Thursday, March 18, 2010

Patch like there's no tomorrow

In this post I would like to tell the story of three little binary patches I've done recently. I find patching to be the highest form of hacking: it requires decent reverse engineering skills combined with a good understanding of the OS. Every pirate must have his own eye patch.

1. Gmail Notifier:

Not long ago I bought a USB mail notifier, a small LED lamp in the shape of an envelope that lights up every time I get a new email. About 8 USD on DealExtreme. I didn't quite like the software it came with, so I decided to add the ability to turn the LED on and off to some better mail notifier.

I spent some time figuring out how to control it with a C++ tool I wrote, which did not work whatsoever. After some frustrating long hours of reading MSDN, I turned to reverse engineering the C# software that came with the device, combined with some USB port monitoring. After failing again to turn on this stupid LED, I called Python to the rescue. I found out that there is a USB HID module for Python that makes life so much easier. I must say the Python module was so good at explaining everything that after two minutes of playing with it I instantly got the freaking device on, understood what was wrong with my C++ code, and gained a better understanding of the entire HID mechanism. My message for everyone who reads this post is: don't work hard, use Python. Anyhow, now I have a small script that sets the USB device to whatever color I choose.

I installed the Gmail Notifier written by Google, set it up, and almost instinctively loaded it into IDA. Strings like "%d unread mails" or "No new mails" were easy to find, so it became quite clear where the patch should go. Using OllyDbg, I wrote the patch down. OllyDbg has a good assembling option where one can enter assembly code easily, check the encoding, and later copy it into the original EXE file. Easy as one, two, three. If anyone has ideas on ways to improve this process, please do tell.

2. SWF32.dll. I've written before about my Flash games cheating experience. One of the problems I described was patching ActionScript bytecode at run time: after the Flash VM loads the code it changes and optimizes it, which makes it hard to find the relevant code in memory. So I wanted an option to patch an SWF file just after the browser is done loading it, but a second before it's loaded by the VM. The SWF file format supports zlib compression, and most of the games out there take advantage of it, so I figured a good place to patch would be right after the file is inflated. This time I wanted to write a patch that is a bit more complicated: one that loads a set of binary alterations for the SWF file from a text file, checks that the original bytes match the target (to avoid oopsies), and applies them. For this patch I used the Microsoft Detours library, published for free, examples included, on MSDN. I found the Detours library very intuitive and useful.
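The "check that the original bytes match before applying" idea from the SWF patch above, and the copy-the-encoded-bytes-into-the-EXE step from the first story, can be shown with a small Python tool. This is an added example and not the author's SWF32.dll or Detours code: it assumes a made-up one-line-per-patch text format (`offset:expected_hex:replacement_hex`), unwraps zlib-compressed `CWS` files into the same body an `FWS` file carries, refuses to write anything if the bytes at an offset differ from what the patch expects, and re-wraps the result. The sample body is constructed bytes, not a real game.

```python
import struct
import zlib

# Patch line format assumed for this example (not the author's format):
#   offset:expected_hex:replacement_hex   e.g. "0x10:10111213:11223344"
# Blank lines and '#' comments are ignored.


def parse_patch_spec(text):
    """Parse the text patch file into (offset, expected, replacement) tuples."""
    patches = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            off_s, exp_s, new_s = line.split(":")
        except ValueError:
            raise ValueError(f"patch line {lineno}: expected offset:expected:new")
        expected, replacement = bytes.fromhex(exp_s), bytes.fromhex(new_s)
        if len(expected) != len(replacement):
            # In-place patching must not change the size of the body.
            raise ValueError(f"patch line {lineno}: length mismatch")
        patches.append((int(off_s, 0), expected, replacement))
    return patches


def apply_patches(data, patches):
    """Return a patched copy of data; refuse if any expected bytes don't match."""
    buf = bytearray(data)
    for off, expected, _ in patches:
        actual = bytes(buf[off:off + len(expected)])
        if actual != expected:
            raise ValueError(
                f"offset {off:#x}: expected {expected.hex()} but found {actual.hex()}")
    # Only write once every check has passed, so a bad spec leaves data untouched.
    for off, _, replacement in patches:
        buf[off:off + len(replacement)] = replacement
    return bytes(buf)


SWF_HEADER = struct.Struct("<3sBI")  # signature, version, uncompressed file length


def swf_unwrap(swf):
    """Split an SWF into (body, version, was_compressed), inflating CWS files."""
    sig, version, length = SWF_HEADER.unpack(swf[:SWF_HEADER.size])
    if sig == b"FWS":
        body = swf[SWF_HEADER.size:]
    elif sig == b"CWS":
        body = zlib.decompress(swf[SWF_HEADER.size:])
    else:
        raise ValueError(f"unsupported SWF signature {sig!r}")
    if len(body) + SWF_HEADER.size != length:
        raise ValueError("SWF length field does not match the body")
    return body, version, sig == b"CWS"


def swf_wrap(body, version, compressed):
    """Put the header back; the length field always counts the uncompressed file."""
    sig = b"CWS" if compressed else b"FWS"
    header = SWF_HEADER.pack(sig, version, len(body) + SWF_HEADER.size)
    return header + (zlib.compress(body) if compressed else body)


def patch_swf(swf, spec_text):
    """Inflate, verify-and-patch, and re-wrap in the original compression mode."""
    body, version, compressed = swf_unwrap(swf)
    patched = apply_patches(body, parse_patch_spec(spec_text))
    return swf_wrap(patched, version, compressed)


# Constructed sample: a 32-byte fake body (not real SWF tags) wrapped as a CWS file.
SAMPLE_BODY = bytes(range(32))
SAMPLE_SWF = swf_wrap(SAMPLE_BODY, 10, True)
SAMPLE_SPEC = """
# replace four bytes at 0x10, but only if they still read 10 11 12 13
0x10:10111213:11223344
"""

if __name__ == "__main__":
    out = patch_swf(SAMPLE_SWF, SAMPLE_SPEC)
    print(swf_unwrap(out)[0].hex())
    try:
        patch_swf(out, SAMPLE_SPEC)  # second run: the bytes no longer match, so it is refused
    except ValueError as e:
        print("refused:", e)
```

Running the spec twice is the interesting case: the second pass finds `11 22 33 44` where it expected `10 11 12 13` and refuses, which is exactly the "oopsie" guard the post describes. All checks run before any byte is written, so a spec that is half right never leaves the body half patched.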

3. The Matrix. I found the bug in the Matrix that allows Neo to jump over buildings, fixed it, and banned the user... OK, I had another real patch, but I think I'll save it for another time.


  1. Can you elaborate on what the initial error in the C++ code was? Also, what did you learn about USB, any important insights?

  2. Most of the problems I had came from the fact that I'd underestimated the importance of what they call "output reports". I thought that I could just write raw bytes to an open handle. Apparently, you must use the standard "reports" and the relevant API. The Python module just guided me through all the steps of the process, by supplying a different object for each step with the relevant API.

  3. You might want to take a look at EasyHook, which lets you do some nice things beyond Detours' capabilities. For example, you can write a completely managed hook in C#.

  4. I am successfully using CyUSB. It comes with a generic USB driver, some GUI utils, managed and unmanaged APIs (DLLs), and all of that is free. They are the vendors of a hardware module called FX2 that you can put in your hardware in order to communicate with it over USB from a PC.

    Their documentation is very technical and short, but it's understandable.

    I use it in order to communicate over USB from a PC to a self-made device (hardware).
