26 replies to this topic

[Kyle]

Requirements:
Virus Scanner (Your own will likely work, but AVG located here)
PE Explorer (located here)
Install both files as necessary.

Purpose:
PE Explorer: To check for password stealers within a program.
AVG/your virus scanner: To check for viruses within a program.
------------------------------------------------------------------------------------------------------------------

Now, open PE explorer. Your window will look like this. From this screen, you can select the program you want to check by clicking the yellow folder in the upper left corner, as shown here, and browsing for it.

From their, you will be given the opportunity to buy the full version of PE Explorer. Click continue, and move on to the next step.

Now, you should be looking at a window very similar to this. From here, you will click on the blue scroll-looking button at the top, shown here.

Two windows will pop up, and without changing anything, press the "Start Now" button on the front window.

You should now be looking at a very crowded and confusing page, looking something like this. In the top box, you want to scroll over so the last column is at the left most viewing point of the box, as shown here.

Now, you actually start checking the program. Press ctrl+f to bring up the search box, and type http, like this. Continue pressing ctrl+f and enter to search the whole program. If any of the links go anywhere but neopets.com, there is a very good chance the program is attempting to steal your username and password.
Example of clean program: Here
Example of a Password stealing program: Here
------------------------------------------------------------------------------------------------------------------

For the purpose of this guide, I will be using AVG, although your virus scanning program will almost certainly work.

Find the program you want to scan, and right click. A menu like this will show up. Select "Scan with AVG". If a virus is found, something similar to this will show up. If the program is virus free, a window looking similar to this will show up.

Disclaimer: If you use these techniques and somehow a password stealer or virus gets past you, I am NOT responsible for your account. These are the methods I have used and they have never failed me, but that doesn't mean they are completely full-proof.
This guide was written by Kyle, and distributed ONLY to Neocodex.us. Enjoy!

Edited by Kyle, 21 May 2012 - 11:37 AM.

[Kyle]

No problem. Its a guide I had been wanting to write for a while

[Cataliste]

I'll just Mew11 all my evil programs then.

[Kyle]

I'll just Mew11 all my evil programs then.

Isn't that packing in such a way that its harder to detect?

If so, its more of a beginners guide to checking, and I didn't get into/know how to check when thats the case.

[Mumei]

I think this is a great idea to have a guide, yes - we check every program that's submitted here, but please remember we can't check every line of code (first we don't usually ask for the source, we only check the object, and secondly it's always possible to miss things as we're only human and do not guarantee the programs posted here are 100% free of malware, only that we've checked them and didn't spot anything) so if anyone spots something in a program PM one of the Admin/Sr programmers/programmers here and we'll investigate it immediately.


if you really want a comprehensive guide, you may also add into it a network sniffer mini guide (eg ethereal) and use of Hex Editors

most anti virus scanners use signatures to identify malware, so a home built program will not often get picked up unless all they've done is bind into the code an already existing virus

also another thing to mention, is to identify all the calls to the communication protocol they are using (eg Wrapper) - i would investigate a program if there is a call to the wrapper with a call to a decrypt function just before it.
other things to check for are any POP protocols (calling any installed email programs, hosted email servers, or including an email server in the code)
any programs that contain 2 methods for HTTP communication (using 2 wrappers, or a wrapper and web browser)
check for any unnecessary security protocol (a daily doer does not need an encrypt/decrypt function within it, so you have to ask why it's there - what data is it hiding etc....)

[Chew]

thanks for the guide. I ran this on some other auto programs I use on other game sites and I actually found two programs that had some suspicious http's in them. thanks again

[Hazard]

yea thanks for the guide...heavily needed just in case those thief's

[Kyle]

thanks for the guide. I ran this on some other auto programs I use on other game sites and I actually found two programs that had some suspicious http's in them. thanks again

That was basically the main goal of this. I saw lots of people getting scammed from programs from other sites. So if you chose to use programs from other sites, at least you can use a guide from Codex to check them.

[Cataliste]

Also, get UPX. Try to decompress the file with UPX to make sure it is not packed. Though anyone really wanting to get people would use Mew11, The dumber one's may use UPX. Viral signatures are distorted with UPX packing.

[the_skip]

Also to be double sure use a packet sniifer or somethign liek wpe pro and put fals information in and see if it goes to anywhere else but neopets. they cannot hide the post data from a packet sniffer unless they are good, but then you'll have to watch them take your account

[Stephen]

Also, get UPX. Try to decompress the file with UPX to make sure it is not packed. Though anyone really wanting to get people would use Mew11, The dumber one's may use UPX. Viral signatures are distorted with UPX packing.

Isn't UPX packing close to useless nowadays anyway?
Most people wouldn't pack with UPX anymore, and morphine is close to useless because of paranoid anti-virus software.. to my knowledge anyway.

I'll do my research later, hacking, packing, and maltivity isn't really my area of knowledge, but I wouldn't mind knowing more of course.

[Sorrow]

Good ! Thanks!

[Member]

I want to thank you for the information! It just confirmed that I had been had. I was searching for my answer and yound this forum. The PE Explorer (with your instructions) found the bad news for me. Do not use the "Altador Cup Hack" listed by jugularfreeman on youtube. The code shows a link where he is stealing your Log in info!

I royally screwwed up and my 6 year account is gone
GREAT Thread with Very Useful Information!! please do keep pinned!

Edit by Kitsune: I edited out your links as it is safer for our users this way.

[permeability]

Thank you for this. I'm always paranoid when I use programmes, haha!

[emerych]

never use programs off youtube..... thats a pretty self explanatory one

[gaelle]

Wow very nice and useful guide ! We know programs on neocodex are sure but I often download neopets programs found on google so that will be very useful !

[nonotjj]

heh, youtube programs is the quickest way to have your acct stolen... at least for WoW, I'm pretty sure it's the same for neo.

[shesamessx]

Thanks for this! 

At first I was skeptical with this site, but then I got to thinking, if you have a whole community of people, someone would have piped up that they lost their account, you know?

This will help if I ever decide to use other programs xD

[GrenadeApple]

Thanks for the guide i already had AVG but i didn't have PE Explorer.

[jonnykun]

nice guide.
just wondering, has anyone ever seen a bad program put up on a reputable site ?
trying to assess the risk of pw stealing progs on good sites.

[Reemer]

Just a little tip, after you search for http once, you can press the F3 button to continue searching for http instead of pressing ctrl+f and hitting Find Next over and over.

[Intrusion]

Excellent,will keep this in mind if I use any programs besides a Codex program.

[picole]

I loved the guide, always I had fear of a program that stole passwords

[zevrom]

Thanks, Some programs are really untrustworthy