J
JayMore
Hi,
Last night, I was very upset with all that popunders windows that apears
when I quit some websites.
So, I start to look for a radical way to stop those windows to pop.
And I find how to do that, without any proxy or any additional software.
The idea is very "hard core", because you have to patch Internet Explorer !
The trick is to block I.E. to execute the "onUnload" javascript function.
Here is, step by step, how i did this thing (work on NT4 / IE6.0, but should
work with any version)
(Read the full text before doing any change.)
The tools you need :
- a good Hexadecimal editor (HEdit from Yuri software, UltraEdit, ...).
- full admin access to your computer
- a backup of your harddisk is recommended
First, you must have a clean Administrator account, without any software
starting when you login (I.Explorer or any I.E dll must not have been
loaded).
Reboot in "safe mode" (under NT : VGA mode) to load the minima softwares.
Login with an administrator account, then search for the "mshtml.dll" file
(under NT, it is located in winnt\system32 folder).
Do a backup copy of this file (a CTRL-C / CTRL-V is enough)
Edit with your favorite Hexa editor this DLL.
Search for the following Hexa string:
6F 00 6E 00 75 00 6E 00 6C 00 6F 00 61 00 64
It is the string "onunload", with a \0 between each character (unicode
encoding).
On my system, it is located at offset 215840 (0x34B20). The mshtlm.dll file
is 2764800 bytes longs)
When you have found this string, remeber the offset of this string, and
replace the "onunload" characters by "omumload" (note the n replaced by m).
Save the patched DLL, and reboot.
No BSoD should apears .
Now, every javascript trying to trigger an "onUnload" event will failed,
because the onUnload trigger doesn't exist anymore. Instead, they should
call the "omUmload" function, but none knows .
Notes :
- has I explored the DLL, I found a "onBeforeUnload" javascript function (a
few bytes before onUnload), I havn't patched it, cause it works find for me.
- if you can'nt save or edit the DLL because it is used by another program,
you have to search a little how to replace a DLL in used (it is possible,
of course).
- the new name "omUmload" has been randomly choose. Choose whatever you
want, but do not erase bytes outside the "onuload" area.
- if you have a (good) antivirus program, it will warn you that the DLL has
change : of course it have change !
- if this trick doesn't work, replace the patched DLL by the saved one.
The patch has been successfully tested on NT4 Server SP6 french, IE
6.0.2600.0000 french, MSHTML.DLL 6.00.2722.900.
Feel free to copy/modify/correct this text.
By the way, "I am not responsible if you crash your computer, do it at your
own risk, educational purpose only etc...".
Jay More / July, 25th, 2003
(e-mail address removed)
oh no, it is hotmail.com, sorry.
Last night, I was very upset with all that popunders windows that apears
when I quit some websites.
So, I start to look for a radical way to stop those windows to pop.
And I find how to do that, without any proxy or any additional software.
The idea is very "hard core", because you have to patch Internet Explorer !
The trick is to block I.E. to execute the "onUnload" javascript function.
Here is, step by step, how i did this thing (work on NT4 / IE6.0, but should
work with any version)
(Read the full text before doing any change.)
The tools you need :
- a good Hexadecimal editor (HEdit from Yuri software, UltraEdit, ...).
- full admin access to your computer
- a backup of your harddisk is recommended
First, you must have a clean Administrator account, without any software
starting when you login (I.Explorer or any I.E dll must not have been
loaded).
Reboot in "safe mode" (under NT : VGA mode) to load the minima softwares.
Login with an administrator account, then search for the "mshtml.dll" file
(under NT, it is located in winnt\system32 folder).
Do a backup copy of this file (a CTRL-C / CTRL-V is enough)
Edit with your favorite Hexa editor this DLL.
Search for the following Hexa string:
6F 00 6E 00 75 00 6E 00 6C 00 6F 00 61 00 64
It is the string "onunload", with a \0 between each character (unicode
encoding).
On my system, it is located at offset 215840 (0x34B20). The mshtlm.dll file
is 2764800 bytes longs)
When you have found this string, remeber the offset of this string, and
replace the "onunload" characters by "omumload" (note the n replaced by m).
Save the patched DLL, and reboot.
No BSoD should apears
.Now, every javascript trying to trigger an "onUnload" event will failed,
because the onUnload trigger doesn't exist anymore. Instead, they should
call the "omUmload" function, but none knows
.Notes :
- has I explored the DLL, I found a "onBeforeUnload" javascript function (a
few bytes before onUnload), I havn't patched it, cause it works find for me.
- if you can'nt save or edit the DLL because it is used by another program,
you have to search a little how to replace a DLL in used
(it is possible,of course).
- the new name "omUmload" has been randomly choose. Choose whatever you
want, but do not erase bytes outside the "onuload" area.
- if you have a (good) antivirus program, it will warn you that the DLL has
change : of course it have change
!- if this trick doesn't work, replace the patched DLL by the saved one.
The patch has been successfully tested on NT4 Server SP6 french, IE
6.0.2600.0000 french, MSHTML.DLL 6.00.2722.900.
Feel free to copy/modify/correct this text.
By the way, "I am not responsible if you crash your computer, do it at your
own risk, educational purpose only etc...".
Jay More / July, 25th, 2003
(e-mail address removed)
oh no, it is hotmail.com, sorry.
