PARSING THE CHAT LOG AND DEOBFUSCATING THE REGISTRY FOR GIGATRIBE VERSION 2.5

CONTENTS
Purpose
Note
Tools Used
Deobfuscating the Registry
Parsing the Chat Log
    Text Presentation Codes
Thanks
Contact

PURPOSE
The purpose of this paper is to further the very good work completed by Vuyk in 2009 and described in his paper: GigaTribe Forensic Guide. Specifically, this paper details the structure of the chat log created by GigaTribe and addresses Vuyk’s specific point of deobfuscating the paths and usernames present in the Windows Registry.

NOTE
My research has been carried out using GigaTribe version 2.52; a newer version of GigaTribe (version 3) is now available which uses different files. Consequently, the usefulness of this paper is limited to the older version of GigaTribe.

TOOLS USED
- GigaTribe 2.52
- WinHex 13.8 SR-4

DEOBFUSCATING THE REGISTRY
The obfuscation used by GigaTribe is very simple: it is basic ASCII value maths. In the user's NTUSER.DAT, there are two obfuscated values at the following locations:

HKCU\Software\ShalSoft\GigaTribe\SessionPassword
HKCU\Software\ShalSoft\GigaTribe\SessionUsername

Note: SessionPassword may be missing if the SessionStorePassword value is off, that is, 0.

In my example the values are as follows:

SessionPassword  0x410F12949e919091cacbc6c7
SessionUsername  0x410F12949e919091cacbc6c7

It can be seen that in my example both values are the same. In this instance the password is indeed the same as the username. As suggested by Vuyk, 0x410F1294 seems to be a prefix for obfuscated data, so this should be removed:

Prefix 0x410F1294

Data 9e919091cacbc6c7

Next, the data part should be split into pairs of characters: 9e 91 90 91 ca cb c6 c7

These values have been arrived at by subtracting the value of the original character from 255: 255 - Cu = Co, where Cu is the character as entered by the user and Co is the obfuscated character. So to work this back, Co is subtracted from 255 (Cu = 255 - Co).

Co16   Co10   Cu10 (255-Co10)   ASCII of Cu
9e     158    97                a
91     145    110               n
90     144    111               o
91     145    110               n
ca     202    53                5
cb     203    52                4
c6     198    57                9
c7     199    56                8

As can be seen, the username is: anon5498. By applying the same process to the SessionPassword value, the same result would be achieved. The username and password are indeed the same.

Also identified by Vuyk was the Registry key which stores the shared folders:

HKCU\Software\ShalSoft\GigaTribe\anon5498\Sharings

This key is only created once a folder has been shared. The same obfuscation applies:

"My Downloads"="0x410F1294bcc5a3bb909c8a929a918b8cdf9e919bdfac9a8b8b9691988ca3a7af8a8c9a8da3b286dfbb909c8a929a918b8ca3b286dfbb90889193909e9b8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3"

First, strip the prefix, leaving:

bcc5a3bb909c8a929a918b8cdf9e919bdfac9a8b8b9691988ca3a7af8a8c9a8da3b286dfbb909c8a929a918b8ca3b286dfbb90889193909e9b8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3

In this example I shall use hexadecimal values rather than translating into denary values as in the previous example. Therefore the values are subtracted from FF as opposed to 255. The table below is read down the left-hand group of three columns first, then down each group to its right; a blank ASCII cell is a space character.

Co16 Cu16 ASCII   Co16 Cu16 ASCII   Co16 Cu16 ASCII   Co16 Cu16 ASCII
bc   43   C       8b   74   t       9c   63   c       8c   73   s
c5   3A   :       8b   74   t       8a   75   u       c4   3B   ;
a3   5C   \       96   69   i       92   6D   m       dc   23   #
bb   44   D       91   6E   n       9a   65   e       c4   3B   ;
90   6F   o       98   67   g       91   6E   n       ce   31   1
9c   63   c       8c   73   s       8b   74   t       c4   3B   ;
8a   75   u       a3   5C   \       8c   73   s       ce   31   1
92   6D   m       a7   58   X       a3   5C   \       cf   30   0
9a   65   e       af   50   P       b2   4D   M       cb   34   4
91   6E   n       8a   75   u       86   79   y       c7   38   8
8b   74   t       8c   73   s       df   20           ca   35   5
8c   73   s       9a   65   e       bb   44   D       c8   37   7
df   20           8d   72   r       90   6F   o       c9   36   6
9e   61   a       a3   5C   \       88   77   w       cf   30   0
91   6E   n       b2   4D   M       91   6E   n       cf   30   0
9b   64   d       86   79   y       93   6C   l       cf   30   0
df   20           df   20           90   6F   o       c4   3B   ;
ac   53   S       bb   44   D       9e   61   a       ce   31   1
9a   65   e       90   6F   o       9b   64   d       d3   2C   ,

Therefore, the registry value “My Downloads” is: C:\Documents and Settings\XPuser\My Documents\My Downloads;#;1;1048576000;1,

FIGURE 1: SHARED FOLDERS WITHIN GIGATRIBE

Clearly there is some additional information after the path (;#;1;1048576000;1,). I was unable to determine what this data represents.
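The two worked decodings above follow the same rule, so they can be automated. The script below is an added example written for this page, not the author's own "Registry Deobfuscator"; it strips the 0x410F1294 prefix, applies Cu = 255 - Co to every byte, reproduces the paper's Co16/Co10/Cu10/ASCII table, and splits a decoded Sharings value into the path and the trailing ;-separated fields whose meaning the paper could not determine. The two input values are the paper's own; the function and field names are this example's.

```python
"""Deobfuscate GigaTribe 2.5x registry values (added example, not the author's tool)."""

PREFIX = "0x410F1294"  # prefix observed on obfuscated values in the paper


def deobfuscate(value):
    """Strip the prefix and map every obfuscated byte Co back to Cu = 255 - Co."""
    if not value.lower().startswith(PREFIX.lower()):
        raise ValueError("value does not start with the expected prefix " + PREFIX)
    data = value[len(PREFIX):]
    if len(data) % 2 or any(ch not in "0123456789abcdefABCDEF" for ch in data):
        raise ValueError("data after the prefix is not a whole number of hex byte pairs")
    return "".join(chr(255 - int(data[i:i + 2], 16)) for i in range(0, len(data), 2))


def decode_table(value):
    """Return rows (Co16, Co10, Cu10, Cu) in the layout of the paper's worked table."""
    deobfuscate(value)  # validates prefix and hex digits before we build the rows
    data = value[len(PREFIX):]
    rows = []
    for i in range(0, len(data), 2):
        co = int(data[i:i + 2], 16)
        rows.append((data[i:i + 2], co, 255 - co, chr(255 - co)))
    return rows


def parse_sharing(value):
    """Decode a ...\\Sharings value and split off the fields after the path.

    The paper observed the layout '<path>;#;1;1048576000;1,' without
    determining what the trailing fields mean, so they are returned raw.
    """
    decoded = deobfuscate(value)
    fields = decoded.rstrip(",").split(";")
    return {"path": fields[0], "trailing": fields[1:], "raw": decoded}


# Values taken from the paper's own example (SessionUsername and "My Downloads").
SESSION_USERNAME = "0x410F12949e919091cacbc6c7"
MY_DOWNLOADS = (
    "0x410F1294"
    "bcc5a3bb909c8a929a918b8cdf9e919bdfac9a"
    "8b8b9691988ca3a7af8a8c9a8da3b286dfbb90"
    "9c8a929a918b8ca3b286dfbb90889193909e9b"
    "8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3"
)

if __name__ == "__main__":
    print("SessionUsername ->", deobfuscate(SESSION_USERNAME))
    for co16, co10, cu10, cu in decode_table(SESSION_USERNAME):
        print(f"{co16}  {co10:3d}  {cu10:3d}  {cu}")
    share = parse_sharing(MY_DOWNLOADS)
    print("My Downloads path ->", share["path"], "trailing:", share["trailing"])
```

When run against a live NTUSER.DAT the values would be read from the Registry key named above; here they are embedded so the script runs offline. The prefix check is deliberate: a value without 0x410F1294 is not known to be obfuscated and should be looked at by hand rather than silently decoded.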

PARSING THE CHAT LOG
Also identified by Vuyk is the existence of a chat log, stored at the following location:

C:\Documents and Settings\<WindowsUser>\Application Data\GigaTribe\ChatHistory <GigaTribeUser>.bin

By engineering a number of small chat logs it was possible to break down the component parts. Below is such a breakdown of a chat log which contains only one message:

FIGURE 2: BREAKDOWN OF CHAT MESSAGE

Part   Offset   Data Type   Relevance
A      0x00     Int32       Signature, always seen as 0xCHAO.
B      0x04     Int32       Number of messages in this log.
C      0x08     Int32       Unix timestamp for the message that follows.
D      0x0C     Int32       Number of characters in the message that follows.
E      0x10     ASCII       The actual message in ASCII.
F      0x2B     Int32       ID of the sender of the message.
G      0x2F     Int32       Private message flag.

By manipulating the ID of the sender within the file and then opening GigaTribe it was possible to "trick" GigaTribe into displaying an incorrect username as the sender of the message. However, if an ID from a user who was not a friend of the logged-in user was edited into the file, the message was simply not displayed in GigaTribe. This implies some kind of lookup performed by the GigaTribe software. During the research the 'private message flag' was only ever seen to be 0 or 1 (in fact setting it to 2 seemed to cause GigaTribe to delete the log file!). If set to 1, another user ID then followed. A message such as this appears in the user's 'Private messages' tab rather than the 'Public messages' tab.

For more messages, parts C through to G are repeated for each message. Below is an extract of a chat log showing the ‘Private message flag’ with a value of 1, and then an extra Int32, before the start of the next message record:

FIGURE 3: RECORD WITH THE EXTRA INT32

Part   Offset   Data Type   Relevance
A      0x2D0    Int32       Unix timestamp for the message that follows.
B      0x2D4    Int32       Number of characters in the message that follows.
C      0x2D8    ASCII       The actual message in ASCII.
D      0x2EE    Int32       ID of the sender of the message.
E      0x2F2    Int32       Private message flag.
F      0x2F6    Int32       ID of the recipient of the private message.

TEXT PRESENTATION CODES
Within GigaTribe's chat, users can choose some basic formatting for their messages: bold, italic, underline, colour. These formats are transmitted with the message itself. Below is an example of such a formatted message:

Hi, /b/cff0000my/b/c000000 /cff0000name/c000000's /u/cff0000ymous555/u/c000000!

In this example the formatters /b, /cXXXXXX and /u have been used. These represent bold, colour and underline respectively. After the colour formatter are six hexadecimal characters; these are "web colours", that is three pairs for red, green and blue. Properly formatted, this message would look as follows:

Hi, my name's ymous555!

Other codes seen in the messages:

Code             Explanation
/i               Italics.
/oXXX            /o seems to be followed by three digits, for example /o001 displays as a sad smiley and /o002 displays as a happy smiley. In the free version of GigaTribe used during testing no option for inserting emoticons was immediately apparent.
/l<username>/l   Seems to be a link of some sort. Always seen in the context of inviting another user.

THANKS
D/Sgt. Les Vuyk, Niagara Regional Police Service, Technological Crime Unit.
- GigaTribe Forensic Guide
  o http://www.scribd.com/doc/30524658/Gigatribe-Spy

CONTACT
forensicgeekinthecorner@gmail.com
- Chat Log Parser and Registry Deobfuscator available on request.
