Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- MIRC.EXE (v7.14) - INTERNAL ENCRYPTED STRINGS
- by 5cougars Nov 26, 2011
- INTRO: mIRC contains many, many hundreds of text strings, all in plaintext. However, it contains approx 25 strings that are encrypted, and encoded. Googling for these strings yielded only 1 result - simply a binary dump of mirc.exe, nothing useful, so it seems nobody has commented on these strings yet, which I find strange because I checked v6.35 and most of the strings exist there too.
- There is a catch, however ... two of these encrypted strings don't decrypt to anything legible, whereas all the others do. On top of that, the size remains static, whereas all the others decrypt/decode to strings somewhat smaller than the ciphertext due to base64-style decoding, indicating these two strings are only encrypted - not encoded. Attempting to decrypt/decode this decrypted string proved unsuccessful, so for now it remains a mystery, pending further investigation. :)
- ---
- Master Encryption Key: "xyzzy" (modifying this key naturally breaks the decryption)
- Algorithm: Custom, uses encryption + base64-style encoding, the latter assumingly simply to make it easy for Khaled to include them directly in his source code.
- The decrypt + decode algorithm is fairly large, but the encrypted and decrypted strings can easily be located here in this snippet (note that the string is decrypted a lot earlier than this, but this is a good location for easy viewing of both ciphertext and plaintext):
- 00421562 |. 2BD0 sub edx, eax // ENCRYPTED
- 00421564 |> 0FB708 /movzx ecx, word ptr ds:[eax]
- 00421567 |. 66:890C02 |mov word ptr ds:[edx+eax], cx
- 0042156B |. 83C0 02 |add eax, 2
- 0042156E |. 66:85C9 |test cx, cx
- 00421571 |.^ 75 F1 \jnz short mirc.00421564
- 00421573 |. 8B7C24 18 mov edi, dword ptr ss:[esp+18] // DECRYPTED
- Encrypted strings and resulting decrypted plaintext:
- "CacSyyQ="
- "v7.14"
- (Note: 7.22 = "CacSyCI=")
- "F+RIiiqaSn8jQV0iNgrLrPR7tw=="
- "http://www.mirc.com"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx"
- "http://www.mirc.co.uk"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2rxrobut3M="
- "http://www.mirc.com/khaled"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4DrahdduF+5+N4Y"
- "http://www.mirc.com/register.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwndZ4wVUo/V3KpA="
- "http://www.mirc.co.uk/register.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r0o5DxvjzI11Y="
- "http://www.mirc.com/news.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YnnSKbNo4eVRg=="
- "http://www.mirc.co.uk/news.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r8qZX3k1FIxvjZ"
- "http://www.mirc.com/forums.php"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YHt+S3iWmGeS3E="
- "http://www.mirc.co.uk/forums.php"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2roo4Djc7hYDPnL/Aq7"
- "http://www.mirc.com/regabout.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZXnwn9I+BVSo/Xeiss="
- "http://www.mirc.co.uk/regabout.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r5oY6vtetqsjQZUfaY4C6mQPQSrCCgQX2+PA=="
- "http://www.mirc.com/cgi-bin/regcheck.cgi?code="
- // Requesting this page with an invalid code returns the following:
- <HTML><HEAD><TITLE></TITLE></HEAD><BODY><P id=mirc status=ready valid=0></P></BODY></HTML>
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YTlYQvYCOgIpRNk+/yxKPbMtnXks5eOwe96"
- "http://www.mirc.co.uk/cgi-bin/regcheck.cgi?code="
- "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUROu1ukqOcrtC9nJjZMQlbEp5IdysPzVqF4oAj3tuuyon8G3Py"
- "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCyUNXfZ1IGbfPuay+7dDCF+uBUKygsMGZigpmiHWUz3Pfnav2ST0wBaxNxAeWu"
- "Mtl7nl30VU/A9t0cxT9QoixQlAAqGABCrD72vLH9GNPQ4CIRzqUWBr8tFycpWeQyclSMsbPvLEJBwkCKrASDk7m3AjK2dom+eMLy"
- "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDEwdpUIsUCUsrNx/i7bRC2G2Ye0O/53/wR2eoc+Pbpf36EIq8775FTLaA2iFWk"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2rvtoPjpc51AI0CCg=="
- "http://www.mirc.com/update.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6ZLyxhfC1HDL3Lwu"
- "http://www.mirc.co.uk/update.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r9o5OsnIk0Qg=="
- "http://www.mirc.com/get.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YDnlG0I5vL4"
- "http://www.mirc.co.uk/get.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r4o5PjTTicHAw="
- "http://www.mirc.com/beta.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YXnJfbHiv8T4w=="
- "http://www.mirc.co.uk/beta.html"
- "F+RIiiqaSn8jQV0iNgrLrPR7t2r/vpfrsHQreSf2Dak="
- "http://www.mirc.com/expired.html"
- "F+RIiiqaSn8jQV0iNgrLrPR79DDx6YL6s0kfOvBbCJ39Ug=="
- "http://www.mirc.co.uk/expired.html"
- "CfVOiXnaCzU="
- "version="
- "G/FFiS0="
- "days="
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement