From: Kashif on 09/24/2003
Introduction
This target is heavily protected for a program that does not have to be registered. The goal of this tutorial is to remove the banner ads from the program. Our main executable, paltalk.exe, was the only file protected, and it was packed with WWPack32 v.1.00/1.11/1.12. It also had CRC error checking on itself and would announce corruption and quit working once modified.
The Essay
First things first: we have to identify why w32dasm keeps crashing whenever you try to disassemble the code. Let's use Un-pack; you can get it at protools or crackpl. Google it and you will find it. Run Un-pack, load paltalk, and it will tell you:
WWPack32 v.1.00/1.11/1.12
Then it is even nice enough to suggest to ya to use procdump, which we will!
Run procdump next: click Unpack, scroll down to WWPack32 II and choose paltalk. The unpacked copy grows from 544k to 1.48M. Now we can see the code guts in w32dasm.
Before we go any further though, run paltalk and sign in, etc.; you will see a banner ad across the bottom. Right-click on that banner and click Properties. You will see this:
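A packed image like the one that keeps crashing w32dasm can be recognised before unpacking by its byte entropy, since compressed data sits close to 8 bits per byte. The following Python sketch is an added example, not part of the original essay; it runs on constructed buffers rather than paltalk.exe, and the 4096-byte window, the 7.0 threshold and the 50% fraction are assumed values.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(image, window=4096, threshold=7.0):
    """Return [(offset, entropy)] for each full window at or above threshold."""
    hits = []
    last = max(len(image) - window, 0)  # a short buffer is one window
    for off in range(0, last + 1, window):
        h = shannon_entropy(image[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def looks_packed(image, window=4096, min_fraction=0.5):
    """True when at least min_fraction of the windows are high entropy."""
    total = max(len(image) // window, 1)
    return len(high_entropy_windows(image, window)) / total >= min_fraction


def make_samples():
    """Constructed stand-ins, not real program bytes."""
    rng = random.Random(2003)
    alphabet = bytes(range(0x40, 0x50))  # 16 byte values, about 4 bits/byte
    unpacked = bytes(rng.choices(alphabet, k=256 * 1024))
    stub = b"\x90" * 512  # stands in for a small loader stub
    packed = stub + zlib.compress(unpacked, 9)
    return unpacked, packed


if __name__ == "__main__":
    unpacked, packed = make_samples()
    for name, img in (("unpacked", unpacked), ("packed", packed)):
        print(f"{name:9s} size={len(img):7d} "
              f"entropy={shannon_entropy(img):.2f} packed={looks_packed(img)}")
```

High entropy flags compression or encryption in general, so a hit means the file needs a closer look, not that a specific packer was used.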
http://advertising.paltalk.com:8080/admedia/173x23/meta_scroll02.gif
If you go to that page you will see the banner in your browser. Keep this in mind for later!
Next, open the disassembled code in W32Dasm, click the SDRs (string data references) and scroll down. Our goal is to trash the banner, so look for http://advertising.paltalk.com and you will find this:
"HTTP/1.0"
"http:"
"http://161.58.192.192/bannerless.html" <-interesting?
"http://161.58.192.192/download/0.x/%d/aff_inst"
"http://161.58.192.192/permgrp_01.htm"
"http://advertising.paltalk.com/perl/groupBanne" <----------4 references
"http://advertising.paltalk.com/perl/mvBanner.p" <----------2 references
"http://advertising.paltalk.com/perl/pallistBan" <----------4 references
"http://advertising.paltalk.com/perl/pmBanner.p" <----------4 references
"http://advertising.paltalk.com/perl/searchBann" <----------2 references
"http://www.iconnecthere.com/about/eng/terms_an"
"http://www.paltalk.com/cgi-bin/framemaker.pl?u"
"http://www.paltalk.com/download/0.x/pal_instal"
"http://www.paltalk.com/l90.html?first_name=%s&"
"http://www.paltalk.com/location2.txt"
"http://www.paltalk.com/morpheusim.html"
"http://www.paltalk.com/palpass.html?email=%s&n"
I will save time by telling you that we would normally go through and check out each reference, but in this case there are 16 of them and I don't want to type them all out. However, the one we want is here: "http://advertising.paltalk.com/perl/pallistBan"
There are 4 places where this shows up. They are:
--------------------------------------------------------------------------------
:00433249 68E0565400 push 005456E0 (offset 33249)
* Possible StringData Ref from Data Obj ->"http://advertising.paltalk.com/perl/pallistBan"
->"ner.pl?%s&client=morpheus"
:0043324E 685C404C00 push 004C405C
---------------------------