TARGET: Teleport Pro V1.29 (Build 1107)
After reading Noos's essay I re-checked my findings today (late, but who cares...)

First I have to apologize for my 'false' (not so false at all) warning.
Everything that Noos wrote in Delving deeper into Teleport Pro 1.29
(October 2000) was correct, so I asked Fravia+ to remove my old essay.
I was a little bit too 'voreilig' (hasty) - sorry guys... Anyway, I want to make some
additions to Noos's essay:

TENMAX does not retrieve any data about you (except your IP), but there are several
hidden triggers inside the code, e.g. look at this:

1)

:0041A110 50                push eax
:0041A111 8D4DEC            lea ecx, dword ptr [ebp-14]
:0041A114 E89267FFFF        call 004108AB
:0041A119 81382C010000      cmp dword ptr [eax], 0000012C      <- 300 connections?
:0041A11F 0F8EF5010000      jle 0041A31A                       <- skip if lower or equal
:0041A125 51                push ecx
:0041A126 8B8E96100000      mov ecx, dword ptr [esi+00001096]
:0041A12C 8BC4              mov eax, esp
:0041A12E 8965E4            mov dword ptr [ebp-1C], esp
:0041A131 8908              mov dword ptr [eax], ecx
:0041A133 8D45E4            lea eax, dword ptr [ebp-1C]
:0041A136 50                push eax
:0041A137 8D4DEC            lea ecx, dword ptr [ebp-14]
:0041A13A E86C67FFFF        call 004108AB
:0041A13F 8138F0000000      cmp dword ptr [eax], 000000F0      <- 240 connections?
:0041A145 0F8ECF010000      jle 0041A31A                       <- skip if lower or equal
:0041A14B 389E95100000      cmp byte ptr [esi+00001095], bl
:0041A151 0F843D010000      je 0041A294                        <- get update.txt from tenmax.com

As you can see, the 'call 004108AB' hands back in EAX a pointer to the value that is
compared against the thresholds, so let's take a look at it.

* Referenced by a CALL at Addresses:
|:0040919E, :0040E748, :0040FC53, :0041089D
|:00411B05, :00419F00, :0041A114, :0041A13A, :0041A34D, :0041A42C, :00426165
|
:004108AB 8B09              mov ecx, dword ptr [ecx]
:004108AD 8B442404          mov eax, dword ptr [esp+04]
:004108B1 2B4C2408          sub ecx, dword ptr [esp+08]
:004108B5 8908              mov dword ptr [eax], ecx
:004108B7 C20800            ret 0008

Quite a lot of references... Note what this little routine really does: ECX is a
'this' pointer to a DWORD, the DWORD passed at [esp+08] is subtracted from it, the
difference is written to the DWORD whose address was passed at [esp+04], and that
address is returned in EAX. So the two checks above compare a *difference* (the
value at [ebp-14] minus the value pushed from [esi+1096]) with 300 and 240; whether
that difference counts connections or something else (seconds, for instance) you can
only tell by tracing where [ebp-14] and [esi+1096] get filled in.

Ok, now let's take a look at some of the references...

:0041A114 <- do something (what?) after >300 connections
:0041A13A <- get update.txt after >240 connections
:0041A34D <- do something (what?) after >60 connections

Ok, some of the references are just to display the progress etc.,
but others should be worth a closer look... Unfortunately
I don't have the time to do this now. I just wanted to show you some
of the *obvious* triggers (if they used random numbers it
wouldn't be SO obvious - maybe there are already some randoms inside...)
I am still not sure if Teleport is as harmless as it seems to be...
Take a closer look at ALL references, if you have the time! I bet that one
of those references is near the 'registered?' check because AFAIK Teleport
has some internal fetch-limits, but as we don't want to cr*ck this target you
should ignore it (if you can ;) - we are just looking for sniffing actions...

2)

We can remove these checks (to speed up Teleport) with a hex editor
and modify the trigger values, e.g. to 0x7fffffff (NOT 0xffffffff: jle is a
signed compare, so against -1 the skip would never be taken and the trigger
would fire every time) OR change the jle's etc., but if you do it you have
to remove the silly self-check of Teleport:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B4C8(U)
|
:0040B4CC 3BFB              cmp edi, ebx
:0040B4CE 5F                pop edi
:0040B4CF 741C              je 0040B4ED
:0040B4D1 A1EC964700        mov eax, dword ptr [004796EC]
:0040B4D6 3B30              cmp esi, dword ptr [eax]
:0040B4D8 7413              je 0040B4ED          <- e.g. change '74' to 'EB' (jmp short)
:0040B4DA 53                push ebx                (of course there are other ways, too)
:0040B4DB 53                push ebx

* Possible StringData Ref from Data Obj ->"This program has been altered, "
                                        ->"possibly by a virus; program execution "
                                        ->"will stop now."
                                  |
:0040B4DC 68FC964700        push 004796FC
:0040B4E1 E83BE20300        call 00449721

3)

If you don't want to modify Teleport, but want it to stop connecting to
tenmax.com (and trying to retrieve the non-existent update.txt, giving them
your IP - btw: the tenmax server responds with 'access forbidden')
you can simply add "127.0.0.1 www.tenmax.com" to your Windows HOSTS file...

that's it... bye, faulpelz (thx to Noose for correcting me... ;)
- 'Faulpelz', January 2001
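As an added example (not code from Faulpelz's essay, nor anything from Tenmax) here is a small Python patcher that applies the two modifications discussed in section 2 without computing file offsets by hand: it locates the code by the opcode bytes shown in the listings, raises the 300/240 thresholds (or turns the jle's into jumps) and flips the self-check's 'je' into a 'jmp'. It also shows why the threshold has to be 0x7FFFFFFF rather than 0xFFFFFFFF by simulating the signed compare. The only assumptions are the byte sequences, which are copied from the listings above; the SAMPLE_IMAGE it runs on is constructed from those bytes plus filler and is not a real Teleport Pro executable.

```python
"""Signature-based patcher for the trigger checks and self-check of Teleport Pro 1.29.

Added example; all opcode bytes come from the W32Dasm listings in the essay.
SAMPLE_IMAGE is a CONSTRUCTED stand-in, not the real executable.
"""

# 'cmp dword ptr [eax], imm32' (81 38 imm32) followed by the 'jle 0041A31A' (0F 8E rel32)
# that skips the trigger body. imm32 sits at +2, the jle opcode at +6, rel32 at +8.
TRIGGER_SIGS = {
    ">300 check at :0041A119": bytes.fromhex("81382C010000" "0F8EF5010000"),
    ">240 check at :0041A13F": bytes.fromhex("8138F0000000" "0F8ECF010000"),
}

# :0040B4CC..:0040B4DB of the self-check; the 'je 0040B4ED' at :0040B4D8 is '74 13'.
SELFCHECK_SIG = bytes.fromhex("3BFB" "5F" "741C" "A1EC964700" "3B30" "7413" "53" "53")
SELFCHECK_JE_OFF = 12  # index of the '74 13' inside SELFCHECK_SIG
assert SELFCHECK_SIG[SELFCHECK_JE_OFF:SELFCHECK_JE_OFF + 2] == b"\x74\x13"

NEW_THRESHOLD = 0x7FFFFFFF  # INT_MAX: a signed 'jle' against it is always taken


def s32(x):
    """Reinterpret a 32-bit value as the signed integer 'jle' compares."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def trigger_fires(counter, threshold):
    """'cmp [eax], threshold ; jle skip': the trigger body runs only when the
    jump is NOT taken, i.e. when counter > threshold in signed arithmetic."""
    return s32(counter) > s32(threshold)


def find_unique(buf, sig):
    """Offset of sig in buf; refuse to patch if it is missing or ambiguous."""
    pos = buf.find(sig)
    if pos < 0 or buf.find(sig, pos + 1) >= 0:
        raise ValueError("signature missing or not unique: " + sig.hex())
    return pos


def patch_bytes(buf, off, new):
    return buf[:off] + new + buf[off + len(new):]


def patch_triggers(buf, mode="threshold"):
    """mode 'threshold': imm32 -> 0x7FFFFFFF, so the existing jle always skips.
    mode 'jmp': replace the 6-byte 'jle rel32' (0F 8E) by 'nop ; jmp rel32' (90 E9);
    the 5-byte E9 ends exactly where the jle ended, so the rel32 stays valid."""
    for _label, sig in TRIGGER_SIGS.items():
        off = find_unique(buf, sig)
        if mode == "threshold":
            buf = patch_bytes(buf, off + 2, NEW_THRESHOLD.to_bytes(4, "little"))
        elif mode == "jmp":
            buf = patch_bytes(buf, off + 6, b"\x90\xE9")
        else:
            raise ValueError("unknown mode: " + mode)
    return buf


def patch_selfcheck(buf):
    """'je 0040B4ED' (74 13) -> 'jmp short' (EB 13), same 8-bit displacement."""
    off = find_unique(buf, SELFCHECK_SIG) + SELFCHECK_JE_OFF
    return patch_bytes(buf, off, b"\xEB")


def harden(buf, mode="threshold"):
    """Apply the trigger patch and, as the essay insists, the self-check patch."""
    return patch_selfcheck(patch_triggers(buf, mode))


def diff_offsets(a, b):
    """Offsets at which two equally long images differ (to review the patch)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample: filler, the self-check bytes (:0040B4CC..:0040B4E5), filler,
# the trigger block (:0041A110..:0041A156), filler.
TRIGGER_BLOCK = bytes.fromhex(
    "50" "8D4DEC" "E89267FFFF" "81382C010000" "0F8EF5010000" "51" "8B8E96100000"
    "8BC4" "8965E4" "8908" "8D45E4" "50" "8D4DEC" "E86C67FFFF" "8138F0000000"
    "0F8ECF010000" "389E95100000" "0F843D010000"
)
SELFCHECK_BLOCK = SELFCHECK_SIG + bytes.fromhex("68FC964700" "E83BE20300")
FILL = b"\xCC" * 32
SAMPLE_IMAGE = FILL + SELFCHECK_BLOCK + FILL + TRIGGER_BLOCK + FILL

if __name__ == "__main__":
    for thr in (0x12C, 0xFFFFFFFF, 0x7FFFFFFF):
        print("threshold %08X: counter 301 fires=%s" % (thr, trigger_fires(301, thr)))
    patched = harden(SAMPLE_IMAGE)
    print("threshold mode changed offsets:", diff_offsets(SAMPLE_IMAGE, patched))
    print("jmp mode changed offsets:", diff_offsets(SAMPLE_IMAGE, harden(SAMPLE_IMAGE, "jmp")))
```

To use it on the real file, read a backup copy into a bytes object in place of SAMPLE_IMAGE, write the result of harden() to a new file and compare diff_offsets() against what you expect (9 bytes in threshold mode, 5 in jmp mode); find_unique() aborts rather than patching if a signature appears more than once, which is the check a hex-editor session lacks.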