Page 2 of 3 (results 16 to 30 of 33)

Thread: Ghostleeching without extra tool

#16 by anon (Moderator)
    Quote Originally Posted by D3TR1TUs:
        Any chance we could get a DIY tut on how to mod any version of uT so as to ignore the private flag?
    That's a seeeeeecret.
    "I just remembered something that happened a long time ago."

#17 by D3TR1TUs (P2P client: patched Deluge+VPEM)
    Quote Originally Posted by anon:
        That's a seeeeeecret.
    I know uT's source code is a secret, but you don't need it to do this
    Last edited by D3TR1TUs; 11.01.12 at 15:16.

#18 by anon (Moderator)
    Just unpack the uTorrent executable, search the ANSI string "private" using your favorite hex-editor, and fill the first match with something else.

    There was a certain idiosyncrasy pertaining to private torrents that were already loaded. I don't remember if they'd still be "locked" or would actually forget their status and have DHT and PEX enabled for them also.

#19 by D3TR1TUs (P2P client: patched Deluge+VPEM)
    Quote Originally Posted by anon:
        Just unpack the uTorrent executable, search the ANSI string "private" using your favorite hex-editor, and fill the first match with something else.
    You tried this and it worked?

    From what I've searched, it didn't look that easy:

        This patch is specific to the particular build of uTorrent it's applied to, as the code (at least the locations of it) changes in each build, and there are relative jumps in the patch.

        But the approach I used to make the patch was to un-UPX utorrent, load it into IDA Pro and look for the strings "private" and "dht", then follow the cross-references back to the code that uses them. From there it was clear to see how the private flag worked; I used some spare space at the end of the code segment to add some extra code to move the bits, and the functions were patched to jump to that code and back again. If you disassemble the patched and unpatched exes side by side you can see how this works.

    I'll try your way; if it doesn't work, I'll see how far I can go with the other guy's method.

    BTW, this is what you had to change for the old uTorrent 1.8.2:

    Code:
    uTorrent 1.8.2 build 15167 with DHT patch 
    
    This patched copy of uTorrent removes the restrictions on torrents marked as
    private, allowing uTorrent to use DHT, Peer Exchange and Local Peer Discovery 
    to look for new peers when it is normally not allowed.
    
    
    How it works
    ------------
    
    In its internal data structures, uTorrent uses four bits in one byte of data
    per torrent to record these settings.
    
    
           bit #   7   6   5   4   3   2   1   0
                   \   |   |   /   |   |   |   |
                     not used      |   |   |   DHT enabled (default: 1)
                    (set to 0)     |   |   |
                                   |   |   private torrent
                                   |   |
                                   |   Peer Exchange enabled (default: 1)
                                   |
                                   Local Peer Discovery enabled (default: 1)
    
    
    When a torrent file is added, uTorrent checks the "info" section for an
    integer value named "private". If it's set to 1, it marks the private torrent
    bit in the byte shown above, which forces the other information in this byte
    to be ignored.
    
    This byte is also saved in the resume.dat file (a bencoded file that uTorrent
    uses to save its state) as an integer value named "dht".
    
    The patch works by storing the private torrent flag in bit 7 instead of bit 1
    so that all the code in uTorrent that checks bit 1 to determine if this is a
    private torrent will always find that it isn't. However, it writes the "dht"
    value out to the resume.dat normally, so if you start an unpatched copy of
    uTorrent your private torrents will still be private.
    
    The extra code to do this is placed at the end of the .text segment and its
    virtual size increased accordingly.
    
    
    Reproducing the patch
    ---------------------
    
    Here are the steps required to apply the patch; you will need UPX version 3.03
    and a hex editor:
    
     1. Decompress the uTorrent.exe file using the following command:
    
         upx -d uTorrent.exe
         
     2. Open the uTorrent.exe file in a hex editor and change the following:
    
         position  old bytes                new bytes
         --------  ------------------------ ------------------------
              200  BC                       E8
             530B  50 68 0C CB 45 00        E9 AC 5F 05 00 90
             8574  02                       80
             BCEC  8A 4E 41 80 E1 F7        E9 E0 F5 04 00 90
            5B2BC  00 00 00 00 00 00 00 00  8B C8 80 E1 80 C1 E9 06
                   00 00 00 00 00 00 00 00  0B C1 50 68 0C BB 45 00
                   00 00 00 00 00 00 00 00  E9 3F A0 FA FF 8B C8 80
                   00 00 00 00 00 00 00 00  E1 02 C0 E9 06 24 FD 0B
                   00 00 00 00 00 00 00 00  C1 8A 4E 41 80 E1 0A E9
                   00 00 00 00              09 0A FB FF
    
     3. The digital signature is now invalid. Remove it from the file by deleting
        everything after position 8F000.
       
     4. Recompress the file using this command:
    
         upx --ultra-brute uTorrent.exe
         
     5. This will produce a file of size 267264 bytes. The patch is now complete
        and should be identical to the file in this torrent.
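The readme above gives the patch as a table of offsets and old/new bytes and says in step 2 to type them in with a hex editor. The following is an added example, not the readme author's tool and not anything from uTorrent: it parses that table (continuation rows carry no offset), refuses to write unless every "old bytes" column matches the file, and then drops the invalidated signature by truncating at the offset step 3 names. The old-bytes check is what keeps these build-specific offsets and relative jumps from being written into a different build. Assumptions: step 3 is read as "keep exactly 0x8F000 bytes", and the image is a constructed zero-filled stand-in with the expected old bytes planted, not an unpacked uTorrent.exe. UPX steps 1 and 4 are left to upx itself.

```python
# Added example: apply the readme's hex patch table with old-bytes
# verification. Not the patch author's tool; the image is constructed.
import re

# The table from the readme, copied verbatim; rows without an offset
# continue the entry above them.
PATCH_TABLE = """
     position  old bytes                new bytes
     --------  ------------------------ ------------------------
          200  BC                       E8
         530B  50 68 0C CB 45 00        E9 AC 5F 05 00 90
         8574  02                       80
         BCEC  8A 4E 41 80 E1 F7        E9 E0 F5 04 00 90
        5B2BC  00 00 00 00 00 00 00 00  8B C8 80 E1 80 C1 E9 06
               00 00 00 00 00 00 00 00  0B C1 50 68 0C BB 45 00
               00 00 00 00 00 00 00 00  E9 3F A0 FA FF 8B C8 80
               00 00 00 00 00 00 00 00  E1 02 C0 E9 06 24 FD 0B
               00 00 00 00 00 00 00 00  C1 8A 4E 41 80 E1 0A E9
               00 00 00 00              09 0A FB FF
"""
SIGNATURE_START = 0x8F000  # readme step 3 (read as: keep 0x8F000 bytes; assumption)


def parse_patch_table(text: str):
    """Return [(offset, old_bytes, new_bytes)], merging continuation rows."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("position") or line.startswith("-"):
            continue
        cols = re.split(r"\s{2,}", line)          # columns are separated by 2+ spaces
        if len(cols) == 3:                         # offset, old bytes, new bytes
            entries.append([int(cols[0], 16), bytes.fromhex(cols[1]), bytes.fromhex(cols[2])])
        elif len(cols) == 2 and entries:           # continuation of the last entry
            entries[-1][1] += bytes.fromhex(cols[0])
            entries[-1][2] += bytes.fromhex(cols[1])
        else:
            raise ValueError("unparseable row: %r" % raw)
    for off, old, new in entries:
        if len(old) != len(new):
            raise ValueError("row at %X changes length" % off)
    return [tuple(e) for e in entries]


def apply_patch(image: bytes, entries) -> bytes:
    """Check every old-bytes column first; only then write the new bytes."""
    buf = bytearray(image)
    for off, old, _ in entries:
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise ValueError("mismatch at %X: expected %s, found %s"
                             % (off, old.hex(), found.hex()))
    for off, _, new in entries:
        buf[off:off + len(new)] = new
    return bytes(buf)


def strip_signature(image: bytes, start: int = SIGNATURE_START) -> bytes:
    """Drop the Authenticode blob the patch has just invalidated."""
    return image[:start]


def constructed_image() -> bytes:
    """Zero-filled stand-in with the readme's old bytes planted where it
    expects them and dummy signature bytes past SIGNATURE_START."""
    buf = bytearray(SIGNATURE_START + 0x800)
    for off, old, _ in parse_patch_table(PATCH_TABLE):
        buf[off:off + len(old)] = old
    buf[SIGNATURE_START:] = b"\xA5" * 0x800
    return bytes(buf)


def patched_image() -> bytes:
    entries = parse_patch_table(PATCH_TABLE)
    return strip_signature(apply_patch(constructed_image(), entries))


if __name__ == "__main__":
    out = patched_image()
    print("patched %d bytes, first new byte at 200h = %02X" % (len(out), out[0x200]))
```

Running apply_patch a second time on the already patched image raises at offset 200h, which is the behaviour you want: the table is only valid for one exact input.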

#20 by anon (Moderator)
    Quote Originally Posted by D3TR1TUs:
        You tried this and it worked?
    Yes.

    I've read about that patch; the guy disassembled the executable and made some interesting finds. I just took the easy way. If uTorrent doesn't know what the value that marks a .torrent as private is called, it can't block DHT and PEX.

#21 by D3TR1TUs (P2P client: patched Deluge+VPEM)
    Tried it and it worked!

    Used the UPX unpacker built into PE Explorer, disassembled, found the right "private" string, and edited it in UltraEdit :)

    It works right away, even without repacking.

#22 by anon (Moderator)
    I never bother repacking the uTorrents I make for private use.

    Why did you need to disassemble it? You could have gone to "private" in UltraEdit right away?

#23 by D3TR1TUs (P2P client: patched Deluge+VPEM)
    Quote Originally Posted by anon:
        I never bother repacking the uTorrents I make for private use.

        Why did you need to disassemble it? You could have gone to "private" in UltraEdit right away?
    I found more than one "private" string. It was kinda obvious which one I had to modify, but I just wanted to make sure I was deleting the right label.

#24 by anon (Moderator)
    As I said before, it's always the first match when looking for "private" as an ANSI string. The string "utf-8" can be found a few bytes before it. It's been like this since at least 1.7.x. It should be easy to make a program that can patch this in any version of uTorrent, even.
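anon's method boils down to one fact stated in #20: the client finds the private flag by looking up a key named "private" in the .torrent's info dictionary, and if the key name stored in the binary is changed, the lookup misses. The following is an added example, not the poster's tool and not uTorrent code: the generic patcher #24 says is easy to write (first ANSI "private" match, with "utf-8" a few bytes before it as the sanity check), next to a minimal bencode codec that models the client's check and shows why the renamed string makes a private torrent look public. Assumptions, all mine: the key name is a NUL-terminated string, "utf-8" sits within 64 bytes before it, and IMAGE plus the two .torrents are constructed in the script rather than read from disk.

```python
# Added example: generic patcher for anon's "rename the 'private' string"
# method, with a model of the client-side check it defeats. Not uTorrent
# code and not the forum poster's tool; IMAGE and the .torrents below are
# constructed here.

PRIVATE_KEY = b"private"
WINDOW = 64  # how far back "utf-8" may sit before the match (assumed)


def bencode(obj) -> bytes:
    """Encode int / bytes / list / dict (dict keys sorted, as the spec requires)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data: bytes, pos: int = 0):
    """Decode one value at pos; returns (value, position after it)."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":
        out, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            out.append(item)
        return out, pos + 1
    if c == b"d":
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            out[key] = val
        return out, pos + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError("bad bencode at offset %d" % pos)


def find_private_string(image: bytes) -> int:
    """Offset of the first ANSI "private" in the image, after anon's checks."""
    off = image.find(PRIVATE_KEY)
    if off < 0:
        raise ValueError('no ANSI "private" string in image')
    if image[off + len(PRIVATE_KEY):off + len(PRIVATE_KEY) + 1] != b"\x00":
        raise ValueError("first match is not a NUL-terminated string")
    if b"utf-8" not in image[max(0, off - WINDOW):off]:
        raise ValueError('"utf-8" does not precede the match; wrong hit?')
    return off


def patch_private_string(image: bytes, replacement: bytes = b"privatx") -> bytes:
    """Overwrite the first match only; same length, NUL terminator untouched."""
    if len(replacement) != len(PRIVATE_KEY):
        raise ValueError("replacement must keep the string length")
    off = find_private_string(image)
    return image[:off] + replacement + image[off + len(PRIVATE_KEY):]


def read_cstring(image: bytes, off: int) -> bytes:
    return image[off:image.index(b"\x00", off)]


def client_thinks_private(torrent: bytes, image: bytes, key_off: int) -> bool:
    """Model of the client's check: the key name comes from its own image, so
    once that string is renamed the lookup misses and the torrent looks public."""
    key = read_cstring(image, key_off)
    meta, _ = bdecode(torrent)
    return meta[b"info"].get(key, 0) == 1


# Constructed stand-in for an unpacked image: a string table holding bencode
# key names, then an unrelated second "private" that the patch must leave alone.
IMAGE = (b"MZ" + b"\x00" * 30
         + b"announce\x00utf-8\x00created by\x00private\x00pieces\x00"
         + b"\x00" * 16 + b"private\x00" + b"\x00" * 8)

_INFO = {b"name": b"demo.bin", b"length": 4096, b"piece length": 16384,
         b"pieces": b"\x11" * 20}
PRIVATE_TORRENT = bencode({b"announce": b"http://tracker.example/announce",
                           b"info": {**_INFO, b"private": 1}})
PUBLIC_TORRENT = bencode({b"announce": b"http://tracker.example/announce",
                          b"info": _INFO})


def demo() -> dict:
    off = find_private_string(IMAGE)
    patched = patch_private_string(IMAGE)
    return {
        "offset": off,
        "before": client_thinks_private(PRIVATE_TORRENT, IMAGE, off),
        "after": client_thinks_private(PRIVATE_TORRENT, patched, off),
        "public": client_thinks_private(PUBLIC_TORRENT, IMAGE, off),
        "other_copies_left": patched.count(b"private\x00"),
    }


if __name__ == "__main__":
    print(demo())
```

The "utf-8" check is the only thing standing between this script and clobbering an unrelated "private" string elsewhere in the binary, so keep it even when automating; the patch is only as safe as that check, and it should be run on the unpacked image, as the thread says.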

#25 by Damnsel
    Hello,

    I tried unpacking uTorrent 1.6.1 & 3.2.2 using both upx 303/309 and it told me it was not packed by UPX. I received the following message:
    Code:
    D:\Setups\upx309w>upx.exe --file-info uTorrent.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2013
    UPX 3.09w       Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013
    
    uTorrent.exe [i386-win32.pe, win32/pe]
        968592 bytes, not compressed by UPX
    How did you manage to unpack it? :|
    Last edited by Damnsel; 26.04.13 at 13:30.

#26 by anon (Moderator)
    uTorrent 1.6.1 used PECompact, so UPX can't do anything to it. I never bothered to find what the newer versions use to compress the executable, but QUnpack gets rid of it nicely.

    A fun game: compare the unpacked filesizes of both versions, and see how much garbage has been added to µTorrent over the years.
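The "not compressed by UPX" message in #25 and the PECompact answer in #26 come down to the packer, and the section table is the quickest place to look before reaching for upx -d. The following is an added example, not from the thread and not a uTorrent tool: it reads the PE section headers and applies the UPX marks (sections named UPX0 and UPX1, with UPX0 having no raw data but a large virtual size, the unpacking destination) and sums on-disk versus in-memory sizes, the gap anon's "fun game" is about. It does not try to identify PECompact or whatever the 3.x builds use; absence of the marks only means "not UPX". Both PE images are constructed by build_pe().

```python
# Added example: PE section-table reader with a UPX check. Not from the
# thread; both images are constructed minimal PE32 files, not uTorrent.
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections) -> bytes:
    """Minimal PE32: DOS stub, PE signature, COFF header, optional header
    (only the magic filled), then one header per (name, vsize, vaddr,
    rawsize, rawptr) tuple. Enough for a section-table reader, nothing more."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\x00"), vsize, vaddr,
                    rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return dos + b"PE\x00\x00" + coff + opt + hdrs


def read_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    pos = coff + 20 + opt_size
    out = []
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, pos)
        out.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                    "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
        pos += struct.calcsize(SECTION_HDR)
    return out


def looks_upx_packed(sections) -> bool:
    """UPX0 + UPX1 present, and UPX0 is an empty-on-disk destination section."""
    names = [s["name"] for s in sections]
    if "UPX0" not in names or "UPX1" not in names:
        return False
    upx0 = sections[names.index("UPX0")]
    return upx0["rawsize"] == 0 and upx0["vsize"] > 0


def section_totals(sections):
    """(bytes on disk, bytes in memory): a packed file has a big gap here."""
    return (sum(s["rawsize"] for s in sections), sum(s["vsize"] for s in sections))


# Constructed samples: a UPX-style layout and a plain compiler layout.
UPX_BUILD = build_pe([("UPX0", 0x80000, 0x1000, 0, 0x400),
                      ("UPX1", 0x41000, 0x81000, 0x40A00, 0x400),
                      (".rsrc", 0x1000, 0xC2000, 0x600, 0x40E00)])
PLAIN_BUILD = build_pe([(".text", 0x50000, 0x1000, 0x50000, 0x400),
                        (".rdata", 0x8000, 0x51000, 0x8000, 0x50400),
                        (".data", 0x4000, 0x59000, 0x2000, 0x58400),
                        (".rsrc", 0x1000, 0x5D000, 0x1000, 0x5A400)])


def report(image: bytes) -> dict:
    secs = read_sections(image)
    raw, virt = section_totals(secs)
    return {"sections": [s["name"] for s in secs], "upx": looks_upx_packed(secs),
            "raw": raw, "virtual": virt}


if __name__ == "__main__":
    for label, img in (("upx", UPX_BUILD), ("plain", PLAIN_BUILD)):
        print(label, report(img))
```

On a real file, replace the constructed images with open(path, "rb").read(); a packer that keeps normal-looking section names will pass this check as "not UPX", which is exactly the 1.6.1 situation the thread describes.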

#27 by sbrocks
    I am very concerned about this method. I've heard of another one: just remove the tracker after the first announce to get peers. I think the site will notice that we removed the tracker and we'll get banned?

    I'm not sure whether OP's method works on what.cd or not?

    (Post merged at 06:55; previous post was at 06:51)

    @anon, what tools did you create to enable DHT in private torrents?

    In that case, can we remove the tracker URL after the first announce, so it becomes ghost leeching and 100% safe?

#28 by anon (Moderator)
    There is nothing 100% safe... it depends on the tracker!

    This method is a different way to block tracker communication (like removing the announce URL), but that doesn't make it any more or less detectable.

#29 by sbrocks
    Excuse my English, anon, but do you mean removing the tracker URL and blocking communication using a fake proxy are the same situation, they will detect it?

#30 by anon (Moderator)
    Quote Originally Posted by sbrocks:
        do you mean removing the tracker URL and blocking communication using a fake proxy are the same situation
    Yes.