03 December 2013

Gametop.com Games without Gametop.com Redirection

I like this game library site; there are a dozen HQ free racing (my favorite genre) games for download. As we know, the games will launch your browser pointing to their site upon exiting. There seems to be no catch here, no suspicious parameter, etc.; it's simply an "open this URL" call, although googling for privacy concerns about these games returns a few comments from the security-paranoid.

Having a look with Dependency Walker, I believe ShellExecute is responsible for the call. I tried hex-editing it to another same-length function name from shell32.dll (e.g. CheckEscapes) and yeah, that's it.

EDIT:

Steps:
  1. Download and install a free hex editor: WXHexeditor / HexEditor or HxD;
    in this case I use HexEditor.
  2. Download the game, in this case Battle Rush.
  3. Browse to the Battle Rush executable and open it in HexEditor.
    [Screenshot: battle rush.exe]
  4. In HexEditor press Ctrl-H to bring up the Find and Replace dialog, find "ShellExecuteA", and for the replacement use "CheckEscapesA"; click Replace All. You'll be asked to turn off read-only mode; click OK.
    [Screenshot: Replace the function]
  5. A confirmation of the function being replaced will be shown like below. If not, it may be under another name, e.g. "ShellExecuteW" -> "CheckEscapesW"; just give it a try. You can now save the file. Try running it.
    [Screenshot: Confirmation]
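
The find-and-replace step above, as an added example (not code from the original post): a Python sketch that overwrites the name only where it is a complete NUL-terminated string and refuses a replacement of a different length, since a length change would shift every byte after it. The `SAMPLE` bytes and the function names `find_name`, `swap_name` and `patch` are constructed for illustration.

```python
# Added example: same-length name swap on an in-memory copy of a file.
# SAMPLE is constructed data, not bytes taken from a real game executable.
SAMPLE = (b"MZ" + b"\x00" * 6
          + b"\x1e\x01ShellExecuteA\x00"        # hint word + name, as in an import entry
          + b"\x00\x00ShellExecuteAndWait\x00"  # look-alike string that must survive
          + b"SHELL32.dll\x00")

SWAPS = [(b"ShellExecuteA", b"CheckEscapesA"),  # name pairs given in the post
         (b"ShellExecuteW", b"CheckEscapesW")]


def find_name(data: bytes, name: bytes) -> list[int]:
    """Offsets where `name` occurs as a complete NUL-terminated string."""
    needle = name + b"\x00"
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def swap_name(data: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """Overwrite each occurrence of `old` with `new`; refuse length changes."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    out = bytearray(data)
    hits = find_name(data, old)
    for off in hits:
        out[off:off + len(old)] = new
    return bytes(out), hits


def patch(data: bytes) -> tuple[bytes, dict[str, list[int]]]:
    """Apply both name variants from the post; report which offsets changed."""
    report = {}
    for old, new in SWAPS:
        data, hits = swap_name(data, old, new)
        if hits:
            report[old.decode()] = hits
    return data, report


if __name__ == "__main__":
    patched, report = patch(SAMPLE)
    print(report or "no matching name found")
```

Unlike the editor's Replace All, this leaves `ShellExecuteAndWait` alone because the match must end at a NUL byte; an empty report corresponds to the "it may be under another name" case in the steps.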

5 comments:

  1. This comment has been removed by the author.

  2. I tried it with desert hawk and received the error message "this app can't run on your pc". I am using win10 32bit.

  3. I've downloaded some games from gametop and used HxD and replaced "ShellExecuteA" with "CheckEscapesA" and it makes the game unplayable until I switch it back (had to run as administrator to edit).

    Replies
    1. Ah, I should know something like this is generally a trial-and-error process with luck. There might also be countermeasures from gametop as well. Realistic patching will need IDA Pro to understand it well. Sorry

  4. I finally caught it!
    Thank you very much ≧◡≦
