f.lux hotkeys modification

I’ve started using f.lux some time ago and now I cannot live without it. But there is one disadvantage considering my use case. Whenever I want to see a movie (which is usually at evening when f.lux is making everything reddish) I have to disable it manually. Through context menu. Because hotkey allows you to disable it only for one hour. And my movies usually are longer than that. So what can I do? Fire an IDA, of course.

f.lux debugging #1

Where to start? I’ve tried to find string that is shown after pressing these keys (ALT + END): “for an hour” and “f.lux is back”. Strings window found it at address 0x483850 and 0x483860 (f.lux v. 3.10 for Windows). IDA could find only one reference to these addresses in single function sub_458330. Great, lets put breakpoint at the beginning of this function and lets see what happen.

Breakpoint will hit frequently after the program starts. It must be some kind of message processor. Ok, lets put breakpoints on lines referenced to strings (0x4585D6 and 0x4585E2 – see picture on the left) instead of begginig of function. Now we can see that it hits only on hotkeys, but not on menu click. Great.

Looking around this place we could find an interesting value. At address 0x4585B9 there is label pointing to double float:

.rdata:00490240 dbl_490240 dq 3600.0

3600 which is number of seconds in hour. Coincidence? And what is this strange fld instruction? Probably some mov with float argument. Lets find it.

I’m not sure but it looks like this value is placed on the stack as argument to sub_452BD0 function. Lets break on this function and try to modify the value on the stack. I found online float to binary converter here http://babbage.cs.qc.cuny.edu/IEEE-754.old/Decimal.html. I’ve tried to change this to 10 secs, which is 0x4024000000000000 (use double precision). It works, so all we need to do is to patch executable with value corresponding to 3 hour time or so and maybe change strings accordingly, right?

Why not “disable until sunrise”?

Why not just remap ALT + END to call this function? It has no shortcut whatsoever. Lets find this string. It is used at address 0x457DD0 as parameter to AppendMenuA function. But it is here registered, not executed. Maybe we should try different approach: lets find xrefs to sub_452BD0. We should find proper message processor associated with menu this way.

There is five of them. Lets break on four yet unexamined. This way we will detect the one called by menu. As we can see, it is 0x457FCF. But wait, there is similar code next to it.

Only difference is in timeout parameter passed to our function – it is -1 this time. Is it some special value to indicate this “until sunrise” mode? Lets find out. We already have breakpoint in here, so we only have to click this option from menu. And it breaks!

Finally our hack comes to modify this single value at address 0x4585B9 (hotkey handling function). Or I suggest to modify instruction to load value -1 from address 0x4901F8 instead to not affect other places where this value is used (and there is several such places). And maybe changing string “for an hour”.

Oh wait, “until sunrise” is too long to fit in there! What now?

Don’t worry, there are at least two possible solutions. We could use another string here. “Until sunrise” is presented at 0x483888. And if you want string that starts with lower case, you could use “Disable until sunrise” at 0x483724 but skipping the first word.

If you still couldn’t find any useful string, you could always add new one. At the end of .rdata section there is more than 400 bytes unused. You can put your string there. Don’t forget to update virtual size of this section in section header.

Unfortunately f.lux license forbids me to publish modified version. Instead, I would present patching instruction in form that it would be easy to patch with any hex editor.

Format:
address: original value -> new value
where address is file offset hexadecimal value.

"Until sunrise" patch:
579BB: 40 02 49 00 -> F8 01 49 00
579D7: 60 38 48 00 -> 2C 37 48 00

"3 hour" patch:
8F640: 00 00 00 00 00 20 AC 40 -> 00 00 00 00 00 18 C5 40
82C60: "for an hour" -> "for 3 hours"

Porting AutoMapa 6.10 to SIMPad

Yes, I bought new SIMPad – most powerful model SLC.

My last port of AutoMapa is a little bit outdated so I decided to port the new version (6.10B). After changing architecture differences (same as in my previous port) new problem arose – missing function imported from coredll.dll. It is imported by wce24Am.exe by ordinary number (1777). IDA claims that it is EnumDisplaySettings. It appears that this function is never used, but I’m not sure. It returns 0 when fails.

I changed the ordinary number in IAT to 113 (good as any other value exported by coredll.dll) and changed the calling routine to nop instruction. Now it will always return 0.

Unfortunately, AutoMapa developers claims that this is the last version of this product for Windows CE 4.20.

automapa-simpad_6_10.zip

Porting AutoMapa 6 to SIMPad

About two years ago I bought a Siemens SIMPad tablet. It is an old ARM-based 8,4″ touchscreen device with Windows CE 4.1 on board. It’s not a secret that I get it to play around with – I like vintage hardware like this.

Unfortunately Siemens was never released WinCE 4.2 for his product, last of the 4.x line system which is required for many programs. There is pack of dlls for SIMPad to run some of them (google for simpad fake dlls), also there is program changing PE headers which modify minimum system version required to run. But many programs still cant run. One of them was AutoMapa (for navigation).

I’ve started to investigate what’s the reason – I’ve googled for information. It found out that AutoMapa (wce42Am.exe) is compiled for ARMv5 instruction set with some additional instructions called Thumb mode and SIMPad CPU – StrongARM has only implemented ARMv4 (without Thumb mode). Without sources – sounds impossible. But it is not.

Continuing my investigation I discovered that AutoMapa never gets into Thumb mode – it run in default ARM mode all the time. It do however uses one new instruction:

BX Rx         (hex: 1xFFF2E1)

Rx is one of the registers (R0 – R15). This instruction is described as branch and exchange. It is unconditional branch to the address from Rx register. If bit 0 of the Rx is set, CPU enters in Thumb mode and starts to process instructions in Thumb instruction set from given address. But, as I mentioned before – AutoMapa never goes into Thumb mode, bit 0 of this register is always cleared. We could replace this instruction with some ARMv4 equivalent which could not change execution mode but just jump into location through register. In ARMv4 we have:

MOV PC, Rx    (hex: 0xF0A0E1)

Which moves value from Rx register into program counter. Both instructions are 4-bytes long so I just replaced every occurrence in code section of PE file. I’ve done it by WinHEX replace options because there was too much hit to made it by hand (almost 2000 replaces). In standard ARM mode every instruction is 4-bytes long and must be located at addresses divisible by 4 so if we check only dwords located at proper addresses there is only a little chance to modify something which is not an instruction.

Next thing to do is to modify PE headers. I’ve changed Machine Code entry (offset 0x10C) from “ARM Thumb” (0x01C2) to “ARM” (0x01C0). Required WinCE version is held in Major and Minor Subsystem Version – I’ve changed Minor (offset 0x152) from 20 to 10 (from 4.20 to 4.10).

After replacing file on SIMPad – AutoMapa started up without any trouble. Maybe a little slow, but usable. But it works! Without any crash or error. Unfortunately I have no longer any SIMPad device to take photo, but I start thinking of getting one 🙂

automapa-simpad_6.zip

My old Siemens patches

Siemens SL45i (or SL45, SL42 – it’s the same phone) is – in my opinion – the best cellphone of it’s time. I spend a lot of time reversing it’s software and try to making it better by developing patches. Scene of patching this phone was very busy, hundred of patches was developed. In some point, RizaPN, most recognizable patchmaker created “Binary File Access” – patch that allow us to load and run executable files from memory card. I’ve developed some of that files, even wrote a simple game. I collected all patches which I still have. Some of them are missing, so it is not complete pack, but the most important ones are present. If you have any of my missing patches – please contact me.

Some of the most productive patchmakers which I’d like to recall are: RizaPN, lalo.lerry, mamaich, Chaos, DeadManS, rc-flitzer, ValeraVi, vBart and many others. Thank you guys.

My patches for Siemens SL45i – pack of V-Klay patches contains Thermometer v1.2, MP3 indicators v3.1, Fast animated logo, Green button function, Playlist MP3 instead, Buttons Animation, Band selection and Auto OC. Some of them are documented with assembler source code.

My apps for Siemens SL45i – pack of binary executable files (bin) contains Archer (simply arcade game), Playlist Converter, Thermometer v1.1 and OC Info. With sources.

Siemens SX1 – I developed several flash patches between March and December of 2007. This patches are in sxpr format – it is APatcher format. Just to see files you could use Microsoft Word, Wordpad or OpenOffice Writer. This files contain some Wordpad formatting so it is not convenient to open them in notepad.

My patches for Siemens SX1 – all my patches are collected in single archive. The most complex one (date and profile name in mainscreen) contain assembler source. List of patches in archive: Disable Low Battery Message and sound, Don’t change backlight level in camera, Change camera standby timer, Change camera standby timer v2, Disable Selected profile message, Don’t display profile name in mainscreen, Display date and profile name symbol in mainscreen, Don’t show OpLogo picture, Display date and profile name symbol in mainscreen v2, Don’t show profiles in shutdown menu.