26331 total geeks with 3498 solutions

Recent challengers:

KNL reverser 7 - 07:52PM
krc level 2 - 11:06AM
krc level 1 - 08:33AM

Welcome, you are an anonymous user! [register] [login]

	GEEK
Challenge Bonus Levels Geek Reverser View Solutions Test Centre Hall of Brain Hall of Bonus Hall of Reverse Geek or Freak

User's box

Username:

Password:

Forgot password?
New account

Shoutbox

	MaxMouse It's Friday... That's good enough for me!
	CodeX non stop lolz here but thats soon to end thanks to uni, surely the rest of the world is going good?
	stabat how things are going guys? Here... boring...
	CodeX I must be going wrong on the password lengths then, as long as it was done on ECB
	MaxMouse lol... the key is in hex (MD5: of the string "doit" without the "'s) and is in lower case. Maybe i should have submitted this as a challenge!

Donate

Donate and help us fund new challenges

Due Date:	Jun 30
June Goal:	$40.00
Gross:	$0.00
Net Balance:	$0.00
Left to go:	$40.00

Contributors

News Feeds

The Register

	Icahn doubles down on Dell offer with $14 per share buyback scheme
	Kiwi telco Two Degrees to roll out 4G in 2014
	TypeScript 0.9 arrives with new compiler, support for generics
	Google mounts legal challenge to surveillance gag orders
	It"s time to suck the marrow from the NBN debate
	Increased cell phone coverage tied to uptick in African violence
	Remote code execution vuln appears in Puppet
	Canonical unveils Carrier Advisory Group for Ubuntu phones
	Soylent days and soylent nights
	Tor users locked out of Facebook after wave of dodgy traffic

Slashdot

	MySQL Man Pages Silently Relicensed Away From GPL
	Verizon Accused of Intentionally Slowing Netflix Video Streaming
	Oculus Rift Raises Another $16 Million
	KWin Maintainer: Fanboys and Trolls Are the Cancer Killing Free Software
	Google Files First Amendment Challenge Against FISA Gag Order
	Microsoft To Start Dumping Surface RT To Schools For $199
	With an Eye Toward Disaster, NYC Debuts Solar Charging Stations
	2013 U.S. Wireless Network Tests: AT&T Fastest, Verizon Most Reliable
	How Ubiquitous Autonomous Cars Could Affect Society (Video)
	First Particle Comprising Four Quarks Discovered

Article viewer

Newest uTorrent 2 banned from trackers

Written by:	sefo
Published by:	sefo
Published on:	2010-03-24 07:18:22
Topic:	Assembly

Search OSI about Assembly.

More articles by sefo.

viewed 24067 times

Not sure if that's recent news or not, but I've had some request about changing uTorrent 2's peer_id because it's been banned from some trackers. UPDATE: The peer_id I used in this article is not correct. It should work using -UT160B- instead (see article for link)

Edit:
http://forum.utorrent.com/viewtopic.php?pid=468992

So following my BitComet hack:
http://osix.net/modules/article/?id=788

I apply it to uTorrent 2 (the process is easier than BitComet!)

Tools: OllyDbg, uTorrent2

STRINGS:

Note:
uTorrent2 is upx'ed to make the exe smaller, upx -d will do the trick.

First thing we do is check if the peer_id we want is hardcoded:
right-click->search for->all reference text strings

In the list, right click->search text = "peer_id"
The first occurrence is the string it sends to identify itself to the tracker.
It looks like this: ...&peer_id=%.20U...

uTorrent will replace %.20U by -UT2000- (and we want -UT1600-)
If you double click on this line you go to the code:

0040A28D PUSH utorrent.0046D0A8 ;ASCII "...&peer_id=%.20U...

At this point in code, the string has already been generated so we go up a little in code (randomly a few lines above) and by debugging from there we find:

Note:
After setting a BP, it takes a few seconds before breaking. Do not think your BP didn't work!

0040A281 |. 68 303D4900 PUSH utorrent.00493D30

00493D30 = -UT2000-
We can find this by a right-click on line above->follow in dump->immediate constant

We now need to find where 1 or both address are accessed (written to).

In the disasm window, r-click->go to->expression = 00493d30
r-clk on the new line that appears and ->breakpoint->on memory write

Note:
Before you set this kind of BP, remove all previous BP (atlt+B) and restart olly.
Then go to address above, set BP and run.

Run (F9) and it breaks there:

0040D877 PUSH ESI
0040D878 MOV ESI,ECX
0040D87A MOV DWORD PTR DS:[ESI],EAX ------->BP
0040D87C MOV EAX,DWORD PTR DS:[46D978]
0040D881 PUSH EDI
0040D882 MOV DWORD PTR DS:[ESI+4],EAX
0040D885 MOV EAX,48BC

So we set a BP on memory, write, again at 0040d87a and run again to stop here:

0040D86F MOV EAX,DWORD PTR DS:[46D974]

Now this address contains UT2000... (and will transfer it to 00493D30)

This looks harcoded (although i didn't see it in the strings listing)
So i follow it in dump, select UT2000 and press space, replace with UT1600 and copy to exe/save to file as usual. (see bitcomet article for details on how to patch an exe)

To test it, run the new exe and break on the following address:

0040A2F2 PUSH DWORD PTR SS:[EBP+6C]

You will see that the generated (the one submitted to trackers) has been modified.

http://www.gaytorrent.com:3394/announce?info_hash=Pz%e4%a3%c2B%d4%cc%27%02%ee%bfqk%93%d3%03Y%fe%0e&peer_id=-UT1600-%bcHq%18%7f%3b%1c%ae%83%e8%d9%90&port=11145&uploaded=0&downloaded=0&left=722337&corrupt=0&key=0B54A196&event=started

For the patched exe:
uTorrent160B.exe - uTorrent2 patched peer_id updated

Did you like this article? There are hundreds more.

Comments:

Anonymous
2010-09-05 00:46:35

that patched 160B does not work, showed 2000/18620 for version on the torrent site

Anonymously add a comment: (or register here)
(registration is really fast and we send you no spam)

BB Code is enabled.

Captcha Number:

Blogs: (People who have posted blogs on this subject..)

jackier

jackier on Mon 13th Oct 10am
111

sefo

Sneak - encryption on Fri 17th Nov 12pm
I'm developing the win32 version of sneak: http://snarkles.net/scripts/sneak/sneak. php The ASM source code is available on cyberarmy svn (for members only - free) Check the forum for details: http://www.cyberarmy.net/forum/sneak/mes sages/295244.

sefo

Geek Toolbar on Mon 13th Nov 8am
This a very simple and small toolbar I wrote in my spare time. I use the same set of tools very often and I find it very annoying to look for them in the start menu, on the desktop or in explorer. http://www.osix.net/modules/folder/index .php?tid=134

sefo

BinScan and Alternate Data Stream on Thu 27th Jul 9am
BinScan I created this tool to quickly identify modifications in the PE, use of a TLS callback and Alternate Data Streams. -> Some modifications done in the PE structure of an executable can prevent debuggers or other tools to open the executable.

sefo

Wmf Creator on Wed 26th Jul 7am
Now that the blog is online, I'll be able to share two or three tools I wrote. The first one I'd like to share is WMF Creator. I already put a link in the comments of my article: Wmf Exploit but I thought it would look nicer here. This tool will tak

Test Yourself: (why not try testing your skill on this subject? Clicking the link will start the test.)

Reverse Engineering by Geek_Freek

A test to check your assembly and reversing skills.

Assembly Language - non compiler specific by TroPe

You can test your assembly knowledge by taking this test. It starts out relatively easy, but gets progressively hards very quickly! If you know assembly, or just want to see what you DONT know about assembly, this test is for you. A more advanced assembly

Your Ad Here