Warm Turkey

To any potential future employers: please disregard this blogpost, I am actually very productive.

So I'm a huge procrastinator. To give you an idea: this project was a way of procrastinating for a maths test. And then while working on this projected I ended up getting distracted and doing some other stuff.
Luckily I found a cool program called "Cold Turkey". It allows you to set a timer, during which the program will block access to a list of websites with a rather distractive nature. And the cool thing is, this program is actually pretty well-made. You can't simply remove the browser extension or stop the program using task manager. But I will not let that stop me in my quest to do absolutely nothing even remotely productive.

Before even looking at the binary, I suspected that using an uncommon browser would bypass this program. Since the list of browsers is hardcoded, using an obscure browser like Basilisk or Waterfox (both Firefox forks) would not be detected by the program. And indeed, when using these browsers I can browse Reddit all I want. Eat that, productivity!

The first thing I noticed was that the entire program has been written in C#. Not just the main window, but also the background programs for specific browsers (CTMsgHostFirefox.exe, CTMsgHostChrome.exe and CTMsgHostEdge.exe) and all the dlls. This is great, because .NET applications are trivial to reverse engineer. Just pop 'em in dnSpy or Jetbrains' dotPeek and you can see the entire source code. No scrolling through millions of x86 instructions, just some nice readable C#.

file *.exe *.dll

Reading through the code, I saw the program uses Process.GetProcessesByName() to find running browsers. It looks for browsers with the names firefox, msedge, chrome, brave, opera and vivaldi. This means that if you use any other browser, it is not detected. What this also means, is that you can simply rename your browser executable to notfirefox.exe, and you will fly under the radar!

GetProcessesByName

Another thing that caught my attention was a folder called "web", containg an HTML page and a couple of CSS and JavaScript files. It seems like Cold Turkey is built using Electron or something similar. Most of the JavaScript files were libraries for the user interface of the program, but there was one file that contained some heavily obfuscated code. About the first half of the script is a huge array of hex-encoded strings, which are then used later in the script. A couple of these strings are just generic HTML elements and ids/classes. However, it also contains about a thousand website domain names. Some news sites and some gaming stuff, but also dating, gambling and porn sites. After looking around a bit I found you can import some other block lists.

Blocklist import


With a little big of regex fuckery, I also dumped the list of functions defined in the script. I had a quick look and I suspect toggleBlock() is the function responsible for enabling the blocker and requestUnlock() probably has something to do with unlocking it. So you could probably patch these functions, but I don't think it's worth the hassle of messing with obfuscated code to be honest. Also, this would require administrator privileges, which I feel like is kinda cheating.

Dumped JS function definitions

One thing I kept wondering was where this program stores its config and other data. On Windows it stores this in SQLite databases located in C:\ProgramData\Cold Turkey. The config is saved in JSON format in data-app.db. This stores the settings of the application itself, like the theme and how strict the block is (which we could already exploit). However, it also stores whether the block is active at all. If the user decides to lock the blocker (so that it can't be disabled while a timer is active or until the user enters a password), the lock settings are stored here as well. But in fact, this doesn't really matter because you can disable the blocker even if it's locked.

Config from data-app.db


Fun fact: this config also stores whether the user has the free or the pro version of the program

A demonstration of this trick can be seen here

In conclusion, Cold Turkey is a very useful program. It has helped me focus on my homework (until I got distracted by this project, that is). And for the record: I think this program is actually very well-made. A lot of similar programs can simply be clicked away, closed in task manager or straight up uninstalled. Cold Turkey is actually very well protected against that kind of fuckery. So your average procrastinator will probably not break this program. But if you're determined enough and don't mind messing with config files stored in a database format, you can get around it.

If anyone wants to mess with this a little bit more, here's some of the source code of this program: