Futile attempt of spreading malware: 3wPlayer vs. perl hackers

If you happen to be a voracious torrent user you may have found yourself in the situation where, instead of a film, your video player displays a still frame of text inviting you to download their stupid trojan-horse-infected proprietary video player.

Basically the video file is there, but it's been encrypted so that only that particular crappy video player lets you see it. Or is it? Apparently 3wplayer are not very bright: all they did was use a standard exclusive or (XOR) with a short string, which makes sense. It's really easy to implement, it saves space since the function for encoding and decoding is the same and, most importantly, it's fast, which it has to be when dealing with video. What those morons who created that stupid player forgot was that if you have a lot of the same bytes in the file you want to encrypt, the XOR key shines through: a zero byte XORed with a key byte is the key byte itself, so every long run of zeros in the video spells out the key in the clear. (hacking code below!)

That means that with a simple perl script you may circumvent that problem.

#!/usr/bin/perl
use strict;
use warnings;

# Turn off output buffering so the progress line updates as it goes
$|++;

die "usage: $0 ENCRYPTED_FILE.avi DECRYPTED_FILE.avi\n" unless @ARGV == 2;

# The key for XOR decryption
my $key = 'UIERYQWORTWEHLKDNKDBISGLZNCBZCVNBADFIEYLJ' . chr(0);

my ($buffer, $offset, $offlo, $offhi);

print "Reading from \"$ARGV[0]\":\n";
my $insize = -s $ARGV[0];
# Open the bogus AVI file
open(IN, '<', $ARGV[0]) or die "$ARGV[0]: $!";
binmode IN;

# Read the header to check it
read(IN, $buffer, 4);
if ($buffer ne 'RIFF') {
    print "  ERROR: \"$ARGV[0]\" is not an AVI\n";
    close IN;
    exit(1);
}
# Get the length of the unencrypted movie
# ('V' is a 32-bit little-endian unsigned int, as RIFF stores it,
# so the script also works on big-endian machines)
read(IN, $buffer, 4);
$offset = unpack 'V', $buffer;
print "  End of the unencrypted movie is at byte offset $offset\n";

# Jump to the read offset
seek(IN, $offset, 0);

# The next 4 or 8 bytes seem to be either an unsigned long
# or an unsigned quad. This is another offset to jump
# over some filler bytes. Right now I can't really tell if
# it's 4 or 8 bytes, because I only have 1 file to test with.
# I assume it's a quad.

# low word
read(IN, $buffer, 4);
$offlo = unpack 'V', $buffer;
# high word
read(IN, $buffer, 4);
$offhi = unpack 'V', $buffer;
# Calculate offset
$offset = $offhi * 4294967296 + $offlo;

print "  Offset after the unencrypted movie is $offset\n";
seek(IN, $offset, 0);

# Then there seem to be another 100 filler bytes
# with value 0xff. Jump over those too, to get
# to the offset where the real movie starts.
printf "  Adding extra filler bytes, final offset is %s\n", $offset+100;
seek(IN, 100, 1);

# Update the size (what is left to decrypt)
$insize -= $offset+100;

# Open a file for writing the decrypted data to ('>' truncates it)
print "Decrypting to \"$ARGV[1]\":\n";
open(OUT, '>', $ARGV[1]) or die "$ARGV[1]: $!";
binmode OUT;

my $bytes = 0;
my $klen = length($key);
# Read key-length chunks, decrypt them and write them
# to the output file until the end of the file is reached
while ( my $n = read(IN, $buffer, $klen) ) {
    # The last chunk may be shorter than the key: XOR against only
    # as much key as there is data, because Perl's string XOR keeps
    # the tail of the longer operand and would append leftover key
    # bytes to the output
    $buffer ^= substr($key, 0, $n);
    print OUT $buffer;
    $bytes += $n;
    # print the status
    printf "\r  %d written (% .1f %%)", $bytes,
        ($insize > 0 ? $bytes / $insize * 100 : 0);
}
# Close both files
close OUT;
close IN;
print "\n\nDONE!\n";

Save the code as decode.pl and run it from the command line with:

perl decode.pl ENCRYPTED_FILE.avi DECRYPTED_FILE.avi

And don't forget to put the file names in quotes if they contain spaces. decode.pl + VLC or MPlayer worked just fine.
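To show why the scheme described above fails, here is an added Python example (not the post's decode.pl) that recovers a repeating XOR key from data containing a long run of one byte value and validates the result by checking for a RIFF/AVI header. The 6-byte key, the plaintext and the filler bytes are constructed for the demonstration and are not the real 3wPlayer values.

```python
# Added example (not the post's script): shows how a short repeating XOR key
# "shines through" a file that contains long runs of one byte value.

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def longest_periodic_run(ct: bytes, k: int):
    """(start, length) of the longest stretch with ct[i] == ct[i + k]: inside
    a run of one plaintext byte the ciphertext repeats every k bytes."""
    best_start = best_len = run_start = run_len = 0
    for i in range(len(ct) - k):
        if ct[i] == ct[i + k]:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, best_len

def recover_key(ct: bytes, filler: int = 0x00, max_len: int = 64, min_periods: int = 3):
    """Shortest period k whose run covers >= min_periods key copies; filler is
    the plaintext byte assumed inside the run (0x00 padding or 0xFF filler)."""
    for k in range(1, max_len + 1):
        start, length = longest_periodic_run(ct, k)
        if length + k >= min_periods * k:
            key = bytearray(k)
            for j in range(k):  # undo the phase offset of the run start
                key[(start + j) % k] = ct[start + j] ^ filler
            return bytes(key)
    return None

def looks_like_avi(data: bytes) -> bool:
    return data[:4] == b"RIFF" and data[8:12] == b"AVI "

def break_xor_avi(ct: bytes):
    """Try the usual filler bytes; keep the key whose output is a RIFF/AVI."""
    for filler in (0x00, 0xFF):
        key = recover_key(ct, filler)
        if key and looks_like_avi(xor_repeat(ct, key)):
            return key
    return None

# Constructed sample: AVI-like plaintext with a 36-byte zero run, encrypted
# with a made-up 6-byte key (not the real 3wPlayer key).
SAMPLE_KEY = b"Xk3Q9p"
SAMPLE_PT = b"RIFF" + (60).to_bytes(4, "little") + b"AVI LIST" + bytes(36) + b"00dc" + b"frame data!!"
SAMPLE_CT = xor_repeat(SAMPLE_PT, SAMPLE_KEY)
```

The run must span at least min_periods copies of the key, so the 42-byte key in the post needs a zero run of about 130 bytes, longer than this toy sample but common in padding inside real video files.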

Many thanks to the mininova forums' hackers.


Comments

eliezer faizal

smart!

what a genius

ahmed

I didn't get it well ..!

How can I run the code from the command line in Windows XP?

I just wrote the code in Command Prompt and this message appeared:
'perl' is not recognized as an internal or external command,
operable program or batch file.

Alex

You need to get Perl

You need to get Perl (programming language) installed on your computer. I recommend the ActiveState.com distribution for Windows.

Windows download:
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a...

Other (good) OSes mostly come with Perl installed.

Alex

Forgot to mention that

Forgot to mention that instead of the newest films, after decryption you might get some porn movie or some other movie instead of what you were hoping for, since the 3wplayer creators didn't bother to use the real movie. At least in my case.

But I noticed they also don't bother to edit the info file that usually comes with torrents from well-known groups such as aXXo. So you might want to download just that file first, and if it's OK, then the rest of the files in the torrent.

Federico Pistono

@torrent

@ahmed
I forgot to mention that indeed you will need Perl to run the script; I gave you the benefit of the doubt ^_^

@Alex
aXXo is one of the greatest releasers of all time. I would prefer to find an aXXo release with x264 encoding + Vorbis... but it's fine anyway. It is not true that they don't bother to release a fake torrent under his name; I am planning to write an entire post about the torrent community and the best film releases.

Stay tuned b(~_^)b

geem

But still...

This is working, and kudos to codemonkey for it, but the movies packaged are not the ones they claim to be (downloaded 'Superbad' and got 'Barbershop 2: Still in the Business')

Zlog Vladimir

Thanks

Thanks a lot Federico for your time and the code you gave.
Regards.

Anonymous

Before you d/l a movie....

When you find a movie you want to download, how can you tell if it has the dumb 3wplayer encryption tacked onto it?

Federico Pistono

before...

Anonymous wrote:

When you find a movie you want to download, how can you tell if it has the dumb 3wplayer encryption tacked onto it?

You can't really tell, since there are no clear identification signs. What you can do is look for positive comments on the torrent file; torrentspy, mininova and demonoid are decent communities, you can trust those sources.

^_^

-----
http://topdayitypedongoogle.wordpress.com

Adam

more details please!

Where should we save the decode.pl?

I put my video and my decode.pl in the same file, and I execute the perl decode.pl command. However, I get "Can't open perl script "decode.pl": no such file or directory".

I have Windows XP OS.

I need more details!!

Thanks

Federico Pistono

Obviously, you put the perl

Obviously, you put the Perl file in your working directory, the same as the video file. This is the simplest way; a smarter one would be to place the source Perl file in a directory in your local PATH.

Linux/Unix/OS X users know very well what I am talking about.
http://www.troubleshooters.com/linux/prepostpath.htm

On Windows XP:
http://www.computerhope.com/issues/ch000549.htm

Byez,
-----
http://topdayitypedongoogle.wordpress.com

The_Man_01

F***ing 3wplayer files

Which is the best hex editor to find the key of a movie?

Ahmed

what about DOM Player ?

what about DOM Player ?

Federico Pistono

dom malware

Ahmed wrote:

what about DOM Player ?

As far as I know it should be easily fixable with the same procedure.

byez,

Anonymous coward

hi I have windows vista and

Hi, I have Windows Vista and I can't set up ActivePerl-5.8.8.822-MSWin32-x86-280952.msi. Can somebody help me??????

BagMan

Another way...

For you folks out there who don't download these movies by torrent, there is a P2P program which allows us to see what we're downloading even before we have the whole movie/music. I use it to get out of these situations: as soon as I see that the movie I'm downloading is a 3-second movie with only one image, I cancel the download. The program is called ARES 2.0.9; if you want to download and see if the file you're downloading is real or not, I suggest you download movies via this program... but that's only my opinion... Anyway, I would like to thank the person who made this code in Perl, since it has been a real help in this "battle" against malware.

Federico Pistono

ARES

ARES is Open Source (thumbs up!), it's written in Delphi/Kylix and currently there is only a Windows version, 32-bit MS Windows (NT/2000/XP) to be precise. The built-in DirectShow media player looks nice, but MPlayer in conjunction with any file sharing program works fine.

http://sourceforge.net/projects/aresgalaxy/

The real issue is that, with the file split into chunks, a lot of time could pass before you can actually get a preview of the video. I still think the best solution is using a decent torrent search engine that reports fake files. I'm working on a guide.

Stay tuned.

Anonymous coward

decode.pl problem

hey,,

I'm receiving this error:
D:\Movies\New Folder>perl decode.pl old.avi new.avi
Reading from "old.avi":
No such file or directory at decode.pl line 10.

plz give me a solution. I have installed Perl and pasted the .avi file in the decode.pl directory.

Federico Pistono

Line 10 is when the file is

Line 10 is when the file is read. Are you sure the file is there, that it's called like that and that it's the right video file? Try the dir command and paste the output here.

Anonymous coward

Bullshit

Bullshit, it doesn't work; it's a fu**ing sample of XOR encryption made by a dumb Perl coder.
The encryption of DomPlayer can't be broken!
RST Security

Federico Pistono

Thank you Anonymous coward

Thank you Anonymous coward for your useful insight and for the exceptional property of language with which you so eloquently presented your point of view.

Allow me to disagree with such an impetuous remark, as the code has been tested and at the time it was made it was indeed working. It may very well be that you did not follow the procedure or that the DomPlayer developers changed the encryption afterwards.

Regards,

Anonymous coward

I have found interesting

I have found interesting sources and would like to give the benefit of my experience to you.
I am tuning my pc by the best software for free, with the file search engine DornFall
May be you have your own experience and could give some useful sites too. Because this social site help me much.
