Let's take a look at one of DarkOrbit's sub-SWFs. It has a class named PandorasBox. Cool, right? No, not cool (at least not for Toshinou users). So what is PandorasBox? It is the class DarkOrbit uses to encrypt and decrypt packets. The method you want to look at is toString().
Code:
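override public function toString() : String
{
    // Capture the current call stack as a string.
    var _loc1_:String = new Error().getStackTrace();
    if(_loc1_)
    {
        // Report the trace only when the call chain entered through ExternalInterface.
        if(this._caller && _loc1_.indexOf(":ExternalInterface$/_callIn()") != -1)
        {
            this._caller(_loc1_);
        }
        return null;
    }
    return null;
}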
Okay, okay. It's just a toString method. But this code
Code:
if(this._caller && _loc1_.indexOf(":ExternalInterface$/_callIn()") != -1)
{
    this._caller(_loc1_);
}
doesn't look good, right? So what is _caller? _caller is a function which is passed to PandorasBox during the handshake (one of the first packets). What does it look like? It's located in main.swf and it looks like this:
Code:
function(param1:String):void
{
    sendRequest(new §_-53r§(param1));
}
It sends a request containing the dirty stack trace from Toshinou! But hey, maybe toString is never called, right? Unfortunately, it is called quite often. Let's come back to our PandorasBox.
Code:
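public function encode(param1:ByteArray) : ByteArray
{
    // The command ID is the short at offset 2 of the packet.
    param1.position = 2;
    var _loc2_:int = param1.readShort();
    if(_loc2_ == ID)
    {
        this.toString();
    }
    // (rest of encode is not shown in this fragment)
}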
This is a fragment of the encode function which encodes packets. The suspicious fragment is obviously
Code:
if(_loc2_ == ID)
{
    this.toString();
}
It simply checks whether the command's ID (_loc2_) equals some ID. But what ID is it? It's the Movement Command ID. Yes, you are right. It sends a request like "hi, darkorbit, I'm using toshinou ban me asap" every time you move.
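
The call-origin check described above, as a small JavaScript analogue. This is an added example, not code from the game or from the original post. MOVE_ID, the packet layout and the externalCallIn bridge are assumptions standing in for the movement command ID and the ExternalInterface _callIn frame.

```javascript
// JavaScript analogue of the ActionScript check; every name below is hypothetical.
const MOVE_ID = 0x0042;          // constructed command ID, not the game's real value
const MARKER = "externalCallIn"; // stands in for ":ExternalInterface$/_callIn()"

class Codec {
  constructor(reporter) { this.reporter = reporter; } // like _caller, set at handshake

  // Mirrors toString(): capture the stack, report it only if the marker frame is present.
  checkOrigin() {
    const stack = new Error().stack;
    if (stack && this.reporter && stack.includes(MARKER)) {
      this.reporter(stack);
      return true;
    }
    return false;
  }

  // Mirrors the encode() fragment: the command ID is the 16-bit value at offset 2.
  encode(packet) {
    if (packet.length < 4) throw new RangeError("packet too short for a command ID");
    const id = packet.readInt16BE(2);
    return { id, flagged: id === MOVE_ID ? this.checkOrigin() : false };
  }
}

// Constructed packet: two leading bytes (assumed length field), then the command ID.
function makePacket(id) {
  return Buffer.from([0x00, 0x02, (id >> 8) & 0xff, id & 0xff]);
}

// Normal path: the client's own code encodes the command.
function sendFromClient(codec, id) {
  return codec.encode(makePacket(id));
}

// External path: the same command enters through a bridge function, so the
// bridge's frame name is present in the stack when encode() runs.
function externalCallIn(codec, id) {
  const result = sendFromClient(codec, id);
  return result;
}

function demo() {
  const reports = [];
  const codec = new Codec((trace) => reports.push(trace));
  const internal = sendFromClient(codec, MOVE_ID);
  const external = externalCallIn(codec, MOVE_ID);
  const other = externalCallIn(codec, 0x0001); // not the watched ID, never checked
  return { internal, external, other, reports };
}
```

Only the movement command that entered through the bridge is reported; the same command sent by the client's own code, and any other command ID, pass through without a report.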