Copernic 4.55 reversing
"If Unregistered then ads"

Anti Advertisement
November 2000
by +Tsehp

Well, "Eyeball grasping" is all the rage nowadays, and more and more dirty tricks are used to force you to look at completely useless banners and idiotic advertisements that no one in his right mind would click onto. Why this actually happens beats me: in my experience and world, in order to find the sort of people that would really eventually click onto one of these banners you would have to visit a center for mentally handicapped in their terminal phase. Maybe I'm wrong, though, and in the real "Guinea Pigs" world that the advertisers dream of, there really exist hundreds of thousands of slaves who happily click on any commercial abomination they see and then - drooling for pleasure - buy the crap they deserve. I doubt it, though. Anyway it is our holy duty to destroy these tricksters: they grasp our eyeballs? We'll grasp their - quite sensible - commercial balls. Here you go with the update of a simple, yet effective, essay by +Tsehp

There is a crack, a crack in everything
That's how the light gets in

Rating: (x)Beginner   (x)Intermediate   ( )Advanced   ( )Expert   ( )~S~

Ads are sneaking more and more inside your computer. Even if you pay for a program, its designers now don't hesitate to forward advertisement you NEVER WANTED to you. The money they get from their applications is not enough: they need you to click on their "big bucks" banners.
Let's just put an end to this...

Almost everybody knows this application: it's an easy to use "meta search bot" that uses the most current search engines to perform your search. It's one of the most used; therefore, similar to what Micro$oft does, they (try to) use an almost monopolistic situation with the aim to transform your computer into a mall, without asking you if they are authorised to.

Just try this: download the copernic 2000 pro version 4.55. Use a regular, non burned serial (a lot of keygens exist); at first launch, it shows no ads and everything is working fine. But this tool is auto updating to have the latest links to search engines, and when it does, it shows you at the next search beautiful banners at the top of your screen... Of course you can't disable the ads: tools, options, uncheck display ads while searching and you've got the opportunity to buy the program.

Of course it is possible to destroy all this devious - and *illegal* - activity, and since you should have the right to control what happens inside your pc, I will show how to perform an easy crack.
 
Softice (latest version 4.05)
ida 4.14
The crack has been performed on my actual OS: win 2000

[www.copernic.com]
Install the free version and use it - against itself - in order to find the pro version ;-)

The older versions of this target were gentle towards the user. This does not happen any more after version 4.1
 
  
The first step is not to hurry into Softice breakpointing. Sit down, use some good old "zen cracking" attitude and think a little about what this prog could do.

Now, since there is a feature to remove the ads - for people rich enough to escape the advertisement hell reserved for slaves and poor sods - this means that this target MUST keep a flag for it, a flag that decides whether the owner has enough money to escape advertisement or not. Of course this flag (let's say either true "poor_sucker= 0 give him hell" or false "poor_sucker= 1 he may escape without ads") must be either inside a more or less "hidden" file or inside the registry.

Dead easy, of course: we use the regmon tool and check and uncheck the display ads option. But nothing interesting happens. I also tried to check with filemon, just to see if it looks for a flag hidden inside a lost file: nothing again.

My last solution was to see if this program uses a flag hidden inside its resources, and to load a resource string, you can use loadlibraryA.
I found this part inside its disassembly:
  0046E270 
  0046E270 push ebp
  0046E271 mov ebp, esp
  0046E273 add esp, 0FFFFFBF8h
  0046E279 mov [ebp+var_8], edx
  0046E27C mov [ebp+var_4], eax
  0046E27F push 400h
  0046E284 lea eax, [ebp+var_408]
  0046E28A push eax
  0046E28B mov eax, [ebp+var_4]
  0046E28E push eax <-string number inside the resource
  0046E28F mov eax, ds:dword_5798B4
  0046E294 push eax
  0046E295 call LoadStringA_0 <-Put a bpx on this with softice before searching.
  0046E29A mov ecx, eax
  0046E29C lea edx, [ebp+var_408]
  0046E2A2 mov eax, [ebp+var_8]
  0046E2A5 call sub_403F2C
  0046E2AA mov esp, ebp
  0046E2AC pop ebp
  0046E2AD retn
Then, after the bpx, you start a search, and you stop just before the loadstring call, just at this location on win 2k.
The string number pushed is 0xC49A, 50330 in decimal. Take a resource editor and look for this string: nothing inside...
Easy to guess: on the regged version, this string resource contains a flag, checked just before you start a search.
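How a LoadString ID such as 0xC49A maps onto the string-table resource, and why a resource editor shows nothing for an ID whose slot is empty. This is an added example, not code from the original essay or from Copernic; the helper names are hypothetical and the block contents are constructed sample data.

```python
import struct

def locate_string(string_id):
    """Map a LoadString ID to (RT_STRING block ID, slot inside that block)."""
    return (string_id >> 4) + 1, string_id & 0x0F

def parse_string_block(data):
    """Decode one RT_STRING block: 16 entries, each a WORD length
    (in UTF-16 code units) followed by that many UTF-16LE characters."""
    strings, off = [], 0
    for slot in range(16):
        if off + 2 > len(data):
            raise ValueError(f"block truncated before slot {slot}")
        (length,) = struct.unpack_from("<H", data, off)
        off += 2
        end = off + 2 * length
        if end > len(data):
            raise ValueError(f"slot {slot} runs past the end of the block")
        strings.append(data[off:end].decode("utf-16-le"))
        off = end
    return strings

def build_block(entries):
    """Build a constructed sample block from {slot: text}; other slots stay empty."""
    out = b""
    for slot in range(16):
        text = entries.get(slot, "")
        out += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return out

def lookup(blocks, string_id):
    """Return the string for string_id, or "" when its block is absent or its
    slot has length 0 (the cases where LoadString copies no characters)."""
    block_id, slot = locate_string(string_id)
    raw = blocks.get(block_id)
    return parse_string_block(raw)[slot] if raw is not None else ""

# Constructed sample: the block that would hold ID 0xC49A, with only slot 3 filled.
SAMPLE_BLOCKS = {0xC4A: build_block({3: "constructed sample text"})}

if __name__ == "__main__":
    print(locate_string(0xC49A))                 # block ID and slot for the pushed ID
    print(repr(lookup(SAMPLE_BLOCKS, 0xC49A)))   # empty slot in an existing block
    print(repr(lookup(SAMPLE_BLOCKS, 0xC493)))   # filled slot in the same block
```

An empty slot is stored as a bare zero length word, so sixteen IDs share one block and an ID can be "present" in the table while holding no text at all.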
To see what happens next, p-ret twice, you land here:
0054C24B ; CODE:0054C204=18j
  0054C24B lea edx, [ebp-0FCh]
  0054C251 mov eax, [ebp-2Ch]
  0054C254 call sub_4095B8
  0054C259 mov edx, [ebp-0FCh]
  0054C25F lea eax, [ebp-2Ch]
  0054C262 call sub_403EDC
  0054C267 mov edx, [ebp-2Ch]
  0054C26A mov eax, ds:dword_5778B0
  0054C26F call sub_4DA868
  0054C274 call sub_46EDFC
  0054C279 test al, al <- you are here
  0054C27B jnz loc_54C31A
  0054C281 mov eax, ds:dword_5778C0
  0054C286 cmp byte ptr [eax+0Ch], 0
  0054C28A jz short loc_54C2B4
  0054C28C mov eax, ds:dword_5778C0
  0054C291 mov edx, [eax]
  0054C293 call dword ptr [edx+4]
  
The call 46edfc checks for the fake string inside the resource, which is not present if your app is not registered with their server; if so, al contains 0, the jz to 56eb06 is not taken and it shows the ads.
If you force the jz to jump, the ads will never be shown.
I usually don't like cracks, except for mere learning purposes, and usually I would encourage readers to buy programs, but our patience is really tested by these guys, who take your money and at the same time spit on your faces with this awful banner autoshow feature. So I encourage you to create this patch and spread it with the keygen, until those guys remove the feature on the next version.
+Tsehp

I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
Fravia+
 

(c) 2000: [fravia+], all rights reserved