Tuesday, September 24, 2013

How to extract BetaBot config info


In this article i will show you how to extract the configuration section of the bot, this section is encrypted inside the bot and decrypted while the bot is running.

Few months ago i built a tool that can extract the configuration of the bot in offline mode (that is without running the bot in debugger) i achieved that by reverse engineer and studying how to get the key from the bot and build  in order to decrypt the configuration section from the sample.

Lately when new versions of the bot came out i found that it is much simpler to extract the info i needed using a debugger than to update the tool, this method is what i am going to guide you through in this article.

In order to follow along you need an unpacked sample of the bot (you can get the one i am using in this article here, password is: infected).

This article targets the latest version of the bot (1.5), the technique presented here do work on earlier versions too.