By: Federico Pistono
13 Aug 2007
If you happen to be a voracious torrent user, you may have found yourself in the situation where, instead of a film, your video player displays a still text inviting you to download their stupid trojan-horse-infected proprietary video player.

Basically the video file is there, but it's been encrypted so that only that particular crappy video player allows you to see it. Or is it? Apparently 3wplayer are not very bright: all they did was use a standard exclusive or (XOR) with a short string, which makes sense. It's really easy to implement, it saves space since the function for encoding and decoding is the same, and most importantly it's fast, which it has to be when dealing with video. What those morons who created that stupid player forgot was that if you have a lot of the same bytes in the file you want to encrypt, the XOR key shines through. (hacking code below!)
That means that with a simple Perl script you may circumvent that problem.
#!/usr/bin/perl
# Turn off output buffering
$|++;
# The key for XOR decryption
my $key = 'UIERYQWORTWEHLKDNKDBISGLZNCBZCVNBADFIEYLJ' . chr(0);
print "Reading from \"$ARGV[0]\":\n";
$insize = -s $ARGV[0];
# Open the bogus AVI file (3-argument open, so the file name
# is never interpreted as an open mode or a pipe)
open(IN, '<', $ARGV[0]) or die $!;
binmode IN;
# Read header to check
read(IN, $buffer, 4);
if ($buffer ne 'RIFF') {
    print " ERROR: \"$ARGV[0]\" is not an AVI\n";
    close IN;
    exit(1);
}
# Get length of the unencrypted movie
# ('V' = unsigned 32-bit little-endian, the byte order RIFF uses)
read(IN, $buffer, 4);
$offset = unpack 'V', $buffer;
print " End of the unencrypted movie is at byte offset $offset\n";
# Jump to the read offset
seek(IN, $offset, 0);
# The next 4 or 8 bytes seem to be either an unsigned long
# or an unsigned quad. This is another offset to jump
# over some filler bytes. Right now I can't really tell if
# it's 4 or 8 bytes, because I only have 1 file to test with.
# I assume it's a quad.
# low word
read(IN, $buffer, 4);
$offlo = unpack 'V', $buffer;
# high word
read(IN, $buffer, 4);
$offhi = unpack 'V', $buffer;
# Calculate offset
$offset = $offhi * 4294967296 + $offlo;
print " Offset after the unencrypted movie is $offset\n";
seek(IN, $offset, 0);
# Then there seem to be another 100 filler bytes
# with value 0xff. Jump over those too, to get
# to the offset where the real movie starts.
printf " Adding extra filler bytes, final offset is %s\n", $offset+100;
seek(IN, 100, 1);
# Update the size
$insize -= $offset+100;
# Open a file for writing the decrypted data to
print "Decrypting to \"$ARGV[1]\":\n";
open(OUT, '>', $ARGV[1]) or die $!;
binmode OUT;
truncate OUT, 0;
$bytes = 0;
$klen = length($key);
# Read key length bytes, decrypt them and
# write them to the output file until you reach
# the end of the file
while ( my $n = read(IN, $buffer, $klen) ) {
    # XOR only as many key bytes as were read; otherwise a short
    # final chunk would be padded out to the key length
    $buffer ^= substr($key, 0, $n);
    print OUT $buffer;
    $bytes += $n;
    # print the status
    printf "\r %d written (% .1f %%)", $bytes, ($bytes / $insize * 100);
}
# Close both files
close OUT;
close IN;
print "\n\nDONE!\n";
Save the code as decode.pl and start the script on the command line with:
perl decode.pl ENCRYPTED_FILE.avi DECRYPTED_FILE.avi
And don't forget to put the file names in quotes if you have spaces in them. decode.pl + VLC or MPlayer worked just fine.
Many thanks to the mininova forums' hackers.
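Added example (not part of the original post or of the script above): how a short repeating XOR key "shines through" long runs of one byte, written in Python rather than Perl. The sample data is constructed, and the assumptions that the hidden file starts with 'RIFF' and is padded with 0x00 or 0xFF are made for this illustration only.

```python
from collections import Counter
from itertools import cycle

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def guess_period(ct: bytes, max_period: int = 64, threshold: float = 0.5) -> int:
    """Smallest shift p at which the ciphertext mostly repeats itself."""
    for p in range(1, min(max_period, len(ct) - 1) + 1):
        same = sum(a == b for a, b in zip(ct, ct[p:]))
        if same / (len(ct) - p) >= threshold:
            return p
    raise ValueError("no repeating period found; plaintext may lack constant runs")

def recover_key(ct: bytes, magic: bytes = b"RIFF", fillers=(0x00, 0xFF)) -> bytes:
    """Recover the key from the most common ciphertext byte in each key column."""
    p = guess_period(ct)
    modes = bytes(Counter(ct[j::p]).most_common(1)[0][0] for j in range(p))
    for filler in fillers:  # the dominant plaintext byte is only a guess
        key = bytes(m ^ filler for m in modes)
        # Accept the guess if it decrypts the start of the file to the magic
        if xor_repeat(ct[:len(magic)], key) == magic:
            return key
    raise ValueError("no filler guess reproduces the expected file magic")

# Constructed sample: an AVI-like blob with a long run of zero padding,
# encrypted with the key that appears in the decode.pl script on this page.
KEY = b"UIERYQWORTWEHLKDNKDBISGLZNCBZCVNBADFIEYLJ\x00"
PLAIN = (b"RIFF" + bytes([0x10, 0x27, 0, 0]) + b"AVI LIST"
         + bytes(4200)                                       # zero padding
         + bytes((i * 37 + 11) % 251 for i in range(300)))   # varied data
CIPHER = xor_repeat(PLAIN, KEY)

if __name__ == "__main__":
    key = recover_key(CIPHER)
    print("period:", guess_period(CIPHER))
    print("key   :", key)
    print("match :", key == KEY and xor_repeat(CIPHER, key) == PLAIN)
```

Wherever the plaintext is zero, the ciphertext is the key itself, which is why a hex editor is enough to spot it; data without long constant runs makes guess_period raise instead of returning a wrong answer.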
24 Responses to Futile attempt of spreading malware: 3wPlayer vs. perl hackers
eliezer faizal (not verified)
Wednesday, August 22, 2007 - 12:49
what a genius
ahmed (not verified)
Sunday, September 2, 2007 - 02:44
How can I run the code in command in Windows XP?
I just wrote the code in Command Prompt and this message appeared:
'perl' is not recognized as an internal or external command,
operable program or batch file.
Alex (not verified)
Sunday, September 2, 2007 - 11:02
You need to get Perl (programming language) installed on your computer. I recommend the ActiveState.com distribution for Windows.
Windows download:
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a...
Other (good) OS's mostly come with Perl installed.
Alex (not verified)
Sunday, September 2, 2007 - 11:10
Forgot to mention that instead of newest films - after decryption you might get some porn movie or some other movie instead of what you were hoping for, since the 3wplayer creators didn't bother to use the real movie. At least in my case.
But I noticed they also don't bother to edit the info file that usually comes with torrents from well known groups such as axxo. So you might want to download just that file first, and if it's OK, then the rest of files in torrent.
Federico Pistono
Tuesday, September 4, 2007 - 13:38
@ahmed
I forgot to mention that indeed you will need perl to run the script, I gave you the benefit of the doubt ^_^
@Alex
aXXo is one of the greatest releasers of all time. I would prefer to find an aXXo release with x264 encoding + vorbis... but it's fine anyway. It is not true that they don't bother to release a fake torrent under his name, I am planning to write an entire post about the torrent community and the best film releases.
Stay tuned b(~_^)b
geem (not verified)
Friday, September 14, 2007 - 23:08
This is working, and kudos to codemonkey for it, but the movies packaged are not the ones they claim to be (downloaded 'Superbad' and got 'Barbershop 2: Still in the Business')
Choppy hairstyles fan (not verified)
Thursday, July 23, 2009 - 16:50
Yup, it's working well for me too. I had some troubles with Perl though, but all is well now.
Zlog Vladimir (not verified)
Sunday, September 16, 2007 - 08:30
Thanks a lot Federico for your time and code that was given.
Regards.
Anonymous (not verified)
Wednesday, October 3, 2007 - 20:59
When you find a movie you want to download, how can you tell if it has the dumb 3wplayer encryption tacked onto it?
Federico Pistono
Thursday, October 4, 2007 - 01:52
You can't really tell, since there are no clear identification signs. What you can do is look for positive comments on the torrent file. Torrentspy, mininova and demonoid are decent communities, you can trust that source.
^_^
-----
http://topdayitypedongoogle.wordpress.com
Adam (not verified)
Friday, October 5, 2007 - 13:19
Where should we save the decode.pl??
I put my video and my decode.pl in the same file, and I execute the perl decode.pl command. However, I get "Can't open perl script "decode.pl": no such file or directory".
I have windows XP OS.
I need more details!!
Thanks
Federico Pistono
Friday, October 5, 2007 - 16:05
Obviously, you put the perl file in your working directory, the same as the file. This is the simplest way, a smarter one would be to place the source perl file in a directory of your local PATH.
Linux/Unix/OS X users know very well what I am talking about.
http://www.troubleshooters.com/linux/prepostpath.htm
On Windows XP:
http://www.computerhope.com/issues/ch000549.htm
Byez,
-----
http://topdayitypedongoogle.wordpress.com
The_Man_01 (not verified)
Monday, October 22, 2007 - 22:20
Which is the best hex editor to find the key of a movie?
Ahmed (not verified)
Saturday, October 27, 2007 - 13:22
What about DOM Player?
Federico Pistono
Monday, October 29, 2007 - 11:04
As far as I know it should be easily fixable with the same procedure.
byez,
Anonymous coward (not verified)
Friday, November 2, 2007 - 21:56
Hi, I have Windows Vista and I can't set up ActivePerl-5.8.8.822-MSWin32-x86-280952.msi. Can somebody help me??????
BagMan (not verified)
Tuesday, November 13, 2007 - 16:28
For you folks out there who don't download these movies by torrent, there is a P2P program which allows us to see what we're downloading even before we have all the movie/music. I use it to get out of these situations: as soon as I see that the movie I'm downloading is a 3-second-long movie with only one image, I cancel the download. The program is called ARES 2.0.9; if you want to download and see if the file you're downloading is real or not, I suggest you download movies via this program... but that's only my opinion... Anyway, I would like to thank the person who made this code in Perl, since it has been a real help in this "battle" against malware.
Federico Pistono
Wednesday, November 14, 2007 - 15:32
ARES is Open Source (thumb up!), it's written in Delphi/Kylix and currently there is only a windows version 32-bit MS Windows (NT/2000/XP) to be precise. The built-in directshow media player looks nice, but MPlayer in conjunction with any file sharing program works fine.
http://sourceforge.net/projects/aresgalaxy/
The real issue is that by having the file split into chunks it could pass lots of time before you can actually get a preview of the video. I still think the best solution is using a decent torrent search engine that reports fake files. I'm working on a guide.
Stay tuned.
Anonymous coward (not verified)
Sunday, February 10, 2008 - 09:38
Hey,
I am receiving this error:
D:\Movies\New Folder>perl decode.pl old.avi new.avi
Reading from "old.avi":
No such file or directory at decode.pl line 10.
Plz give me a solution. I had installed perl, pasted the .avi file in decode.pl directory.
Federico Pistono
Saturday, February 16, 2008 - 03:07
Line 10 is when the file is read. Are you sure the file is there, it's called like that and that it's the right video file? Try the dir command and paste the output here.
Anonymous coward (not verified)
Tuesday, April 22, 2008 - 09:11
Bullshit, it's not working, it's a fu**ing sample of XOR encryption made by a dumb perl coder.
The encryption of DomPlayer can't be broken!
RST Security
Federico Pistono
Wednesday, April 30, 2008 - 09:38
Thank you Anonymous coward for your useful insight and for the exceptional property of language with which you so eloquently presented your point of view.
Allow me to disagree with such an impetuous remark, as the code has been tested and at the time it was made it was indeed working. It may very well be that you did not follow the procedure or that the DomPlayer developers changed the encryption afterwards.
Regards,
Anonymous coward (not verified)
Tuesday, December 30, 2008 - 19:23
I have found interesting sources and would like to give the benefit of my experience to you.
I am tuning my pc by the best software for free, with the file search engine DornFall
Maybe you have your own experience and could give some useful sites too. Because this social site helps me much.
Steve_BZ (not verified)
Friday, January 30, 2009 - 22:43
What a great piece of code. Does anyone have a working piece of perl code using wxWidgets or similar which can play the .avi afterwards?
Regards Steve