TORN@DO presents: cRACKER's n0TES
Tips & Tricks for cracking NAG Screens


Aureate Media ADs removal (+Tsehp)
As you launch the program it shows you a banner that changes every 3 seconds, which is pretty annoying ... you just can't stop watching it. First I wondered: what could be the CALL that displays this?

CreateBitmap? DrawIcon? FillRect?

None of these ... it doesn't work with a single BPX in SoftICE. So I tried HWND binboy in SoftICE, and you see a hidden window: ADVERT.DLL ...

You don't have to look any further: fire up Win32Dasm on ADVERT.DLL, located in Windows\System or WinNT\System32, and look at the exported functions ... you will see _paint; note its address and put a BPX on this address in SoftICE.

And it works! Every time the banner changes, the program CALLs this exported function in ADVERT.DLL ... trace this function inside ADVERT.DLL while watching the banner, and you arrive here:

* Reference To: GDI32.StretchDIBits, Ord:0000h
   |
:XXXX (depends on your memory)
:XXXX E871750400 Call 0045DD24
:XXXX 85C0 test eax, eax
:XXXX 0F95C2 setne dl

Here's the documentation of this function:

The StretchDIBits function copies the color data for a rectangle of pixels in a device-independent bitmap (DIB) to the specified destination rectangle. If the destination rectangle is larger than the source rectangle, this function stretches the rows and columns of color data to fit the destination rectangle. If the destination rectangle is smaller than the source rectangle, this function compresses the rows and columns by using the specified raster operation.



int StretchDIBits( 
 HDC hdc,                  // handle of device context
 int XDest,                // x-coordinate of upper-left corner of dest. rect.
 int YDest,                // y-coordinate of upper-left corner of dest. rect.
 int nDestWidth,           // width of destination rectangle
 int nDestHeight,          // height of destination rectangle
 int XSrc,                 // x-coordinate of upper-left corner of source rect.
 int YSrc,                 // y-coordinate of upper-left corner of source rect.
 int nSrcWidth,            // width of source rectangle
 int nSrcHeight,           // height of source rectangle
 CONST VOID *lpBits,       // address of bitmap bits
 CONST BITMAPINFO *lpBitsInfo,  // address of bitmap data
 UINT iUsage,              // usage
 DWORD dwRop               // raster operation code
 );

So you've got the choice: either NOP the CALL to this function, or change its parameters so it shows whatever you want. Well, I NOPped it, and it doesn't show anything any more.




NAG Screen Cracking (josephCo)
This may seem confusing too ... but again, play around with it and you'll get used to using it. When a NAG Screen pops up, enter SoftICE and type:

     HWND

You should see something similar to:

Window-Handle  hQueue  SZ  QOwner    Class-Name            Window-Procedure
0080 (0)       2057    32  MSGSVR32  #32711 (switch_win)   17EF:00004B6E
0084 (1)       2057    32  EXPLORER  shell_trayWnd         1487:0000016C
...            ...     ..  ...       ...                   ...

What you want to do is scroll down the list of handles and look at the QOwner column. Find the handle of a window that belongs to your program, and if your NAG Screen has an OK button, look for BUTTON under Class-Name. If your NAG Screen doesn't have one, then any entry with BUTTON after it won't be the handle you want to break on. This is trial and error until you get the one you want (explained in a little bit). The list of handles will probably be quite long, but usually the NAG Screen is amongst the first that belong to your program.

TORN@DO's Tip
I highly recommend using a tool like SMU Winspector for cracking NAGs. It will save you the trial and error and so ease your work, which is always good.

SMU Winspector and other tools of that kind display all the information you need, the Window-Handle, Window-Class Name, Window-Text, Parent Window-Handle, Parent-Window Class Name, Parent Window-Text, Module ...

Once you think you've found your NAG Screen's handle, you will want to use the BMSG command. If you want to see the exact parameters it allows, while in SoftICE, type:

     HELP BMSG

OK, now to our example. Let's assume your NAG has an OK button after the handle you want to break on (easier to find), and you think you've found your proper handle. You would want to type:

     BMSG 0084 WM_DESTROY

Where 0084 is the handle of your NAG Screen. What this basically does is tell SoftICE to break after the NAG Screen has been erased from the screen. You will be deep inside some unknown API, so you will have to press F12 (P RET, which stands for Pause on RETurn) until you are back in your program's code. At this point you want to find where the initial NAG was created (set a BPX on most of the CALLs you come out of). The NAG Screen was most likely created and destroyed in the same CALL, so once you find the proper one, do whatever you need to do.





Splash Screens (Predator NLS)
The fastest way to crack NAG Screens is to use a hex editor and your eyes. Start your program and wait till the NAG Screen pops up. Now note down the caption of the window and the first words of the dialog message. Then open your EXE (or DLL) and search for the noted string. If you find it, scroll up and search for the 4 bytes FF FF FF 80 ... and if they are there, replace the 80h with 90h. After this patching, start your program and you will never see the NAG again.

Sometimes it's necessary to press a button to continue. In these cases you must often use a debugger!





The cRACKER's n0tES are divided into 10 main parts:
 00. INDEX
 01. Assembly for Crackers (CoRN2)
 02. SoftICE (Boot Menu, Setup, Commands)
 03. Breakpoints & Win API Details
 04. Jump Instructions
 05. SET Instructions
 06. Tips & Tricks for Cracking
        1 Crippled Programs
        2 Dongles
        3 General
        4 InstallSHIELD Setups
        5 Key File Protections
        6 NAG Screens
        7 Runtime Limits
        8 Serials
        9 Time Limits
       10 Visual Basic 'Programs'
 07. Window Messages For Crackers
 08. Identifying Functions, Arguments, and Variables (Rhayader)
 09. Commercial Protection Systems
 10. Bitmanipulation (Cruehead)
 11. General Cracking Theory
 12. FAQ

 +A. How to contact me
 +B. What's New?



The cRACKER's n0TES are Copyright © 1998-2000 by TORN@DO of ID. All Rights Reserved. Archived and Re-hosted by Werdstaff