2006-06-30
All reason has failed, it's time for some transparent flaming of Laurence's response to my previous post.
I do not have the time or inclination to install each one to find out if it is in the default package selection, ...
Don't worry, I'm more than happy to do it for you. It appears that (k)Ubuntu, Mandriva, Fedora and SUSE don't ship with the packages in their default install.
..and even if not it’s still a single tick-box away and can be installed from the installation media rather than a large download away.
Where did you get this installation media from, just out of interest? Did you download them, say, a DVD iso? Sounds rather large, if you aren't going to be installing most of the packages by default. Maybe you didn't download them and paid someone like The Linux Shop to ship them to you? You may not be aware that Microsoft offer a similar service, for instance, they allow you to order the platform sdk on a low-cost cd.
..it took 3 searches and 20 minutes following various links to find a download page for Visual Studio Express Edition.
I think we might need pictures here.
- First of all we're going to visit the website of a popular search engine, known as Google. You may have heard of it. We're looking for "Visual Studio Express Edition", so go ahead and enter it into the box, no quotes.
Click "I'm feeling lucky", as indicated in the above image.
- This'll get you to the Visual Studio Express Edition home page. From here, we have to decide which version of VSEE we're after For Windows Development. At random, I've picked the C++ edition, so click Visual C++ 2005 Express Edition. Another screen capture is provided if you are having problems locating the link:
- We're aiming to download it, so, here, click on the large DOWNLOAD NOW link. No arrows required here, I hope.
- Again, click "Download":
- That's all. If, however, you'd prefer to manually download the file as opposed to using Microsoft's download manager, you may want to select manual installation instructions here.
By my count, that's four mouse clicks from the google home-page. The Direct-X SDK is three.
Additionally, once downloaded and installed I still have to add the library paths for DirectX’s libraries to the search paths for any project requiring them.
Visual Studio has a global library path, very useful for these library things. It even has a nice GUI to configure it! To access it, under Visual Studio 2005, follow: Tools -> Options -> Projects and Solutions -> VC++ Directories -> Show directories for: Library files.
Any path added to there will be searched by your project.
...As far as I can tell (I may be wrong) this ’standard’ is a de facto standard and applications do not have to comply if they do not want to....
I wasn't referring to the labeling of the menus, I was referring to the fact that they will be accessible via alt keys (if they exist at all), and that windows will attempt to fill in any access keys that the application has failed to specify, meaning that you'll always have a consistent interface.
Hope that helps :)
2006-06-27
I just read I don’t want it to be intuitive, I want it to be useful, and felt that it needed a reply:
The major fall of Windows is the lack of a development environment by default. Under (almost)every Linux distribution...
Besides the fact that the (vast) majority will never need or want to compile anything, the top four linux distros (according to DistroWatch), as far as I know, don't come with a compiler in the default install. That's hardly "(almost) every".
I have to go to the website of each of the libraries I need...
Not for any of the libraries that are included with Visual Studio, such as the list of them in the Platform SDK (all 198 of them), and the optional library packs such as the DirectX SDK.
What you mean here is that the maintainers of many libraries that are freely available on the internet are not catering fully for those of us developing on platforms that aren't UNIX-like, and aren't using gcc and bash?
perhaps Microsoft should take the time to actually make the system useful
Windows ships with many productivity tools, most of which cause incredible levels of complaint from people from a UNIX background, and/or work so well that they aren't noticed. The whole network configuration system (including dhcp/ppp/firewall/auto-time-sync/wireless/SNMP/UPNP/SMB/WNB/..), for instance. Do any linux distributions have this level of utility in the base install? I'd guess that, for a binary system (which those 4 linux distros mentioned were), networking is slightly more important than a compiler?
so I don’t have to use the menus..
Windows has this wonderful thing known as a standard (unless, say, the application was built against something vile such as QT or Mozilla's engine) with respect to the menu being drawn, such that you know that all of the menu items should be accessible through a "chord" of alt+a series of other characters. Applications tend to follow sequences, too, like Alt->f->s for File-Save. Does that count as using the menu, or as hotkey? I'd vote for hotkey.
configuring appropriate shortcuts..
I'd recommend TextPad, it's really great once you switch it to Windows-compatible hotkeys mode. ;)
Windows is already intuative enough.. [sic]
So, Windows is both intuitive and "more useful" for 95% of the computer-using population (ie. the non-developers)? I wonder if this explains some of its market share?
2006-06-16
Recently I switched this blog, and my other sites, over from Apache to lighttpd, which, along with having a much lower memory footprint, seems to be faster (with FastCGI) than mod_php.
This was an attempted response to this blog's terrible uptime; it seems that certain versions of libc6 (2.3.6-7), such as the ones that have recently entered Debian Testing, cause mysql to be unstable under UML, which is what my hosts, Bytemark, use. It didn't help, although a recent libc6 update (2.3.6-13) seems to have improved things somewhat.
Now, assuming here that people actually read my blog, it's been submitted to various sites, such as Planet CompSoc and Technorati. Once there's some relevant content, it'll hopefully end up on Planet 3yp, too.
Last thing, I dislike WordPress' default theme, on account of it being fixed width, and failing to render correctly in Opera. The theming engine is hindering my work on an alternate theme, having failed to find one I like. Flex, a css-only theme for WordPress, may be able to save me some grief here.
2006-06-04
Mid-revision session I suddenly (as you do) felt the desperate need to check on the temperature of various things in my case, and I noticed that my XFX 6800GT was idling at roughly 105°C. Toasty. I could have sworn that it was idling lower than that before, but it was still below the threshold (127°C), so I left it. This is probably Nvidia's fault.
Coincidentally, my set of 3d glasses had arrived, so I decided to have a play. This involved installing the Nvidia stereo drivers, which are only compatible with the 78.01 drivers, which are two (if you include the betas) major versions out of date, and hence won't run most top-end games. Bad Nvidia.
The sample application that comes with the drivers, however, shows the quality that these glasses are capable of, even in "beginner mode". Outstanding (ahaha). Good Nvidia/Edimensional.
Then my desktop blue-screens. The card had overheated, this is without any overclocking, without touching the heatsink, and with three 120mm case fans. Bad Nvidia.
I decided to try and underclock my graphics card (to cool it down). Firstly, the overclocking widget works as a limited user, which isn't a particularly good idea, especially seeing as when trying anything but a trivial underclock; it hard locks the machine. During slightly less serious underclocks, the automatic tests fail, and the widget informs me that I need to try a "lower speed" (hah). Bad Nvidia.
Taking the machine apart, removing the graphics card, removing all visible dust/dirt/etc., reseating and reattaching the power cable (yes, that took a few power cycles to work out) seems to have fixed, or at least temporarily subdued the heat problem, however.. now.. upgrade time?
Update:
It seems that eDimensional's support site has more recent versions of the stereo (and their companion) drivers. A quick examination suggests that these were packaged by the same people as the copy on nVidia's site, from which I'll conclude that they come from nVidia... so.. why don't they offer them on their site?
Update 2:
They do, finally. The 91.31 Stereo Drivers are available by following through the nVidia Driver Wizard. Yay nVidia!
2006-05-27
Following my fun with MacroMaker, I decided to try something slightly more challenging, something that seems to irritate quite a few people running as LUA... the fact that you can't access the Date and Time control panel, even in read only mode.
The only (sensible) work-around is to allow the user to change the date and time, but this raises quite a few security concerns, as a few applications depend on the system's clock being close enough to correct.
Anyway, I wanted to run the Date and Time control panel applet as a limited user, just so I can use it as a calendar. Cracking tutorial follows, page down if you aren't interested.
The file we're hoping to attack is %windir%\system32\timedate.cpl, copy it somewhere sensible. As it happens .cpl files are just dlls, unfortunately OllyDbg's LoadDLL wrapper doesn't seem to understand them. If you check the association, they're set to open with rundll32, ie.
rundll32.exe shell32.dll,Control_RunDLL "c:\desktop\timedate.cpl"
The DDE stuff doesn't seem to matter, luckily.
Fire up OllyDbg, the file we're trying to debug is rundll32.exe (make a copy of it if you want, but, as you're running as LUA you can't damage it anyway), with the argument string shown above.
Here is where my knowledge of OllyDbg sucks, I have no idea how to get it to pause on a specific module's loading (which isn't done in rundll32, so isn't breakpointable). Without being able to attach OllyDbg to the timedate.cpl before the code we're interested in (whatever the security check might be), none of the breakpoints will be effective. Damaging the code (manual INT3s) won't help, either.
Having traced (miles) through the code to the point where the module is loaded, it's easier just to hit ctrl+f9 (execute 'till return) 30 times, and the module will have been loaded. Trust me on this. :)
Jump to it from the "Executable modules" window, right click -> search for -> all intermodular calls. The security functions we're looking for are the ones starting with "Zw", ie. ZwAdjustPrivilegesToken, ZwClose and ZwOpenProcessToken. I have no idea where the "Zw" comes from, but I'm guessing that they aren't the standard functions, they are, instead, the "Nt" variants of the functions, as documented by Sysinternals, although this is irrelevant... breakpoint them all, and hit run (F9).
At this point, OllyDbg stops at the LoadLibraryW call. How infuriating. Hit run (F9) again.
Next stop is at one of the ZwOpenProcessToken, aha. The code we're looking at:
58735FCF:
call DWORD PTR DS:[<&ntdll.NtOpenProcessToken>]
test eax,eax
jge short timedate.58735FE0
xor eax,eax
jmp timedate.58736066
Step over (F8) it, and you'll notice that it's returned 0 into EAX. The (standard version of) OpenProcessToken's documentation suggests that it returns a boolean, so our zero would be 'false', as in, function failed.
Hit F8 again, and OllyDbg helpfully tells us that the jump is taken. This (obviously, if you test it by modifying the register) isn't what we want, so edit the code. The 'test' and 'jge' instructions aren't required, so replace them with mov eax,1. OllyDbg will fill in the NOPs for you.
Code fragment now looks something like:
58735FCF:
call DWORD PTR DS:[<&ntdll.NtOpenProcessToken>]
mov eax,1
nop
jmp timedate.58736066
Save the changes to the file, and restart the app. It works! The rest of the calls are either ignored, or have sensible error handling, great.
The applet still thinks it can change the time, but notices (and silently ignores) the case when it can't. Same with the timezone.
The next step would be to be able to make this change on the fly.. overwriting the existing control panel applet with the modified one is, even though it shouldn't make any difference, pushing it a bit. Plus, then it'd even work from the taskbar.
As far as I know, there are no security risks involved in what I just did.. note that everything (apart from reading the association for .cpl files (which I've duplicated above so you don't need to)) was done as a limited user.
If you're too lazy to make the changes yourself, I've got a binary here (for my personal use only, of course): timedate_lua.cpl (sig).
Note: Don't try this one at home, either, kids.
Oh, and for anyone who didn't get the title, it's a response to The Old New Thing's 'The Date/Time control panel is not a calendar', which is clearly lies.
2006-05-06
I was reading the nonadmin wiki and found a link to Lee Holmes' Blog about cracking software to the extent that it will run without administrator access.
I like this idea... the ability to fix 'broken' (NB: Macro Maker was a terrible choice on Lee's part, due to the fact that the 'brokenness' is caused by the copy protection, meaning that any patches for it can't be redistributed) software via binary patching is a great concept.
I tried running through Lee's (probably illegal) tutorial, it seems not to work. It may work if you've run the app as administrator in the past, or if you've opened up anything inside HKLM, but I'm yet to do either of these for any app I've needed to run.
I've used OllyDbg before, so I fired it up. First thing I tried was Search for -> All intermodular calls, which finds an awful lot of references to registry functions (mostly Reg*, but some SHSet/GetValues too).
I couldn't be bothered to fix all those, so I tried searching for the constant, HKEY_LOCAL_MACHINE (fgrep HKEY_LOCAL_MACHINE platform_sdk\Include\* gives you a value of 80000002). This gets a load of hits, too.
Surprisingly enough, I couldn't be bothered to fix all those, either. Essentially, what we're trying to do is fix everywhere that HKEY_LOCAL_MACHINE (80000002) (Windows LUA accounts are much happier writing to HKEY_CURRENT_USER (80000001)) has been used as an argument to a function call.
Following my success with sed on various Linux machines (you don't want to know), I decided to try it the.. er.. 'x-treme' way (under the assumption that it'd break everything horribly).
In most cases the value will have been PUSHed, ie.
PUSH 80000002
This assembles to:
68 02 00 00 80
Fire up XVI32, open up the exe in question...
'Replace All' instances of our offending code 68 02 00 00 80 with the more LUA friendly 68 01 00 00 80.
Save, exit, and try running the executable. It's not invalid (which is impressive) and it seems to actually work fine, but it still brings up one of those nasty error messages. Click OK and.. it works, fine. Next time I run it the error doesn't appear at all.
Quick check suggests that the whole app is working fine. Strange.
That really shouldn't work, should it?
Note: Don't try this at home, kids.
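Why a blind 'Replace All' is fragile, as an added example that is not part of the original post: the five bytes 68 02 00 00 80 can also occur inside a longer instruction, where the replacement silently changes something unrelated. The byte sample and the tiny opcode-length table are constructed for illustration; only the two registry constants come from the post.

```python
import struct

HKLM = 0x80000002  # HKEY_LOCAL_MACHINE, value quoted in the post
HKCU = 0x80000001  # HKEY_CURRENT_USER, value quoted in the post
PUSH_HKLM = b"\x68" + struct.pack("<I", HKLM)  # 68 02 00 00 80
PUSH_HKCU = b"\x68" + struct.pack("<I", HKCU)  # 68 01 00 00 80

# Constructed x86 sample (not taken from any real program).
SAMPLE = bytes.fromhex(
    "6802000080"            # push 0x80000002
    "e800000000"            # call +0
    "c7056802000080000000"  # mov dword ptr [0x268], 0x80
    "c3"                    # ret
)

# Lengths of the only opcodes the sample uses; real code needs a disassembler.
LENGTHS = {b"\x68": 5, b"\xe8": 5, b"\xc7\x05": 10, b"\xc3": 1}

def instruction_starts(code):
    """Linear sweep over code, returning the offset of each instruction."""
    starts, pos = [], 0
    while pos < len(code):
        for opcode, length in LENGTHS.items():
            if code.startswith(opcode, pos):
                starts.append(pos)
                pos += length
                break
        else:
            raise ValueError(f"unknown opcode at offset {pos:#x}")
    return starts

def find_all(code, pattern):
    """Every offset where pattern occurs, instruction-aligned or not."""
    hits, pos = [], code.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = code.find(pattern, pos + 1)
    return hits

def classify_hits(code):
    """Split raw hits into genuine PUSH instructions and accidental matches."""
    starts = set(instruction_starts(code))
    hits = find_all(code, PUSH_HKLM)
    return [h for h in hits if h in starts], [h for h in hits if h not in starts]

def blind_replace(code):
    """What a hex editor's 'Replace All' does: no instruction boundaries."""
    return code.replace(PUSH_HKLM, PUSH_HKCU)
```

In the sample, the match at offset 12 sits inside the mov, so the blind replace rewrites its target address from 0x268 to 0x168 as well as patching the genuine PUSH at offset 0.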