The Revenge of ~e5d141.tmp !!!

Discussion in 'ProcessGuard' started by LuckMan212, Mar 15, 2005.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined: Aug 19, 2004
    Posts: 252
    Well, some of you may remember a while back I posted about the mysterious and annoying behavior of "~e5d141.tmp" which is part of the Macrovision software protection system used by Adobe in the Photoshop CS suite. I have a thread about it over here if you want to brush up on the gory details.

    Well, I recently got Adobe Premiere Pro 1.5 and lo and behold, I discovered that it, too, uses the ~e5d141.tmp method. Problem is, apparently the executable, while it has the same name and path, has a different MD5 checksum from the Photoshop CS version. As you can see, below:

    http://www.f2systems.com/files/snap005.png

    The annoying part about this is that PG warns me every time I run either app that "This application has changed since you last allowed it!". So if I run Photoshop and then run Premiere, I get the warning. Then I run Photoshop again, and I get another warning. It is endless. I am not quite sure if there is any way to solve this problem without just disabling PG before launching either of these programs (not convenient) or just clicking "Permit" constantly (not convenient either).

    Has anyone else experienced this and is there anything the DCS developers can do to work around this? My only idea is to somehow allow multiple MD5-sums to be stored for a single .exe -- so that PG could track 2 or 3 different versions of an exe that occupies the same "path" or has the same name. That would solve the issue.
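The multiple-checksum idea from the post above, as an added sketch that is not part of the original thread and is not ProcessGuard's code: it compares a one-digest-per-path store with a store that keeps a small set of approved digests per path. The class names, the path placeholder, the per-path cap, the "deny when full" rule and the use of SHA-256 in place of the MD5 mentioned in the post are all assumptions.

```python
import hashlib

def digest(image: bytes) -> str:
    # Assumption: SHA-256 instead of the MD5 checksum the post refers to.
    return hashlib.sha256(image).hexdigest()

class SingleHashStore:
    """One approved digest per path; a permitted change overwrites the old one."""
    def __init__(self):
        self.approved = {}                      # path -> digest

    def check(self, path, image):
        d = digest(image)
        if self.approved.get(path) == d:
            return "allow"
        self.approved[path] = d                 # models the user clicking "Permit"
        return "prompt"

class MultiHashStore:
    """A bounded set of approved digests per path."""
    def __init__(self, max_per_path=3):
        self.approved = {}                      # path -> set of digests
        self.max_per_path = max_per_path

    def check(self, path, image):
        d = digest(image)
        known = self.approved.setdefault(path, set())
        if d in known:
            return "allow"
        if len(known) >= self.max_per_path:
            return "deny"                       # cap keeps the path from becoming a wildcard
        known.add(d)                            # models the user clicking "Permit"
        return "prompt"

def count_prompts(store, launches):
    """Number of launches that interrupt the user with a prompt."""
    return sum(store.check(path, image) == "prompt" for path, image in launches)

# Constructed sample data: two different images written to the same path.
PATH = r"<temp dir>\~e5d141.tmp"                # placeholder, real directory not given
PHOTOSHOP = b"constructed bytes standing in for the Photoshop CS copy"
PREMIERE = b"constructed bytes standing in for the Premiere Pro copy"
LAUNCHES = [(PATH, PHOTOSHOP), (PATH, PREMIERE)] * 3

if __name__ == "__main__":
    print("single-digest prompts:", count_prompts(SingleHashStore(), LAUNCHES))
    print("multi-digest prompts: ", count_prompts(MultiHashStore(), LAUNCHES))
```

Each extra digest widens what may run from that path, which is why the sketch bounds the set and refuses to approve further images once the cap is reached.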
     
  2. rickontheweb

    rickontheweb Registered Member

    Joined: Nov 14, 2004
    Posts: 129
    What happens when you run both apps at the same time and they both need access to different versions of ~e5d141.tmp?

    Einstein's theory of Relative Instability?

    (Premiere + Photoshop / Adobe) + (~e5d141.tmp x 2) = BSOD :D
     
  3. LuckMan212

    LuckMan212 Registered Member

    Joined: Aug 19, 2004
    Posts: 252
    Strangely enough, they both are able to run concurrently. However, when running both, I do get a warning from PG regardless of which is started first that the ~e5d141.tmp file has been modified.

    Another strange side-effect that I just noticed is that after running Premiere Pro, the setting for "animate windows when minimizing or maximizing" is turned ON against my will. I hate this effect and it slows down minimizing and maximizing substantially. Why do companies insist on doing this kind of crap?
     
    Last edited: Mar 18, 2005
  4. gottadoit

    gottadoit Security Expert

    Joined: Jul 12, 2004
    Posts: 601
    Location: Australia
    You could always see what sort of checking they put into the binary and change the filename string inside one of the programs using a binary editor, keep the length of the filename the same (i.e., replace the 141 with a 142) and you might be able to avoid the collision and hence the PG alert....

    Normal caveats apply, editing binaries can stop them from working and might even trigger an anti-hacking mechanism; and if you edit the wrong parts of the file anything might happen.... have a backup beforehand

    Also don't expect support from the manufacturer when you call up to report a problem, unless you are willing to put the proper binary back in place and reproduce the problem with the original one

    NB: not for the faint-hearted and it's probably against the license terms for the program
     