In this case, Net Vampire...

"Program(s)" because you might be able to do the same techniques below to "fix" other once-infested spyware programs after using OptOut.

Heh, the main purpose of this whole tut is just to make you aware of Spyware. There is also a story :)

Excerpt taken from http://grc.com/optout.htm
Go there to read more about Spyware and OptOut

What is Spyware?

Spyware is ANY SOFTWARE which employs a user's Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.

Silent background use of an Internet "backchannel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use.

ANY SOFTWARE communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: Spyware.
I was going through the net one day and I saw that grc.com had a new program out called "OptOut". After going to the page of the program and reading through some things, I found out somethings I had not heard before. Fancyful tales of spyware programs and hidden agendas. I thought to myself wow, isn't that interesting. But, not once did I think that I would find that BULLSHIT on my computer. Alas, I was wrong. After running OptOut, I soon found that this Spyware was on MY computer! So, what did I do about it? I had OptOut get rid of it! And when OptOut does that, it states something to the effect of "After the spyware dlls are removed, the programs that use said Spyware dlls might not work correctly." So, I thought cool! Now I will know what programs were using that shit :) Days went by, until after a routine day of looking though the net, I found a nice big file to download.

So, I popped open "Net Vampire" and was just about to enter my download info, when BAMM! I get a message box stating "advert.dll not loaded". At last, I had found the program that was using the Spyware :)

The main problem though was that now I COULD'NT USE Net Vampire at all. All I got was a message box and then the program would call ExitProcess. That sucks, don't you agree? Now what to do about it? Well, what else: It is time to do some reversing :)

Well now, I don't really think you will LEARN much, if anything, from this. I must also say that I feel kind of weird writing this essay because it seems like this is just more like cracking than reversing, but whatever. I am just kind of telling a story here. But hey, if you learn something, THEN ALL THE BETTER :)

Well, here goes:

Tools used: I only used HIEW and my brain :)

Target: Net Vampire v3.3

Intention: My intention was to be able to use Net Vampire minus the Spyware bullshit.

Session:

I try not to use too many tools when they are not needed, as in this case.

First thing I did was to re-run the program(vampire.exe) to see what the exact message with the message box was. The message reads "Failed to load ADVERT.DLL". So that is all I needed to "fix" this program. Just that stupid-ass message.

All you have to do is run HIEW and pop in vampire.exe. Do a search through the exe for "Failed to load ADVERT.dll" and "advert.dll" by itself. Why look for "advert.dll"? The reason is that in order for vampire.exe to use that dll, it has to first be imported. And, it isn't in the file's import table, so it must imported via LoadLibrary or Getmodulehande, but I paid no attention to this while I was "fixing" vampire.exe.

Well I found the strings above at:
"Failed to load ADVERT.DLL" @ :004718AC
"advert.dll" @ :004718C4

So, hmm, what to do next? Easy, just hit f7(search) and look what instructions those locations are used in. REMEMBER to search for them by first reversing the addresses like so :004718AC should be searched for by looking for "AC184700" and :004718C4 by "C4184700". I found only two general locations in the whole file where these addresses were used. Look at the dissasemblies below:

:004715F4 55                      push ebp
:004715F5 8BEC                    mov ebp, esp
:004715F7 51                      push ecx
:004715F8 8945FC                  mov dword ptr [ebp-04], eax
:004715FB 68AC184700              push 004718AC
:00471600 E86348F9FF              Call 00405E68
:00471605 8B55FC                  mov edx, dword ptr [ebp-04]
:00471608 8982D8000000            mov dword ptr [edx+000000D8], eax
:0047160E 8B45FC                  mov eax, dword ptr [ebp-04]
:00471611 83B8D800000000          cmp dword ptr [eax+000000D8], 00000000
:00471618 7524                    jne 0047163E
:0047161A 6A00                    push 00000000
:0047161C 668B0DB8184700          mov cx, word ptr [004718B8]
:00471623 B201                    mov dl, 01
:00471625 B8C4184700              mov eax, 004718C4
:0047162A E8A1ECFCFF              call 004402D0
:0047162F A1A8C94A00              mov eax, dword ptr [004AC9A8]
:00471634 8B00                    mov eax, dword ptr [eax]
:00471636 E84506FCFF              call 00431C80
:0047163B 59                      pop ecx
:0047163C 5D                      pop ebp
:0047163D C3                      ret
Now, the first general location is dissasembled above. You can see that at address :004715FB, the code there has "AC184700" at it's end. So we know that that instruction is pushing "advert.dll" and if you look below many instructions you see that at address :00471625 the code there has "C4184700" at it's end, hmm, the location of "Failed to load ADVERT.DLL" :) Now, look just above a bit at address :00471618 and we see a "jne 0047163E" lets see, that would take us past the part where "Failed to..." is played with if the instruction above it wasn't equal. Why don't we just jump past that shit, What I did was change the jne to a jmp. I did this so I wouldn't be bothered again with that "Failed to ..." message.

Well, as I said before, there were two general locations. So lets find the next:
:004717C6 E8F545F9FF              Call 00405DC0
:004717CB 8B55FC                  mov edx, dword ptr [ebp-04]
:004717CE 898214010000            mov dword ptr [edx+00000114], eax
:004717D4 8B45FC                  mov eax, dword ptr [ebp-04]
:004717D7 83B8E000000000          cmp dword ptr [eax+000000E0], 00000000
:004717DE 0F84A4000000            je 00471888
:004717E4 8B45FC                  mov eax, dword ptr [ebp-04]
:004717E7 83B8E400000000          cmp dword ptr [eax+000000E4], 00000000
:004717EE 0F8494000000            je 00471888
:004717F4 8B45FC                  mov eax, dword ptr [ebp-04]
:004717F7 83B8E800000000          cmp dword ptr [eax+000000E8], 00000000
:004717FE 0F8484000000            je 00471888
:00471804 8B45FC                  mov eax, dword ptr [ebp-04]
:00471807 83B8EC00000000          cmp dword ptr [eax+000000EC], 00000000
:0047180E 7478                    je 00471888
:00471810 8B45FC                  mov eax, dword ptr [ebp-04]
:00471813 83B8F000000000          cmp dword ptr [eax+000000F0], 00000000
:0047181A 746C                    je 00471888
:0047181C 8B45FC                  mov eax, dword ptr [ebp-04]
:0047181F 83B8F400000000          cmp dword ptr [eax+000000F4], 00000000
:00471826 7460                    je 00471888
:00471828 8B45FC                  mov eax, dword ptr [ebp-04]
:0047182B 83B8F800000000          cmp dword ptr [eax+000000F8], 00000000
:00471832 7454                    je 00471888
:00471834 8B45FC                  mov eax, dword ptr [ebp-04]
:00471837 83B8FC00000000          cmp dword ptr [eax+000000FC], 00000000
:0047183E 7448                    je 00471888
:00471840 8B45FC                  mov eax, dword ptr [ebp-04]
:00471843 83B80001000000          cmp dword ptr [eax+00000100], 00000000
:0047184A 743C                    je 00471888
:0047184C 8B45FC                  mov eax, dword ptr [ebp-04]
:0047184F 83B80401000000          cmp dword ptr [eax+00000104], 00000000
:00471856 7430                    je 00471888
:00471858 8B45FC                  mov eax, dword ptr [ebp-04]
:0047185B 83B80801000000          cmp dword ptr [eax+00000108], 00000000
:00471862 7424                    je 00471888
:00471864 8B45FC                  mov eax, dword ptr [ebp-04]
:00471867 83B80C01000000          cmp dword ptr [eax+0000010C], 00000000
:0047186E 7418                    je 00471888
:00471870 8B45FC                  mov eax, dword ptr [ebp-04]
:00471873 83B81001000000          cmp dword ptr [eax+00000110], 00000000
:0047187A 740C                    je 00471888
:0047187C 8B45FC                  mov eax, dword ptr [ebp-04]
:0047187F 83B81401000000          cmp dword ptr [eax+00000114], 00000000
:00471886 7521                    jne 004718A9
:00471888 6A00                    push 00000000
:0047188A B8C4184700              mov eax, 004718C4
:0047188F 668B0DB8184700          mov cx, word ptr [004718B8]
:00471896 B201                    mov dl, 01
:00471898 E833EAFCFF              call 004402D0
:0047189D A1A8C94A00              mov eax, dword ptr [004AC9A8]
:004718A2 8B00                    mov eax, dword ptr [eax]
:004718A4 E8D703FCFF              call 00431C80
:004718A9 59                      pop ecx
:004718AA 5D                      pop ebp
:004718AB C3                      ret
What the fuck is all that noise? - You might say, but don't worry about it. Real easy, and annoying :) As you can see, HIEW has now taken us to address :0047188A where you see "C4184700"("Failed to...blah") at the end of that instruction. So now look at all those compares above, hmm, they all go to an address before the instruction that uses "Failed to...". But take a look at that last compare address at address :00471886. It is the only one that jumps past the "Failed.." message. So just goto the top compare address at :004717DE and make it "jmp" to the address that that last compare jumps to after the program has done all its checking bull,"004718A9". So at address :004717DE the instruction becomes "jmp 004718A9". Easy.

There folks, all done! - And not only does the program load correctly, but there is no longer any ads that pop up while using the program :)

Need I remind you to pay for this program if you wish to use it? Well, I think I just did. Although, it was kind of shitty of them putting that spyware shit in their program in the first place :)

Now you can rest knowing that there is no more Spyware in Net Vampire. haha

The Immortal Descendants 2000 and Forever.
program think