMakeValid               ;check it

        sub al, 18d                     ;sub 18
        jmp CharMakeValid               ;now a valid character?

        mov edi, FakeNamesURL           ;pointer to url
        add edi, 23d                    ;go to the end of the string
        stosb                           ;save char at end (eg

        invoke GetTickCount             ;get al again

        cmp al, 49d                     ;if its under "1"
        jb DigitAdd                     ;the add somethin

        cmp al, 57d                     ;if its above "9"
        ja DigitSub                     ;then subtract it

        jmp DigitIsValid                ;make whole name

        add al, 3d                      ;add 3
        jmp DigitMakeValid              ;check if its now valid

        sub al, 3d                      ;sub 3
        jmp DigitMakeValid              ;chek if it is valid now

        mov byte [edi], "_"             ;eg
        inc edi                         ;go behind the "_"
        stosb                           ;save digit (eg

        mov dword [edi], ".sht"         ;
        mov dword [edi + 4], "ml"       ;
ret                                     ;return to call

        FakeNamesURL    db "",0  ;site to download file from
                        rb 10d                          ;space for file name (random)
        FakeNamesFile   db "fake.names",0               ;filename to save
        FileHandle      dd ?                            ;file handle to save
        FileSize        dd ?                            ;file size to get enough memory
        MemHandle       dd ?                            ;handle for allocate memory
        MemStart        dd ?                            ;start of memory
        BytesRW         dd ?                            ;number of bytes read/write
        OutputFile      db "FakeNames.htm",0            ;save here the names
        FakeName        rb 100d                         ;save here the fake name
        Break           db "<br>",0                     ;just to make a break

data import                                             ;import all needed api's
        library kernel32,               "KERNEL32.DLL",\
                user32,                 "USER32.DLL",\
                urlmon,                 "URLMON.DLL"

        import kernel32,\
               CreateFile,              "CreateFileA",\
               GlobalAlloc,             "GlobalAlloc",\
               GlobalLock,              "GlobalLock",\
               ReadFile,                "ReadFile",\
               GetFileSize,             "GetFileSize",\
               CloseHandle,             "CloseHandle",\
               GlobalUnlock,            "GlobalUnlock",\
               GlobalFree,              "GlobalFree",\
               WriteFile,               "WriteFile",\
               DeleteFile,              "DeleteFileA",\
               GetTickCount,            "GetTickCount",\
               ExitProcess,             "ExitProcess"

        import user32,\
               MessageBox,              "MessageBoxA"

        import urlmon,\
               URLDownloadToFile,       "URLDownloadToFileA"
end data


Funny, no? That small code and that much names ;). But keep in mind that this is only a basic example. For advanced usage you need, for example, to check if there is an internet connection or not. Also you don't need to extract only fake names for your worms. What's about subject's or body's? Maybe a report from a AV site about a new dangerous worm in the wild, and you send the cleaning program?! Or what about newsgroups and there post's. It's now in your hand to find usefull sites for your fake names, fake subjects and fake bodys. Be creative ;), have a nice day and happy coding!

DiA/rrlf :: 08.02.2005
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka