Cracking Tutorial #82:
LingoChess V1.0
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:]  http://lingochess.extendedsoft.com
[tOOLz:] Un-Pack, Resource Hacker, UPX 1.20w (Optional: W32dasm)


KANAL23 Tutorial

http://www.kanal23.net




LingoChess v1.0

Download it from

http://lingochess.extendedsoft.com      



Written by

sLeEpY¿

Tools

  • Un-Pack, Resource Hacker, UPX 1.20w

  • (Optional: W32dasm)

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

LingoChess is a free game financed by advertising. ADWARE AHHHHHHH!!!

The Essay

Run LingoChess and you get a nice game of chess with some stupid banners. Let's get rid of those banners so we can just have the nice game of chess. First of all, if you can't find all the tools you need, make a stop here and grab 'em: http://linux20368.dn.net/protools/
Or just search for protools on http://www.google.com

First, let's look with W32dasm to see where the ads are coming from. Well, W32dasm doesn't seem to work correctly on this, so an educated guess by anyone would say it's packed.

Start the program called Un-Pack, open the file lingochess.exe and run it, and it will identify the file like so:
Packed by UPX v.0.76.2-1.??
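
A packer identification like the one above can be cross-checked by reading the PE section table, since UPX normally leaves sections named UPX0 and UPX1, the first with no bytes on disk. The following is an added example, not part of the original tutorial; the function names are illustrative and the sample is a constructed, header-only image, not lingochess.exe.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine, NumberOfSections, ...,
    # SizeOfOptionalHeader, Characteristics (20 bytes in total).
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        off = table + 40 * i  # each section header is 40 bytes
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size))
    return out

def packer_hints(sections):
    """Heuristics only: UPX-style section names, and sections with no bytes on disk."""
    hints = []
    for name, vsize, raw_size in sections:
        if name.upper().startswith("UPX"):
            hints.append(f"section name {name!r} looks like UPX")
        if raw_size == 0 and vsize > 0:
            hints.append(f"{name!r} has no raw data but {vsize:#x} bytes in memory")
    return hints

def build_sample():
    """Constructed header-only image (not lingochess.exe): UPX0, UPX1, .rsrc."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x010F)
    def sect(name, vsize, va, raw):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0x400, 0, 0, 0, 0, 0xE0000080)
    return (dos + b"PE\0\0" + coff + sect(b"UPX0", 0x60000, 0x1000, 0)
            + sect(b"UPX1", 0x30000, 0x61000, 0x2F800)
            + sect(b".rsrc", 0x2000, 0x91000, 0x1C00))

if __name__ == "__main__":
    for hint in packer_hints(pe_sections(build_sample())):
        print(hint)
```

Section names are trivially renamed, so treat a hit as a hint to confirm with the unpacker itself, not as proof.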

So we downloaded the older versions of UPX from http://www.exetools.com, but none of the .76 ones worked, so we just grabbed the latest and unpacked it with that. For those who don't know how to unpack a UPX executable, you can use the -d option, like so:
UPX -d lingochess.exe (this must be run from a command line, in case you don't know)


Now lingochess is unpacked.
Well, let's just take a second to show what is in this. You can skip this step, but I like to show where adware can be seen in W32dasm: just disassemble it, check the string references (Strn Ref's) and you will find these:

"http://www.kuemmeltransporte.de/Advertising/1d"
"http://www.kuemmeltransporte.de/Advertising/1e"
"http://www.kuemmeltransporte.de/Advertising/1f"
"http://www.kuemmeltransporte.de/Advertising/1i"
"http://www.kuemmeltransporte.de/Advertising/2d"
"http://www.kuemmeltransporte.de/Advertising/2e"
"http://www.kuemmeltransporte.de/Advertising/2f"
"http://www.kuemmeltransporte.de/Advertising/2i"


Just add an htm to the end of any of these and load it in your browser to see a big fat ad.
http://www.kuemmeltransporte.de/Advertising/1en.htm

Ok, this is where the trusty old Resource Hacker comes in. Let's just open it in that and look for the annoying ads.

Check here:
RCDATA
 -TFRMRDCHESS   <-our main form 'chess', obvious
  -0

Look for these lines and remove them!

object Panel1: TPanel
  Left = 434
  Top = 282
  Width = 186
  Height = 186
  BevelOuter = bvNone
  Color = clWhite
  TabOrder = 1
  object WebBrowser1: TWebBrowser   <-a reference to the webbrowser, hmm..
    Left = -12
    Top = -17
    Width = 229
    Height = 230
    TabOrder = 0
    OnNavigateComplete2 = WebBrowser1NavigateComplete2   <-navigate, maybe when I click an ad?
    ControlData = {
      4C000000AB170000C51700000000000000000000000000000000000000000000
      000000004C000000000000000000000001000000E0D057007335CF11AE690800
      2B2E126204000000000000004C0000000114020000000000C000000000000046
      8000000000000000000000000000000000000000000000000000000000000000
      00000000000000000100000000000000000000000000000000000000}
  end
end
object Panel2: TPanel
  Left = 10
  Top = 480
  Width = 610
  Height = 68
  BevelOuter = bvNone
  Color = clWhite
  TabOrder = 2
  object WebBrowser2: TWebBrowser   <-a reference to the webbrowser, hmm..
    Left = -12
    Top = -17
    Width = 675
    Height = 124
    TabOrder = 0
    OnNavigateComplete2 = WebBrowser1NavigateComplete2   <-navigate, maybe when I click an ad?
    ControlData = {
      4C000000C3450000D10C00000000000000000000000000000000000000000000
      000000004C000000000000000000000001000000E0D057007335CF11AE690800
      2B2E126204000000000000004C0000000114020000000000C000000000000046
      8000000000000000000000000000000000000000000000000000000000000000
      00000000000000000100000000000000000000000000000000000000}
  end
end

object RefreshBannerTimer: TTimer   <-refresh banner, trash it too
  Interval = 500000                 <-time between banner changes
  OnTimer = RefreshBannerTimerTimer
  Left = 744
  Top = 592
end


As you can see, we just wiped the parts where the program calls the banners and loads them, and the banner change timer as well. Compile and save the program. Run it: no more banners. Now it's ready; just drag and drop it back on UPX.exe to repack it. Program adware cracked.
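
The same form text can be inventoried mechanically when triaging a Delphi program for bundled ad components: the sketch below walks the object/end nesting of a text-form DFM and reports every TWebBrowser with its event handlers. It is an added example, not part of the original tutorial; the function names are illustrative and the sample is constructed and abridged from the shape of the listing above.

```python
import re

OBJ = re.compile(r"^(?:object|inherited|inline)\s+(\w+)\s*:\s*(\w+)")
PROP = re.compile(r"^([\w.]+)\s*=\s*(.*)$")

def dfm_components(text):
    """Walk text-form DFM; return a dict per component with path, class, props."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJ.match(line)
        if m:
            names = [c["name"] for c in stack if c] + [m.group(1)]
            comp = {"name": m.group(1), "path": "/".join(names),
                    "cls": m.group(2), "props": {}}
            found.append(comp)
            stack.append(comp)
        elif line == "item":            # collection entries also close with 'end'
            stack.append(None)
        elif line in ("end", "end>"):
            if stack:
                stack.pop()
        elif stack and stack[-1] is not None:
            p = PROP.match(line)
            if p:                       # hex continuation lines have no '='
                stack[-1]["props"][p.group(1)] = p.group(2)
    return found

def embedded_browsers(text):
    """(path, event handlers) for every TWebBrowser found in the form."""
    return [(c["path"], {k: v for k, v in c["props"].items() if k.startswith("On")})
            for c in dfm_components(text) if c["cls"] == "TWebBrowser"]

# Constructed sample, abridged from the shape of the listing above.
SAMPLE = """\
object Panel1: TPanel
  Left = 434
  object WebBrowser1: TWebBrowser
    TabOrder = 0
    OnNavigateComplete2 = WebBrowser1NavigateComplete2
    ControlData = {
      0000000000000000}
  end
end
object RefreshBannerTimer: TTimer
  Interval = 500000
  OnTimer = RefreshBannerTimerTimer
end
"""

if __name__ == "__main__":
    for path, handlers in embedded_browsers(SAMPLE):
        print(path, handlers)
```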




Final thoughts

"Do not seek to follow in another's footsteps, rather seek what he sought."
-Zen Saying


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
