NewsSearcher warning

NewsSearcher sends your newsserver, account, password to Joop.

Details
Everytime you start NewsSearcher it connects to http://ns.does.it
This redirects the NewsSearcher to a server at http://ns.100webspace.net/

NewsSearcher first sends this server some initial details (version of NewsSearcher used, which config for NewsSearcher is used). No problems here.
The server responds with a special string, which triggers NewsSearcher to do a couple of things:

1. Send your newsserver, port, account, password to this server
2. Depending on if the NewsSearcher config is a older one, it will download new engine definitions from this server.

This happens everytime you start NewsSearcher.
It isn't all that bad.

Thank Joop
If you like to share your paid news account with Joop and maybe others you can go to http://z14.invisionfree.com/NewsSearcher/ and thank him there.

Change your password
If you don't want to share your account you should change your password of your news accounts:
Eweka: http://www.eweka.nl/nl/control_panel/
Giganews: http://www.giganews.com/

Privacy fix NewsSearcher
If you still want to use NewsSearcher you can block ns.does.it in your HOSTS file.
It will prevent NewsSearcher from sending your account details to anyone.

Your HOSTS file is located in this folder "C:\WINDOWS\system32\drivers\etc"
Open HOSTS file and add the following line:
127.0.0.1 ns.does.it

Latest NewsSearcher config
The latest config is version 4. Default installation of NewsSearcher contains config version 3.
When you block ns.does.it, it will not download the latest config.
But you can download config version 4 from here: http://rapidshare.com/files/94206888/ns_config_4.rar.html
And put it in the following folder: %APPDATA%\NewsSearcher

Don't believe it and want your own proof?
Check yourself using Ethereal (http://www.ethereal.com/), Wireshark (http://www.wireshark.org/), or some other network sniffer.

You don't have to search for anything inside NewsLeecher, just watch the first packets.
Look carefully when NewsSearcher does a HTTP GET request.

The GET string should look something like this:
"GET /i.php?u=&c=(A)&v=(B)&cv=(C)&s=(D)"
where in most cases:
A: 39006 => Client version
B: 0.11.1.1 => Newssearcher version
C: 4 => Newssearcher engine version. If this is 3 newssearcher will do another GET request for engine version 4
D: (A long string of random characters) This is your paid news account encrypted using base64 encoding. http://en.wikipedia.org/wiki/Base64

Decode this last string (D) using some base64 decoder (http://www.motobit.com/util/base64-decoder-encoder.asp) and you can get the same conclusion as I did.

Conclusion
I really liked Joop's NewsSearcher and he did a good job, but I only wished he would have asked for some accounts instead of using his program to get paid accounts from everyone.

Newsleecher remove [RnE] tag from foldernames

You want to remove the subfix [RnE] from extracted folders by RnE from newsleecher

Its not that hard to do, you only have to do the following steps.
Make a backup of newsleecher.exe just to be sure :).

1. Open newsleecher.exe with your favorite hexeditor (ie. Hex Workshop).



2. Search for Text String " [RnE]" or Search for Hex Values "20 5B 52 6E 45 5D"
The hex values represent the same string: http://www.asciitable.com/
20 = space
5B = [
52 = R
6E = n
45 = E
5D = ]





3. Change the 07 value before this " [RnE]\" into 01
The 07 represents the length of the string
" [RnE]\" -> length of 7
"\" -> length of 1
"... FF FF 07 00 00 00 ..." becomes "... FF FF 01 00 00 00 ..."





4. Remove "... 20 5B 52 6E 45 5D ...", so whats left is "... 00 00 5C 00 ..."








The filesize of newsleecher must stay the same, so in removing those 6 values
you would have to add some padding using 6 NOPS, http://en.wikipedia.org/wiki/Nop
90 = NOP
5. Add those NOPS after "5C 00" -> "5C 00 90 90 90 90 90 90"
"... 5C 00 55 8B ..." becomes ... 5C 00 90 90 90 90 90 90 55 8B ..."







6. Save and you're done. Newsleecher RnE will not add the [RnE] tag anymore.