Upx File Is Modified/hacked/protected


What's the problem (or question)? Steve Gibson, world renowned security expert (in his mind), has been developing a called 'SQRL' for four years. Along with all of the other executables on, he is distributing SQRL development mystery exes such as packed with UPX with a modified header/stub to prevent unpacking. If that link no longer works, check the latest EXEs in. He does this to hide his code and dependencies, because he's likely packing in other open source libraries and not disclosing them. Steve never, ever shares his code, but he claims it's all clean ASM. 321KB of packed ASM in this case, with a QR code printer and who knows what else, that he supposedly wrote in ASM and it's 321KB packed.

In an effort to determine what open source libraries he is using in violation of their licenses and to audit the code, I attempted to unpack the SQRL exe. It is definitely using UPX with a modified header.

Output from `upx -d`:

```
Sqrl-0.0.6368.65.exe: file is modified/hacked/protected; take care!!!
```

Output from PE Explorer UPX Unpacker plug-in:

```
UPX: File compressed with UPX
UPX: UPX version: 12
UPX: Crafty modification to UPX header detected!
UPX: Failed to recover the PE file header!
```

Obviously, he's modifying the header to prevent decompression, because people could see the libraries he's bundling, and they could see his code as well in a disassembler. The license has prevented header modification since 1.0, but he's doing it anyway. The license states:

> We grant you special permission to freely use and distribute all UPX compressed programs. But any modification of the UPX stub (such as, but not limited to, removing our copyright string or making your program non-decompressible) will immediately revoke your right to use and distribute a UPX compressed program.

When confronted with this, Steve Gibson claims that he was of UPX in 2001 that allows him to perform header modification to prevent decompression.

Steve says: 'They once also offered in a paid-for commercial version that offered additional features, including the ability to obtain additional compression and the option to thwart command-line decompression. And that appears to be the version I'm using, since its last copyright year is 2001.' Furthermore, he that: 'I am quite certain that my use of UPX is congruent with what its authors authorized at the time I acquired it from them and I have no need to prove that to anyone. If Laszlo Molnar, or any of the other UPX copyright holders, wish to contact me through official GRC channels, rather than by borrowing Shania's newsreader, I will be more than pleased to settle any concerns they might rightfully have.'

What hasn't been discussed above is that `strings` run on the packed EXE also returns none of the copyright string, so it appears he's removing this as well. However, the more nefarious violation is the fact that you can't inspect the code or the libraries that he's packing in. Steve is publicly inviting UPX copyright holders to enforce their license against him. Please let me know if you need any more information.

What should have happened?

Steve Gibson should have used the real upx.exe that would allow `upx.exe -d`.

Do you have an idea for a solution?

Compel Steve Gibson to adhere to the license.

How can we reproduce the issue?

Run `upx.exe -d` on or any recent exe in.

Please tell us details about your environment.

- UPX version used (`upx --version`): Unknown.
- Host Operating System and version: Windows.
- Host CPU architecture: x86.
- Target Operating System and version: Windows Any.
- Target CPU architecture: x86.

Steve Gibson, for media manipulation than technical wizardry, has now doubled down on his lies about UPX in his. He begins with a lie that 20 years ago, sold him UPX with a commercial license that prevented decompression on a web page he can see in 'his mind's eye.'

> As I have said, I have a clear memory of having once purchased a flavor of UPX that offered additional features & removed command line decompression. I can still see the web page in my mind's eye despite it being more than 20 years ago. I've looked around, but it was so long ago that any receipt I might have, or the original download package with its license, are several workstation generations past, and are no longer online.

He claims now that he's been exposed, he will switch packers:

> But this controversy has caused me to revisit my choice in EXE compressors.

He continues by throwing shade at UPX directly:

> But the nicest news is that it's also better than UPX. It's faster to both compress & decompress, and it compresses more. :) Whereas the most recently published v0.0.6368.65 was 328,176 bytes, this alternative compressor just squeezed the working version I have down to 283,648 bytes. And it appears to work perfectly.

So, it appears Steve Gibson's mystery EXEs will now come packed with a mystery packer, all because he doesn't want anyone to see what statically linked libraries he's using., do you think you'll be able to assist in unpacking the original EXE linked? I have it downloaded in case he replace(s/d) it. For anyone who's interested in looking at it, here's the. Here's the original,. The only library I can see for sure (so far) that he's included illegally is. Are you interested in this at all?

The libsodium library ISC License states:

> Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

Obviously the packed, modified EXE doesn't have this string anywhere. The unpacked EXE doesn't either.

He's redistributing statically linked libsodium code without acknowledgement. If you're interested where it's used in the unpacked EXE, you can find references to it at addresses 0x004B45E7 and 0x004B4610:

```
SSZ004B45E7InitializingSodiumCryptoLibra: db 'Initializing Sodium Crypto Library:%s',0Dh,0Ah,0
SSZ004B4610Sodiumlibraryrandomsource:     db 'Sodium library random source: ',27h,'%s',27h,0Dh,0Ah,0
```

In case he tries to repudiate his EXE, the original, modified packed EXE I linked above is digitally signed by him (GRC). You can follow 's instructions to get to my unpacked EXE exactly:

1. Use a hex editor to change the name of the first PE section header to UPX (at offset 0x1d8).
2. Then replace the 4 zero bytes at offset 0x3e0 with `UPX!`.

That's all, now you can use `upx -d` to uncompress the file.
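The two hex edits described above (the section name at 0x1d8 and the four zeroed bytes at 0x3e0) are exactly the markers `upx -d` looks for, so an analyst can detect this kind of tampering, and undo it when only the markers were blanked, from a script instead of a hex editor. The Python below is an added example written for this page; it is not code from the issue, from GRC or from the UPX project. It derives the offsets from the PE headers rather than hard-coding 0x1d8/0x3e0, so it also applies to files laid out differently, and its sample input is a constructed toy PE rather than any real binary. Two things in it are assumptions: the classification mirrors my understanding of the checks `upx -d` performs (three sections, entry point inside the second one, first section name beginning with `UPX`, pack header found just before the second section's raw data), and the 32-byte pack header is assumed to end exactly where the second section's raw data starts, which is where the issue's 0x3e0 falls for raw data at 0x400.

```python
# Added example: detect "marker only" UPX header tampering in a PE file and put
# the markers back. Not code from the issue, GRC or UPX; offsets are derived
# from the PE headers and the sample input is a constructed toy PE.
import struct

UPX_MAGIC = b"UPX!"
PACK_HEADER_LEN = 32   # assumption: 32-byte header ends where section 1's raw data begins (0x3e0 -> 0x400)

def pe_sections(data):
    """Return (section_table_offset, entry_point_rva, [(name, vaddr, raw_size, raw_ptr), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (PE32 and PE32+ alike)
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = bytes(data[off:off + 8]).rstrip(b"\0")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, raw_size, raw_ptr))
    return table, entry, sections

def find_pack_header(data, sections):
    """Scan the header slack just before section 1's raw data for the magic; -1 if absent."""
    if len(sections) < 2:
        return -1
    start = max(0, sections[1][3] - 64)
    idx = bytes(data[start:start + 64 + 1024]).find(UPX_MAGIC)
    return -1 if idx < 0 else start + idx

def triage(data):
    """Classify the file the way upx -d's messages do (my understanding of its checks)."""
    _table, entry, sections = pe_sections(data)
    upx_layout = len(sections) == 3 and entry > sections[1][1]     # entry point lives in UPX1, the stub
    upx_named = bool(sections) and sections[0][0].startswith(b"UPX")
    found = upx_named and find_pack_header(data, sections) >= 0
    if upx_layout and found:
        return "packed by UPX, header intact"
    if not upx_layout and not found:
        return "not packed by UPX"
    if upx_layout:
        return "possibly modified/hacked/protected: UPX layout, but section name or pack header tampered"
    return "pack header present but section layout is not UPX's (extra section appended?)"

def restore_markers(data):
    """Undo the two edits when only the markers were blanked. Returns repaired bytes,
    or None when the rest of the header is gone too (the 3E0h-400h wipe from the
    uTorrent thread), which needs the header rebuilt from the stub instead."""
    d = bytearray(data)
    table, _entry, sections = pe_sections(d)
    if len(sections) != 3:
        return None
    slot = sections[1][3] - PACK_HEADER_LEN
    if not any(d[slot + 4:slot + PACK_HEADER_LEN]):
        return None
    d[table:table + 8] = b"UPX0".ljust(8, b"\0")   # UPX's own first-section name; the check needs only "UPX"
    d[slot:slot + 4] = UPX_MAGIC
    return bytes(d)

def build_sample(modified):
    """Constructed toy PE (no real code): UPX0/UPX1/.rsrc, entry in UPX1, pack header
    at 0x3e0, raw data at 0x400. modified=True applies the issue's two edits."""
    d = bytearray(0x400)
    d[:2] = b"MZ"
    struct.pack_into("<I", d, 0x3C, 0xE0)                 # e_lfanew
    d[0xE0:0xE4] = b"PE\0\0"
    struct.pack_into("<HH", d, 0xE4, 0x14C, 3)            # i386, 3 sections
    struct.pack_into("<H", d, 0xE4 + 16, 0xE0)            # SizeOfOptionalHeader (PE32)
    opt = 0xE4 + 20
    struct.pack_into("<H", d, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", d, opt + 16, 0x1A000)          # entry point inside UPX1
    table = opt + 0xE0                                    # 0x1d8, as in the issue
    names = [b"Sqrl" if modified else b"UPX0", b"UPX1", b".rsrc"]
    layout = [(0x10000, 0x1000, 0, 0x400), (0xA000, 0x11000, 0x9000, 0x400), (0x1000, 0x1B000, 0x1000, 0x9400)]
    for i, (name, fields) in enumerate(zip(names, layout)):
        off = table + 40 * i
        d[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", d, off + 8, *fields)
    hdr = 0x3E0
    d[hdr:hdr + 4] = bytes(4) if modified else UPX_MAGIC
    d[hdr + 4:hdr + 32] = bytes([13, 36, 2, 9]) + bytes(range(1, 25))   # constructed header fields
    return bytes(d) + bytes(0x100)                        # a little "raw data" after the headers

if __name__ == "__main__":
    print("original :", triage(build_sample(False)))
    print("modified :", triage(build_sample(True)))
    print("restored :", triage(restore_markers(build_sample(True))))
```

The `restore_markers` refusal when bytes 4..31 of the header slot are all zero is the check worth keeping: putting `UPX!` back only helps when the compression method, lengths and checksums behind it survived, which is the SQRL case but not the uTorrent one described further down.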

Hashes:

- Original packed/signed: SHA1: 3eefb9d171db5db86adc2fe059b6a7, MD5: b9b71756447d32c95c173beb8f91e727
- Unpacked with `upx -d` after fixing headers: SHA1: 1bb4ccfab5bfcd6b128a1aab5405c7d0b03b9173, MD5: 2285ad4737b9dd05af4a13369ad18f21

Example of trace (note that the same files are tried again and again), build 27220:

```
22:311  uTorrent.exe  3728  CreateFile  \\192.168.1.1\my passport\Movies\SomeMovie\BDMV\CLIPINF\00005.clpi.!ut  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
22:415  uTorrent.exe  3728  CreateFile  \\192.168.1.1\my passport\Movies\SomeMovie\BDMV\CLIPINF\00005.clpi.!ut  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
22:112  uTorrent.exe  3728  CreateFile  \\192.168.1.1\my passport\Movies\SomeMovie\BDMV\CLIPINF\00005.clpi.!ut  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
22:877  uTorrent.exe  3728  CreateFile  \\192.168.1.1\my passport\Movies\SomeMovie\BDMV\CLIPINF\00005.clpi.!ut  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
```

If you have a magnet link that hangs uT under any circumstance, uT might already have saved a torrent from the magnet (in its torrent folder) that can be used instead of the magnet.

The magnet hang seems to generally occur after a torrent file has been generated. In my case I had six torrent files for it in uT's torrent dir with the file names file.torrent and file.#.torrent with # being 1-5, meaning that uT had generated the torrent and then hung, six times. In case uT hasn't generated a torrent, magnet2torrent.me seems to be a legitimate site to generate a torrent from a magnet.

It's still just normal upx (with `--brute --lzma`). Since you insisted, I actually wasted some time on this (using UPX 3.08w). Some poking around resulted in this:

- utorrent file, as is; upx returns this error: `upx: utorrent.exe: NotPackedException: not packed by UPX`
- After removing section `.bunndle` from the exe file; upx returns this error: `upx: utorrent.exe: CantUnpackException: file is possibly modified/hacked/protected; take care!`

What is section `.bunndle`, you ask? An upx compressed DLL file that 'offers' by default to install a toolbar, a browser plugin that slows down surfing and the computer, and most likely violates user privacy by monitoring user activity, aka bloatware (possibly spyware).

Many exe compressors are not designed to handle file modifications after the exe has been compressed. That utorrent works at all is pure luck. The standalone upx.exe file, used to unpack, verifies the file integrity before unpacking (using a checksum) while the internal upx decompressor routine does not. (I haven't checked upx's code, just a guess.) In other words, a security vulnerability: a possibility of inserting, e.g., a virus without the upx decompressor noticing. Upx really should fix that, e.g. by adding an option to add a file integrity check. No, a Microsoft certificate isn't security enough. A PR stunt by Microsoft to get their greedy fingers on more money for nearly nothing and getting more evil control like Apple.

BTW: What compression is used on the exe file? A modified upx? They used the same UPX but they stripped the UPX header at offset 3E0h, that contains the compression method and checksums, so UPX can't unpack it anymore. You may compare 'old' and 'new' utorrent.exe at offset 3E0h-400h to see the difference.

'New' utorrent.exe can still be unpacked with a 3rd-party external unpacker that traces the stub till the program entry point (something like procdump), or the header info can be recovered manually from the stub's code to unpack it with UPX natively.

Well, I'm on Windows XP SP3 32-bit. I have all options under System Tray enabled, but 'Show Balloon Notifications'. And also have enabled 'Start uTorrent when Windows Starts' and 'Start Minimized'. For the time being I have made a little batch file to delay uTorrent when Windows starts, for the moment it has worked; but is not the ideal solution. Something like:

```
ping -n 40 localhost > nul
start "uTorrent" "uTorrent.exe" /MINIMIZED
```

Another description for the problem could be that it's like it is on Boss Mode, but I don't even use that option.

Here is my settings.dat: I re-uploaded my settings.dat so it can be checked to see if there is a problem. I tried it again with 3.1.3 build 27220 btw.

Still happening with latest build. BTW: What compression is used on the exe file? A modified upx?

> They used the same UPX but they stripped the UPX header at offset 3E0h, that contains the compression method and checksums, so UPX can't unpack it anymore. You may compare 'old' and 'new' utorrent.exe at offset 3E0h-400h to see the difference. 'New' utorrent.exe can still be unpacked with a 3rd-party external unpacker that traces the stub till the program entry point (something like procdump), or the header info can be recovered manually from the stub's code to unpack it with UPX natively.

Thanks for the info. Much appreciated. I didn't have the tools available to do such a comparison. Formatted my machine not so long ago.

I suspected they did it on purpose. Especially with the defensive response from Firon. Waiting for the possible news to drop about utorrent I.E.

Using illegal code, doing privacy violations, etc. Yes I'm very suspicious and paranoid, rightfully so. I've seen many programs go bad and burn users over the years. Fame, greed and ego can do horrible things to software that was once honest and trustworthy.

Firon: Pay notice I didn't accuse utorrent of anything, I'm merely stating my experience of other software and the fear I have of utorrent going down the same path due to warning signs I've seen. EXE files can be re-signed to hide tampering. It has even been successfully applied and used and talked about in the news.

Here's a news article example from a quick google search: 'The spy malware Flame used bogus Microsoft certificates to infect new computers, a prominent cybersecurity expert says'

Off topic, certificates rant: Microsoft's certificate program is just a scam. It gets Microsoft to 'earn' more money, control the Windows environment, make customers feel a false sense of security and by doing so trust too quickly when a program is signed.

Also making it very difficult for hobby developers and open source software alike. And Microsoft is supposed to be for open source and hobbyists.

Using pr stunts like 'going native'. It still baffles me how many are fooled by that bullshit.
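Back to the technical point raised earlier in the thread: the bytes stripped at 3E0h-400h in the 'new' utorrent.exe are the 32-byte UPX pack header holding the compression method and the checksums, and it was suggested that the standalone unpacker checks these while the in-file stub does not. The following Python is an added example written for this page, not code from the forum, uTorrent or the UPX project. It encodes and decodes that header and applies the integrity checks an unpacker can run before trusting a file, then shows what parsing sees for an intact header, for the 3E0h-400h region zeroed as described, and for a single altered byte. The field layout (magic; version, format, method, level; adler32 of the uncompressed and compressed data; uncompressed, compressed and file lengths; filter bytes; a trailing header checksum computed as the byte sum after the magic modulo 251) is written from my recollection of UPX's packhead.cpp and should be treated as an assumption, as should the format and method numbers used; the payloads are constructed stand-ins produced with zlib, since demonstrating the check does not need a real NRV/LZMA stream.

```python
# Added example: the 32-byte UPX pack header that the thread says was stripped
# at 3E0h, encoded, decoded and integrity-checked. Layout and checksum rule are
# from my recollection of UPX's packhead.cpp (assumption); payloads are stand-ins.
import struct
import zlib

UPX_MAGIC = b"UPX!"
# magic | version, format, method, level | u_adler, c_adler, u_len, c_len, u_file_size
#       | filter, filter_cto, n_mru, header_checksum        (32 bytes, little-endian)
HEADER_FMT = "<4s4B5I4B"
FIELDS = ("version", "format", "method", "level", "u_adler", "c_adler",
          "u_len", "c_len", "u_file_size", "filter", "filter_cto", "n_mru", "header_checksum")

def header_checksum(hdr):
    """Byte sum of everything after the magic, excluding the checksum byte itself, mod 251."""
    return sum(hdr[4:31]) % 251

def adler(data):
    return zlib.adler32(data) & 0xFFFFFFFF

def make_pack_header(u_data, c_data, u_file_size, method=2, level=9, version=13, fmt=36):
    """Encode a header for a 32-bit PE (36 is the win32/pe format id as I recall it)."""
    hdr = bytearray(struct.pack(HEADER_FMT, UPX_MAGIC, version, fmt, method, level,
                                adler(u_data), adler(c_data), len(u_data), len(c_data),
                                u_file_size, 0, 0, 0, 0))
    hdr[31] = header_checksum(hdr)
    return bytes(hdr)

def parse_pack_header(blob):
    """Locate the magic and decode the header; None when the magic is gone (the stripped file)."""
    idx = blob.find(UPX_MAGIC)
    if idx < 0 or idx + 32 > len(blob):
        return None
    raw = blob[idx:idx + 32]
    info = dict(zip(FIELDS, struct.unpack(HEADER_FMT, raw)[1:]))
    info["offset"] = idx
    info["header_ok"] = info["header_checksum"] == header_checksum(raw)
    return info

def payload_ok(info, u_data, c_data):
    """Integrity data a standalone unpacker can verify before writing output: lengths and adler32 of both payloads."""
    return (info["c_len"] == len(c_data) and info["c_adler"] == adler(c_data)
            and info["u_len"] == len(u_data) and info["u_adler"] == adler(u_data))

def demo():
    """Intact header vs. 3E0h-400h zeroed vs. one header byte altered."""
    u_data = b"constructed uncompressed payload\n" * 8          # constructed
    c_data = zlib.compress(u_data)                              # stand-in for the NRV/LZMA stream
    hdr = make_pack_header(u_data, c_data, u_file_size=0x400 + len(u_data))
    image = bytes(0x3E0) + hdr + c_data                         # header at 3E0h, data from 400h
    stripped = image[:0x3E0] + bytes(32) + image[0x400:]        # what the thread says the new exe has
    altered = image[:0x3E6] + bytes([image[0x3E6] ^ 1]) + image[0x3E7:]   # flip a bit in the method byte
    return {
        "intact": parse_pack_header(image),
        "stripped": parse_pack_header(stripped),
        "altered": parse_pack_header(altered),
        "payload_matches": payload_ok(parse_pack_header(image), u_data, c_data),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two observations the run makes concrete: once the 32 bytes are zeroed there is nothing left to locate or verify, which is why `upx -d` can only report the file as modified and why a recovery has to rebuild these values from the stub's own constants; and a single changed byte in the header trips the trailing checksum, whereas a change to the compressed data itself is caught only by code that recomputes `c_adler`, which is the check the thread suspects the in-file stub skips.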