Cracking binary boy
an Ad display free program
Anti advertisement
Anti-Advertisement
07 September 1999
by +Tsehp
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
980907
+Tsehp
1000
AA
PC
Another tiny, yet valuable addition to our superior advertisement-free lifestyle.
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Cracking a new kind of shareware programs : ad display programs. Well I suggest this name ADNAG proggie...

Cracking binary boy
an Ad display free program

Written by +Tsehp


Introduction
Until now, you had to pay for registering the shareware so it doesn't display anymore nags or you've got disabled functions enabled.
This was working with a serial number or license file. Well this new type of programs is just sponsored so the author was paid by the sponsor before launching his shareware, oy maybe the sponsor is counting every hit on his page when you click on the banner.

We'll I don't like ads so here's the way to kill them in this prog.

Tools required
windasm 8.9 softice 3.x

Target's URL/FTP
http://www.binaryboy.com/

Program History
Binary boy is a program made to find binary attachments on usenet, very useful to find warez.

Essay
You launch, it shows you a banner changing every 3 seconds, pretty annoying you just can't stop watching this banner.
First I wonder : what could be the call to display this ?

Createbitmap ? drawicon ? fillrect ?
None oh this, it's not working with a single bpx in softice.
So I tried in softice HWND binboy and you see hidden window : advert.dll
You don't have to look any further : fire windasm on advert.dll located in windows\system or winnt\system32 Look at the exported functions, you will see _paint,
look at the adress and put a bpx on this adress with softice.
And it works ! Every time the banner changes, binboy call this exported function in advert.dll
Trace this function inside advert.dll and survey the banner, you arrive here : 
* Reference To: GDI32.StretchDIBits, Ord:0000h
   |
:XXXX (depends on your memory)
:XXXX E871750400 Call 0045DD24
:XXXX 85C0 test eax, eax
:XXXX 0F95C2 setne dl
here's the documentation of this function :

The StretchDIBits function copies the color data for a rectangle of pixels in a device-independent bitmap (DIB) to the specified destination rectangle. If the destination rectangle is larger than the source rectangle, this function stretches the rows and columns of color data to fit the destination rectangle. If the destination rectangle is smaller than the source rectangle, this function compresses the rows and columns by using the specified raster operation.

int StretchDIBits(

HDC hdc,

// handle of device context

int XDest,

// x-coordinate of upper-left corner of dest. rect.

int YDest,

// y-coordinate of upper-left corner of dest. rect.

int nDestWidth,

// width of destination rectangle

int nDestHeight,

// height of destination rectangle

int XSrc,

// x-coordinate of upper-left corner of source rect.

int YSrc,

// y-coordinate of upper-left corner of source rect.

int nSrcWidth,

// width of source rectangle

int nSrcHeight,

// height of source rectangle

CONST VOID *lpBits,

// address of bitmap bits

CONST BITMAPINFO *lpBitsInfo,

// address of bitmap data

UINT iUsage,

// usage

DWORD dwRop

// raster operation code

);
So you've got the choice : just NOP the call to this function or change the parameters and it will show whatever you want. Well I nopped it and it doesn't show anything.
Final suggestion : If you're tired to see ads on your favorite browser, just try adsOff from intertech...
great program.

+Tsehp

Final Notes
Well this prog is not the last and it's no protection at all. My dream is that the programmers will be paid by the sponsors before selling their programs so if we remove the ads after it will be no damage to him.
Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
You are deep inside fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjava-script wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?