TheBat Importer (en)

From FelixSchwarz

Current situation

July 2011: Still no public information on the file formats. However, Michal Kocarek wrote a Thunderbird extension named Bird Import, partially based on the information found on this page. You might want to check the source, as his extension can also handle newer versions of The Bat!.

August 2005: There is no public information about the file formats which are used by The Bat!. Ritlabs does not disclose any useful information. Several recovery tools exist, but they are all closed source and their authors were not willing to share information.

Existing Tools

  • Alexey N. Vinogradov is the author of a plugin for The Bat! called BayesIt!, which was integrated into the official The Bat! version some time ago. In a posting on tbdev in July 2003 he mentioned an open source program which can parse TBB files. Even with thorough searching I couldn't find this open source program. Alexey hasn't answered my emails yet. Although I have already decoded most of the information inside a TBB file, it would be nice to have access to another TBB parser.
  • DeBat!: no working email address (cracker group?).
  • Mail Password Viewer: Got some source code which should be able to decrypt passwords stored in ACCOUNT.CFG. Thanks a lot to puky (this author created "The Bat! Password Viewer", too).
  • tb2kmail is a tool Gregor Fellenz mentioned to me. It uses IPC calls to control a running The Bat! instance so that it will export all mails automatically. This tool does not include a specification of the file format.
  • The Bat! Filter Commander: The author decrypted only some structures of the filter file format and mostly used the raw data as a black box for his tool. Unfortunately the source code for this tool was lost during a hard disk crash.
  • The Bat! Password Recovery: "Quellcodes oder Beschreibungen meiner Programme gebe ich nicht weiter." ("I will not share source code or descriptions of my programs.")
  • TheBat! Unpass: no answer.

My own reverse engineering attempts

I started my own reverse engineering attempts. I did not disassemble or decompile any program files. All information was gathered by looking at the data files and the registry, making changes with The Bat! and comparing the new files with the previous state.

So far I was able to extract most of the mails out of the TBB files. The information I have so far is summarized in the TBB file format specification.

Software

I wrote a little TBB-to-mbox converter in C. This converter is just a prototype but may be used as a basis for a real converter. Ultimately, I would like to see an import module for Thunderbird, so I started writing an import extension for Thunderbird.

TODO

Import Mails

  • Color groups: Internally The Bat! uses the unique short name to map a configuration in COLORS.INI to a specific mail. Unfortunately I don't know yet how to map this short name to a four-byte identifier. They are using a hash algorithm but I don't know which one... AFAIK Thunderbird is limited to five predefined color groups. Therefore I think importing color groups will probably be impossible.
  • Exact format for external attachments. How to parse a message efficiently to extract all references to external attachments?

Import Address Books

  • reverse engineer the ABD format.

Import Accounts

I was able to write a specification of the ACCOUNTS.CFG file format - at least for the major parts of it. Some parts such as password decryption are missing though. I wrote a small decoder for this file but it is really, really LOW quality!

Import Filters

  • decode ACCOUNT.SRX

Import Quick Templates

  • look for an extension which provides functionality equivalent to the quick templates.
  • decode ACCOUNT.QTN

Further Information Sources

  • ACCOUNT.FLX - folder specific information (folder names, folder specific templates and settings)
  • ACCOUNT.PFX - S/MIME certificates (PKCS#12 format)
  • ACCOUNT.SCC - information about S/MIME certificates of others?
  • ACCOUNT.FLB - ???
  • ACCOUNT.SCE - "connection between email addresses and signers when using S/MIME (ASN.1 BER encoded)" (The Bat! help file)
  • ACCOUNT.VCF - personal vcard
  • ACCOUNT.HIS - log file with filter actions (not interesting)
  • ACCOUNT.LOG - general log file with received mails (not interesting)
  • ACCOUNT.M_D - message UIDLs which were deleted from the server
  • ACCOUNT.M_R - message UIDLs which are marked as read on the server

For more details see also: TheBat! World - Config Files (German only, sorry)