GPL violation in Netopsystems FEAD Optimizer/Recomposer used by Adobe Reader Install package

Mon Jan 23 13:45:34 CET 2006

A while ago I discovered a GPL violation in the installation package of the
Adobe Reader 6 and 7. The installation package uses a high compression
technology (FEAD) sold by the Netopsystems AG (www.netopsystems.com). The
package consists of an SFX header which extracts the rest of the install
file to a folder, which then contains the "original" Adobe Reader install
shield package. I was wondering how they do such great compression (since
the Adobe Installshield package is already compressed, they still compress
it much more). So I was playing around with the SFX and found out that they
use some kind of executable compression or encryption technology. The only
good exe-compression utility I know of is UPX written by Markus Oberhumer
(www.oberhumer.com). So I downloaded the UPX source code and after playing
around a little I finally made it to successfully decompress the SFX header.
So this is proof of concept that they use UPX, which is copyrighted by the
GPL. Markus Oberhumer has stated that UPX might be used by anyone for any
file or program. The program being compressed does not need to be published
under the terms of the GPL, but only, if UPX has not been modified! Since
Netopsystems modified UPX so noone is able to decompress their SFX with
standard UPX they actually MUST publish their FEAD optimizer under the terms
of the GPL, as this is stated in Markus Oberhumers license agreement. They
definitely violate that rule, and I bet they do it by knowing about their
violation, since they changed UPX in a way which makes it unrecognizable for
the people. They changed all occurences of the UPX strings to NOS. This is
so noone would get the idea this is UPX. I would not have found out if I had
not just tried. They did not change any functionality but the checksum
algorythm, which aims only to hindering people to extract their package and
to make it more difficult to decompile or stuff like that.
The uncompressed SFX does not work with the package though, since they have
some kind of header checksum which does not fit the uncompressed SFX header.
But the uncompressed header works throwing an error message such as "Wrong
SFX header checksum". So it is not corrupted or something. If you want to
know how to build an UPX for decompressing Adobe SFX headers search for
"Netopsystems UPX" in comp.compression newsgroup. I posted instructions
there. I also send an E-Mail to Mr. Oberhumer, so he actually knows what is
going on.
I would like to see an injunction like in the Fortinet case since I am sure
they make alot of money with selling their stuff to companies like Adobe and
McAfee or Hewlett Packard, so its time to tell them, whose software they are
really selling there.