First, use PEiD to check whether the program is packed. It is not packed, and it is a Delphi program, so open it with DeDe and analyze it. During the analysis, we need to work out how the advertisement is set or downloaded.
We start with the form resources of the main form, where we quickly find that the component used to play the advertisement is TWBS1.
The code is as follows:
object pnl3: TPanel
  Left = 244
  Top = 0
  Width = 470
  Height = 60
  Color = clWhite
  TabOrder = 0
  object TWBS1: TWebBrowser
    Left = -11
    Top = -17
    Width = 580
    Height = 193
    TabOrder = 0
    ControlData = {
      4C000000F23B0000F21300000000000000000000000000000000000000000000
      000000004C000000000000000000000001000000E0D057007335CF11AE690800
      2B2E126208000000000000004C0000000114020000000000C000000000000046
      8000000000000000000000000000000000000000000000000000000000000000
      00000000000000000100000000000000000000000000000000000000}
  end
end
Anyone who knows Delphi will quickly recall that this component usually sets the URL of the page to display through Navigate or Navigate2. For example:
procedure Navigate(const URL: WideString); overload;
We guess that Navigate is called either in the OnCreate of the main form or in the OnTimer of a TTimer component. So we go to the Procedures page in DeDe, select Unit1 (the unit of the main form), and find the FormCreate procedure, which corresponds to the OnCreate event.
The code is as follows:
00505F34   55      push    ebp
00505F35   8BEC    mov     ebp, esp
00505F37   6A00    push    $00
00505F39   6A00    push    $00
00505F3B   6A00    push    $00
00505F3D   53      push    ebx
00505F3E   56      push    esi
00505F3F   8BD8    mov     ebx, eax
00505F41   33C0    xor     eax, eax
00505F43   55      push    ebp
* Possible String Reference t publish success
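On a larger form, the manual check above (find the TWebBrowser, then decide which event handlers to read first) can be scripted. The following is an added example, not code from the original article or from DeDe: it walks a text-form DFM, lists embedded TWebBrowser components, and reports which methods are bound to events such as OnCreate and OnTimer. The enclosing form Form1, the timer tmr1, the handler tmr1Timer and the shortened ControlData in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: pnl3/TWBS1 mirror the form resource shown above; Form1,
# tmr1, tmr1Timer and the shortened ControlData blob are assumed placeholders.
SAMPLE_DFM = """\
object Form1: TForm1
  OnCreate = FormCreate
  object pnl3: TPanel
    Left = 244
    object TWBS1: TWebBrowser
      Left = -11
      ControlData = {
        0000000000000000}
    end
  end
  object tmr1: TTimer
    OnTimer = tmr1Timer
  end
end
"""

OBJ = re.compile(r"^(?:object|inherited|inline)\s+(\w+)\s*:\s*(\w+)")
EVENT = re.compile(r"^(On[A-Z]\w*)\s*=\s*([A-Za-z_]\w*)$")

def scan_dfm(text):
    """Return (components, handlers): [(path, class)], [(path, event, method)]."""
    stack, comps, handlers, in_blob, items = [], [], [], False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if in_blob:                       # inside binary data { ... }: skip
            in_blob = "}" not in line
            continue
        m = OBJ.match(line)
        if m:                             # nested component declaration
            stack.append(m.group(1))
            comps.append((".".join(stack), m.group(2)))
        elif line == "item":              # collection entry, closed by its own end
            items += 1
        elif line in ("end", "end>"):
            if items:
                items -= 1
            elif stack:
                stack.pop()
        elif re.search(r"=\s*\{", line) and "}" not in line:
            in_blob = True
        elif EVENT.match(line) and stack and not items:
            ev, method = EVENT.match(line).groups()
            handlers.append((".".join(stack), ev, method))
    return comps, handlers

def browser_controls(text):
    """Paths of every TWebBrowser in the form, e.g. Form1.pnl3.TWBS1."""
    return [path for path, cls in scan_dfm(text)[0] if cls == "TWebBrowser"]
```

The handler names it reports (FormCreate, and any OnTimer method) are the procedures to open first in the disassembly when looking for the Navigate call.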