Making Rover Fart

by Bryan Elliott

As usual, blah, blah, blah, don't get yourself in trouble.  Not that strictly adhering to a EULA could usually get you in too much trouble.

This is the story of how I made the Microsoft Search Assistant dog into a flatulent beast of, um, finding things.  In addition, it's the story of how I did it without breaking the EULA.  It's effectively evidence of the pointlessness of EULAs in general in terms of preventing damage to one's image and copyrights.

I got the idea while trolling around the Slashdot forums.  Somehow, a post about the ability to make a scanner play music devolved into a conversation about dogs farting The Star-Spangled Banner (such is Slashdot) to which another poster said, "If you can make the Microsoft search dog do that, I'll consider you a God."

I thought to myself, well, I don't know about The Star-Spangled Banner, but there's no reason good 'ole Rover shouldn't be able to cut a few.  Maybe I'll make out as a minor demigod.  You know, spend weekends in the heavens and such.

I did some research.  Apparently, Microsoft's got some legalese stating that you're not allowed to reverse engineer an "ACS" (Agent Character... something?) file.  So I didn't.  Instead, I accepted the challenge and resorted to plain old deduction.

First, I wanted to find out if the data was compressed; compressed data can be a bitch to extract without looking at the binary.  There are a lot of ways to do this, but the only way I could think of doing it - without actually looking at the code, of course - was to try to compress the file myself.  The reasoning is that a compressed file won't compress much more than it already has.  If there's a significant compression ratio, say more than 10 percent of its body mass, the file has at least some uncompressed structure.

C:\Windows\SRCHASST\CHARS\ROVER.ACS went from 1,819 kB to 1,449 kB using bzip2 compression - with a significant compression factor, I could tell that while some of the contents were compressed (one would assume images in GIF, BMP/RLE, or JPEG format, as well as ADPCM, WMV or MP3 audio), the file itself was not.

Next, I reasoned thusly: When these little avatars first started appearing (read: Clippy), Microsoft still had a lot of stock in the WAV format, and in its parent, the RIFF container.  It stands to reason that Microsoft, as is Microsoft's won't, will keep the format unchanged in the interests of backward compatibility.

Thus, if I want to find the locations of the audio in an Agent, the method most likely to yield fruit would be to split the file up by RIFF signatures.  To do this without looking at the code is easy: I wrote a small CLI C program that would seek until its first RIFF, then output all data to a file, changing the filename whenever another RIFF signature is found.  I didn't personally have to look at the binary at all.

Once extracted, the audio, being WAV files, was theoretically clean.  I could, therefore, theoretically look at them.  Theoretically is right; I didn't know if there was any chaff data in between or after the last file.  Chaff data is "dirty" and must not be touched.  My savior?  SNDREC32.EXE.

I reasoned like this: SNDREC32.EXE uses the Windows API to handle sound files.  As such, it should be incapable of carrying any extraneous data - i.e., this chaff I'm on about - past the length of the WAV file.  So the quick-and-dirty way to get clean would be to open each of the ten files that my C program output, and press CTRL+S, saving scrubbed-up copies of each.

Now I had ten WAV files of "clean" data (it turned out that before I only had nine; the last file had some additional data tagging along at the end).  They were in various sub-formats (4-bit ADPCM, 8-bit PCM, 16-bit PCM), which led me to believe I could replace them with any valid WAV file of the same size.

I then hand-generated ten fart noises of varying pitch and length at 8 kHz, 8-bit mono PCM, matching each of the ten usual sounds in exact size.  I then modified my C program to instead insert the files, in order, starting from each RIFF signature.

I was worried at this point that there might be a checksum somewhere in the file.  I'd have no way of getting around that without "looking" at the binary.  (Having your program actually process each and every byte does count.  Skimming over each does not.)  Rest assured, there was no corruption detection mechanism or this article would never have left my fingertips.

Apparently Microsoft has no idea someone would want to modify one of their Agents - though I couldn't understand why you wouldn't.

I replaced the original ROVER.ACS with my new modified puppy.  Explorer needed to be killed for this to work, so I killed it and copied my new ROVER.ACS to its original location in: C:\Windows\srchasst\chars

Rover now toots like he's survived on nothing but Mexican food and Olestra potato chips.

Meanwhile, this approach brings up a whole field of possibilities - maybe the images are in a recognizable format as well.  Perhaps it's possible, if a little crude, to modify Clippy so that one of his "tricks" is to get bent into a pretzel and inserted into a goat's anus by a burly woman.

O.K., yeah, that was excessive, even for speculation.

I mean, doesn't everyone hate Clippy that much?