📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
sp
's Blog
Created: Monday, November 14 2005 10:38.29 CST
Modified: Monday, November 14 2005 10:38.29 CST
This is an imported entry.
View original
.
Printer Friendly ...
Is Sony in violation of the LGPL?
Author:
sp
# Views:
1379
Update
:
Click here
Im sure youve already heard about the Sony rootkit that was first revealed by Mark Russinovich of
Sysinternals
. After the Finnish hacker Matti Nikki (aka muzzy)
found some revealing strings
in one of the files (go.exe) that are part of the copy protection software, the rootkit is also suspected to be in violation of the open-source license
LGPL
. The strings indicate that code from the open-source project
LAME
was used in the copy protection software in a way thats not compatible with the LGPL license which is used by LAME.
On Slashot muzzy mentioned that he doesnt have access to
Sabre BinDiff
, a tool that can be used to compare binary files. I was in the opposite position as I have BinDiff but I didnt have the file in question (go.exe). I mailed muzzy and he hooked me up with the file.
I compared go.exe with a VC++-compiled version of lame_enc.dll but unfortunately BinDiff didnt find a single relevant matched function. A quick manual check didnt reveal any LAME functions in go.exe either.
Even though go.exe apparently does not contain any LAME code, a considerable amount of tables and constants from the LAME source files can be found in the go.exe file. Heres a
list of the LAME tables
Ive been able to locate. The first column shows the hex address where the table can be found in the go.exe file, the second column shows the name of the table as it appears in the LAME source code and the third column shows the LAME source file where the table can be found.
I have to add though, that not a single table actually seems to be used by the go.exe code. What does that mean? Ive asked random people and Ive heard speculation ranging between "accidentaly linked" and "encrypted code in go.exe that uses the tables and cant be found in the disassembler". Further analysis needs to be made but at this point Im leaning towards more or less accidental inclusion.
If you wish to comment on this blog entry, please do so on the
original site
it was imported from.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}