In this video we can see that the code makes a TCP connection to 77.87.178.66. The SSL-encrypted connection to port 445 can be redirected to my sha0proxy.pl.
PokerStars communication is secure because they check the certificates.
If we patch the call dword ptr DS:[7145C] (connect) to make our fake connection to the evil server, it will not work because of the certificate validation. But cards can be sent to the evil host. The trojanized client can be distributed to the users.
Conclusion: the software must always be downloaded from an official source via a clear URL.
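To make the certificate point concrete, here is an added example (not code from the video or from PokerStars) showing the client-side setting that makes the redirect to a proxy fail, beside the weak configuration that would let it through, plus a pin check that a client can ship as a second line of defence. The DER bytes and the pin are constructed stand-ins; a real client would take them from getpeercert(binary_form=True) and from its own build.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: stands in for a server certificate in DER form.
# A real client obtains these bytes from SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"-- constructed fake DER certificate bytes for demonstration --"
# Constructed pin: the SHA-256 fingerprint a client would ship for its real server.
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


def make_verifying_context():
    """Context that rejects any server whose certificate does not chain to a
    trusted CA or does not match the requested hostname.  This is what makes a
    redirected connection to a proxy with its own certificate fail."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_insecure_context():
    """The weak configuration: every certificate is accepted, so a proxy in the
    path goes unnoticed.  Shown only for contrast with the verifying context.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def is_pinned(der_bytes, pinned_fingerprints):
    """Return True if the presented certificate matches one of the pins the
    client shipped with.  Constant-time comparison avoids leaking how many
    leading characters matched."""
    fp = cert_fingerprint(der_bytes)
    return any(hmac.compare_digest(fp, pin) for pin in pinned_fingerprints)


def connect_checked(host, port, pinned_fingerprints, timeout=10):
    """Open a TLS connection that enforces CA validation, hostname matching and
    the pin list; raises ssl.SSLError if the pin does not match.  Requires network
    access, so it is not exercised by the offline checks below."""
    ctx = make_verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        der = tls.getpeercert(binary_form=True)
        if not is_pinned(der, pinned_fingerprints):
            tls.close()
            raise ssl.SSLError("certificate fingerprint does not match pin list")
        return tls


if __name__ == "__main__":
    print("verifying context:", make_verifying_context().verify_mode.name)
    print("insecure context: ", make_insecure_context().verify_mode.name)
    print("sample pinned?    ", is_pinned(SAMPLE_DER, [SAMPLE_PIN]))
```

Note that pinning only helps against a redirected network path; it does nothing against a client binary that has itself been modified, which is exactly why the post's conclusion about obtaining the software from the official source stands on its own.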