aaraujo
May 3rd, 2013, 16:21
Hi Reversers,
I like security as a hobby and, not so often, I read about and play with a few simple KeyGen games, and I enjoy it.
Reversing and KeyGen are very interesting, but I'm a beginner and my questions are probably very dumb, but I will be very thankful if you could help me.
So far I have reversed simple keygen applications using techniques such as:
- Looking for text string references to find the interesting code area.
- Keygen fishing.
- And bypassing the IsDebuggerPresent check.
Yeah, I know, really basic stuff. Here is a video similar to what I do in general…
http://www.youtube.com/watch?v=tJY_Tv7o5bE
Just for learning, sometimes I try to reverse a few small and medium applications that I buy for Windows and that look like simple products without many protections.
This is software that I acquired 2 months ago, and the whole installation is around 50MB. One of the motivations to try to apply my basic knowledge here is that I like to see if what I learned in keygens really works in real life; my experience is that medium software is much harder, since keygens are very small and it is easy to find the routines that you want.
*** Just to keep it very clear, I have a license for this program and my intention is only to learn and increase my knowledge. Since I have no commercial intention to break it or create any damage, I will not disclose the application - I hope you understand. ***
OK, let's go. The application consists of one main executable (~33MB), 6 DLLs (very small ones, and some of them are libeay32.dll, etc.) and around 90 .xsd files (XML format). My first step was to try to identify the programming language used and whether a packer was present; please see the screenshots below:
[Attachment 2750]
[Attachment 2751]
It really appears to be developed in Delphi; I confirmed it with CFF. Also, there is no section that points to a packer, looking at the CFF information and EXE Information, and RDG also says it's clean. However, RDG found IsDebuggerPresent and pointed to a protection software, as you may see. However, I'm not sure if it's a false positive.
In my application the serial is entered in a field like this:
[Attachment 2752]
And once I enter a wrong serial number (30 chars long) I get a message like this:
[Attachment 2753]
I guess it's not a MessageBox, or at least it's a very custom one. For this kind of message, should I keep breakpoints at MessageBoxA, etc.? Or is there a different API?
Below is a screenshot from once I attach to the running application:
[Attachment 2754]
When I press "run" in OllyDbg, this is what I get:
Sorry guys, 5 images is the maximum allowed by this forum system.
http://img803.imageshack.us/img803/2025/06whenipressrun.png
Here is a list of the SEH chain:
http://img844.imageshack.us/img844/5811/07onceiopennedmodulesfe.png
Here are the "Windows" available, including the one that I would like to disassemble, examine and put a breakpoint on:
http://img6.imageshack.us/img6/1662/mabletoseetheexactlywin.png
However, it fails to debug; please see below:
http://img12.imageshack.us/img12/2602/09howeveritfailstodebug.png
Is it some kind of protection? How do I disable this part of the code, put breakpoints, etc.?
Looking at "Text String References" I'm able to see just partial messages and not the one displayed on my custom "MessageBox".
http://img855.imageshack.us/img855/4460/10textstringreferencedc.png
Also, there are many parts that look like a message that will be completed on the fly, for example "A chave informata esta", which means "The key entered is", or "Chave incorrecta n", which means "Wrong key at".
http://img5.imageshack.us/img5/3382/11ionlyseetextstringsre.png
Additionally, I noted that there are parts of the application where some texts are not stored as a "TextString"; instead I see "char by char" in sequence in OllyDbg, creating a few strings (also not very useful to me).
If I define a breakpoint in any of these TextStrings, this is what happens - an exception:
http://img546.imageshack.us/img546/2574/12onceisetupabreakpoing.png
Is it a protection? Any idea how to bypass it?
From here the only thing that I'm able to do is pass control to the application, and all is over.
Also, if I refuse to pass control to the application and I continue with F7/F8, I get something like this:
http://img577.imageshack.us/img577/1059/13withafewstepsanderror.png
It ends with an instruction not recognized by OllyDbg. Any idea?
I also tried to set breakpoints on Names from User32.dll such as GetDlgItemTextA and GetDlgItemTextW, since I believe they are the APIs used to read my entered serial number. The strange thing is that they are exported and not imported, as demonstrated below. Is that normal?
http://img822.imageshack.us/img822/6456/14settingbreakpointatge.png
Once I created the breakpoint and started stepping into, I got this exception again and I was forced to pass control to the application, and game over again.
http://img46.imageshack.us/img46/1970/15exceptionforcemetopas.png
I was thinking it could be some basic anti-debugging protections, so I enabled "aadp4olly" and "Olly Advanced" with many options, but it was unable to solve the issues, so I'm not so sure anymore about what the issue is.
All help and answers are very much appreciated, but please keep in mind that I'm a beginner.
Thanks.