Proof of xAurora = Hacked Maxthon

Target File: xaurora.exe

CRC-32: 615F3ABD

MD5: E6522E1775634243CA6BDADA13586607

This file is the main executable included in xAurora2008-RC1-Final-Lite.zip [CRC-32: BB6A0A4E, MD5: 8270802D21EDF19273961E756FA3D469] from http://www.xaurora.net/uploads/xAurora2008-RC1-Final-Lite.zip

Tools:

(1)   PEiD from http://www.peid.info

(2)   A hex editor such as Hex Workshop from http://www.hexworkshop.com/

Method

(1)   Extract the xAurora2008-RC1-Final-Lite.zip file and run xAurora at least once to confirm that it runs properly on your machine.

(2)   Launch PEiD and open xAurora.exe.

OK, now we can see that xAurora is packed with PECompact. That is why it cannot be disassembled easily, so we need to unpack this EXE before looking at the code.

Here we will do partial unpacking just to prove the point.

(3)   Press the "->" button on PEiD and select "PEiD Generic Unpacker".

(4)   Now you will get the "snaker's Generic Unpacker" dialog box. To unpack, you first need to know the Original Entry Point (OEP) of the executable before it was packed. This can be detected automatically (but the result may not be correct). To detect the OEP, press the "->" button on this dialog box.

(5)   OK, the plug-in has detected the OEP. Now press the "Unpack" button. You will see xAurora start in the background. If it stops at any splash screen, press OK to continue until the browser interface shows up.

(6)   After a few seconds a message box will pop up asking whether to rebuild the import section. Press the "No" button.

(7)   Then exit from the unpacker and PEiD by pressing the Exit button or using the title bar controls.

(8)   Now you will see a new file "xaurora.exe.unpacked.exe" generated at the original location of the "xaurora.exe" file.

This unpacked EXE will not run, because we have not fixed the import section and the OEP may not be accurate, but the generated file serves our purpose. (I have not included steps to verify the accuracy of the OEP or to rebuild the import section here because I want to keep this as simple as possible, so that people not familiar with this stuff can follow it.)

(9)   Now open this unpacked EXE (xaurora.exe.unpacked.exe) in Hex Workshop or any decent hex editor and scroll down to offset 0x166ED0.

Here you can clearly see the "CMainFrame MaxthonInfo" string. This shows that this code section was copied from Maxthon.

Whoever did the string replacement missed this. Perhaps it could not be changed, since this data object name is referenced from many other places in the code.

(10)  To verify the above, do steps 1 to 8 for some old Maxthon version (found here: http://www.oldversion.com/program.php?n=maxthon) and compare. Here I have done this for Maxthon 1.1.035 (this may not be the exact version used to create xAurora, but let's do trial and error). The Maxthon versions found there are packed with ASProtect, so compare the unpacked versions.

Sample locations to compare

xAurora unpacked      Maxthon 1.1.035 unpacked
0x166ED0              0x13CCC0
0x18AF40              0x153CA0

In addition to the locations pointed out above, you can do your own comparison of strings, resources, code fragments etc. and see the remarkable similarity (almost the same strings, strings containing "xAurora" have their counterparts with "Maxthon", the same class names, etc.).
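As an added example (not part of the original write-up), here is a small Python script that does the mechanical part of this comparison: it hashes a file the way the header above does (CRC-32 and MD5), locates the telltale "CMainFrame MaxthonInfo" string, and scores byte-for-byte similarity of windows at paired offsets such as those in the table. The two sample "binaries" and their offsets are constructed for the demo and are not the contents of xaurora.exe.

```python
import binascii
import hashlib


def file_fingerprint(data):
    """CRC-32 and MD5 of a byte string, as upper-case hex like the header of this write-up."""
    return {
        "crc32": "%08X" % (binascii.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest().upper(),
    }


def find_marker(data, marker):
    """Return every offset at which the marker byte string occurs in data."""
    hits, start = [], 0
    while True:
        pos = data.find(marker, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def compare_windows(a, b, offset_pairs, size=64):
    """For each (offset_a, offset_b) pair return (offset_a, offset_b, fraction of
    identical bytes) over a window of `size` bytes; 1.0 is a byte-for-byte match."""
    results = []
    for off_a, off_b in offset_pairs:
        win_a, win_b = a[off_a:off_a + size], b[off_b:off_b + size]
        n = min(len(win_a), len(win_b))
        same = sum(1 for x, y in zip(win_a, win_b) if x == y)
        results.append((off_a, off_b, same / n if n else 0.0))
    return results


# Constructed sample "binaries" (not real file contents): both embed the same block,
# at 0x100 in SAMPLE_A and at 0x80 in SAMPLE_B, followed by product-specific bytes.
SHARED_BLOCK = b"CMainFrame MaxthonInfo\x00" + bytes(range(40))
SAMPLE_A = b"A" * 0x100 + SHARED_BLOCK + b"xAurora\x00" * 4
SAMPLE_B = b"B" * 0x80 + SHARED_BLOCK + b"Maxthon\x00" * 4

if __name__ == "__main__":
    print(file_fingerprint(SAMPLE_A))
    hits_a = find_marker(SAMPLE_A, b"CMainFrame MaxthonInfo")
    hits_b = find_marker(SAMPLE_B, b"CMainFrame MaxthonInfo")
    print("marker at", [hex(h) for h in hits_a], "and", [hex(h) for h in hits_b])
    # Pair the marker offsets (as in the table above) plus a control pair that should not match.
    for off_a, off_b, score in compare_windows(SAMPLE_A, SAMPLE_B, [(hits_a[0], hits_b[0]), (0, 0)]):
        print("0x%06X vs 0x%06X: %.1f%% identical" % (off_a, off_b, score * 100))
```

Replace the constructed byte strings with `open(path, "rb").read()` of the two unpacked files and feed `compare_windows` the offset pairs from the table to reproduce the comparison.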

Also, you may be able to see that the "100% assembly coded" xAurora uses at least 15 MFC classes!

Conclusion:

xAurora = Hacked Maxthon

-May the force be with you

Anonymous Skywalker