"Ana" ARG thread

Author Topic: "Ana" ARG thread  (Read 114470 times)

Lol, DLL size can change a lot based on optimizations, standard library type (varies with VS version), whether you statically compile, use dynamic base, generate metadata, packer usage, etc. etc.

I am well aware of this fact. I did compile the DLL with their own build files, located on GitHub. The only difference is that they used an older version of the SDK, which I doubt would increase the file size this significantly. However, the DLL could be dynamically linked with DiscordRPC.

Then they would include the DiscordRPC DLL in addition to the binder DLL, or require it to be installed somewhere that Blockland can load it (i.e. the installation or root directory or similar). Static linking is configured in the settings for the RPC library anyway. There is no reason the header would increase the size unless there's something really stupid in there...

What you should do is check the DLL with a packer identifier. If nothing shows up, then investigate the code in OllyDbg and see if it's a custom packer or if the instructions are radically different (compare entry points and their functions to a certain depth); IDA works great for this too. Evidence for packers, like there being no IAT or a bunch of garbage data for most of the DLL, should be checked too. Try comparing their sizes in memory.

Edit: I accidentally said the settings dynamically linked RPC, but I totally meant static in context ("not dynamic"... forgot the "not" :P). Sorry for the confusion... it was early.
« Last Edit: November 13, 2017, 01:16:32 AM by Val »

welp it looks like you don't just download .dlls from random ass loving guys who only became relevant a few months ago due to their stuffty bot and arg

welp it looks like you don't just download .dlls from random ass loving guys who only became relevant a few months ago due to their stuffty bot and arg
GEE its almost as if its an alt of (((someone)))

Their name could be Mike. That's the only thing I could gather from decompiling the dll.
Mikey "King High" 555

GEE its almost as if its an alt of (((someone)))
literally stop
the only reason Ana was banned was because people kept saying it was Zapk as if they knew what they were talking about, when in reality they don't know stuff
It has actually happened before, when some people accused Carbon Zypher of posting a malicious exe which was actually just a false positive. He was unbanned; it's not without precedent.

Can someone PM me the original DLL though?

edit: I got the DLL, thanks
« Last Edit: November 12, 2017, 02:56:01 PM by Ipquarx »

ok have fun with your fishy as forget dlls

But if reversing is involved then I think I have a good clue on who it could be.. 3548!!!
Ooo now that's a good theory.

« Last Edit: November 12, 2017, 09:40:47 PM by torin² »

Ok, a friend gave me the DLL Ana made (it's called zodlrm.dll... I hope that's it!) and I found time to look at it in IDA. It's not packed or encrypted, and there's no real difference from the source as far as the initialization routine goes. It's funny to see player collision toggle DLL strings here and there, which supports the idea that it's rather crudely made (this is in the source too). The only DLL of importance in the IAT is the runtime, and I don't see any evidence of LoadLibrary calls. So at the surface level it appears pretty safe, except for the fact that the RPC library is statically linked. It's fine to do that, but it has some security implications...

The Discord RPC library is open source, so it can be compiled with any modification and later statically linked into the binder DLL. It would be very easy to sneak in malicious code when the size of the library is as big as it is, and I really don't want to spend hours digging through all that crap to find something either. It would have been more legitimate if they used RPC as a DLL, because then they can't hide anything; but it's another thing to add to the mod folder, and it's perfectly valid to statically link like this for convenience.

We don't know what configuration they used to build the lib either, so that could explain the size difference mctwist is getting, like if they used optimizations or turned off certain features that made it smaller, and potentially a bunch of other things. I wouldn't think a newer version would cause a size difference that drastic unless there was some major feature added, so check the GitHub page I guess. To get a better answer he'd have to tell us the config he used to build the libraries... I'm not gonna bother experimenting myself for now because I'm too lazy to get the v140 toolset. :P

But if this is a puzzle that isn't supposed to be super hard, and there are clues knocking around in the DLL, then they'd probably expose them in a way that doesn't require much beyond tools like Wireshark, hex editors or Process Monitor, and of course making it malicious invalidates the whole ARG. A memory editor is a good idea too in case there are strings that are decrypted at runtime. But I doubt there's much more to discover besides that one string...

It was mentioned before: there exists an interesting string, which happens to be the program database, "c:\users\mike\documents\visual studio 2017\Projects\DiscordDLL\Release\DiscordDLL.pdb". The purpose of one of these is to provide useful debugging information (symbols, links to source, etc.) to whatever needs it, but the database itself is not very important. What's weird is the project settings on GitHub do not explicitly state a path like this, and if one isn't defined it defaults to the location where the DLL is written to. So Anneliese didn't build the DLL themselves according to the project settings on GitHub; some guy named Mike did, and the config was pruned to make it look like Anneliese built it when the source came out.

tl;dr it's probably safe, except for the fact that there could be code hidden in the statically linked RPC library; we don't know the config they used to compile RPC, and this affects size; and the debug database path doesn't match the source code, which means someone else named Mike built it.

Ok, a friend gave me the DLL Ana made (it's called zodlrm.dll... I hope that's it!)

I don't know where your friend got "zodlrm.dll" because that's not the DLL

The proper DLL should just be DiscordDLL.dll

It was mentioned before: there exists an interesting string, which happens to be the program database, "c:\users\mike\documents\visual studio 2017\Projects\DiscordDLL\Release\DiscordDLL.pdb".

What's your source for this? Because there's literally nothing like this in the DLL from Ana's GitHub release 3 days ago

Yes, he said that isn't on the GitHub. But you cropped the post before you got to that point.

What's weird is the project settings on GitHub do not explicitly state a path like this, and if one isn't defined it defaults to the location where the DLL is written to. So Anneliese didn't build the DLL themselves according to the project settings on GitHub; some guy named Mike did, and the config was pruned to make it look like Anneliese built it when the source came out.

That string actually comes from the DLL they supplied rather than the source. The one that says "mike".

Yes, he said that isn't on the GitHub. But you cropped the post before you got to that point.

That string actually comes from the DLL they supplied rather than the source. The one that says "mike".

I'm looking in the DLL from GitHub 3 days ago, not the source

Post the DLL you're talking about that says "mike" in it

I'm looking in the DLL from GitHub 3 days ago, not the source

Post the DLL you're talking about that says "mike" in it
I'm not going to post it because it's the same one that got Ana perma banned.

I don't know where your friend got "zodlrm.dll" because that's not the DLL

The proper DLL should just be DiscordDLL.dll
YEA, I thought the name was weird too. I had three guesses:

- it was shared around using some kind of hosting service that mangled the name
- the name is spooky or is a clue because it fits the ARG theme
- some guy was testing this against their own build and put two DiscordDLL.dll files in the same folder for some reason, so they slapped the keyboard to lazily resolve the name conflict and later shared it around (meme)

I decided to just put that side note in because the contents of the DLL check out against the GitHub source, i.e. strings, order of execution, and so on, and I then might get some insight later (AND IT TOTALLY WORKED!1) -- I didn't get to see the original thread/"release", so the question of the name's roots or how seriously I should take it was out the window. It made sense that an ARG would name files like this; innocent me slapped it into IDA and happily chugged along at decoding the ancient mythological secret doomsday DLL the alien name implied.

That is in the past. I have now investigated this and... Val regrets to inform you it was the first thought: someone uploaded it to my friend using mymixtape and then he later gave that to me in all its mangled glory. I had no idea this stupid site existed (I live under a rock) and figured six lowercase characters for entropy would be dumb for a file sharing service, and one that changes file names at that. Like, WTF. I ended up giving way too much benefit of the doubt to the third idea and looked like an idiot. I wouldn't have done this anywhere else but in an ARG thread, and yet here we are... val_JUST.png and I'm 3000% mad.

OK, sorry for writing this much for a non-problem, but I thought sharing my epic fail would make someone laugh with me. But yes, it is the real deal.

What's your source for this? Because there's literally nothing like this in the DLL from Ana's GitHub release 3 days ago

I'm looking in the DLL from GitHub 3 days ago, not the source

Post the DLL you're talking about that says "mike" in it
It's the debug file path that's compiled into the binary. Try searching for "mike" in a hex editor or something.

That string actually comes from the DLL they supplied rather than the source. The one that says "mike".
That's what I said. The supplied DLL and source are supposed to match 1:1, but if that were the case then "mike" wouldn't show up in the DLL, and the source is crafted to make you believe in the 1:1. You are supposed to say "wow, great moves, detective Val" and be impressed.

Or maybe val_JUST2.png is on its way and you're saying Ana did not supply the "mike" DLL. I kind of just jumped in when the DLL was mentioned. OK, someone give me a quick rundown on how it came to be before I write myself into irrelevance. I'm just here to reverse spooky DLLs.