Netscape 4.08-Cookie-Patch
24/02/00 by DR Farohar 23/02/00
Cookies be gone! (Fravia used the same sentence to start his introduction to the same kind of tutorial... Well, I would be pretty pissed off if everybody copied me, but there are so many things burned into my mind that they happen automatically. In the end you act and live on what you have learned, and Fravia (and the others on his site) were/are my teachers. So everything on this site is dedicated to those people and is not to be seen as a copy, etc. The more this site grows, the more it will find its own style.) Another tutorial on removing any cookie activity from your computer... At the moment only for Netscape, but I'm working on M$ IE. Once finished, I'll create a program that does this automatically. You'll find it in our Tools Section.
Faro
Target group:
Newbies.
Prerequisites:
- Basic knowledge of SoftIce
- how to patch a program using a hex-editor
Tools used:
- SoftIce (demo version available at http://www.numega.com (check out the various tutorials on cracking SoftIce... but this program is worth paying for!!!))
- Netscape 4.08 as the actual target
- a hex editor of your choice
- This html-document to trigger the cookie check routine.
Patch:
I got the idea for this from reading a tutorial which did exactly the same. I don't remember who wrote it, but I will add his name when I find it in the mess of saved tutorials on my computer. His patch was for a Netscape Gold version. The main reason for this tutorial is that I wanted (and will) write a program that enables/disables this feature in M$ IE and Netscape, so one can enable it when needed (yeah, cookies are not always a bad thing; it depends on how and when you use them, as with everything ['tis life-reversing again]). I could not yet figure out how to break into IE's cookie routine, but that is mainly because I did not try hard. I will add this as well.
This tutorial shows one of the many ways Reverse Engineering can be used to actually improve a program or change it so it fits one's needs. This is only ONE reason why you should study RE and why cracking should not always be seen as a negative thing.
Load the test html-document and click on the "create cookie" button (make sure you have enabled cookies and set NS to warn you before accepting a cookie). You'll see a message box popping up that asks whether you allow this cookie to be saved on your computer. So we set a bpx on MessageBoxA and do the procedure again. SoftIce breaks, and we press F12 (run until the current function returns). The message box pops up, so we press "OK" and find ourselves back in SoftIce right here:
    0063553A   ...               CALL ...                            <- the call (I patched it before writing the values down... will update this as well)
    0063553F   C745FCFFFFFFFF    MOV DWORD PTR [EBP-04],FFFFFFFF     <- that's where we land
We see the call is exactly one line above our current location (a near CALL is 5 bytes long, which is why the return address 0063553F is 5 bytes past 0063553A), so press F6 to switch to the code window, move the cursor onto the call and press F9 to set a breakpoint on it. Ctrl+D back out of SoftIce and press "create cookie" again. This time SoftIce breaks before the message box is created, and our current position should be exactly on the call that leads to the message box.

We overwrite the call with 5 NOPs (or, if you want something less obvious, with a 5-byte filler such as inc eax, dec eax, nop, inc eax, dec eax; note that this must be eax, not ax: in 32-bit code "inc ax" needs an operand-size prefix and takes 2 bytes, so the sequence would no longer fit into the 5 bytes of the call). To do that press "a", type nop and press ENTER; you'll have to do that 5 times. Having done that, press ESC to stop assembling and Ctrl+D to leave SoftIce. NS should not ask about cookies anymore. Keep in mind that with either filler the patched-out call no longer sets EAX, so anything the caller does with the return value afterwards now depends on whatever happened to be in EAX. Also note that 0063553A is an address in memory; a hex editor works with file offsets, so when you move the patch into the executable, search for the bytes around the call rather than for the address.

Before you go on and hex-patch your NS executable, stop and read the rest :) I am not sure if this patch works 100% because if I leave NS and run it again it still does not accept cookies (which it should, because we only memory-patched NS). Also, if you try to change your preferences it won't let us and talks about some missing dll files.. The reason why I'm not going to check it right now is that I have to go to the computing room, and while doing that I will update the HP. I will check and update this file in the next 7 days. The reason for the above will probably be that we patched the whole function and not just the function to disable the cookies, which is a subfunction of another one (the one we patched), so we have to trace into this call and patch another call... I will check that tomorrow or the day after tomorrow. If you are desperate you can try by yourself; it should not be a problem because you know from where to go on.

BTW: to find the check for which button was pressed, single-step through the code with F10, stepping over 3 returns, until you reach a test eax,eax followed by a jnz 005565A1. Patching this shows the same effect, except that you still see this nasty message box popping up all the time.
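The last step of the procedure, moving the memory patch into the file with a hex editor, is where people usually slip: SoftIce shows a virtual address (0063553A), while the hex editor wants a file offset, and the two differ by the PE section mapping. The following Python helper is an added example and is not part of the original tutorial or of Netscape. It locates the patch site in a file by its byte pattern (a 5-byte E8 CALL followed directly by the C7 45 FC FF FF FF FF of the MOV shown in the listing above), decodes the CALL's target from its rel32 operand as a sanity check, and overwrites the CALL with a same-length replacement only after verifying that the bytes it expects are really there. The callee address 0x00612340 and the sample image are constructed (the tutorial elides the CALL operand), and the alternative replacement mov eax,1 assumes that the patched-out function signals "accepted" by returning non-zero in EAX, which the tutorial does not establish.

```python
import re
import struct

# Bytes of the instruction that follows the CALL in the tutorial listing:
# 0063553F  C745FCFFFFFFFF  MOV DWORD PTR [EBP-04],FFFFFFFF
LANDMARK = bytes.fromhex("C745FCFFFFFFFF")

# A near relative CALL is opcode E8 plus a signed 32-bit displacement: 5 bytes.
CALL_OPCODE = 0xE8
CALL_LEN = 5

# Two same-length (5-byte) replacements for the CALL.
PATCH_NOP = b"\x90" * CALL_LEN               # nop x5, exactly what the tutorial does
PATCH_RET1 = b"\xB8" + struct.pack("<I", 1)  # mov eax,1 -- ASSUMPTION: callee returns non-zero for "accepted"

# Byte pattern of the patch site: E8, any 4 displacement bytes, then the landmark MOV.
SITE_RE = re.compile(rb"\xE8.{4}" + re.escape(LANDMARK), re.DOTALL)

CALL_VA = 0x0063553A            # from the tutorial
CALLEE_VA = 0x00612340          # hypothetical; the tutorial elides the CALL operand
SAMPLE_FILE_OFFSET = 0x10       # where the CALL sits inside the constructed sample


def find_patch_site(data: bytes) -> int:
    """Return the file offset of the CALL; refuse unless the pattern is unique."""
    hits = [m.start() for m in SITE_RE.finditer(data)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one patch site, found {len(hits)}")
    return hits[0]


def call_target(data: bytes, offset: int, va_of_offset: int) -> int:
    """Decode the CALL at offset: target = VA of the next instruction + rel32."""
    if data[offset] != CALL_OPCODE:
        raise ValueError("no E8 at offset")
    rel32 = struct.unpack_from("<i", data, offset + 1)[0]
    return (va_of_offset + CALL_LEN + rel32) & 0xFFFFFFFF


def patch_call(data: bytes, offset: int, replacement: bytes = PATCH_NOP) -> bytes:
    """Overwrite the 5-byte CALL at offset after checking the bytes we expect."""
    if len(replacement) != CALL_LEN:
        raise ValueError("replacement must be exactly 5 bytes")
    if data[offset] != CALL_OPCODE:
        raise ValueError("refusing to patch: no CALL at offset (already patched?)")
    after = data[offset + CALL_LEN : offset + CALL_LEN + len(LANDMARK)]
    if after != LANDMARK:
        raise ValueError("refusing to patch: landmark MOV not found after CALL")
    out = bytearray(data)
    out[offset : offset + CALL_LEN] = replacement
    return bytes(out)


def build_sample() -> bytes:
    """Constructed stand-in for the executable: filler, the CALL, the MOV, filler."""
    rel32 = (CALLEE_VA - (CALL_VA + CALL_LEN)) & 0xFFFFFFFF
    call = bytes([CALL_OPCODE]) + struct.pack("<I", rel32)
    return b"\xCC" * SAMPLE_FILE_OFFSET + call + LANDMARK + b"\xCC" * 8


if __name__ == "__main__":
    img = build_sample()
    off = find_patch_site(img)
    print(f"CALL at file offset {off:#x}, target {call_target(img, off, CALL_VA):#010x}")
    patched = patch_call(img, off, PATCH_RET1)
    print("patched site:", patched[off : off + CALL_LEN + len(LANDMARK)].hex())
```

To use it on the real binary, replace build_sample() with the contents of the executable and write the result back to a copy. Because find_patch_site insists on exactly one match and patch_call rejects an offset that no longer starts with E8, running it twice fails loudly instead of silently mangling the MOV that follows the call.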
As I said, update of this doc in the near future.
Disclaimer: The stuff on this page should be legal. If you encounter any
illegal files/info/etc. please mail us and we will remove it.
Copyright DR Farohar / Mental Surgery Crew -- © 1999, 2000. All rights reversed.