"Fixing" AIMS-Lab's VH-TV Program
By Q [Phrozen Crew]
Courtesy of reverser's page of reverse engineering
1 June 1998
USEFUL
Programmers' corner

Well, I must say that I personally cannot understand how possibly someone in his right mind would want to watch television (slurping all the fake propaganda of the slave masters and -as if that were not bad enough- getting tons of compelled advertisement channelled down your brain). Man! Read a good book, play with your kids, surf the interesting parts of the web, wander inside a forest, love your partner, write a poem, crack a program, chat with a friend... whatever but for Chrissake do not reduce yourself to the sad abominion of a slave that worships the very whip used to tame him! Gosh: when I think of all the nice people making smashed potatoes of their own life every evening I really get the creeps.
Anyway I'm happy to host this nice work by Q. See: crackers repair bugs inside commercial programs they use in order to ameliorate them... as Q writes to the Shareware programmers: "Please take a minute to look at your program from a side view, and fix whatever u can find before u release it. It took me 2 days to do the above , but I'm sure u can do it in 2 minutes with the full source .. The release date Can wait a day..." Quite right! ("sauf" that I doubt that such a shoddy programmer could fix it in 2 minutes even with source code :-) Now: enjoy this good bug smashing work: reversing at his best!


                                  "Fixing" AIMS-Lab's VH-TV Program
                                                                            By Q [Phrozen Crew]


* I'm not a native english speaker , so please bare with me .
Intro:
Bugs, those small but annoying things the programmer has left out , are found at practically every software nowadays, when programmers are in a hurry to finish up their work , with only money in their heads. And what can u do about it ? Send 1000
complaints through e-mail ? U'll get no response .. I know , that's what i did about a year ago.
Now , however, thanks to +Reverser and other cracking resources , i can "reverse engineer" (aka "bug busters" ;) that bug .. And i will show u how .
 
What you'll need:
- The TV program it-self  , can be found at http://aimslab.com . However , i'm afraid , it won't help u if u don't have a TV card.
- SNDVOL32.EXE  , can be found at your windows directory (c:\windows) . You'll see why in the essay ;)
- W32dasm . Can be found all over the net .
- And wIN-ICe .
* For tools u should try LordCaligo's site:  http://lordcaligo.org/ .

Let's Start:
This TV program has a very annoying bug : When ever u start it , it makes noise for about 3 seconds - until the program
has "fixed" it-self on the station . It's like the program calibrates it-self , and on this short calibration stage it makes the same
noise as if u r not tuned to a station (the "snow" picture) .. making this calibration stage a bit too long .

Ok , time to play with it .
- Run the program (tv.exe)
- Hit the 'home' button to toggle the Mute Option to On .
- Re-Run it .
The result is NO-Noise , and the mute option is kept ON . So the program saves this option , and at the beginning , when
it sees the mute option is ON , it will mute the speakers so there's no noise .
We can draw a line of work for the StartUp code : There are 2 ways :

Way #1 :
1. Get Mute Option.                                                (From an ini-file , registry ..)
2. Set MuteFlag accordingly.                                   (If Mute Option is ON then MuteFlag = 1 , else MuteFlag=0)
3. If MuteFlag=1 then Call ShutDownSpeakers .     (Will mute speakers -notice,before the calibration stage- if MuteFlag=1)
                           else  Call TurnOnSpeakers.          (Will De-Mute the speakers if MuteFlag=0)
4. Calibration Stage.                                                (The "snow" noise if not Muted)
5. Normal message loop - the rest is the program itself.  (Now that everything is ready , the program will run it's curse..)
6. Exit.                                                                    (Exit when ESC is pressed)

OR Way #2 :
1. Get Mute Option.
2. Set MuteFlag accordingly.
3. If MuteFlag=1 then Call ShutDownSpeakers .     (Will mute speakers -notice,before the calibration stage- if MuteFlag=1)
4. Calibration Stage.
5. Normal message loop - the rest is the program itself.
6. TurnOnSpeakers and  Exit.                                  (Speakers on and Exit when ESC is pressed)
 
See the difference ?
It's important to know EXACTLY how the program works before attempting to reverse it.
When the TV prog runs , it takes control of the screen (Winice is blocked !! Pressing Ctrl-D (or Alt-S in my case;) when
TV is running ,will load winice, but u wont see it !) further more u can't move to an other process (by pressing Alt+Tab for
example) , so there is no direct way of telling which of the above ways is correct . Not direct , so in-direct .
The Audio Mixer for the rescue ..
Load the Audio Mixer .I recommend the one that comes with windows - SNDVOL32.EXE.( the shortcut is
Programs\Accessories\Multimedia\Volume Conrol) .
Run the program , set Mute option OFF (so there's audio) and exit . On exit a dialog will appear asking if u want to keep
the TV audio in the background , press yes and return to the Mixer.
There are several Audio Controls : Midi , Wave , CD and LineIN . It's the last one we are interested - lineIn- because the
audio from the TV is sent through the LineIN audio control.
Use the mixer to Volume Down the LineIN volume . Remember the sound in the background ? It's decreasing.
Set the volume to half of what is was , and run the program . As u can hear , the volume is STILL half of the previous - it
hasn't changed , the volume has not been re-set or updated back to maximum .
And another thing : Run TV , Mute the sound and exit ; Look at the Mixer ; The Mute-LineIn-tag is UNSELECTED.
From here we can deduct that the 2nd line of work  is the correct one (it's a  pretty lame deduction ,but it's better than spending 10 hours with the disassembly..) :

1. Get Mute Option.
2. Set MuteFlag accordingly.
3. If MuteFlag=1 then Call ShutDownSpeakers .    (Will mute speakers -notice,before the calibration stage- if MuteFlag=1)
4. Calibration Stage.
5. Normal message loop - the rest is the program itself.
6. TurnOnSpeakers and  Exit.                                     (Once ESC is pressed :Speakers on -that's why the mute tag is unselected- and Exit)

Now "all" there's left to do is Make MuteFlag=1 before the 3rd step so there will be no noise on step 4 , After Step 4 do :
-Set MuteFlag according to MuteOption ; - If MuteFlag=0 then speakers On.

Sound complicated ? it IS ! That's why i've decided to play a bit more with the Mixer , thinking there MUST be a simpler answer . And there Is :-)   (Why fill the salt-cellar through the little holes, when there is a wide openning at the back ? ;)

Run the Audio Mixer and select the Mute tag (so the mixer will Mute LineIN audio control) , run the program and select
the mute option (in the program) Off . The result is NO-SOUND . No matter what u select in the TV program , there will be
no sound as long as the Mute Tag (in the mixer) is selected !
We can gather that the way the program mutes the LineIn is different from the way the Mixer does it , but both ways make the same results.
The only explanation i can find is that the TV program can tell the TV card directly to stop sending Audio to the SB . Whereas
the mixer (that doesn't know that u have a TV card) will mute The SB from it's behalf .
Here's to illustrate it :

                               |                               |

  TV CARD  -> -> Sound Blaster  -> ->  Speakers 
                               |                               |
                             Lock #1                           |
         TV program locks it when Mute Option is on.           |
                                                            Lock #2
                                            Mixer Lockes it when Mute tag is selected.

Both locks need to be 'Un-locked' to hear the audio (logical AND) ; the mixer has the "parent" properties , meaning it can
block all 'childs' (TV card , Piano or whatever).
 

The Solution:

The idea is to write a little program that will :
1. Mute LineIN.                                        (Mute LineIN just like the mixer does)
2. Run the TV program.
3. Wait a while  -3 seconds is enough-.
4. De-Mute LineIN .                                 (Again , like the Mixer)
5. and exit .                                               (End of LinDM ; TV is still running - It's windows , remember ? ;)

Or to put it in other words , Lock Lock #2 , Run program , delay 3 seconds and Unlock Lock #2 , leaving the Mute Option
available in the program.

Good , it looks like a plan :-)
(The little program will be named LinDM - LineIN (De)Mute..)
OK , Time to learn how the Mixer Mutes and De-Mutes LineIn , so we'll "rip" it to LinDM.
Disassemble the mixer (SNDVOL32.EXE) with W32dasm , and look at the Exports .
here are the interesting functions :

   Import Module 002: WINMM.dll
 mixerSetControlDetails
 auxGetNumDevs
 mixerGetID
 auxGetDevCapsA
 midiOutGetNumDevs
 midiOutGetDevCapsA
 waveOutGetNumDevs
 waveOutGetDevCapsA
 mixerClose
 mixerOpen
 mixerGetLineControlsA
 mixerGetControlDetailsA
 mixerGetNumDevs
 mixerGetDevCapsA
 mixerGetLineInfoA
 PlaySoundA

many functions with "Get" , but we are looking for those with "Set" (Mute or DeMute is a 'Set' operation) .
There is only one with a 'set' :  mixerSetControlDetails
Ok , let's see if this is the correct one . Boost up wINICe and
>Bpx mixerSetControlDetails
(If u get a 'Symbol not defined' , add WINMM.dll in the Exported symbols in winice.dat , and reboot ... Btw , if u think u've made a type-o , use the >exp command ..)

Load the mixer and select the Mute tag . Winice poped ! So this is the function we were looking .
That's all we need from softice ,for now .Now to get more info on this function . For this we have the SDK - programming
help file. Search for mixerSetControlDetails in the help file (i didn't find it in the small SDK , but in the SDK that comes with
Delphi 3.0) .
Note that we don't need to fully understand this function with all it's parameters , we just need the structure of the parameters -
So we'll correctly copy/rip it from the mixer using winice .
I won't bother u with details and code , u can do it your selfs , or look at my source below.
 

Now what ? Now i JuMp iN JoY  !! :-)
When i run LinDM.EXE , the TV program is loaded and .. No NOISE !! LinDM Locks Lock #2 for 3 seconds , just enough
time for the calibration stage to end ,then it Un-Locks Lock #2 , letting the TV program to run it's course , still giving me the
option to Mute the speakers within the TV program.

BTw , there's another little bug in this program : when u set theMuteOption ON , and exit the dialog asking if u want to keep the audio in the backround still appears . It's pretty useless , so to make the dialog go away when Muted Change the byte at 0000743E from 41h to 27h (in TV.EXE). This is a pretty travial 'crack' so i'll skip the explanation.
 
That's it , i hope u enjoyed and learned from this .

To EveryOne :
So what's the lesson here ?
When the spray doesn't kill the bug , u can always use the hammer ! ;)
There are sometimes easier / simpler ways to crack something ..u just need keep your eyes OpEn and keep in mind that by using Logic you can save time ,so don't be afraid to use it ..

To SoftWare Programmers :
Please take a minute to look at your program from a side view, and fix whatever u can find before u release it. It took me 2 days to do the above , but I'm sure u can do it in 2 minutes with the full source ..
The release date Can wait a day.

To +Reverser :
I see u hold the record for the most time without TV (as a 20th century man , i mean ..) Before u discard it , here's a little note : TV , much like the internet, can entertain , but can also enrich . U just need to know where (and when) to look ..
May I suggest 'The Discovery Channel'? Or CNN (to keep cracking reality ;) ? Or Babylon 5 ? ;-)
(Besides , TV is the best thing to do when disassembling or downloading large filez .. )

Greetings:
PC members , +reverser and all +HCUkers , friends . :-)

------ Cut here ------

;------      LinDM.ASM        -------
;Should be compiled with Tasm 5.0
;Use the following to compile:
;
;tasm32 /ml /m3 /z /q LinDM
;tlink32 -x /Tpe /ap /c LinDM,LinDM,, import32.lib

.386P
.Model Flat ,StdCall
UNICODE = 0
Extrn           ExitProcess:PROC
Extrn           mixerSetControlDetails:PROC
Extrn           GetTickCount:PROC
Extrn           WinExec:PROC
SW_MAXIMIZE     EQU     3

.Data
;--------------------------------------------------------
hOBJ    dd 0                  ;Handle of the mixer device.
        dd 12345678h          ;Use winice to get INTO the mixerSetControlDetails function
        dd 0                  ;to see that this is the Handle's structure.
        dd 41h
                              ;The Mixer Control Details (MCD) stucture :
MCD     dd 18h                ;Size (in bytes) of MCD
        dd 14h                ;Control-ID (11h => Wave, 12h => Midi, 13h => CD, 14h => LineIN)
        dd 01                 ;Number of channels
        dd 0                  ;Handle of owner
        dd 4                  ;Size of Data
        dd OFFSET Data
Data    dd 1                  ;0 => DeMute , 1 => Mute

Time1   dd 0                  ;Holds beginning time
CmdLineData db "C:\VHTV\TV.EXE",0       ;Command Line to run the TV program.

.Code
;--------------------------------------------------------
Main:
     Call mixerSetControlDetails , OFFSET hOBJ, OFFSET MCD, 0             ;Mute LineIN like the mixer does.
       Cmp eax , 0
       Jnz Exit_                  ;Exit on error

     Call WinExec , OFFSET CmdLineData , SW_MAXIMIZE                               ;Run the program
       Cmp eax , 31h
       Jna Exit_                  ;Exit on error

     Call GetTickCount
       Mov dword ptr Time1 , eax

@1:  Call GetTickCount
       Sub eax , dword ptr Time1
       Cmp eax , 0BB8h            ; 0xBB8 = 3000 milliseconds = 3 sec
       Jna @1                     ;Loop if not delayed enogth
 

       Mov dword ptr Data , 0     ;De-Mute LineIn
     Call mixerSetControlDetails , OFFSET hOBJ, OFFSET MCD, 0     ;Unlock Lock #2 ;)

Exit_:
     Call ExitProcess , 0

End Main
;--------------------------------------------------------
------ Cut here ------

Phrozen_q@CyberDude.Com
sEE yA :)
-Q
 



USEFUL
Programmers' corner

redhomepage red links red anonymity +ORC redstudents' essays redacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_reverser
redIs reverse engineering illegal?