Let's Start:
This TV program has a very annoying bug: whenever u start it, it makes noise for about 3 seconds, until the program has "fixed" itself on the station. It's like the program calibrates itself, and during this short calibration stage it makes the same noise as if u r not tuned to a station (the "snow" picture), which makes this calibration stage feel a bit too long.
Ok, time to play with it.
- Run the program (tv.exe).
- Hit the 'home' button to toggle the Mute Option to On.
- Re-run it.
The result is NO noise, and the mute option is kept ON. So the program saves this option, and at start-up, when it sees the mute option is ON, it mutes the speakers so there's no noise.
We can draw a line of work for the StartUp code. There are 2 ways:
Way #1:
1. Get Mute Option.
   (From an ini-file, registry..)
2. Set MuteFlag accordingly.
   (If Mute Option is ON then MuteFlag = 1, else MuteFlag = 0)
3. If MuteFlag=1 then Call ShutDownSpeakers
   (Will mute the speakers -notice, before the calibration stage- if MuteFlag=1)
   else Call TurnOnSpeakers.
   (Will de-mute the speakers if MuteFlag=0)
4. Calibration Stage.
   (The "snow" noise if not muted)
5. Normal message loop - the rest is the program itself.
   (Now that everything is ready, the program runs its course..)
6. Exit.
   (Exit when ESC is pressed)
OR Way #2:
1. Get Mute Option.
2. Set MuteFlag accordingly.
3. If MuteFlag=1 then Call ShutDownSpeakers.
   (Will mute the speakers -notice, before the calibration stage- if MuteFlag=1)
4. Calibration Stage.
5. Normal message loop - the rest is the program itself.
6. TurnOnSpeakers and Exit.
   (Speakers on and Exit when ESC is pressed)
See the difference?
It's important to know EXACTLY how the program works before attempting to reverse it.
When the TV prog runs, it takes control of the screen (WinIce is blocked!! Pressing Ctrl-D (or Alt-S in my case ;) when TV is running will load WinIce, but u won't see it!). Furthermore u can't switch to another process (by pressing Alt+Tab, for example), so there is no direct way of telling which of the above ways is correct. Not direct, so indirect.
The Audio Mixer to the rescue..
Load the Audio Mixer. I recommend the one that comes with Windows, SNDVOL32.EXE (the shortcut is Programs\Accessories\Multimedia\Volume Control).
Run the TV program, set the Mute option OFF (so there's audio) and exit. On exit a dialog will appear asking if u want to keep the TV audio in the background; press Yes and return to the Mixer.
There are several audio controls: Midi, Wave, CD and LineIN. It's the last one we are interested in, LineIN, because the audio from the TV is sent through the LineIN audio control.
Use the mixer to turn the LineIN volume down. Remember the sound in the background? It's decreasing.
Set the volume to half of what it was, and run the program. As u can hear, the volume is STILL half of the previous; it hasn't changed, the volume has not been reset or updated back to maximum.
And another thing: run TV, mute the sound and exit; look at the Mixer; the LineIN Mute tag is UNSELECTED.
From here we can deduce that the 2nd line of work is the correct one (it's a pretty lame deduction, but it's better than spending 10 hours with the disassembly..):
1. Get Mute Option.
2. Set MuteFlag accordingly.
3. If MuteFlag=1 then Call ShutDownSpeakers.
   (Will mute the speakers -notice, before the calibration stage- if MuteFlag=1)
4. Calibration Stage.
5. Normal message loop - the rest is the program itself.
6. TurnOnSpeakers and Exit.
   (Once ESC is pressed: speakers on -that's why the mute tag is unselected- and Exit)
Now "all" that's left to do is make MuteFlag=1 before the 3rd step so there will be no noise on step 4, and after step 4 do:
- Set MuteFlag according to MuteOption;
- If MuteFlag=0 then speakers On.
Sounds complicated? It IS! That's why I've decided to play a bit more with the Mixer, thinking there MUST be a simpler answer. And there is :-) (Why fill the salt-cellar through the little holes, when there is a wide opening at the back? ;)
Run the Audio Mixer and select the Mute tag (so the mixer will mute the LineIN audio control), run the program and set the mute option (in the program) Off. The result is NO SOUND. No matter what u select in the TV program, there will be no sound as long as the Mute tag (in the mixer) is selected!
We can gather that the way the program mutes the LineIn is different from the way the Mixer does it, but both ways give the same result. The only explanation I can find is that the TV program tells the TV card directly to stop sending audio to the SB, whereas the mixer (which doesn't know that u have a TV card) mutes the SB on its own.
Here's an illustration:

                 Lock #1                           Lock #2
TV CARD ------> | TV program | -> Sound Blaster -> |  Mixer  | -> Speakers

Both locks need to be 'unlocked' to hear the audio (logical AND); the mixer has the "parent" properties, meaning it can block all 'children' (TV card, Piano or whatever).
The Solution:
The idea is to write a little program that will:
1. Mute LineIN.
   (Mute LineIN just like the mixer does)
2. Run the TV program.
3. Wait a while -3 seconds is enough-.
4. De-mute LineIN.
   (Again, like the Mixer)
5. And exit.
   (End of LinDM; TV is still running - it's Windows, remember? ;)
Or to put it in other words: lock Lock #2, run the program, delay 3 seconds and unlock Lock #2, leaving the Mute Option available in the program.
Good, it looks like a plan :-)
(The little program will be named LinDM - LineIN (De)Mute..)
OK, time to learn how the Mixer mutes and de-mutes LineIn, so we'll "rip" it into LinDM.
Disassemble the mixer (SNDVOL32.EXE) with W32dasm, and look at the Imports. Here are the interesting functions:
Import Module 002: WINMM.dll
mixerSetControlDetails
auxGetNumDevs
mixerGetID
auxGetDevCapsA
midiOutGetNumDevs
midiOutGetDevCapsA
waveOutGetNumDevs
waveOutGetDevCapsA
mixerClose
mixerOpen
mixerGetLineControlsA
mixerGetControlDetailsA
mixerGetNumDevs
mixerGetDevCapsA
mixerGetLineInfoA
PlaySoundA
Many functions with "Get", but we are looking for those with "Set" (Mute or DeMute is a 'Set' operation). There is only one with a 'Set': mixerSetControlDetails.
Ok, let's see if this is the correct one. Boost up WinIce and
>Bpx mixerSetControlDetails
(If u get a 'Symbol not defined', add WINMM.dll to the exported symbols in winice.dat, and reboot... Btw, if u think u've made a typo, use the >exp command..)
Load the mixer and select the Mute tag. WinIce popped! So this is the function we were looking for.
That's all we need from SoftIce, for now. Now to get more info on this function. For this we have the SDK programming help file. Search for mixerSetControlDetails in the help file (I didn't find it in the small SDK, but in the SDK that comes with Delphi 3.0).
Note that we don't need to fully understand this function with all its parameters; we just need the structure of the parameters, so we can correctly copy/rip it from the mixer using WinIce.
I won't bother u with details and code, u can do it yourselves, or look at my source below.
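An added C rewrite of the LinDM plan (example code, not the author's; the author's TASM source is at the end of the essay): it finds the LineIN line and its MUTE control through the documented WinMM calls the mixer imports (mixerOpen, mixerGetLineInfo, mixerGetLineControls, mixerSetControlDetails) instead of ripping the handle layout and the 14h control ID out of WinIce, so it keeps working when a mixer numbers its lines differently. Assumes a 32-bit Win32 build linked with winmm.lib, mixer device 0 and the TV path from LinDM.ASM; the delay helper is the Sub/Cmp/Jna loop written in C and also survives the GetTickCount wrap.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <mmsystem.h>   /* link with winmm.lib */
#endif
/* "Cmp eax,0BB8h / Jna @1" in C: unsigned (now - start) survives the GetTickCount
   wrap at 2^32 ms, and the wait ends only when strictly more than wait_ms passed. */
int delay_done(uint32_t now, uint32_t start, uint32_t wait_ms) {
    return (uint32_t)(now - start) > wait_ms;
}
#ifdef _WIN32
/* Mute (TRUE) or de-mute (FALSE) the LineIN source of mixer 0 via the documented
   API; returns MMSYSERR_NOERROR or the MMRESULT of the call that failed. */
MMRESULT set_linein_mute(BOOL mute) {
    HMIXER hmx = NULL;
    MIXERLINE line = {0};  MIXERCONTROL ctl = {0};
    MIXERLINECONTROLS lcs = {0};  MIXERCONTROLDETAILS mcd = {0};
    MIXERCONTROLDETAILS_BOOLEAN val = { mute ? 1 : 0 };   /* 1 => Mute, 0 => DeMute */
    MMRESULT rc = mixerOpen(&hmx, 0, 0, 0, MIXER_OBJECTF_MIXER);
    if (rc != MMSYSERR_NOERROR) return rc;
    line.cbStruct = sizeof(line);                 /* 1. locate the LineIN line */
    line.dwComponentType = MIXERLINE_COMPONENTTYPE_SRC_LINE;
    rc = mixerGetLineInfo((HMIXEROBJ)hmx, &line,
                          MIXER_GETLINEINFOF_COMPONENTTYPE | MIXER_OBJECTF_HMIXER);
    if (rc != MMSYSERR_NOERROR) goto done;
    lcs.cbStruct = sizeof(lcs);                   /* 2. find its MUTE control */
    lcs.dwLineID = line.dwLineID;
    lcs.dwControlType = MIXERCONTROL_CONTROLTYPE_MUTE;
    lcs.cControls = 1;  lcs.cbmxctrl = sizeof(ctl);  lcs.pamxctrl = &ctl;
    rc = mixerGetLineControls((HMIXEROBJ)hmx, &lcs,
                              MIXER_GETLINECONTROLSF_ONEBYTYPE | MIXER_OBJECTF_HMIXER);
    if (rc != MMSYSERR_NOERROR) goto done;
    mcd.cbStruct = sizeof(mcd);                   /* 3. the MCD block (18h) LinDM.ASM hard-codes */
    mcd.dwControlID = ctl.dwControlID;            /* discovered, not assumed to be 14h */
    mcd.cChannels = 1;  mcd.cbDetails = sizeof(val);  mcd.paDetails = &val;
    rc = mixerSetControlDetails((HMIXEROBJ)hmx, &mcd,
                                MIXER_SETCONTROLDETAILSF_VALUE | MIXER_OBJECTF_HMIXER);
done:
    mixerClose(hmx);
    return rc;
}
int main(void) {                                  /* LinDM: lock #2, run TV, wait 3 s, unlock */
    if (set_linein_mute(TRUE) != MMSYSERR_NOERROR) return 1;
    if (WinExec("C:\\VHTV\\TV.EXE", SW_MAXIMIZE) <= 31) return 1;   /* WinExec: > 31 is success */
    DWORD t0 = GetTickCount();
    while (!delay_done(GetTickCount(), t0, 3000)) Sleep(50);
    return set_linein_mute(FALSE) == MMSYSERR_NOERROR ? 0 : 1;
}
#endif
```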
Now what? Now I JuMp iN JoY!! :-)
When I run LinDM.EXE, the TV program is loaded and.. No NOISE!! LinDM locks Lock #2 for 3 seconds, just enough time for the calibration stage to end, then it unlocks Lock #2, letting the TV program run its course, still giving me the option to mute the speakers within the TV program.
BTW, there's another little bug in this program: when u set the Mute option ON and exit, the dialog asking if u want to keep the audio in the background still appears. It's pretty useless, so to make the dialog go away when muted, change the byte at 0000743E from 41h to 27h (in TV.EXE). This is a pretty trivial 'crack' so I'll skip the explanation.
That's it, I hope u enjoyed and learned from this.
To EveryOne:
So what's the lesson here?
When the spray doesn't kill the bug, u can always use the hammer! ;)
There are sometimes easier/simpler ways to crack something.. u just need to keep your eyes OpEn and keep in mind that by using logic you can save time, so don't be afraid to use it..
To SoftWare Programmers:
Please take a minute to look at your program from a side view, and fix whatever u can find before u release it. It took me 2 days to do the above, but I'm sure u can do it in 2 minutes with the full source.. The release date can wait a day.
To +Fravia:
I see u hold the record for the most time without TV (as a 20th century man, I mean..). Before u discard it, here's a little note: TV, much like the internet, can entertain, but can also enrich. U just need to know where (and when) to look..
May I suggest 'The Discovery Channel'? Or CNN (to keep cracking reality ;)? Or Babylon 5? ;-)
(Besides, TV is the best thing to do when disassembling or downloading large filez..)
Greetings:
PC members , +FraVia and all +HCUkers , friends . :-)
------ Cut here ------
;------ LinDM.ASM -------
;Should be compiled with Tasm 5.0
;Use the following to compile:
;
;tasm32 /ml /m3 /z /q LinDM
;tlink32 -x /Tpe /ap /c LinDM,LinDM,, import32.lib
.386P
.Model Flat ,StdCall
UNICODE = 0
Extrn ExitProcess:PROC
Extrn mixerSetControlDetails:PROC
Extrn GetTickCount:PROC
Extrn WinExec:PROC
SW_MAXIMIZE EQU 3
.Data
;--------------------------------------------------------
hOBJ  dd 0              ;Handle of the mixer device.
      dd 12345678h      ;Use winice to get INTO the mixerSetControlDetails function
      dd 0              ;to see that this is the Handle's structure.
      dd 41h
;The Mixer Control Details (MCD) structure :
MCD   dd 18h            ;Size (in bytes) of MCD
      dd 14h            ;Control-ID (11h => Wave, 12h => Midi, 13h => CD, 14h => LineIN)
      dd 01             ;Number of channels
      dd 0              ;Handle of owner
      dd 4              ;Size of Data
      dd OFFSET Data    ;Pointer to Data
Data  dd 1              ;0 => DeMute , 1 => Mute
Time1 dd 0              ;Holds beginning time
CmdLineData db "C:\VHTV\TV.EXE",0   ;Command Line to run the TV program.
.Code
;--------------------------------------------------------
Main:
    Call mixerSetControlDetails , OFFSET hOBJ, OFFSET MCD, 0   ;Mute LineIN like the mixer does.
    Cmp eax , 0
    Jnz Exit_                   ;Exit on error (non-zero return = MMSYSERR)
    Call WinExec , OFFSET CmdLineData , SW_MAXIMIZE            ;Run the program
    Cmp eax , 31                ;WinExec returns a value > 31 (1Fh, decimal 31) on success
    Jna Exit_                   ;Exit on error
    Call GetTickCount
    Mov dword ptr Time1 , eax   ;Remember the start time
@1: Call GetTickCount
    Sub eax , dword ptr Time1   ;Elapsed ms (unsigned, so it survives a tick-count wrap)
    Cmp eax , 0BB8h             ;0BB8h = 3000 milliseconds = 3 sec
    Jna @1                      ;Loop if not delayed enough
    Mov dword ptr Data , 0      ;De-Mute LineIn
    Call mixerSetControlDetails , OFFSET hOBJ, OFFSET MCD, 0   ;Unlock Lock #2 ;)
Exit_:
    Call ExitProcess , 0
End Main
;--------------------------------------------------------
------ Cut here ------
Phrozen_q@CyberDude.Com
sEE yA :)
-Q