First of all I want to thank Ex0rPhine for helping me analyze, unprotect and disassemble this program; thanks a lot, bro.
A few weeks ago I was browsing a Russian forum and found a link to a fully working copy of Xrumer 3, so I decided to see how it worked and whether it really uses some alien tech to handle captchas.
I found no alien tech, but there is an interesting idea nicely implemented. In this article I will try to explain the basics of how it works, and an easy way to avoid being spammed by it.
Sadly, I can't say anything about the captcha recognition engine, because I don't have much free time, and honestly I think it is impossible to understand a complex algorithm by looking at the ASM disassembly.
Ok, let's begin.
What is Xrumer?
Its creators at botmaster.net say: "XRumer is a software application that automatically posts your messages to forums, guestbooks, bulletin boards and catalogs of the links (as well as into livejournals and wiki). In a word it is an autosubmitter." Or, as I'd put it, in a word it is a tool to spam anything that isn't email.
Xrumer 3 can also send PMs on phpBB and vBulletin boards.
But the coolest feature of Xrumer is that it can create new accounts on forums automatically, working around pictocode protection or email confirmation.
Here we can see the captchas it can handle.
Here you can see a video of Xrumer 3 at work.
XRumer File Structure
Debug/ - the log of a single test-forum run, written after pressing the "Test" button
img/ - graphic files are stored in this folder
Langpack/ - language packs
Links/ - all databases containing links to forums and guestbooks are stored here. File name format: *ForumsList id*.txt
Logs/ - this folder contains the report files (reports are created automatically while the program runs)
Projects/ - your project files are stored here. File name format: *.xpy
config.ini – the program configuration file
proxy.ini – proxy checking settings
xblack.txt – black list (forums where posting is undesirable)
xprior.txt – contains the default forum categories where posting is recommended
xproxy.txt – contains the HTTP proxy list. It is updated automatically or filled in by the user.
xsocks.txt – contains the SOCKS proxy list (must be filled in by the user)
Types of links databases
There are 5 types:
ForumsList id*.txt – the main database.
ZForumsList id*.txt – a database formed during the last session while going through the main database. The links stored in this database point directly to the page where the message is posted.
MForumsList id*.txt – the database of activation links, formed while downloading activation links from the e-mail inbox (it is created if the "Profile activation via email" option is set to manual mode).
RForumsList id*.txt – the database of links for using the "Reply" option on forums. With this option you can reply to your previous posts. Created while running through the "Forums" database list.
EForumsList id*.txt – the database for editing previously created posts.
Xrumer is coded in Delphi, and the resulting .exe is protected with ASPack v2.12.
When you start XRumer, it connects to botmaster.ru and botmaster2.ru and makes some requests about the account. If you block access to botmaster via the hosts file, it says "blah, blah, internet connection problem..." and exits. (EOP dixit)
In order to use Xrumer you need a valid account, and that account is maintained by paying $10 monthly to the botmaster.ru guys. Ex0rPhine found a few accounts and tried them, but all of them were dead; that's why we never spammed any forum.
If you watched the video, by now you should have a pretty good idea of what this program does and how to use it. In this section I'll try to give some basic insight into how it works.
Message Preview. You can preview how your messages will look using this module: XRumer opens a page in your browser that simulates a board showing your message.
You can also use macros to create variations of the message to post.
The proxy engine. Xrumer can use anonymous HTTP proxies or socks5 proxies and has an anonymous proxy leecher; the URLs to leech from are stored in a txt file that by default comes with 41 entries, a few of which don't work. The leeched proxies are stored in xproxy.txt and xsocks.txt.
This works like any other proxy tester engine, nothing new.
Target List. It comes with 158352 targets ready to spam, or you can use the companion program Hrefer, which searches engines (Yandex, Google, MSN, Yahoo, Altavista) for new possible targets. In Hrefer you can specify keywords to narrow your target search, or use predefined templates to search only for "guestbooks", "phpBB boards", "vBulletin boards", etc.
Mass PM. Starting with version 3.0, XRumer can mass PM a complete board. The manual says it can only do it on vBulletin and phpBB boards, but if we inspect the file masspm.ini we can see that it also has the links to do it on Invision boards.
The XRumer manual comes with this note about Mass PM:
As the Personal Messages system of mass posting is new in Xrumer 3.0, some of the forums have a very reliable protection system against automated postings, such as: it is forbidden to send a message more often than 1 time in ~20 seconds, it is forbidden to send more than 3-5 messages a day, etc. However, we are constantly working on new ways to circumvent these systems.
Mail registration. It can auto-register some web mail accounts, or you can provide a POP3 account to use for the user registration process. Xrumer can be configured to check the email account every n minutes for mail confirmations; it then analyzes the mail in a really simple way: it looks for the confirmation link and follows it.
To analyze the received mails, Xrumer has a set of patterns to match in the mail's text and in the links inside the mail; those patterns are defined in the file xpop.txt.
Let's see some entries in the file...
[...]Account validated at[...]
Patterns to find in the mail's text.
Patterns for activation links
Extracted from the XRumer manual:
Posting mode is selected on the "Links database" tab. There are 5 modes:
1. ForumsList – links are taken from the main database.
2. ZForumsList – links are taken from a database that was formed during the last session while going through the main database. The process in this mode is a few times faster, because the links stored in this database point directly to the page where the message is to be posted.
3. MForumsList – the database of activation links, formed while downloading activation links from the e-mail inbox (see "Mail").
4. RForumsList – the database of links for replying in previously created topics.
5. EForumsList – the database of links for editing previously created topics. It is necessary to post with the same nickname and password that were previously used. Probably only those topics that were created on behalf of the registered user can be edited.
The ZForumsList id*.txt, RForumsList id*.txt, EForumsList id*.txt and MForumsList id*.txt databases are created during the process of posting.
All databases are located in the Links folder.
The process of posting
Extracted from the XRumer manual:
In the process of its work XRumer continuously processes links from the forums database – ForumsList id*.txt (or ZForumsList id*.txt, MForumsList id*.txt, RForumsList id*.txt – see Posting modes).
The algorithm looks something like this:
1. The program enters the site by the next link from the database.
2. If it is a forum, it chooses the most suitable topic for your message.
If it is not, it looks for a link to a forum/guestbook/links catalog/new topic creation, etc.
3. It checks whether registration is needed to create topics; if yes, it registers on the forum and logs into it after that. If during registration there is a need to enter text from a picture (pictocode), the picture is downloaded and processed, and the code is entered.
More info on this process is located here - http://www.botmaster.net/pictocod/.
If registration must be activated by e-mail, the program will continue working on the next forum and activate links in the background if "Profiles activation via e-mail" is set to automatic mode. If it is turned off, it will stop work on this forum. If "Profiles activation via e-mail" is set to manual mode, then it will download activation links from the e-mail inbox only when the button "Get the activation links from the mail box" in the "Mail" tab is pressed. This forum will be placed in the report file Activation id*.txt. Downloaded links are placed into the MForumsList id*.txt database.
4. Finds the form that has to be filled in and fills in the needed fields.
5. Sends the entered data.
6. Checks whether the information sent was actually posted. If it was, a link to the page with the message is added to the Success id*.txt report. If data was sent but the software could not verify the posting, a link to the page with the message is added to the HalfSuccess id*.txt report.
The link to the page where the message was posted is placed into the ZForumsList id*.txt database, and if next time the process is launched not from the ForumsList id*.txt database but from the ZForumsList id*.txt database, it will run 5-7 times faster. The link to the page where a reply to that message is posted is placed into the RForumsList id*.txt database. The next time you start messaging from this database, no new topics will be created; instead, replies to previously created topics will be sent.
This is the "Question-Answer" system (more info on this is located here - http://www.botmaster.net/v-o/).
7. If the link to the form or the forum has not been found, the link is placed into the Resultates id*.txt report, with an explanation of why the posting failed.
8. If "Profiles activation via e-mail" is set to automatic mode, the program will continue working and activate links in the background.
If "Profiles activation via e-mail" is set to manual mode, when the end of the ForumsList id*.txt database is reached, Xrumer will switch to downloading activation links from the e-mail inbox only when the button "Get the activation links from the mail box" is pressed. Downloaded links are placed into the MForumsList id*.txt database. When the download is complete, it goes through the activation links.
The bot AI is the weak point of XRumer. Why?
The bot analyzes the web pages or mails it receives using a pattern matching approach.
As I said before, the patterns for confirmation mails are in the file xpop.txt, and the patterns to handle the registration and posting process are defined in the file xlinks.txt.
This is XRumer's weak point. Let's see a fragment of xlinks.txt:
#Endast registrerade medlemmar har access till forumet.<;>Du <b>kan inte</b> skapa nya inlägg i det här forumet<;Чтобы отсылать сообщения вы должны войти в систему.;>To post you must be logged in. If you don't have an account yet, please register.<;>Para postar você precisa estar logado;Il n'y a que les membres enregistrés qui ont le droit d'accéder à ce forum;Attention, ce forum est un espace PRIVE, vous devez en être membre pour y entrer et y participer;>Sólo miembros registrados pueden acceder a este foro<;>Om een bericht te posten moet je ingelogd zijn;>Sólo los usuarios registrados tienen acceso a este foro.<;>Deze optie is allen beschikbaar voor geregistreerde leden.<;>Disculpa, no tienes permiso para responder a esa discusión<;forums is a member-only feature.<;>Seules les personnes enregistrées peuvent poster sur ce forum.<;you must be registered and logged-in to post;Незарегистрированным нельзя создавать темы;>Вам запрещено использовать личные сообщения на форуме<
OK, that list is heavily trimmed, but we can see that there are lots of sentences in different languages saying that you need to register in order to post. Those sentences match the tag MUSTREGISTERANYWAY. It is interesting that this guy defines the tags after the keywords... Anyway, these are the tags:
Based on the resulting tag Xrumer gets, it decides what its next step will be.
As you can see, Xrumer would need to know the exact sentence used by every possible target board, in every possible language, but... it doesn't.
Previous XRumer versions weren't able to learn new sentences and were doomed, but XRumer 3 can learn new ones; I don't know how well it does it, though :S
How to avoid being spammed by XRumer
This is completely theoretical, because we can't make our Xrumer copy start spamming due to licensing problems, so we can't test it...
but... The idea would be to make the XRumer engine think that the registration operation failed, even if it worked.
So, what we do is this: when you follow the mail confirmation link you got, you always get a page that says "The activation key you supplied does not match any in the database", but written in the same color as the background, while showing an image that says "Your account is activated".
Then human users will see the picture and will know they need to reload the page or whatever, but Xrumer will match the text to the tag WRONGACCOUNT and isn't going to proceed.
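As an added illustration (not the author's code and nothing shipped with XRumer), the following Python sketches a substring-to-tag matcher of the kind described above and the decoy activation page it would be fed. Only the two tag names come from the article; the phrase table, the "first match wins" rule and the page markup are assumptions made for this example.

```python
from typing import Optional

# Constructed tag table in the spirit of xlinks.txt: raw-HTML fragments mapped to
# the tag the bot acts on. Tag names are the two quoted in the article; the
# fragments and the first-match rule are assumptions for this example.
PATTERNS = {
    "MUSTREGISTERANYWAY": [
        ">To post you must be logged in. If you don't have an account yet, please register.<",
        "you must be registered and logged-in to post",
    ],
    "WRONGACCOUNT": [
        "The activation key you supplied does not match any in the database",
    ],
}

DECOY = "The activation key you supplied does not match any in the database"


def classify_page(page_html: str) -> Optional[str]:
    """Return the first tag whose fragment occurs verbatim in the raw HTML.

    This mirrors the substring matching the article describes: it inspects
    markup rather than rendered output, so text that a human cannot see
    (same colour as the background) still counts as a match.
    """
    for tag, fragments in PATTERNS.items():
        if any(fragment in page_html for fragment in fragments):
            return tag
    return None


def activation_page(activated: bool, bg: str = "#ffffff") -> str:
    """Confirmation page served after the user follows the e-mail link.

    A genuine failure and a success look identical to a text matcher: both
    carry the failure sentence. On success the human-readable result is an
    image; its alt text keeps the page usable for screen readers, which would
    otherwise read the hidden decoy sentence aloud.
    """
    if not activated:
        return f"<body><p>{DECOY}</p></body>"
    return (
        f'<body style="background:{bg}">'
        '<img src="/img/activated.png" alt="Your account is activated">'
        f'<p style="color:{bg}">{DECOY}</p>'
        "</body>"
    )
```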
I'm sure there are other similar ways to cheat XRumer.
I hope this essay helps people understand a little better what we are talking about when we talk about XRumer. I'm leaving lots of things unexplained in order to keep this relatively short.