
annoying ads


dzidzia
September 6th, 2002, 10:52
Hi,

I'm trying to remove ads from one of the 'messengers'.
At first I tried just to remove it with ResHacker and
Borland's Workshop, but it didn't work... then I saw
it was packed with UPX, and that's why I got the
message 'resource is broken'. I ProcDumped it
with success, but it's still the same shit. It was
compiled with Delphi, and with W32Dasm I see
something like _TCHat, but it leads to 000000s at the
end of the code... (I caught the window's hwnd in SoftICE,
but I found no way to deal with it...). Is there any way
to repair those resources? Thanks in advance.

dzidzia

mancini
September 7th, 2002, 00:49
My bet is that you need to properly unpack the executable first.
I believe ProcDump only supports old UPX versions.
First get a program like file insPEctor XL or Language 2000 to find out the version of the packer,
then get an unpacker for that version, or unpack it in SoftICE + IceDump.

Also, a resource editor cannot remove ads from a program except in a few special situations,
like when the dialog box in which the ads appear doesn't have the ads fed to it from a DLL but has a built-in static box in the dialog that you can resize to 0 height and 0 width.
Most modern adware programs rely on exports from DLLs like Cydoor's cd_clint.dll that use a cache of ads or download them while online.

Also read "Reversing 'Adware' by Modifying Window Display Properties" by Kayaker.

Oh, and use Spy & Capture by Kobi Krichmar to identify your ad window's parameters.

dzidzia
September 7th, 2002, 08:35
Thanks mancini,

I downloaded file insPEctor XL and Language 2000...
and guess what? ProcDump was totally enough
to decompress that stuff. Only Borland Workshop
and ResHacker were too 'weak'. I read the tutorial...
I was ready to press Ctrl+D... but before that I downloaded ExeScope ver. 6.10.

inside TCHat I saw nothing but...

object h1: THttpCli
URL = 'http://idi.tlen.pl/adinfo.php'
ProxyPort = '80'
Agent = 'Mozilla/3.0 (compatible)'
Accept = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*'
NoCache = False
ContentTypePost = 'application/x-www-form-urlencoded'
MultiThreaded = False
OnDocBegin = h1DocBegin
OnDocEnd = h1DocEnd
OnRequestDone = h1RequestDone
Left = 64
Top = 88
end

But instead of decreasing the window size I took a different
approach... I just changed the interval, hehe, and the banner
doesn't come up at all...

Cheers

dzidzia

disavowed
September 8th, 2002, 15:35
For future reference, if you download UPX, you can use it to unpack most files that were packed with UPX
(no need for ProcDump).

stealthFIGHTER
September 8th, 2002, 21:02
Quote:
Originally posted by disavowed
For future reference, if you download UPX, you can use it to unpack most files that were packed with UPX
(no need for ProcDump).


Yes, but only in case the packed .exe was not additionally modified...

sF

hack3r2k
September 8th, 2002, 21:56
If it was modified, no problem...

1. Check the section names (should be UPX0, UPX1, [.rsrc]).
2. Open the exe with a hex editor and check for the UPX stamp (it should be, for example, stamp BYTE '1.22',0,'UPX!',0C - analyze some UPXed file to see where it comes), because if it's not there or is modified, UPX will say 'possibly hacked/modified'...

That's all folks!

This is the most common UPX protection scheme that I've seen.


best regards,
.:hack3r2k:.
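
The two checks hack3r2k describes, done in code as an added example rather than by eye in a hex editor (this is not code from the thread or from UPX itself): parse the PE section table for the UPX0/UPX1/.rsrc names, look for the 'UPX!' stamp, and classify the file accordingly. The stamp layout follows his note, a NUL-terminated version string immediately before 'UPX!' and one format byte after it. The fallback used when section names have been renamed is the fact that UPX0 has no raw data on disk (SizeOfRawData is 0) while its VirtualSize is large. The PE images it runs on are constructed by build_sample() and are not runnable programs.

```python
"""Fingerprint a PE for the two things hack3r2k checks: section names
UPX0/UPX1/.rsrc and the 'UPX!' stamp in the header area.  Added example, not
code from the thread; build_sample() constructs the PE images it runs on."""
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, _va, rsize = SECTION_HEADER.unpack_from(data, table + 40 * i)[:4]
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return sections


def find_stamp(data):
    """Locate the 'UPX!' magic.  Returns (offset, version, format_byte) or None.
    Layout taken from hack3r2k's note, '1.22',0,'UPX!',0C: a NUL-terminated
    version string just before the magic and one format byte after it.
    A plain substring search, so treat a hit as a hint, not proof."""
    off = data.find(b"UPX!")
    if off < 0:
        return None
    version = data[max(0, off - 5):off].rstrip(b"\0").decode("latin-1", "replace")
    fmt = data[off + 4] if off + 4 < len(data) else None
    return off, version, fmt


def upx_verdict(data):
    """Classify the file the way you would before deciding whether 'upx -d'
    will accept it or whether the packer header was tampered with."""
    sections = pe_sections(data)
    names = [n for n, _, _ in sections]
    named_upx = names[:2] == ["UPX0", "UPX1"]
    # UPX0 is where the stub unpacks the image at run time; it has no bytes on
    # disk (SizeOfRawData == 0) but a large VirtualSize.  That shape survives
    # a section rename, so it is the fallback hint when the names were wiped.
    shape_upx = len(sections) >= 2 and sections[0][2] == 0 and sections[0][1] > 0
    stamp = find_stamp(data)
    if stamp is None and (named_upx or shape_upx):
        return "stamp-missing-or-modified"      # upx -d will refuse this file
    if named_upx and stamp:
        return "upx-intact"
    if shape_upx and stamp:
        return "upx-sections-renamed"
    return "no-upx-fingerprints"


def build_sample(names, stamp):
    """Constructed minimal PE image (not a runnable program) with the section
    layout of a UPX file: first section has raw size 0, the rest 0x2000 bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x10F)
    table, raw_ptr = b"", 0x400
    for i, name in enumerate(names):
        vsize = 0x10000 if i == 0 else 0x2000
        rsize = 0 if i == 0 else 0x2000
        table += SECTION_HEADER.pack(name.encode("latin-1").ljust(8, b"\0"), vsize,
                                     0x1000 * (i + 1), rsize, raw_ptr if rsize else 0,
                                     0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + stamp


if __name__ == "__main__":
    samples = (("intact", build_sample(["UPX0", "UPX1", ".rsrc"], b"1.22\x00UPX!\x0c")),
               ("renamed", build_sample([".text", ".data", ".rsrc"], b"1.22\x00UPX!\x0c")),
               ("wiped", build_sample(["UPX0", "UPX1", ".rsrc"], b"1.22\x00XXX!\x0c")))
    for label, img in samples:
        print(label, pe_sections(img), find_stamp(img), upx_verdict(img))
```

On a real file, read it with open(path, "rb") and pass the bytes to upx_verdict(); "stamp-missing-or-modified" is the case stealthFIGHTER means, where upx -d refuses the file and you fall back to a runtime dump (ProcDump, or IceDump from SoftICE) or to restoring the bytes the packer's own decompressor expects.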