Newest uTorrent 2 banned from trackers



Written by: sefo
Published by: sefo
Published on: 2010-03-24 07:18:22
Topic: Assembly
Not sure whether this is recent news or not, but I have had some requests about changing uTorrent 2's peer_id because it has been banned from some trackers. UPDATE: the peer_id I used in this article is not correct; it should work with -UT160B- instead (see the forum link below).

Edit:
http://forum.utorrent.com/viewtopic.php?pid=468992

So, following my BitComet hack:
http://osix.net/modules/article/?id=788

I apply the same method to uTorrent 2 (the process is easier than for BitComet).

Tools: OllyDbg, UPX (to unpack the exe), uTorrent 2

STRINGS:

Note:
uTorrent 2 is UPX-packed to keep the exe small, so the strings below are not visible until you unpack it; upx -d on the exe will do the trick.

First, check whether the peer_id string we want to change is hard-coded:
right-click -> Search for -> All referenced text strings

In the list, right-click -> Search for text = "peer_id"
The first occurrence is the format string uTorrent uses to identify itself to the tracker.
It looks like this: ...&peer_id=%.20U...

uTorrent expands %.20U to the 20-byte peer_id, which begins with -UT2000- (we want it to begin with -UT1600-).
Double-click the line to jump to the code that references it:

0040A28D PUSH utorrent.0046D0A8 ;ASCII "...&peer_id=%.20U...


By the time this PUSH runs the string has already been built, so step back a few instructions, set a breakpoint there and single-step forward (F7/F8); shortly before it you find:

Note:
After setting the breakpoint it can take a few seconds before OllyDbg breaks, because uTorrent only builds the announce when it contacts the tracker. Don't assume your breakpoint didn't work.

0040A281 |. 68 303D4900 PUSH utorrent.00493D30


00493D30 is the buffer that holds -UT2000-.
You can confirm this by right-clicking the line above -> Follow in Dump -> Immediate constant.

We now need to find where that buffer is written to (the code that copies the prefix into it).

In the disassembler window, right-click -> Go to -> Expression = 00493D30
Right-click the line that appears -> Breakpoint -> Memory, on write

Note:
Before setting this kind of breakpoint, remove all previous breakpoints (Alt+B opens the breakpoint window) and restart OllyDbg.
Then go to the address above, set the memory breakpoint and run.

Run (F9); it breaks here:

0040D877 PUSH ESI
0040D878 MOV ESI,ECX
0040D87A MOV DWORD PTR DS:[ESI],EAX ------->BP
0040D87C MOV EAX,DWORD PTR DS:[46D978]
0040D881 PUSH EDI
0040D882 MOV DWORD PTR DS:[ESI+4],EAX
0040D885 MOV EAX,48BC


The MOV at 0040D87A stores EAX into [ESI] = 00493D30, so the prefix comes from wherever EAX was loaded. A few instructions above the write (set a breakpoint at 0040D87A and run again if you want to watch it) is:

0040D86F MOV EAX,DWORD PTR DS:[46D974]


Address 0046D974 holds -UT2000-: the code above copies it one dword at a time (0046D974, then 0046D978 two lines later) into 00493D30.

This looks hard-coded, even though it did not show up in the referenced-strings listing (presumably because the code reads it as dword data rather than referencing it as a string pointer).
So follow 0046D974 in the dump, select the bytes UT2000, press Space, type UT1600 over them, and then Copy to executable / Save file as usual (see the BitComet article for details on patching the exe). Keep the replacement exactly the same length: the buffer is copied as fixed-size dwords and nothing after it may move.

To test it, run the patched exe under OllyDbg and break at the following address:

0040A2F2 PUSH DWORD PTR SS:[EBP+6C]

You will see that the generated announce request (the one submitted to the tracker) now carries the new peer_id:

http://www.gaytorrent.com:3394/announce?info_hash=Pz%e4%a3%c2B%d4%cc%27%02%ee%bfqk%93%d3%03Y%fe%0e&peer_id=-UT1600-%bcHq%18%7f%3b%1c%ae%83%e8%d9%90&port=11145&uploaded=0&downloaded=0&left=722337&corrupt=0&key=0B54A196&event=started
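
As an added example (my code, not the article's and not uTorrent's), here are the two steps above, patching the prefix in the unpacked image and checking what the tracker receives, in Python. It assumes the unpacked image holds the prefix as the plain ASCII bytes -UT2000- and that the announce query uses ordinary percent-encoding; SAMPLE_IMAGE is a constructed stand-in for the exe, and the query string in ARTICLE_ANNOUNCE is the one captured above with the tracker host replaced by a placeholder.

```python
"""
Added example (mine, not code from the article or from uTorrent): patch an
8-byte peer_id prefix inside an unpacked binary image without changing its
size, then check what a tracker would actually see in the announce request.
Assumed, not taken from the article: the unpacked image stores the prefix as
the plain ASCII bytes -UT2000-, the announce query uses ordinary percent-
encoding, and SAMPLE_IMAGE below is a constructed stand-in for the exe.
"""
from __future__ import annotations

import os
from urllib.parse import quote_from_bytes, unquote_to_bytes, urlsplit

OLD_PREFIX = b"-UT2000-"
NEW_PREFIX = b"-UT160B-"   # the value the author's UPDATE says trackers accept

# Constructed stand-in for the unpacked exe: a format string like the one the
# article finds, some padding, and the hard-coded prefix stored as raw data.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"...&peer_id=%.20U&port=%d\x00"
    + b"\x00" * 8
    + OLD_PREFIX
    + b"\x00" * 16
)

# Query string from the announce captured in the article (host replaced by a
# placeholder); peer_id there is the 8-byte prefix followed by 12 random bytes.
ARTICLE_ANNOUNCE = (
    "http://tracker.example/announce?"
    "info_hash=Pz%e4%a3%c2B%d4%cc%27%02%ee%bfqk%93%d3%03Y%fe%0e"
    "&peer_id=-UT1600-%bcHq%18%7f%3b%1c%ae%83%e8%d9%90"
    "&port=11145&uploaded=0&downloaded=0&left=722337&corrupt=0"
    "&key=0B54A196&event=started"
)


def patch_bytes(image: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Replace every occurrence of `old` with `new` and return the patched
    image plus the number of replacements. The replacement must keep the
    same length: a longer or shorter string would shift every following
    byte of the section and break the PE (and the 20-byte peer_id buffer
    the article's code fills with fixed-size dword moves)."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    return image.replace(old, new), image.count(old)


def make_peer_id(prefix: bytes, tail: bytes = b"") -> bytes:
    """uTorrent-style peer_id: 8-byte client/version prefix + 12 random bytes,
    20 bytes in total (the width of the %.20U field in the format string).
    `tail` lets a test supply the random part deterministically."""
    if len(prefix) != 8:
        raise ValueError("prefix must be exactly 8 bytes")
    tail = tail or os.urandom(12)
    if len(tail) != 12:
        raise ValueError("random part must be exactly 12 bytes")
    return prefix + tail


def build_announce(base: str, info_hash: bytes, peer_id: bytes, port: int) -> str:
    """Assemble an announce URL, percent-encoding the binary fields."""
    return (
        f"{base}?info_hash={quote_from_bytes(info_hash, safe='')}"
        f"&peer_id={quote_from_bytes(peer_id, safe='')}"
        f"&port={port}&uploaded=0&downloaded=0&left=0&event=started"
    )


def parse_announce(url: str) -> dict[str, bytes]:
    """Split the query into raw byte values. parse_qs() is the wrong tool
    here: it decodes values as text and would corrupt info_hash/peer_id."""
    fields: dict[str, bytes] = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_to_bytes(value)
    return fields


def check_peer_id(url: str, expected_prefix: bytes) -> bool:
    """What a tracker's client check amounts to: a 20-byte peer_id whose
    first 8 bytes are the expected client/version prefix."""
    fields = parse_announce(url)
    peer_id = fields.get("peer_id", b"")
    info_hash = fields.get("info_hash", b"")
    return (
        len(info_hash) == 20
        and len(peer_id) == 20
        and peer_id.startswith(expected_prefix)
    )


if __name__ == "__main__":
    patched, n = patch_bytes(SAMPLE_IMAGE, OLD_PREFIX, NEW_PREFIX)
    print(f"replaced {n} occurrence(s); size unchanged: {len(patched) == len(SAMPLE_IMAGE)}")
    url = build_announce("http://tracker.example/announce",
                         os.urandom(20), make_peer_id(NEW_PREFIX), 11145)
    print("patched client announces as", parse_announce(url)["peer_id"][:8])
    print("article capture passes -UT1600- check:",
          check_peer_id(ARTICLE_ANNOUNCE, b"-UT1600-"))
```

Run the file directly for a demo. Two checks matter in practice: the replacement must be byte-for-byte the same length as the original, and the announce must be decoded with unquote_to_bytes rather than parse_qs, since info_hash and peer_id are raw bytes, not text.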


Patched exe:
uTorrent160B.exe - uTorrent 2 with the peer_id patched


Comments:
Anonymous
2010-09-05 00:46:35
That patched 160B does not work; it showed 2000/18620 for the version on the torrent site.
Copyright Open Source Institute, 2006