fravia @ Paris
Ecole polytechnique, 6 February 2001



The importance of reverse engineering for seekers

Reversing algos, reversing software, reversing reality


Cleaning the last version of Opera

Introduction

Opera is well known as the best browser for the windoze environment.
It has many advantages vis-à-vis bloated browsersaurii like Microsoft's Internet Explorer (which, beside being overbloated and buggy, [syphons your data] to third parties) or Netscape (whose code, to state it diplomatically, is quite overbloated and buggy)
To start with, Opera has a "turn images off" on-the-fly button that -you'll have to admit- is something one simply cannot live without any more if one wants to peruse the silly ad-infested web of today effectively and without eccessives delays.
But there's more: Opera has even a sort of BUILT-IN 'anti-popup' function: have a look at file ~ preferences ~ windows... see the checkbox for 'allow documents to create windows? Well... uncheck it! What are you waiting for? :-)
You think I have finished with the advantages that Opera offers? Nossir...try this other one: file ~ preferences ~ multimedia... see the checkbox 'enable animation GIF images'? Well... uncheck it! Yep, believe or not: you can selectively kill those useless animated gifs that nobody in their right mind would ever 'prefer' to load! :-)
Of course you can download hic et nunc Opera for LINUX as well...

If you think I have finished with Opera's advantages you'r wrong: if I type in the URl window -look on the screen behind my shoulders- q "advanced searching" and then press ENTER... see? I'm searching with google! Similarly we have a for Altavista and h for Hotbot... (see the whole list inside preferences ~ search) not a bad choice! But I miss Fast... well, we can easily modify the source code of Opera to get the almost useless t of GoTo to point to fast :-)

Ah yes, modifying code. An important activity for good seekers. For a long time Opera was distributed as shareware with an evaluation limit of 30 days, but it has always been so easy to find 'unlocking' serial numbers on the web that many a reverser was wondering if the idea wasn't rather to let it 'quietly' diffuse in order to compete against the 'big two' obsolete browsersaurii.

Version 5 of Opera is free, but has a horrible commercial bug.

Let's have a look at a version 5 of Opera. For this lesson we'll use a version (Build 828, Platform Win32, System Windows 98) with the executable opera.exe having a length of 1.884.207 bytes.
The bug is present: target's code triggers -apparently intentionally- an awful 'advertisement banner' inside the main window of the program, this sore moreover 'rotates', annoying your eyes with many a vulgar advertisement.

The illegal temptation

Now, even before starting reversing the code, let's point out and underline that to kill these ads it wouldn't be necessary to reverse its code: as many of you will already know, there are some very easy ways any zombie could have killed this tasteless advertising feature WITHOUT ANY NEED WHATSOEVER TO STUDY ITS CODE AT ALL:

FIRST METHOD
Voilà, c'est fait.

SECOND METHOD
fish a complete cracked copy out of the web (http://www.crack.ru/cgi-bin/crack_en.pl?what=crack&first=1&string=opera&.submit=Search for instance). Voilà, c'est fait.

But we wont do it. We wont register our 'free' copy of Opera with a crack (you should really register Opera, later, once you have realized that it is indeed a very good tool: it deserves it).
We'll kill the advertisement in a legal way.

Keeping on the legal side

But I want today to show you the sheer and almighty POWER of software reverse engineering, besides, we are (supposed to be) reversers, not thieves, so let's have a deeper look inside Opera in order to understand how this 'advertisement bug' works. This approach will be useful to ameliorate ANY software that dares annoy your eyes with advertisement windows. Let's keep on the legal side: When I installed Opera on my portable I got this window:



   You shall not modify, translate, reverse engineer, decompile or disassemble the Software or any part thereof or otherwise attempt to derive source code or create derivative works therefrom.
This is terrible. I NEED to decompile AND disassemble ANY software entering my memory! Why should I trust it?
You are not allowed to remove, alter or destroy any proprietary, trademark or copyright markings or notices placed upon or contained with the Software.
I should accept this? Why?
Registration Codes...
This does not interest us: even if it would be easy to find them on the web we are NOT going to use any registration code...

As you see, we have a problem. If we click onto the I accept button, we are supposed not to modify, translate, reverse engineer, decompile or disassemble... but that's exactly what we want to do with any software that enters our systems and that we may decide to use: there are enough malwares around... I know, I know, this is the windoze world, it is not GNU/Linux... but what can we do? Easy! If clicking on 'I accept' means we cannot reverse engineer, then conversely clicking on 'No thanks' must mean that we CAN reverse engineer!

We just need a 'No thanks' button!
This is simple... at the moment we have NOT yet clicked nutting, have we? So we may reverse engineer THIS SCREEN as much as we fancy... a simple customizer intervention will do the job:



That's it, we may now proceed without breaking our EULA (end user licence agreement). Our copy of Opera may now be 'tweaked' for study purposes.

Descending inside Opera 5.0

As you can see on the big screen behind my shoulders, the advertisement window in Opera 5.0 (this software will be our 'target' today) is located in the top right corner of the main window.
In order to kill it we must identify the ad hoc drawing routine inside the code of our target. There are MANY paths that you can follow, we'll take the 'dimensional' one today.
We'll start from the DIMENSIONS of the advertisement window, they must, of course, reside as parameters inside the target's code.
In order to calculate them most reversers would use softice command hwnd -x when Opera is running.
Of course among Opera's many big and small windows that softice will list, our specific advertisement window will be some sort of multiple document interface (MDI) child window... since Opera is a web browser that uses MDI, so that you don't have to open multiple browsers to view a number of websites at the same time (an important 'secret' of Opera revealed :-)
In this specific case, as we'll see in a second, our advertisement window will be a MDICHILD class window.
But forget this silly crackers' jargon and reversing approach: you don't even NEED to know the reversing abc in order to fetch the data you need to kill it: there's a MUCH MORE SIMPLER way to get at the dimensions of this window. In fact, using a utility like our trusted customizer, you'll be able to fetch the exact dimensional (and "nominal") data of this indecent (and soon to be eliminated) window of ours.

Thus we fire the customizer again... see the yellow ball rolling on the big screen behind my shoulders?
Here we choose the 'edit window' option.
And then, in "windows details", with 'select' checked, we just click onto 'on'... this approach is so easy that even your aunt, or a microsoft certified software developer could follow it.
Now move the customizer's 'big' cursor slowly towards our target. AH! See how many 'hidden' windows are revealed while we are on our way there?
In fact there are a lot of "hidden processes" going on during any 'normal' windoze's session (and you can bet that someone, somewhere is taking advantage of this matter of fact in order to gather data about you... but that's another story). Let's simply ignore these hidden windows for now, you'll be able to play with the customizer all by yourself at some other time... we want to tackle our target now...

Identifying the culprit advertisement window

So, here we come to our advertisement window, here are the data as reported by the customizer... "size and position": x position=328, y position=4, height=64 and width=472... and, see, it is indeed a BLD_MDICHILD window... an MDI child window as we supposed.

A small digression about the 'standardized' dimensions of advertisement windows: as it happens advertisement windows have often semi-standard heights and widths: in my experience most advertisement windows are rectangularly shaped in the range 62-64 (height) per 460-478 (width). Why this "7 something to one" relation (460/62=7.41 466/63=7.39; 472/64=7.37; 478/65=7.35) should be (grossomodo) constant beats me, but nonetheless what counts is that you can be reasonably sure that somewhere inside the code of your average 'advertisement carrier' similar values will be pushed onto the stack shortly before any window-drawing 'call' that will paint the advertisement payload you're supposed to HAVE TO WATCH all the time.

Let's start with the value we got: as we have seen this Opera's ad-window has following dimensions (which are often enough standard in adwares):

width="472", height="64"

The fixed 'start' advertisement image is just a somewhat smaller (468/60) OperaBanner.png image that you will find inside your Opera/images subdirectory where you will be able to modify it as much as you fancy, for instance:



Or whatever else you may fancy :-) Note also that the people at Opera use the png format. This deserves to be used waay more often on the web (instead of the 'proprietary' gif :-P

Anyway we would rather eliminate than simply change somehow an advertisement banner, n'est ce pas? The two decimal numbers that define the DIMENSIONS OF THE CONTAINING WINDOW 64 & 472 translate into 0x40 and Ox1D8 in hexadecimal. Since these two parameters must be pushed somewhere inside the code, we proceed to disassemble our target (use either wdasm or [IDA]) and then we examine the 'dead listing' of the disassembled code.
What are we looking for? Just the values 40 and 1d8? No: we can be waaay more precise (if necessary we will afterwards always 'fall back' to 'broader' searches).

In fact we "should" find somewhere inside the code of our target BOTH our 40 & 1d8 dimensions values pushed on the stack.
It's cosmic power! Assembly is assembly: no matter which 'higher' language has been used to program Opera, no matter which compiler has been used to compile its code, a 'long' push is 68xxxxxxxx (with inverted notation for the xxxxxxxx address) whilst a 'short' push is 6Axx, therefore we'll of course look for:
68D8010000 = push 000001D8 (note the inverted notation D801!)
and
6A40 = push 00000040
I won't annoy you now with the possible slack variants or register variants of these values. Besides there's no point in being excessively cracking-smart here, since these values are in effect pushed "as such" inside Opera: note that since BOTH these parameters are to be pushed in order to set the width and height of a given window, they will mostly be situated very near to each other inside the code.
Thus let's simply fetch the code snippet where "our" width and height values are pushed inside the code.
Jumping here from 6D35(Conditional)...
6D3A A1A8305900   mov eax, dword ptr [005930A8]
6D3F 3BC6         cmp eax, esi
6D41 743D         je 406D80
6D43 6A54         push 54
6D45 6A40         push 40  ;height
6D47 68D8010000   push 1D8 ;change to 6800000000 (push 0) and kill ads
6D4C 81C128FEFFFF add ecx, FFFFFE28
6D52 57           push edi
6D53 51           push ecx
6D54 56           push esi
6D55 FF7014       push [eax+14]
Note that this snippet holds the ONLY TWO references to both
68D8010000 = push 000001D8 and 6A40 = push 00000040
that do exist in the whole 'dead listing' of our target... :-)
That's called a BINGO! in crackers' jargon :-)

We're not finished, eh.
As you can see from the snippet above, the routine is conditionally called from 6D35.
Let's have a look
6D18 FF15C8A55500 Call dword ptr [0055A5C8] ;GetClientRect
6D1E 3975DC       cmp dword ptr [ebp-24], esi
6D21 7448         je 6D6B  ;of course an unconditional jump would avoid
                           ;the call below and eb48 (jmp 6D6B no matter
                           ;what) would kill our targeted ads as well :-)
6D23 8B4DAC       mov ecx, dword ptr [ebp-54]
6D26 8BD9         mov ebx, ecx
6D28 2B5DA4       sub ebx, dword ptr [ebp-5C]
6D2B 81EBDB010000 sub ebx, 1DB
6D31 6683FB64     cmp bx,  64
6D35 7D03         jge 6D3A ; call "vulgar_advertisement_settings"
6D37 6A64         push 64
6D39 5B           pop ebx

Note that THERE ARE MANY OTHER POSSIBLE APPROACHES TO KILL AN ADVERTISEMENT... or, more globally, to find your mustard inside overbloated code... for instance you could proceed also using the nice "colour" approach (window's background is pale yellow? Let's say F3F55B?

bgcolor="#F3F55b"

Well by now you should know what you should be looking for in the dead listing :-)
Note that a 'positional' as opposed to 'dimensional' approach is also possible...

This concludes today's conference. We went a long way, from the macrocosmos of the structure of the web to the microcosmos of Opera inner workings and assembly code. And yet these two dimensions are more correlated than one would think, and -what is more disturbing- the more you'll try to study and understand them, the more you'll realize that there is even more to understand, lest you be taken advantage of unknowingly.

Understanding searching and reversing matters is of paramount importance in a world of hidden codes, secret meanings and concerted propaganda, where you are supposed NOT EVEN TO UNDERSTAND what's going on.
Never before the old words: Fac sapias, et liber eris have been so true and I'm convinced that the clever students of the most brilliant and famous university in France should and will understand this. I am honored of having being invited here. Any questions?

fravia+
#include "standard_disclaimer.h"


«««««  Back to paris5.htm «««««        »»»»» Back to paris.htm  »»»»»
(c) III Millennium by [fravia+], all rights reserved and reversed