Xunlei 5.0.0.72 advertisement strip removal tutorial

Ad removal principle:

Here, of course, the middlebeer method MoveWindow (hwndChild, true) is used );
The advertisement bar class is TGradualPanel.

Ad Analysis
1. peidcheck main program: thunder.exe, no shell, Borland Delphi 6.0-7.0 compilation.

2. Use ollydbg to load Thunder.exe and then run the breakpoint bpx ShowWindow

00495474. 50 push eax
00495475. 8B45 FC mov eax, dword ptr ss: [ebp-4]
00495478. E8 F38DFEFF call Thunder1.0047E270
0049547D. 50 push eax; | hWnd is disconnected under this
0049547E. E8 6123F7FF call; ShowWindow
00495483. E9 05010000 jmp Thunder1.0049558D
00495488> 33C0 xor eax, eax

Change the code above
00495478. E8 F38DFEFF call Thunder.0047E270
0049547D. 50 push eax
0049547E E9 AD9F0900 jmp Thunder.0052F430 ---> no code
00495483. E9 05010000 jmp Thunder.0049558D

Add our code in 52f430
---------------
Note that when calling a function, it cannot be directly compiled in ollydbg. In this way, problems may occur in different operating systems.
Here we press Ctrl + N to find the function we want to call in the open form. (if not, we need to use lordpe in the original program.
Add the input table of the function to be called), select it, and press enter, as shown in the following figure.

Address disassembly comments
00406ED4 jmp dword ptr ds: [<& kernel32.LoadLibrary kernel32.LoadLibraryA --> press Enter here to go to the following

00406ED4 $-FF25 68535300 jmp dword ptr ds: [<& kernel32.LoadL>; kernel32.LoadLibraryA
Call 00406ED4 if we want to call LoadLibraryA!

----------------------------->
0052F430 68 68F45200 push Thunder.0052F468; ASCII "w. dll"
0052F435 E8 9A7AEDFF call
0052F43A 83F8 00 cmp eax, 0
0052F43D 74 11 je short Thunder.0052F450
0052F43F 68 60F45200 push Thunder.0052F460; ASCII "move"
0052F444 50 push eax
0052F445 E8 E21EEDFF call
0052F44A 3E: FF3424 push dword ptr ds: [esp]
0052F44E FFD0 call eax
0052F450 E8 8F83EDFF call
0052F455 ^ E9 2960F6FF jmp Thunder.00495483
0052F45A 90 nop

The following is the binary code of the above Code.

68 68 F4 52 00 E8 9A 7A ed ff 83 F8 00 74 11 68 60 F4 52 00 50 E8 E2 1E ed ff 3E FF 34 24 FF D0
E8 8F 83 ed ff E9 29 60 F6 FF 90 6C 00 00 00 00 6D 6F 76 65 00 00 00 00 77 2E 64 6C 6C 00 00 00

The following is the original w. dll Code w. cpp:
----------------------------------------------------------
# Include
# Pragma comment (linker, "/ENTRY: EntryPoint ")
// # Pragma comment (linker, "/ALIGN: 0x400 ")
Int a = 0;
Int apientry move (HWND );
Bool callback EnumChildProc (HWND, LPARAM );
BOOL EntryPoint ()
{
Return 1;
}
Int apientry move (HWND handle)
{
Char c [100];
Getclasssname (handle, c, 100 );
If (strcmp (c, "TfrmMain") = 0) // if the input handle is in the main window, list the child forms.
{
EnumChildWindows (handle, EnumChildProc, NULL );
}
Return 0;
}
Bool callback EnumChildProc (HWND hwndChild, LPARAM lParam)
{
Static int a = 0;
Char cl [100];
GetClassName (hwndChild, cl, 100 );
If (strcmp (cl