I was going through the net one day and I saw that grc.com had a new program out called "OptOut". After going to the program's page and reading through some things, I found out some things I had not heard before. Fanciful tales of spyware programs and hidden agendas. I thought to myself, wow, isn't that interesting. But not once did I think that I would find that BULLSHIT on my computer. Alas, I was wrong. After running OptOut, I soon found that this Spyware was on MY computer! So, what did I do about it? I had OptOut get rid of it! And when OptOut does that, it states something to the effect of "After the spyware DLLs are removed, the programs that use said Spyware DLLs might not work correctly." So, I thought, cool! Now I will know what programs were using that shit :) Days went by, until after a routine day of looking through the net, I found a nice big file to download.
So, I popped open "Net Vampire" and was just about to enter my download info, when BAMM! I got a message box stating "advert.dll not loaded". At last, I had found the program that was using the Spyware :)
The main problem, though, was that now I COULDN'T USE Net Vampire at all. All I got was a message box, and then the program would call ExitProcess. That sucks, don't you agree? Now what to do about it? Well, what else: it is time to do some reversing :)
Well now, I don't really think you will LEARN much, if anything, from this. I must also say that I feel kind of weird writing this essay because it seems more like cracking than reversing, but whatever. I am just kind of telling a story here. But hey, if you learn something, THEN ALL THE BETTER :)
Well, here goes:
Tools used: I only used HIEW and my brain :)
Target: Net Vampire v3.3
Intention: My intention was to be able to use Net Vampire minus the Spyware bullshit.
Session:
I try not to use too many tools when they are not needed, as in this case.
First thing I did was re-run the program (vampire.exe) to see what the exact message in the message box was. The message reads "Failed to load ADVERT.DLL". So that is all I needed to "fix" this program. Just that stupid-ass message.
All you have to do is run HIEW and pop in vampire.exe. Do a search through the exe for "Failed to load ADVERT.dll" and for "advert.dll" by itself. Why look for "advert.dll"? The reason is that in order for vampire.exe to use that DLL, it has to first be imported. And it isn't in the file's import table, so it must be imported via LoadLibrary or GetModuleHandle, but I paid no attention to this while I was "fixing" vampire.exe.
Well I found the strings above at:
"Failed to load ADVERT.DLL" @ :004718AC
"advert.dll" @ :004718C4
So, hmm, what to do next? Easy, just hit F7 (search) and look at what instructions those locations are used in. REMEMBER to search for them by first reversing the byte order of the addresses (they are stored little-endian), like so: :004718AC should be searched for as "AC184700" and :004718C4 as "C4184700". I found only two general locations in the whole file where these addresses were used. Look at the disassemblies below:
:004715F4 55 push ebp
:004715F5 8BEC mov ebp, esp
:004715F7 51 push ecx
:004715F8 8945FC mov dword ptr [ebp-04], eax
:004715FB 68AC184700 push 004718AC
:00471600 E86348F9FF Call 00405E68
:00471605 8B55FC mov edx, dword ptr [ebp-04]
:00471608 8982D8000000 mov dword ptr [edx+000000D8], eax
:0047160E 8B45FC mov eax, dword ptr [ebp-04]
:00471611 83B8D800000000 cmp dword ptr [eax+000000D8], 00000000
:00471618 7524 jne 0047163E
:0047161A 6A00 push 00000000
:0047161C 668B0DB8184700 mov cx, word ptr [004718B8]
:00471623 B201 mov dl, 01
:00471625 B8C4184700 mov eax, 004718C4
:0047162A E8A1ECFCFF call 004402D0
:0047162F A1A8C94A00 mov eax, dword ptr [004AC9A8]
:00471634 8B00 mov eax, dword ptr [eax]
:00471636 E84506FCFF call 00431C80
:0047163B 59 pop ecx
:0047163C 5D pop ebp
:0047163D C3 ret
Now, the first general location is disassembled above. You can see that at address :004715FB, the code there has "AC184700" at its end. So we know that that instruction is pushing "advert.dll", and if you look down a number of instructions you see that at address :00471625 the code there has "C4184700" at its end, hmm, the location of "Failed to load ADVERT.DLL" :) Now, look just above a bit at address :00471618 and we see a "jne 0047163E". Let's see, that would take us past the part where "Failed to..." is played with if the compare above it wasn't equal. Why don't we just jump past that shit? What I did was change the jne to a jmp. I did this so I wouldn't be bothered again with that "Failed to ..." message.
Well, as I said before, there were two general locations. So let's find the next:
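An added worked example (not from the original essay) of the two mechanical steps above: turning a string address into the little-endian byte pattern that HIEW is searched for, and decoding the relative jump bytes in the listing to check where each jne/je actually lands. The sample bytes are constructed from the first listing's own encodings, assumed to start at its base address 004715F4; the function names are mine. It only reads bytes, it patches nothing.

```python
import struct

# Constructed sample: the raw bytes of the first listing (004715F4..00471625),
# copied from the HIEW dump above so offsets line up with the real addresses.
BASE = 0x004715F4
CODE = bytes.fromhex(
    "55 8BEC 51 8945FC 68AC184700 E86348F9FF 8B55FC 8982D8000000"
    "8B45FC 83B8D800000000 7524 6A00 668B0DB8184700 B201 B8C4184700"
)

def search_pattern(addr):
    """Hex pattern to type into HIEW's search: the 32-bit address stored
    little-endian, so 0x004718AC becomes 'AC184700'."""
    return struct.pack("<I", addr).hex().upper()

def find_references(code, addr, base=BASE):
    """Virtual addresses of every 4-byte immediate equal to `addr`
    (the push/mov instruction carrying it starts one byte earlier)."""
    needle = struct.pack("<I", addr)
    hits, pos = [], code.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = code.find(needle, pos + 1)
    return hits

SHORT = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}   # rel8 forms, 2 bytes
NEAR = {0x84: "je", 0x85: "jne"}                 # 0F 8x rel32 forms, 6 bytes

def decode_jump(addr, insn):
    """Decode a relative jump located at `addr`; returns (mnemonic, target).
    Target = addr + instruction length + signed displacement."""
    op = insn[0]
    if op in SHORT:
        rel, = struct.unpack("<b", insn[1:2])
        return SHORT[op], (addr + 2 + rel) & 0xFFFFFFFF
    if op == 0xE9:                               # jmp rel32, 5 bytes
        rel, = struct.unpack("<i", insn[1:5])
        return "jmp", (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x0F and insn[1] in NEAR:
        rel, = struct.unpack("<i", insn[2:6])
        return NEAR[insn[1]], (addr + 6 + rel) & 0xFFFFFFFF
    raise ValueError("not a jump opcode handled here: %02X" % op)

if __name__ == "__main__":
    for s in (0x004718AC, 0x004718C4):
        print(search_pattern(s), [hex(a) for a in find_references(CODE, s)])
    print(decode_jump(0x00471618, bytes.fromhex("7524")))          # jne 0047163E
    print(decode_jump(0x004717DE, bytes.fromhex("0F84A4000000")))  # je 00471888
```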
:004717C6 E8F545F9FF Call 00405DC0
:004717CB 8B55FC mov edx, dword ptr [ebp-04]
:004717CE 898214010000 mov dword ptr [edx+00000114], eax
:004717D4 8B45FC mov eax, dword ptr [ebp-04]
:004717D7 83B8E000000000 cmp dword ptr [eax+000000E0], 00000000
:004717DE 0F84A4000000 je 00471888
:004717E4 8B45FC mov eax, dword ptr [ebp-04]
:004717E7 83B8E400000000 cmp dword ptr [eax+000000E4], 00000000
:004717EE 0F8494000000 je 00471888
:004717F4 8B45FC mov eax, dword ptr [ebp-04]
:004717F7 83B8E800000000 cmp dword ptr [eax+000000E8], 00000000
:004717FE 0F8484000000 je 00471888
:00471804 8B45FC mov eax, dword ptr [ebp-04]
:00471807 83B8EC00000000 cmp dword ptr [eax+000000EC], 00000000
:0047180E 7478 je 00471888
:00471810 8B45FC mov eax, dword ptr [ebp-04]
:00471813 83B8F000000000 cmp dword ptr [eax+000000F0], 00000000
:0047181A 746C je 00471888
:0047181C 8B45FC mov eax, dword ptr [ebp-04]
:0047181F 83B8F400000000 cmp dword ptr [eax+000000F4], 00000000
:00471826 7460 je 00471888
:00471828 8B45FC mov eax, dword ptr [ebp-04]
:0047182B 83B8F800000000 cmp dword ptr [eax+000000F8], 00000000
:00471832 7454 je 00471888
:00471834 8B45FC mov eax, dword ptr [ebp-04]
:00471837 83B8FC00000000 cmp dword ptr [eax+000000FC], 00000000
:0047183E 7448 je 00471888
:00471840 8B45FC mov eax, dword ptr [ebp-04]
:00471843 83B80001000000 cmp dword ptr [eax+00000100], 00000000
:0047184A 743C je 00471888
:0047184C 8B45FC mov eax, dword ptr [ebp-04]
:0047184F 83B80401000000 cmp dword ptr [eax+00000104], 00000000
:00471856 7430 je 00471888
:00471858 8B45FC mov eax, dword ptr [ebp-04]
:0047185B 83B80801000000 cmp dword ptr [eax+00000108], 00000000
:00471862 7424 je 00471888
:00471864 8B45FC mov eax, dword ptr [ebp-04]
:00471867 83B80C01000000 cmp dword ptr [eax+0000010C], 00000000
:0047186E 7418 je 00471888
:00471870 8B45FC mov eax, dword ptr [ebp-04]
:00471873 83B81001000000 cmp dword ptr [eax+00000110], 00000000
:0047187A 740C je 00471888
:0047187C 8B45FC mov eax, dword ptr [ebp-04]
:0047187F 83B81401000000 cmp dword ptr [eax+00000114], 00000000
:00471886 7521 jne 004718A9
:00471888 6A00 push 00000000
:0047188A B8C4184700 mov eax, 004718C4
:0047188F 668B0DB8184700 mov cx, word ptr [004718B8]
:00471896 B201 mov dl, 01
:00471898 E833EAFCFF call 004402D0
:0047189D A1A8C94A00 mov eax, dword ptr [004AC9A8]
:004718A2 8B00 mov eax, dword ptr [eax]
:004718A4 E8D703FCFF call 00431C80
:004718A9 59 pop ecx
:004718AA 5D pop ebp
:004718AB C3 ret
What the fuck is all that noise? - you might say, but don't worry about it. Real easy, and annoying :) As you can see, HIEW has now taken us to address :0047188A where you see "C4184700" ("Failed to...blah") at the end of that instruction. So now look at all those compares above, hmm, they all go to an address before the instruction that uses "Failed to...". But take a look at that last compare at address :00471886. It is the only one that jumps past the "Failed.." message. So just go to the top compare at :004717DE and make it "jmp" to the address that the last compare jumps to after the program has done all its checking bull, "004718A9". So at address :004717DE the instruction becomes "jmp 004718A9". Easy.
There folks, all done! - And not only does the program load correctly, but there are no longer any ads popping up while using the program :)
Need I remind you to pay for this program if you wish to use it? Well, I think I just did. Although, it was kind of shitty of them putting that spyware shit in their program in the first place :)
Now you can rest knowing that there is no more Spyware in Net Vampire. haha
© The Immortal Descendants 2000 and Forever.