I was doing some work with virtual machines today. Since this topic came up earlier today (I don’t recall how or why), when I finished with the VMs, before I wiped and reset them, I decided to give the Elby driver a last test for fun. I have good news and bad news.
The good news is that the filename of the “temp” file is not random and can easily be determined. It is derived from the serial number of the boot drive (for some reason). It is not actually a hash, but simply the eight-digit serial number XOR’d with the magic value 8af15bc6. So for example:
Code:
Open a command prompt (Run->cmd)
> dir c:\
Note the serial number (eg 1234-ABCD)
Run a calculator (eg Run->calc)
Enter Hex mode (eg Press F5 for Windows’ calc)
Enter the serial number (in this case 1234-ABCD)
Click XOR (or Press ^)
Enter the magic number 8af15bc6
Get result (eg Press Enter/click =)
Tada! Your “temp” file number (in this case 98C5F00B)
> dir c:\windows\S98C5F00B.tmp /a
> attrib c:\windows\S98C5F00B.tmp
(I still don’t know what the contents of the file are though, so if anyone figures it out I’d be curious to know.)
The bad news is that this realization messes up all of the previous explanations. I don’t know about any of you, but I for one rarely change the serial number (or even the volume label) of any of my drives, LET ALONE every ten seconds. It cannot logically be used to enforce the license (you can test this by altering the serial number), and even if it did, it could do it once on startup, not every 10 seconds for all eternity. It is not testing for the drive’s presence (why would it need to test the serial number to check for the drive’s presence? Simply opening the device should be sufficient, and for that matter, why check the (hd) boot drive at all? This is OPTICAL drive software.)
I cannot think of a reason to check the drive’s serial number every 10 seconds forever.

Maybe it was some kind of debug function that they forgot to remove from the final code.

#ifdef _DEBUG guys!

In any case, I never said that it was in fact malware or a rootkit, and whatever the purpose for the infinite polling, it is unlikely to be for malicious purposes. My only beef is that it snuck in quietly (not in the changelog), sort of hid (hidden and system), and forever eats resources for an unknown and unexplained reason.
For any programmers out there, it is trivial enough to patch the driver file to stop polling (don’t forget to update the checksum). However, that is probably against the EULA (ironic), but creating a directory by the same name is not, which sufficiently prevents the disk access without affecting function—although the polling continues, and in fact does TWO accesses every 10 seconds (that quickly fail instead of doing a read/write). Of course setting the ElbyCDIO service to disabled stops the polling and doesn’t seem to stop any of the apps from working, at least not that I can tell.
Well, that’s it. I have provided you people with as much information and research on this topic as there is. You now have enough to make an informed decision. If you don’t mind files scattered on your hard drive in places they shouldn’t be and in your registry (I have seen orphaned reg entries from various SlySoft/Elby apps in inappropriate places, e.g. HKCU\) and you want or need to continue using it, then that’s fine (hopefully it will be the only program stuck in an infinite loop on your system); if not, then that’s fine too.
I hope that I have helped anyone who did wonder about this, and that other people who attempt an Internet search for answers will somehow be led to these threads for enlightenment. (You never know, it could even drum you up a couple of sales.)
Either way, happy ripping.
(I wonder if Mark Russinovich faced this kind of resistance when he tried to help.)
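A small script that automates the calculator steps from the post above, added here as an example and not part of the original post: it pulls the volume serial out of `dir` output, derives the S&lt;hex&gt;.tmp name with the magic value the post quotes, and reports whether that path is absent, a file, or the blocking directory the post describes creating. The sample `dir` output and the C:\Windows location are assumptions.

```python
import os
import re

# Magic constant and filename pattern quoted in the post above.
MAGIC = 0x8AF15BC6
WINDOWS_DIR = r"C:\Windows"  # assumed location of the temp file

# Constructed sample of the header that `dir c:\` prints; the serial is the
# example value from the post, not taken from a real machine.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of c:\\
"""

_SERIAL_RE = re.compile(
    r"Volume Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})"
)


def parse_volume_serial(dir_output: str) -> int:
    """Return the XXXX-XXXX volume serial from `dir` output as an integer."""
    m = _SERIAL_RE.search(dir_output)
    if m is None:
        raise ValueError("no 'Volume Serial Number is' line in dir output")
    return int(m.group(1) + m.group(2), 16)


def temp_file_name(serial: int) -> str:
    """Serial XOR magic, rendered as eight upper-case hex digits: S<hex>.tmp."""
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("volume serial must fit in 32 bits")
    return "S%08X.tmp" % (serial ^ MAGIC)


def expected_path(dir_output: str, windows_dir: str = WINDOWS_DIR) -> str:
    """Full path the driver is expected to touch for this volume serial."""
    return os.path.join(windows_dir, temp_file_name(parse_volume_serial(dir_output)))


def classify(path: str) -> str:
    """What sits at the derived path: the temp file, the blocking directory
    from the post's workaround, or nothing at all."""
    if os.path.isdir(path):
        return "directory (blocks the file)"
    if os.path.isfile(path):
        return "file present"
    return "absent"


if __name__ == "__main__":
    path = expected_path(SAMPLE_DIR_OUTPUT)
    print(path, "->", classify(path))
```

On a real machine, feed the script the actual `dir c:\` output and follow up with `attrib` on the reported path to see the hidden/system flags the post mentions.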