Copernic 4.55 reversing "If Unregistered then = ads"
Anti Advertisement
November 2000
by +Tsehp
Well, "Eyeball grasping" is all the rage nowadays, and more
and more dirty tricks are used to force you to look at completely useless
banners and idiotical advertisements that no one in his right mind would
click onto. Why this actually happens beats me: in my experience and
world, in order to find the sort of people that would really eventually
click onto one of these banners you would have to visit a center for
mentally handicapped in their terminal phase. Maybe I'm wrong, though, and
in the real "Guinea Pigs" world that the advertisers dream of, there
really exist hundreds of thousands of slaves who happily click on any
commercial abomination they see and then - drooling for pleasure - buy the
crap they deserve. I doubt it, though. Anyway it is our holy duty to
destroy these tricksters: they grasp our eyeballs? We'll grasp their -
quite sensible - commercial balls. Here you go with the update of a
simple, yet effective, essay by +Tsehp
There is a crack, a crack in everything
That's how the light gets in

Rating: (x)Beginner (x)Intermediate ( )Advanced ( )Expert ( )~S~
Ads are sneaking more and more inside your computer. Even if you pay for a program,
its designers now don't hesitate to push advertisements you NEVER WANTED at
you. The money they get from their applications is not enough: they need you to
click on their "big bucks" banners.
Let's just put an end to this...
Copernic 4.55 reversing
If Unregistered then ads
Written by +Tsehp
Almost everybody knows this application: it's an easy-to-use "meta search bot"
that uses the most current search engines to perform your search. It's one of
the most used; therefore, similar to what Micro$oft does, they (try to) use an
almost monopolistic situation with the aim of transforming your computer into a
mall, without asking you whether they are authorised to.
Just try this: download the Copernic 2000 Pro version 4.55. Use a regular,
non-burned serial (a lot of keygens exist); at first launch it shows no ads and
everything works fine. But this tool auto-updates to get the latest links to
search engines, and when it does, at the next search it shows you beautiful
banners at the top of your screen... Of course you can't disable the ads:
Tools, Options, uncheck "display ads while searching", and you've got the
opportunity to buy the program.
Of course it is possible to destroy all this devious - and *illegal* - activity,
and since you should have the right to control what happens inside your PC, I
will show how to perform an easy crack.
SoftICE (latest version 4.05)
IDA 4.14
The crack has been performed on my actual OS: Win 2000
[http://www.searchlore.org/=] Install the free version and use it - against
itself - in order to find the pro version ;-)
The older versions of this target were gentle towards the user. This is no
longer the case after version 4.1.
The first step is not to rush into SoftICE breakpointing. Sit down, use some
good old "zen cracking" attitude and think a little about what this prog could
do.
Now, since there is a feature to remove the ads - for people rich
enough to escape the advertisement hell reserved for slaves and poor sods - this
means that this target MUST keep a flag for it, a flag that decides whether the
owner has enough money to escape advertisement or not. Of course this flag
(let's say either true "poor_sucker= 0 give him hell" or false "poor_sucker= 1
he may escape without ads") must be either inside a more or less "hidden" file
or inside the registry.
Dead easy, of course: we use the regmon tool and check and uncheck the display
ads option. But nothing interesting happens. I also tried to check with filemon,
just to see if it looks for a flag hidden inside a lost file: nothing again.
My last solution was to see if this program uses a flag hidden inside its
resources, and to load a resource string, you can use LoadLibraryA.
I found this part inside its disassembly:
0046E270
0046E270 push ebp
0046E271 mov ebp, esp
0046E273 add esp, 0FFFFFBF8h
0046E279 mov [ebp+var_8], edx
0046E27C mov [ebp+var_4], eax
0046E27F push 400h
0046E284 lea eax, [ebp+var_408]
0046E28A push eax
0046E28B mov eax, [ebp+var_4]
0046E28E push eax                  <- string number inside the resource
0046E28F mov eax, ds:dword_5798B4
0046E294 push eax
0046E295 call LoadStringA_0        <- Put a bpx on this with SoftICE before searching.
0046E29A mov ecx, eax
0046E29C lea edx, [ebp+var_408]
0046E2A2 mov eax, [ebp+var_8]
0046E2A5 call sub_403F2C
0046E2AA mov esp, ebp
0046E2AC pop ebp
0046E2AD retn
Then, after the bpx, you start a search, and you stop just before the
LoadString call, just at this location on Win 2k.
The string number pushed is 0xC49A, 50330 in decimal. Take a resource editor and
look for this string: nothing inside...
Easy to guess: on the regged version, this string resource contains a flag,
checked just before you start a search.
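Resource editors list string tables by block rather than by the ID passed to LoadStringA, so a lookup like the one above is easy to misread. The following is an added example, not part of the original essay: it maps an ID such as 0xC49A to its RT_STRING block and slot and decodes a raw block, where an absent string is simply a zero-length slot. The helper names and the sample block contents are constructed for illustration.

```python
import struct

def string_slot(string_id):
    """Map a LoadString ID to (RT_STRING block ID, index within the block)."""
    return (string_id >> 4) + 1, string_id & 0x0F

def parse_string_block(data):
    """Decode one RT_STRING block: 16 entries, each a 16-bit length (in
    UTF-16 code units) followed by that many code units, no terminator."""
    entries, pos = [], 0
    for _ in range(16):
        if pos + 2 > len(data):
            raise ValueError("truncated block: missing length word")
        (length,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + 2 * length
        if end > len(data):
            raise ValueError("truncated block: string runs past end")
        entries.append(data[pos:end].decode("utf-16-le"))
        pos = end
    return entries

def load_string(blocks, string_id):
    """Mimic what LoadStringA reports: the text, or '' (length 0) when the
    block or the slot is absent. `blocks` maps block ID -> raw block bytes."""
    block_id, index = string_slot(string_id)
    raw = blocks.get(block_id)
    return parse_string_block(raw)[index] if raw is not None else ""

def build_block(strings):
    """Constructed sample data: pack up to 16 strings into one raw block."""
    padded = list(strings) + [""] * (16 - len(strings))
    return b"".join(
        struct.pack("<H", len(s.encode("utf-16-le")) // 2) + s.encode("utf-16-le")
        for s in padded
    )

# Constructed sample: block 3146 holds IDs 50320..50335; slot 10 is empty.
SAMPLE = {3146: build_block(["Search", "Cancel"])}

if __name__ == "__main__":
    print(string_slot(0xC49A))
    print(repr(load_string(SAMPLE, 0xC49A)))
```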
To see what happens next, p-ret twice; you land here:
0054C24B ; CODE:0054C204↑j
0054C24B lea edx, [ebp-0FCh]
0054C251 mov eax, [ebp-2Ch]
0054C254 call sub_4095B8
0054C259 mov edx, [ebp-0FCh]
0054C25F lea eax, [ebp-2Ch]
0054C262 call sub_403EDC
0054C267 mov edx, [ebp-2Ch]
0054C26A mov eax, ds:dword_5778B0
0054C26F call sub_4DA868
0054C274 call sub_46EDFC
0054C279 test al, al               <- you are here
0054C27B jnz loc_54C31A
0054C281 mov eax, ds:dword_5778C0
0054C286 cmp byte ptr [eax+0Ch], 0
0054C28A jz short loc_54C2B4
0054C28C mov eax, ds:dword_5778C0
0054C291 mov edx, [eax]
0054C293 call dword ptr [edx+4]
The call to 46EDFC checks for the fake string inside the resource, which is not
present if your app is not registered on their server; in that case al contains
0, the jz to 56eb06 is not taken, and it shows the ads.
If you force the jz to jump, the ads will never be shown.
I usually don't like cracks, except for mere learning purposes, and usually I
would encourage readers to buy programs, but our patience is really tested by
these guys, who take your money and at the same time spit on your faces with
this awful banner autoshow feature. So I encourage you to create this patch and
spread it with the keygen, until those guys remove the feature on the next
version.
+Tsehp
I won't even bother explaining to you that you should BUY this target
program if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most Warez sites, complete and already regged,
farewell, don't come back.
Fravia+