Author Topic: MalZilla  (Read 225605 times)


March 07, 2008, 11:51:40 pm
Reply #60

tjs

  • Special Members
  • Sr. Member


  • 248
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS


March 07, 2008, 11:55:56 pm
Reply #61

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Quote
Another suggestion-- can we get 'format text' to work on page content (in 'download' tab)?

Thanks for the new release!
TJS



Format text is gone (with the wind).
It was useless...
It added a line-break after every semi-colon, and that does damage in a lot of cases.

I will search for a better tokenizer for formatting text, but as for now I have none that is working like it should.

March 08, 2008, 12:05:21 am
Reply #62

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Quote
Another suggestion:

Can you add a checkbox for 'Use Referrer' because sometimes I don't want to use one. Also, I don't like how when I put a new URL it keeps the old Referrer... I understand how this is useful, but I would prefer if when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

....

Thanks,
TJS


Isn't un-checking Auto-set referrer on the Settings tab exactly what you need?

March 08, 2008, 01:37:30 am
Reply #63

tjs

  • Special Members
  • Sr. Member


  • 248
Two responses:

Format text is _NOT_ useless! I use it almost every single time I analyze a malware page. Please don't remove it, otherwise I'll be hacking at your source and recompiling a private build for myself with it. I think even in its limited form it is a great feature to improve readability of scripts.

Referrer settings on the download tab are better because, like using a useragent/cookies/proxy, sometimes you want it and sometimes you don't. In most cases, I don't, particularly because I usually analyze many sites at the same time, which causes me to 'share' the last site I looked at with the current one via referrer. I'm cool with having it on the settings page, but in that case, why not move the proxy, user agent and cookies options there too?

TJS

March 08, 2008, 01:38:58 am
Reply #64

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I vote to restore the format code option too :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 08, 2008, 04:38:07 am
Reply #65

sowhat-x

  • Guest


Rotflmao... ;D
Ok, seriously now...
If it's not much trouble, I also vote for it to be re-included...

March 08, 2008, 08:29:36 am
Reply #66

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Hi guys,

The code for that Format text was something like:

if you see a semi-colon, replace it with semi-colon + line break.

Translated to Pascal, that is exactly one line of code.
It is not a problem to bring it back, but that rule for inserting line breaks is simply wrong.
One should take care of tokens, and put a line break only if the semi-colon is the end of a token.

The biggest problem was that, if you click it 2-3 times, your text will end up with a bunch of line breaks one after another.

I will really search for a better solution. It should not be far away. I just need to study the code of the highlighter I'm using there - the highlighter does know where the ends of tokens are.

March 08, 2008, 08:33:09 am
Reply #67

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
hehe no worries :)

Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 08, 2008, 09:35:03 am
Reply #68

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Quote
hehe no worries :)

Btw, did you see the code I posted in the Blenders latest thread at MR? (Malzilla couldn't work with it)

That code is full of references to DOM objects that Malzilla does not support.
After removing some of the references, I've managed to get it decoded.

btw.
Quote
This page is protected by unregistered version of Right HTML Protector

March 08, 2008, 09:39:32 am
Reply #69

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Oh right, hehe
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 09, 2008, 12:47:27 am
Reply #70

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Format Text is dead, long live Format Code!

Who wants to play with the new formatting?
http://malzilla.sourceforge.net/test/

Pick the new exe (you already have the DLLs from previous downloads). There is new formatting for the Decode tab.
I'll test tomorrow how well it works with HTML code, to see how to deal with Download tab code formatting.

Please test, and tell me if it works well or badly for you.

Take into account that the formatting can break some code from executing (code checking for function length).
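As an added example (not Malzilla's own code, which is Pascal) of the token-aware rule described in Reply #66 and of the function-length caveat in this reply, here is a small formatter placed beside the old "semicolon + line break" rule. It assumes plain JavaScript input and does not handle regex literals or template strings.

```javascript
// Added example, not Malzilla's Pascal code: break only after a ';' that ends a
// statement (outside strings, comments and parentheses, so for(;;) headers stay)
// and emit one break at most, so a second pass changes nothing. Assumption:
// regex literals and template strings are not handled.
function formatCode(src) {
  let out = "", i = 0, depth = 0;
  let state = "code"; // code | sq | dq | line | block
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (state === "code") {
      if (c === "'" || c === '"') { state = c === "'" ? "sq" : "dq"; out += c; }
      else if (c === "/" && n === "/") { state = "line"; out += "//"; i++; }
      else if (c === "/" && n === "*") { state = "block"; out += "/*"; i++; }
      else if (c === ";" && depth === 0) {
        out += ";";
        let j = i + 1; // swallow whitespace already following the ';'
        while (j < src.length && /[ \t\r\n]/.test(src[j])) j++;
        if (j < src.length) out += "\n"; // no trailing break at end of input
        i = j;
        continue;
      } else {
        if (c === "(") depth++;
        else if (c === ")" && depth > 0) depth--;
        out += c;
      }
    } else if (state === "sq" || state === "dq") {
      out += c;
      if (c === "\\") { out += n ?? ""; i++; } // keep escaped quotes intact
      else if (c === (state === "sq" ? "'" : '"')) state = "code";
    } else if (state === "line") {
      out += c;
      if (c === "\n") state = "code";
    } else { // block comment
      out += c;
      if (c === "*" && n === "/") { out += "/"; i++; state = "code"; }
    }
    i++;
  }
  return out;
}
// The rule the old Format Text button used: every ';' becomes ';' + newline.
function naiveFormat(src) {
  return src.replace(/;/g, ";\n");
}
// Any formatting changes the source length, which a script comparing its own
// function length against a constant (the caveat above) will notice.
function lengthDelta(src) {
  return formatCode(src).length - src.length;
}
```

On the constructed input `var s="a;b";for(var i=0;i<2;i++){x();}alert(s);` the old rule splits the string literal and the for-header and keeps adding breaks on every click, while formatCode breaks only after the two statements and is stable when run again.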

March 09, 2008, 03:16:47 pm
Reply #71

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Seems to work perfectly :) ......
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 09, 2008, 04:53:11 pm
Reply #72

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
New upload to http://malzilla.sourceforge.net/test/
(overwritten the previous upload)

Please test:
Ctrl + Send to Decoder
Ctrl + Send all to Decoder
Format code on Download tab

March 09, 2008, 05:01:40 pm
Reply #73

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Works perfectly here :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 16, 2008, 02:08:30 pm
Reply #74

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Just to let you know that now we have our very own hacked version of SpiderMonkey that will let us decode these scripts where we used the debugger to see the downloading link for the EXE. See the bug report from TJS here: http://www.malwaredomainlist.com/forums/index.php?topic=218.msg2225#msg2225

The process is time-consuming (1-2 minutes for the script attached by TJS), but at the end you will have the source code of the exploit :)

Will upload a new version as soon as I implement this feature in the GUI.
I can't promise that I'll do this in the next few days, so if someone needs this feature urgently I can upload the hacked SpiderMonkey and the instructions on how to use this feature manually.

Happy hacking ;)