API tools faq
paste
Advertisement
Guest User

mIRC - Encrypted internal strings

a guest
Nov 26th, 2011
2,926
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.36 KB | None | 0 0
raw download clone embed print report
  1. MIRC.EXE (v7.14) - INTERNAL ENCRYPTED STRINGS
  2. by 5cougars Nov 26, 2011
  3.  
  4. INTRO: mIRC contains many, many hundreds of text strings, all in plaintext. However, it contains approx 25 strings that are encrypted, and encoded. Googling for these strings yielded only 1 result - simply a binary dump of mirc.exe, nothing useful, so it seems nobody has commented on these strings yet, which I find strange because I checked v6.35 and most of the strings exist there too.
  5.  
  6. There is a catch, however ... two of these encrypted strings don't decrypt to anything legible, whereas all the others do. On top of that, the size remains static, whereas all the others decrypt/decode to strings somewhat smaller than the ciphertext due to base64-style decoding, indicating these two strings are only encrypted - not encoded. Attempting to decrypt/decode this decrypted string proved unsuccessful, so for now it remains a mystery, pending further investigation. :)
  7.  
  8. ---
  9.  
  10. Master Encryption Key: "xyzzy" (modifying this key naturally breaks the decryption)
  11. Algorithm: Custom, uses encryption + base64-style encoding, the latter assumingly simply to make it easy for Khaled to include them directly in his source code.
  12.  
  13. The decrypt + decode algorithm is fairly large, but the encrypted and decrypted strings can easily be located here in this snippet (note that the string is decrypted a lot earlier than this, but this is a good location for easy viewing of both ciphertext and plaintext):
  14.  
  15. 00421562 |. 2BD0 sub edx, eax // ENCRYPTED
  16. 00421564 |> 0FB708 /movzx ecx, word ptr ds:[eax]
  17. 00421567 |. 66:890C02 |mov word ptr ds:[edx+eax], cx
  18. 0042156B |. 83C0 02 |add eax, 2
  19. 0042156E |. 66:85C9 |test cx, cx
  20. 00421571 |.^ 75 F1 \jnz short mirc.00421564
  21. 00421573 |. 8B7C24 18 mov edi, dword ptr ss:[esp+18] // DECRYPTED
  22.  
  23.  
  24. Encrypted strings and resulting decrypted plaintext:
  25.  
  26. "CacSyyQ="
  27. "v7.14"
  28. (Note: 7.22 = "CacSyCI=")
  29.  
  30. "F+RIiiqaSn8jQV0iNgrLrPR7tw=="
  31. "http://www.mirc.com"
  32.  
  33. "F+RIiiqaSn8jQV0iNgrLrPR79DDx"
  34. "http://www.mirc.co.uk"
  35.  
  36. "F+RIiiqaSn8jQV0iNgrLrPR7t2rxrobut3M="
  37. "http://www.mirc.com/khaled"
  38.  
  39. "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4DrahdduF+5+N4Y"
  40. "http://www.mirc.com/register.html"
  41.  
  42. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwndZ4wVUo/V3KpA="
  43. "http://www.mirc.co.uk/register.html"
  44.  
  45. "F+RIiiqaSn8jQV0iNgrLrPR7t2r0o5DxvjzI11Y="
  46. "http://www.mirc.com/news.html"
  47.  
  48. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YnnSKbNo4eVRg=="
  49. "http://www.mirc.co.uk/news.html"
  50.  
  51. "F+RIiiqaSn8jQV0iNgrLrPR7t2r8qZX3k1FIxvjZ"
  52. "http://www.mirc.com/forums.php"
  53.  
  54. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YHt+S3iWmGeS3E="
  55. "http://www.mirc.co.uk/forums.php"
  56.  
  57. "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4Djc7hYDPnL/Aq7"
  58. "http://www.mirc.com/regabout.html"
  59.  
  60. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwn9I+BVSo/Xeiss="
  61. "http://www.mirc.co.uk/regabout.html"
  62.  
  63. "F+RIiiqaSn8jQV0iNgrLrPR7t2r5oY6vtetqsjQZUfaY4C6mQPQSrCCgQX2+PA=="
  64. "http://www.mirc.com/cgi-bin/regcheck.cgi?code="
  65. // Requesting this page with an invalid code returns the following:
  66. <HTML><HEAD><TITLE></TITLE></HEAD><BODY><P id=mirc status=ready valid=0></P></BODY></HTML>
  67.  
  68. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YTlYQvYCOgIpRNk+/yxKPbMtnXks5eOwe96"
  69. "http://www.mirc.co.uk/cgi-bin/regcheck.cgi?code="
  70.  
  71. "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUROu1ukqOcrtC9nJjZMQlbEp5IdysPzVqF4oAj3tuuyon8G3Py"
  72. "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCyUNXfZ1IGbfPuay+7dDCF+uBUKygsMGZigpmiHWUz3Pfnav2ST0wBaxNxAeWu"
  73.  
  74. "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUWBr8tFycpWeQyclSMsbPvLEJBwkCKrASDk7m3AjK2dom+eMLy"
  75. "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDEwdpUIsUCUsrNx/i7bRC2G2Ye0O/53/wR2eoc+Pbpf36EIq8775FTLaA2iFWk"
  76.  
  77. "F+RIiiqaSn8jQV0iNgrLrPR7t2rvtoPjpc51AI0CCg=="
  78. "http://www.mirc.com/update.html"
  79.  
  80. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZLyxhfC1HDL3Lwu"
  81. "http://www.mirc.co.uk/update.html"
  82.  
  83. "F+RIiiqaSn8jQV0iNgrLrPR7t2r9o5OsnIk0Qg=="
  84. "http://www.mirc.com/get.html"
  85.  
  86. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YDnlG0I5vL4"
  87. "http://www.mirc.co.uk/get.html"
  88.  
  89. "F+RIiiqaSn8jQV0iNgrLrPR7t2r4o5PjTTicHAw="
  90. "http://www.mirc.com/beta.html"
  91.  
  92. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YXnJfbHiv8T4w=="
  93. "http://www.mirc.co.uk/beta.html"
  94.  
  95. "F+RIiiqaSn8jQV0iNgrLrPR7t2r/vpfrsHQreSf2Dak="
  96. "http://www.mirc.com/expired.html"
  97.  
  98. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YL6s0kfOvBbCJ39Ug=="
  99. "http://www.mirc.co.uk/expired.html"
  100.  
  101. "CfVOiXnaCzU="
  102. "version="
  103.  
  104. "G/FFiS0="
  105. "days="
  106.  
  107.  
  108.  
  109.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!