Name     : Download Accelerator
Version  : 3.5
Editor   : Lidan
Target   : DownloadAccelerator.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           Brain
Cracker  : LW2000
Tutorial : No.6

http://www.lidan.com/

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it's not my mother language....

1. Install Download Accelerator. After installing, go online and right-click
   on, for example, a zip file. Save it. You get a new dialog from Download
   Accelerator. Save it with Download Accelerator, but do NOT choose regular
   download!

2. *BOOM* Works fine, but what the hell is this advertising data doing in our
   window? That's not nice, Download Accelerator loads this shit in the
   background. It slows down our connection!

3. Let's crack this bitch of a program. Copy DownloadAccelerator.exe to
   backup.exe. Mhmm, interesting, an ADFiles directory. Let's take a look in it!
   OK, this is where the program stores our adverts. But where does this shit
   come from? Take a look at the registry. Start Regedit and go to
   [HKEY_LOCAL_MACHINE\Software\Lidan\Download Accelerator].
   Mhmm, what's this:

       "AdSite"="fv4r<8142;942545403641elk/dap1c4u0fn4"

   I think this key will be different for you, but shit, let's kill it ;)
   Double-click on this string and delete it.

       "AdSite"=""

   This is what we've got now.

4. So, let's go online and check it out! Mhmm, a new messagebox:
   "AD Site is empty, cannot continue"
   Alright, open our baby in W32DASM.

5. Click the SDR button. Find "AD Site is empty, cannot continue".
   Double-click on this string and close the SDR window.
   You see this:

   * Reference To: MFC42.Ordinal:0320, Ord:0320h
                                     |
   :00402023 E83EEF0000              Call 00410F66
   :00402028 8B07                    mov eax, dword ptr [edi]
   :0040202A 8B48F8                  mov ecx, dword ptr [eax-08]
   :0040202D 85C9                    test ecx, ecx               <-- Mhmm, interesting
   :0040202F 7534                    jne 00402065                <-- Bad Boy
   :00402031 8B442410                mov eax, dword ptr [esp+10]
   :00402035 50                      push eax

   * Reference To: ADVAPI32.RegCloseKey, Ord:0145h
                                     |
   :00402036 FF1524D64100            Call dword ptr [0041D624]
   :0040203C 6A00                    push 00000000
   :0040203E 6A00                    push 00000000

   * Possible StringData Ref from Data Obj ->"AD Site is empty, cannot continue"
                                     |
   :00402040 6830A24100              push 0041A230               <-- Here we are

6. OK, we go to the code location 0040202F. If you look at 0040202F you see a
   jump. If not equal, we go to 00402065, else this nasty messagebox pops up!
   We are going to change this... Place the bar at:

   :0040202F 7534                    jne 00402065

   In the status bar you will see the offset 142Fh (the h is for hex and you
   can forget it). Our offset is 142F.

7. Exit W32Dasm and load DownloadAccelerator.exe in hiew. Press Enter twice to
   go to decode mode. Press F5 to go to code location 142F. Press F3 to edit
   the file and change 7534 to 7434. This changes jne to je. Now it will
   always jump unless you have an AdSite. Press F9 to update and F10 to quit.

8. So, let's go online and check it out! Congratulations! No advertising data!

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read
them... they are the best!
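
Added example (not part of the original tutorial): an integrity check that compares a known-good copy of a binary with the installed one and flags single-byte conditional-jump inversions such as the 7534 -> 7434 change in step 7. The sample bytes are constructed from the listing in step 5; the function names and the byte-level heuristic are assumptions of this example.

```python
import hashlib

# Short conditional jumps are opcodes 0x70-0x7F, near ones are 0F 80-8F.
# The low bit of the opcode inverts the condition (75 = jne, 74 = je).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def diff_bytes(good, suspect, base=0):
    """Return (file_offset, old_byte, new_byte) for every differing position."""
    if len(good) != len(suspect):
        raise ValueError("length mismatch: not an in-place patch")
    return [(base + i, a, b)
            for i, (a, b) in enumerate(zip(good, suspect)) if a != b]

def classify(good, index, old, new):
    """Label a one-byte change. Byte-level heuristic, not a disassembler."""
    if old ^ new == 1:  # same opcode pair, only the condition bit differs
        pair = f"{JCC[old & 0x0F]} -> {JCC[new & 0x0F]}"
        if 0x70 <= old <= 0x7F:
            return "short jump inverted: " + pair
        if 0x80 <= old <= 0x8F and index > 0 and good[index - 1] == 0x0F:
            return "near jump inverted: " + pair
    return "other modification"

def audit(good, suspect, base=0):
    """Compare a known-good image with a suspect one and describe each change."""
    findings = [(off, classify(good, off - base, old, new))
                for off, old, new in diff_bytes(good, suspect, base)]
    same = hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest()
    return {"sha256_match": same, "findings": findings}

# Constructed sample: the bytes shown at 0040202D-00402035 in the listing,
# placed at file offset 142D so that the jne sits at offset 142F.
BASE = 0x142D
GOOD = bytes.fromhex("85C975348B44241050")
SUSPECT = bytes.fromhex("85C974348B44241050")  # 7534 changed to 7434

if __name__ == "__main__":
    report = audit(GOOD, SUSPECT, BASE)
    print("hashes match:", report["sha256_match"])
    for offset, label in report["findings"]:
        print(f"offset {offset:X}h: {label}")
```

A hash mismatch alone says the file changed; the per-byte classification says that the change reverses a branch decision, which is the pattern to review first.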