RE learning Diary . 1__remove the pop-up adds of WinRar

原创 2016年08月29日 01:10:33
Sunday , August 28 , 2016
Dear Diary,

Since last month,I've been interested in ReverseEngineering(RE) and taught myself from the scratch.Now I have some progress and this is my first little challenge.
I installed WinRar from a website this morning.It works good however,every time I open it ,an adds window will pop up and I have to close it.So I tried and succeeded to remove the pop-up window with what I learnt.
Tools I used including IDA and Hiew.
First,I noticed that the pop-up window has title of "WinRaR".
So I loaded it with IDA and searched the string "WinRaR"(Serach->text).I find the "offset WindowName;' WinRaR ' ".Then I select the element "WindowName" and press X ,then I get a set of xfer to it.
Inspected into these Address,I find two most suspicious code blocks.
These two both call Windows API function"CreateWindowExW".Consulting the man pages I learnt that this function is used to create child windows like pop-up window.This is the very function I'm looking for.But,which of them pops adds?or both of them do the job?From the man pages we know that this function takes several parameters and the first one is dwExStyle which controls the extended style of the window.The two blocks differ on it.The former is 0 and the latter is 16.Due to the pop-up window is just a simple frame with a picture,I guess the zero one is what we wanted.
Since I alreay got the target,the next thing need to do is to invalid this code block.Several approaches may make sense here.I can either replace the call instruction with NOP or simply make a jump to pass this function.Then I opened the file in Hiew and GoTo(F5) the target address 004A17DC.First I tried to replace the call instruction with several NOPs(I made backup just in case)
Save with F9 and we can see what happen.I opened the edited winrar.exe.Oh no,The file stops working and raised exception.But good news is that this time there was no adds window poped up.
"Keep going,you almost succeeded",I told myself.Then I looked into the assembly code in IDA again and found something new.After the "CreateWindowExW" API it called some other APIs like "SetWindowPos".
After consulting the man pages I realized that these API also affected the pop-up window created by "CreateWindowExW".When I invalid the "Create" function,these functions cited a non-existent object and then,exception occurred. 
Figured out the question,I am supposed to make the solution.Thanks to the Graph view provided by IDA,I found that all the APIs related to the pop-up window started from loc_4A16E0 and terminated in loc_4A183C.
As is shown in the graph,there many conditional jumps like jz and jl.After some time of analysis,I find a route to avoid block loc_4A16E0.
All I need to do is to change the jz loc_4A183C on address 004A16DA to jmp loc_4A183C and the jnz short loc_4A16D8 on 004A16C0 to jmp short loc_4A16D8 and the   jz   short loc_4A16E0 on 004A16D6 to jmp short loc_4A16D8.

When this done,let's check our product.HAHA,the WinRaR started as expected without the pop-up adds window,I succeeded :D
This may be a piece of cake for you professional guys,but for me,it's the first and an important step,LOL.

Thx for Reading!:)



Android 显示 pop-up message

之前一直是使用的是 Toast 来给用户进行简短的通知,但是现在的趋势是使用 snackbar 来取代 Toast,我们来了解一下 snackbar 的 使用Snackbar 是在 Design Su...
  • qq_28057541
  • qq_28057541
  • 2016年07月30日 17:04
  • 387

VS2008、VS2010、VS2012添加Pop-up Menu组件

VS2008、VS2010、VS2012中没有Pop-up Menu组件,右键菜单需要手动添加: 添加方法如下: 1、选择相应的类,单文档时选中View类在属性中添加WM_CONTEXTMENU消息如...
  • h_wlyfw
  • h_wlyfw
  • 2014年03月05日 10:13
  • 3151

Learning English grow diary

1、Life is a chess game,while happiness is devotion! 2、Mature men don't look back the past and smart...
  • a578133380
  • a578133380
  • 2013年09月19日 08:46
  • 455

Spring Learning Diary

  • Jiakunboy
  • Jiakunboy
  • 2016年04月27日 19:26
  • 809

A browser pop-up bloker is detected.Please allow the pop-up for this site

在oracle官方网站上下载软件时,弹出一个对话框: 解决办法,请参考:
  • 2016年11月30日 13:12
  • 1057

Windows Server 2008 ADDS新增功能

概览: 将新的服务管理器与 ADDS 结合使用 在 Server Core 上运行域服务 只读域控制器 更改密码、备份和审计 Windows Server 2008 中的...
  • xuhuojun
  • xuhuojun
  • 2008年05月11日 10:51
  • 2180

【matlab】怎么记录和保存运行结果-diary 命令

  • Richard_Yang2016
  • Richard_Yang2016
  • 2016年06月30日 09:46
  • 1073

Journey :Diary, Journal(旅行日记)

每当我们去旅行时,总会遇见一些有趣的事、不一样的人、美好的风景等,这些事物不应该只存在你的脑海里,你还可以把它们记录下来并分享给你的朋友。Journey :Diary, Journal(旅行日记)帮助...
  • c1007726825
  • c1007726825
  • 2016年03月25日 17:10
  • 271


以下是ffmpege0.11.1源码中的一个函数,稍微做了点修改 注意:编译器我arm-linux-gcc4.4.1,其他的编译器请读者自行验证 static av_always_inline av_...
  • u010346967
  • u010346967
  • 2017年02月18日 16:17
  • 880

Joint Learning of Single-image and Cross-image Representations for Person Re-identification

人物识别可以用两种方法解决: (1)在单个图片上做识别,给出一个阈值,计算距离相似性,判断两张图片是否匹配。 (2)在多张图片上做分类,可以考虑为二分类的问题。由于两种方法各有优点,在这篇文章中,...
  • xufengchi
  • xufengchi
  • 2016年10月29日 09:06
  • 404
您举报文章:RE learning Diary . 1__remove the pop-up adds of WinRar