Ghostleeching without extra tool



matias
28.02.09, 03:04
Hi,

I've been searching this forum just for fun, and I've noticed that whenever you talk about ghostleeching you need an extra tool.

Well, let me tell you that there's no need for an extra tool, just follow these steps and you'll be ghostleeching in no time

:biggrin:

1) I use uTorrent, but this should work with any BitTorrent client that supports a proxy
2) Go to preferences, connection, and remove any proxy (if any).
3) Start your torrent, wait a few seconds till you get the peer list
4) Go to preferences, connection, and add a proxy that doesn't exist ... for example, you can put in host: 1.1.1.1 or 127.0.0.1 (or any other IP address that doesn't have a proxy listening) and choose a random port.

That's it: the next time your client tries to announce, it'll fail without reporting anything to the tracker. Just make sure you stop the torrent before removing the proxy.

:top:

Please excuse my English ... it's not my native language, and I just returned from a party and I'm a little bit drunk

:tongue:
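The announce flow the post relies on, as an added example that is not part of the original post or of uTorrent: a throwaway HTTP "tracker" on loopback counts the announces it receives, the client announces once directly and then once through a proxy address with nothing listening on it. The tracker URL, the peer id and the info hash are constructed for the demo; the announce parameters are the standard BEP 3 ones.

```python
"""Announce through a dead proxy: the tracker never sees the request.

Added example (Python, not uTorrent's code). Everything network-related
stays on 127.0.0.1 and is torn down at the end.
"""
import hashlib
import socket
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_announce_url(announce, info_hash, peer_id, port, left, event):
    """Compose the GET announce a BitTorrent client sends (BEP 3 parameters)."""
    params = {
        "info_hash": info_hash,   # 20 raw bytes; urlencode percent-encodes them
        "peer_id": peer_id,
        "port": port,
        "uploaded": 0,
        "downloaded": 0,
        "left": left,
        "event": event,
        "compact": 1,
    }
    return announce + "?" + urllib.parse.urlencode(params)


class _TrackerHandler(BaseHTTPRequestHandler):
    """Fake tracker: records every announce path, answers with an empty peer list."""

    def do_GET(self):
        self.server.announces.append(self.path)
        body = b"d8:intervali1800e5:peers0:e"   # minimal bencoded reply, no peers
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # keep the example quiet


def start_fake_tracker():
    server = HTTPServer(("127.0.0.1", 0), _TrackerHandler)
    server.announces = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_port():
    """Pick a loopback port with no listener: the 'proxy that doesn't exist'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def announce(url, proxy=None, timeout=3.0):
    """Send the announce directly or via an HTTP proxy.

    Returns ("ok", body) or ("failed", reason). An empty ProxyHandler also
    disables any proxy picked up from the environment.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy} if proxy else {}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "ok", resp.read()
    except (urllib.error.URLError, OSError) as exc:
        return "failed", str(exc)


def run_demo():
    tracker = start_fake_tracker()
    try:
        base = f"http://127.0.0.1:{tracker.server_address[1]}/announce"
        info_hash = hashlib.sha1(b"constructed info dict").digest()   # stand-in hash
        peer_id = b"-XX0000-" + b"x" * 12                              # constructed id
        started = build_announce_url(base, info_hash, peer_id, 6881, 1024, "started")
        stopped = build_announce_url(base, info_hash, peer_id, 6881, 512, "stopped")

        direct = announce(started)                 # step 3: normal announce, peers arrive
        after_direct = len(tracker.announces)

        dead_proxy = f"http://127.0.0.1:{unused_port()}"   # step 4: bogus proxy
        ghost = announce(started, proxy=dead_proxy)
        # stopping the torrent also announces; it must still go to the dead proxy
        ghost_stop = announce(stopped, proxy=dead_proxy)
        after_proxy = len(tracker.announces)
        first = tracker.announces[0] if tracker.announces else ""
    finally:
        tracker.shutdown()
        tracker.server_close()
    return {
        "direct": direct[0],
        "announces_after_direct": after_direct,
        "ghost": ghost[0],
        "ghost_stop": ghost_stop[0],
        "announces_after_ghost": after_proxy,
        "first_announce": first,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The tracker's counter does not move once the proxy is in place, which is the whole point of the post: the client keeps its peer list from the first announce and simply stops reporting. Note that the tracker still holds the first announce (peer id, IP, port) and can see the session was never completed, a point that comes up later in the thread.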

Butcho
28.02.09, 08:36
hello mathias,

the proxy part is a really good alternative for removing the tracker url.
But you should also change your IP before you restart your torrent.
It's much safer, because then the staff can't compare the peer lists of their clients with the one on their tracker.
They will find out that there is a ghostleeching IP, but then they could only search for your range and not for the exact IP address...

About the extra tool:
I think anon created it because then he could enable DHT the whole time, and in the past the problem with UT1610 was that the program deleted the peer cache after you'd renewed your IP....

anon
28.02.09, 16:35
Hi Matías,

A very good method you got there. :top: You could also announce through a real proxy first (if the tracker allows them), and go to step 4 after getting the peer list. If you were also browsing the tracker behind the same HTTP proxy, it won't know your real IP at all. Of course you can also change your real IP by restarting your router/changing your MAC/etc. like Butcho said, and you won't have to worry about whether the tracker has detected you're behind a proxy. :smile:

Another way to manage it is to flush your DNS cache after the first announce, and add this line to your HOSTS file:

127.0.0.1 tracker.xxxxxx.com
But it's more complicated. :tongue:

@Butcho: that's right - changing the tracker URL list for private torrents made uTorrent forget about all peers. But if you make a mod ignore the private flag, uT will no longer be able to tell whether a torrent is private or not, and since the security measure doesn't apply to public torrents, it won't empty the peer cache.

Butcho
28.02.09, 17:54
Thanks bro for the explanation, I thought they had removed the peer cache problem in v1.8*!
I saw mathias comes from the same part of the earth as you, perhaps he is your neighbor.... :biggrin:

whateveritakes
31.01.10, 17:02
Too complicated for me, but just curious, is this method still working?

anon
31.01.10, 17:03
It should...

If in doubt, try it on a public torrent. Or ILT.

Instab
31.01.10, 18:40
Too complicated for me, but just curious, is this method still working?

complicated :eek13:
just insert a fantasy proxy after you got enough peers

anon
31.01.10, 18:40
Isn't that exactly what this method consists of?

Or are you trying to summarize the first post?

Instab
31.01.10, 19:36
Or are you trying to summarize the first post?

exactly, to show that it's not as complicated as whateveritakes thought :rolleyes:

Mihai
31.01.10, 19:38
I like the method:biggrin:
And hi matias. Haven't seen you in a while.

anon
31.01.10, 19:39
And hi matias. Haven't seen you in a while.

Same here.

Look at the thread's date :biggrin:

Mihai
31.01.10, 19:41
Same here.

Look at the thread's date :biggrin:

FAIL:rolling_eyes:
Even bigger than SBfreak:tongue:

leechmodder
11.10.11, 15:56
But what will the tracker think? Mr tracker will be like, this guy downloaded a torrent file from me and started the torrent but never completed. Hmmm and quite a few of his recent snatches are the same.....Something is fishy here.......

anon
11.10.11, 19:22
But what will the tracker think? Mr tracker will be like, this guy downloaded a torrent file from me and started the torrent but never completed. Hmmm and quite a few of his recent snatches are the same.....Something is fishy here.......

Risk-Return Tradeoff Definition (http://www.investopedia.com/terms/r/riskreturntradeoff.asp)

D3TR1TUs
09.01.12, 12:25
@Butcho: that's right - changing the tracker URL list for private torrents made uTorrent forget about all peers. But if you make a mod ignore the private flag, uT will no longer be able to tell whether a torrent is private or not, and since the security measure doesn't apply to public torrents, it won't empty the peer cache.

Any chance we could get a DIY tut on how to mod any version of uT so as to ignore the private flag? :biggrin:

I know there are already some mods for this, but this way you could keep using your fav version of uT :)

anon
09.01.12, 18:10
Any chance we could get a DIY tut on how to mod any version of uT so as to ignore the private flag? :biggrin:

That's a seeeeeecret. :geek:

D3TR1TUs
11.01.12, 15:15
That's a seeeeeecret. :geek:

I know uT's source code is a secret, but you don't need it to do this :P

anon
11.01.12, 17:08
Just unpack the uTorrent executable, search the ANSI string "private" using your favorite hex-editor, and fill the first match with something else.

There was a certain idiosyncrasy pertaining to private torrents that were already loaded. I don't remember if they'd still be "locked" or would actually forget their status and have DHT and PEX enabled for them also.

D3TR1TUs
12.01.12, 23:37
Just unpack the uTorrent executable, search the ANSI string "private" using your favorite hex-editor, and fill the first match with something else.


You tried this and it worked?

From what I've searched, it didn't look that easy:


This patch is specific to the particular build of uTorrent it's applied to as the code - at least the locations of - changes in each build, and there are relative jumps in the patch.

But the approach I used to make the patch was to un-UPX utorrent, load it into IDA Pro and look for the strings "private" and "dht", then follow the cross-references back to the code that uses them. From there it was clear to see how the private flag worked; I used some spare space at the end of the code segment to add some extra code to move the bits, and the functions were patched to jump to that code and back again. If you disassemble the patched and unpatched exes side by side you can see how this works.

I'll try your way; if it doesn't work, I'll see how far I can go with the other guy's method

BTW, this was what you had to change for the old uTorrent 1.8.2


uTorrent 1.8.2 build 15167 with DHT patch

This patched copy of uTorrent removes the restrictions on torrents marked as
private, allowing uTorrent to use DHT, Peer Exchange and Local Peer Discovery
to look for new peers when it is normally not allowed.


How it works
------------

In its internal data structures, uTorrent uses four bits in one byte of data
per torrent to record these settings.


bit #   meaning
-----   -----------------------------------------
7-4     not used (set to 0)
3       Local Peer Discovery enabled (default: 1)
2       Peer Exchange enabled (default: 1)
1       private torrent
0       DHT enabled (default: 1)


When a torrent file is added, uTorrent checks the "info" section for an
integer value named "private". If it's set to 1, it marks the private torrent
bit in the byte shown above, which forces the other information in this byte
to be ignored.

This byte is also saved in the resume.dat file (a bencoded file that uTorrent
uses to save its state) as an integer value named "dht".

The patch works by storing the private torrent flag in bit 7 instead of bit 1
so that all the code in uTorrent that checks bit 1 to determine if this is a
private torrent will always find that it isn't. However, it writes the "dht"
value out to the resume.dat normally, so if you start an unpatched copy of
uTorrent your private torrents will still be private.

The extra code to do this is placed at the end of the .text segment and its
virtual size increased accordingly.


Reproducing the patch
---------------------

Here are the steps required to apply the patch; you will need UPX version 3.03
and a hex editor:

1. Decompress the uTorrent.exe file using the following command:

upx -d uTorrent.exe

2. Open the uTorrent.exe file in a hex editor and change the following:

position old bytes new bytes
-------- ------------------------ ------------------------
200 BC E8
530B 50 68 0C CB 45 00 E9 AC 5F 05 00 90
8574 02 80
BCEC 8A 4E 41 80 E1 F7 E9 E0 F5 04 00 90
5B2BC 00 00 00 00 00 00 00 00 8B C8 80 E1 80 C1 E9 06
00 00 00 00 00 00 00 00 0B C1 50 68 0C BB 45 00
00 00 00 00 00 00 00 00 E9 3F A0 FA FF 8B C8 80
00 00 00 00 00 00 00 00 E1 02 C0 E9 06 24 FD 0B
00 00 00 00 00 00 00 00 C1 8A 4E 41 80 E1 0A E9
00 00 00 00 09 0A FB FF

3. The digital signature is now invalid. Remove it from the file by deleting
everything after position 8F000.

4. Recompress the file using this command:

upx --ultra-brute uTorrent.exe

5. This will produce a file of size 267264 bytes. The patch is now complete
and should be identical to the file in this torrent.
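As an added example covering two things the thread describes, the "private" integer uTorrent reads from the info dict (the string anon patches out) and the per-torrent status byte in the README quoted above, here is a Python model of both. It is not code from the page, from uTorrent or from the patch's author; the decoder is a minimal bencode reader, the .torrent is constructed for the demo, and the bit positions are taken straight from the README (private in bit 1, relocated to bit 7 by the patch).

```python
"""Private flag: from the .torrent's info dict to the status byte.

Added example modelling the quoted README; not uTorrent's own code.
"""
import hashlib


def bdecode(data):
    """Minimal bencode decoder (ints, byte strings, lists, dicts). Keys stay bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            items, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                items[key] = val
            return items, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            start = colon + 1
            length = int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


# Bit layout from the README; bits 7-4 are unused in a stock build.
BIT_DHT, BIT_PRIVATE, BIT_PEX, BIT_LPD = 0, 1, 2, 3
BIT_PRIVATE_PATCHED = 7   # where the patch keeps the flag in memory


def torrent_is_private(torrent_bytes):
    """What the client checks on load: integer 'private' == 1 inside 'info'."""
    meta = bdecode(torrent_bytes)
    return meta.get(b"info", {}).get(b"private") == 1


def status_byte(private, dht=True, pex=True, lpd=True):
    """Pack the per-torrent byte (also saved to resume.dat as 'dht')."""
    return (dht << BIT_DHT) | (private << BIT_PRIVATE) | (pex << BIT_PEX) | (lpd << BIT_LPD)


def discovery_allowed(flags, private_bit=BIT_PRIVATE):
    """Peer sources the client will use; a set private bit overrides the rest."""
    if flags >> private_bit & 1:
        return {"dht": False, "pex": False, "lpd": False}
    return {"dht": bool(flags >> BIT_DHT & 1),
            "pex": bool(flags >> BIT_PEX & 1),
            "lpd": bool(flags >> BIT_LPD & 1)}


def to_patched(flags):
    """On load (patched build): move the private flag from bit 1 to bit 7."""
    private = flags >> BIT_PRIVATE & 1
    return (flags & ~(1 << BIT_PRIVATE) & 0xFF) | (private << BIT_PRIVATE_PATCHED)


def to_resume(flags):
    """On save: put it back in bit 1 so an unpatched copy still sees it."""
    private = flags >> BIT_PRIVATE_PATCHED & 1
    return (flags & ~(1 << BIT_PRIVATE_PATCHED) & 0xFF) | (private << BIT_PRIVATE)


# Constructed single-file .torrent with private=1 (keys in canonical order).
PIECES = hashlib.sha1(b"constructed piece").digest()
SAMPLE_TORRENT = (
    b"d"
    b"8:announce26:http://tracker.example/ann"
    b"4:infod"
    b"6:lengthi1024e"
    b"4:name4:file"
    b"12:piece lengthi16384e"
    b"6:pieces20:" + PIECES +
    b"7:privatei1e"
    b"e"
    b"e"
)
SAMPLE_PUBLIC = SAMPLE_TORRENT.replace(b"7:privatei1e", b"")   # same file, no flag


def run_demo():
    private = torrent_is_private(SAMPLE_TORRENT)
    stock = status_byte(private)
    patched = to_patched(stock)
    return {
        "private": private,
        "stock_flags": stock,
        "stock_allows": discovery_allowed(stock),
        "patched_flags": patched,
        "patched_allows": discovery_allowed(patched),   # stock checks still look at bit 1
        "resume_flags": to_resume(patched),             # what lands in resume.dat
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the private torrent the stock byte is 0x0F and every discovery source is refused; after relocation it is 0x8D, the bit-1 checks see a public torrent, and saving moves the flag back so resume.dat holds 0x0F again. Anon's string edit gets the same result one step earlier: if the literal "private" is not found in the info dict, `torrent_is_private` never sets bit 1 at all.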

anon
13.01.12, 01:15
you tried this and worked?

Yes.

I've read about that patch, the guy disassembled the executable and made some interesting finds. I just took the easy way. If uTorrent doesn't know how the value that marks a .torrent as private is called, it can't block DHT and PEX. :happy:

D3TR1TUs
13.01.12, 04:55
tried and worked!

Used the UPX unpacker built into PE Explorer, disassembled, found the right private string, and edited it in UltraEdit :)

It works right away even without repacking.

anon
13.01.12, 21:20
I never bother repacking the uTorrents I make for private use :happy:

Why did you need to disassemble it? You could have gone to "private" in UltraEdit right away?

D3TR1TUs
13.01.12, 22:35
I never bother repacking the uTorrents I make for private use :happy:

Why did you need to disassemble it? You could have gone to "private" in UltraEdit right away?

I found more than one private string; it was kinda obvious which one I had to modify, but I just wanted to make sure I was deleting the right label :P

anon
14.01.12, 00:32
As I said before, it's always the first match when looking for "private" as an ANSI string. The string "utf-8" can be found a few bytes before it. It's been like this since at least 1.7.x. It should be easy to make a program that can patch this in any version of uTorrent, even.

Damnsel
26.04.13, 13:28
Hello,

I tried unpacking uTorrent 1.6.1 & 3.2.2 using both UPX 3.03/3.09 and it told me it was not packed by UPX. I received the following message:


D:\Setups\upx309w>upx.exe --file-info uTorrent.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.09w Markus Oberhumer, Laszlo Molnar & John Reiser Feb 18th 2013

uTorrent.exe [i386-win32.pe, win32/pe]
968592 bytes, not compressed by UPX

How did you manage to unpack it? :|

anon
26.04.13, 15:38
uTorrent 1.6.1 used PECompact, so UPX can't do anything to it. I never bothered to find what the newer versions use to compress the executable, but QUnpack gets rid of it nicely.

A fun game: compare the unpacked filesizes of both versions, and see how much garbage has been added to µTorrent over the years.

sbrocks
10.05.13, 08:55
I am very concerned about this method. I've heard of another one: just remove the tracker after the first announce to get peers. I think the site will notice that we removed the tracker and we'll get banned?

I'm not sure whether OP's method works on what.cd or not?

@anon, what tool did you create to enable DHT in private torrents?

In that case, can we remove the tracker URL after the first announce, so we become ghostleeching and 100% safe?

anon
10.05.13, 14:44
There is nothing 100% safe... it depends on the tracker!

This method is a different way to block tracker communication (like removing the announce URL), but that doesn't make it any more or less detectable.

sbrocks
10.05.13, 17:35
Excuse my English anon, but do you mean removing the tracker URL and blocking communication using a fake proxy are the same situation, they will detect it?

anon
10.05.13, 17:39
do you mean removing the tracker URL and blocking communication using a fake proxy are the same situation

Yes.

sbrocks
10.05.13, 17:52
Yes.
thanks anon!

A little off-topic, just to make sure I won't make a duplicate topic: do we have a thread discussing "A site can be found in B power user invite forum"? I wanna know which site has a good invite forum, good giveaways, etc.

anon
10.05.13, 20:50
thanks anon!

Member since 2009, still can't find the Thanks button? :wthink:


A little off-topic, just to make sure I won't make a duplicate topic: do we have a thread discussing "A site can be found in B power user invite forum"? I wanna know which site has a good invite forum, good giveaways, etc.

We've had a couple of dedicated threads for that, but they're highly outdated by now. Newer information is scattered on other ones, but that's hard to find.

Feel free to start a new one!

sbrocks
11.05.13, 03:56
Member since 2009, still can't find the Thanks button? :wthink:



We've had a couple of dedicated threads for that, but they're highly outdated by now. Newer information is scattered on other ones, but that's hard to find.

Feel free to start a new one!
I disabled all JavaScript for all sites, so the Thanks button doesn't work for me here :P