After both threads have been run there is a call to sub_00402CF7 which I named netcode1.
This method starts by trying to resolve the hostname perdesi.magicshells.org.
After resolving the hostname, there is another call to sub_0040AF58:
sub_0040AF58(&var_2c, 4, 1, 0)
Let's take a closer look at sub_0040AF58.
This function takes 4 arguments. The first argument is the address of a variable. This is to be passed to other functions that may be called inside sub_0040AF58.
The second argument is an index to decide which function is to be called, from an array of functions.
The third indicates whether sub_0040AEB0 should be called, and finally the fourth argument is a string to be compared against a list of strings.
This time, according to our arguments, sub_0040AEB0 will be called. This function checks to see if there is a running mIRC instance.
The function located at array[4] calls GetLocaleInfo with locale set to LOCALE_SYSTEM_DEFAULT and LCType set to LOCALE_SABBREVCTRYNAME. Once the abbreviated country name is retrieved, a '|' is appended to it, followed by 5 random numbers.
If mIRC was running at the time sub_0040AEB0 was called, '[M]' is the prefix of the newly created string.
Since our bot will connect to an IRC server, this string is going to be used as the nick.
netcode1 proceeds with the connection to the IRC server (by connecting to perdesi.magicshells.org), and after logging in, it tries to join the channel '#r00lz#' with password 'r0lzxz'.
After spending some time debugging sub_402FD2 (which is responsible for handling the IRC protocol), I found that at address 403985 a check takes place to see if the first char of the message is a '.'. I assumed this should represent that whatever came after the '.' should be interpreted as a command.
The commands will be explored in a future post.
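The indicators described above (nick format, channel, channel key and the '.' command prefix) can be turned into a check over captured IRC lines. The following is an added example, not code from the sample or from the original post; the function names, the sample lines and the exact nick pattern (2-3 letters, five decimal digits) are assumptions.

```python
import re

# Indicators taken from the analysis above.
C2_CHANNEL, C2_KEY = "#r00lz#", "r0lzxz"
# Assumption: the country abbreviation is 2-3 letters and the "5 random
# numbers" are five decimal digits; '[M]' appears only if mIRC was running.
NICK_RE = re.compile(r"^(\[M\])?[A-Za-z]{2,3}\|\d{5}$")

def parse_irc(line):
    """Split a raw IRC line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split() or [""]
    if sep:
        parts.append(trailing)
    return prefix, parts[0].upper(), parts[1:]

def classify(line):
    """Return the indicators from the write-up that one IRC line matches."""
    _, cmd, params = parse_irc(line)
    hits = []
    if cmd == "NICK" and params and NICK_RE.match(params[0]):
        hits.append("bot-nick")
    if cmd == "JOIN" and params:
        chans = params[0].split(",")
        keys = params[1].split(",") if len(params) > 1 else []
        for i, chan in enumerate(chans):
            if chan == C2_CHANNEL:
                hits.append("c2-channel")
                if i < len(keys) and keys[i] == C2_KEY:
                    hits.append("c2-key")
    if cmd == "PRIVMSG" and len(params) == 2 and params[1].startswith("."):
        hits.append("dot-command")
    return hits

# Constructed sample lines; ".example" is a placeholder, not a real command.
SAMPLE = [
    "NICK [M]USA|48213",
    "NICK alice",
    "JOIN #r00lz# r0lzxz",
    ":op!u@h PRIVMSG #r00lz# :.example arg",
    ":op!u@h PRIVMSG #r00lz# :hello",
]

def scan(lines):
    return [(raw, classify(raw)) for raw in lines if classify(raw)]
```

A dot-prefixed message on its own is common for ordinary IRC bots, so "dot-command" is only meaningful together with the nick or channel hits from the same host.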