Kazaa Search Term Encoding

(@jlloyd)
Posts: 17
Active Member
Topic starter
 

Hi people,

Anyone know how Kazaa search terms are encoded (as located in the following hive)?
\NTUSER.DAT\NTRegistry\$$$PROTO.HIV\Software\Kazaa\Search\

I just want to verify the accuracy of Kazaalyser.

Thanks,

Justin.

 
Posted : 11/01/2006 8:18 pm
(@dc1743)
Posts: 48
Eminent Member
 

Justin,

Without knowing exactly how the search terms are encoded there are (at least) three generally accepted ways of viewing the search terms in plain text.

1. Import Registry Hive into Kazalyser
2. View registry with Access Data Registry Viewer which decodes them for you
3. Substitute the registry keys into a new Kazaa install and use Kazaa.

My preferred method is using Access Data Registry viewer (and using Kazalyser to check results)

Regards Richard

 
Posted : 12/01/2006 2:04 pm
(@jlloyd)
Posts: 17
Active Member
Topic starter
 

Hey Richard,

Thanks for that, good to see someone I know on here :-)

A bit more background might be useful here.
I've had an unusual case come in where I have simply been asked to comment on a number of reports provided by other experts (both sides) but will not be conducting my own independent investigation and so will not have access to the encase images or original drives.
The reports provide a Kazaalyser breakdown including search terms and the Hex code contents of the relevant registry keys have also been provided. I want to confirm, and explain, that Kazaalyser has correctly transformed the registry keys.
Now, what I've done so far is to recreate the Kazaa setup on a virtual machine, enter the keywords provided in the report, and then document the contents of the registry keys. That, naturally, allows me to confirm that Kazaalyser has correctly transformed the keys - but it doesn't allow me to explain the transform process.
For the purposes of the case the confirmation work I've done so far is probably enough but I'd just like to be able to provide a full explanation as to the encoding algorithm.
In essence I'd just like to understand how Kazaalyser does what it does :-)
I should probably just call Paul Sanderson but as it's a commercial product I hesitate to try to pick his brains.

Hope you're well,

Justin.

 
Posted : 12/01/2006 2:37 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Justin, (we met when you visited Richard recently). The Kazaa encoded search terms in the registry are some kind of cypher text (a type of Caesar cypher). I did a little research on it a while ago, but have misplaced my notes.

From what I can remember it uses the ASCII table with a mathematical algorithm taken from the characters positioning sequence, to offset to characters in the ASCII table. For example if you type a word 'apple' the first character in the word is the lower case letter a=0x61 - the software encodes this by +7 on the ASCII table, and changes it to the character 0x68 (h). I imagine someone with a Cryptography background will pick up on this and explain it better.

I use Paul's excellent KaZalyser, and it does the job nicely.

I hope this helps?

Andy

 
Posted : 12/01/2006 3:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Interesting discussion.

I'm very interested in this for obvious reasons, most particularly b/c it doesn't seem to be documented anywhere.

In my Registry Parser code, I've included code to handle the Rot-13 "encryption" that MS puts on a couple of keys. The regular expression I used could easily be redone to transform these values as well.

So…what is the complete path to the Kazaa search terms, and how are they listed within the Registry? Are they REG_SZ data types?

Harlan

 
Posted : 12/01/2006 4:57 pm
(@jlloyd)
Posts: 17
Active Member
Topic starter
 

Hey guys,

Andy, give me a call the next time you're in the Midlands, I'll take you out for that beer you missed in Devon.

Right, I've started making some progression notes relating to the byte values stored within the reg keys in order to try to pin down the encoding sequence and offset. At first glance it looks to be fairly simplistic up until the third character entry, but I've yet to sit down with a hex calculator to have a good look at the patterns. I'll let you know what I find unless I decide to ditch it and do something more productive instead :-)

Justin.

All the keys are of type REG_SZ and are located within HKEY_CURRENT_USER\Software\Kazaa\Search

The progressions I have noted so far are

a 66 00 00 00
b 65 00 00 00
c 64 00 00 00
d 63 00 00 00
e 62 00 00 00
f 61 00 00 00
g 60 00 00 00
h 6F 00 00 00
i 6E 00 00 00
j 6D 00 00 00
k 6C 00 00 00
l 6B 00 00 00
m 6A 00 00 00
n 69 00 00 00
o 68 00 00 00
p 77 00 00 00
q 76 00 00 00
r 75 00 00 00
s 74 00 00 00
t 73 00 00 00
u 72 00 00 00
v 71 00 00 00
w 70 00 00 00
x 7F 00 00 00
y 7E 00 00 00
z 7D 00 00 00

A 46 00 00 00
O 48 00 00 00
Z 5D 00 00 00

aa 66 00 06 00 00 00
ab 66 00 05 00 00 00
ac 66 00 04 00 00 00
af 66 00 01 00 00 00
ag 66 00 67 00 00 00
ah 66 00 0F 00 00 00
ai 66 00 0E 00 00 00
am 66 00 0A 00 00 00
an 66 00 09 00 00 00
ao 66 00 08 00 00 00
ap 66 00 17 00 00 00
av 66 00 11 00 00 00
aw 66 00 10 00 00 00
ax 66 00 1F 00 00 00
az 66 00 1D 00 00 00

aA 66 00 26 00 00 00
aZ 66 00 3D 00 00 00

aaa 66 00 06 00 7F 00 00 00
aab 66 00 06 00 7C 00 00 00
aac 66 00 06 00 7D 00 00 00
aad 66 00 06 00 7A 00 00 00
aae 66 00 06 00 7B 00 00 00
aaf 66 00 06 00 78 00 00 00
aag 66 00 06 00 79 00 00 00
aah 66 00 06 00 76 00 00 00
aai 66 00 06 00 77 00 00 00
aaj 66 00 06 00 74 00 00 00
aak 66 00 06 00 75 00 00 00
aal 66 00 06 00 72 00 00 00
aam 66 00 06 00 73 00 00 00
aan 66 00 06 00 70 00 00 00
aao 66 00 06 00 71 00 00 00
aap 66 00 06 00 6E 00 00 00
aaq 66 00 06 00 6F 00 00 00
aar 66 00 06 00 6C 00 00 00
aas 66 00 06 00 6D 00 00 00
aat 66 00 06 00 6A 00 00 00
aau 66 00 06 00 6B 00 00 00
aav 66 00 06 00 68 00 00 00
aaw 66 00 06 00 69 00 00 00
aax 66 00 06 00 66 00 00 00
aay 66 00 06 00 67 00 00 00
aaz 66 00 06 00 64 00 00 00

 
Posted : 16/01/2006 7:09 pm
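Added example (not part of any post in this thread, and not code from any tool named in it): a check of the byte progressions listed in the last post, testing whether each stored 16-bit unit is the typed character XORed with a key that depends on its position. The sample subset, the function names and the XOR hypothesis are choices made for this example; every multi-character sample in the thread begins with 'a' or 'aa', so the data cannot show whether the second and third keys also depend on the preceding characters.

```python
from collections import Counter, defaultdict

# Samples copied from the last post above: typed term -> REG_SZ value bytes (hex).
SAMPLES = {
    "a": "66 00 00 00", "h": "6F 00 00 00", "p": "77 00 00 00",
    "z": "7D 00 00 00", "A": "46 00 00 00", "Z": "5D 00 00 00",
    "aa": "66 00 06 00 00 00", "ag": "66 00 67 00 00 00",
    "ap": "66 00 17 00 00 00", "az": "66 00 1D 00 00 00",
    "aZ": "66 00 3D 00 00 00",
    "aaa": "66 00 06 00 7F 00 00 00", "aab": "66 00 06 00 7C 00 00 00",
    "aap": "66 00 06 00 6E 00 00 00", "aaz": "66 00 06 00 64 00 00 00",
}

def code_units(hex_dump):
    """Split a dump into little-endian 16-bit units, minus the 0x0000 terminator."""
    raw = bytes.fromhex(hex_dump)
    units = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]
    if not units or units[-1] != 0:
        raise ValueError("value is not null-terminated")
    return units[:-1]

def xor_votes(samples):
    """Yield (term, position, plaintext XOR stored unit, stored unit) per character."""
    for term, dump in samples.items():
        units = code_units(dump)
        if len(units) != len(term):
            raise ValueError(f"length mismatch for {term!r}")
        for pos, (ch, enc) in enumerate(zip(term, units)):
            yield term, pos, ord(ch) ^ enc, enc

def derive_keys(samples):
    """Majority XOR key per character position."""
    votes = defaultdict(Counter)
    for _, pos, key, _ in xor_votes(samples):
        votes[pos][key] += 1
    return {pos: c.most_common(1)[0][0] for pos, c in votes.items()}

def outliers(samples, keys):
    """Samples whose stored unit does not fit the majority key for its position."""
    return [(t, p, enc) for t, p, k, enc in xor_votes(samples) if k != keys[p]]

def decode(hex_dump, keys):
    """Only meaningful for terms starting 'a'/'aa': later keys may depend on prefix."""
    return "".join(chr(u ^ keys[i]) for i, u in enumerate(code_units(hex_dump)))

KEYS = derive_keys(SAMPLES)
for term, pos, enc in outliers(SAMPLES, KEYS):
    print(f"outlier: {term!r} position {pos} stored 0x{enc:02X}")
print({pos: hex(k) for pos, k in KEYS.items()})
```

The one sample that does not fit is 'ag': the second-position key 0x67 applied to 'g' (0x67) would give 0x00, and the listed byte is 0x67 instead.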