21 Aug

Dancing pigs – or how I won my fight with Google Chrome updates

I think removing NPAPI support from Google Chrome was a really stupid decision from Google. Sure, Java and some other plugins were buggy and vulnerable. But there is a huge group of users that need to have NPAPI for perfectly legit reasons. Certain banks use NPAPI plugins for 2-factor authentication. Certain countries have made their digital government and signatures based on NPAPI plugins. And the list goes on.

I have my reasons too. If I have to run an older version of Chrome for that, I will do so - and no amount of nagging will change my mind.

That's a well-known fact in security circles, named "dancing pigs":

If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet — he's going to choose dancing pigs over computer security any day

Unfortunately pointy-haired managers at Google fail to understand this simple truth. Or they just don't give a crap.

Hello, I am AutoUpdate, I just broke your computer

Imagine my reaction one day when my NPAPI plugin suddenly stopped working. It just wouldn't load. It turned out that Google Chrome was silently updated by Google Update. It broke my plugin in the process and - officially - there is no way of going back.

What do you think I did next?

That's right - I disabled Google Update from services, patched GoogleUpdate.exe to terminate immediately and restored the previous version of Google Chrome from the backup. Dancing pigs, remember?

Your Google Chrome is out-of-date

It worked well for a few months. But this week, Chrome started nagging me again.
A quick Google search led me to this answer: you need to disable Chrome updates using Google's administrative templates.

Let's ignore the fact that the described approach works only for XP (for Windows 7 you need to use ADMX templates which you need to copy manually to %systemroot%\PolicyDefinitions) and now there are like 4 places related to Google Chrome updates in the policies.

So, I set the policies and it seemed to work. For a day.

Your Google Chrome is still out-of-date

Imagine my joy the next day when I saw yet-another-nagscreen. Like this:

No, I don't need that update. Really!

I can close the nag, but 10 minutes later it will pop up again. And it looks like the only way to get rid of the nag is to patch chrome.dll. I really didn't want to do that but dumb decisions by Google managers are forcing my hand here.

Reversing Google Chrome

Since Chrome is more or less open-source, you can easily find the nagware message:

From here, we can find which dialog is responsible for the nag:

From there we can find NOTIFICATION_OUTDATED_INSTALL, which comes from UpgradeDetector. And finally we arrive at the CheckForUpgrade() procedure:

This is what I want to patch! But how?

You could load Chrome DLL in IDA and try to find the offending call on your own. But I'm willing to bet that it will take you hours, if not days. Well, PDB symbols to the rescue!

Symbols for Chrome are stored at https://chromium-browser-symsrv.commondatastorage.googleapis.com and you will need to add that path to your _NT_SYMBOL_PATH. Something like this:

_NT_SYMBOL_PATH is a very complex beast; you can do all sorts of things with it. If you want a more detailed explanation of how it works, I suggest that you read Symbols the Microsoft Way.

After that, you can load chrome.dll in IDA, wait until IDA downloads 850MB of symbols, and drink a coffee or two while IDA is analyzing the file. After that it's a walk in the park. This is the place:

And one retn instruction makes my day so much better...
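The same edit seen from the other side: an added example (not the post author's code) that checks whether a chrome.dll still carries the CheckForUpgrade() prologue intact or has had its first byte turned into a retn. The two byte patterns are the 32-bit and 64-bit prologues quoted in this page's comments for Chrome builds of that era; the sample images it scans are constructed, not real DLLs, and any other build is reported as unknown.

```python
"""Added example, not the post author's code: decide whether a chrome.dll image
still has the CheckForUpgrade() prologue intact, or has had its first byte
replaced by RET (0xC3) as described in the post. Other builds report 'unknown'."""

# Prologue bytes quoted in the post's comments; the first byte is what gets patched.
PROLOGUES = {
    "x86": bytes.fromhex("55 8B EC 83 EC 20 83 65 FC 00 56 8B F1 57 8D BE 10 01 00 00"),
    "x64": bytes.fromhex("48 89 5C 24 10 57 48 83 EC 70 83 A4 24 80 00 00 00 00 "
                         "48 8D B9 70 01 00 00"),
}
RET = 0xC3


def scan(image: bytes) -> list:
    """Return (arch, offset, patched) for every known prologue in the image.
    The search key is the prologue minus its first byte, so the function is
    found whether or not that byte has already been turned into RET."""
    findings = []
    for arch, prologue in PROLOGUES.items():
        tail = prologue[1:]
        pos = image.find(tail)
        while pos > 0:  # pos == 0 would leave no leading byte to classify
            lead = image[pos - 1]
            if lead == prologue[0]:
                findings.append((arch, pos - 1, False))
            elif lead == RET:
                findings.append((arch, pos - 1, True))
            pos = image.find(tail, pos + 1)
    return findings


def verdict(image: bytes) -> str:
    """'patched' if any known prologue now starts with RET, 'intact' if one is
    present unmodified, 'unknown' if this build is not in PROLOGUES."""
    hits = scan(image)
    if any(patched for _, _, patched in hits):
        return "patched"
    return "intact" if hits else "unknown"


def make_sample(arch: str, patched: bool) -> bytes:
    """Constructed stand-in for a DLL (not a real file): fake 'MZ' header,
    0x40 bytes of filler, the prologue at offset 0x42, then more filler."""
    body = bytearray(PROLOGUES[arch])
    if patched:
        body[0] = RET
    return b"MZ" + bytes(0x40) + bytes(body) + bytes(16)
```

Run `verdict(open(path, "rb").read())` against a chrome.dll and its backup to see which copy has been modified.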

Final words

Unfortunately for me, this world is changing. You are no longer the sole owner of your devices; all the big corporations want to make all the decisions for you.

Luckily for me, it is still possible to achieve a lot using a disassembler and debugger. And reverse engineering for interoperability purposes is completely legal in the EU.

Have fun!

25 thoughts on “Dancing pigs – or how I won my fight with Google Chrome updates”

  1. Hi!

    Would it be possible to modify the maximum http requests with this as well?
    I know that Chrome has a thread pool

  2. Because on some complex websites Chrome just chokes hard. Firefox has 15 I think already. Chrome folks are so backward.

    I think auto patching could be done :)

    • Never happened to me. :) If it's a reasonably large public website exhibiting these issues, I'd bug website owners to use domain sharding and/or Chrome authors to change connection defaults.

      Automatic patcher should be possible but I haven't tried to implement it myself.

  3. Still, how do you actually patch an enum with IDA Pro? I've only patched logic so far. JNZ, JMP etc.

    • It's not an enum, it's an array of integers.

      In my old chrome.dll (45.0.2414.0) it looks like this:

      So, you just change number 6 to whatever you like. :)

      EDIT 2x: properly formatting code in comments is hard.

  4. I found the hex string shown in your example: 55 8B EC 83 EC 20 83 65 FC 00 56 8B F1 57 8D BE 10 01 00 00. You said change it to RETN, which is hex C3, so I changed the ending from 8D BE 10 01 00 00 to C3 BE 10 01 00 00, but it doesn't seem to work. Chrome just crashes after a while.

    Could you tell me what to change? Thank you

    • You should replace the first byte of that sequence with a retn instruction. So, in my example, it's address 02CF3BDF - and after the patch it looks like this:

  5. Hi,

    I'm using Chrome 52 and I opened chrome.dll in IDA Pro, but the strings are not there. Maybe because the version I use is newer and the dll has changed. I am new to this; what do I have to do? I really want to turn off that boring out-of-date popup. Thanks

    • Most likely you did not set up symbols correctly. Please re-read that part of blog post and try again. :)

      If it still doesn't work, please upload your chrome.dll to mega.co.nz or mediafire.com and send me the link. Ideally - with a step-by-step description of what you did and what didn't work as expected. I'll try to look at it and find out what's causing the issue.

  6. First thanks for your quick answer.

    You were right, I made a mistake with the symbol path: I forgot to change the drive letter from F to C. It looks like more strings appeared when I restarted IDA, but still none of the ones you mentioned; I got these instead, with similar names:

    Since I'm not experienced with this, I decided, like you said, to upload chrome.dll to mediafire. Here's the link: {link_removed}

    • You still did something wrong with symbols. :) If you did it right, you'd be able to see the correct place in IDA:

  7. I give up with the symbols, but I found the strings above:

    031ECD7F push ebp
    031ECD80 mov ebp, esp
    031ECD82 sub esp, 20h
    031ECD85 and [ebp+var_4], 0
    031ECD89 push esi
    031ECD8A mov esi, ecx
    031ECD8C push edi
    031ECD8D lea edi, [esi+110h]
    031ECD93 mov ecx, edi
    031ECD95 call sub_1CB2879
    031ECD9A mov ecx, esi
    031ECD9C call sub_31ECE01
    031ECDA1 test al, al
    031ECDA3 jnz short loc_31ECDFB

    So I only have to change the 1st line from 031ECD7F push ebp to 031ECD7F retn? I am totally new to code editing; how can I do that?

    A much easier solution would be that you do it and upload the modified file.

    Thank you again for your help.

    • Due to possible legal issues, I cannot upload the modified file. So, you'll have to modify it yourself. ;)

      In the snippet I posted above you can see the corresponding byte values. Use any hex editor to find them:

      Change the first byte from 55 to C3, save the modified file and enjoy!

      P.S. Always make a backup copy of file before modifying it! :)

  8. It works! I replaced chrome.dll with the modified one and since then the out-of-date message never showed up again.

    I tried many solutions from a lot of sites but only this one worked for me, it's a shame we need to modify a file to get rid of that nagging popup.

    Btw, would it be possible using this method to remove the geolocation and bookmark icon from the url bar, and also the warning "This page is trying to load scripts from unauthenticated sources"? They are useless for me, but I would understand if you don't have time to deal with that.

    Anyway, thank you again for your support; I hope it will help other people too.

    • As I said in an earlier comment, everything is possible.

      The method of locating icons in address bar would be similar to what I described in the post. But I'm not particularly interested in spending my time on that..

  9. Hi again!

    I decided to switch from the 32-bit to the 64-bit version of Chrome and it appears that the chrome.dll is different. I looked for the string but I didn't find it; it must be different then. Can you help me find the one that matches in the 64-bit version? Like last time, I uploaded the file to Mediafire: {link_removed}

    Thank you

    • This is the place you're looking for:

      and the bytes to search for:

      I'm not using the 64-bit version, so I wasn't able to test it myself. Take care! :)

      • Hi,

        I forgot to say that it is also working for the 64-bit version of Chrome using the method of kao's last post.
        Be careful: the chrome.dll file is different between 32 and 64 bits, so it will only work for 64 bits. If you use 32 bits, just read the first post to find the right sequence of bytes.
        Before any modification make a backup of the file, then open it with a hex editor and change the first byte from 48 to C3 of the following sequence:
        48 89 5C 24 10 57 48 83 EC 70 83 A4 24 80 00 00 00 00 48 8D B9 70 01 00 00
        Save and enjoy: no more out-of-date popup.
        I hope it will help many people using the 64-bit version.
        Finally, thanks again kao for your help and for making this topic.

  10. Thanks for your help! I have a Vista Ultimate install which I'm not quite ready to part with - it still has security updates for several months, after all - and I only use Chrome on a few specific websites I trust, but it's a pain to have the popup coming up all the time and stealing focus.
