Dissecting the new Mark 8 E-Meter updater software

Discussion in 'Projects' started by DeathHamster, Nov 26, 2013.

  1. DeathHamster Member

    So... Who wants to download the Mark 8 updater software and stick it under a microscope? (Downloading the exe is safe, but for the love of Xenu, don't run it! Only run it inside a secure virtual box or a clean stand-alone box that you scrub afterward.)

    The update installer is 23.4M. I'm surprised (and very suspicious) that they let you download it without logging in on their site first.

    I think Admiral Ackbar said it best...

    The main question is: What else does it install besides E-meter updater? 50-ish MB expanded seems damned big for updating their new toaster.

    More Clam Nanny filtering software? A rootkit for a Scienobotnet?
    • Like Like x 11
  2. DeathHamster Member

    By the way, when I downloaded it, I immediately changed the name of the exe so that I don't trip over it two years from now and accidentally run it, as well as changing the extension so that I can't.

    • Like Like x 7
  3. RightOn Member

    did boy dig
  4. DeathHamster Member

    Afraid I don't have the time to dig just now. I only downloaded it in case they locked it up for registered members only later.
    • Like Like x 6
  5. Perhaps they have some sort of spyware/listening device in there to record the person's voice as he's self auditing?
  6. overhere Member

    If they did, they probably want to spy on indies who still audit. That would explain the "public" new software update.
    • Like Like x 1
  7. RightOn Member

    out ethics
    please report to your CS stat
  8. Anonymous Member

  9. Anonymous Member

    Watch it... When you run the program, it will send some shit:

    • Like Like x 5
  10. Anonymous Member

  11. Random guy Member

    50 Mb? What is this, MS Word?
    • Like Like x 4
  12. Anonymous Member

    The chrome.pak file has copyright from Apple software? This is some crazy shit

    • Like Like x 7
  13. Anonymous Member

  14. Anonymous Member



    • Like Like x 9
  15. DeathHamster Member

    It seems to be part of Chromiumembedded project stuff.

    On native Windows apps, if you want to display HTML (and CSS, Javascript, etc, etc...) the option was that you had to use a control which is a gateway to Microsoft IE. That sucks donkey balls for a number of reasons. (Don't get me started when I'm suffering from PCS [Pre-Coffee Syndrome].)

    Chromiumembedded is a framework to allow native apps to do the same with the Chrome browser.

    So... This install has probably added either an embedded or full-up version of the Chrome browser to the system. Heck, that might explain the damned install size right there! :cool:

    The phone-home stuff is going to Scientology via their expensive Akamai proxying service. It would be nice to know what it sent.

    LOL at the serial/USB dongle. I guess they really didn't have another option after the meters rotted in boxes for all these years.

    Two suggestions:
    1. Check to see if there are any extra processes running. (I use Process Explorer by Mark Russinovich via Microsoft, but Task Manager might do in a pinch.)
    2. Were any start-up programs added?
    Good stuff Anonymous!
    • Like Like x 5
  16. Anonymous Member

    Some interesting findings:




    Those are only a few examples. This motherfucker queries the whole registry, my Documents and Settings folders and more.
    • Like Like x 8
  17. DeathHamster Member

    If an embedded Chrome is being installed, it would query a lot of stuff like the IE settings, however, I notice that they're looking for their own Firefox plug-in:

    If this update is only run once a year, why would they need a Firefox plug-in? Heh.
    • Like Like x 2
  18. DeathHamster Member

    Nice Windows programs don't dick with c:\autoexec.bat anymore. If something needs to run on startup, there are proper ways of doing it these days. Even #$%@ Adobe and Apple don't do stuff like that when installing their crud.

    I'd say that autoexec.bat is a sign something scuzzy is going on.
    • Like Like x 5
  19. Anonymous Member

    When running the program it will create several files and folders in the TEMP folder:


    Some of the content in the Data_3 temporary file:


    Some of the content of the Data_2 temporary file:


    Some of the content of the Data_1 temporary file:


    So it seems like the GUI is on the hubbard site. So why is the installation 25MB? It also sends statistics information to the Google Analytics site (visitor information).


    • Like Like x 2
  20. DeathHamster Member

    By the way, what does it put in c:\autoexec.bat?
  21. Anonymous Member

    It creates a shortcut to m8lp (Mark VIII Launch Protocol) files in the registry:



    • Like Like x 1
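
The two checks raised in this thread (were any start-up programs added, and the m8lp handler being registered) can be done by diffing `reg export` dumps taken in the analysis VM before and after the installer runs. The following is an added example, not part of any post; the sample dumps, the `ExampleAutorun` value and the `C:\EXAMPLE\placeholder.exe` path are constructed placeholders, not findings about the updater.

```python
import re

# Per-user and per-machine autorun keys end in ...\CurrentVersion\Run or RunOnce
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: raw_data}}.
    Real exports are UTF-16; decode the file before passing it in."""
    keys, current = {}, None
    # hex(...) values continue across lines with a trailing backslash
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                current[m.group(1).strip('"')] = m.group(2)
    return keys

def new_persistence(before, after):
    """Return autorun values and URL scheme handlers that appear only in `after`."""
    b, a = parse_reg(before), parse_reg(after)
    findings = []
    for key, values in a.items():
        old = b.get(key, {})
        if RUN_KEY.search(key):
            for name, data in values.items():
                if old.get(name) != data:
                    findings.append(("autorun", key, name, data))
        # A URL scheme handler is a class key carrying a "URL Protocol" value
        if "URL Protocol" in values and "URL Protocol" not in old:
            cmd = a.get(key + r"\shell\open\command", {}).get("@", "")
            findings.append(("url-handler", key, key.rsplit("\\", 1)[-1], cmd))
    return findings

# Constructed sample dumps (placeholders, not the updater's real registry changes)
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
AFTER = BEFORE + r'''"ExampleAutorun"="C:\\EXAMPLE\\placeholder.exe /background"

[HKEY_CLASSES_ROOT\m8lp]
@="URL:m8lp Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\m8lp\shell\open\command]
@="\"C:\\EXAMPLE\\placeholder.exe\" \"%1\""
'''
```

A registered URL scheme is worth flagging because any web page can then ask the browser to launch the handler's command line with attacker-chosen arguments in `%1`.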
  22. Anonymous Member

    It doesn't add anything to my autoexec.bat file
  23. DeathHamster Member

    It checked for it, created it, read it, but didn't put anything in it? Odd... (Hanlon's razor?)
  24. Anonymous Member

    It doesn't like you.
  25. Anonymous Member

    • Like Like x 2
  26. Anonymous Member

    • Like Like x 11
  27. Anonymous Member

    E-mail sent to the virus companies with some explanation. Let's see what happens next.

    Maybe one of you with some Wireshark experience can take a look at the packets?
  28. DeathHamster Member

    Has anyone tried to open a browser and access critical sites with one of these boxes yet? WWP,, etc. Any blocking, filtering, or extra ports open to CoS sites?
  29. RightOn Member

    I have no idea what the fuck you guise are talking about, but it sounds totally awesome
    • Like Like x 5
  30. DeathHamster Member

    Did you send to Panda or Vipre? (Joking, but I wonder what their reaction would be...)
    • Like Like x 3
  31. Rod Keller Member

    I was in the original filter software. I'd be curious to know if I'm still on the list, if there is a list.
  32. wolfbane Member

    And there's the proof that everything Marc Headley has said about the warehousing of these e-meters is trufax. Well done Anon, well done.
    • Like Like x 9
  33. Anonymous Member

    What kind of value would a software update add to an old ass serial e-meter? I really don't get it.
  34. Anonymous Member

    xenu or xemu may gain entrance
  35. DeathHamster Member

    It's like taking a wrapped xmas present and trying to figure out what's inside by hefting it, shaking it and whatnot.

    Only this present is from Scientology, it smells funny, and occasionally it ticks.
    • Like Like x 10
  36. RightOn Member

    :D ^ I love you! LOL
  37. wolfbane Member

    Fkme it's a resource intensive pig. This thing looks like it came straight out of the final chapter(s) of a textbook demo program for Windows system management actions using .Net2.0 in its earliest incarnation. One of those deals where coding examples are given for common actions that build up incrementally into a totally useless program overall, unless you parse out the relevant bits.

    Also note the reliance on dw20.exe - Dr. Watson, LOL! Who in their right fking mind doesn't wrap their own error routine in this day and age! That kind of shit went out of fashion with Win2000. Like with the autoexec.bat handling, this is another BIG obvious sign that this install package was lifted from another source and crudely adapted to do some simple function, but they drug along a ton of other shit that they didn't know how to remove.

    DO WANT to see a copy of dw.log plox. Unless it's already posted and I missed it?

    Inb4 rampant reports of MarkVIII updater crash and burn problems pissing people off who paid a small fortune and can't get it registered.
    • Like Like x 2
  38. wolfbane Member

    Tech-wise, nothing. These things have sat in storage so long it does not seem feasible it would require a firmware update/activation to run digital functionality. As Marc Headley has explained in the past, they would have needed to gut all the e-meters they had in storage and replace the internals to truly accomplish that, in which case there would be native USB support.

    Which is also stupid, if the thing works right out of the case - don't connect it to your computer. Period.

    Speculation: what they are likely trying to do is shoehorn in the means of automated device tracking/registration, to prevent people who are not in good standing from being able to use them. A faux lockdown if you will, fooling people into thinking that they need to get the firmware check annually to keep it working. And I would be shocked if there really is a chip inside the device that self-disables if it does not get connected to a computer once a year.

    There is so much crap in that Anubis Report, custom handling of some sort of calendar-based date tracking didn't jump out at me, yet... but surely there is a date stored to a regkey somewhere that will set off a stoopid nag prompt telling the person to re-connect their e-meter after a year has elapsed. With the real purpose being a server-side process that records which serial numbers map to which names to tell the cult who is using which device.
    • Like Like x 3
