Cracking AgentKing aka Copartner

[KageKhan]

This is my first thread so please forgive me for being a little noobish. I know how to use the "Search" option so please don't suggest it. This is not to ask a question and the topics concerning this general information exchange have been closed because people are waiting for "someone" to crack it. I would like to say that this won't crack itself and if we pull together as a community and exchange our ideas maybe we can get somewhere. I have even seen that puzzlebird has taken a look into this on one of the threads but I don't believe it's fair to leave EVERYTHING up to him. Anyways, this has been unpacked and an idea of finding the ip address in the unpacked version and changing it to the address of the server emulator was suggested (). I know that the ip address that AgentKing attempts to connect to is: 211.147.250.119 on port 80 and I believe that the server emulator listens for all connections to your local connection (127.0.0.1 port 80 ?) pwnstar said that he believed the ip address to be at 00031EFC & 00031F18 and I looked there myself and didn't find any recognizable resemblance to 211.147.250.119 What I saw was "asp pasp /passip/ com . 2299 810 800 %s id r" If anyone has any suggestions on where to go from here, I would love to hear your insight.

[DM2000]

# move

[Killer_Kel]

well the link to the post you are on about is not clean
so dont use anyway



AntiVir 7.3.0.19 12.20.2006 no virus found
Authentium 4.93.8 12.20.2006 no virus found
Avast 4.7.892.0 12.19.2006 no virus found
AVG 386 12.19.2006 no virus found
BitDefender 7.2 12.20.2006 no virus found
CAT-QuickHeal 8.00 12.19.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.20.2006 no virus found
DrWeb 4.33 12.20.2006 no virus found
eSafe 7.0.14.0 12.19.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.91 12.20.2006 no virus found
eTrust-Vet 30.3.3264 12.20.2006 no virus found
Ewido 4.0 12.19.2006 no virus found
Fortinet 2.82.0.0 12.20.2006 no virus found
F-Prot 3.16f 12.20.2006 no virus found
F-Prot4 4.2.1.29 12.20.2006 no virus found
Ikarus T3.1.0.27 12.20.2006 no virus found
Kaspersky 4.0.2.24 12.20.2006 no virus found
McAfee 4922 12.19.2006 no virus found
Microsoft 1.1904 12.20.2006 no virus found
NOD32v2 1930 12.20.2006 no virus found
Norman 5.80.02 12.19.2006 no virus found
Panda 9.0.0.4 12.19.2006 Suspicious file
Prevx1 V2 12.20.2006 no virus found
Sophos 4.12.0 12.18.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.134 12.18.2006 no virus found
UNA 1.83 12.19.2006 no virus found
VBA32 3.11.1 12.19.2006 no virus found
VirusBuster 4.3.19:9 12.19.2006 no virus found

[SoulSaint]

i tried to login with username "username_test" and password "password_test" and got these results..

this is from the client:

Code:

POST /passip/pasp.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: AgentKing
Host: 8008102299.com
Content-Length: 103
Cache-Control: no-cache

g=100410fc1a23d692da98193d85aa7b3582e5df2cd3fb741797e7c7e4c3a11a4ce7e46000d41d8cd98f0b24e980998ecf8427e

and this is from the server:

Code:

HTTP/1.1 302 Object moved
Date: Wed, 20 Dec 2006 08:52:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://202.109.124.19/passip/pasp.asp?g=100410fc1a23d692da98193d85aa7b3582e5df2cd3fb741797e7c7e4c3a11a4ce7e46000d41d8cd98f0b24e980998ecf8427e
Content-Length: 262
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSAAAACR=NOKHBMHAGKPODLOAHLMCEHOM; path=/
Cache-control: private


Object MovedThis object may be found here.

[Tw3ak]

Quote:

Originally posted by Killer_Kel@Dec 20 2006, 09:49
well the link to the post you are on about is not clean
so dont use anyway



AntiVir 7.3.0.19 12.20.2006* no virus found
Authentium 4.93.8 12.20.2006* no virus found
Avast 4.7.892.0 12.19.2006* no virus found
AVG 386 12.19.2006* no virus found
BitDefender 7.2 12.20.2006* no virus found
CAT-QuickHeal 8.00 12.19.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.20.2006* no virus found
DrWeb 4.33 12.20.2006* no virus found
eSafe 7.0.14.0 12.19.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.91 12.20.2006* no virus found
eTrust-Vet 30.3.3264 12.20.2006* no virus found
Ewido 4.0 12.19.2006* no virus found
Fortinet 2.82.0.0 12.20.2006* no virus found
F-Prot 3.16f 12.20.2006* no virus found
F-Prot4 4.2.1.29 12.20.2006* no virus found
Ikarus T3.1.0.27 12.20.2006* no virus found
Kaspersky 4.0.2.24 12.20.2006* no virus found
McAfee 4922 12.19.2006* no virus found
Microsoft 1.1904 12.20.2006* no virus found
NOD32v2 1930 12.20.2006* no virus found
Norman 5.80.02 12.19.2006* no virus found
Panda 9.0.0.4 12.19.2006 Suspicious file
Prevx1 V2 12.20.2006* no virus found
Sophos 4.12.0 12.18.2006* no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.134 12.18.2006* no virus found
UNA 1.83 12.19.2006* no virus found
VBA32 3.11.1 12.19.2006* no virus found
VirusBuster 4.3.19:9 12.19.2006 no virus found

lol your a noob there is nothing malicious in it..I hate noobs on this forum that think that jotti crap is accurate what so ever and think it's like a warm blanket to keep em warm on a cold night LOL Half the stuff on here that IS infected is done so in a way that jotti crap would say it was clean anyway only the blatenly stupid people use keyloggers and trojans that that picks up...And most of the things that set it off are nothing more then PE headers and packers the way co-part vessel work is by monitoring certain actions you would normally perform yourself like movement and keypresses hp/mp ect it is those things that jotti labels as "suspicious" when it is actually a false positive.

[Tombstone]

Quote:

Originally posted by Tw3ak@Dec 20 2006, 04:04
lol your a noob there is nothing malicious in it..I hate noobs on this forum that think that jotti **** is accurate what so ever and think it's like a warm blanket to keep em warm on a cold night LOL Half the stuff on here that IS infected is done so in a way that jotti **** would say it was clean anyway only the blatenly stupid people use keyloggers and trojans that that picks up...And most of the things that set it off are nothing more then PE headers and packers the way co-part vessel work is by monitoring certain actions you would normally perform yourself like movement and keypresses hp/mp ect it is those things that jotti labels as "suspicious" when it is actually a false positive.

lol wow you're like so right omg, virus scans are bogus and useless so let's just all stop using Jotti, in fact let's don't use any kind of antivirus software at all to scan the files we download, let's just download like madmen and immediately initiate every .exe we can get our hands on from now on, **** yea!!!11123fourfive

[pink_panther]

Quote:

Originally posted by Tombstone+Dec 20 2006, 10:14--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Tombstone @ Dec 20 2006, 10:14)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin--Tw3ak@Dec 20 2006, 04:04
lol your a noob there is nothing malicious in it..I hate noobs on this forum that think that jotti **** is accurate what so ever and think it's like a warm blanket to keep em warm on a cold night LOL Half the stuff on here that IS infected is done so in a way that jotti **** would say it was clean anyway only the blatenly stupid people use keyloggers and trojans that that picks up...And most of the things that set it off are nothing more then PE headers and packers the way co-part vessel work is by monitoring certain actions you would normally perform yourself like movement and keypresses hp/mp ect it is those things that jotti labels as "suspicious" when it is actually a false positive.

lol wow you're like so right omg, virus scans are bogus and useless so let's just all stop using Jotti, in fact let's don't use any kind of antivirus software at all to scan the files we download, let's just download like madmen and immediately initiate every .exe we can get our hands on from now on, **** yea!!!11123fourfive



[/b][/quote]
Thats not what he means ******, stfu. however, He is right tho, Jotti picks up alot of things that arnt dangerous at all.

[SoulSaint]

Quote:

Originally posted by pink_panther+Dec 20 2006, 10:49--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (pink_panther @ Dec 20 2006, 10:49)</td></tr><tr><td id='QUOTE'>

Quote:

Quote:

lol wow you're like so right omg, virus scans are bogus and useless so let's just all stop using Jotti, in fact let's don't use any kind of antivirus software at all to scan the files we download, let's just download like madmen and immediately initiate every .exe we can get our hands on from now on, fuck yea!!!11123fourfive

Thats not what he means retard, stfu. however, He is right tho, Jotti picks up alot of things that arnt dangerous at all. [/b][/quote]
lol in case you didnt catch it i think he was being sarcastic so enough flaming already.

[Tombstone]

Quote:

Originally posted by pink_panther@Dec 20 2006, 04:49
Thats not what he means ******, stfu. however, He is right tho, Jotti picks up alot of things that arnt dangerous at all.

Lol noob, you're the sharpest tard on the short bus aren't you. It's called sarcasm dipshit, look it up. Who the hell are you anyway with a name like Pink Panther and a fuzzy little bee flying around in your avatar, you're obviously gay so go suck on one and think before you speak to me again.

[noelm]

Quote:

Originally posted by Tw3ak+Dec 20 2006, 10:04--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Tw3ak @ Dec 20 2006, 10:04)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin--Killer_Kel@Dec 20 2006, 09:49
well the link to the post you are on about is not clean
so dont use anyway



AntiVir 7.3.0.19 12.20.2006* no virus found
Authentium 4.93.8 12.20.2006* no virus found
Avast 4.7.892.0 12.19.2006* no virus found
AVG 386 12.19.2006* no virus found
BitDefender 7.2 12.20.2006* no virus found
CAT-QuickHeal 8.00 12.19.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.20.2006* no virus found
DrWeb 4.33 12.20.2006* no virus found
eSafe 7.0.14.0 12.19.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.91 12.20.2006* no virus found
eTrust-Vet 30.3.3264 12.20.2006* no virus found
Ewido 4.0 12.19.2006* no virus found
Fortinet 2.82.0.0 12.20.2006* no virus found
F-Prot 3.16f 12.20.2006* no virus found
F-Prot4 4.2.1.29 12.20.2006* no virus found
Ikarus T3.1.0.27 12.20.2006* no virus found
Kaspersky 4.0.2.24 12.20.2006* no virus found
McAfee 4922 12.19.2006* no virus found
Microsoft 1.1904 12.20.2006* no virus found
NOD32v2 1930 12.20.2006* no virus found
Norman 5.80.02 12.19.2006* no virus found
Panda 9.0.0.4 12.19.2006 Suspicious file
Prevx1 V2 12.20.2006* no virus found
Sophos 4.12.0 12.18.2006* no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.134 12.18.2006* no virus found
UNA 1.83 12.19.2006* no virus found
VBA32 3.11.1 12.19.2006* no virus found
VirusBuster 4.3.19:9 12.19.2006 no virus found

lol your a noob there is nothing malicious in it..I hate noobs on this forum that think that jotti crap is accurate what so ever and think it's like a warm blanket to keep em warm on a cold night LOL Half the stuff on here that IS infected is done so in a way that jotti crap would say it was clean anyway only the blatenly stupid people use keyloggers and trojans that that picks up...And most of the things that set it off are nothing more then PE headers and packers the way co-part vessel work is by monitoring certain actions you would normally perform yourself like movement and keypresses hp/mp ect it is those things that jotti labels as "suspicious" when it is actually a false positive. [/b][/quote]
You can't get mad at the guy that scanned for no reason. The guy that posted had 5 posts and 0 karma.

[KageKhan]

Ok so when I attempted to connect to 8008102299.com on my browser my computer logged the ip as the same as I previously posted (211.147.250.119 port 80) The only thing I don't truly understand is how you would go about trying to change the hex to connect to your localhost... I was also sort of thinking if one of us (I don't mind doing it) got a month subscription to this to record the outgoing/incoming packets of a succesful login so that we could recreate the server emulator (I read this somewhere in I believe and I know it has been mentioned that we need a new server emulator) I know that QOProxy does something similiar to what the server emulator does (or I think so) because they both listen to the localhost for connectivity (QOProxy does, I'm not too sure about the server emulator but even so you could still design the new server emulator to run in the same way). So really all we would have to do is change the ip address the new agent king connects to, to the local host and then recreate a new server emulator to return the correct packet to the agent king program to allow it to run. The only problem we may run into with this is that I'm guessing they will have a time stamp in the packet and if it doesn't match our computers clock it may not run... this is just a guess because thats what I would do to stop people from attempting something like this.

[SoulSaint]

not sure if it is as simple as that..
tw3ak mentioned that there is alot of checks in the program. also i saw you posting that you wanted to create your own bot as i also have been thinking of, actually i already starting in the little.. made the injector to load the dll into conquer so far lol but if you are on irc we can have a chat about it there some time if you like

edit: i write in c/c++ so if thats your language we could find something out..
i can also show you how hooks work etc as ive done this many times before.

[blacknosk]

Has anybody tried using a transparent http proxy yet? If you can't figure out how to change the ip address in the program itself, just set your computer to have everything go through your proxy and then set up iptables or squid if it can do it to forward to whatever ip address the emulator is on. Does that make sense? I haven't ever used this program and have never ran/downloaded it. But if somebody points me to the server emulator thing I read about, I'll try this out on my own.

[KageKhan]

lol c/c++ Soul? Yeeeaaaa I know a little of each... I know more java than anything though... I have heard that c# is similiar to java sooo I guess I could work in that too... As far as IRC goes, I don't use it... only because well... no REAL reason, I use yahoo messenger though. I'm beginning to think that creating our own WOULD be the best solution as we could maintain as a community etc as I'm sure you read in my other post (thats all directed at SoulSaint, not trying to say you all read every one of my insignificant posts) Anyways we can start turning this into the thread to create our own so if you could start posting links to guide me in the right direction to get me started with windows hooking I'd be VERY thankful and of course I'll post whatever I create in it's un-assembled version lol hopefully I wont run into any problems but if I do maybe you could browse over my code and give me suggestions.

[Rancid-Milk-Man]

What about editing the host file in

C:&#092;WINDOWS&#092;system32&#092;drivers&#092;et c ?