(16 September 1997)
Courtesy of Fravia's page of reverse engineering
Well, a new +contribution to our project 5... (yet we still
await mammon_'s one too) Here +YOSHi teaches something pretty interesting...
a nice reverse engineering essay: short and precise!
Only one criticism, though: please,
never forget, from now on, to give THE VERSION of the target you are using! This is
even more important with a target like Navigator, which comes in hundredone
same reason you'd want to kill cookies: they're annoying, and they pop up
quite often, usually as disclaimers. Please note that Netscape uses the
Win32 API function MessageBoxA to display the box, which is what we break on.
a. Load up Netscape (assuming you have SoftIce loaded). Pick a page with
b. bpx MessageBoxA, BEFORE you visit the site
c. Load the page into Netscape
d. You will land in SoftIce, inside the MessageBoxA code. Here's where the
e. p ret once and look at the code. There is nothing really interesting there,
so p ret a few more times, back up the call chain, until you come to the following code:
mov ebx, [eax + 4c]
add esp, 08 <- you are here
eax jmp checkresult
mov eax, [edi]
test eax, eax
f. Now, bpx on the address before the call. Reload the page in Netscape.
g. You are back in SoftIce. Press F10 once, and assemble this where the call is:
xor eax, eax
inc ax
Note the use of inc ax instead of inc eax: it does the same thing here (eax is already zero, so setting ax to 1 leaves eax = 1, the IDOK value MessageBoxA returns when you press Ok), and its encoding is one byte longer (66 40 instead of 40), which is why it is used: the replacement has to cover the bytes of the call it overwrites.
h. Press F5 to leave SoftIce and.... no more messagebox! The page loads as if you had pressed Ok.
i. It's not over yet. Assembling in SoftIce only changes the copy in memory, so the fix is gone the next time Netscape is loaded (for obvious reasons). So, patch the executable on disk :)
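To show what step i amounts to on the file rather than in SoftIce, here is an added example, not +YOSHi's code and not taken from the essay. It assumes the call being replaced is a 5-byte direct call (E8 rel32) followed by the "add esp, 08" the essay lands on after p ret, and that you have already translated the SoftIce address into a file offset (the PE section table does that; it is not shown here). The image bytes are constructed for the example. The replacement is the essay's xor eax,eax / inc ax (33 C0 66 40) plus a nop (90) so that exactly five bytes are overwritten and nothing after the call is disturbed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Replacement for a 5-byte direct call, returning IDOK (1) in eax
   without ever reaching the message box:
   33 C0 = xor eax,eax ; 66 40 = inc ax ; 90 = nop  -> exactly 5 bytes.
   (inc eax would be 40, one byte shorter, and leave a gap.) */
static const uint8_t patch_bytes[] = { 0x33, 0xC0, 0x66, 0x40, 0x90 };

/* Sanity check before writing anything: the bytes at off must be an E8
   call and the instruction after it must be "add esp, 8" (83 C4 08),
   which is where the essay ends up after returning from the call.
   Patching the wrong offset would corrupt unrelated code. */
int is_call_site(const uint8_t *img, size_t len, size_t off) {
    if (off + 8 > len) return 0;
    if (img[off] != 0xE8) return 0;
    return img[off + 5] == 0x83 && img[off + 6] == 0xC4 && img[off + 7] == 0x08;
}

/* Overwrite the call with the replacement. Returns 1 on success,
   0 if the site does not look like the expected call. */
int patch_call_site(uint8_t *img, size_t len, size_t off) {
    if (!is_call_site(img, len, off)) return 0;
    memcpy(img + off, patch_bytes, sizeof patch_bytes);
    return 1;
}

/* Constructed stand-in for the code around the call (not real Netscape
   bytes): push 0 ; push 0 ; call rel32 ; add esp,8 ; test eax,eax */
static const uint8_t sample_before[] = {
    0x6A, 0x00,                   /* push 0 */
    0x6A, 0x00,                   /* push 0 */
    0xE8, 0x10, 0x00, 0x00, 0x00, /* call +0x10 (target is arbitrary here) */
    0x83, 0xC4, 0x08,             /* add esp, 8 */
    0x85, 0xC0                    /* test eax, eax */
};

/* Apply the patch to a copy of the sample and verify the result:
   a wrong offset is refused, the call bytes become the replacement,
   and the bytes on either side are untouched. Returns 1 if all hold. */
int demo_patch(void) {
    uint8_t img[sizeof sample_before];
    memcpy(img, sample_before, sizeof img);
    if (patch_call_site(img, sizeof img, 0) != 0) return 0;  /* push, not call */
    if (patch_call_site(img, sizeof img, 4) != 1) return 0;  /* the call */
    if (memcmp(img + 4, patch_bytes, sizeof patch_bytes) != 0) return 0;
    if (memcmp(img, sample_before, 4) != 0) return 0;
    if (memcmp(img + 9, sample_before + 9, sizeof img - 9) != 0) return 0;
    return 1;
}

static void hexdump(const char *label, const uint8_t *p, size_t n) {
    printf("%s:", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void) {
    uint8_t img[sizeof sample_before];
    memcpy(img, sample_before, sizeof img);
    hexdump("before", img, sizeof img);
    printf("patch at offset 4: %s\n",
           patch_call_site(img, sizeof img, 4) ? "ok" : "refused");
    hexdump("after ", img, sizeof img);
    printf("demo_patch() = %d\n", demo_patch());
    return 0;
}
```

The same five bytes are what you would type into a hex editor at the file offset; the check on the surrounding bytes is the part worth keeping, because a file offset computed by hand from a SoftIce address is easy to get wrong by a few bytes.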
That's all from me, I hope this knowledge is put to good use! :)
(c) +YOSHi, 1997. All rights reversed.