Please select a file

Copernic 4.55 reversing
 "If Unregistered then = ads"

antiad
Anti Advertisement
November 2000

by +Tsehp

+cracker!

Well, "Eyeball grasping" is all the rage nowadays, and more and more dirty tricks are used to force you to look at completely useless banners and idiotical advertisements that noone in his right mind would click onto. Why this actually happens beats me: in my experience and world, in order to find the sort of people that would really eventually click onto one of these banners you would have to visit a center for mentally handicapped in their terminal phase. Maybe I'm wrong, though, and in the real "Guinea Pigs" world that the advertisers dream of, there really exist hundred thousands of slaves who happily click on any commercial abomination they see and then - drooling for pleasure - buy the crap they deserve. I doubt it, though.
Anyway it is our holy duty to destroy these tricksters: they grasp our eyeballs? We'll grasp their - quite sensible - commercial balls. Here you go with the update of a simple, yet effective, essay by +Tsehp


There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner   (x)Intermediate   ( )Advanced   ( )Expert   ( )~S~

Ads are sneaking more and more inside your computer. Even if you pay for a program, its conceptors now don't hesitate to forward advertisement you NEVER WANTED to you. The money they get from their applications is not enough: they need you to click on their "big bucks" banners.

Lets just put an end to this...


Copernic 4.55 reversing
 If Unregistered then ads
Written by +Tsehp
Introduction

Almost everybody knows this application, it's an easy to use "meta search bot" that uses the most current search engines to perform your search. It's one of the most used, therefore, similar to what Micro$oft does, they (try to) use an almost monopolistic situation with the aim to transform your computer into a mall.
Without asking you if they are authorised to.

Just try this : download the copernic 2000 pro version 4.55 Use a regular, non burned serial (a lot of keygens exists), at first launch, it shows no ads and everything is working fine. But this tool is auto updating to have the last links to search engines, and when it does, it shows you at the next search beautiful banners at the top of your screen... Of course  you can't disable the ads : tools,options,uncheck display ads while searching and you've got the opportunity to buy the program.
Of course it is possible to destroy all this devious - and *illegal* - activity, and since you should have the right to control what happens inside your pc, I will show how to perform an easy crack.

Tools required
Softice (latest version 4.05)
ida 4.14

The crack has been performed on my actual OS: win 2000

Target's URL/FTP
[www.copernic.com]    Install the free version and use it - against itself - in order to find the pro version ;-) 

Program History
The older versions of this target were gentle towards user. This does not happen any more after version 4.1

Essay


The first step is not to hurry on softices breakpointing. Sit down, use some good old "zen cracking" attitude and think a little about what this prog could do.

Now, since there is a feature to remove the ads - for people rich enough to escape the advertisement hell reserved for slaves and poor sods - this means that this target MUST keep a flag for it, a flag that decides wether the owner has enough money to escape advertisement or not. Of course this flag (let's say either true "poor_sucker= 0 give him hell" or false "poor_sucker= 1 he may escape without ads") must be either inside a kore or less "hidden" file or inside the registry.
Dead easy, of course: We use the regmon tool and check and uncheck the display ads option. But nothing interesting happens. I also tried to check with filemon,
just to see if it looks for a flag hidden inside a lost file, nothing again.
My last solution was to see if this program use a flag hidden inside its resources, and to load a resource string, you can use loadlibraryA.
I found this part inside its disassembly :


0046E270
0046E270 push ebp
0046E271 mov ebp, esp
0046E273 add esp, 0FFFFFBF8h
0046E279 mov [ebp+var_8], edx
0046E27C mov [ebp+var_4], eax
0046E27F push 400h
0046E284 lea eax, [ebp+var_408]
0046E28A push eax
0046E28B mov eax, [ebp+var_4]
0046E28E push eax <-string number inside the resource
0046E28F mov eax, ds:dword_5798B4
0046E294 push eax
0046E295 call LoadStringA_0 <-Put a bpx on this with softice before searching.
0046E29A mov ecx, eax
0046E29C lea edx, [ebp+var_408]
0046E2A2 mov eax, [ebp+var_8]
0046E2A5 call sub_403F2C
0046E2AA mov esp, ebp
0046E2AC pop ebp
0046E2AD retn


Then , after the bpx, you start a search, and you stop just before the loadstring call, just at this location on win 2k.
The String number pushed is 0xC49A, 50330 in decimal. Take a resource editor and look for this string, nothing inside...
Easy to guess, on the regged version, this string resource contains a flag, checked just before you start a search.

To see what happens next, p-ret twice, you land here :

0054C24B ; CODE:0054C204=18j
0054C24B lea edx, [ebp-0FCh]
0054C251 mov eax, [ebp-2Ch]
0054C254 call sub_4095B8
0054C259 mov edx, [ebp-0FCh]
0054C25F lea eax, [ebp-2Ch]
0054C262 call sub_403EDC
0054C267 mov edx, [ebp-2Ch]
0054C26A mov eax, ds:dword_5778B0
0054C26F call sub_4DA868
0054C274 call sub_46EDFC
0054C279 test al, al <- you are here
0054C27B jnz loc_54C31A
0054C281 mov eax, ds:dword_5778C0
0054C286 cmp byte ptr [eax+0Ch], 0
0054C28A jz short loc_54C2B4
0054C28C mov eax, ds:dword_5778C0
0054C291 mov edx, [eax]
0054C293 call dword ptr [edx+4]


The call 46edfc checks for the fake string inside the resource, not presentif your app is not registered into their server, then al contains 0 if so, the jz to 56eb06 is not taken and it shows the ads.

If you force the jz to jump, the ads will never be showed.
Final Notes
I usually don't like cracks, sauf for mere learning purposes, and ususally I would encourage readers to buy programs, but our patience is really tested by these guys, who take your money and at the same time spit on your faces with this awful banner autoshow feature. So I encourage you to create this patch and spread it with the keygen, until those guys remove the feature on the next version.

+Tsehp

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

Fravia+
You are deep inside fravia's searchlores.org
Petit image

(c) 2000: [fravia+], all rights reserved