Old 25-04-02, 09:19 PM   #5
butterfly_kisses
Napsterite
Join Date: Apr 2002
Posts: 138
Quote:
teasing sux dude!
Yes, you are quite right... teasing does suck, and I am sorry if I give the appearance of doing that... I do not mean to.

Now let me offer you some comfort and a little reassurance in saying that I will not leave you forever wanting to know more on these things, but I shall fully quench your desire and appetite to know when I am ready.

(I hear a voice say, "you said you were ready now")
I am, but I move in my own time, and when I move it will be powerful and swift, without indecisiveness, and the words spoken will be the truth as I see it.

Now then, how to proceed? Shall I keep this thread to only facts, or should I mix in some allegations which may prove false?

At any rate... a beginning needs to be made.

Sorry, I have strayed off my intended course.

Below is bullshit; sorry, that is the only way I know to describe it.

Here is your last warning and disclaimer before I begin "laying it on thick":

[Warning.... if you do not like what you see here, all you need to do is press the little back button located at the top left of your browser's screen... making a mental note to yourself that what you found here offends you, so that in the future you will know not to make the same mistake of clicking on something you do not wish to read.]

End of disclaimer; on with the bullshit.

Okay, I am proceeding with this day by day as the stream of thought hits me.

What I do is test security mechanisms on the internet. I am a security-conscious individual who looks for and examines possible threats before they are made public knowledge.

Now, with that said, I wanted to tell you all that just as of today I redownloaded kmd.exe (which is the KaZaA Media Desktop installer for version 1.60 of the KaZaA Media Desktop) off of http://download.cnet.com (hope I gave the correct URL).

What does this installer do? That is an excellent question, my friends. To put it simply, it just downloads the file kmd16_en.exe from other people who are running the KaZaA Media Desktop 1.60 software.

Why is this interesting to me?
1) The kmd.exe makes no registry entries concerning KaZaA Net or "connection info" such as the <KaZaA Signature> info that is needed by its installed executable, which is packed with PECompact to about 1.67 MB; however, when uncompressed it reaches the staggering portion of over 3.2 megabytes.

Okay, more on this.

So what are the ramifications to be made by studying just this simple installer file?

A) If this could be broken down and decimated into defining terms as to how it does what it does, then this is a great discovery. What it means to me is that it would act exactly like a download would in KaZaA Media Desktop, only it would not allow or offer you the ability to share files or set upload limits...

How does it work?

I'm not 100 percent sure, but it seems to rely on the same method as the gentleman known as Indy has discussed at length in his other posts... meaning it appears to use the uuhash or "signature" for this file to download from other peers....

Now then, since the connection info (meaning the list of IP addresses that it scans first) is not stored in the registry... and neither is the signature file (signature file referred to here as the encrypted key that is passed between KaZaA clients to allow them to communicate with one another), where are they stored?

My guess would be in memory... so what I did was do a memory dump the best way I knew how, using a utility called Memory Dumper Pro; however, either I am not familiar with using this utility or maybe I just do not know how to interpret the results... basically what happened was I got a lot of binary-looking data, meaning (to me) in the form of hexadecimal notation, which to me, unless it is in some kind of human-readable form, is meaningless.

However, I would almost bet that if the kmd.exe (installer) were uncompressed and decompiled, or a hex editor was used on it, it would indeed show the KaZaA Signature (the encryption key which the clients use to communicate with one another, much like a PGP key).

For those interested, I have a utility for breaking encryption schemes: if you can identify at least a 5-letter string in what is encrypted, then the app I have will use that string value to decrypt the rest of the code.

(Warning: I may be talking out of my ass here about things I know nothing about.... if you think I am full of something... I advise you to go back and follow the instructions in the disclaimer... to those of you still interested, read on... please)

What does this mean? Basically, to a few gifted coders this kmd.exe file could be reverse engineered to become the ultimate leech client for the FastTrack network by using hash files made with the sig2dat program by Indy.

Next point

Okay, while using the new KaZaA 1.60 I made sure to remove the BDE Projector, all reg entries and CLSID values, and also replaced the cd_clint.dll with a dummy.

I got some irregular port calls which I blocked with my firewall. I only allow the KaZaA executable access on port 1214 (at least to my knowledge, anyway).

I use AtGuard 3.22 as my personal firewall and am running Windows 98 with IE 5.5 and SP2 installed. I have a K6-2 500 MHz processor with 256 MB RAM and a 13.2 GB hard drive (posted this info in case it's helpful to know what kind of system I am using; I also have a Soyo EMA+7 motherboard).

I have a few of the irregular port calls documented on my other website, located here: http://kickme.to/kazam (shameless plug.... please visit also http://kazaa.mirrorz.com/ ) [/end shameless plug]

I found a tip by a poster to the Napsterites forum known as, I think it was, Snarkridden (forgive me if I get the name wrong; it is not intentional), who said that if you do a search for resume.dat you would be able to find all the info on a client that you wanted to, and in essence see what the supernode sees... I don't know if I did this correctly, but this does seem to work (more on this another time).

What I did, however, was search for *.cab, and what this showed me was a lot of results that I thought were for people who may have been sharing their entire hard drives, probably because of improper setup, although I've heard there is an exploit for this that involves more than just the common netstat -an ipaddress:1214 browser "hack".

If anyone has more details on the real threat, please PM me with the information or email me at harbynger1901@hotmail.com

Thanks for the info....

Anyway, here is the interesting thing I found: I saw something for BDE secure install, so naturally I searched for, or right-clicked and selected, "find more from same user"; sure enough, this person was sharing their entire hard drive.

Now get this... I think this caused or produced a buffer overflow in the KaZaA app (my definition of buffer overflow is as follows: memory is a temporary storage place for information; each application you have open and running on your computer is allocated (allowed) a certain amount of space in "virtual memory" (i.e., your RAM, 128 MB or whatever it is you have), and when this space is full... there is no more room to add to it... so if somehow something happens that causes more information to be sent to this virtual holding or storage place and it is already full, it would cause the program to crash and/or hang your computer, and you will have to reboot).

Well, this is what happened to me... I got so many results from doing the "find more from same user" that it caused a buffer overflow or overrun in the KaZaA executable, and I had to reboot...

Now get this... in the past, all I would need to do would be to enter the person's IP address with port 1214 into the browser and I'd see all there was to see if they were sharing their whole hard drive like this fellow was.... only this time, for some reason, I could not do that....

Makes me wonder if he/the guy/gal was blocking HTTP requests on port 1214 with his browser, or if the new improved KaZaA 1.60 now acts as a better daemon (port guardian.... more on this later as well).

So far this is as far as I got tonight.... and these are only observations on the program... this is not the seedy underbelly of the people and personalities behind this "great" P2P app.... although I assure you that people with their "personalities" and attitudes do exist, and there are great stories there.... would any of you care to tell yours?

Look forward to your input on my thoughts/observations/speculations and, of course, incessant rumour mongering.

BTW, greetings to Goldenrod.