Hazar + Orbit30 server contact

jackdor · Aug 2, 2009

Hazar + Orbit30 server contact try to call home

please can some explain why Hazar + Orbit30 new lo*der trys to contact a server and in the code there is a lot of html code that as nothink to do with the lo*derside whats it up to and why please help me understand

Daz · Aug 2, 2009

Depends on:
A) Where you got it from
B) Whos upload it was

I have launched it in a sandbox and it done nothing, I have used Wireshark and still it's still done nothing and I have gone as far as reading the source code for the actual main program and thats clean.

If there was something in it it would have to be in the "7lo*der By Orbit30 & Hazar v1.2.exe" since that ones a little harder to unpack directly. From all my results though it looks clean...

jackdor · Aug 2, 2009

the one that Hazar up loaded

Content-Length: HTTP *»G .?AVProgressMonitor@@ *»G .?AVGzip@@ Invalid GZip ID Failed to read CRC Failed to read comment Failed to read original filename Failed to read extra field Failed to read XLEN Invalid GZip compression method Failed to read 1st 10 bytes. UncompressedSize CompressedSize Not enough data for trailing CRC32 or ISIZE Buffer would have been overrun Gzip data too small Failed to open temp file for ungzip. destFile tmpFile Failed to move temp file to destination Failed to unGzip output file *»G .?AVDigestMD5@@ *»G .?AVOutput@@ *»G .?AVPackageExchange@@ *»G .?AVHttpClient@@ Saving cookies... Aborted to avoid infinite redirects. Got 301/302 redirect, but no new location. location Failed to construct new URL This is actually a page-not-found error. PageNotFound Proxy-Authorization: Basic Adding Basic Proxy Authentication Header Authorization: Basic login Adding Basic Authentication Header Not auto-adding cookies. No cookie jar found. Cookie: AddingCookie CookieDir Auto-adding any accumulated cookies. Connection: Host: User-Agent: Referer: Accept-Language: Accept-Charset: Accept-Encoding:
Accept-Encoding: gzip
Authorization: NTLM Accept: -
Range: bytes= If-Modified-Since: If-None-Match: HTTP/1.1
? GET Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Accept-Language: en-us
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

peterpaulw · Aug 2, 2009

jackdor said: ↑

please can some explain why Hazar + Orbit30 new lo*der trys to contact a server and in the code there is a lot of html code that as nothink to do with the lo*derside whats it up to and why please help me understand
Click to expand...

Did your firewall give an alert from that file? If yes, could you post it here.

jackdor · Aug 2, 2009

i did not run it i just run it through a hex editor found that code and more that dont look right to me this lo*der as no reason to have code of that nature in it

Daz · Aug 2, 2009

I just run it in Wireshark again but this time on my laptop, same deal -- nothing outbound and nothing inbound. I don't fancy having to install Nod32 myself just to do that check...

To be honest I just think that's within the file to scramble it, it makes it harder to unpack. Anyone thats saying its calling out to something needs to run Wireshark themselves and find out the exact url path its using (not just the IP).

peterpaulw · Aug 2, 2009

You need to login to view this posts content.

jackdor · Aug 2, 2009

this is not just junk code just take a quick look at it this is trying to connect to some think

VCacheControl@@ WSAStartup error: 0x%x The lpWSAData is not a valid pointer. Limit on the number of tasks supported by the Windows Sockets implementation has been reached. A blocking Windows Sockets 1.1 operation is in progress. The version of Windows Sockets support requested is not provided by this particular Windows Sockets implementation. The underlying network subsystem is not ready for network communication. ws2_32_DLL_Version Using ws2_32.dll version %d,%d *»G .?AVChilkatSocket@@ Failed to bind to local IP address BindPort BindIpAddr Failed to read registry: CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/ProxyEnable ProxyEnable Failed to read registry: CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/ProxyServer /Software/Microsoft/Windows/CurrentVersion/Internet Settings ProxyServer Check to make sure the connection is not blocked by a firewall or anti-virus port filtering. Error %x WSAEPROVIDERFAILEDINIT The requested service provider could not be loaded or initialized. WSAEINVAL An invalid argument was supplied. WSAEACCES An attempt was made to access a socket in a way forbidden by its access permissions. WSAEADDRINUSE Only one usage of each socket address

jackdor · Aug 2, 2009

now i don't think this as been done by Hazar i think this is orbits input it looks to me that he has taken somthink that good and made it bad. if i am wrong then i will apologize but it dont look good

JakeL · Aug 2, 2009

I did a whole reverse engineering of the program this morning.

The lo*der, which is a .Net application (had to unpack the native packer) does not contain any HTTP code. The lo*der is so big because whoever programmed it is a complete idiot and decided that each OEM Button is linked to a different EXE binded into the larger one (resource) (lo*der.exe (main app (gui screen)). It would of been easier to have a master bat that gets modified at runtime to the user choice of button. Just shows you that orbit30 is a terrible programmer.

Secondly, the compression program generates a VLD.exe inside a EXE archive. This is used to link the exe to the content contained in the exe archive. In other words, when the user clicks on the .exe, VLD.exe is pre-programmed to execute the batch file to insert the oem info into system32.

The actual lo*der is win32, it uses an MS tool to modify the bootstrapper. It installs a modified Linux for Dos bootstrapper to emulate the SLIC tables.

The only thing that is a bit malicious is hstart.exe. This is used to bring up dialogs in the VBScript. And I confirm it to do nothing else.

What you find in the hex editor is either from VLD.exe or vtk script. These are scripts bundled with 7lo*der! And vtk has HTTP and Phone APIs calls. It was renamed from slmgr.vbs. This is a script from MS: SLMGR.vbs, Vista's Licensing Manager.

TO NOTE: I reversed 1.0, by orbit30 and hazar.

So there you have it. Orbit30 shouldn't deserve the reputation he is getting. The lo*der is directly ripped from the chinese. Hell, the namespace of the program is still named VistaLoader.

jackdor · Aug 2, 2009

thanks JakeL. it did not look good to me but i think i see were you are coming from thanks again. i think i will stick with Hazar original loader no tish in it

JakeL · Aug 2, 2009

They all have the same codebase, so it doesn't matter. Same loader is on both ends. Orbit30's version just has bloat in it!

SongRemainsTheSame · Aug 2, 2009

Jackdor and Jakel, please be kind enough to develop a new l**der with a new super-optimized codebase + an awesome GUI, or a totally new concept to render all windows genuine forever, so that you will be heroes!

EarlZ · Aug 2, 2009

JakeL said: ↑

I did a whole reverse engineering of the program this morning.

The lo*der, which is a .Net application (had to unpack the native packer) does not contain any HTTP code. The lo*der is so big because whoever programmed it is a complete idiot and decided that each OEM Button is linked to a different EXE binded into the larger one (resource) (lo*der.exe (main app (gui screen)). It would of been easier to have a master bat that gets modified at runtime to the user choice of button. Just shows you that orbit30 is a terrible programmer.

Secondly, the compression program generates a VLD.exe inside a EXE archive. This is used to link the exe to the content contained in the exe archive. In other words, when the user clicks on the .exe, VLD.exe is pre-programmed to execute the batch file to insert the oem info into system32.

The actual lo*der is win32, it uses an MS tool to modify the bootstrapper. It installs a modified Linux for Dos bootstrapper to emulate the SLIC tables.

The only thing that is a bit malicious is hstart.exe. This is used to bring up dialogs in the VBScript. And I confirm it to do nothing else.

What you find in the hex editor is either from VLD.exe or vtk script. These are scripts bundled with 7lo*der! And vtk has HTTP and Phone APIs calls. It was renamed from slmgr.vbs. This is a script from MS: SLMGR.vbs, Vista's Licensing Manager.

TO NOTE: I reversed 1.0, by orbit30 and hazar.

So there you have it. Orbit30 shouldn't deserve the reputation he is getting. The lo*der is directly ripped from the chinese. Hell, the namespace of the program is still named Vistalo*der.
Click to expand...

So when can we expect your loader that is free of junk code and is more optimized than orbit/haradz's code?

german237 · Aug 2, 2009

orbit30 said: ↑

Give me a break man, ive only been using vb for 2 months, its all still new to me, its not big or clever to be ripping me to pieces like this.
Ive only ever tried to be a friend to everyone man.
Another thing is 'I never stole any code from Hazar' the exe or fix as its called was made for me. It was only the following day i found it to be Hazar's. Please man enough with this already
Click to expand...

Orbit30 friend! Wanted to know if yours is version 1.2 and Hazar or just a malicious, greetings !

vadim · Aug 2, 2009

..........

Bloodbat · Aug 2, 2009

JakeL said: ↑

I did a whole reverse engineering of the program this morning.

The lo*der, which is a .Net application (had to unpack the native packer) does not contain any HTTP code. The lo*der is so big because whoever programmed it is a complete idiot and decided that each OEM Button is linked to a different EXE binded into the larger one (resource) (lo*der.exe (main app (gui screen)). It would of been easier to have a master bat that gets modified at runtime to the user choice of button. Just shows you that orbit30 is a terrible programmer.
[...]
Click to expand...

I won't reverse engineer the thing, it's sensible to check if it contacts somewhere because...well...paranoia is good...but give the guy a break if he wrote the thing in vb.net (specially after a couple of months)...he's brave...the thing's hideous.
Also, why have a "master" bat that gets modified when you can generate it on the fly with variables? (textwriter being the simplest method) Also if you're using a .bat it probably means you don't need to call the evil WinAPI (which is rather painful to do in .net, MFC, straight C, Delphi and probably MINGW...trust me), so the best optimization, in the end, would be to do it directly in .net, after all, the program already asks for "elevation".
If the .exes are in one big res. file probably the bloat comes from the images used for the OEM stuff (and the pretty UI pictures...and the music...[rather...useless...but some people seem to like having the logo in Sys. Info])
So...maybe, the best course would be to do a compressing the images that compose the UI, leave the OEM ones in all their "crispy" quality and remove
the music.
Just my two cents, anyway, thanks Hazar and Orbit, the thing works, and that's what matters...specially in this day and age...~10 megs download in seconds...

Bloodbat

Bagheera · Aug 2, 2009

I used to program in tp/delphi and lately in vb. But what the hack... when i have to find out the methods (these loaders use) to write a app for all you demanding cry-babies it costs me alot of time.. and as grandpa i am starting winhexing on bioses again... also i have to learn alot about complexe networking right now.. (study packet/frame sniffing)... so i DONT have the time to do it all by myself... i love the youngsters who solves common problems by making loaders that work! I don't care about size (these days ; ) ) and if they are right programmed in a decent manner... how many times will you use the loader from hazar/orbit30? ..run the loader and be happy..

Orbit30 and Hazar thnxs and don't be affended!....

jackdor · Aug 2, 2009

if you dont ask the qustion why then its for you to do and let your computer die
i just asked becouse it did not look right
"please can some explain why Hazar + Orbit30 new lo*der trys to contact a server and in the code there is a lot of html code that as nothink to do with the lo*derside whats it up to and why please help me understand"

and i also said if i am wrong than will apologize

Hazar + Orbit30 i me apologize but it still did'nt look good

jackdor · Aug 2, 2009

SongRemainsTheSame said: ↑

Jackdor and Jakel, please be kind enough to develop a new l**der with a new super-optimized codebase + an awesome GUI, or a totally new concept to render all windows genuine forever, so that you will be heroes!
Click to expand...

you should learn to read whole thread rather than make smart arse comments

Hazar + Orbit30 server contact

jackdor MDL Member

Daz MDL Developer / Admin
Staff Member

jackdor MDL Member

peterpaulw MDL Novice

jackdor MDL Member

Daz MDL Developer / Admin
Staff Member

peterpaulw MDL Novice

jackdor MDL Member

jackdor MDL Member

JakeL MDL Novice

jackdor MDL Member

JakeL MDL Novice

SongRemainsTheSame MDL Novice

EarlZ MDL Junior Member

german237 MDL Novice

vadim MDL Novice

Bloodbat MDL Novice

Bagheera MDL Member

jackdor MDL Member

jackdor MDL Member

Hazar + Orbit30 server contact

jackdor MDL Member

Daz MDL Developer / Admin Staff Member

jackdor MDL Member

peterpaulw MDL Novice

jackdor MDL Member

Daz MDL Developer / Admin Staff Member

peterpaulw MDL Novice

jackdor MDL Member

jackdor MDL Member

JakeL MDL Novice

jackdor MDL Member

JakeL MDL Novice

SongRemainsTheSame MDL Novice

EarlZ MDL Junior Member

german237 MDL Novice

vadim MDL Novice

Bloodbat MDL Novice

Bagheera MDL Member

jackdor MDL Member

jackdor MDL Member

Daz MDL Developer / Admin
Staff Member

Daz MDL Developer / Admin
Staff Member