Hazar + Orbit30 server contact

Discussion in 'Windows 7' started by jackdor, Aug 2, 2009.

  1. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
    #1 jackdor, Aug 2, 2009
    Last edited: Aug 2, 2009
Hazar + Orbit30 server contact: tries to call home

Please can someone explain why Hazar + Orbit30's new lo*der tries to contact a server, and why in the code there is a lot of HTML code that has nothing to do with the lo*der side? What's it up to, and why? Please help me understand.
     
  2. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,482
    66,557
    300
Depends on:
A) Where you got it from
B) Whose upload it was

I have launched it in a sandbox and it did nothing; I have used Wireshark and it still did nothing; and I have gone as far as reading the source code for the actual main program, and that's clean.

If there was something in it, it would have to be in the "7lo*der By Orbit30 & Hazar v1.2.exe", since that one's a little harder to unpack directly. From all my results, though, it looks clean...
     
  3. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
The one that Hazar uploaded:

    Content-Length: HTTP *»G .?AVProgressMonitor@@ *»G .?AVGzip@@ Invalid GZip ID Failed to read CRC Failed to read comment Failed to read original filename Failed to read extra field Failed to read XLEN Invalid GZip compression method Failed to read 1st 10 bytes. UncompressedSize CompressedSize Not enough data for trailing CRC32 or ISIZE Buffer would have been overrun Gzip data too small Failed to open temp file for ungzip. destFile tmpFile Failed to move temp file to destination Failed to unGzip output file *»G .?AVDigestMD5@@  *»G .?AVOutput@@ *»G .?AVPackageExchange@@ *»G .?AVHttpClient@@ Saving cookies... Aborted to avoid infinite redirects. Got 301/302 redirect, but no new location. location Failed to construct new URL This is actually a page-not-found error. PageNotFound Proxy-Authorization: Basic Adding Basic Proxy Authentication Header Authorization: Basic login Adding Basic Authentication Header Not auto-adding cookies. No cookie jar found. Cookie: AddingCookie CookieDir Auto-adding any accumulated cookies. Connection: Host: User-Agent: Referer: Accept-Language: Accept-Charset: Accept-Encoding:
    Accept-Encoding: gzip
    Authorization: NTLM Accept: -
    Range: bytes= If-Modified-Since: If-None-Match: HTTP/1.1
    ? GET Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
    Accept-Language: en-us
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
    Connection: keep-alive
    Keep-Alive: 300
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
     
  4. peterpaulw

    peterpaulw MDL Novice

    Dec 2, 2007
    36
    0
    0
    Did your firewall give an alert from that file? If yes, could you post it here.
     
  5. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
I did not run it; I just ran it through a hex editor and found that code, and more, that doesn't look right to me. This lo*der has no reason to have code of that nature in it.
     
  6. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,482
    66,557
    300
I just ran it in Wireshark again, but this time on my laptop; same deal -- nothing outbound and nothing inbound. I don't fancy having to install Nod32 myself just to do that check...

To be honest, I just think that's within the file to scramble it; it makes it harder to unpack. Anyone that's saying it's calling out to something needs to run Wireshark themselves and find out the exact URL path it's using (not just the IP).
     
  7. peterpaulw

    peterpaulw MDL Novice

    Dec 2, 2007
    36
    0
    0
    #7 peterpaulw, Aug 2, 2009
    Last edited by a moderator: May 23, 2017
    I agree! There is more info here:

    http://forums.mydigitallife.net/threads/7328

So far two users have reported firewall alerts. The data you saw comes from Chilkat HTTP, which is an ActiveX component integrated into the main .exe for whatever reason.
     
  8. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
This is not just junk code; just take a quick look at it. This is trying to connect to something.

    VCacheControl@@ WSAStartup error: 0x%x The lpWSAData is not a valid pointer. Limit on the number of tasks supported by the Windows Sockets implementation has been reached. A blocking Windows Sockets 1.1 operation is in progress. The version of Windows Sockets support requested is not provided by this particular Windows Sockets implementation. The underlying network subsystem is not ready for network communication. ws2_32_DLL_Version Using ws2_32.dll version %d,%d *»G .?AVChilkatSocket@@ Failed to bind to local IP address BindPort BindIpAddr Failed to read registry: CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/ProxyEnable ProxyEnable Failed to read registry: CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/ProxyServer /Software/Microsoft/Windows/CurrentVersion/Internet Settings ProxyServer Check to make sure the connection is not blocked by a firewall or anti-virus port filtering. Error %x WSAEPROVIDERFAILEDINIT The requested service provider could not be loaded or initialized. WSAEINVAL An invalid argument was supplied. WSAEACCES An attempt was made to access a socket in a way forbidden by its access permissions. WSAEADDRINUSE Only one usage of each socket address
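As an added example (not code from the thread or from the lo*der's authors), this Python script reproduces the kind of triage peterpaulw describes above: it pulls printable strings from a constructed byte blob modelled on the dumps quoted in the thread, decodes MSVC RTTI type-descriptor names such as `.?AVHttpClient@@` into class names, and buckets HTTP request-header templates and Winsock messages separately. The point for a defender is that such strings identify a statically linked C++ HTTP library; only observed traffic (Wireshark, as Daz suggests) shows whether it is actually used.

```python
import re
from typing import Optional

# Constructed sample bytes modelled on the strings quoted in the thread; not the real binary.
SAMPLE = (b"\x00\x01.?AVHttpClient@@\x00\x00\x7f.?AVGzip@@\x00"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\x00"
          b"WSAStartup error: 0x%x\x00\x90\x90Accept-Encoding: gzip\x00"
          b"Saving cookies...\x00ab\x00.?AVChilkatSocket@@\x00")

# MSVC RTTI type descriptor name: .?AV<inner>@<outer>@...@@ for classes, .?AU... for structs.
RTTI = re.compile(r"^\.\?A([UV])((?:\w+@)+)@$")
HTTP_HEADER = re.compile(r"^[A-Za-z-]+:\s")  # "User-Agent: ..." style request-header templates

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len long, like a plain `strings` dump."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def decode_rtti(s: str) -> Optional[str]:
    """Turn '.?AVFoo@Bar@@' into 'class Bar::Foo'; None if s is not an RTTI name."""
    m = RTTI.match(s)
    if not m:
        return None
    kind = "class" if m.group(1) == "V" else "struct"
    scopes = m.group(2).rstrip("@").split("@")  # innermost scope comes first in the decorated form
    return f"{kind} {'::'.join(reversed(scopes))}"

def classify(s: str) -> str:
    if decode_rtti(s):
        return "rtti type name"
    if HTTP_HEADER.match(s):
        return "http header template"
    if s.startswith("WSA"):
        return "winsock message"
    return "other"

def triage(blob: bytes) -> dict[str, list[str]]:
    """Bucket every extracted string by the kind of artefact it is."""
    buckets: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        buckets.setdefault(classify(s), []).append(s)
    return buckets

def rtti_class_names(blob: bytes) -> list[str]:
    """Bare names of the linked C++ types, the clue that points at a library such as Chilkat."""
    return [d.split(" ", 1)[1] for d in map(decode_rtti, extract_strings(blob)) if d]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, "->", items)
```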
     
  9. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
Now I don't think this has been done by Hazar; I think this is Orbit's input. It looks to me like he has taken something that's good and made it bad. If I am wrong then I will apologize, but it doesn't look good.
     
  10. JakeL

    JakeL MDL Novice

    Aug 1, 2009
    5
    0
    0
    I did a whole reverse engineering of the program this morning.

The lo*der, which is a .NET application (had to unpack the native packer), does not contain any HTTP code. The lo*der is so big because whoever programmed it is a complete idiot and decided that each OEM button is linked to a different EXE bound into the larger one (resource) (lo*der.exe (main app (GUI screen))). :p It would have been easier to have a master bat that gets modified at runtime to the user's choice of button. Just shows you that orbit30 is a terrible programmer.

Secondly, the compression program generates a VLD.exe inside an EXE archive. This is used to link the exe to the content contained in the exe archive. In other words, when the user clicks on the .exe, VLD.exe is pre-programmed to execute the batch file to insert the OEM info into system32.

    The actual lo*der is win32, it uses an MS tool to modify the bootstrapper. It installs a modified Linux for Dos bootstrapper to emulate the SLIC tables.

The only thing that is a bit malicious is hstart.exe. This is used to bring up dialogs in the VBScript, and I confirm it does nothing else.

What you find in the hex editor is either from VLD.exe or the vtk script. These are scripts bundled with 7lo*der! And vtk has HTTP and phone API calls. It was renamed from slmgr.vbs. This is a script from MS: SLMGR.vbs, Vista's Licensing Manager.

    TO NOTE: I reversed 1.0, by orbit30 and hazar.

So there you have it. Orbit30 doesn't deserve the reputation he is getting. The lo*der is directly ripped from the Chinese. Hell, the namespace of the program is still named VistaLoader.
     
  11. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
Thanks JakeL. It did not look good to me, but I think I see where you are coming from. Thanks again. I think I will stick with Hazar's original loader, no tish in it :)
     
  12. JakeL

    JakeL MDL Novice

    Aug 1, 2009
    5
    0
    0
    They all have the same codebase, so it doesn't matter. Same loader is on both ends. Orbit30's version just has bloat in it!
     
  13. SongRemainsTheSame

    SongRemainsTheSame MDL Novice

    Jul 20, 2009
    28
    0
    0
    Jackdor and Jakel, please be kind enough to develop a new l**der with a new super-optimized codebase + an awesome GUI, or a totally new concept to render all windows genuine forever, so that you will be heroes! ;)
     
  14. EarlZ

    EarlZ MDL Junior Member

    Aug 1, 2009
    52
    0
    0
    So when can we expect your loader that is free of junk code and is more optimized than orbit/haradz's code?
     
  15. german237

    german237 MDL Novice

    Aug 1, 2009
    37
    0
    0
Orbit30, friend! I wanted to know if version 1.2 is yours and Hazar's, or just a malicious one. Greetings!
     
  16. vadim

    vadim MDL Novice

    Jul 30, 2009
    16
    1
    0
    #16 vadim, Aug 2, 2009
    Last edited: Nov 19, 2009
    ..........
     
  17. Bloodbat

    Bloodbat MDL Novice

    Aug 1, 2009
    38
    0
    0
I won't reverse engineer the thing. It's sensible to check if it contacts somewhere because... well... paranoia is good... but give the guy a break if he wrote the thing in VB.NET (especially after a couple of months)... he's brave... the thing's hideous.
Also, why have a "master" bat that gets modified when you can generate it on the fly with variables? (TextWriter being the simplest method.) Also, if you're using a .bat it probably means you don't need to call the evil WinAPI (which is rather painful to do in .NET, MFC, straight C, Delphi and probably MinGW... trust me), so the best optimization, in the end, would be to do it directly in .NET; after all, the program already asks for "elevation".
If the .exes are in one big resource file, the bloat probably comes from the images used for the OEM stuff (and the pretty UI pictures... and the music... [rather... useless... but some people seem to like having the logo in Sys. Info]).
So... maybe the best course would be to compress the images that compose the UI, leave the OEM ones in all their "crispy" quality, and remove the music.
Just my two cents. Anyway, thanks Hazar and Orbit, the thing works, and that's what matters... especially in this day and age... ~10 megs download in seconds...

    Bloodbat
     
  18. Bagheera

    Bagheera MDL Member

    Jul 21, 2009
    146
    0
    10
I used to program in TP/Delphi and lately in VB. But what the heck... when I have to find out the methods (these loaders use) to write an app for all you demanding cry-babies, it costs me a lot of time... and as a grandpa I am starting WinHexing on BIOSes again... also I have to learn a lot about complex networking right now... (studying packet/frame sniffing)... so I DON'T have the time to do it all by myself... I love the youngsters who solve common problems by making loaders that work! I don't care about size (these days ;) ) or if they are programmed in a decent manner... how many times will you use the loader from Hazar/Orbit30? ...run the loader and be happy..

Orbit30 and Hazar, thanks, and don't be offended!....
     
  19. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
    #19 jackdor, Aug 2, 2009
    Last edited: Aug 2, 2009
    (OP)
If you don't ask the question "why", then it's for you to do and let your computer die.
I just asked because it did not look right:
"Please can someone explain why Hazar + Orbit30's new lo*der tries to contact a server, and why in the code there is a lot of HTML code that has nothing to do with the lo*der side? What's it up to, and why? Please help me understand."

And I also said that if I am wrong then I will apologize.

Hazar + Orbit30, I apologize, but it still didn't look good.
     
  20. jackdor

    jackdor MDL Member

    Jun 20, 2009
    127
    0
    10
You should learn to read the whole thread rather than make smart-arse comments.