
Watching full-screen flash video on the second monitor while working on the first

Watching flash videos (YouTube and others) in full screen has a couple of flaws that are best fixed directly in the flash library, by patching a few files that appear on the system after the flash player is installed or updated.

Disadvantages:
1) (the main one) a full-screen flash movie or animation leaves full screen when its window loses focus. It is enough to glance at ICQ or Skype on another monitor, click in another browser window, or launch or switch to another program, and the expanded flash mercilessly collapses to its previous dimensions;
2) (also an unpleasant property) each time it expands to full screen, the flash movie repeats the same phrase for 3-4 seconds with the persistence of a robot, interfering with viewing: "Press Esc to exit full screen mode", forgetting that users also have a memory.
The result is given as several rules for a manual patch and as an archive of patched flash player library files for the current version, 10.1.85.3.
Even if you have only one monitor, the second patch is still useful.

(UPD: A follow-up article for version 10.1.102.64 gives a step-by-step method for applying the patches, identical to the one described here; files for that flash version are provided.)

The cure is surgical: a patch program or manual editing of the code. Since we are opening a HEX editor anyway, we will solve the second problem together with the first to use the time more efficiently. Flash versions keep being updated, and earlier tips for improving flash become obsolete.
The patch has to be updated and applied again every time the player is updated. The patch program currently available for Windows may stop working with future versions of the player, so the method and the essence of building the patch are explained below. On Linux you will have to use the manual method described in this article or write something of your own.

Using a ready-made hack (an incomplete solution, for Windows and only some browsers)


The FlashHacker.zip [2] patch program, in its latest version of June 2010 designed for flash v.10.1.53.64, works fine with the current version 10.1.85.3 (from mid-September 2010). As the attached open source code shows, its algorithm is to search for an 11-byte string and replace a pair of its bytes in the file \WINDOWS\system32\Macromed\Flash\NPSWF32.dll, or the equivalent path on Windows 7.

Unfortunately, the victorious reports end there. Beyond that, the program tries to find the libraries for Chrome version 6 and for Opera on Vista (in "%PROGRAMFILES(X86)%"), and does not try to patch Flash10.ocx for IE. In total, it provides a patch for two and a half browsers. For Chrome 6-7 there is another program by the same author, DrizzlyChrome.zip. For the others, you will have to work by hand.

The program has a number of limitations: it works only on Windows, requires the .NET 3.5 Framework, and does not explain how it works. It solves only the first of the 2 tasks set at the beginning of the article.

Elsewhere [8], a serious Visual C and Qt programmer is writing a similar patch, open source and with SVN access, which can also detect flash updates and automatically reapply itself (a feature added in September 2010): IgnoFlash-1.3.1.zip, 4.0 MB. The issue with IE was resolved there long ago; the approach looks more serious.



Manual hacking of the flash library file


Let's move to a deeper level, so that we do not depend on the initiative of other hackers and can do the same by hand for any new version of flash, for any browser, on any OS. This has been partially worked out before us, so I will simply quote the explanation from article [4].

The essence of the hack is to find code in the flash library that looks roughly like this in pseudo-code:
    if (msg == WM_KILLFOCUS)
        jump to kill_focus
    if (msg == WM_PAINT)
        jump to paint
and convert it to
    if (msg == WM_KILLFOCUS)
        nop
    if (msg == WM_PAINT)
        jump to paint
For example, for flash version 10.1.53.64 (and for 10.1.85.3) the surrounding code looks like this:

74 39 83 E8 07 74 11 83 E8 05 75 13 8B

In later versions some of the bytes may change, but the values 74, 74 and 75 (instruction opcodes) are likely to remain unchanged (as we will find out later, this is not quite true for IE). In the section found, we replace the 2 bytes 74 39 with 90 90, launch the browser and check the result. (End of citation.)
In total, the rule for all browsers except IE: in the file NPSWF32.dll v.10.1.85.3 or gcswf32.dll (where these files are located is described below), find the string "74 39 83 E8 07 74 11 83 E8 05 75 13 8B" and replace it with "90 90 83 E8 07 74 11 83 E8 05 75 13 8B".

Flash Library Phantoms


How do we find the right flash library? This is where the fun begins: it exists in several installations for different browsers and is stored in different places on the system (mentioned above).

The file creation date is not always accurate. For example, NPSWF32.dll v.10.1.85.3 is dated January 27, 2010 (in fact, this file version is from mid-September 2010).

The Unlocker utility helps to determine whether a file is used by a given browser: open the browser, then check whether the file is locked by that browser.

Firefox, Safari (5) and Opera on WinXP (x32) use the library in the standard location: c:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll.

Chrome uses the library located in
D:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\Application\<7.0.517.41>\gcswf32.dll.

Opera on Win 7 probably (judging by the hack program) uses the library from "%PROGRAMFILES(X86)%\Opera\program\plugins\NPSWF32.dll".

IE uses its ActiveX library in the standard location:
c:\WINDOWS\system32\Macromed\Flash\Flash10<k>.ocx
The placeholder letter <k> varies with the version of the library. For v.10.1.85.3, <k> = "k".

This, by the way, is the famous file that the system keeps locked even if it is not used anywhere, and even if this copy of WinXP on the machine is not the working one. Fortunately, the latest version of Unlocker handles it. To patch it, copy the file to another location, remove the "Read only" flag, make the change, delete the file in the old location and put the corrected file in its place.

Installing a new version of flash for one browser does not install it for another. That is why everyone knows the feeling of déjà vu when installing a new version of flash: "I have already done this before! And successfully completed it!". Indeed, the installation is repeated 2-3 times, each time for a single browser. After 3-5 months, the story repeats. The current version of the player for IE can be force-installed from fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe .

So, for each browser, you need to make sure that you are modifying exactly the file that the browser uses. Renamed files can cause confusion. For example, Firefox picked up a renamed file called NPSWF32-1.dll and started working with it. Conclusion: keep copies of files in a different directory, even while experimenting.

Of course, when a new version of the flash player comes out and the owner of the system updates it, the library file will be overwritten, so it does no harm to keep a copy of the patched file just in case (later you can try to substitute it temporarily for the new library, or give it to a friend together with installation instructions).

Patch for Internet Explorer


At the time of writing there was no description of a hack for IE on the Internet, so I had to use IDA Pro to find a similar instruction chain in Flash10k.ocx and "bite out" the unwanted jump. Whereas in the other browsers' libraries the instructions were compiled to a short 2-byte jump, this file contains a 6-byte jump, so the desired byte string looked very unlike the one we already know. The figure shows a fragment of the relevant code, with the instruction that must be turned into a sequence of NOPs circled.


Or, as x86 assembly for the Flash10k.ocx file:
.text:1018576A loc_1018576A: ; CODE XREF: sub_101856AF+B7j
.text:1018576A push ebx
.text:1018576B push eax
.text:1018576C lea ecx, [ebp+68h+var_D4]
.text:1018576F call sub_10387C40
.text:10185774 push esi
.text:10185775 lea ecx, [ebp+68h+var_70]
.text:10185778 call sub_10199257
.text:1018577D mov ecx, [esi+34h]
.text:10185780 mov edi, [ecx+44Ch]
.text:10185786 mov eax, [edi+24h]
.text:10185789 mov [ebp+68h+var_BC], eax
.text:1018578C mov eax, 111h
.text:10185791 cmp [ebp+68h+arg_4], eax
.text:10185794 ja loc_10185A32
.text:1018579A mov ecx, [ebp+68h+arg_4]
.text:1018579D cmp ecx, eax
.text:1018579F jz loc_101859F5
.text:101857A5 cmp ecx, 20h
.text:101857A8 ja loc_101858EE
.text:101857AE jz loc_101858B5
.text:101857B4 mov eax, ecx
.text:101857B6 sub eax, 5
.text:101857B9 jz loc_101858A9
.text:101857BF dec eax
.text:101857C0 dec eax
.text:101857C1 jz loc_1018588D
.text:101857C7 dec eax
.text:101857C8 jz loc_10185860 ; 0F 84 92 00 00 00, the 6-byte jump that is replaced with NOPs
.text:101857CE sub eax, 7
.text:101857D1 jz short loc_101857DC
.text:101857D3 sub eax, 5
.text:101857D6 jnz loc_10185D11
In total, for IE: in the file Flash10k.ocx (v.10.1.85.3), find "00 48 0F 84 92 00 00 00 83 E8" (address 0x184bc6) and replace it with "00 48 90 90 90 90 90 90 83 E8".

Correcting the "Press Esc to ..." message


On the Internet there was only one discussion thread with solutions to this problem. It is strange that such a widespread inconvenience drove only one person to find a solution and publish it (with a second one joining in). Here is what is said about it:
The "press esc" message? I’ve got a problem with the "esc" from the fullscreen function.
- Are there any parameters by which I could delete the message “Press Esc ...”?

No, you’re not afraid of being able to use phishing and the like.
There is no way to prevent it showing up.
It’s a real shame.
- No, this is a security solution to protect web players from phishing and the like. There are no ways to ban the display. This is indeed an inconvenience, but it is one of the features of web development.
We will fight this deliberate anti-phishing code knowing what we are giving up. Be prepared for some extremely cunning phisher to offer you a video to expand to full screen that is in fact not only a video but also a fake payment form of your bank, where you will enter private information, forgetting that what fills your screen is flash. The phisher will be glad that you did not read the warning about the Esc button once more and forgot that this is flash from the Internet.

In [6], two approaches were demonstrated: make the inscription invisible rather than fight its appearance (Chronomaster filled it with zeros), or write in a resource that is shorter in code. Done manually, the second approach requires less data to be changed, so we choose it. (I didn't look into what kind of resource is 2288 bytes long: an image or something more complicated. Checked: it works everywhere, and the string to be replaced is found in all 3 libraries.)
To remove the "Press Esc to ..." warning (in any language) in all 3 flash library files v10.1.85.3 (NPSWF32.dll, gcswf32.dll, Flash10k.ocx), the string "43 57 53 08 60 10 00 00 78 9C 95 57 6B 70 13 D7" is replaced with "84 85 4E 2B 6D 76 4E AA 65 1D D9 83 07 D4 93 2E".
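A read-only check for the three replacement rules above, as an added example that is not part of the original article: it reports whether a library image still holds the original bytes, already carries a patch (for instance, whether the anti-phishing "Press Esc" resource has been removed), or contains a signature more than once, in which case a blind replace is unsafe. The rule names and the constructed sample buffer are assumptions of this example; the byte strings are the ones quoted in the article for v.10.1.85.3.

```python
# Added example: read-only audit of a Flash library image against the
# article's three byte-level rules (v.10.1.85.3). Nothing is written to disk.
RULES = {
    # hypothetical rule name: (original bytes, patched bytes) as quoted in the article
    "focus_npapi": ("74 39 83 E8 07 74 11 83 E8 05 75 13 8B",
                    "90 90 83 E8 07 74 11 83 E8 05 75 13 8B"),
    "focus_activex": ("00 48 0F 84 92 00 00 00 83 E8",
                      "00 48 90 90 90 90 90 90 83 E8"),
    # the original starts with 43 57 53 = "CWS", the compressed-SWF magic
    "esc_warning": ("43 57 53 08 60 10 00 00 78 9C 95 57 6B 70 13 D7",
                    "84 85 4E 2B 6D 76 4E AA 65 1D D9 83 07 D4 93 2E"),
}

def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def audit(data: bytes) -> dict[str, tuple[str, list[int]]]:
    """Classify each rule as original / patched / absent / ambiguous."""
    report = {}
    for name, (orig_hex, patched_hex) in RULES.items():
        orig = find_all(data, bytes.fromhex(orig_hex))
        patched = find_all(data, bytes.fromhex(patched_hex))
        if len(orig) + len(patched) > 1:
            state = "ambiguous"   # signature is not unique in this file
        elif orig:
            state = "original"
        elif patched:
            state = "patched"
        else:
            state = "absent"      # different file or different version
        report[name] = (state, orig + patched)
    return report

if __name__ == "__main__":
    # Constructed sample buffer, not a real DLL: padding around two signatures.
    sample = (b"\x00" * 16 + bytes.fromhex(RULES["focus_npapi"][1])
              + b"\xCC" * 8 + bytes.fromhex(RULES["esc_warning"][0]))
    for rule, (state, offsets) in audit(sample).items():
        print(f"{rule:14} {state:9} {[hex(o) for o in offsets]}")
```

To audit a real file, pass `open(path, "rb").read()` to `audit()`; an "absent" result for every rule usually means the file is a different flash version.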

The detailed explanations are given so that the patches can be redone for future flash versions that differ from the current one. If version 10.1.85.3 is installed on the computer, library files with both patches already applied can be taken from the archive. Attention! The files were copied from a Russian-language installation on WinXP. MD5 checksums:
NPSWF32.dll - 2791B3E6EA48D491B8B8926EE96BF862 (5,969,360 bytes);
gcswf32.dll - 1466158D5E0D35CAD501BA663C9E4377 (6,021,120 bytes);
Flash10k.ocx - 308987522024C66FAE39B5B85AA37055 (6,069,712 bytes).
Or a new archive for version 10.1.102.64.
Before replacing the files, make sure that all browser windows are closed and that the version of the flash player installed on the computer is exactly 10.1.85.3 for all 3 files. If not, install this version, or replace only the files whose version matches (the effect will then appear only in the corresponding browsers). To check a file's version: right-click the file, then Properties, Version, File version.
If something stops working as a result of the experiments (with an erroneous patch, flash may not work properly in the browser), it can be fixed by closing the browsers and restoring the original versions of the files. In extreme cases, uninstall and reinstall the flash player for the browsers. If you change jump addresses incorrectly, control may of course end up in an unpredictable place and break something. General safety advice against breaking the system: do not run experiments unless you are sure you can recover from their consequences, and do not forget to keep the original copies of the files.

Links


1. "Making flash-videos play in full-screen background on multi-monitor systems (windows only)", March 6, 2010.
2. Patcher program for the NPSWF32.dll files belonging to browsers. Build 6-24-2010.
FlashHacker (en.), Support for Flash 10.1.53.64
(the video doesn’t explain how the patch is defective; in fact, it patches by searching for 11 bytes, as described in [4]).
3. How to use an outdated version of the player with a hack (files for installation are attached).
"Making flash-videos play in full-screen background on multi-monitor systems (windows only)", May 9, 2010 - October 3, 2010.
4. (English) Solution for flash 10.1 up to version 10.1.82.76 (without IE), the main source.
"Fullscreen Hack for Flash 10.1"
5. Alternative patch (source code for AutoIt v3) (the Habr parser breaks the link; the correct hostname is autoitscript, fix it in the address bar when viewing).
6. The patch for "Press Esc to ..." (v.10.1.85.3), the main source. There is a build with 2 patches for 10.1.82.76.
7. Repost, Jun 11, 2010.
8. IgnoFlash Patch, a promising hack for 2 monitors.
UPD: 9. The follow-up article for version 10.1.102.64: a step-by-step method for applying the patches, identical to the one described here; files for that flash version are provided.
UPD: 10. In Flash 10.2 beta, already: "Fullscreen content will remain fullscreen on secondary monitors, which will allow users to watch it while working on another display." It is good that progress does not stand still, and the need for such patches will soon decrease.

Source: https://habr.com/ru/post/107606/

