daily pastebin goal
48%
SHARE
TWEET

mIRC - Encrypted internal strings

a guest Nov 26th, 2011 1,661 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. MIRC.EXE (v7.14) - INTERNAL ENCRYPTED STRINGS
  2. by 5cougars   Nov 26, 2011
  3.  
  4. INTRO: mIRC contains many, many hundreds of text strings, all in plaintext. However, it contains approx 25 strings that are encrypted, and encoded. Googling for these strings yielded only 1 result - simply a binary dump of mirc.exe, nothing useful, so it seems nobody has commented on these strings yet, which I find strange because I checked v6.35 and most of the strings exist there too.
  5.  
  6. There is a catch, however ... two of these encrypted strings don't decrypt to anything legible, whereas all the others do. On top of that, the size remains static, whereas all the others decrypt/decode to strings somewhat smaller than the ciphertext due to base64-style decoding, indicating these two strings are only encrypted - not encoded. Attempting to decrypt/decode this decrypted string proved unsuccessful, so for now it remains a mystery, pending further investigation. :)
  7.  
  8. ---
  9.  
  10. Master Encryption Key: "xyzzy"  (modifying this key naturally breaks the decryption)
  11. Algorithm: Custom, uses encryption + base64-style encoding, the latter assumingly simply to make it easy for Khaled to include them directly in his source code.
  12.  
  13. The decrypt + decode algorithm is fairly large, but the encrypted and decrypted strings can easily be located here in this snippet (note that the string is decrypted a lot earlier than this, but this is a good location for easy viewing of both ciphertext and plaintext):
  14.  
  15. 00421562     |.  2BD0          sub edx, eax                     // ENCRYPTED
  16. 00421564     |>  0FB708        /movzx ecx, word ptr ds:[eax]
  17. 00421567     |.  66:890C02     |mov word ptr ds:[edx+eax], cx
  18. 0042156B     |.  83C0 02       |add eax, 2
  19. 0042156E     |.  66:85C9       |test cx, cx
  20. 00421571     |.^ 75 F1         \jnz short mirc.00421564
  21. 00421573     |.  8B7C24 18     mov edi, dword ptr ss:[esp+18]   // DECRYPTED
  22.  
  23.  
  24. Encrypted strings and resulting decrypted plaintext:
  25.  
  26. "CacSyyQ="
  27. "v7.14"
  28. (Note: 7.22 = "CacSyCI=")
  29.  
  30. "F+RIiiqaSn8jQV0iNgrLrPR7tw=="
  31. "http://www.mirc.com"
  32.  
  33. "F+RIiiqaSn8jQV0iNgrLrPR79DDx"
  34. "http://www.mirc.co.uk"
  35.  
  36. "F+RIiiqaSn8jQV0iNgrLrPR7t2rxrobut3M="
  37. "http://www.mirc.com/khaled"
  38.  
  39. "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4DrahdduF+5+N4Y"
  40. "http://www.mirc.com/register.html"
  41.  
  42. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwndZ4wVUo/V3KpA="
  43. "http://www.mirc.co.uk/register.html"
  44.  
  45. "F+RIiiqaSn8jQV0iNgrLrPR7t2r0o5DxvjzI11Y="
  46. "http://www.mirc.com/news.html"
  47.  
  48. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YnnSKbNo4eVRg=="
  49. "http://www.mirc.co.uk/news.html"
  50.  
  51. "F+RIiiqaSn8jQV0iNgrLrPR7t2r8qZX3k1FIxvjZ"
  52. "http://www.mirc.com/forums.php"
  53.  
  54. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YHt+S3iWmGeS3E="
  55. "http://www.mirc.co.uk/forums.php"
  56.  
  57. "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4Djc7hYDPnL/Aq7"
  58. "http://www.mirc.com/regabout.html"
  59.  
  60. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwn9I+BVSo/Xeiss="
  61. "http://www.mirc.co.uk/regabout.html"
  62.  
  63. "F+RIiiqaSn8jQV0iNgrLrPR7t2r5oY6vtetqsjQZUfaY4C6mQPQSrCCgQX2+PA=="
  64. "http://www.mirc.com/cgi-bin/regcheck.cgi?code="
  65. // Requesting this page with an invalid code returns the following:
  66.    <HTML><HEAD><TITLE></TITLE></HEAD><BODY><P id=mirc status=ready valid=0></P></BODY></HTML>
  67.  
  68. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YTlYQvYCOgIpRNk+/yxKPbMtnXks5eOwe96"
  69. "http://www.mirc.co.uk/cgi-bin/regcheck.cgi?code="
  70.  
  71. "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUROu1ukqOcrtC9nJjZMQlbEp5IdysPzVqF4oAj3tuuyon8G3Py"
  72. "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCyUNXfZ1IGbfPuay+7dDCF+uBUKygsMGZigpmiHWUz3Pfnav2ST0wBaxNxAeWu"
  73.  
  74. "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUWBr8tFycpWeQyclSMsbPvLEJBwkCKrASDk7m3AjK2dom+eMLy"
  75. "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDEwdpUIsUCUsrNx/i7bRC2G2Ye0O/53/wR2eoc+Pbpf36EIq8775FTLaA2iFWk"
  76.  
  77. "F+RIiiqaSn8jQV0iNgrLrPR7t2rvtoPjpc51AI0CCg=="
  78. "http://www.mirc.com/update.html"
  79.  
  80. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZLyxhfC1HDL3Lwu"
  81. "http://www.mirc.co.uk/update.html"
  82.  
  83. "F+RIiiqaSn8jQV0iNgrLrPR7t2r9o5OsnIk0Qg=="
  84. "http://www.mirc.com/get.html"
  85.  
  86. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YDnlG0I5vL4"
  87. "http://www.mirc.co.uk/get.html"
  88.  
  89. "F+RIiiqaSn8jQV0iNgrLrPR7t2r4o5PjTTicHAw="
  90. "http://www.mirc.com/beta.html"
  91.  
  92. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YXnJfbHiv8T4w=="
  93. "http://www.mirc.co.uk/beta.html"
  94.  
  95. "F+RIiiqaSn8jQV0iNgrLrPR7t2r/vpfrsHQreSf2Dak="
  96. "http://www.mirc.com/expired.html"
  97.  
  98. "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YL6s0kfOvBbCJ39Ug=="
  99. "http://www.mirc.co.uk/expired.html"
  100.  
  101. "CfVOiXnaCzU="
  102. "version="
  103.  
  104. "G/FFiS0="
  105. "days="
  106.  
  107.  
  108.  
  109.  
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top