Best hex way to emasculate an executable updater?

<trtpqq$ir4l$1@solani.org>

Newsgroups: alt.comp.os.windows-10
From: thi...@address.is.invalid (mike)
 by: mike - Tue, 7 Feb 2023 15:13 UTC

Have you ever had an updater that kept coming back?

I installed memoryhogs hoping it would help me identify a cpu/io hog.
https://www.ghacks.net/2017/01/23/memory-hogs/
http://michaels-tech-notes.info/software-database/
https://www.michaels-tech-notes.info/app/download/3888974/MemoryHogs.exe

The memory hogs program works ok but insists on installing its own updater.
I deleted the updater. It came back.
I deleted it again. It came back again.

Thinking I'd be "clever", I deleted it and created an empty text file
of the same name "MemoryHogsUpdater.exe" but it came back on top of it.

What's an easy way to slightly destroy the updater by injecting hex?
Would just hex editing work or is there a more clever way?

Re: Best hex way to emasculate an executable updater?

<i4uEL.3184591$%fx6.2853314@fx14.ams1>

 by: Mighty✅ Wannabe✅ - Tue, 7 Feb 2023 15:25 UTC

mike wrote on 2/7/2023 10:13 AM:
> Have you ever had an updater that kept coming back?
>
> I installed memoryhogs hoping it would help me identify a cpu/io hog.
> https://www.ghacks.net/2017/01/23/memory-hogs/
> http://michaels-tech-notes.info/software-database/
> https://www.michaels-tech-notes.info/app/download/3888974/MemoryHogs.exe
>
> The memory hogs program works ok but insists on installing its own
> updater.
> I deleted the updater. It came back.
> I deleted it again. It came back again.
>
> Thinking I'd be "clever", I deleted it and created an empty text file
> of the same name "MemoryHogsUpdater.exe" but it came back on top of it.
>
> What's an easy way to slightly destroy the updater by injecting hex?
> Would just hex editing work or is there a more clever way?

Use a firewall to block internet access to any process you want to deny
internet access. Most people who use "cracked" software know to block
internet access to their "cracked" software.

I use "Tinywall", but there is a learning curve.

https://tinywall.pados.hu/

Re: Best hex way to emasculate an executable updater?

<trtska$isoj$1@solani.org>

 by: mike - Tue, 7 Feb 2023 16:01 UTC

On 07-02-2023 16:25 <@.> wrote:

> Use a firewall to block internet access to any process you want to deny

I use the default Windows firewall but it did not pop up any warning.
I think I can bring up the Windows firewall using the control+i buttons.
But then how do I know which domain to block in Windows firewall?

Re: Best hex way to emasculate an executable updater?

<k4fb3nF9dopU1@mid.individual.net>

 by: Andy Burns - Tue, 7 Feb 2023 16:04 UTC

mike wrote:

> Thinking I'd be "clever", I deleted it and created an empty text file
> of the same name "MemoryHogsUpdater.exe" but it came back

Create a folder called "MemoryHogsUpdater.exe"?

Re: Best hex way to emasculate an executable updater?

<mXuEL.2$JnWf.0@fx07.ams1>

 by: Mighty✅ Wannabe✅ - Tue, 7 Feb 2023 16:24 UTC

mike wrote on 2/7/2023 11:01 AM:
> On 07-02-2023 16:25 <@.> wrote:
>
>> Use a firewall to block internet access to any process you want to deny
>
> I use the default Windows firewall but it did not pop up any warning.
> I think I can bring up the Windows firewall using the control+i buttons.
> But then how do I know which domain to block in Windows firewall?

I gave up trying to figure out how to use Windows firewall.

The Tinywall is actually a user interface for Windows firewall. That's
why the program size is so small. Tinywall lets you specify all the
restrictions and it will change the settings in Windows firewall for you.

The file size of Tinywall is only 868 kb.
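
The per-program block discussed in this thread, written directly as a Windows Firewall rule in PowerShell. This is an added example, not code from any poster or from TinyWall; the updater path and the rule name are placeholders, since the thread does not give the install location. The rule matches on the executable's path, so no domain needs to be known.

```powershell
# Added example: block all outbound traffic for one executable with the
# built-in Windows Firewall (NetSecurity module). Run from an elevated prompt.
# Windows Firewall allows outbound traffic by default, so nothing is blocked
# until an explicit rule like this one exists.

# Placeholder path: the thread does not say where the updater is installed.
$UpdaterPath = 'C:\PLACEHOLDER\MemoryHogsUpdater.exe'
# Hypothetical rule name chosen for this example.
$RuleName    = 'Block outbound - MemoryHogsUpdater'

function Block-ProgramOutbound {
    param(
        [Parameter(Mandatory)] [string] $Program,
        [Parameter(Mandatory)] [string] $DisplayName
    )

    if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
        # The rule is keyed on the path, so it still applies if the file
        # is recreated there later; warn in case the path is simply wrong.
        Write-Warning "No file at '$Program' right now; check the path."
    }

    # Reuse an existing rule instead of stacking duplicates on every run.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $DisplayName `
            -Direction Outbound -Program $Program `
            -Action Block -Profile Any -Enabled True
    }

    # Read back what the firewall actually stored and report it.
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -ne $Program) {
        Write-Warning "Rule '$DisplayName' already exists for '$($app.Program)'."
    }
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Direction = $rule.Direction
        Action    = $rule.Action
        Enabled   = $rule.Enabled
        Profile   = $rule.Profile
        Program   = $app.Program
    }
}

Block-ProgramOutbound -Program $UpdaterPath -DisplayName $RuleName
```

`Remove-NetFirewallRule -DisplayName $RuleName` undoes the change.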
