12 Nov

Why do antiviruses suck, part 2

In part 1, I tried to explain the reasons behind some of the decisions anti-malware companies make when designing their products. In this part I’ll touch on some other side-effects of those decisions and what they mean for power users.

This site has been blocked

In general, I need very basic antivirus protection – when I make a mistake during a reversing session or while browsing the web, it should stop malware from:

  • becoming persistent on my computer;
  • sending any data to its C&C server

I’m not retarded and can read and think for myself – therefore I don’t want “anti-phishing protection”, “parental control”, “safe banking”, “vulnerability scan” or any other features aimed at persons who shouldn’t be using the Internet in the first place.

So, I always configure my antivirus to have just the very basic on-access scan and firewall enabled, and all other components switched off. You can imagine my surprise when in the last 2 days I have been greeted with these messages on 2 separate sites:
page blocked
WTF guys, I have switched off every component I could – why are you still active?! And why are you bugging me with this nonsense?

Make it more user-friendly

I’m very sure that the answer is very simple: somebody in the UI/UX department decided that the Bitdefender UI needs to be simplified. So, they took the UI that actually made sense, and fucked it up.

Here’s how the settings looked in 2013 (image (c) Softpedia):
bitdefender 2013 settings

And here’s how they look in Bitdefender 2016:
bitdefender 2016 settings
Antispam and Firewall have been moved to their corresponding modules, but “Antimalware Filter” has disappeared altogether. After all, who would ever want to disable it, right?

To make matters worse, here’s how the alert looked in Bitdefender 2015 (image (c) PCRisk):

See, there was a “Settings” button right at the top of the alert page and you could disable the “Antimalware filter” from there. Well, they “simplified” that option away as well. Geniuses!

But I really want to disable it!

Luckily, you still can. :) All Bitdefender settings are stored in C:\Program Files\Bitdefender\Bitdefender 2016\settings\. However, to be able to modify the files, you will need to start your computer in safe mode.

The file you’re looking for is cloud.http.xml. Find your user name in it, and you’ll see a section like this:

Apparently, there are a few more settings which are hidden in the UI. I can only guess their exact meaning but – to be honest – I don’t care. I just want this bugger gone from my machine. So, I changed “active” to “false” and for good measure disabled each and every component as well. After a reboot, it all works the way I want, and I can access all the sites I want.

Great success! :)

05 Nov

Keygen templates in Visual Studio

I’m lazy and I hate doing the same tasks over and over again. Making the UI for my crackme solutions is one such task. It always goes like this: open Visual Studio, create a new Windows Forms project in C#, drop 2 labels, 2 edit boxes and one button on the form. Set the label texts to “Name” and “Serial”, set the button title to “Generate..”, set the project icon, etc., etc..

There must be a better way!

..and it’s certainly not the way Blue Indian did his keygen template:

To build this template on your own, open the solution in Visual studio, comment out the calls for uFMOD and implement your own logic, after successful build of keygen, close the Visual studio, open the Form_Main.cs file in any text editor and uncomment those two calls to uFMod, save it. Now double click on the build.bat file to build it finally.

-To change the ICON and XM tune, edit the mini.res (resource file) with any resource editor like Restorator or any of your choice.

Open this, delete those, compile that, and what? I’m already confused, sorry.

Introducing Visual Studio project templates

I’m sure you know that when you click “New project” in Visual Studio, you’re presented with a number of choices, like “Windows Forms Application”, “Console Application”, “Class Library” and so on. All these are project templates that are installed by default.

They provide all the files that are required for a particular project type, include standard assembly references, and set default project properties and compiler options. Hmm, that’s exactly what I needed! :)

This article on MSDN nicely explains that a project template is simply a ZIP file that contains all the necessary files and a special .vstemplate file. This .vstemplate file is an XML file containing the metadata Visual Studio needs to display the template in the “New Project” dialog.

Let’s try to put it all together.

Making simple keygen template

Making a new template is actually very easy. You take an existing Visual Studio project, replace project-specific strings with template parameters and press File->Export Template.

Here is my keygen for Mr. eXoDia’s simple crackme:

Obviously, the template should not contain code for a specific crackme. Let’s change that to something trivial and mark it as FIXME:

Now I need to remove all references to the crackme name. I will replace them with the template parameter $safeprojectname$ in all files. After this change, the project won’t compile anymore, so you need to be extra careful when changing stuff!

Hardcoding the year in the (c) string is not a good idea because I want to use this template in 2016 as well:

Now I just need to update AssemblyInfo.cs to make sure each project has the correct name, (c) and GUIDs:

Did it work? Let’s see… File->Export Template, follow the wizard and…

It works. Kinda. The created template still has quite a few references to Mr. eXoDia’s crackme, so I’ll need to modify the project and solution files manually. Unzip the template, fix the files in a text editor and ZIP them back. And now it works!

A few more cosmetic fixes (like using $projectname$ where possible), using $if$ and $targetframeworkversion$ to target all .NET framework versions, better namespace names, and we have a template that’s actually useful.

Download here: https://www.mediafire.com/?sx1i5ba1uijjkii

It’s not particularly pretty but that’s pretty much what I’ve been using for 2+ years now – and hopefully it can inspire you to do something similar with your own code. ;)

Further reading

Reason→Code→Example : Creating Visual Studio project templates
Rebuilding template cache
How to: Manually Create Project Templates
How to: Create Multi-Project Templates

03 Nov

“Unlimited storage” Microsoft-style

What do you think – how large is “unlimited storage”? To me, word “unlimited” means, well, unlimited. “All you can eat”. No restrictions.

For a year, Microsoft was offering unlimited storage with their Office 365 package:

Today, storage limits just became a thing of the past with Office 365. Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost. We’ve started rolling this out today to Office 365 Home, Personal, and University customers.

It was not a bad deal – for $6.99/month you could have both Office and unlimited storage.

Of course, some people decided to take Microsoft up on their offer and use that storage. After all, why not?

Fast forward one year. A new post from the Microsoft OneDrive team tells us this:

Since we started to roll out unlimited cloud storage to Office 365 consumer subscribers, a small number of users backed up numerous PCs and stored entire movie collections and DVR recordings. In some instances, this exceeded 75 TB per user or 14,000 times the average.

Good job guys! :) If I had the possibility to use unlimited storage, I’d use it as well!

But somehow Microsoft doesn’t like it..

We’re no longer planning to offer unlimited storage to Office 365 Home, Personal, or University subscribers. Starting now, those subscriptions will include 1 TB of OneDrive storage.

Free OneDrive storage will decrease from 15 GB to 5 GB for all users, current and new.

So, now you know. “Unlimited” means “please, no more than 5 GB” in Microsoft-speak.

02 Nov

Solving “Find the flag” crackme by Extreme Coders

Yesterday Extreme Coders posted a small crackme on Tuts4You. It’s quite an easy one but solving it would require either lots of typing or some clever automation. Of course, being lazy I went for the automation route! :)

Initial analysis

My preferred way is doing static analysis in IDA and – when necessary – dynamic analysis using OllyDbg. So, here is how it looks in IDA:

As you can see, parts of the code have been encrypted. 102 parts of code, to be exact. :)

Decrypt the code

Since there is a lot of code that’s encrypted, I need to automate decryption somehow. IDA scripting to the rescue!

There’s not much to comment on. There’s a big loop that looks for the pattern of the decryption code. Then it extracts information about the encrypted code’s address, size and the encryption key used. Finally it decrypts the code.

Note – when you’re patching binary data in IDA, it’s always better to force IDA to reanalyze the affected fragment. I didn’t do that here because changing the end of _main() will trigger analysis automatically.

After decryption the code looks much better:

Well, it’s better, but it still kinda sucks. We have 100 checks like this:

So, we’re solving a system of 100 linear equations with 32 variables. Great! Who wants to write down these equations based on the disassembly and then solve them manually? Not me!

Decompile the code

Let’s see if we can somehow make the problem easier for us. The Hexrays decompiler provides nice output but it still needs a lot of cleanup:

Basically, the code responsible for encryption/decryption of the checks is getting in our way.

Another IDA script to the rescue:

I took the previous script and modified it a bit. Now it finds both encryption and decryption loops and just NOPs them out. It also forces IDA to reanalyze the patched region – this is very important because otherwise IDA loses track of the correct stack pointer and the decompiled code is wrong.
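Both IDA scripts are only shown as screenshots in the post, so here is an added example (my code, not the author’s scripts) of the same approach in plain Python over a byte buffer: scan for a decryption stub, pull the block size, target address and key out of its operands, XOR-decrypt the target, and, for the decompiler pass, overwrite the stub itself with NOPs of the same length. The stub layout (three immediate moves followed by a one-byte xor loop) and the sample image are constructed for this example; the crackme’s real stub is whatever the screenshot shows. In IDAPython the reads and writes would go through ida_bytes.get_bytes()/ida_bytes.patch_bytes(), followed by idc.plan_and_wait() on the patched range, which is the reanalysis step the post mentions.

```python
import re
import struct

# Hypothetical stub layout used for this example (the crackme's real stub is
# only visible in the post's screenshot):
#   B9 imm32   mov ecx, <size of encrypted block>
#   BE imm32   mov esi, <virtual address of encrypted block>
#   B0 imm8    mov al, <xor key>
#   30 06      xor [esi], al
#   46         inc esi
#   E2 FB      loop back to the xor
STUB = re.compile(rb'\xB9(.{4})\xBE(.{4})\xB0(.)\x30\x06\x46\xE2\xFB', re.DOTALL)
STUB_LEN = 17


def find_stubs(image):
    """Yield (stub_offset, size, target_va, key) for every stub found in image.
    In IDAPython the image would come from ida_bytes.get_bytes(start, length)."""
    for m in STUB.finditer(image):
        size, = struct.unpack('<I', m.group(1))
        target, = struct.unpack('<I', m.group(2))
        yield m.start(), size, target, m.group(3)[0]


def decrypt_all(image, base):
    """Return a copy of image with every encrypted block XOR-decrypted.
    base is the virtual address of image[0]; the stub's target is converted
    to an offset with it, and a target outside the image is rejected."""
    out = bytearray(image)
    for _, size, target, key in find_stubs(image):
        off = target - base
        if off < 0 or off + size > len(out):
            raise ValueError('stub target 0x%x lies outside the image' % target)
        for i in range(off, off + size):
            out[i] ^= key
    return bytes(out)


def nop_stubs(image):
    """Return a copy of image with every stub overwritten by NOPs of the same
    length, so the decompiler no longer sees the loops. After patching in IDA
    you would call idc.plan_and_wait(start, end) on the range so the stack
    pointer tracking is rebuilt, as the post notes."""
    out = bytearray(image)
    for off, _, _, _ in find_stubs(image):
        out[off:off + STUB_LEN] = b'\x90' * STUB_LEN
    return bytes(out)


# --- constructed sample image: one stub at offset 0, encrypted block at 0x20 ---
BASE = 0x401000
PLAIN = b'\xB8\x01\x00\x00\x00\xC3'   # mov eax, 1 ; ret
KEY = 0x5A


def build_sample():
    """Constructed image, not taken from the crackme."""
    stub = (b'\xB9' + struct.pack('<I', len(PLAIN)) +
            b'\xBE' + struct.pack('<I', BASE + 0x20) +
            b'\xB0' + bytes([KEY]) + b'\x30\x06\x46\xE2\xFB')
    image = bytearray(b'\xCC' * 0x40)          # int3 filler
    image[0:len(stub)] = stub
    image[0x20:0x20 + len(PLAIN)] = bytes(b ^ KEY for b in PLAIN)
    return bytes(image)


if __name__ == '__main__':
    img = build_sample()
    print(list(find_stubs(img)))
    print(decrypt_all(img, BASE)[0x20:0x26].hex())
```

The bounds check in decrypt_all is the part worth keeping when you port this to a real binary: a stub whose operands were mis-parsed (wrong pattern, wrong base) would otherwise silently corrupt unrelated bytes.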

A quick change in the Hexrays plugin options to use decimal radix and the decompiled code looks great!

Text editor magic

Beginning reversers commonly underestimate the power of text editors. Sure, the Hexrays output we got is readable, but it’s not really suitable for any sort of automated processing.

First, let’s get rid of all extra spaces. Replace “  ” (two spaces) with “ ” (one space). Repeat until no more matches. Now it looks like this:

Put each equation on one line. Replace “\r\n +” (new line,space,plus) with ” +” (space,plus). Replace “\r\n *” (new line,space,star) with ” *” (space,star).

Get rid of those “if”s. Get rid of “++v6;”. Replace “==” with “=”.

Finally, rename “enteredString” to “z” and get rid of those “[” and “]”.

Congratulations, within one minute you got from ugly decompiled code to a well-written system of equations!

And solve the problem

A nicely written system of equations is pointless if you can’t solve it. Luckily, there’s an online solver for that! ;) Copy-pasting our cleaned system of equations into their web form gives us the result:

This system has a unique solution, which is

{ z0 = 102, z1 = 108, z10 = 48, z11 = 108, z12 = 118, z13 = 101, z14 = 100, z15 = 95, z16 = 116, z17 = 104, z18 = 97, z19 = 116, z2 = 97, z20 = 95, z21 = 114, z22 = 49, z23 = 103, z24 = 104, z25 = 116, z26 = 33, z27 = 33, z28 = 33, z29 = 125, z3 = 103, z4 = 123, z5 = 89, z6 = 48, z7 = 117, z8 = 95, z9 = 115 }.

Converting the character codes to an ANSI string is an equally simple exercise; I’m not gonna bore you with that.
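As an added example (my code, not from the post), here is the solving step done offline instead of through the web form. It parses equations in exactly the cleaned-up form the text-editor pass produces, runs Gauss-Jordan elimination over exact fractions so that the 100-equations-for-32-unknowns case is handled (rows left over after elimination must reduce to 0 = 0, otherwise the checks contradict each other), and turns a solution into the flag. The small system in CONSTRUCTED is made up for the demo; SOLVER_OUTPUT is the listing quoted above, and the decoder sorts by variable index because the online solver lists z10 right after z1.

```python
import re
from fractions import Fraction

TERM = re.compile(r'([+-]?)\s*(?:(\d+)\s*\*\s*)?z(\d+)')
LISTING = re.compile(r'z(\d+)\s*=\s*(-?\d+)')


def parse_equation(line):
    """'2 * z0 - z2 = 107' -> ({0: 2, 2: -1}, 107). Terms are 'k * zN' or 'zN'."""
    lhs, rhs = line.split('=')
    coeffs = {}
    for sign, k, idx in TERM.findall(lhs):
        value = -int(k or 1) if sign == '-' else int(k or 1)
        coeffs[int(idx)] = coeffs.get(int(idx), 0) + value
    return coeffs, int(rhs)


def solve(text):
    """Gauss-Jordan elimination over exact fractions. More equations than
    unknowns is fine (the post has 100 checks for 32 bytes); rows left over
    after elimination must read 0 = 0, otherwise the checks contradict."""
    parsed = [parse_equation(l) for l in text.splitlines() if l.strip()]
    n = 1 + max(i for c, _ in parsed for i in c)
    rows = [[Fraction(c.get(i, 0)) for i in range(n)] + [Fraction(k)] for c, k in parsed]
    pivots = []
    for col in range(n):
        p = len(pivots)
        r = next((i for i in range(p, len(rows)) if rows[i][col] != 0), None)
        if r is None:
            continue                      # no pivot in this column: free variable
        rows[p], rows[r] = rows[r], rows[p]
        pv = rows[p][col]
        rows[p] = [x / pv for x in rows[p]]
        for i in range(len(rows)):
            if i != p and rows[i][col] != 0:
                f = rows[i][col]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[p])]
        pivots.append(col)
    if any(row[n] != 0 for row in rows[len(pivots):]):
        raise ValueError('inconsistent system: the checks contradict each other')
    if len(pivots) < n:
        raise ValueError('%d free variables, solution is not unique' % (n - len(pivots)))
    return {col: rows[i][n] for i, col in enumerate(pivots)}


def to_text(values):
    """Map {index: character code} to a string, ordered by index (not by name)."""
    return ''.join(chr(int(values[i])) for i in sorted(values))


def decode_listing(listing):
    """Parse the online solver's '{ z0 = 102, z1 = 108, z10 = 48, ... }' output.
    It orders names lexically, so z10 comes right after z1; sort by index instead."""
    return to_text({int(i): int(v) for i, v in LISTING.findall(listing)})


# Constructed 5-equation system in the cleaned-up form (its solution spells "flag").
CONSTRUCTED = """
z0 + z1 = 210
2 * z0 - z2 = 107
z1 + 3 * z3 = 417
z2 + z3 = 200
z0 + z1 + z2 + z3 = 410
"""

# The listing quoted above from the post.
SOLVER_OUTPUT = ("{ z0 = 102, z1 = 108, z10 = 48, z11 = 108, z12 = 118, z13 = 101, z14 = 100, "
                 "z15 = 95, z16 = 116, z17 = 104, z18 = 97, z19 = 116, z2 = 97, z20 = 95, "
                 "z21 = 114, z22 = 49, z23 = 103, z24 = 104, z25 = 116, z26 = 33, z27 = 33, "
                 "z28 = 33, z29 = 125, z3 = 103, z4 = 123, z5 = 89, z6 = 48, z7 = 117, "
                 "z8 = 95, z9 = 115 }")

if __name__ == '__main__':
    print(to_text(solve(CONSTRUCTED)))
    print(decode_listing(SOLVER_OUTPUT))
```

Fractions rather than floats are deliberate: the coefficients in these checks are small integers, and exact arithmetic means a contradictory extra equation is detected as a non-zero remainder instead of being lost in rounding.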

And that’s how you solve a crackme with nothing but a few scripts in IDA and a text editor.. ;)

22 Oct

Static unpacker for AutoPlay Media Studio files

tl;dr version – it unpacks stuff. Download from here. Feel free to leech and reupload. Report bugs here.

Unpacker for AutoPlay Media Studio


It all started with a topic on the BlackStorm forums where whoknows posted a link to Reverzor – “The first cloud based software that decompiles everything!”.

Wow, a magic tool that does everything! Sounds too good to be true.. :) Soon enough, li0n posted a link to the trial executable and I started looking into it. I quickly found out that it’s written in AutoPlay Media Studio, and that there is no working unpacker for that.

I should fix that – and have some fun in the process!

Existing tools and research

First, I found a great blog post by Xiaopang – I wholeheartedly recommend that you read it.

And then there’s AmsDec.exe by mohsen.

Unfortunately, it only works for some files (supposedly v8.1 and v8.2) and shows weird messages in Persian. And it’s not really a decompiler, it just extracts the _proj.dat file from the cdd file. And, of course, it didn’t work for Reverzor.

How AutoPlay Media Studio works

So, let’s see what we need to do to unpack it all properly. As the authors of AutoPlay Media Studio wrote in the changelog:

As we all know, anyone determined enough can break any protection system given enough time and resources, but the use of rolling codes renders generic attacks ineffective. You can now sleep a little easier!

Right… They are using ZIP files protected with randomly generated passwords and obviously have no clue how generic attacks work..

The unpacker needs to analyze the EXE file, generate the correct password and unzip the files. If there’s a cdd file, unzip that one too. And since it’s that simple, I will use AutoPlay Media Studio as the target for a separate blog post explaining how to write a static unpacker from scratch. :)

Since there are several options for distributing files built by AutoPlay Media Studio, here’s a quick reference:

  1. You have just a single application.exe.

     Such files can be generated using the “Publish -> Web/Email executable” feature in AutoPlay Media Studio. An example file would be CardRecovery v6.10 Build 1210 AIO Installer -nelly-.exe.

     Drop the exe file on the unpacker and it will unpack everything automatically. Then check the appropriate folder for the extracted data files and _proj.dat for the installation script.

  2. You have a folder with application.exe and application.cdd in a subfolder AutoPlay.

     These files are created using “Publish -> Hard drive folder” in AutoPlay Media Studio. An example file can be, for example, Russian software (malware?) claiming to be a Photoshop installer.

     There is not much to unpack, as the data files are in plain sight in the AutoPlay folder and its subfolders. Drop the exe file on the unpacker; it will find the cdd file automatically and unpack everything, including _proj.dat.

  3. You have application.exe and application.cdd files in the same folder.

     This happens when the “Rename resource files” feature is enabled in AutoPlay Media Studio. It’s one of those features that add fake security to the product:

     This option is designed to obscure the filenames of your resource files during publishing.

     This is the case of Users Sniffer. Similar to the previous case, there’s not much to unpack. Drop the exe file on the unpacker; it will find the cdd file automatically and unpack everything, including _proj.dat.
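An added example (my code, not the author’s unpacker) of the file-location logic the three layouts above imply, in Python: find the cdd archive next to the EXE or under AutoPlay/, then extract the archives with zipfile, which opens ZipCrypto-protected entries when given a password and also finds an archive appended to an EXE because it locates the central directory from the end of the file. The password derivation is the part the post leaves for a later article, so it is just an argument here; build_sample() creates a constructed folder layout with a dummy EXE and an unencrypted cdd so the flow runs offline.

```python
import os
import tempfile
import zipfile


def locate_cdd(exe_path):
    """Find the .cdd archive belonging to exe_path in the two layouts the post
    describes: next to the EXE, or in the AutoPlay subfolder. Returns None when
    it is missing or renamed (the idler.dll case), which the user fixes by hand."""
    folder, exe_name = os.path.split(os.path.abspath(exe_path))
    cdd_name = os.path.splitext(exe_name)[0] + '.cdd'
    for candidate in (os.path.join(folder, cdd_name),
                      os.path.join(folder, 'AutoPlay', cdd_name)):
        if os.path.isfile(candidate):
            return candidate
    return None


def extract(archive, password, dest):
    """Extract a ZIP (optionally ZipCrypto-protected; password is bytes or None)
    and return its sorted member names. zipfile finds the central directory from
    the end of the file, so an archive appended to an EXE opens the same way.
    Deriving the password is what the post defers; here it is an argument."""
    with zipfile.ZipFile(archive) as z:
        z.extractall(dest, pwd=password)
        return sorted(z.namelist())


def unpack(exe_path, password, dest):
    """Full flow: archive carried by the EXE first (if there is one), then the
    cdd archive. Returns {'exe': [...], 'cdd': [...]} for whatever was found."""
    extracted = {}
    if zipfile.is_zipfile(exe_path):
        extracted['exe'] = extract(exe_path, password, os.path.join(dest, 'exe'))
    cdd = locate_cdd(exe_path)
    if cdd is not None:
        extracted['cdd'] = extract(cdd, password, os.path.join(dest, 'cdd'))
    return extracted


def build_sample(layout='subfolder'):
    """Constructed stand-in for a published project (not real AMS output): a
    dummy EXE plus a cdd archive holding _proj.dat, placed per the layout."""
    root = tempfile.mkdtemp()
    exe = os.path.join(root, 'application.exe')
    with open(exe, 'wb') as f:
        f.write(b'MZ' + b'\0' * 62)           # not a real PE, just a placeholder
    cdd_dir = os.path.join(root, 'AutoPlay') if layout == 'subfolder' else root
    os.makedirs(cdd_dir, exist_ok=True)
    with zipfile.ZipFile(os.path.join(cdd_dir, 'application.cdd'), 'w') as z:
        z.writestr('_proj.dat', 'constructed project script')
        z.writestr('Data/readme.txt', 'constructed data file')
    return exe


if __name__ == '__main__':
    sample = build_sample()
    print(locate_cdd(sample))
    print(unpack(sample, None, sample + '.out'))
```

The renamed-cdd scenario from the advanced section is exactly the case where locate_cdd() returns None, so a caller can report “no cdd found next to application.exe or in AutoPlay/” instead of silently extracting only what the EXE carries.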

Advanced use cases

But sometimes things are not that easy. So, here are a few possible scenarios for dealing with a modified AutoPlay Media Studio:

  1. application.exe is packed and there is an application.cdd file present.

     This is the case of the official AMS studio challenge that Xiaopang mentioned on the blog. Good news – you don’t need to be an unpacking wizard and properly unpack PCGuard to break their protection. It’s enough to run the EXE in VMware, dump the process memory and drop the dumped exe on my tool. As long as the PE header and section table are correct, it should be fine.

     1) Run and dump:
     2) When saving the dump, keep the original filename. Otherwise my unpacker won’t be able to find the cdd file:
     3) Process the dump with the unpacker:

  2. application.exe is packed and there is no cdd file.

     This is the case of Reverzor. First you would need to unpack Enigma Virtual Box – for that you can use my other unpacker.. ;) Now you have both exe and cdd files but the exe file is still packed with ASPack. Again, you don’t need to unpack ASPack properly, just run it & dump the process memory. Then process the dumped exe with my unpacker.

  3. application.exe is hacked and the cdd file is renamed to something else.

     This is the case of Idler. The author hacked the AutoPlay engine and replaced the file extension cdd with dll. There is no way for my unpacker to cover all such scenarios automatically, sorry. Just rename idler.dll to idler.cdd and drop idler.exe on the unpacker.


This was a small weekend project for me. If it also helps you in some adventures, I’m happy. If it doesn’t help you at all, I don’t care. :)

Download the unpacker from: https://www.mediafire.com/?cyb4kagdwey0j1b

Note – due to technical reasons it’s compiled against .NET 3.5. If you wish to run it on a computer with only .NET 4.0 installed, create amsunpacker.exe.config with the following content:

<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0"/>
  </startup>
</configuration>

And stay tuned for the upcoming post, where I’ll explain how to write such an unpacker from scratch!

24 Sep

Volkswagen and their emission cheating software

Everyone these days is talking about Volkswagen and how they made software that cheated in vehicle emission tests. Volkswagen’s stock price is tanking, the CEO has been asked to resign, EU bureaucrats are looking into it and other major engine manufacturers are being investigated as well.

Let me give my opinion on this whole affair.

How did they do it?

A quote from the EPA violation notice sums it up well enough:

The ‘switch’ senses whether the vehicle is being tested or not based on various inputs including the position of the steering wheel, vehicle speed, the duration of the engine’s operation, and barometric pressure. These inputs precisely track the parameters of the federal test procedure used for emission testing for EPA certification purposes. During EPA emission testing, the vehicles’ ECM ran software which produced compliant emission results.

So, they added a piece of code to the vehicles’ ECU that was able to detect testing mode and then adjust the engine’s operating parameters. It’s very similar to what ECU tuning shops do, except Volkswagen did it to reduce emissions in certain cases and petrolheads do it to achieve the best possible performance from their cars.

Whose decision was it?

Some dude on hackaday sees a big ethical issue here:

An engineer, either in Volkswagen or less likely at a subcontractor, signed off on code that would defeat the entire purpose of EPA and Clean Air Act regulations. Someone with the authority to say ‘no’ didn’t, and this code was installed in the electronic control unit of millions of cars.

Say what?

This dude apparently knows nothing about how corporations work. There is no way in hell that some engineer came to his boss and said: “Hey, I just figured out a way to cheat in USA emission tests, do you think it will be useful for our company?”.

No. Fucking. Way.

I’m convinced that this decision came from the middle management and was passed down to engineers. Something like: “We don’t care how you do it, just make sure our diesel engine passes those tests. Just don’t tell us how you managed that.” Plausible deniability, you know.

However, the dude from hackaday is absolutely right in another aspect – some engineer will likely lose his job over this. It’s not because he did something wrong, it’s because the company needs a scapegoat. Just like they sacrificed Chief Executive Martin Winterkorn – the CEO had nothing to do with the scandal, it’s just one of those steps a company needs to take to make good PR.

How did they get caught?

As strange as it sounds, they got caught by accident. The International Council on Clean Transportation (ICCT) wanted to convince European bureaucrats to implement the strict US standards for diesel emissions in the EU. So, they hired West Virginia University’s Center for Alternative Fuels, Engines and Emissions (CAFEE) to run tests in the field. And as the interim director of CAFEE explains:

They rented VW diesels, measured their tailpipe emissions on the road and compared them to measurements on the same cars made in the lab. The discrepancies were huge.

So, the scientists made some presentations in 2014, published their research online, and nobody except US bureaucrats cared about it. Until last week, that is.

Now suddenly everybody is acting as if the world is going to be destroyed by this.

So, how bad is it really?

Let me answer this question with a quote from the original EPA news release:

These violations do not present a safety hazard and the cars remain legal to drive and resell. Owners of cars of these models and years do not need to take any action at this time.

I’ll give you a moment to think about that.

482’000 cars in the USA alone. 11’000’000 cars in the whole world. 5 years. Exceeding NOx limits 20 times. Affected cars are not a safety hazard. US cities are not covered in black smog. In fact, nobody noticed anything for 5 years. What does that tell you?

To me, the answer is simple – those NOx limits are fucking bullshit. They make your car more expensive and reduce the horsepower of your engine. They don’t save the planet. They are there because some bureaucrat needs to justify his puny existence in some environmental agency.

Don’t get me wrong – I do care about the environment. But you are not helping the environment much by limiting the already small emissions of NOx. Instead, you should rather look at Asia and its industrial practices. For example, burning down forests in Sumatra – which produces so much smoke that the entire city of Singapore (80 kilometers away from Sumatra!) has its air quality deteriorating to a “very unhealthy” range. Or look at the half of China’s rivers which are polluted with industrial waste and fertilizers. Now, that is something that actually needs fixing!

To sum it all up

Volkswagen knew these regulations are bullshit and won’t save the Earth. They knew their engines can’t pass them. So, they had balls big enough to give all the bureaucrats the finger and cheated their way through.

I say – good for them! In my scorebook it’s “Volkswagen 1, Bureaucrats 0”.

23 Sep

Why do most antiviruses suck?

Mandatory disclaimer – all views in this article are my own and in no way represent views of my employer or my coworkers.

In the last few weeks I noticed several posts about antiviruses, False Positives and how bad the situation is. For example, this essay from atom0s and this complaint (reg required) by mudlord. And then there is this epic rage by evlncrn8. :)

To understand why antiviruses work this way, you need to consider plenty of factors. So, let’s take a quick look.

Why make antiviruses?

It usually starts with a group of skilled guys wanting to save the world. They make a great product, people like it, the company makes some money, more people like the product, the company grows even more and so on..

But as the company grows, priorities change. The bigger and more popular the company gets, the more managers and investors it attracts. Those guys usually have no clue about the technology behind an antivirus. And they don’t care about technology, they only see numbers and dollar signs everywhere.

And then the primary goal of the company changes to making profit for shareholders.

What’s with the UI?

Let’s face it – readers of my blog are not the usual antivirus users. Antiviruses are used by everyone – from extremely skilled IT geeks to Granma Millie living in the retirement home. And this causes the second biggest problem – big companies cannot make a product just for skilled IT geeks, as nobody else will be able to use it. You can’t make a product for the average user either. You need to make something that even Granma Millie can use.

And that’s why most software products in recent years get dumbed-down – managers think that they need to do “inclusive designs” – so even the most retarded of users can use the product.

New shiny features.

One of the most common complaints I hear is that all antivirus products are becoming huge bloatware. There are several reasons for that. First, product managers just don’t know any better. They look at all the competitors – if Company A has feature X, you need to have feature X, no matter if it actually makes sense or not. The second reason is that the company somehow needs to sell the new version of the product. You can’t say – this version is the same as the old one, we just changed colours and moved buttons around. No, you need to have something like “New version, now with features Z and Q!”

It’s not the best way but it’s certainly the easiest!

AV reviews and tests.

When you are purchasing a new car, you probably search for reviews online. You probably do the same when you decide to move to a new city, plan your vacation or make any other big decision. That’s just normal.

And it’s the same with antiviruses – most people will either get a recommendation from someone they trust, or they’ll search for reviews online. So, the companies need to invest a lot in PR and make sure their product looks good in tests and reviews.

Testing methodologies most of the time are not representative of any real-life experience of ordinary users. Testers take whatever pieces of malware they can find and test AV products against them. They don’t distinguish between different types of malware, sample prevalence or geographical distribution.

I’m sure you feel much safer knowing that your antivirus protects you against a worm that is distributed only through the Chinese QQ messenger, or against that very nasty banker attacking only Brazilian banks. Don’t you?

To test the False Positive rate, testers check a number of files from popular download sites like CNET, Softpedia or PCWorld, or collected from European SMB companies. Of course, AV companies do the same thing and try to make sure they have no false positives on those sites. But if you’re a small software dev and distribute your software by other means, or don’t target SMB companies – well, bad luck. A False Positive on your file doesn’t influence test results. :)

It’s a load of crap – but every company is still doing it because lots of potential users rely on such “tests” before buying antivirus. Some companies even cheat in tests.

Automation and big data.

The number of new malware samples and other crap these days is increasing exponentially. According to McAfee Quarterly Threat reports, ~4 million new malware samples appeared in Q1 2009, ~7 million in Q1 2012, ~32 million in Q1 2014 and ~48 million in Q1 2015.

Think about it. How can you process 48’000’000 samples?

The answer is simple – automation, automation and more automation. Malware classification is a hugely automated process. Does the file look weird? Does it do weird things? Was it sent out in a spammy email? Is it encrypted to prevent automated analysis? Was it protected using stolen Themida? Do other antiviruses think it’s bad? Game over, classified as bad!

Sure, sometimes some legitimate software gets classified as bad. At this scale, it’s bound to happen.

If automation is not able to classify a file, malware researchers will need to analyze it manually. This is where big data software, statistical models and cluster analysis come in. They alert researchers to traffic anomalies, thousands of suspiciously similar files and other “interesting” stuff. Files get prioritized based on prevalence, number of users affected and other factors. And, of course, the bigger the issue, the faster it gets attention from a real human being.

So, if your legitimate software is classified as bad and it affects all your 50 users – it’s not because AV company hates you or your product. Really, they don’t hate you. They just don’t know you even exist. So, the sooner you let the AV company know about the problem, the sooner they will fix the issue.

But hiding your head in the sand and saying “I don’t have time to play a cat and mouse game with anti-virus companies” will get you nowhere.

Are we all doomed?

Think about the points I just made. Your product needs to bring the company money. You need to make a product Granma Millie can use. Your product needs to behave well in tests. Given the requirements, no matter how skilled the developers and researchers are, the end product will be…

Well, it will be just like the product you’re getting now – dumbed-down, feature-bloated money-making piece of software that fares reasonably well in artificial tests.

You’re living in the era of globalization and money-making corporations. Deal with it.

31 Aug

Let’s say something good about Google Chrome

In my previous post I criticized Google’s decision to disable NPAPI plugin technology. I still think it was a bad decision. But today let’s talk about a change that should be an improvement for virtually all users.

Chrome will begin pausing many Flash ads by default to improve performance for users. This change is scheduled to start rolling out on September 1, 2015.

Source: https://plus.google.com/+GoogleAds/posts/2PmwKinJ7nj

Say what? Is Google going against ads? 8-) Well, not really. HTML5 ads are apparently OK. But those obnoxious Flash-based ads will become click-to-play.

The setting in question is located in Settings->Advanced->Content Settings->Plugins:

It has been present in Chrome for several months already. So, I’m guessing that Google will only be pushing out some configuration change, or changing the default value for new installations. Who knows, as Google is not giving us any details at this point..

Google’s ad detection algorithm might need some improvements and there might be some other side-effects but overall I think it’s a great change! Good job Google, you made my day better! :)

21 Aug

Dancing pigs – or how I won my fight with Google Chrome updates

I think removing NPAPI support from Google Chrome was a really stupid decision from Google. Sure, Java and some other plugins were buggy and vulnerable. But there is a huge group of users that need NPAPI for perfectly legit reasons. Certain banks use NPAPI plugins for 2-factor authentication. Certain countries have based their digital government and signatures on NPAPI plugins. And the list goes on.

I have my reasons too. If I have to run an older version of Chrome for that, I will do so – and no amount of nagging will change my mind.

That’s a well known fact in security circles, named “dancing pigs”:

If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet — he’s going to choose dancing pigs over computer security any day

Unfortunately pointy-haired managers at Google fail to understand this simple truth. Or they just don’t give a crap.

Hello, I am AutoUpdate, I just broke your computer

Imagine my reaction one day when my NPAPI plugin suddenly stopped working. It just wouldn’t load. It turned out that Google Chrome had been silently updated by Google Update. It broke my plugin in the process and – officially – there is no way of going back.

What do you think I did next?

That’s right – I disabled Google Update in services, patched GoogleUpdate.exe to terminate immediately and restored the previous version of Google Chrome from a backup. Dancing pigs, remember?

Your Google Chrome is out-of-date

It worked well for a few months. But this week, Chrome started nagging me again.

A quick Google search led me to this answer: you need to disable Chrome updates using Google’s administrative templates.

Let’s ignore the fact that the described approach works only for XP (for Windows 7 you need to use ADMX templates, which you need to copy manually to %systemroot%\PolicyDefinitions) and that now there are like 4 places related to Google Chrome updates in the policies.

So, I set the policies and it seemed to work. For a day.

Your Google Chrome is still out-of-date

Imagine my joy the next day when I saw yet-another-nagscreen. Like this:

No, I don’t need that update. Really!

I can close the nag, but 10 minutes later it will pop up again. And it looks like the only way to get rid of the nag is to patch chrome.dll. I really didn’t want to do that but dumb decisions by Google managers are forcing my hand here.

Reversing Google Chrome

Since Chrome is more or less open-source, you can easily find the nagware message:

From here, we can find which dialog is responsible for the nag:

From there we can find NOTIFICATION_OUTDATED_INSTALL, which comes from UpgradeDetector. And finally we arrive at the CheckForUpgrade() procedure:

This is what I want to patch! But how?

You could load the Chrome DLL in IDA and try to find the offending call on your own. But I’m willing to bet that it will take you hours, if not days. Well, PDB symbols to the rescue!

Symbols for Chrome are stored at https://chromium-browser-symsrv.commondatastorage.googleapis.com and you will need to add that path to your _NT_SYMBOL_PATH. Something like this:

_NT_SYMBOL_PATH is a very complex beast; you can do all sorts of things with it. If you want a more detailed explanation of how it works, I suggest that you read Symbols the Microsoft Way.

After that, you can load chrome.dll in IDA, wait until IDA downloads 850MB of symbols, and drink a coffee or two while IDA is analyzing the file. After that it’s all a walk in the park. This is the place:

And one retn instruction makes my day so much better..

Final words

Unfortunately for me, this world is changing. You are no longer the sole owner of your devices; all the big corporations want to make all the decisions for you.

Luckily for me, it is still possible to achieve a lot using a disassembler and a debugger. And reverse engineering for interoperability purposes is completely legal in the EU. :)

Have fun!