______________________________________________________________
 |                                                              |
 | Save your fingers - get your fake names from the i-net       |#
 |        |#
 |                                                              |#
 | by DiA/rrlf (c)2005                                          |#
 | www.vx-dia.de.vu :: DiA_hates_machine@gmx.de                 |#
 |______________________________________________________________|#
   ###############################################################



  _Overview___________________________________
 |                                            |
 | 1_Intro                                    |#
 | 2_How to do?                               |#
 | 3_Gimme a code, please!                    |#
 | 4_Outro                                    |#
 |____________________________________________|#
   #############################################



 .Disclaimer
  
    The author of this article is  NOT responsible for possible damages in case
   of informations you getting here. You do your own things with your own risk,
   please don't do anything stupid for  your own security. This document is for
   educational  purpose only.  If you do  NOT agree this, please close this for
   your own pleasure!


 .1_Intro
  
    Maybe you know this situation, you write a pretty good massmailer, i-net or
   P2P worm and you need some ideas for the fake names. You are sick seeing names
   like "Damn_Fine_Porn.mpg          .exe" or "Photoshop Crack working!.exe". So
   what to do? Get some inspiration from the internet, go to some warez/crackz
   sites and copy and paste some real crack names including application name,
   exact version number and maybe the author of the crack. Looking a bit realer
   then "Micr0soft all products keygen.exe", huh?!
   You wanna do some good stuff, including many names... you are now copy and
   paste your name number 34, stupid work, no? At this point I ask you, why do
   you copy and paste a already existing huge database of names? Just write a
   simple but effective code and get thousends of names at runtime :). So read on
   and see how easy it is...


 .2_How to do?
  
    OK, what we need for this tutorial is a internet connection. Without it will
   not work of course. Now save this file - http://crack.ms/cracks/a_1.shtml -
   local as - fakenames.txt -. Take a look, at the head of this file you see some
   uninteressting stuff, like popup scripts, meta tags and links. But if you go to
   the end of this file you see a huge list of the crack names. Thats what we want.
   Let's pick out one link including the name that we want to extract:

    <a href="crack.ms?id=19003" target=_blank>ABCalculator 1.1.0 by DBC</a>

   And one more:

    <a href="crack.ms?id=1882535" target=_blank>Aare CD Ripper v3.2 by HTBTeam</a>

   Fine, now when you have a look you will fast see that every name is between
   (dword - 4 bytes) "ank>" and "</a>". So we have to find "ank>" and we have the
   start of the name. Byte by byte we search for the end "</a>" and so we have
   the length of the name. We know the start of the name and the length, sweet,
   we can extract it ;). With this method we can do so name by name, until we are
   at the end of the file.
   Remember that this is only a example, there are more then 1.000.000 crackz/
   warez/serialz sites on the internet, you only have to know how the structure
   of the HTML files they use is.
   Let's do a little to-do list for our example application:

     1. Make a random valid URL (eg w_2.shtml)
     2. Download this file
     3. Open the file
     4. Get the file size
     5. If it's not big enough goto 1.
     6. Free enough memory
     7. Read whole content in memory
     8. Close File
     9. Find start of next fake name "ank>"
    10. Find end of next fake name "</a>"
    11. Extract fake name
    12. What you wanna do with this name (in example log in a .htm file)
    13. If end of file goto 15.
    14. Jump to 9.
    15. Exit

   If it sounds hard to do for you, then the only reason for this is my shitty
   english ;D. Just take a look at the small code, and you will see that it is
   pretty easy to do.


 .3_Gimme a code, please!
  
;-----ExtractNames.asm-----cut-----start---------------------------------------------
include "%fasminc%\win32ax.inc"         ;equates

ExtractNames:
        call MakeURL                    ;make a random url (a-z,1-9)

        invoke URLDownloadToFile,\      ;download it baby
               0,\                      ;no activeX required
               FakeNamesURL,\           ;download this file
               FakeNamesFile,\          ;save local to this file
               0,\                      ;reserved
               0                        ;no interface

        cmp eax, 0                      ;error if it is not null
        jne ExtractNames                ;then make new URL and download again

WaitForDownload:
        invoke CreateFile,\             ;open downloaded file
               FakeNamesFile,\          ;open this file (in current folder)
               GENERIC_READ,\           ;only need read access
               FILE_SHARE_READ,\        ;---""---
               0,\                      ;dont need security attributes
               OPEN_EXISTING,\          ;we want to open the file
               FILE_ATTRIBUTE_NORMAL,\  ;normal attributes
               0                        ;no template file

        cmp eax, INVALID_HANDLE_VALUE   ;if error then the download is not finished
        je WaitForDownload              ;try to open again

        mov dword [FileHandle], eax     ;save file handle

        invoke GetFileSize,\            ;get file size of downloaded file
               dword [FileHandle],\     ;via file handle
               0                        ;just get low size

        mov dword [FileSize], eax       ;save file size

        cmp eax, 7000d                  ;if its <7000 bytes, then its the error page from crack.ms
        ja GetMemory                    ;if not go to get memory

        invoke CloseHandle,\            ;close handle
               dword [FileHandle]       ;to delete it

        invoke DeleteFile,\             ;delete invalid fake names file
               FakeNamesFile            ;delete this

        jmp ExtractNames                ;repeat all

GetMemory:
        invoke GlobalAlloc,\            ;get enough memory
               GMEM_MOVEABLE,\          ;allocation attribute, moveable
               dword [FileSize]         ;that mich memory we need

        mov dword [MemHandle], eax      ;save handle

        invoke GlobalLock,\             ;get memory start
               dword [MemHandle]        ;via handle

        mov dword [MemStart], eax       ;save start

        invoke ReadFile,\               ;read whole content from file
               dword [FileHandle],\     ;open file, handle
               dword [MemStart],\       ;buffer start
               dword [FileSize],\       ;read that much
               BytesRW,\                ;bytes read
               0                        ;no overlapped structure

        invoke CloseHandle,\            ;we can close the file
               dword [FileHandle]       ;via handle

;***only for this example***
        invoke CreateFile,\             ;make the output file
               OutputFile,\             ;file name
               GENERIC_WRITE,\          ;with write access
               FILE_SHARE_WRITE,\       ;---""---
               0,\                      ;no security
               CREATE_ALWAYS,\          ;create it
               FILE_ATTRIBUTE_NORMAL,\  ;normal attributes
               0                        ;no temp file

        mov dword [FileHandle], eax     ;save handle
;***only for this example***

        mov ebx, dword [MemStart]       ;get memory start in ebx
        add ebx, 3667d                  ;go over the file header (scripts, meta, links...)
                                        ;(keep in mind that this is the structure
                                        ; of files on crack.ms, if you use another site
                                        ; the structure is different!)
        push ebx                        ;save to stack

FindMoreNames:
        pop ebx                         ;get file position from stack
        xor ecx, ecx                    ;set name length counter to null

GetStartOfName:
        cmp dword [ebx], "</bo"         ;end of html file (you know </body></html>)
        je FindNamesEnd                 ;then goto end

        cmp dword [ebx], "ank>"         ;start of fake name?
        je GetEndOfName                 ;if so then get end of name

        inc ebx                         ;search next byte
        jmp GetStartOfName              ;go get it dude

GetEndOfName:
        cmp dword [ebx], "</a>"         ;end of fake name?
        je ExtractName                  ;if so then extract the name

        inc ecx                         ;to get fake name length
        inc ebx                         ;next place
        jmp GetEndOfName                ;search it

ExtractName:
        push ebx                        ;save current position in file

        sub ebx, ecx                    ;go to the start of string
        add ebx, 4d                     ;go after "ank>"
        sub ecx, 4d                     ;delete that "</a>"
        push ecx                        ;save length of name
        mov esi, ebx                    ;source
        mov edi, FakeName               ;destination
        rep movsb                       ;copy the whole name to FakeName

        mov dword [edi], 0              ;clear all after


;****************************************
;****************************************
; at this point you can do whatever you want
; with the fake file name! pointer to fake name
; is "FakeName"...
;****************************************
;****************************************


;***only for this example***
         pop ecx                        ;get length of name

         invoke WriteFile,\             ;write the fake name to file
                dword [FileHandle],\    ;via handle
                FakeName,\              ;write this
                ecx,\                   ;length of fake name
                BytesRW,\               ;bytes written
                0                       ;overlapped, fuck off

         invoke WriteFile,\             ;write <br> to the file
                dword [FileHandle],\    ;via handle
                Break,\                 ;write <br>
                4,\                     ;length
                BytesRW,\               ;bytes written
                0                       ;overlapped, fuck off
;***only for this example***

        jmp FindMoreNames              ;go get next name

FindNamesEnd:
;***only for this example***
        invoke CloseHandle,\            ;close output file
               dword [FileHandle]       ;via handle
;***only for this example***

        invoke GlobalUnlock,\           ;unlock memory
               dword [MemHandle]        ;handle

        invoke GlobalFree,\             ;free it!
               dword [MemHandle]        ;via handle

        invoke DeleteFile,\             ;delete downloaded file
               FakeNamesFile            ;this

        invoke MessageBox,\             ;show a msgbox that it's done
               0,\
               "fake names extracting done",\
               FakeNamesURL,\
               0

        invoke ExitProcess,\
               0                        ;end my friend

MakeURL:                                ;procedure
        invoke GetTickCount             ;we only want random stuff in al

CharMakeValid:
        cmp al, 97d                     ;if its under "a"
        jb CharAdd                      ;then add some stuff

        cmp al, 122d                    ;if its above "z"
        ja CharSub                      ;then sub some stuff

        jmp CharIsValid                 ;kewl, now its valid

CharAdd:
        add al, 18d                     ;add 18 and see if its now valid
        jmp CharMakeValid               ;check it

CharSub:
        sub al, 18d                     ;sub 18
        jmp CharMakeValid               ;now a valid character?

CharIsValid:
        mov edi, FakeNamesURL           ;pointer to url
        add edi, 23d                    ;go to the end of the string
        stosb                           ;save char at end (eg http://crack.ms/cracks/m)

        invoke GetTickCount             ;get al again

DigitMakeValid:
        cmp al, 49d                     ;if its under "1"
        jb DigitAdd                     ;the add somethin

        cmp al, 57d                     ;if its above "9"
        ja DigitSub                     ;then subtract it

        jmp DigitIsValid                ;make whole name

DigitAdd:
        add al, 3d                      ;add 3
        jmp DigitMakeValid              ;check if its now valid

DigitSub:
        sub al, 3d                      ;sub 3
        jmp DigitMakeValid              ;chek if it is valid now

DigitIsValid:
        mov byte [edi], "_"             ;eg http://crack.ms/cracks/m_
        inc edi                         ;go behind the "_"
        stosb                           ;save digit (eg http://crack.ms/cracks/m_2)

        mov dword [edi], ".sht"         ; http://crack.ms/cracks/m_2.sht
        mov dword [edi + 4], "ml"       ; http://crack.ms/cracks/m_2.shtml
ret                                     ;return to call


Datas:
        FakeNamesURL    db "http://crack.ms/cracks/",0  ;site to download file from
                        rb 10d                          ;space for file name (random)
        FakeNamesFile   db "fake.names",0               ;filename to save
        FileHandle      dd ?                            ;file handle to save
        FileSize        dd ?                            ;file size to get enough memory
        MemHandle       dd ?                            ;handle for allocate memory
        MemStart        dd ?                            ;start of memory
        BytesRW         dd ?                            ;number of bytes read/write
        OutputFile      db "FakeNames.htm",0            ;save here the names
        FakeName        rb 100d                         ;save here the fake name
        Break           db "<br>",0                     ;just to make a break


Imports:
data import                                             ;import all needed api's
        library kernel32,               "KERNEL32.DLL",\
                user32,                 "USER32.DLL",\
                urlmon,                 "URLMON.DLL"

        import kernel32,\
               CreateFile,              "CreateFileA",\
               GlobalAlloc,             "GlobalAlloc",\
               GlobalLock,              "GlobalLock",\
               ReadFile,                "ReadFile",\
               GetFileSize,             "GetFileSize",\
               CloseHandle,             "CloseHandle",\
               GlobalUnlock,            "GlobalUnlock",\
               GlobalFree,              "GlobalFree",\
               WriteFile,               "WriteFile",\
               DeleteFile,              "DeleteFileA",\
               GetTickCount,            "GetTickCount",\
               ExitProcess,             "ExitProcess"

        import user32,\
               MessageBox,              "MessageBoxA"

        import urlmon,\
               URLDownloadToFile,       "URLDownloadToFileA"
end data
;-----ExtractNames.asm-----cut-----end-----------------------------------------------


 .4_Outro
  
    Funny, no? That small code and that much names ;). But keep in mind that
   this is only a basic example. For advanced usage you need, for example, to
   check if there is an internet connection or not. Also you don't need to
   extract only fake names for your worms. What's about subject's or body's?
   Maybe a report from a AV site about a new dangerous worm in the wild, and
   you send the cleaning program?! Or what about newsgroups and there post's.
   It's now in your hand to find usefull sites for your fake names, fake
   subjects and fake bodys. Be creative ;), have a nice day and happy coding!

                                                       DiA/rrlf :: 08.02.2005