(04 July 1997, slightly edited by Reverser)
Courtesy of Reverser's page of reverse engineering
Well, here it goes... another VERY interesting reverse engineering project! Are you not fed up
with having continuously to eliminate annoying cookies-requests from stupid commercial
ads and useless counters that pop unterminately up on every slow-loading, image-heavy
site of the Web? YES, we hate them! Therefore the first "amelioration" of Netscape,
proposed by ACP, is rightly dedicated to the extirpation of the cookies-evil weed,
apply it immediately to your copy of Netscape and Enjoy!
Welcome to my new project, PATCHING NETSCAPE!
by ACP, 04 July 1997
Why you ask?, COZ I WANT NETSCAPE TO WORK EXACTLY AS I WISH!
* I automatically assume you have knowlegde of Assembly, and some experience
in debugging Win32 Apps using WinICE.
IF NOT, STOP RIGHT THERE AND GO STUDY BASIC REVERSE ENGINEERING FIRST!
* Please ignore my lame english ;-]
* In this doc i will refer to (Netscape v3.0 GOLD), *ONLY*
but, if you read everything, and understand, you'll be able to patch
any version of Netscape YOURSELF!
* before patching, and in order for this patch to correctly work
you *MUST* enable the 'WARN BEFORE ACCEPTING A COOKIE' option.
in Options --> Network-Prefs --> Protocols
A. We want Netscape NOT TO ACCEPT COOKIES, NEVER... let's start:
- make sure you have WinICE ready and loaded
- make sure you have USER32.DLL loaded in WinICE's exports
- fire-up Netscape
- CTRL+D into WinICE,
- set a breakpoint on MessageBoxA
- exit WinICE's window.
B. Load the included HTML page, (netscape-patch.html) into Netscape.
WinICE should popup and you'll land smack inside the MessageBoxA Proc.
'P RET' *once!* and then press the 'CANCEL' button.
now, you're back in WinICE's window, keep 'P RET'ing back to Netscape until
you reach the following code:
Add ESP,8 <-- we land HERE after the last 'P RET' ! Test EAX,EAX JZ xxxxxxxx Now, you know that you're out of the "ConfirmCoockie()" function. C. All you have to do now, is applying some ZEN: scroll WinICE's code "window.class" tppabs="http://fravia.org/window.class" up, something like 3 lines of code... untill you'll reach the following code: 1. Call xxxxxxxx <-- this is some internal call, doesn't interest us! 2. Mov EAX,[EBP+xx] 3. Add ESP,8 <-- DO **NOT** skip this code line! 4. Push EAX <-- put a "JMP DO_NOT_SAVE_COOKIE" here. 5. Mov EAX,[ESP+xx] 6. Push EAX 7. Mov EAX,[EBP+xx] 8. Call [EBP+xx] <-- our "ConfirmCoockie()" call. 9. Add ESP,8 10. Test EAX,EAX 11. JZ DO_NOT_SAVE_COOKIE <-- jump out of the save coockie routine! .. ... Following code inside Netscape saves the coockies to disk and loads the cookies info into memory. After the ConfirmCookie() call, the error code returns in EAX. EAX="0" means that the user has pressed CANCEL! EAX="1" means that the user has pressed OKAY! *ONLY* after we did undestand this (which is simple), we can move to phase D. D. What do we do NEXT? Okay, now we need to SKIP the "ConfirmCookie()" call and SKIP the code that loads the cookies info into memory and saves the info to disk. We have therefore to patch NETSCAPE.EXE. Now, since we want Netscape to autokill all bloody cookies, we'll patch the code in memory (through winice) and test everything first, in order to see if we did everything OKAY, or if we have done some blunder. Only afterwards, once we have well checked everything, we're gonna patch physically the "real" EXE with an hexeditor. E. We're gonna patch Netscape in memory in order to "JMP" over the evil Call. Check now the code BEFORE the "ConfirmCookie()" call, please: HAve a look at line #3, which is (Add ESP,8) <-- VERY VERY IMPORTANT! at line #4 we'll insert (patch over) a jump out of the big routine. Why do we patch at line #4 (and not at line #3) you ask? Because if you patch at line #3 the StackPointer will not be incremented! You will therefore fuck up the following offset 'RET'(and your target is gonna jump crazy at the end of the routine, which is pretty bad... if you don't know how the 'RET' instruction works exactly, i suggest you learn it right now from Reverser:
F. Now we take a look at line #11 which is the jump out of the routine
in case the user pressed CANCEL.
we are going to jump from line #4 to the end of the routine.
at line #4, assemble with WinICE, 'JMP addr of --> DO_NOT_SAVE_COOKIE'
and that's IT!
Cookies will from now on be auto-killed, and the messagebox that annoyed
the user will not be shown anymore. Yet this was a "temporary" patch, in
fact we worked with Winice on our Netscape copy IN MEMORY, not on the
real program on our harddisk, duh?
I assume that you know how to write down the changes we have made to the
code above, in order to PERMANENTLY patch it, using an HexEditor (such
In case you can't handle it, here is the file offset and the original and
"new" byte info:
Make sure that your NETSCAPE.EXE file is EXACTLY -> 3164672 bytes long, this
patch would not work on other versions!
Comparing files netscape.exe and netscape.new
Offset Old New
00095788: 50 E9
00095789: 8B 74
0009578A: 44 20
0009578B: 24 00
0009578C: 3C 00
After this patch, your Netscape (3.0 GOLD) will auto kill cookies.
If you have another version, just adapt the instructions I gave you
with this essay.
Email me email@example.com any comments about this document.
C'ya later, ACP.
You are deep inside reverser's page of reverse engineering,
choose your way out:
Is reverse engineering legal?