Forum: Poser - OFFICIAL


Subject: quandry with poser 8...

Doctor Destruction opened this issue on Jul 04, 2010 · 39 posts


Doctor Destruction posted Sun, 04 July 2010 at 4:19 PM

Got a question-

I was using Poser 8 (with SR-3 installed) when all of a sudden it bombed out to Windows with an error saying-

Fatal Error in Runtime
Poser will exit now, cannot find file ./Runtime/ui/roomTabs.xml

So I go about rooting around the Poser 8 install to try and find said file when I find that most of the system files in Poser 8 have simply disappeared. The executable itself and some files in the Poser 8 folder are still there, but everything else (including stuff in the P8 libraries) is gone.

Anyone else ever experience this?


pjz99 posted Sun, 04 July 2010 at 4:27 PM

That's never happened to me or anyone I've heard of - sounds a bit like you just had a hard drive hardware fault.

My Freebies


Doctor Destruction posted Sun, 04 July 2010 at 4:35 PM

Well... I'm in the middle of doing a chkdsk on the drive in question, so I hope that isn't the case.  


Doctor Destruction posted Sun, 04 July 2010 at 8:42 PM

Got a status report-

It turned out that it wasn't a hard drive giving me trouble but rather a problematic Poser item I had installed in my Runtimes.  More specifically, something called "V4WetCreator" is the item in question- it's a texture package that uses Python code to initialize changes to textures.  This would be fine, except for that what it actually does is go through and delete all files and folders in your Poser Runtime until you're left with the "Fatal Runtime Error" pop-up.  

And I know it's the problem because I got curious and tried it again after reinstalling Poser.  

So please- be very wary of "V4WetCreator".


pjz99 posted Sun, 04 July 2010 at 8:52 PM

Holy crap, where did you obtain that?



Doctor Destruction posted Sun, 04 July 2010 at 9:05 PM

Not sure, as it was a little while ago.  I'm fairly sure I didn't get it here, though. 

The only thing I DO know is it'll definitely ruin your day.  Like I said, I ended up doing the Matlock thing and tried for a second attempt at using it after a reinstall- it totally went through and borked my Poser 8 install.

The GOOD news is that-

But that's all small potatoes compared to what it DOES do, which isn't pretty.  


nruddock posted Mon, 05 July 2010 at 3:25 AM

I found a file called "V4WET.ZIP" and looking at the script in that, it has the hallmarks of one of Herman's little bombs.

As the download date is nearly a couple years ago, I have no idea where it came from, but it's certainly not legitimate.


pjz99 posted Mon, 05 July 2010 at 10:12 AM

Herman the guy who regularly defaced Renderotica until they got rid of him permanently?



nruddock posted Mon, 05 July 2010 at 11:23 AM

Quote - Herman the guy who regularly defaced Renderotica until they got rid of him permanently?

Yes, him.

The "bad" code in this case was hidden away in someone else's script, so somewhat less obvious than the other attempts.


pjz99 posted Mon, 05 July 2010 at 11:33 AM

Huh.  What a peon.



Doctor Destruction posted Mon, 05 July 2010 at 12:51 PM

So V4WET.ZIP is the file, is it?  I'll go through my archive of stuff and see if I can find it. 

And yeah- that Hermann dude was causing some major trouble and trolling a couple of sites.  He had also been banned from RaunchyMinds (where I Moderate) for assaulting other members as well.  I kind of figured he had something to do with the spreading of that malicious code.

Thanks for the heads up with that ZIP file, nruddock.  


TrekkieGrrrl posted Mon, 05 July 2010 at 5:03 PM

 Herman's little bombs? Sounds like it's something commonly known, yet I've never heard about that before? What is that? Just so I can be sure to steer clear of it.

FREEBIES! | My Gallery | My Store | My FB | Tumblr |
You just can't put the words "Poserites" and "happy" in the same sentence - didn't you know that? LaurieA
  Using Poser since 2002. Currently at Version 11.1 - Win 10.



WandW posted Mon, 05 July 2010 at 6:35 PM

BB did a demo a few months ago of a prop that incorporated a python script-you loaded the prop and it ran a script.  His was benign, but I do worry that someone could incorporate one that wasn't...... 

----------------------------------------------------------------------------------------

The Wisdom of bagginsbill:

"Oh - the manual says that? I have never read the manual - this must be why."
“I could buy better software, but then I'd have to be an artist and what's the point of that?"
"The [R'osity Forum Search] 'Default' label should actually say 'Don't Find What I'm Looking For'".
bagginsbill's Free Stuff... https://web.archive.org/web/20201010171535/https://sites.google.com/site/bagginsbill/Home

Doctor Destruction posted Mon, 05 July 2010 at 7:21 PM

@Trekkie-

"V4WetCreator" was a kind of MAT pose thing that put a "wet" sheen on V4, like what would happen if you went out swimming or something similar. It was supposed to go over whatever normal textures you already had over your figure and even had differing levels of wetness including a setting called "Drenched". The original author of the MAT pose was someone going by the name "Mackie Messer" and it (according to the readme file I found) was copyrighted in 2008.

If that ZIP file is still out there in the wild, then it should be avoided at all costs. 


nruddock posted Tue, 06 July 2010 at 1:28 AM

Attached Link: http://www.renderosity.com/mod/forumpro/showthread.php?thread_id=2749924

> Quote -  Herman's little bombs? Sounds like it's something commonly known, yet I've never heard about that before? What is that? Just so I can be sure to steer clear of it.

The others got zapped fairly quickly here and at Rotica.

Best advice is if a freebie contains a script, it needs checking unless you're really sure you trust the author.


TrekkieGrrrl posted Tue, 06 July 2010 at 3:29 AM

Gah! I know that things can contain scripts (PhilC used it a few years ago for one of his easter eggs where he embedded the script inside the OBJ) but I hadn't heard of anyone actually using it maliciously. Brr.. And for said person.. I knew he was a jerk but not that he was an all-out criminal. Writing viruses and other malicious code to deliberately destroy someone's computer IS a crime in most countries. In Germany, too.

What an arse. Thankfully I don't think I have the V4Wet. Good thing now I rarely use those wimmen ;)




kawecki posted Tue, 06 July 2010 at 6:31 AM

Well.., I raised the alarm some months ago, but they didn't like me so I shut up my mouth...

Stupidity also evolves!


Byrdie posted Tue, 06 July 2010 at 10:42 PM

Oi, that is nasty! Must check if I have it among all the freebies I've yet to install. I did pick up a few from Rotica and something to make Vicky/Mike look like they've been swimming without tons of postwork would certainly have tempted me. Good thing I didn't use/need it right away.

Is it only Poser 8 this thing's been nuking? If so, good thing I also haven't upgraded yet.


jamminwolf posted Tue, 06 July 2010 at 11:01 PM

Good grief, I wish these people would get a life and leave others alone!

Funny I was thinking a few days ago wondering if you can do such a nasty trick with python scripts.  Thankfully I didn't grab this "V4 Wet" script, but again I don't hardly use Poser (I'm a DS user but have Poser for comparing and making DS mats for characters and such).

Say, can you look at these pythons in a script editor (such as Notepad++)?  I'd like to find how you can find such bad calls like this.  Would be good for others to learn this as well for their safety.

...wolfie


bagginsbill posted Tue, 06 July 2010 at 11:08 PM

You might be able to read it - if it's a plain old .py file. But I demonstrated how easy it is to hide the script in anything - JPG files, PNG thumbnails, readme.txt files. Anything can be a Python script. In the demo I did, I mildly encrypted the script so that even if you looked at it, you'd have no idea what it says.


Renderosity forum reply notifications are wonky. If I read a follow-up in a thread, but I don't myself reply, then notifications no longer happen AT ALL on that thread. So if I seem to be ignoring a question, that's why. (Updated September 23, 2019)


jamminwolf posted Tue, 06 July 2010 at 11:19 PM

Damn, that's not good, baggins!  I wonder if antiviruses can catch that?  Or if these companies are even aware of python scripts.  I think I've heard something about jpg images, but thought that was a bunch of bull lol.  Now I know.

BTW good to finally meet you, have heard about you quite a few times.

...wolfie


bagginsbill posted Wed, 07 July 2010 at 12:04 AM

Technically, antivirus programs don't look for nasty stuff in general, but specifically for viruses and worms. A virus is a program that spreads itself to other programs, usually through some action involving the user. A worm spreads itself to other computers without any help from humans. The business of hiding destructive scripts in add-on products for Poser is not a virus or worm. It doesn't spread itself. You volunteer to install it yourself, as part of something you think you want. The only copy you end up with is what you explicitly installed. Technically it's a Trojan Horse. While most viruses are presented as Trojan Horses, not all Trojan Horses are viruses or worms.

Meanwhile, it is malware. And there are plenty of anti-malware programs, but this particular one would not rise to the level of awareness that would cause the malware authors to handle it.




jamminwolf posted Wed, 07 July 2010 at 12:22 AM

That explains, guess I'm throwing words together (virus, trojans, malware) carelessly lol.  Actually I thought malwares install itself on your computer to force advertisements or something, but I guess it just "takes a malware" to do that.

Would be nice if we can somehow tell our malware programs to look for something particular in python scripts, sorta like the K9 cop showing his dog... "See this?  Take a smell, good boy, now search!" hehe :D

Sorta sounds stupid probably, just wish there was a way to keep people from getting this garbage.

...wolfie


nruddock posted Wed, 07 July 2010 at 1:35 AM

The only real way to protect against this sort of thing would be to radically change the way Poser Python is set up, a sandbox coupled with the notion of trusted scripts like Jasc did for PaintShopPro, but the weak link is always going to be the end user.


kawecki posted Wed, 07 July 2010 at 3:15 AM

Any script that is able to read, modify and write a file can create a virus that can reproduce, multiply and spread, just modify a system or user file.
If a script is able to call and execute another program it also can modify the Windows registry, just issue a procedure call to regedit.exe with parameter the keys data and Windows will do this task.



Doctor Destruction posted Wed, 07 July 2010 at 9:02 AM

Quote - Oi, that is nasty! Must check if I have it among all the freebies I've yet to install. I did pick up a few from Rotica and something to make Vicky/Mike look like they've been swimming without tons of postwork would certainly have tempted me. Good thing I didn't use/need it right away.

Is it only Poser 8 this thing's been nuking? If so, good thing I also haven't upgraded yet.

It would appear that the malicious script will attack whatever is the dominant version of Poser you're using. In my case, I just happened to have P8 installed, which essentially put it on the proverbial chopping block as far as that script was concerned. Since Poser 7 also makes use of Python code, it'd be quite logical to think that it could be a target as well.

And yes- Smith Micro needs to change how it works with Python code so that it operates in a shell or "sandbox". Either that, or they should adopt a whole other language altogether... one that doesn't make direct access to memory and -as such- results in decreased security.


markschum posted Wed, 07 July 2010 at 9:37 AM

The ability of Poser to read and write files allows scripts that modify existing files which can be very useful for removing morphs, adding erc and that sort of thing. The downside is obviously that it enables a malicious script to delete files.

If files go missing the first place to check is the trash bin of Windows, to see if they are there and recoverable.


Doctor Destruction posted Wed, 07 July 2010 at 9:57 AM

The deleted files totally bypassed the Recycle Bin, making them pretty much unrecoverable, short of using file-searching recovery software (and even THAT was a crapshoot as I found out).  


jamminwolf posted Wed, 07 July 2010 at 10:52 AM

Quote - The deleted files totally bypassed the Recycle Bin, making them pretty much unrecoverable, short of using file-searching recovery software (and even THAT was a crapshoot as I found out).  

Well, you have my word, I'll never download a python from anyone unknown, only from trusted people like Netherworks and D3D.  That crap's scary lol.

...wolfie


bagginsbill posted Wed, 07 July 2010 at 10:57 AM

Just to be clear, the point of my demonstration is that if your attitude (rightly so) is to distrust scripts, then you must distrust EVERY freebie. It is trivial to hide a script in a hat, or a character, or a chair.




jamminwolf posted Wed, 07 July 2010 at 11:17 AM

True to that, and that went through my mind.  I don't download much freebies anyways, just simply too busy and already getting lots of stuff for the work I do (by trusted friends of course LOL!) anyways.

I would say "I'm glad I use only DS" (which don't read pythons), but I do have to use Poser for the projects I do, and I use the pythons I already have quite often.

...wolfie


nruddock posted Wed, 07 July 2010 at 1:16 PM

Quote - I would say "I'm glad I use only DS" (which don't read pythons) ...

Well the situation w.r.t. D|S is potentially even worse than for Poser because all the presets are scripts and can be supplied in a binary format or encrypted (which pretty much prevents something subtle being detected).


colorcurvature posted Thu, 08 July 2010 at 3:05 PM

hi there,
i have just noticed this thread and this is something that kind of shocks me. bad enough that something like this accidentally could happen because of a programming bug (which would be a total nightmare), but doing it on purpose....

speaking of it... how can one make sure (as a python script creator) that the scripts one ships are actually 100% harmless? i regularly scan my scripts for functions I suspect to be dangerous in general, e.g. like any kind of 'write', 'delete' etc.?. if someone out here on rendo has an idea which other functions could be harmful, please drop me a sitemail, I would love to find out I am not using those at all >_<

should one digitally sign all files one ships? but I wonder if there is a standard way for "trusted" products, e.g. here on rendo? I think I never downloaded a product that required a public key of the author to be usable >_<

cheers,
col


pjz99 posted Thu, 08 July 2010 at 3:46 PM

Reputation, mainly, just like regular software.  Digital signage is only as trustworthy as who it came from, I don't think it's a real solution, it just gives users a false sense of complacency.  Basically if you don't trust it totally, then maybe you shouldn't run it.



markschum posted Thu, 08 July 2010 at 3:54 PM

Reputation, I agree. I would not look at stuff by ockham, Philc, nruddock, cage and several others.

I do look at stuff using sys and shutil libraries in python because those are the system and high level file handling stuff.

you can look for code like walk, dir and so on that list folder contents.

.pyc files make me nervous, those are the compiled python that you can't read.


colorcurvature posted Thu, 08 July 2010 at 4:11 PM

yes. but pyc still contains the used symbols as plain strings, so I think you should find "shutil" in a .pyc just like in a .py
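
Added example (editorial, not posted by anyone in this thread and not Poser's or any poster's code): a triage scanner for the review habits described in the two posts above, flagging risky imports and calls in parseable source and falling back to a raw name search for compiled .pyc or older-syntax files. The watch-list and the names `scan`, `scan_names`, `SAMPLE_PY3` and `SAMPLE_PY2` are assumptions made for this example.

```python
import ast
import re

# Assumed starting watch-list, built from the modules and operations named in
# this thread (sys, shutil, walk, delete, running other programs). Not complete.
RISKY_MODULES = {"os", "sys", "shutil", "subprocess"}
RISKY_CALLS = {"remove", "unlink", "rmdir", "removedirs", "rmtree", "walk",
               "listdir", "system", "popen", "exec", "eval", "execfile"}


def scan_names(data):
    """Fallback for bytes that do not parse: compiled .pyc, Python 2 source."""
    # Only the left edge of each name is checked, because in a .pyc the byte
    # after a name is the next object's type tag and may itself be a letter.
    # This over-reports ('os' also hits 'ostream'), which is fine for triage.
    hits = set()
    for name in RISKY_MODULES | RISKY_CALLS:
        if re.search(rb"(?<![A-Za-z0-9_])" + name.encode("ascii"), data):
            hits.add("name:" + name)
    return sorted(hits)


def scan(data):
    """Return sorted findings for the raw bytes of one file."""
    try:
        tree = ast.parse(data)
    except (SyntaxError, ValueError):
        return scan_names(data)
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        found.update("import:" + r for r in roots if r in RISKY_MODULES)
        if isinstance(node, ast.Call):
            func = node.func
            called = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if called in RISKY_CALLS:
                found.add("call:" + called)
    return sorted(found)


# Constructed sample inputs (not the script discussed in this thread).
SAMPLE_PY3 = (b"import shutil\nfrom os import walk\n"
              b"shutil.rmtree('some_folder')\nfor r, d, f in walk('.'):\n    pass\n")
SAMPLE_PY2 = b"print 'hello'\nimport shutil\nshutil.rmtree(d)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PY3, SAMPLE_PY2):
        print(scan(sample))
```

A hit means "read this file before running it", not "this file is malicious"; a script whose text is encrypted or otherwise hidden, as bagginsbill describes earlier in the thread, will show none of these names.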


pjz99 posted Thu, 08 July 2010 at 4:20 PM

What if you wrote a little function in to do poor man's decryption on the commands before executing them ;)



colorcurvature posted Thu, 08 July 2010 at 4:29 PM

i'd rather die ;)


WandW posted Thu, 08 July 2010 at 4:32 PM

You could do a text search for 'python' to see if a script is called where one shouldn't be, but beyond that, it's "Be Careful Out There"...
