~ Eliminating the evil real player ~
Published in November 2002 (Version 0.07: October 2003)
Eliminating the evil real player
by Kane
small update by Kane
Stiletto's observations
Fravia's observations 1
Fravia's observations 2
Windows Media Player is evil: the "Supercookie"
(Awaiting more input /feedback / suggestions / critics :-)
'twas about time. I will repeat it: it was about time that some reverser would
'solve' the problems caused by the spyware known as Real player. Here is the solution. Read
and enjoy (and please consider that this is still in fieri)
Beginning (all great snowballs begin small)
Real Player/Real One (07/11/02 14:59:28)
I've recently started having to use a lot of .RM files, which brings along that nasty virus called RealPlayer or even nastier RealOne. Other than being insanely bloated and degrading your privacy, I just plain don't like not being able to play files in any media player I damn well please :)
So I went looking for solutions to my virus problem, and I found two which work well.
Firstly
tinra
http://evc.to/tinra/ (official site, down at the moment)
http://www.geocities.com/tinra04/ (so we'll use a mirror)
tinra converts .RM into raw .AVI so you can compress it into any format you choose. Well, that's a partial solution but too time consuming for my needs; you also still have to have real player installed to convert, and that's without mentioning tinra's other limitations.
Secondly
Media Player Classic
http://vobsub.edensrising.com/mpc.php
Can kill two birds with one stone with this one, get rid of windows media player (reasons why here http://www.petri.co.il/wmp_spyware.htm) and also get rid of the need to run real player (although yet again it still has to be installed).
First bootup of a .RM file in MPC and there it goes, playing flawlessly; other than a few problems with tracking it works on all the .RMs I tried it on. Ok, so now we have a partial solution: after turning off all the blatantly spying options in real player, adding it to kerio personal firewall's not allowed to connect out filter and killing that annoying systray startup agent, we have a nice functional way to play .RMs without using realplayer. That might be fine for some people but I'm picky :)
Maybe, just maybe, we don't need ALL of real player, maybe it's a codec hiding someplace in that mess called c:\. So I break out our old friends filemon and regmon, set a filter on MPC and watch what it opens when it's playing a .RM. I'll spare you the long output.
Bingo, there we go, it doesn't touch the real.exe, just some registry entries and a few DLLs. After a bit of trial and error, here's the list I've got that works without having any *.exe from realplayer installed.
DLL list
realDLLlist.txt
Registry Entries
Real.reg
Now with a simple .bat file you could have it install all the needed files easily. Something like this
----------------------- cut here --------------
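@echo off
rem Copy the saved Real DLL tree into the shared Real directory.
xcopy /EYH nameoffolderwithdlls "C:\Program Files\Common Files\Real\"
rem pncrt.dll goes into the Windows system directory.
copy /Y pncrt.dll %WINDIR%\System32\
rem Import the registry entries silently.
regedit -s Real.reg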
----------------------- cut here --------------
This was all done on a windows 2000 machine,
I have no other windows OS available to test it on, so it might not work on 9x/XP etc.
Kane (kane [AT] darkflux [DOT] org, november 2002)
Further observations (snowball is getting bigger, and quicker :-)
Ok, now let's have a look... for win 98:
You already have realplayer installed, so just delete the whole real subdirectory
with all the bin files in c:/program files,
screw real once for all!
Just keep the whole bangazz with all subdirectories in C:\Program Files\Common Files\Real\, but make sure
you delete the Update directory! That's it! Bye bye Real player, hope you won't feel too lonely
down the drain, you commercial vermin, in fact you'll be in good company!
Gabest's creation,
Media Player Classic, could -I fear- disappear from the web,
so here you have the relevant copies:
../zipped/mpc2kxp6465.zip (896001 bytes, for win 2000 and XP)
../zipped/mpc98me6405.rar (366318, for win 98).
You should by all means thank Gabest for this http://vobsub.edensrising.com/mpc.php,
or, more directly, http://order.kagi.com/cgi-bin/r1.cgi?N4A&&
Small update (automating the elimination)
Step 1
unreal.zip
Real reg + unreal.bat
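@echo off
rem Remove the RealOne program directory, the Visualizations and Update_OB
rem directories, and the *DB* files under Common.
rmdir /S /Q "C:\Program Files\Real"
rmdir /S /Q "C:\Program Files\Common Files\Real\Visualizations"
rmdir /S /Q "C:\Program Files\Common Files\Real\Update_OB"
del /S /Q "C:\Program Files\Common Files\Real\Common\*DB*"
rem Copy what is left into a directory named unreal, then remove the original.
xcopy /EYH "C:\Program Files\Common Files\Real" "C:\Program Files\Common Files\unreal\"
rmdir /S /Q "C:\Program Files\Common Files\Real"
rem Import the registry entries silently.
regedit -s Real.reg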
Unzip both files to the same dir and run unreal.bat
(I shouldn't have to tell you the dangers of running batch files when
you don't know what they do, so open it in a text editor first so YOU know what
it's doing)
It will automatically remove all
the crap from a default realone install, and move them to its own dir named
unreal. realsched.exe might not delete if realone has run at
some point since your last reboot; if not, reboot after running
the batch file and then remove it manually.
Step 2
unreal_clean.zip
Real.reg + unreal_clean.bat
unreal_clean.bat:
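@echo off
rem Restore the saved DLL tree into the unreal directory.
xcopy /EYH DLLs "C:\Program Files\Common Files\unreal\"
rem pncrt.dll goes into the Windows system directory.
copy /Y pncrt.dll %WINDIR%\System32\
rem Import the registry entries silently.
regedit -s Real.reg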
This is to be used after a clean install of windows,
but firstly you'll have to have done step 1. Now make a directory on
your hard drive, something like
"C:\unreal\"
and copy all the directories out of
"C:\Program Files\Common Files\unreal\"
into
"C:\unreal\DLLs\"
next, copy
"C:\WINNT\system32\pncrt.dll"
into
"C:\unreal\"
and finally, unzip the 2 files in unreal_clean.zip into
"C:\unreal"
backup "C:\unreal" somewhere safe,
and next time you install windows just run the install.bat.
That's the end of having to install realone ever again (or at
least till the evil ones get wise to this) :)
Yet again this was all on a win2k box, it's up to others
to put this technique onto the other winOS.
And with that I'm off to do a reinstall of win2k :)
I really should ghost/image the hdd so I don't have
to reinstall so much
Stiletto's observations (snowball is getting even bigger, and even quicker :-)
Comments (08/11/02 20:34:59)
All these comments are made on Kane's small update.
UNREAL.BAT and INSTALL.BAT:
On Windows 2000/XP, the /S switch on RMDIR and DEL is for deleting the entire directory, no matter if it is empty or not. The /Q switch will skip the prompt generated by the /S switch.
On Windows 98SE, there are no /S or /Q switches on either RMDIR or DEL. RMDIR defaults to not deleting the directory if there's stuff in it, and there's no switch to change that. Thus, you need to use DELTREE. The /Y switch suppresses prompting to confirm you want to delete the subdirectory.
DEL defaults to removing the files without question. So you don't need a /S or /Q. You can FORCE it to prompt by running DEL with a /P.
On xcopy (and most other DOS programs), /EYH won't work. You need to put spaces between the switches like so: "/E /Y /H".
Thus, on Windows 98:
change "rmdir /S /Q" to "deltree /Y"
change "del /S /Q" to "del"
change "xcopy /EYH" to "xcopy /E /Y /H"
But there must be some way to unify both batch files.
Additionally, when I tested my edited batch, it removed everything but:
(folder) C:\Program Files\Common Files\Real
(folder) C:\Program Files\Common Files\Real\Common
(folder) C:\Program Files\Common Files\Real\Update_OB
(file) C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
I don't know why. Otherwise, it's all gone.
INSTALL.BAT worked fine.
Also, in REAL.REG:
on Windows 98 it must be headed "REGEDIT4" instead of "Windows Registry Editor Version 5.00"
[HKEY_CLASSES_ROOT\Software\RealNetworks\Preferences\UserAddress]
@="exploitation@sucks.com" did not work. I don't know why.
My Comments: This is by far NOT THE BEST way of removing RealPlayer -
it left bits and pieces all through the registry and likely the operating system.
You'd do better to completely monitor the install process and uninstall process
at least once, and work out by hand the registry entries that are necessary for
a program to be able to play RealAudio files. I don't think we're quite
there yet, there should be more to remove. It's just codecs, I mean...
We should unregister them, copy them to another folder, reregister them -
the monitored install process should tell you how.
Also, I didn't install my player alternative beforehand. When Windows
goes to look for the player for RM files - Oh no! It's not there! So
I go install Media Player Classic as a solution mentioned by Kane and launch it.
I try to open my Noam Chomsky RM file obtained from the site he mentioned and...
OH NO! RealMedia ERROR! (not sure why) File associations should be taken
care of in a patch like this too.
I'd reboot to make sure all the changes have been applied, but on this
machine, I can't. (http://www.deepfreezeusa.com)
Fravia+, this RealPlayer "hack" is still very beta and IMHO doesn't deserve
a full-fledged essay yet. We need to "nice" it all up - make a .MSI installation
file or use another installer that will work on both Win9x/NT, get it to remove all
registry entries for RealPlayer/RealOne, only add back the ones that are necessary for
RealAudio (and RealVideo?) playback. (That's beyond my capacity, however.) And a lot
more research needs to be put into alternative players, and how they operate. IMHO
you should find one that works on many if not all of the Windows OS's, is free and
open-source. There are some talented reversers and programmers on these boards, I'm
sure they'll think of something. ;)
Stiletto
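Stiletto's comment above asks for a way to unify the Windows 2000/XP and Windows 98 variants of unreal.bat. One way to do it, as an added example that is not part of the original page or of unreal.zip: it assumes the OS environment variable reads Windows_NT on 2000/XP and is not set on Windows 98, and it adds an errorlevel check after xcopy that Kane's batch does not have.

```batch
@echo off
rem Added example: one unreal.bat for Windows 98 and Windows 2000/XP.
rem Assumption: the OS variable is Windows_NT on 2000/XP and not set on 98.
rem On Windows 98, Real.reg must be headed REGEDIT4 (see the REAL.REG note).
if "%OS%"=="Windows_NT" goto ntdel

rem Windows 98: DELTREE /Y replaces RMDIR /S /Q, plain DEL replaces DEL /S /Q.
deltree /Y "C:\Program Files\Real"
deltree /Y "C:\Program Files\Common Files\Real\Visualizations"
deltree /Y "C:\Program Files\Common Files\Real\Update_OB"
del "C:\Program Files\Common Files\Real\Common\*DB*"
goto docopy

:ntdel
rem Windows 2000/XP: the commands from Kane's batch, unchanged.
rmdir /S /Q "C:\Program Files\Real"
rmdir /S /Q "C:\Program Files\Common Files\Real\Visualizations"
rmdir /S /Q "C:\Program Files\Common Files\Real\Update_OB"
del /S /Q "C:\Program Files\Common Files\Real\Common\*DB*"

:docopy
rem Switches are written separately so both xcopy versions accept them.
xcopy /E /Y /H "C:\Program Files\Common Files\Real" "C:\Program Files\Common Files\unreal\"
rem Not in the original batch: keep the source directory if the copy failed.
if errorlevel 1 goto failed

if "%OS%"=="Windows_NT" goto ntlast
deltree /Y "C:\Program Files\Common Files\Real"
goto doreg

:ntlast
rmdir /S /Q "C:\Program Files\Common Files\Real"

:doreg
rem Import the registry entries silently.
regedit -s Real.reg
goto end

:failed
echo xcopy failed, "C:\Program Files\Common Files\Real" was left in place.

:end
```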
Fravia's observations (1)
I (fravia+) do not agree: these things start rolling --if they ever do-- through sudden movements, like snow-avalanches :-) Therefore there is no need to fear that an 'incomplete' (coz it will always be "incomplete") solution will do any damage, on the contrary (imho) it will help us.
So we must get onwards with what we have... alas! we do not have yet "a lot more research needs... into alternative players". Wish we had. If anybody has it (does it), please send it over...
"make a .MSI installation file", says Stiletto... of course. But in the mean time our (read Kane's) silly simple hack works wonders... why shouldn't we use / spread it? And I'm sure that readers that found their way to this page will be able to fine-tune a dos batch file.
"it left bits and pieces all through the registry and likely the operating system" It does not wonder me in the least... so what?
As long as these bits and pieces are DEAD BEEF, I could not care less. Let's invest our precious time in destroying our enemies' mischiefs, not exclusively on 'purity' tasks. This said, if anyone does develop a 'neater' solution, by all means, send it over! But I would not (personally, and I may be wrong) give to 'cleaning' a bigger priority than to 'solving'...
What I mean is that we have all been annoyed by real player for a long time, and simply by 1. deleting it, 2. keeping its codecs, 3. cleaning as much as we can its "left behind mess" and 4. using Gabest's Media Player Classic instead of Real, we move a long way, imo, towards a real player free world :-)
And no, thanks, their helix source code offers still sound bogus to me, coming from people that practiced large-scale spywaring, yet, by Jupiter! If they really go open source we'll re-start using their products, maybe.
Fravia's observations (2)
Better be careful when experimenting with this stuff. Like putting your hands in a hornet nest.
My first impression is that the very moment you install the new huge RealOnePlayerV2GOLD.exe (that
most sites will link you to as soon as you try to download any real player's version), it will
screw -once uninstalled- your windozian register (and box) so that you will not
be allowed any more to install a previous
version of it. At least I began getting C++ error messages and system crashes, after having
deinstalled it (thoroughly, I thought), on a win98 box, when trying to install Real 8.1 (not realone).
I noticed that when installing realone plays inter alia with following files:
C:\WINDOWS\HISTORY\DESKTOP.INI (quite interesting per se :-)
C:\PROGRAM FILES\DESKTOP.INI (have a look :-)
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
C:\WINDOWS\COOKIES\INDEX.DAT
C:\WINDOWS\SYSTEM\STDOLE2.TLB
C:\WINDOWS\SYSTEM\MSHTML.TLB
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\OLE32.DLL
C:\WINDOWS\SYSTEM\MSVCRT.DLL
C:\WINDOWS\SYSTEM\JSCRIPT.DLL
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
C:\WINDOWS\SYSTEM\SHFOLDER.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\COOKIES\INDEX.DAT
My impression is that if you do happen to have installed recent versions of Real Player (8.1 or realone) then you better
- uninstall through its uninstaller,
- check per hand that everything disappeared (it will have not), deleting what's still there if needs be
- check with Jouni Vuorio's regcleaner that all entries have really disappeared, uninstalling what's still there if needs be
- reinstall an older version for instance, [realplayer8basicSetup.exe 5026304 bytes, Real Player 8 basic (win 32) Build 6.0.9.584] This was a version you could still (try to) control when phoning home... give up any such hope with the more recent ones :-(
- check that everything ("modern" rm files) works with realplayer 8 basic
- check that everything ("modern" rm files) works with Gabest's Media Player Classic
- uninstall real player (keeping the codecs & co, see essays above)
If you want to be "quick and dirty" ('ts not very professional, zugegeben, but it works for simpletons and, hey Stiletto! it screws real player enough :-)
- You just delete EVERYTHING in C:\Program Files\real
- You just keep the existing subdirectories codecs, plugins and commons inside C:\Program Files\Common Files\REAL
- cross your fingers, restart and enjoy :-)
Ha! Science! What would not we do for thee!
:-)
Windows Media Player is evil: the "Supercookie"
Maybe you did not know it, but every time it installs, this Microsoft malware assigns a unique ID number in the form of a GUID to the player. This ID number is stored in the Windows registry.
The ActiveX interface to the Windows Media Player allows any JavaScript program to retrieve the ID number using the property "ClientID".
Here is your own one (Opera won't show it: you will need a stupid insecure browser to see it, with the "WMP plugin" installed).
Remember, however, that zombies -mostly- browse happily around with their MSIE :-)
click here
Of course, once a JavaScript program fetches the ID number, this info can be gathered by appending it to the URL of a Webbug or it can be stored in a normal cookie. In either case you have been tagged, courtesy of Microsoft.
In the most recent version of the wmp, Microsoft graciously allows
users to uncheck the new WMP option "Allow Internet sites to uniquely identify
your player"... if users manage to find it.
Note that in the previous versions there was/is NO WAY to avoid
this malware tracking.
~ Bibliography ~ Links ~
Real Time Streaming Protocol:
http://www.rtsp.org/
Maillists:
BugTraq and NTBugTraq mailing lists
Other interesting places:
http://www.xmms.org/
http://www.computerbytesman.com/index.htm
http://forum.xmms.org/
http://www.xiph.org/ogg/vorbis/
http://www.icecast.org/about.html
http://www.angrycoffee.com/tutorials/mp3/index.html#toolbox
(c) III Millennium: [fravia+], all rights
reserved