Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6181 closed task (fixed)

Evaluate Alkasir

Reported by: hellais Owned by: isis
Priority: Medium Milestone:
Component: Archived/Ooni Version:
Severity: Keywords: SponsorH201206
Cc: ioerror, isis, Shondoit Actual Points:
Parent ID: #5865 Points:
Reviewer: Sponsor:

Description

Child Tickets

Change History (6)

comment:1 Changed 7 years ago by Shondoit

Cc: Shondoit added

The installer unpacks the files to a folder.
alkasir.exe, alkasirB.dll, proxy.dll, servrlib.dll, ./ar/alkasir.resources.dll and ./en/alkasir.resources.dll are all .NET binaries.
I've been able to decompile these to C#.
Now, what would be the best course of action to share these amongst ourselves without disclosing it to the public?

Other than that, it contains alkasirS.exe, which looks like a modified version of PuTTY with obfuscation, called PoTTY; see: http://www.mrhinkydink.com/potty.htm
libeay32.dll and ssleay32.dll look like OpenSSL 0.9.8k.
And the folder xulrunner contains all sorts of binaries, which looks like a stock version of xulrunner 1.9.1.
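As an added triage example (not code from this ticket, Shondoit, or Alkasir): a dependency-free check for the CLR runtime header, which is the property that makes alkasir.exe and its DLLs ".NET binaries" in the inventory above. The test image is constructed inline and the file names are illustrative.

```python
import struct
import sys

# PE/COFF layout: DOS header -> e_lfanew -> "PE\0\0" -> COFF header (20 bytes) -> optional header.
# Data directory slot 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) points at the CLR header;
# a non-zero entry is what tools like ILSpy/dnSpy key on to treat the file as a .NET assembly.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def is_dotnet_pe(data: bytes) -> bool:
    """Return True if the PE image has a non-empty CLR data directory entry."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        coff = e_lfanew + 4
        size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        dir_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
        if dir_base is None:
            return False
        num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
        entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR or entry + 8 > opt + size_of_optional:
            return False
        rva, size = struct.unpack_from("<II", data, entry)
        return rva != 0 and size != 0
    except struct.error:  # truncated header: treat as not a valid PE
        return False


def classify(files: dict) -> dict:
    """Map file name -> 'dotnet' | 'native' | 'other' for in-memory file contents."""
    return {name: ("dotnet" if is_dotnet_pe(d) else "native" if d[:2] == b"MZ" else "other")
            for name, d in files.items()}


def build_minimal_pe32(clr_rva: int, clr_size: int) -> bytes:
    """Constructed test image: DOS stub + PE32 header with 16 data directories and no sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)       # i386, opt hdr = 224 bytes
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":  # usage: python triage.py alkasir.exe proxy.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify({path: fh.read()})[path])
```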

comment:2 Changed 7 years ago by isis

Owner: changed from hellais to isis
Status: new → accepted

Neat! Thanks for the help!

I know I asked the other night what tools/steps you took, but would you mind answering again, just so that we've got documentation here on the process?

Also, if you don't want to do the rest of the analysis, you could tarball what you've got so far and send it to me at isis(at)torproject(dot)org. My GPG key is 0x2CDB8B35, and I believe I've given you a card with my fingerprint. If you do still want to do the analysis, I'd be happy to meet with you somewhere and hack the rest of this out.

comment:3 Changed 7 years ago by isis

Status: accepted → needs_review

Shondoit and I reviewed the decompiled source last night and I was deaddropped a copy. Though, I should note that they did pretty much all the work and the analysis, and I just checked in every once in a while to ask questions and see how things were going. Most of the resulting information is Shondoit's discoveries, though I also went over the code to reconfirm.

The wiki page for Alkasir has been filled out with the notes from the review.

Shondoit, ioerror, hellais: do any of you have any additions or comments before I close this ticket?

And Shondoit: Thanks for all your help! You're awesome. :)

comment:4 Changed 7 years ago by Shondoit

Tweaked the wiki page with my findings.

comment:5 in reply to: 4 Changed 7 years ago by isis

Resolution: fixed
Status: needs_review → closed

Replying to Shondoit:

Tweaked the wiki page with my findings.

Thanks! Marking as done.

comment:6 Changed 7 years ago by karsten

Keywords: SponsorH201206 added
Milestone: Sponsor H: June 2012

Switching from using milestones to keywords for sponsor deliverables. See #6365 for details.
