Pixel shifting

July 22nd, 2008

Every picture is worth a thousand words, they say. In total, I’ve written the equivalent of 13 pictures in this blog. I thought I’d have at least 50, but apparently I don’t write that much. For the fourteen-thousandth word, I’ve decided to create an actual picture. Sadish’s MistyLook has served me well for a long time, but I felt it was time for a change and so this new theme was born. It’s not perfect yet and I’ll probably keep working on it, but I really like it and it fits me well.

It was quite fun to create this new theme. It allowed me to resurrect deeply buried skills I thought I’d never touch again. I’ve also learned that I need a Wacom tablet, Firebug is priceless, CSS is even more powerful than I remembered and Kim’s Lakers pen is a life saver.

Intelligence quotient

June 19th, 2008

Humanity is doomed. We are just too brilliant to keep on living. Everyone can feel it, but like the sheep we are, we fail to notice the looming cliff ledge, slowly pacing towards our inescapable demise. We have outgrown our intellectual capacity. Any bit of information added since 2781 BC brings destiny a step closer. We are facing imminent extinction by the hands of our own wisdom.

Being the average sheep herd we are, we have our share of black sheep. Some of them have taken it upon themselves to enlighten the herd and warn us of the danger looming ahead. News networks all over the globe are alerting the homo sapiens species of the grave dangers unfolding in front of their unsuspecting herd. Every self-respecting website publishes at least one article spelling out the well known fact that technology is extremely dangerous. Not even one newspaper failed to bring forth today’s hot headline - “Modern day technology is the bane of our existence”. Radio broadcasts elaborate - “It thins out the herd”. Ewes, rams and lambs alike all know by now that using technology limits the herd’s collective intellect, slowly turning it to a crowd of brainless zombies, unable to care for themselves.

Black sheep have successfully taught us to hinder inventions such as GPS, the Internet and computer games. Sadly, they were too late to do the same for thesaurus, books, pen and paper, wheel and fire. Those unholy inventions and discoveries have already taken their toll on the herd. Young lambs no longer look for words in the dictionary, but find them in two keyboard strokes; ewes no longer tell stories around the fireplace, but write them in books available for all; rams no longer draw on cavern walls with charcoals, but paint with too much detail and too many colors on cloth; herds no longer break their legs and perish on their way to neighbor herds, but drive in air-conditioned cars with leather seats; sheep no longer get ill of uncooked meat, but devour delicious seasoned steaks. The herd has agonized for thousands of years without even realizing it.

Clearly, scientific inventions and discoveries that ease everyday lives are the devil’s brainchild. Those who know they know nothing and keep on trying to disclose as many of the meadow’s great secrets as they can are nothing but mere devil worshipers. Sheep that fear not looking beyond the grass that lies before them do nothing but harm. Foul creatures that dare share their fruit of labor so that the entire herd may advance and excel are inconsiderate, egocentric and self-serving sinners. Those who define the very meaning of being stupid by negation are the horsemen of the apocalypse.

I call to you today my fellow sheep — let us put an end to this morbid state of affairs. Let us break this vicious circle of knowledge passing, stop this vile orgy of technology and return to our lonely roots. Let us burn Google on the stake, melt our GPS-capable iPhone, demolish our libraries, drown every type of vehicle, incinerate all the books, halt all scientific progress and go look for red round small things in the big place with the green and brown big stuff where the other lamb just goed.

Dominical update

March 30th, 2008

9 out of 10 open-source experts advocate frequent releases. We, the simple people, don’t know better and should listen to the experts. Sadly, we simpletons still don’t know how to read and so the fine print eludes us. While we all may be good and obedient developers, the users don’t care for our frequent releases squashing our colossal bugs and featuring our shiny new toys. The more frequent our releases, the more frequent the reports of bugs fixed long ago and of features that shined and sparkled in ancient times but are now filled with rust.

Ghost versions of the past haunt us daily while users refuse to upgrade. Our innovative forefathers, suffering immensely from this plague, had uncovered the great potential of automatic updates. No longer is the user able to flee his ordained destiny. Fate shall pop-up and fulfill itself even with the absence of user interaction.

But even this sparsely applied method carries its own fine print. A boilerplate implementation includes a web server containing the latest version number or even a server-side script that ever so nicely checks for the user whether his version is expectedly old. As with everything else, here too success brings failure. As faithful users gather their masses around our monthly-polished releases, the web server begins to break down. Most web servers, especially those that poor open-source developers can afford, do not offer load balancing and will easily succumb to the sheer amount of bandwidth generated by thousands of users performing even the simplest of GET requests.

Enter DNS. The Domain Name System is a distributed and globally cached system that basically maps domain names such as nsis.latest-version.org into numbers such as 2.36.0.0. And it gets even better — foreign sources report there are free DNS servers out there, waiting to be used. Services such as dyndns.org offer a simple HTTP-based API that sets a new IP for a free domain name. Creating a new version notification service is as simple as creating a new free domain, updating it every time a new version is released, calling inet_addr when the client-side loads and comparing the result to the current version.

This free and simple solution provides many advantages over a conventional HTTP-based version check.

  • Automatic load balancing with servers all over the world.
  • Simple code with no need for complex HTTP libraries.
  • No need for relatively heavy HTTP operations for both client and server.
  • HTTP proxies do not get in the way.
  • Firewalls and the entire security fiasco usually overlook DNS.

And as always, there are disadvantages.

  • Updates take time to propagate.
  • Only 3 bytes of information.

Set the first byte to 127 so that the IP associated with your update domain is invalid. This way, whoever is at 2.36.0.0 won’t get any unwelcome traffic.
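The scheme above, as an added example that is not the author's or NSIS's code: the version is assumed to be packed as 127.major.minor.patch, the lookup uses POSIX getaddrinfo (inet_addr only parses dotted-quad strings), and any answer outside 127.0.0.0/8 is rejected rather than read as a version. All function names here are illustrative.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum { VER_INVALID = -1, VER_CURRENT = 0, VER_UPDATE = 1 };

/* Publisher side: text of the A record to set, 127.major.minor.patch. */
int encode_version(unsigned major, unsigned minor, unsigned patch,
                   char *out, size_t outlen) {
    if (major > 255 || minor > 255 || patch > 255) return -1;
    int n = snprintf(out, outlen, "127.%u.%u.%u", major, minor, patch);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Client side: compare a resolved address with the running version.
 * An answer outside 127.0.0.0/8 did not come from the publisher's record
 * (captive portal, NXDOMAIN redirection, spoofing) and carries no version. */
int check_address(struct in_addr a, unsigned major, unsigned minor, unsigned patch) {
    unsigned long ip = ntohl(a.s_addr);
    if ((ip >> 24) != 127) return VER_INVALID;
    unsigned long latest = ip & 0xFFFFFFUL;
    unsigned long mine = ((unsigned long)major << 16) | (minor << 8) | patch;
    return latest > mine ? VER_UPDATE : VER_CURRENT;
}

int check_dotted(const char *dotted, unsigned major, unsigned minor, unsigned patch) {
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return VER_INVALID;
    return check_address(a, major, minor, patch);
}

/* Resolve the update domain (A records only) and check the first answer. */
int check_update(const char *host, unsigned major, unsigned minor, unsigned patch) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL) return VER_INVALID;
    struct in_addr a = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return check_address(a, major, minor, patch);
}

int main(void) {
    char rec[16];
    if (encode_version(2, 36, 0, rec, sizeof rec) == 0)  /* constructed sample */
        printf("%s -> %d\n", rec, check_dotted(rec, 2, 35, 0));
    return 0;
}
```

A plain DNS answer is unauthenticated, so VER_UPDATE is best used only to tell the user a newer release exists; the download itself still needs its own integrity check.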

I am probably not the first to think of this, but it is a cool idea nonetheless. I’m so going to implement this for the next version of NSIS! :)

Mediacentric

February 8th, 2008

Over a year has passed since the NSIS Media menace. Mostly good things have happened since. I figured this could be a good time to recap and summarize.

  • Download.com no longer contains NSIS Media infected downloads. I’ve received no response to my queries, so I assume I had nothing to do with it.
  • NSIS Media malware update servers are no longer operational.
  • I have received only one e-mail complaining about NSIS Media over the last year, compared to the dozens before I released the remover.
  • My remover was downloaded approximately 10,000 times from my website and probably a bit more from other websites as well.
  • My lawsuit has failed miserably. I was trying to get back at Opensoft/Openwares and all of their Vanuatu-based friends with the help of the Software Freedom Law Foundation. We tried to track down someone we could sue, but failed. After a few unanswered queries and answers pointing in multiple directions from various related companies, the search was sadly brought to a halt.
  • I was contacted by F-Secure for details of NSIS Media. I seem to recall there were more companies that asked for my help, but I can’t find the e-mails proving it.
  • Most anti-virus or malware removal applications I’ve tested find only the most common infections of NSIS Media and skip the rarer DLL files.
  • Opensoft is still up to no good.
  • Openwares is still alive and kicking, spreading malware and using NSIS but no sane user will surf to that website.
  • I have received no donations for my research or for creating the remover.
  • I still don’t make 1000$ a day :(

So there you have it — the story of a deceased malware. I’d like to think I took at least a small part in its demise.

Bigotry

February 8th, 2008

Ladies and gentlemen, we interrupt the silence schedule to bring you shocking news. Hatred has reared its ugly head on the forsaken grounds of our dear old friend — Windows 98. It appears the bigots have set a new target for their cynical and non-politically-correct persecution. Big-boned dialogs and initialization-limited rectangulars are shamelessly discriminated against and abused for no acceptable reason. Exceptions, overflow errors, division errors and antique dialogs were thrown at the victims, reports say. We were unable to get comments from the alleged bigots.

We were unable to get pictures from the event, but luckily, it can be easily reproduced.

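#include <windows.h>

// Dialog procedure that handles nothing
BOOL CALLBACK proc(HWND h, UINT m, WPARAM w, LPARAM l)
{
  return FALSE;
}
int main(int argc, char* argv[])
{
  char dt[24] = {0,}; // all-zero DLGTEMPLATE plus empty menu, class and title
  RECT r = {32757,};  // left = 32757, remaining fields zero
  HWND dlg = CreateDialogIndirect(
    GetModuleHandle(NULL),
    (LPDLGTEMPLATE) dt,
    0,
    proc);
  MapDialogRect(dlg, &r); // BOOM!
  return 0;
}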

Dood…

November 19th, 2007

HAPPY BIRTHDAY!

Birthday cake

The green wire

October 15th, 2007

Apparently, I’m a brainless lump of amino acids mixed with some calcium and water wrapped in keratin. As it turns out, if I had the choice, I’d spontaneously set myself ablaze at the very first opportunity I stumble upon. If I see a ledge, I will delightfully leap ahead and form a charming crater. If I hear a car, I will undoubtedly try to stop it by hand so I can greet the driver. If a gun happens to find its way into my arms, I wouldn’t even pause to ponder and surely pull the trigger. If I become disoriented and wind up in a bar, I will purchase pure ethanol, pour it over my barren head and implore the barman for a zippo. Yes, I’m just that ignorant.

Electricity is another fine example of scary and absurd technologies fools like myself should evade. By far one of humanity’s most hazardous discoveries, this vile and corruptive force has been known to claim the lives of innumerous poor souls. It is a widely known fact that over a hundred of this world’s brightest minds buy a one-way ticket to the buzz train every single day. Thousands of households are desolated every passing minute due to electricity related complications. 8 out of 10 doctors advocate electricity-free households. Edison rolls in his grave and children weep over their lost innocence.

I was therefore not surprised to learn I was denied access to 220v-110v wall socket adapters. Usage of such mischievous tools could result in serious harm to body and property. Failure to properly connect an adapter to a wall socket could incite a fire. Failure to properly mount the cable into the adapter could result in immediate annihilation of the human race.

Hope of a better future overflows me when I learn eggheads responsible for saving me from myself have deemed this doomsday device inappropriate for mass consumption. Despite my futile attempts to dislodge the northern hemisphere by connecting my camera charger using an adapter, I’m still here to tell the tale. All I had to do was halt my quest for an adapter before the third mall and resort to soldering some spare metallic parts, unearthed from the darkest corners of the house.

Triple double U

August 9th, 2007

Since around 1995, I’ve been using the web in one way or another. In those days, I would have been amazed to even notice the slightest proof of recognition on a face in response to the word modem. Today, on the other hand, I can’t walk on the street without hearing or seeing something related to the internet. Despite its ever growing popularity, it still carries with it a distinct odor of technology.

Just the other day, I embarked upon a quest for retrieving information on an everyday object with which I could extend my knowledge. What would later seem obvious caught me by surprise when, lucky as I may have felt, searching Google for apple resulted in what can only be described as a horrific synthesis of metallic, glossy and white alloys of plastic and aluminum; and not the sought sweet and divine composite of texture, taste and aroma I had expected. Quickly I realized my mistake and, not feeling lucky anymore, I commenced on a far less ambitious journey in the depths of the search results to find my craved fruit.

For all of those innocent souls out there looking for the tasty fruit like myself, allow me to dedicate this post and donate my page rank to 1up the original apple. Link by link, the web shall one day become humane.

Genuinely later

June 28th, 2007

On every second Tuesday of the month, Microsoft indulges us with a slew of updates ranging from trivial to critical and sometimes even truly superior. Sadly, not even the most ardor imbued zealot of Windows rejuvenation can bring the updates to life without a reboot. To ensure everyone does reboot, Microsoft has added the lovely “Restart Now” dialog we have all come to cherish.

Distressing as it may be, while loved and cherished, the dialog is often the center of attention in the Windows loath-fest. Getting rid of it, however, isn’t that difficult. All it takes is killing one service.

net stop wuauserv

But what if yours truly is not near the computer on patch Tuesday and the dialog starts its cheerful countdown to complete and total annihilation of the current session? While skimming through some Group Policies, I’ve noticed there’s one for disabling this annoying reboot countdown. Simply create a DWORD named NoAutoRebootWithLoggedOnUsers under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, set it to 1 and say bah-bye to Microsoft’s equivalent of the dreaded ad pop-up.

Microsoft’s Tim Rains has more details on the subject.

Atomic codes

June 16th, 2007

I had some fun today trying to figure out why Banner likes to hang around with .NET so much so it wouldn’t even leave. I found out that while being destroyed, something tries to send messages to the main dialog. But the main dialog is busy with destroying the banner. I added exactly two iterations of the famous win32 message loop and everything started working. I still don’t know why those messages are sent or why it’s so important they’ll be answered before the banner is destroyed or even why it happens just with the .NET installer. And don’t even ask about different synchronization methods that make it tick. So far, I’ve found only smoke signals and the fire extinguisher won’t last much longer.

Of all the signals, I liked the message loop the most. It actually points to something I’ve done wrong. I’ve starved the main dialog’s thread while creating a modeless dialog as its child. That’s why I dug in further into those two iterations of the loop and those two messages that it processes. It turns out both of them had the same identifier - 0xc0c3. Now that’s no regular WM_ message… That’s a message registered with RegisterWindowMessage. But which message is it? That’s where the fun starts. There’s no GetRegisteredWindowMessage API available and nothing on the topic comes out on Google.

So with no leads to follow I started digging. Normally, to give a certain string a specific value in Windows, an atom is created. And indeed, 0xc0c3 is in the range of named atoms. To make things even simpler, in WINE, RegisterWindowMessage simply calls GlobalAddAtom, casts ATOM to UINT and returns. Great, then GetAtomName or GlobalGetAtomName should do the trick. Only reality isn’t as bright as WINE would like us to think. It turns out RegisterWindowMessage uses a different atom table for its messages. But which atom table and how can you even specify a table with GetAtomName?

To specify a table, a low-level access to RtlLookupAtomInAtomTable is required. But that function is deep inside ntoskrnl.exe. So, up one level and you get NtUserGetAtomName which uses the same atom table as NtUserAddAtom which is the function RegisterWindowMessage calls. But that’s inside win32k.sys… Luckily, user32.dll already handles that. It has a stub that calls NtUserGetAtomName at 0x7E41FA8E. Some playing around with the second parameter which turns out to be UNICODE_STRING and the atomic table is in hands’ reach.

Engines off, coding fingers down, digging complete and the message name is MSUIM.Msg.Private. That too gets little to no results on Google, but who cares… Debugging is fun :)

For any of you who’d ever want to convert a registered message into a readable name, here’s the NSIS code. Replace 0xc0c3 with the message identifier and 0x7E41FA8E with user32!NtUserGetAtomName and you’re good to go.

# the atom
StrCpy $2 0xc0c3
;System::Call user32::RegisterWindowMessage(t'test_message')i.r2
# create UNICODE_STRING
System::Alloc 1008
Pop $R0
StrCpy $R1 0
StrCpy $R2 1000
IntOp $R3 $R0 + 8
System::Call *$R0(&i2R1,&i2R2,iR3)
# call NtUserGetAtomName
System::Call ::0x7E41FA8E(ir2,iR0)i.r1?e
# parse UNICODE_STRING
System::Call *$R0(&i2.r4,&i2.r3,w.r0)
# print details
DetailPrint "user atom's name is $0"
DetailPrint "length is $4 (???)"
DetailPrint "NtUserGetAtomName returned $1"
Pop $1
DetailPrint "GetLastError() = $1"
# done
System::Free $R0