I need help with an odd delphi exe


james
September 11th, 2009, 22:18
Hi guys,

I suppose it goes without saying now, "be gentle, if I knew all about this I wouldn't be asking" (okay, next time I promise)

I'm having some trouble with a Borland Delphi 6-7 project.

Here's a screenshot of DeDe and OllyDBG to show my issues:
hxxp://i25.tinypic.com/34p147n.png - PEiD, we're dealing with delphi
hxxp://i29.tinypic.com/2hz3kle.png - Callstack and example of how it seems to be "extracting" (though I can't find proof of this)
hxxp://i31.tinypic.com/2rnhawn.png - DeDe (project doesn't seem to have any forms)
hxxp://i27.tinypic.com/rljcqp.png - DeDe (and barely any procedures...)

The idea is to remove a "nag"/license screen. The program takes keyfiles and they seem rather complex, so I'm trying to patch my way out of it. I can't seem to find a "valid" (R)VA from where the nag screen is called.

Attaching to the process when the nag screen is active doesn't help, I just end up deep in a system dll (which I of course won't be patching) and returning to the main module seems almost impossible (it will take forever to go through).

Anyone have ANY ideas or suggestions I can try out?


As I'm trying to obey the rules of the forum (and common sense) I'm not sure if I should reveal what application this is concerning - so please let me know if some part needs more elaboration!

Thanks, and best wishes

- James

james
September 11th, 2009, 22:21
Yikes, for some reason I can't change to hxxp? I apologize, but whenever I try editing it keeps writing tt after save.


I've found some things in ResHacker that suggest .NET is also used in the app. Maybe the delphi part is a loader for it? If so, can I "extract" the .NET part? (I've tried pulling the full exe file into (Red Gate's) .NET Reflector without any luck.)

D-Jester
September 11th, 2009, 22:39
Quote:
[Originally Posted by james;82926]
Attaching to the process when the nag screen is active doesn't help, i just end up deep in a system dll


You will always end up in ntdll when attaching to a process; press ALT+F9 and Olly will break when you are back in your executable or one of its DLLs (normally).

Judging by the call stack, I would look at 04053EF9

james
September 11th, 2009, 22:49
Thanks for the quick reply,

However, none of the offsets are reachable beforehand (as I tried to illustrate on the callstack far right).

And even if I keep running 'til return, I will of course always end AFTER where I want to break. It just doesn't seem reachable, so that's confusing me a lot, and the .NET part doesn't help either.

disavowed
September 11th, 2009, 23:10
The System_W* module is what's actually calling MessageBoxEx. You might want to take a look in there.

Kayaker
September 12th, 2009, 00:14
Quote:
[Originally Posted by james;82927]Yikes, for some reason I can't change to hxxp? I appologize, but whenever I try editing it keeps writing tt after save.


Heheh, we're just messing with your mind james. It's OK, that's by design since we already take care of direct links in forum scripting. And thanks for your common sense observation of the forum rules.

Kayaker

SiGiNT
September 12th, 2009, 01:18
After attaching, presumably there is no usable info in the stacks window. You could set a BP on access in the code section of your app in your memory window, then hit F9; presumably the nag will want you to press a button or something, and that should break right after the nag is generated. Presumably it's not the square drab gray Armadillo nag with a countdown. Yes, PE analyzers can lie to you, but that's a whole different story.

SiGiNT

Kurapica
September 12th, 2009, 09:17
Maybe you are dealing with the old version of .NET Reactor. It could be a wrapper for the .NET assembly; the wrapper is just a loader coded in delphi.
I can't confirm this unless you post the file here.
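SiGiNT's remark that PE analyzers can lie, and Kurapica's point that a native Delphi loader can carry a managed assembly inside it, both come down to the same triage check: an analyzer's signature match is not the same as reading the PE headers. The following is an added example (not code from this thread or from any tool named in it) that decides "managed or native" the way the Windows loader does, by looking at the CLR runtime header slot (data directory 14) in the optional header, and then repeats that check for every MZ/PE header found inside the blob, so that a native outer image wrapping a managed inner one is reported as such. The header-only PE images it builds are constructed test fixtures, not real binaries; the directory RVA/size values in them are placeholders.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot in the data directory


def pe_data_directory(data: bytes, index: int):
    """Return (rva, size) of data directory `index`, or None if `data` is not a valid PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte file header
    if opt + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+
        ndirs_off, dir_base = opt + 108, opt + 112
    else:
        return None
    if ndirs_off + 4 > len(data):
        return None
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if index >= ndirs:
        return (0, 0)           # directory slot not present: treated as empty
    off = dir_base + index * 8
    if off + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, off)


def is_managed(data: bytes) -> bool:
    """True only if the image carries a non-empty CLR runtime header (what the OS loader checks)."""
    d = pe_data_directory(data, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return d is not None and d[0] != 0 and d[1] != 0


def find_pe_headers(data: bytes):
    """Offsets of every MZ header whose e_lfanew points at a PE signature (outer image and payloads)."""
    found, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0:
            return found
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[hdr:hdr + 4] == b"PE\0\0":
                found.append(pos)
        pos += 2


def triage(data: bytes):
    """List of (offset, managed?) for each PE image in the blob; index 0 is the outer file."""
    return [(off, is_managed(data[off:])) for off in find_pe_headers(data)]


def build_minimal_pe(managed: bool, payload: bytes = b"") -> bytes:
    """Construct a header-only PE32 image (test fixture; not loadable, no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if managed:
        # placeholder RVA/size for the CLR header; real values depend on the binary
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + payload


if __name__ == "__main__":
    # constructed: native outer image with a managed image appended after 64 bytes of padding
    wrapper = build_minimal_pe(False, payload=b"\0" * 64 + build_minimal_pe(True))
    for off, managed in triage(wrapper):
        print(f"PE at offset {off:#x}: {'managed (.NET)' if managed else 'native'}")
```

The outer header is correctly reported as native, which is why a signature-based identifier stops at "Delphi"; only walking the embedded headers shows the managed image. Note that a real protector may compress or encrypt its payload, in which case no inner MZ/PE pair is visible on disk and the only reliable observation is of the running process.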

FrankRizzo
September 12th, 2009, 12:18
I think I would use something like LordPE, or similar, and dump the process at the point where the nag is up, and then look through it with IDA, or maybe Hex Workshop just to see what I could see.

james
September 12th, 2009, 21:53
All very good ideas, thank you so much guys.

Kurapica: I will let you know in PM (or is it allowed to say in a thread?)

Kurapica
September 13th, 2009, 06:39
I checked the file last night and my assumption was correct: it's a .NET assembly protected by an old version of .NET Reactor.

You can take a look at the code here:

http://img42.imageshack.us/img42/7832/shotf.png

james
September 13th, 2009, 09:43
That is great news, thanks Kurapica.

I hate to be a cheat, but I tried dumping with OllyDump and LordPE (which I admit I'm not very good at using). Both give me useless exes (and LordPE resulted in two 200KB files, one for the LordPE engine, one for IntelliDump). Could you perhaps point me in the right direction as to how I get a dump I can load in (Red Gate's) .NET Reflector (5.1.5.0)?

Kurapica
September 13th, 2009, 09:54
Watch this tutorial and you will learn how: http://portal.b-at-s.info/download.php?view.23

Good luck

james
September 13th, 2009, 11:10
Thanks, awesome tut!