MegaUpload Manager Decompile $$$

[spliff666]

Hi, i'm looking from someone who knows more about this topic then myself as i've kind of reached my technical limit.

What the objective is...

Operation Hash Cookies
If you upload a file with megaupload manager or via their webUI and the file is on their systems already then it (after a md5 check) instantly upload it without having to transfer the whole file.

Some reading from http://poirotsramblings.blogspot.com...d-and-md5.html give a brief insight into this through collisions, the findings there are gone into in more detail in my findings after the break, However the comment was of interest to me as I don't understand how this works yet

I spent some time trying to reverse engineer the uploading protocol, when uploading larger files they don't just check the MD5 they split the file into 130 pieces and checks the MD5 of each(I assume - at least the MD5's are transferred) and I suspect without having figured out the specifics that after having checked these MD5's some challenges about specific bytes of data in the file are issued(at least the data transferred from user to megaupload seems to always be part of the file).

So at the minute i've hit a wall after viewing everything I can in wireshark and now its time to move onto decompiling the uploading tools.

The 2 tools that are used for uploading are
MegaManager - http://static.megaupload.com/megamanager.exe and
webUI - http://wwwstatic.megaupload.com/gui2/ru.swf

ANY extra info that ca be added would be awesome, Wha ti'm invisioning is if we can't just inject the MD5 then maybe we can inject the 130 pieces that it splits it into (cite pirots ramblings comments) and have glorious bulletproof links

I will post other info below from Wireshark and the Decompilation of RU.swf

spliff666 Reviewed by spliff666 on 2nd Nov 2010. MegaUpload Manager Decompile $$$ Hi, i'm looking from someone who knows more about this topic then myself as i've kind of reached my technical limit. What the objective is... Operation Hash Cookies If you upload a file with megaupload manager or via their webUI and the file is on their systems already then it (after a md5 check) instantly upload it without having to transfer the whole file. Some reading from http://poirotsramblings.blogspot.com/2008/07/megaupload-and-md5.html give a brief insight into this Rating: 5

[spliff666]

Using SoThink SWF Decompiler 5.3 (Portable) i've decompiled ru.swf from
http://wwwstatic.megaupload.com/gui2/ru.swf
and after a little searching around it turns out the code were after is in Sprite538(Meaningless identifier added by SoThink) but the Sprite is also called mega.FileUploader, so looks like we're onto a winner, the variables described here (or _constantPool as its defined) are

Code: 

"_global"  "com" "Object" "mega" "FileUploader" "__server" "__eventHandler"  "__logField" "logWindow_mc" "log_txt" "init" "prototype"  "LocalConnection" "domain" "Domain[" "]" "managers" "Logger" "write"  "_this" "__file" "flash" "net" "FileReference" "addListener" "onSelect"  "__sizeTotal" "size" "name" "fileSelect" "Select[name: " ", size: "  "browse" "upload" "__id" "generateRandomID" "uploadStarted" "Date"  "getTime" "listener" "onOpen" "onUploadStart" "Up_beg[name: " ", server:  " ", pd: " "postData" "onSecurityError" "updateTransferRate"  "onUploadError" "stopNonsense" "Up_err[Security Error: " "onIOError"  "onProgress" "onVerification" "Upp_err[IO Error (Pos_file_ter)]"  "loadConfirmationXML" "onHTTPError" "Upp_err[HTTP Error]"  "__sizeProcessed" "Math" "round" "__transferRateIntervalSet"  "updateTransferRateInterval" "IntervalManager" "setInterval"  "onComplete" "timeOut" "timeOutInterval" "Up_com[name: "  "onUploadCompleteData" "removeListener" "clearInterval" "onUploadFinish"  "Up_com_data[name: " ", d: " "message="
                   "__description" "&password=" "__password" "&trafficurl="  "__trafficExchange" "&toemail=" "__recipientEmail" "&fromemail="  "__yourEmail" "&multiemail=" "__multiple" "&user=" "user"  "upload_done.php?UPLOAD_IDENTIFIER=" "&s=" "startNonsense"  "__transferRate" "cancel" "onUploadCanceled" "Up_can[name: " "XML"  "ignoreWhite" "onLoad" "firstChild" "childNodes" "attributes" "url" ""  "unescape" "onUploadTerminated" "Term_up_XML_load_succ[xml_url_att: "  "Term_up_XML_load_err" "LoadVars" "message" "password" "trafficurl"  "toemail" "fromemail" "multiemail" "POST"  "uploadquick.php?UPLOAD_IDENTIFIER=" "sendAndLoad"  "Term_up_XML_request[name: " ", id: " ",user=" "count"  "getNextHighestDepth" "nonsense_mc" "createEmptyMovieClip"  "onEnterFrame" "removeMovieClip" "0" "9" "8" "7" "6" "5" "4" "3" "2" "1"  "length" "random" "floor" "getSizeProcessed" "getTransferRate"  "getSizeRemaining" "getSizeTotal" "getName" "getDescription"  "setDescription" "getFileName" "setTrafficExchange" "setPassword"  "setRecipientEmail" "setYourEmail"
                  "setMultipleRecipients" "ASSetPropFlags"

Through out these variables it refers to startNonsense which i'm guessing might have something to do with sending the actual data of the file, if its nonsense
The main on I see here is generateRandomID which is why i'm thinking the values discussed in the previous post is random

[spliff666]

I've used wireshark and captured packets, there is a couple of IPV6 packets, just ignore them

http://www.megaupload.com/?d=K1NZTKQL MegauploadMD5.pcap (15.78 KB)
So here we go, sometimes if you upload a file in megamanager it seems almost instant, this is because MM uses MD5 checksums to check with its server whether a file with the same md5 hash exists.
11 6.235650 192.168.1.100 174.140.154.21 HTTP GET /u/?u=58f8bd000da54135141e6cf5b4cc91dc HTTP/0.9

This responds nicely with an ack on line 13 with the http data 216

This can also be seen by going to...

http://www.megaupload.com/u/?u=58f8b...1e6cf5b4cc91dc

This 216 is the server that the data is saved on as just after this on line 18 we get
18 6.761535 192.168.1.100 192.168.1.254 DNS Standard query A www216.megaupload.com

Now we get the response on line 20 with the IP that that server is located at "174.140.157.61"
20 7.036199 192.168.1.254 192.168.1.100 DNS Standard query response A 174.140.157.61

Now comes the gray area, don't know what the tcp packets are going to and fro, UNTIL line 59! This is the money line
qEC8@,d=Y3H_PEGXx61Malcolm in the Middle - 103 - Home Alone 4.avi233f03dfd29e13cd07187cec545c07f9megaupload.co mTVShowsRUS.com[none][none][none]

a bit of gobbldy gook then
"Malcolm in the Middle - 103 - Home Alone 4.avi" <- File name
"233f03dfd29e13cd07187cec545c07f9megaupload.co m" <-MegaUpload cookie m(i'm pretty sure)
"TVShowsRUS.com" <- Comment
[none] <-Password
[none]<- From Email
[none]<- To Email
This is followed by a response with a tcp packed advising the final MU link.


So i've sniffed a few more...
qE{@BdW!YbE/gj|PD-.6YSeinfeld.S06E13.DVDRip.XviD-SAPHiRE.avi233f03dfd29e13cd07187cec545c07f9megaupl oad.comTVShowsRUS.com[none][none][none]
qE}_@MdBu+AZYlL,8)FPD-}V:7^pkSex And The City S4E13 - The Good Fight [RavyDavy].avi233f03dfd29e13cd07187cec545c07f9megaupload.com TVShowsRUS.com[none][none][none]
qE~7@=dW$d}Y&#37;iPC @VZSex And The City S4E11 - Coulda, Woulda, Shoulda [RavyDavy].avi233f03dfd29e13cd07187cec545c07f9megaupload.com TVShowsRUS.com[none][none][none]
qE@;dW$dYVN/PCI@VZSex And The City S4E11 - Coulda, Woulda, Shoulda.avi233f03dfd29e13cd07187cec545c07f9megaupl oad.comTVShowsRUS.com[none][none][none]

The last 2 are the same file. I just renamed it, however the link that is returned both times is the same. ( i think datch or x have had this problem when using HJSplit for Wii ISO's that are padded to get the correct filesize)

We notice that each of these final requests start with qE, now back to the original file, that gobbdle gook must ahve meaning, so i've investigated and found that line 53 holds that same data "qE8C5@d=Y3H^PwPx61"

[Kaizoku]

Have you looked at the web interface for multiupload? They also implement the hash checking system, rather than working on the exe, I think you need ollydgb for that.

http://wwwstatic.megaupload.com/flash/multiupload.swf

[Kaizoku]

I Think this function copy the original file on server (when hash checking is done), it then calls uploadquick.php instead of upload_done.php

Code: 

function loadConfirmationXML(filename, filesize) {
        var _this = this;
        var _local4 = new XML();
        _local4.ignoreWhite = true;
        _local4.onLoad = function (success) {
                if (success) {
                        if ((this.firstChild.childNodes[0].attributes.url != undefined) && (this.firstChild.childNodes[0].attributes.url != "")) {
                                _this.__eventHandler("onUploadTerminated", unescape(this.firstChild.childNodes[0].attributes.url));
                        } else {
                                _this.__eventHandler("onUploadError");
                        }
                        com.mega.managers.Logger.write(_this.__logField, ("Term_up_XML_load_succ[xml_url_att: " + this.firstChild.childNodes[0].attributes.url) + "]");
                } else {
                        _this.__eventHandler("onUploadError");
                        com.mega.managers.Logger.write(_this.__logField, "Term_up_XML_load_err");
                }
        };
        var _local3 = new LoadVars();
        _local3.name = filename;
        _local3.user = _root.user;
        _local3.message = __description;
        _local3.password = __password;
        _local3.trafficurl = __trafficExchange;
        _local3.toemail = __recipientEmail;
        _local3.fromemail = __yourEmail;
        _local3.multiemail = __multiple;
        _local3.sendAndLoad((((__server + "uploadquick.php?UPLOAD_IDENTIFIER=") + __id) + "&user=") + _root.user, _local4, "POST");
        com.mega.managers.Logger.write(_this.__logField, ((((((((("Term_up_XML_request[name: " + _this.__file.name) + ", size: ") + _this.__file.size) + ", server: ") + __server) + ", id: ") + __id) + ",user=") + _root.user) + "]");
}

[fjcuenase]

A long time ago It sourprised me this Megaupload feauture and
now I need to send to megaupload md5 hashes by myself but I can't.

When I try to upload a file using Mega Manager, if I try uploading it
using Megaupload it upload the whole file. But if I try uploading it
using Megavideo It just ignore it.

I'm using WebScarab Sniffer and I don't find any http request o responde
related to http://www.megaupload.com/u/u=?.*
I've also tried to upload a file using megaupload webtool and the
experience is the same.

When I try to send an http request to megaupload.com/u I receive a
404 response. Where is the problem? Md5 hash doesn't work anymore?

[spliff666]

The /u/ is stil active on the multifetch subdomain
http://multifetch.megaupload.com/u/?...2b781318ce1d21

[SiMmER]

hey i would suggest u to edit ur posts and discuss this via pm's to the guys who have replied to this topic.

because if u succed in achiving what ur trying then this will be public and mu will patch it

-SiMmER

[?RaJ?]

so, what do you want exactly?

a program that can do same like Mega Manager Does?

[Sub]

Very very interesting