00:00:00 --- log: started retro/10.04.05
03:11:13 --- quit: sixforty (Quit: Leaving.)
07:05:01 <crcx> 119 words in core.retro
07:07:19 <crcx> 190 with stage2+vocabs
07:13:59 <crcx> 265 with optional stuff (files, net, editor, debug words) loaded
09:49:27 --- join: n00b81|away (~taylor@c-24-91-82-205.hsd1.ma.comcast.net) joined #retro
09:49:35 --- part: n00b81|away left #retro
09:50:09 --- join: ajm_design (~ajm@unaffiliated/ajm-design/x-5063634) joined #retro
09:50:21 --- part: ajm_design left #retro
09:50:35 --- join: ajm_design (~ajm@unaffiliated/ajm-design/x-5063634) joined #retro
09:50:39 --- part: ajm_design left #retro
10:27:18 --- join: foucist (~foucist@ps14150.dreamhost.com) joined #retro
10:27:18 --- mode: ChanServ set +v foucist
10:27:53 <foucist> howdy
11:00:22 <crcx> hi foucist 
11:01:27 <foucist> hi crcx 
11:08:37 <crcx> what's up?
11:08:47 <foucist> not much
11:08:53 <foucist> well a bunch :P
11:09:16 <foucist> i'm in japan now
11:09:30 <foucist> coming back to canada soon
11:11:38 <crcx> cool
11:15:43 <foucist> crcx: you any good with analyzing binary sent from the intenret to an adware program ? :P
11:15:55 <foucist> it doesn't decode to ascii, base64, gzip/deflate/bzip2 etc heh
11:16:00 <foucist> but i do know what strings are probably in it
11:16:55 <crcx> how large is the file?
11:18:04 <foucist> 679 to 763 (i have to samples)
11:18:12 <foucist> bytes
11:18:59 <foucist> the adware program turns around and forces firefox/etc to load a popup and uses the URL that it got in that data string
11:19:19 <foucist> basically it turns around and sends about 350characters worth
11:19:27 <foucist> imemdiately after getting that binary data
11:19:37 <foucist> prolly encrypted or some shit i guess
11:19:45 <foucist> i've isolated the common parts between the two data strings
11:19:47 <foucist> header/footer etc
11:20:15 <foucist> meh, it's an annoying problem
11:20:19 <foucist> i'm probably gonna give up on it :P
11:20:25 <crcx> if you send me the samples, I can work on something tonight
11:25:25 <foucist> ok, just a sec, zipping it up
11:51:41 <foucist> crcx: http://www.foucist.com/files/adware-decode.tar.gz
11:59:09 <foucist> crcx: i'm talking to a guy in ##crypto and he asked me to compress the file as a test of its randomness..  i compressed one of the binary files from 763 to 503 with gzip
11:59:30 <foucist> so he thinks its not a typical encryption, perhaps an XOR cipher
12:00:43 <foucist> erm, i'll try xoring the two together and see what happens heh
12:32:46 <foucist> yeah playing around with xoring parts of it against each other etc, no luck yet
12:49:34 --- quit: virl (Remote host closed the connection)
14:26:08 --- join: erider_ (~erider@unaffiliated/erider) joined #retro
14:28:58 --- quit: erider (Ping timeout: 246 seconds)
15:17:15 --- join: crc_ (~charlesch@71.23.210.149) joined #retro
15:17:31 --- quit: crc (Disconnected by services)
15:17:38 --- nick: crc_ -> crc
15:17:48 --- mode: ChanServ set +o crc
15:21:24 --- quit: erider_ (Remote host closed the connection)
15:46:11 <crc> back home
16:27:38 --- join: erider (~erider@unaffiliated/erider) joined #retro
17:08:55 --- join: sixforty (~sixforty@pdpc/supporter/active/sixforty) joined #retro
17:12:15 --- quit: erider (Ping timeout: 260 seconds)
17:54:07 --- join: erider (~erider@unaffiliated/erider) joined #retro
19:06:18 --- join: FlameKoetsu (~ad32781b@gateway/web/freenode/x-hepdxwpntuvhnpui) joined #retro
19:07:54 --- part: FlameKoetsu left #retro
20:03:00 --- quit: erider (Quit: Leaving)
20:27:08 --- quit: sixforty (Quit: Leaving.)
20:33:14 --- join: virl (~virl__@chello062178085149.1.12.vie.surfer.at) joined #retro
20:51:01 --- join: sixforty (~vl@pdpc/supporter/active/sixforty) joined #retro
20:52:04 --- quit: sixforty (Client Quit)
21:47:48 --- quit: virl (Remote host closed the connection)
22:07:49 --- join: sixforty (~sixforty@pdpc/supporter/active/sixforty) joined #retro
23:56:44 --- quit: foucist (Ping timeout: 276 seconds)
23:59:59 --- log: ended retro/10.04.05