lshttpd was apparently packed with a modified version of UPX

#1
Hi,

I'm trying to unpack the Litespeed Enterprise lshttpd binary. I can see that it was packed with UPX 3.04 and is apparently using LZMA compression. The license of UPX does allow usage of UPX for commercial applications, which Litespeed Enterprise obviously is; however, it imposes the limitation that only an unmodified version of UPX may be used for doing this.

The license also explicitly states:

"We grant you special permission to freely use and distribute all UPX
compressed programs. But any modification of the UPX stub (such as,
but not limited to, removing our copyright string or making your
program non-decompressible) will immediately revoke your right to
use and distribute a UPX compressed program."

so if that is indeed the case you may no longer use UPX or distribute programs that have been packed with it.

Considering the intentions of the Copyright holders the binary should clearly be unpackable:

"UPX is not a software protection tool; by requiring that you use
the unmodified UPX version for your proprietary programs we
make sure that any user can decompress your program. This protects
both you and your users as nobody can hide malicious code -
any program that cannot be decompressed is highly suspicious
by definition."

Have I been using the wrong LZMA SDK (I used the version provided at https://github.com/upx/upx-lzma-sdk) or is indeed (in violation of the copyright) a modified UPX version used here?