Copernic 4.55 reversing
Well, "eyeball grasping" is all the rage nowadays, and more and more dirty tricks are used to force you to look at completely useless banners and idiotic advertisements that no one in his right mind would click on. Why this actually happens beats me: in my experience and world, in order to find the sort of people that would really eventually click on one of these banners you would have to visit a center for the mentally handicapped in their terminal phase. Maybe I'm wrong, though, and in the real "guinea pigs" world that the advertisers dream of, there really exist hundreds of thousands of slaves who happily click on any commercial abomination they see and then - drooling with pleasure - buy the crap they deserve. I doubt it, though.
Anyway, it is our holy duty to destroy these tricksters: they grasp our eyeballs? We'll grasp their - quite sensible - commercial balls. Here you go with a simple, but effective, essay by +Tsehp.
Lets just put an end to this...
If Unregistered then ads
Written by +Tsehp
The crack was performed on my current OS: Win 2000.
The first step is not to hurry into SoftICE breakpoints. Sit down, adopt some good old "zen cracking" attitude and think a little about what this program could do.
Now, since there is a feature to remove the ads - for people rich enough to escape the advertisement hell reserved for slaves and poor sods - this target MUST keep a flag for it, a flag that decides whether the owner has paid enough to escape advertising or not. Of course this flag (let's say either true, "poor_sucker=0: give him hell", or false, "poor_sucker=1: he may escape without ads") must be either inside a more or less "hidden" file or inside the registry.
Dead easy, of course: we run the Regmon tool and check and uncheck the "display ads" option. But nothing interesting happens. I also tried with Filemon, just to see if it looks for a flag hidden inside some lost file; nothing again.
My last idea was to see if this program uses a flag hidden inside its resources; to load a resource string, a program calls LoadStringA.
I found this part inside its disassembly:
0046E270 push ebp
0046E271 mov ebp, esp
0046E273 add esp, 0FFFFFBF8h
0046E279 mov [ebp+var_8], edx
0046E27C mov [ebp+var_4], eax
0046E27F push 400h
0046E284 lea eax, [ebp+var_408]
0046E28A push eax
0046E28B mov eax, [ebp+var_4]
0046E28E push eax <-string number inside the resource
0046E28F mov eax, ds:dword_5798B4
0046E294 push eax
0046E295 call LoadStringA_0 <-Put a bpx on this with softice before searching.
0046E29A mov ecx, eax
0046E29C lea edx, [ebp+var_408]
0046E2A2 mov eax, [ebp+var_8]
0046E2A5 call sub_403F2C
0046E2AA mov esp, ebp
0046E2AC pop ebp
Then, after setting the bpx, you start a search, and SoftICE stops just before the LoadStringA call, at exactly this location on Win 2k.
The string number pushed is 0xC49A, 50330 in decimal. Take a resource editor and look for this string: nothing inside...
Easy to guess: in the registered version, this string resource contains a flag, which is checked just before you start a search.
To see what happens next, P RET twice and you land here:
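As an added illustration (not part of +Tsehp's essay), this C snippet models how a string ID such as 0xC49A is addressed inside a Win32 STRINGTABLE, using a constructed sample table rather than the target's real resource section: Windows stores strings in blocks of 16, so LoadStringA looks for block (ID / 16) + 1 and slot ID % 16, and the lookup_string function below mimics LoadStringA's return contract (length copied, or 0 when the string is absent), which is the "nothing inside" case the resource editor shows for 50330 in an unregistered build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Win32 STRINGTABLE resources store strings in blocks of 16:
   block resource ID = (string ID / 16) + 1, slot within block = string ID % 16. */
#define STRINGS_PER_BLOCK 16

typedef struct {
    uint16_t block_id;                     /* RT_STRING resource ID of the block */
    const char *slot[STRINGS_PER_BLOCK];   /* NULL marks an empty slot */
} string_block;

/* Constructed sample table, NOT the target's real resources:
   block 0x0C4A covers IDs 0xC490..0xC49F, and slot 10 (ID 0xC49A) is empty. */
static const string_block sample_table[] = {
    { 0x0001, { "Search the Web", "Results", NULL, NULL, NULL, NULL, NULL, NULL,
                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } },
    { 0x0C4A, { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL } },
};
static const size_t sample_table_len = sizeof sample_table / sizeof sample_table[0];

uint16_t string_block_id(uint16_t string_id) {
    return (uint16_t)(string_id / STRINGS_PER_BLOCK + 1);
}

unsigned string_slot(uint16_t string_id) {
    return string_id % STRINGS_PER_BLOCK;
}

/* Same contract as LoadStringA: copies the string into buf (NUL-terminated,
   truncated to cap-1 bytes) and returns its length, or 0 if it does not exist. */
int lookup_string(const string_block *tbl, size_t n, uint16_t string_id,
                  char *buf, size_t cap) {
    uint16_t want = string_block_id(string_id);
    unsigned idx = string_slot(string_id);
    if (cap == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].block_id != want || tbl[i].slot[idx] == NULL) continue;
        size_t len = strlen(tbl[i].slot[idx]);
        if (len >= cap) len = cap - 1;        /* truncate like LoadString does */
        memcpy(buf, tbl[i].slot[idx], len);
        buf[len] = '\0';
        return (int)len;
    }
    return 0;  /* missing block or empty slot: the "nothing inside" case */
}
```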
0054C24B ; CODE:0054C204j
0054C24B lea edx, [ebp-0FCh]
0054C251 mov eax, [ebp-2Ch]
0054C254 call sub_4095B8
0054C259 mov edx, [ebp-0FCh]
0054C25F lea eax, [ebp-2Ch]
0054C262 call sub_403EDC
0054C267 mov edx, [ebp-2Ch]
0054C26A mov eax, ds:dword_5778B0
0054C26F call sub_4DA868
0054C274 call sub_46EDFC
0054C279 test al, al <- you are here
0054C27B jnz loc_54C31A
0054C281 mov eax, ds:dword_5778C0
0054C286 cmp byte ptr [eax+0Ch], 0
0054C28A jz short loc_54C2B4
0054C28C mov eax, ds:dword_5778C0
0054C291 mov edx, [eax]
0054C293 call dword ptr [edx+4]