
PARSING THE CHAT LOG AND DEOBFUSCATING THE REGISTRY

FOR GIGATRIBE VERSION 2.5


CONTENTS
Purpose ...................... 1
Note ......................... 1
Tools Used ................... 1
Deobfuscating the Registry ... 1
Parsing the Chat Log ......... 3
  Text Presentation Codes .... 4
Thanks ....................... 4
Contact ...................... 4

PURPOSE
The purpose of this paper is to further the very good work completed by Vuyk in 2009 and described in his paper:
GigaTribe Forensic Guide. Specifically, this paper details the structure of the chat log created by GigaTribe and addresses
Vuyk’s specific point of deobfuscating the paths and usernames present in the Windows Registry.

NOTE
My research has been carried out using GigaTribe version 2.52; a newer version of GigaTribe (version 3) is now available
which uses different files. Consequently, the usefulness of this paper is limited to the older version of GigaTribe.

TOOLS USED
- GigaTribe 2.52
- WinHex 13.8 SR-4

DEOBFUSCATING THE REGISTRY


The obfuscation used by GigaTribe is very simple. It is basic ASCII value maths.

In the user’s NTUSER.DAT, there are two obfuscated values at the following locations:

HKCU\Software\ShalSoft\GigaTribe\SessionPassword
HKCU\Software\ShalSoft\GigaTribe\SessionUsername

Note: SessionPassword may be missing if the SessionStorePassword value is off, that is, 0.

In my example the values are as follows:


SessionPassword   0x410F12949e919091cacbc6c7
SessionUsername   0x410F12949e919091cacbc6c7

It can be seen that in my example both values are the same. In this instance the password is indeed the same as the
username.

As suggested by Vuyk, the 0x410F1294 seems to be a prefix for obfuscated data, so this should be removed:

Prefix       Data
0x410F1294   9e919091cacbc6c7

Next, the data part should be split into pairs of characters:

9e 91 90 91 ca cb c6 c7

These values have been arrived at by subtracting the value of the original character from 255:

255 - Cu = Co

where Cu is the character as entered by the user, and Co is the obfuscated character. To work this back, Co is
subtracted from 255 (Cu = 255 - Co).

Co16                 9e    91    90    91    ca    cb    c6    c7
Co10                 158   145   144   145   202   203   198   199
Cu10 (255 - Co10)    97    110   111   110   53    52    57    56
ASCII of Cu          a     n     o     n     5     4     9     8

As can be seen, the username is: anon5498. By applying the same process to the SessionPassword value, the same
result would be achieved. The username and password are indeed the same.

Also identified by Vuyk was the Registry key which stores the shared folders:
HKCU\Software\ShalSoft\GigaTribe\anon5498\Sharings

This key is only created once a folder has been shared. The same obfuscation applies:
"My Downloads"=
"0x410F1294bcc5a3bb909c8a929a918b8cdf9e919bdfac9a8b8b9691988ca3a7af8a8c9a8da3b286dfbb909c8a929a918b8ca3b286dfbb90889193909e9b8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3"

First, strip the prefix, leaving:


bcc5a3bb909c8a929a918b8cdf9e919bdfac9a8b8b9691988ca3a7af8a8c9a8da3b286dfbb909c8a929a918b8ca3b286dfbb90889193909e9b8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3

In this example I shall use hexadecimal values rather than translating into denary values as in the previous example.
Therefore the values are subtracted from FF as opposed to 255.

Co16    bc c5 a3 bb 90 9c 8a 92 9a 91 8b 8c df 9e 91 9b df ac 9a
Cu16    43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65
ASCII   C  :  \  D  o  c  u  m  e  n  t  s  ␣  a  n  d  ␣  S  e

Co16    8b 8b 96 91 98 8c a3 a7 af 8a 8c 9a 8d a3 b2 86 df bb 90
Cu16    74 74 69 6E 67 73 5C 58 50 75 73 65 72 5C 4D 79 20 44 6F
ASCII   t  t  i  n  g  s  \  X  P  u  s  e  r  \  M  y  ␣  D  o

Co16    9c 8a 92 9a 91 8b 8c a3 b2 86 df bb 90 88 91 93 90 9e 9b
Cu16    63 75 6D 65 6E 74 73 5C 4D 79 20 44 6F 77 6E 6C 6F 61 64
ASCII   c  u  m  e  n  t  s  \  M  y  ␣  D  o  w  n  l  o  a  d

Co16    8c c4 dc c4 ce c4 ce cf cb c7 ca c8 c9 cf cf cf c4 ce d3
Cu16    73 3B 23 3B 31 3B 31 30 34 38 35 37 36 30 30 30 3B 31 2C
ASCII   s  ;  #  ;  1  ;  1  0  4  8  5  7  6  0  0  0  ;  1  ,

(␣ marks a space character, 0x20.)

Therefore, the registry value “My Downloads” is:


C:\Documents and Settings\XPuser\My Documents\My Downloads;#;1;1048576000;1,

FIGURE 1: SHARED FOLDERS WITHIN GIGATRIBE

Clearly there is some additional information after the path: ;#;1;1048576000;1,. I was unable to discern the
relevance of this data.
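The two worked examples above (the session username and the "My Downloads" sharing) can be reproduced with the following Python script. It is an added example, not from the paper and not GigaTribe's own code: it implements the 0x410F1294 prefix check and the Cu = 255 - Co rule exactly as described, and the input strings are the paper's own values. The function names deobfuscate, obfuscate and split_sharing are mine; split_sharing only separates the path from the unexplained trailing fields and does not interpret them.

```python
# Added example, not from the paper: reverses the GigaTribe 2.5 registry obfuscation
# described above (prefix 0x410F1294, then every byte is 255 minus the original
# character). The value strings below are the paper's own; the helper names are mine.

PREFIX = "410f1294"  # 4-byte prefix observed in front of obfuscated data


def deobfuscate(value: str) -> str:
    """Recover the text behind a SessionUsername, SessionPassword or Sharings value."""
    hexstr = value.strip()
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    if hexstr[:8].lower() != PREFIX:
        raise ValueError(f"unexpected prefix {hexstr[:8]!r}; not an obfuscated value")
    data = hexstr[8:]
    if len(data) % 2:
        raise ValueError("odd number of hex digits after the prefix")
    obfuscated = bytes.fromhex(data)
    # Cu = 255 - Co for every byte (the same as XOR with 0xFF)
    plain = bytes(255 - b for b in obfuscated)
    # All observed values decode as plain ASCII; fail loudly rather than guess a charset
    return plain.decode("ascii")


def obfuscate(text: str) -> str:
    """Inverse of deobfuscate(); handy for building test data."""
    body = bytes(255 - b for b in text.encode("ascii"))
    return "0x410F1294" + body.hex()


def split_sharing(decoded: str):
    """Split a decoded Sharings value into the path and the trailing ';'-separated fields.

    The paper found no meaning for the suffix (e.g. ';#;1;1048576000;1,'), so the
    fields are returned as-is rather than interpreted.
    """
    path, _, rest = decoded.partition(";")
    return path, rest.rstrip(",").split(";")


# Values taken from the paper
SESSION_USERNAME = "0x410F12949e919091cacbc6c7"
MY_DOWNLOADS = (
    "0x410F1294"
    "bcc5a3bb909c8a929a918b8cdf9e919bdfac9a8b8b9691988ca3a7af8a8c9a8da3b286dfbb909c8a929a918b8ca3b286df"
    "bb90889193909e9b8cc4dcc4cec4cecfcbc7cac8c9cfcfcfc4ced3"
)

if __name__ == "__main__":
    print(deobfuscate(SESSION_USERNAME))  # anon5498
    path, fields = split_sharing(deobfuscate(MY_DOWNLOADS))
    print(path)
    print(fields)
```

Because the transform is its own inverse up to the prefix, obfuscate() is useful for generating known-answer fixtures when testing a parser against other GigaTribe 2.5 installations.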

PARSING THE CHAT LOG


Also identified by Vuyk is the existence of a chat log, stored at the following location:

C:\Documents and Settings\<WindowsUser>\Application Data\GigaTribe\ChatHistory\<GigaTribeUser>.bin

By engineering a number of small chat logs it was possible to break down the component parts. Below is such a
breakdown of a chat log containing only one message:

FIGURE 2: BREAKDOWN OF CHAT MESSAGE

Part   Offset   Data type   Relevance
A      0x00     Int32       Signature, always seen as 0xCHAO.
B      0x04     Int32       Number of messages in this log.
C      0x08     Int32       Unix timestamp for the message that follows.
D      0x0C     Int32       Number of characters in the message that follows.
E      0x10     ASCII       The actual message in ASCII.
F      0x2B     Int32       ID of the sender of the message.
G      0x2F     Int32       Private message flag.

By manipulating the ID of the sender within the file and then opening GigaTribe it was possible to “trick” GigaTribe into
displaying an incorrect username as the sender of the message. However, if the ID of a user who was not a friend of the
logged-in user was edited into the file, the message was simply not displayed in GigaTribe. This implies some kind of
lookup performed by the GigaTribe software.

During the research the ‘private message flag’ was only ever seen to be 0 or 1 (in fact setting it to 2 seemed to cause
GigaTribe to delete the log file!). If set to 1, another user ID then followed. A message such as this appears in the user’s
‘Private messages’ tab rather than the ‘Public messages’ tab.
For more messages, parts C through to G are repeated for each message.

Below is an extract of a chat log showing the ‘Private message flag’ with a value of 1, and then an extra Int32, before the
start of the next message record:

FIGURE 3: RECORD WITH THE EXTRA INT32

Part   Offset   Data type   Relevance
A      0x2D0    Int32       Unix timestamp for the message that follows.
B      0x2D4    Int32       Number of characters in the message that follows.
C      0x2D8    ASCII       The actual message in ASCII.
D      0x2EE    Int32       ID of the sender of the message.
E      0x2F2    Int32       Private message flag.
F      0x2F6    Int32       ID of the recipient of the private message.
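Figures 2 and 3 together describe enough of the layout to write a parser. The Python script below is an added example, not part of the paper and not GigaTribe's code. It assumes the Int32 fields are little-endian (the paper does not state the byte order) and that the 0xCHAO signature denotes the four ASCII bytes C, H, A, O; the sample log, its user IDs and its message text are constructed here. Every length field is bound-checked before use, and parsing stops on a private-message flag other than 0 or 1, since the record layout beyond that point is unknown.

```python
import struct
from datetime import datetime, timezone

# Added example, not from the paper or from GigaTribe. Assumptions: Int32 fields are
# little-endian (byte order is not stated in the paper) and the "0xCHAO" signature of
# Figure 2 is the four ASCII bytes 'C' 'H' 'A' 'O'.
SIGNATURE = b"CHAO"
HEADER_LEN = 8  # parts A and B: signature + message count


def parse_chat_log(data: bytes) -> list:
    """Parse a <GigaTribeUser>.bin chat log into a list of message records."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short to hold a header")
    if data[:4] != SIGNATURE:
        raise ValueError(f"unexpected signature {data[:4]!r}")
    (count,) = struct.unpack_from("<i", data, 4)
    records = []
    offset = HEADER_LEN
    for index in range(count):
        start = offset
        # Parts C and D: Unix timestamp and character count of the message
        if offset + 8 > len(data):
            raise ValueError(f"message {index}: record header runs past end of file")
        timestamp, length = struct.unpack_from("<ii", data, offset)
        offset += 8
        # Part E: the message text; the length comes from the file, so bound-check it
        if length < 0 or offset + length + 8 > len(data):
            raise ValueError(f"message {index}: length {length} runs past end of file")
        text = data[offset:offset + length].decode("ascii", errors="replace")
        offset += length
        # Parts F and G: sender ID and private-message flag
        sender, private = struct.unpack_from("<ii", data, offset)
        offset += 8
        record = {
            "offset": start,
            "timestamp": timestamp,
            "utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "text": text,
            "sender": sender,
            "private": private,
        }
        if private == 1:
            # Figure 3: a private message carries one extra Int32, the recipient ID
            if offset + 4 > len(data):
                raise ValueError(f"message {index}: recipient ID missing")
            (record["recipient"],) = struct.unpack_from("<i", data, offset)
            offset += 4
        elif private != 0:
            # Only 0 and 1 were observed; anything else means the layout is unknown
            raise ValueError(f"message {index}: unexpected private flag {private}")
        records.append(record)
    return records


def build_chat_log(messages) -> bytes:
    """Build a log in the same layout; used here only to construct sample input."""
    out = bytearray(SIGNATURE + struct.pack("<i", len(messages)))
    for m in messages:
        text = m["text"].encode("ascii")
        out += struct.pack("<ii", m["timestamp"], len(text)) + text
        out += struct.pack("<ii", m["sender"], 1 if "recipient" in m else 0)
        if "recipient" in m:
            out += struct.pack("<i", m["recipient"])
    return bytes(out)


# Constructed sample: one public and one private message (user IDs are made up).
# The first message is 27 characters long so that its sender ID lands at 0x2B and
# its flag at 0x2F, matching the offsets in Figure 2.
SAMPLE_LOG = build_chat_log([
    {"timestamp": 1262304000, "text": "Hello from the public room!", "sender": 1001},
    {"timestamp": 1262304060, "text": "Private hello", "sender": 1002, "recipient": 1001},
])

if __name__ == "__main__":
    for record in parse_chat_log(SAMPLE_LOG):
        print(record)
```

The "offset" of each record is kept so that a finding can be pointed back to in WinHex; a real log should be read with open(path, "rb").read() and passed to parse_chat_log().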

TEXT PRESENTATION CODES


Within GigaTribe’s chat, users can choose some basic formatting for their messages: bold, italic, underline, colour. These
formats are transmitted with the message itself. Below is an example of such a formatted message:

Hi, /b/cff0000my/b/c000000 /cff0000name/c000000's /u/cff0000ymous555/u/c000000!

In this example the formatters /b, /cXXXXXX and /u have been used, representing bold, colour and underline respectively.
The six hexadecimal characters after the colour formatter are a “web colour”, that is, three pairs for red, green and blue.
Properly formatted this message would look as follows:

Hi, my name’s ymous555!

Other codes in the messages seen:

Code             Explanation
/i               Italics
/oXXX            /o seems to be followed by three digits, for example /o001 displays as a sad smiley and
                 /o002 displays as a happy smiley. In the free version of GigaTribe used during testing no
                 option for inserting emoticons was immediately apparent.
/l<username>/l   Seems to be a link of some sort. Always seen in the context of inviting another user.
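When triaging a recovered chat log, the codes above need to be separated from the message text so that the message reads as the user saw it and any unusual code can be flagged. The Python tokenizer below is an added example, not from the paper and not GigaTribe's code; it recognises exactly the codes listed above (/b, /i, /u, /cRRGGBB, /oNNN and /l<username>/l). The meanings attached to /o and /l follow the paper's observations only, and the helper names tokenize, plain_text and formatting_summary are mine.

```python
import re

# Added example, not from the paper: tokenizer for the presentation codes described
# above. The regex accepts only the code shapes the paper reports; any other "/" is
# left in the text untouched.
CODE_RE = re.compile(r"/(?:[biu]|c[0-9a-fA-F]{6}|o[0-9]{3}|l[^/]*/l)")
TOGGLES = {"b": "bold", "i": "italic", "u": "underline"}


def tokenize(message: str) -> list:
    """Split a raw chat message into ('text', str) and formatting-code tokens."""
    tokens = []
    pos = 0
    for m in CODE_RE.finditer(message):
        if m.start() > pos:
            tokens.append(("text", message[pos:m.start()]))
        code = m.group(0)
        kind = code[1]
        if kind in TOGGLES:
            tokens.append((TOGGLES[kind], None))          # /b /i /u toggle on and off
        elif kind == "c":
            tokens.append(("colour", code[2:].lower()))    # web colour RRGGBB
        elif kind == "o":
            tokens.append(("emoticon", code[2:]))          # e.g. 001 sad, 002 happy
        else:
            tokens.append(("link", code[2:-2]))            # /lname/l -> name
        pos = m.end()
    if pos < len(message):
        tokens.append(("text", message[pos:]))
    return tokens


def plain_text(message: str) -> str:
    """The message as the user would read it, with all codes removed."""
    return "".join(value for kind, value in tokenize(message) if kind == "text")


def formatting_summary(message: str) -> dict:
    """Count each code kind; useful for spotting unusual codes across many messages."""
    summary = {}
    for kind, _ in tokenize(message):
        if kind != "text":
            summary[kind] = summary.get(kind, 0) + 1
    return summary


# The formatted message quoted in the paper
EXAMPLE = "Hi, /b/cff0000my/b/c000000 /cff0000name/c000000's /u/cff0000ymous555/u/c000000!"

if __name__ == "__main__":
    print(plain_text(EXAMPLE))  # Hi, my name's ymous555!
    print(formatting_summary(EXAMPLE))
    print(tokenize("/o002 /lanon5498/l"))  # constructed input
```

A "/" that does not start one of the known codes (for example in "1/2") is deliberately kept as text, so a message is never silently shortened by the stripping step.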

THANKS
D/Sgt. Les Vuyk, Niagara Regional Police Service, Technological Crime Unit.
- GigaTribe Forensic Guide
  - http://www.scribd.com/doc/30524658/Gigatribe-Spy

CONTACT
forensicgeekinthecorner@gmail.com
- Chat Log Parser and Registry Deobfuscator available on request.
