

-----Original Message-----
From:			eris@theplague.net
Sent:			Wednesday, January 12, 2000 7:47 PM
To:			dlystad@psi-software.com
Cc:
Subject:			RE: WhineBot (txt)


Oh also I never really wanted to understand the encryption unless it was
trivial, but I did need to find out what all the parameters and global
variables used in the encryption were so I can track them down (i.e. I
wouldn't have guessed it uses 2 keys for the encryption but it does)

eris




-----Original Message-----
From:			eris@theplague.net
Sent:			Wednesday, January 12, 2000 7:47 PM
To:			dlystad@psi-software.com
Cc:
Subject:			RE: WhineBot (txt)


>I think you are looking deeper into this than you really need to.  Think
>about it...  In order to perform the encryption on the message, the message
>must first be stored in a buffer.  Then the encryption is run on that
>buffer.  Same with the receive..  the buffer has to be extracted to a
>buffer, then parsed for the data.  I don't think you have to mess with the
>encryption.

Exactly but I can't read the buffer on the fly because it's on the stack, so
I either need a way to export it prior to encryption, or to bust the
encryption. Suggest another way for me! Prob is it's a stack operation, and
I have no way of knowing when or where it is on the stack.

eris




-----Original Message-----
From:			eris@theplague.net
Sent:			Wednesday, January 12, 2000 7:16 PM
To:			dlystad@psi-software.com
Cc:
Subject:			RE: WhineBot (txt)


Ok this stuff is exceptionally nasty. I've definitely convinced myself that
I know where the encryption algorithm is. I tried deciphering it but it's
pretty nasty. I think I understand it well enough to rip it now. I don't
exactly know what's all going on, but I've found out where the starting
data is.. Well I've KIND OF found it. It's being passed through ecx into the
function so I'll have to do some backtracking to find out where the 2 keys
are being stored globally. BTW the key does not change as time progresses,
at least not that I've noticed yet.

I'm pretty sure I can do something similar for the decryption stuff. So
here are two options I have right now... I still think I could modify the
EXE to JMP to some of those NOP areas and rig up a DLL call to compress
with a flag to let it know it's a fake call. This would work really well
because I'd never have to touch that encryption stuff, decipher it, rip it,
figure out where the keys are stored, etc. I don't think ripping would be
hard. But what do I do once I rip it if I don't know how the key is being
stored? I'm sure it's being set up on login, but christ, that's gonna suck
to rip the encryption and write a client to figure it out. I think
eventually maybe this is the preferred method since I could run without a
client, run several bots on the same machine, etc. But I think this will be
a nightmare to figure out. The exe mod on the other hand is equally nuts.
As a plus I'd have easy access to the nonencrypted data but.. anytime you
embed your own machine language into an exe you've been in one too many car
accidents... hehe

Let me know your thoughts..

eris



-----Original Message-----
From:			eris@theplague.net
Sent:			Tuesday, January 11, 2000 8:46 PM
To:			dlystad@psi-software.com
Cc:
Subject:			RE: WhineBot (txt)


It's really weird. Hopefully you'll have some time tonight when you're done
working.. Outgoing data is definitely being compressed with zlib. Although
I've found some calls in the disassembly, it does not APPEAR as though
uncompress is being called, at least not under normal circumstances (I have
zlib recompiled now and am writing a file when compress or uncompress is
called, and only the compress one is being written)...

eris




-----Original Message-----
From:			eris@theplague.net
Sent:			Tuesday, January 11, 2000 1:46 PM
To:			dlystad@psi-software.com
Cc:
Subject:			RE: WhineBot (txt)


Do you have the SS disassembly handy? I'd really like to take a peek..
Thanks :)

eris


