Thursday, March 18, 2010

Patch like there's no tomorrow

In this post I would like to tell the story of three little binary patches I've done recently. I find patching to be the highest form of hacking: it requires decent reverse engineering skills combined with a good understanding of the OS. Every pirate must have its own eye patch.

1. Gmail Notifier:

Not long ago I bought a USB mail notifier, which is a small LED lamp in the shape of an envelope that blinks every time I get a new email. About 8 USD on DealExtreme (http://www.dealextreme.com/details.dx/sku.27062). I didn't quite like the software it came with, so I decided I would add the ability to turn the LED on and off to some better mail notifier. I spent some time figuring out how to control it using a C++ tool that I wrote, which did not work whatsoever. After some frustratingly long hours of reading the MSDN, I turned to reverse engineering the C# software that came with the device, combined with some USB port monitoring. After failing again to turn on this stupid LED, I called Python to the rescue. I found out that there is an HID USB module for Python that makes life so much easier. I must say that the Python module was so good at explaining everything that after two minutes of playing with it I instantly got the freaking device on, I understood what was wrong with my C++ code, and I gained a better understanding of the entire HID mechanism. My message for everyone who reads this post is: don't work hard, use Python. Anyhow, now I have a small script that sets the USB device to whatever color I choose. I installed the Gmail Notifier written by Google, set it up, and almost instinctively loaded it into IDA. Strings like "%d unread mails" or "No new mails" were easy to find, so it became quite clear where the patch should go. Using OllyDbg, I wrote the patch down. OllyDbg has a good assembling option, where one can enter assembly code easily, check the encoding, and later copy the bytes into the original EXE file. Easy as one, two, three. If anyone has ideas on ways to improve this process, please do tell.

2. SWF32.dll. I've written before about my Flash games cheating experience. One of the problems I was telling you about was patching ActionScript bytecode at run time, because after the Flash VM loads the code it changes and optimizes it, which makes it hard for me to find the relevant code in memory. So I wanted to add an option to patch an SWF file just after the browser is done loading it, but a second before it's loaded by the VM. The SWF file format supports zlib compression, and most of the games out there take advantage of it, so I thought a good place to patch would be right after the file is inflated. On this attempt I wanted to write a patch that is a bit more complicated: one that loads a set of binary alterations for the SWF file from a text file, checks that the original bytes match the expected ones (to avoid oopsies), and only then applies them. For this patch I used the Microsoft Detours library, published for free, examples included, on the MSDN. I found the Detours library to be very intuitive and useful.
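The two patching steps described in this post (copying assembled bytes into the original EXE in the Gmail Notifier section, and applying a text file of alterations to an inflated SWF while checking that the original bytes match) both come down to the same verified byte-replacement routine. Below is an added Python example of that routine; it is not the post's own code, not Detours, and not the Python HID module mentioned above. The patch-file syntax (`offset: old_hex -> new_hex`), the sample SWF, and the sample patch entry are all assumptions constructed for this example. The SWF header handling follows the published format (3-byte `FWS`/`CWS` signature, version byte, little-endian uint32 uncompressed length, then the body, zlib-compressed after byte 8 for `CWS`).

```python
"""Verified binary patching for raw files and zlib-compressed SWF bodies.

Added example, not the blog post's own tool. The patch-file syntax
'offset: old_hex -> new_hex' is an assumption made for this example.
"""
import struct
import zlib


def parse_patch_file(text):
    """Parse lines of the form 'offset: old_hex -> new_hex'; '#' starts a comment."""
    patches = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            off_s, rest = line.split(":", 1)
            old_s, new_s = rest.split("->", 1)
            offset = int(off_s.strip(), 0)          # accepts 0x.. or decimal
            old = bytes.fromhex(old_s.strip())
            new = bytes.fromhex(new_s.strip())
        except ValueError as e:
            raise ValueError(f"line {lineno}: malformed patch entry {raw!r}") from e
        if len(old) != len(new):
            raise ValueError(f"line {lineno}: old/new lengths differ")
        patches.append((offset, old, new))
    return patches


def apply_patches(data, patches):
    """Return a patched copy; refuse unless every original byte matches."""
    buf = bytearray(data)
    # Verify every entry before touching anything, so a bad entry never
    # leaves a half-patched file behind (the 'oopsies' the post mentions).
    for offset, old, _ in patches:
        if offset + len(old) > len(buf):
            raise ValueError(f"patch at {offset:#x} runs past end of data")
        found = bytes(buf[offset:offset + len(old)])
        if found != old:
            raise ValueError(f"at {offset:#x}: expected {old.hex()}, found {found.hex()}")
    for offset, _, new in patches:
        buf[offset:offset + len(new)] = new
    return bytes(buf)


def patch_applies_cleanly(data, patches):
    """True if all original bytes match, i.e. apply_patches would succeed."""
    try:
        apply_patches(data, patches)
        return True
    except ValueError:
        return False


def patch_swf(swf, patches):
    """Patch an SWF; offsets count from the start of the *uncompressed* file.

    Header: 'FWS' (plain) or 'CWS' (zlib) signature, version byte, little-endian
    uint32 uncompressed length. For CWS the 8-byte header stays plain and
    everything after it is zlib-compressed, so we inflate, patch, deflate.
    """
    sig, length = swf[:3], struct.unpack_from("<I", swf, 4)[0]
    if sig == b"FWS":
        body = swf[8:]
    elif sig == b"CWS":
        body = zlib.decompress(swf[8:])
    else:
        raise ValueError(f"unsupported SWF signature {sig!r}")
    if 8 + len(body) != length:
        raise ValueError("header length does not match body")
    patched = apply_patches(swf[:8] + body, patches)
    if sig == b"CWS":
        return swf[:8] + zlib.compress(patched[8:])
    return patched


# Constructed sample: a fake CWS file whose body is 16 marker bytes 0x10..0x1f.
SAMPLE_BODY = bytes(range(0x10, 0x20))
SAMPLE_SWF = (b"CWS" + bytes([10])
              + struct.pack("<I", 8 + len(SAMPLE_BODY))
              + zlib.compress(SAMPLE_BODY))
SAMPLE_PATCH = """
# offset: original -> replacement (hex); offsets into the uncompressed file
0x0a: 1213 -> 9090   # constructed entry: body bytes 2 and 3
"""


def demo():
    """Patch the sample SWF and return its inflated, patched body."""
    out = patch_swf(SAMPLE_SWF, parse_patch_file(SAMPLE_PATCH))
    return zlib.decompress(out[8:])


if __name__ == "__main__":
    print(demo().hex())
```

Verifying all entries before writing any of them is the part that matters: a patch file written against one build of a game or an EXE will silently corrupt another build if it is applied blindly, and a mismatch report with the found bytes is what tells you the target has changed. The same `apply_patches` works unchanged on the bytes OllyDbg produced for the EXE patch.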

3. The Matrix. I found the bug in the Matrix that allows Neo to jump over buildings, I fixed it, and I banned the user... OK, I had another real patch, but I think I'll save it for another time.