remobann.gif

Courtesy of fravia's pages of reverse engineering


June 1999, part of the remove banners section of the anti-advertisement lab.
About Banners
By TeRR0RNauT
Most banners are quite basic in design. The usual method is to either 
require a user to have some java-script in his/her page or automatically 
add it when index.html is downloaded. 
I'll start this essay with a standard banner example, Xoom.
Xoom has an irritating Banner bar which is automatically added
to each page. To counter this banner it is important to understand
how it works. What xoom does is add a frame ontop of your own page.
This can be fixed in a quite easy way with a little java-script.

<script language="java-script">
if (top != self )
  {
   top.location.href =  "http://..."
  }
</script>

This script first checks if it's loaded as the topmost document.
which it isn't because of the xoom banner. Then it puts another
page in the top frame. My first thought was to just reload the 
index.html, but that won't work because xoom will just put
another banner ontop of that which will cause an infinite loop.
So the best solution is to put this code in your index.html

<script language="java-script">
top.location.href =  "http://..."
</script>

There is no top check because we already know that we aren't on top.
The only thing that needs to be done is put another page ( not index.html )
on top.

I know that this first part is quite easy and has been done a
million times before that's why I'll continue with a far more
interesting target & solution.
Redirectors are quite handy, because they hide your true url and
because they allow you to move your page around without the visitors
ever noticing. I first had a redirector at txe.org but they have been down 
for ages now so I started looking for another one. Which I found
at tsx.org. They provide a free service. But if you want them to 
hide your url ,( i.e. put a frame with "blabla.tsx.org" as location 
ontop of your page ), they'll show a popup-banner.

I started by looking at the java-script code for the banner.

<script language="java-script">
<!--
var useHeight = 105;
if (document.screen) { useHeight = screen.availHeight }
var bannerX = 5; var bannerY = useHeight - 100;
window.open('/frame/index.cfm','tsxwindowXXX', <------- 999 posibilities
            'resizeable=no,scrollbars=no,width=600,height=47,innerWidth=600,innerHeight=47,
             titlebar=no,screenX='+bannerX+',screenY='+bannerY+',left='+bannerX+',top='+bannerY);
function stopError() { return true; }
window.onfiltered= stopError;
//-->
</script>

With java-script it's possible to close popup-banners but there's a catch.
To close a window you'll first have to define/open it with it's name as a reference.
This is no problem if the window allready exists but if it doesn't then a new window
will be openend. 

<script language="java-script">
<!--
popup = window.open(popupURL,popupname);
popup.close()
//-->
</script>

So if the window name is randomized then you'll have to open a
lot of windows, which makes this method quite unfeasable.

Then I had a thought and looked at their update page.
At this update page you can configure various settings of the 
redirector. Two settings are interesting, the keywords and Description tags.
Which translate into the following in the final redirect frame.

<META NAME="Keywords" Confiltered="">
<META NAME="Description" Confiltered="">

The idea is to put html-code into these fields which will 
disable the banner. But if you disable the code after these
tags then you'll have no frames as well so you'll have to put your 
frames code into this tag. The result should look somewhat like this :
<META NAME="Description" Confiltered=""></head><frameset rows="100%,*" border="0" frameborder="0" framespacing="0" framecolor="#000000"><frame src=""></frameset><body></body></html><"> <--- End of Content Tag
      The content tag             ^^   ^^            ^^                                                                                                ^^          ^^            ^
                                  ||Close head  Start Frames                                                                                       End Frames      ||    End with open bracket
                                  ||                                                                                                                            End HTML
                                  ||
                          Close content tag

The two most important things are the close content trick and
the final open bracket. Because the final open bracket the rest of
the page will be seen as between brackets, and therefore will not be
displayed or executed.
When you try to set the content tags to this string you'll notice
a problem. You can only enter 30 chars. Which is too little for a nice frameset.
But I noticed that this 30 char max was defined in the html form.
Forms are a way of entring information into a html page which can then
be sent to some cgi on a server. Because the max was defined in the form
it should be changeable. So I made a local copy and set the max to 255.
The only problem with a local copy is that the result will be sent to yourseld
so you'll have to edit the <base> tag , and maybe change a few relative
URL's.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>TSX: Host Update</TITLE>


</HEAD>
<BODY BGCOLOR="#333333" TEXT="#FFFFFF" LINK="#3399FF" VLINK="#3366FF">
<P ALIGN="CENTER"><CENTER>
<TABLE CELLPADDING=8 CELLSPACING=8 BORDER=0>
<TR><TD WIDTH=164 ALIGN="CENTER" VALIGN="TOP">
<A HREF="/home.html">
<IMG SRC="logo.gif" WIDTH=164 HEIGHT=198 BORDER=0 ALT="TSX The Technosite Exchange"></A>
</TD><TD ALIGN="LEFT" VALIGN="TOP">

<FORM METHOD="POST" ACTION="update.cfm?Code=Process"> 


<INPUT TYPE="hidden" NAME="HostName" VALUE="terr0rnaut">
<INPUT TYPE="hidden" NAME="URL_required" VALUE="Please enter the URL">
<INPUT TYPE="hidden" NAME="Password_required" VALUE="Please enter your Password">
<INPUT TYPE="hidden" NAME="Owner_required" VALUE="Please enter the Owner's Name">
<INPUT TYPE="hidden" NAME="Email_required" VALUE="Please enter email address">
<H1>Host Update </H1>
<TABLE>
<TR><TD BGCOLOR="#666666"><B>HostName</B></TD>
<TD></TD></TR>
<TR><TD BGCOLOR="#666666"><B>URL</B></TD>
<TD><INPUT TYPE="text" NAME="URL" VALUE="" SIZE=30 MAXLENGTH=150></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Owner</B></TD>
<TD><INPUT TYPE="text" NAME="Owner" VALUE="" SIZE=30 MAXLENGTH=50></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Email</B></TD>
<TD><INPUT TYPE="text" NAME="Email" VALUE="" SIZE=30 MAXLENGTH=50></TD></TR>
<TR><TD BGCOLOR="#666666"><B>Password</B></TD>
<TD><INPUT TYPE="text" NAME="Password" SIZE=20 VALUE="" MAXLENGTH=50></TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>SiteHide™</B></TD>
<TD><INPUT TYPE="radio" NAME="Popup" VALUE="1" Checked > On<BR>
<INPUT TYPE="radio" NAME="Popup" VALUE="0" > Off</TD></TR>
<TR><TD BGCOLOR="#666666" VALIGN="TOP"><B>Adult</B></TD>
<TD><INPUT TYPE="radio" NAME="Adult" VALUE="1" > Yes<BR>
<INPUT TYPE="radio" NAME="Adult" VALUE="0" Checked > No</TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Title</B></TD>
<TD><INPUT TYPE="text" NAME="Title" MAXLENGTH=50 SIZE=30 VALUE=""></TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Keywords</B></TD>
<TD><INPUT TYPE="text" NAME="Keywords" MAXLENGTH=50 SIZE=30 VALUE=""></TD></TR>
<TR><TD BGCOLOR="#669966" VALIGN="TOP"><B>Description</B></TD>

<TD><INPUT TYPE="text" NAME="Description" MAXLENGTH=255 SIZE=30 VALUE=""></TD></TR>


<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#666699"><B>StartPage</B></TD>
<TD>
<INPUT TYPE="text" NAME="HomePage" VALUE="" SIZE=30 MAXLENGTH=150>
</TD></TR>
<TR><TD COLSPAN=2> </TD></TR>
<TR><TD BGCOLOR="#666666"> </TD>
<TD><INPUT TYPE="submit" VALUE="Update"></TD></TR>
</TABLE>
</FORM>
</TD></TR>
</TABLE>
</CENTER></P>
</BODY>
</HTML>

I loaded this page into my browser, changed the Description field
and pressed the update button ..It worked .
This is possible because TSX doesn't filter html chars from the content fields
and because they don't validate the length of the content fields.
I hope you have learned something, I certainly had a lot of
fun reversing TSX's banner code. And remember that this is not illegal.
I merely prefer rather wierd content fields, and their banner code isn't removed.
The browser just doesn't execute it anymore.
GreetZ TeRR0RNauT.

red

 


red

redhomepage red links red anonymity +ORC redstudents' essays redacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_fravia
redIs reverse engineering illegal?