Browsing the archives for the Software Hacking category

Notes on Windows Live Messenger 8.5

Last time, in “Windows Live Messenger 8.5 is Resurrected”, I mentioned that I removed the limit of a single WLM process per user session on a Windows system, as well as the update-reminding balloons. This time I am going to explain how WLM originally implements both of these, and you will find that there is no difficulty in patching them yourself.

1. Constraint on the number of WLM processes

This is done by trying to create an event object, invoking the CreateEvent() API function with a constant event name; in the case of WLM 8.5 it is MSNMSGR. If you use a tool to probe the open handles of a WLM process, you may find something like Figure 1. According to the MSDN documentation, if you try to create a named event that already exists, CreateEvent() returns a handle to the existing event object, and a subsequent GetLastError() call returns ERROR_ALREADY_EXISTS. So during WLM’s initialization, it tries to create the named event object and checks the value returned by GetLastError(): if the value indicates an existing object, the process signals the event and terminates itself.

Figure 1: open handles of a WLM process (the named event MSNMSGR among them)

To present this flow in more detail, I wrote the following pseudo code:

#include <windows.h>

// Reconstructed single-instance check: a manual-reset event, initially
// non-signalled, created under the constant name MSNMSGR.
static BOOL EnsureSingleInstance(void)
{
    HANDLE hEvent = CreateEventA(NULL, TRUE, FALSE, "MSNMSGR");
    if (hEvent == NULL) {
        return FALSE;   // OnError: the event could not be created at all
    }
    else if (GetLastError() == ERROR_ALREADY_EXISTS) {
        // we do this to notify the existing WLM process
        // to pop up its main window, then leave
        SetEvent(hEvent);
        CloseHandle(hEvent);
        ExitProcess(0);
    }
    return TRUE;        // first instance: keep hEvent open for its lifetime
}

// do some subsequent initialization
....

2. Retrieval of the current version number from the server

After identity authentication has passed, the WLM client sends its current version information to the server by posting a VER message in the Microsoft-defined protocol (a plain-text format). The server then responds with a CVR message carrying the latest stable version number of the client software and perhaps a URL for downloading the new client, depending on the information the client sent earlier. If the server response contains a URL, the client is being recommended to upgrade its program, and an annoying balloon pops up. This portion of code is merely some string comparison that parses the server response.

// The first four bytes of the message (tag plus trailing space) are read as one
// little-endian DWORD and dispatched on directly, instead of a strcmp() per tag.
DWORD dwHead = *((DWORD*)szMsg);
switch (dwHead) {
    case 0x20524556:  // "VER " ('V' 'E' 'R' ' ' in memory, little-endian)
        ...
        break;
    case 0x20525643:  // "CVR "
        ...
        break;
    ...
}

A fast but somewhat brute-force method to disable this behavior is to break the pattern that the parser matches against. We only need to change the string CVR in the executable image to anything else, so the program will no longer recognize the latest client version and the URL to download it. This does work, and so far I have found no side effects, since the information provided by a CVR message is never used afterwards.
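As an added example (not WLM's own code), here is a portable C version of the parser's four-byte tag dispatch together with a small CVR parser that decides whether the upgrade balloon would appear; the CVR field layout, the sample replies and the function names are assumptions, and passing a patched tag string shows why the one-string edit above silences the balloon.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not WLM's code: the post's four-byte tag dispatch plus a small
 * CVR parser. The CVR field layout and the sample replies are assumptions. */
enum msg_kind { MSG_UNKNOWN = 0, MSG_VER, MSG_CVR };

/* Constructed sample server replies, not captured traffic. */
static const char SAMPLE_UPGRADE[] =
    "CVR 2 8.5.1302 8.5.1302 8.1.0178 http://example.invalid/wlm-setup.exe http://example.invalid/info\r\n";
static const char SAMPLE_CURRENT[] = "CVR 2 8.5.1302 8.5.1302 8.1.0178\r\n";
/* Pack a 4-char tag as it sits in memory on a little-endian host: "VER " gives
 * 0x20524556 and "CVR " gives 0x20525643, the constants in the post's switch. */
uint32_t tag_value(const char *tag)
{
    const unsigned char *p = (const unsigned char *)tag;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* cvr_pattern is the "CVR " string as stored in the executable: unpatched, CVR
 * replies are recognised; patched as the post suggests, they fall to MSG_UNKNOWN. */
enum msg_kind classify(const char *msg, const char *cvr_pattern)
{
    uint32_t head = tag_value(msg);
    if (head == tag_value("VER "))      return MSG_VER;
    if (head == tag_value(cvr_pattern)) return MSG_CVR;
    return MSG_UNKNOWN;
}

/* Assumed layout: CVR <trid> <recommended> <recommended> <minimum> [<download URL> <info URL>]
 * Returns 1 and copies the download URL (the case that triggers the upgrade
 * balloon), 0 when no URL is present, -1 when the message is not a CVR reply. */
int cvr_upgrade_url(const char *msg, const char *cvr_pattern, char *url, size_t urlsz)
{
    char buf[512];
    int field = 0;
    if (classify(msg, cvr_pattern) != MSG_CVR) return -1;
    strncpy(buf, msg, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    url[0] = '\0';
    for (char *tok = strtok(buf, " \r\n"); tok; tok = strtok(NULL, " \r\n"), field++) {
        if (field == 5) {             /* sixth field: download URL */
            strncpy(url, tok, urlsz - 1);
            url[urlsz - 1] = '\0';
            return 1;
        }
    }
    return 0;
}
```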

Posted in Software Hacking
Viva Capitalism! 枇杷資本主義!

After downloading an open source project licensed under the GPL, it costs you a whole weekend to set it up, finish all the configuration, and finally get the service online. Others then come and use your network bandwidth, CPU, and memory for free, and some even try to hack your service. You paid the bills from the electricity company and the ISP for your system, and look what you got in return: …… I can hardly name one thing, maybe the “respect” of free users?

So why not have your service GET PAID?

Posted in Software Hacking
Open Uncle Russian’s Heart

お姉ちゃんの愛の注射器 Version 1.3.0 Beta (Build 20060608)
Program: http://mifan.infor.org/lab/dll_inj-1.3.0-beta.rar
Runtime Library: http://mifan.infor.org/lab/qt-mt321.rar

The most significant new feature of this version, 1.3.0, is without doubt that the DLL Injector can now access KAV (Kaspersky Anti-Virus) processes. But why is Uncle Russian so important that it is taken as a milestone of my program? Well, KAV prevents other programs from accessing its processes by blocking the OpenProcess system calls that try to obtain their handles. KAV is definitely doing the right thing, protecting itself from viruses and other malware, since we already know that many viruses nowadays try to disable anti-virus software.

Nevertheless, we still want access to the KAV processes, and there is an interesting fact that caught my attention. Although we cannot terminate the process kav.exe directly, which runs as the logged-in user, the operating system can do so when we log off. This could mean that we can obtain the KAV processes’ handles the way the system does. Finally, I found that handles to every running process were kept by a system process, csrss.exe, and, more surprisingly, they were opened with PROCESS_ALL_ACCESS and were duplicable. By using Native API calls, we can easily enumerate and duplicate those handles and thus access the KAV processes without calling OpenProcess.

Thanks to Process Explorer from Sysinternals, which let me discover the handles opened by running processes.

Posted in Release Notes, Software Hacking
openChameleon 10.0 (Open Chameleon, tenth edition)

It has been a while since I last touched Linux. Recently, on a whim, I grabbed openSUSE 10.0 to see what SuSE Linux has become after being opened up to community maintenance. To my surprise, a screen that startled me appeared as soon as GRUB came up:

[Image: grub.png]

Below are the splash screen during boot and KDE’s login and loading screens. Compared with the GRUB screen above, you can see that the splash background image actually uses a highly lossy compression: the row of yellow circles and white text in the lower left shows terrible edge artifacts. This must be a flaw the development team overlooked by accident:

[Images: slash.png, login.png, kde_init.png]

Chinese support in SuSE Linux has improved noticeably since the acquisition: after selecting Traditional Chinese as the locale during installation, it no longer omits several very important RPMs as the previous few versions did. However, I still dislike the default blurry TrueType fonts; they look fine when the font size is large enough, but at small sizes the glyphs blur together. Bitmap fonts should complement them, but for some unknown reason my installation of PMingLiU (新細明體) failed, so for now I am substituting the Firefly font that I installed myself, and it looks much better now:

[Images: desktop.jpg, kde_logout.jpg, yast.png, firefox.jpg]

The Linux kernel’s support for different hardware keeps getting better and has long surpassed what Windows XP can support; you can get a rough idea from the hardware configuration options in YaST2. Also, KDE’s logout screen actually copies Windows XP’s greyed-out background effect. Although it feels familiar, I feel it gives up the room to develop its own distinctive features. “Think different” is the guideline that advances human civilization :Q….

Posted in Software Hacking