Keygen and Banner Removal - Newbie/Intermediate
Muad'Dib
June 26th, 2001, 01:05
Though I agree that keygenning is not the highest echelon of reverse engineering, I feel that it is important nonetheless. This project incorporates both a simple keygen (only a few [20-30] lines, I've done it and I'm a poor keygenner) and patching.
The Target:
HTML Encryptor v1.21
http://www.share2.com/htmlencr/download.htm
Upon running the program you will notice that there is a "GoldStone Software Group" banner at the top of the window. Adware, how annoying. Once a correct serial is found/generated and entered, and the program is restarted, the ad is still there. Either the author forgot to put removal code or he is greedy (I am thinking the latter...). The second challenge is to remove this banner and resize the window properly. I'm sure there are a few ways to do this, be creative.
In review, here are the challenges:
1. Create a working keygen for this program. (Don't worry, it's simple)
2. Remove the ad
3. If you want to do something extra, remove the "registration" tab upon complete registration.
I hope you enjoy this project, and maybe learn something from it. It shouldn't be too hard...
Kayaker
June 27th, 2001, 05:18
Hiyas,
Well I've been spending a bit of quality time with this one. The s/n routine is a classic Delphi serial sniff. I usually break into these with hmemcpy, F12 a few times and your name has been read in, then comes the s/n. Check out the contents of the registers (or the contents of the contents) before the calls and you can usually find your name and s/n being pushed without having to do bpm or bpr traces on them. After your name undergoes the keygen routine there's the classic Delphi EDI/ESI compare of good vs bad s/n.
As for the ad window, I dredged through the bloated code in and around the CreateWindowExA calls, used APISpy32 to get a listing, and WinShow to match the component names up with their hWnds. I found memory addresses holding the height and width of the ad window, traced them all over the place, and even did a couple of backtraces. Nowhere in all my tracing did I find anything that looked like there was an option built in to eliminate the ad window with a simple jump patch. So you're likely right, Muad'Dib, that the guy never coded this into his proggy.
Most of the components use the same window creation calls (GetClassInfoA, RegisterClassA, CreateWindowExA, SetWindowPos...), and I couldn't find a unique patch point for just the ad window. Then I thought about creating an inline patch which checked when the TPanel component which holds the ad window came up, and bypass its CreateWindowExA call.
But I did find an easier way to get rid of the ad window. To start with, it helps to know how Delphi programs are set up and how they look in a hex editor. There are several tuts at the main site that give some general insight if you haven't messed with Delphi too much. Start with
Delphi Reverse Engineering: Adding functionality to a Delphi program by +DaFixer
http://www.woodmann.net/fravia/dafix_t1.htm
and the refs he gives.
Exescope will recognize the unpacked file enough that you can look at the TMainForm RCData info and perhaps figure out a way to eliminate the ad window.
One annoyance is that DeDe doesn't disassemble the unpacked program (/dump, /pedump or Procdump -ed). I think that there's a Delphi Section format that it's expecting in order to recognize it properly. If you look closely at the dumped file in a hex editor you'll see the original PE header with the original sections (code, data, bss, idata, tls, rdata, reloc, rsrc) from before it was packed.
ResHacker might be a great tool for this as well because it allows you to modify Delphi component parameters and then recompile the script. Unfortunately it doesn't recognize the unpacked file either. I want to try replacing the Section header with the original and see if I can't get both DeDe and ResHacker recognizing the file. The problem with Delphi is that a lot of things are set runtime, so even if you modify say a Visible=True to Visible=False setting for a component, it defaults back to True at runtime.
Getting rid of the Registration tab is a stickler. I tried manually inserting a Visible or TabVisible qualifier into the resource but haven't had any luck. In Delphi it seems that specifying a 'Visible' entry in the component declarations makes it =False, NOT specifying it makes it default to =True. Mess around with some other Delphi apps and you may see what I mean. In any case, that's why I want to get ResHacker working, to see if it will help. If not, then I guess some convoluted inline patch is in order.
Let me know if anyone comes up with a method for getting rid of that &*^%#$! Registration tab.
Kayaker
Muad'Dib
June 27th, 2001, 23:25
I have been successful in removing the banner from the top of the window - as a hint, the TMainForm starts at 62A50 (raw offset). It only requires some simple editing, cut and pasting, and patching of 2 calls (to remove errors, you'll see what I mean...). In removing the tab after registration...hmm...this will be more difficult. I think that I can create a runtime patch to Check_If_Registered and then find and remove the tab. I'll post a message when I'm done with this part...If anyone needs help, feel free to ask...
Kayaker
June 28th, 2001, 21:07
Well, I got ResHacker to recognize the dumped file, and this really is a wonderful tool. Ad window and Registration tab gone like (snap of the fingers). The real challenge was convincing Reshacker to work and to rebuild the Import table afterwards so the proggy would run.
I d/l the latest ResHacker (3.28) which gives a message box that the resources in the file are corrupt when you select RCData/TMainForm. Exescope has no problems with this, but it doesn't do what Reshacker can. So I ran APISpy32 on Reshacker and paused it until I selected to view TMainForm. I found one API I could use to break into Reshacker: FindFirstFileA. (You can't use MessageBoxA with Delphi message boxes).
So I set a bp on FindFirstFileA (which is used to open a copy of the selected file from c:\windows\temp) and F12ed back and found this code:
:0049F056 837B0C00 CMP DWORD PTR [EBX+0C],00 ;starting address resource section
:0049F05A 751F JNZ 0049F07B ;should jump if section found
What is *supposed* to be in [EBX+0C] is the starting address of where Reshacker has stored in memory the resource section of the file you've opened. For some reason the dumped UPX file screws it up and it has 00 here instead of an address. It *is* in memory somewhere though, so you have to search for it and insert it into [EBX+0C].
The section it's looking for, which is consistent in all Delphi apps, starts with "TPF0". So I did a search in SoftIce with
s 30:0 L ffffffff "TPF0"
and found the section here:
0030:00CA9B50 30465054 614D5409 6F466E69 4D086D72 TPF0.TMainForm.M
0030:00CA9B60 466E6961 046D726F 7466654C 03011103 ainForm.Left....
0030:00CA9B70 03706F54 420B0087 6564726F 6F634972 Top....BorderIco
Then I just inserted the address 'CA9B50' in EBX+0C and Reshacker ran fine the rest of the way.
After this I changed the width and height of Panel2 (the Ad window) to be 0, added a TabVisible = False qualifier to the Registration tab, then recompiled the resource script and saved the file.
object Panel2: TPanel
Left = 0
Top = 0
Width = 417
Height = 60
object Registration: TTabSheet
Caption = 'Registration'
ImageIndex = 2
TabVisible = False
Now 1 problem remained, the program wouldn't run! This has to do with the way Reshacker saves the dumped file, not because of the changes I made. The Import table is moved around and the pointers are no longer valid. Sooo, the next step was to rebuild a valid Import table with Revirgin using the original dumped file and paste it on the end of the ResHacker modified file.
Note this use of Revirgin. It's not just for esoteric use in tracing redirected API's in selected protection schemes like Asprotect. I used it simply to build a complete new Import table from a working app that I could paste at a specific location in a new section, and changed the pointer in the PE header (@ PE+80h) to point to this new IT. Try it with regular notepad sometime.
This worked really well, if somewhat convoluted to accomplish, but it's not really an attack on the Delphi window creation code, it's just modifying the resources instead with a program designed to do that. (works for me though)
Kayaker
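The TPF0 resource Kayaker searched for in memory has a simple enough layout to parse. As an added example (not code from this thread, from HTML Encryptor, or from any of the tools named), here is a reader that walks a binary DFM tree and lists which components a form declares but hides; the sample form is constructed by hand to mirror the Panel2 and Registration objects quoted above, and its Left/Top values reproduce the bytes in the SoftIce dump.

```python
"""Reader for the binary Delphi form (DFM) layout in the SoftIce dump above: 'TPF0',
then nested objects <ClassName><ObjectName><props>NUL<children>NUL, each property
<Name><TValueType byte><data>. Added example, not code from HTML Encryptor or any tool."""
import struct

# TValueType tags written by Delphi's TWriter (the subset this form needs)
VA_INT8, VA_INT16, VA_INT32, VA_STRING, VA_IDENT, VA_FALSE, VA_TRUE = 2, 3, 4, 6, 7, 8, 9
_INT_FMT = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i"}

def _short(s: str) -> bytes:
    # Pascal ShortString: one length byte followed by the characters
    b = s.encode("latin-1")
    return bytes([len(b)]) + b

def _value(v) -> bytes:
    # encode a value with the narrowest tag, as TWriter does for integers
    if isinstance(v, bool):
        return bytes([VA_TRUE if v else VA_FALSE])
    if isinstance(v, int):
        tag = VA_INT8 if -128 <= v <= 127 else VA_INT16 if -32768 <= v <= 32767 else VA_INT32
        return bytes([tag]) + struct.pack(_INT_FMT[tag], v)
    return bytes([VA_STRING]) + _short(v)

def build_object(cls: str, name: str, props, children=()) -> bytes:
    # serialise one component and its children in TPF0 object layout
    out = _short(cls) + _short(name)
    for key, val in props:
        out += _short(key) + _value(val)
    # a zero length byte ends the property list, another ends the child list
    return out + b"\x00" + b"".join(children) + b"\x00"

def _read_short(buf: bytes, pos: int):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n

def _read_value(buf: bytes, pos: int):
    tag, pos = buf[pos], pos + 1
    if tag in _INT_FMT:
        fmt = _INT_FMT[tag]
        return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    if tag in (VA_STRING, VA_IDENT):    # captions, fsLight, OnClick handler names
        return _read_short(buf, pos)
    if tag in (VA_FALSE, VA_TRUE):
        return tag == VA_TRUE, pos
    raise ValueError(f"unsupported TValueType {tag} at offset {pos - 1}")

def _read_object(buf: bytes, pos: int):
    cls, pos = _read_short(buf, pos)
    name, pos = _read_short(buf, pos)
    props, children = {}, []
    while buf[pos] != 0:
        key, pos = _read_short(buf, pos)
        props[key], pos = _read_value(buf, pos)
    pos += 1
    while buf[pos] != 0:
        child, pos = _read_object(buf, pos)
        children.append(child)
    return {"class": cls, "name": name, "props": props, "children": children}, pos + 1

def parse_dfm(buf: bytes) -> dict:
    """Parse a binary DFM blob (the RCData/TMainForm resource) into a tree."""
    if buf[:4] != b"TPF0":
        raise ValueError("not a binary DFM resource: missing TPF0 signature")
    return _read_object(buf, 4)[0]

def hidden_components(form: dict) -> list:
    """Names of components declared but never shown: Visible/TabVisible False or zero size."""
    p = form["props"]
    hidden = (p.get("Visible") is False or p.get("TabVisible") is False
              or p.get("Width") == 0 or p.get("Height") == 0)
    found = [form["name"]] if hidden else []
    for child in form["children"]:
        found += hidden_components(child)
    return found

# Constructed sample; Left=273/Top=135 reproduce the dump bytes 03 11 01 / 03 87 00.
SAMPLE_FORM = b"TPF0" + build_object("TMainForm", "MainForm",
    [("Left", 273), ("Top", 135), ("Caption", "HTMLEncryptor 1.21")], children=[
    build_object("TPanel", "Panel2", [("Left", 0), ("Top", 0), ("Width", 417), ("Height", 60)]),
    build_object("TPageControl", "Main", [("Top", 60)], children=[
        build_object("TTabSheet", "Registration",
                     [("Caption", "Registration"), ("ImageIndex", 2), ("TabVisible", False)])])])
```

Real forms also use prefix flag bytes (values 0xF0 and up before a class name) and further value tags such as vaBinary and vaList, which this reader deliberately does not handle.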
LaptoniC
June 28th, 2001, 23:16
First of all, I appreciate you preparing this type of exercise for us. I have downloaded the program and keygenned it. Here is what I did and how I made it.
Removing Banner
---------------
Open the exe with Exescope and go to RCDATA/TMAINFORM. We are looking for our banner. I have found with Spy that its height is 60 and width is 417. So look for these values. object Panel2: TPanel is what we are looking for. Either change width and height to 1 or select it up to object OpenDG: TOpenDialog and cut them. You will see that the banner will go. You can also change the object Main: TPageControl Top behaviour and change the height of the main form. Removing the Register tab should be done with the same method but I haven't tried.
Keygen
------
Making a keygen is easy too. Unpack the program with the upx -d parameter or use Procdump. Disassemble with DeDe and look for suspicious code which has some * Reference to: controls.TControl.GetText(TControl):System.String; which is the Delphi function to get text from forms. TransparentButton8Click is our reg button on the form. Click on it and try to understand what is going on. However, it is hard to understand Delphi code because it is so bloated. It is better to use SoftICE to point at memory locations. Look for error messages. There is a call just before the error message and after this call there is a compare. So this call must be our keygen routine. You will also notice that it copies the 3rd char of the name and stores and uses this as a constant for the keygen. Sometimes it adds the 3rd and 4th char and stores this as the constant. Everything is clear now. Just copy-paste these routines to an ASM template and your keygen is ready to go. I made a keygen but I don't want to put up my source and break your fun. I will put it up after everybody has solved the problem or if any one of the moderators wants me to do so.
Best Regards,
LaptoniC
Ps: If you don't have any experience with Win32ASM and keygenning I suggest you download and read Shade's superb tutorial on http://snakepage.cjb.net
Kayaker
June 28th, 2001, 23:55
Sheeeittt!! Well the joke's on me ;p I never thought about using the upx -d command and whaddya know, it unpacks the file perfectly. Both Reshacker and DeDe recognize the unpacked file no problem! Makes sense I guess. The original structure of the file, including the PE header, Import table and even the file date, are restored. Guess I'm blinded by always dumping. Thanks for the lesson.
Regards,
Kayaker
Muad'Dib
June 29th, 2001, 01:24
Quote:
Kayaker (06-28-2001 21:55):
Sheeeittt!! Well the joke's on me ;p I never thought about using the upx -d command
I was going to say "I used upx -d and it worked fine..." but I guess I don't have to now, do I?
I removed the resources manually. It was a bit of a pain, but I got it - and I learned about Delphi form structure in the mean time. Maybe this knowledge will come in handy sometime.
qferret
June 29th, 2001, 22:58
hehe....I'm used to the older versions of UPX that don't support unpacking
NeO'X'QuiCk
June 30th, 2001, 04:07
Done!! The window name can be deleted after unpacking by Exescope like I did, or Resource Hacker!
You can also see it in DeDe:
00454B9F E8B0EFFAFF call 00403B54
00454BA4 83F804 cmp eax, +$04
00454BA7 7D09 jnl 00454BB2
00454BA9 C6059978450001 mov byte ptr [$457899], $01
00454BB0 EB55 jmp 00454C07
00454BB2 8B55F8 mov edx, [ebp-$08]
00454BB5 8B45FC mov eax, [ebp-$04]
|
00454BB8 E8BBECFFFF call 00453878
00454BBD A299784500 mov byte ptr [$457899], al
00454BC2 803D9978450000 cmp byte ptr [$457899], $00
00454BC9 7411 jz 00454BDC
* Possible String Reference to: 'HTMLEncryptor 1.21 -- UNREGISTER'
|
00454BCB BAC84C4500 mov edx, $00454CC8
* Possible reference to MainForm
|
00454BD0 A194784500 mov eax, dword ptr [$457894]
* Reference to: Controls.TControl.SetText(System.AnsiString)
|
00454BD5 E8DE2EFDFF call 00427AB8
00454BDA EB2B jmp 00454C07
* Possible String Reference to: 'HTMLEncryptor 1.21'
|
00454BDC BAF44C4500 mov edx, $00454CF4
For the keygen you just use SoftICE and a little tracing will do! Write the algo down and code it!
The best approach is to mix DeDe and SoftICE to get the result done!
NeO'X'QuiCk
NeO'X'QuiCk
June 30th, 2001, 04:24
And about the banner, you have the solution written already here, so find it and read it!
I would like to say good job to Muad'Dib, Kayaker, Rage and others for putting things into the project so they keep us busy!!
Keep up the good work so we will have fun while doing it.
NeO
Rage9
June 30th, 2001, 09:54
Hmmm, SoftICE isn't giving me anything I want. Haha. I break on hmemcpy as usual but it seems I only break on 3 program addresses, 421686, 428c78, and 42b473..... My guess (from just looking through W32Dasm and finding where the error message comes from and then going up and looking for some kind of call that returns something for the compare) is that the serial routine starts at 453878, I guess I could be wrong. Any help anyone?
-Brad
NeO'X'QuiCk
July 2nd, 2001, 05:57
Rage9, it's difficult to help if the solution is already written on the board!! Read from top to bottom, use the same tools as the guys in front of you and you will do it!
The solution is written up in my post... just read it..
NeO
Clandestiny
July 3rd, 2001, 22:51
Quote:
NeO'X'QuiCk (07-02-2001 03:57):
Rage9, it's difficult to help if the solution is already written on the board!! Read from top to bottom, use the same tools as the guys in front of you and you will do it!
The solution is written up in my post... just read it..
NeO
Hi Neo,
At the risk of sounding harsh... but why post a response to a query for help if you can't give constructive *help*?
Instructing Rage9 to "Read from top to bottom, use the same tools as the guys in front of you" is a statement of the obvious. I have little doubt that Rage9 had already read the above posts before asking for help. We are all in the process of learning and what is clear to one individual may be ambiguous to another. IMHO, wagging the finger and preaching RTFM on a project that may well have more than one solution is non-constructive and possibly discouraging.
Regards,
Clandestiny
Kayaker
July 4th, 2001, 00:47
Hi Rage9,
Maybe this will help. The funny thing about most Delphi apps with a reg box like this is that they all behave in pretty much the same manner. You can enter your information, set a bpx hmemcpy, and F12 out of the break until you reach program code.
You did this, but those addresses you reached 421686, 428c78, 42b473 are only the beginnings of getting back to the main call which retrieved the edit box text. The thing about Delphi is that it's terribly overbloated, so you need to step through a lot of useless code to find the good stuff. There are several of these short POP, POP, RET sequences that you need to continue F12ing back through. When you do reach the right area you'll recognize it immediately because there'll usually be a long sequence of regular code unbroken by RETs.
On returning from getting the text in the edit boxes you should see the length of the text in EAX. This doesn't really matter, but it's good to be able to recognize the register values being kicked around. It's handy to keep your name and s/n of different lengths for this reason.
Again with Delphi, the calls in the main thread handling a protection routine often seem to be spaced shortly apart, with only a few other code lines in between them. This makes it easy to check the contents of the registers being MOVed before the calls, so you can usually find your name and s/n being manipulated in there somewhere. Note that often your user info will be in the *contents* of the address in the registers, not pointed to directly, so use 'd *eax' or whatever. You can also set "watches" in Softice by setting something like INIT="ww 5; watch *eax; watch *edx;" in winice.dat. "ww 5" opens up the Watch window 5 lines long. This way you can often spot your name and s/n being moved around easily.
The more elegant way of attacking this than 'bruteforcing' with hmemcpy is to use a combination of Exescope and DeDe. You can often find a likely address to set a break on using DeDe and looking for string references. W32dasm is usually worthless for this because it doesn't pick up the majority of good string refs with Delphi. Under "Procedures" in DeDe you'll find all the Unit names and their Events. This is where you'll find the good stuff. To narrow down the search, use Exescope and peruse the listing under RCData/TMainForm. Search for "Registration" (the Tab title) and you'll find
object Registration: TTabSheet
Caption = 'Registration'
object TransparentButton8: TTransparentButton
Left = 222
Top = 189
Width = 86
Height = 27
Caption = 'OK'
FrameStyle = fsLight
OnClick = TransparentButton8Click
end
This tells you right off the bat that when you click the OK button the TransparentButton8Click procedure is carried out. Double click on the entry in DeDe and you've got your listing and any breakpoint address you want. The rest should be straightforward.
Hope this helps,
Kayaker
TO Clandestiny :
I didn't want to be harsh.. but sometimes before posting the message it would help to read all the posts again.. I am not some good expert at cracking but the solution written above and Kayaker's explanation is more than enough to get you in the right direction and start on the way... Because in cracking it is very important where you start; you can be looking for hours and hours but if you are not looking in the right place it is all for nothing...
But as I read, there are some hints on what to look for in DeDe, so I will put all the solution here from the board, not using the last post, ok:: Sorry Rage, it wasn't meant like that but it made me mad... Because most people don't even read the whole thing, they just post...
The solution, copied from the board:::
Kayaker
6. Re:Keygen and Banner Removal - Newbie/Intermediate
Sheeeittt!! Well the joke's on me I never thought about using the upx -d command and whaddya know, it unpacks the file perfectly. Both Reshacker and DeDe recognize the unpacked file no problem! Makes sense I guess. The original structure of the file, including the PE header, Import table and even the file date, are restored. Guess I'm blinded by always dumping. Thanks for the lesson.
Quote:
Kayaker (07-03-2001 22:47):
Hi Rage9,
Maybe this will help. The funny thing about most Delphi apps with a reg box like this is that they all behave in pretty much the same manner. You can enter your information, set a bpx hmemcpy, and F12 out of the break until you reach program code.
You did this, but those addresses you reached 421686, 428c78, 42b473 are only the beginnings of getting back to the main call which retrieved the edit box text. The thing about Delphi is that it's terribly overbloated, so you need to step through a lot of useless code to find the good stuff. There are several of these short POP, POP, RET sequences that you need to continue F12ing back through. When you do reach the right area you'll recognize it immediately because there'll usually be a long sequence of regular code unbroken by RETs.
On returning from getting the text in the edit boxes you should see the length of the text in EAX. This doesn't really matter, but it's good to be able to recognize the register values being kicked around. It's handy to keep your name and s/n of different lengths for this reason.
Again with Delphi, the calls in the main thread handling a protection routine often seem to be spaced shortly apart, with only a few other code lines in between them. This makes it easy to check the contents of the registers being MOVed before the calls, so you can usually find your name and s/n being manipulated in there somewhere. Note that often your user info will be in the *contents* of the address in the registers, not pointed to directly, so use 'd *eax' or whatever. You can also set "watches" in Softice by setting something like INIT="ww 5; watch *eax; watch *edx;" in winice.dat. "ww 5" opens up the Watch window 5 lines long. This way you can often spot your name and s/n being moved around easily.
The more elegant way of attacking this than 'bruteforcing' with hmemcpy is to use a combination of Exescope and DeDe. You can often find a likely address to set a break on using DeDe and looking for string references. W32dasm is usually worthless for this because it doesn't pick up the majority of good string refs with Delphi. Under "Procedures" in DeDe you'll find all the Unit names and their Events. This is where you'll find the good stuff. To narrow down the search, use Exescope and peruse the listing under RCData/TMainForm. Search for "Registration" (the Tab title) and you'll find
object Registration: TTabSheet
Caption = 'Registration'
object TransparentButton8: TTransparentButton
Left = 222
Top = 189
Width = 86
Height = 27
Caption = 'OK'
FrameStyle = fsLight
OnClick = TransparentButton8Click
end
This tells you right off the bat that when you click the OK button the TransparentButton8Click procedure is carried out. Double click on the entry in DeDe and you've got your listing and any breakpoint address you want. The rest should be straightforward.
Hope this helps,
Kayaker
Sorry, I copied the wrong part, but let's continue:
Next, unpacking done:
Banner:
I have been successful in removing the banner from the top of the window - as a hint, the TMainForm starts at 62A50 (raw offset). It only requires some simple editing, cut and pasting, and patching of 2 calls (to remove errors, you'll see what I mean...). In removing the tab after registration...hmm...this will be more difficult. I think that I can create a runtime patch to Check_If_Registered and then find and remove the tab. I'll post a message when I'm done with this part...If anyone needs help, feel free to ask...
--------------------------------------------------------------------------------
-Muad'Dib
muaddib(at)immortaldescendants(dot)org
KAy...
I d/l the latest ResHacker (3.28) which gives a message box that the resources in the file are corrupt when you select RCData/TMainForm. Exescope has no problems with this, but it doesn't do what Reshacker can. So I ran APISpy32 on Reshacker and paused it until I selected to view TMainForm. I found one API I could use to break into Reshacker: FindFirstFileA. (You can't use MessageBoxA with Delphi message boxes).
After this I changed the width and height of Panel2 (the Ad window) to be 0, added a TabVisible = False qualifier to the Registration tab, then recompiled the resource script and saved the file.
object Panel2: TPanel
Left = 0
Top = 0
Width = 417
Height = 60
object Registration: TTabSheet
Caption = 'Registration'
ImageIndex = 2
TabVisible = False
LaptoniC:
Removing Banner
---------------
Open the exe with Exescope and go to RCDATA/TMAINFORM. We are looking for our banner. I have found with Spy that its height is 60 and width is 417. So look for these values. object Panel2: TPanel is what we are looking for. Either change width and height to 1 or select it up to object OpenDG: TOpenDialog and cut them. You will see that the banner will go. You can also change the object Main: TPageControl Top behaviour and change the height of the main form. Removing the Register tab should be done with the same method but I haven't tried.
And so on.... I hope that you see my reason... because really it is all posted except the algo for the keygen, but I think that is something you must all do if you like to teach....
I apologize to Rage9
NeO
Kayaker
July 5th, 2001, 02:08
Hi Neo,
I'm not trying to turn this into a war of words, but there are 2 different issues here. Rage9's original question was re the *serial* routine, nothing more. You responded as if he had asked about removing the *banner*. He didn't. I know you're trying to help, and it is appreciated, but all your copy/pasting and suggestion to "Read from top to bottom, use the same tools as the guys in front of you" didn't address his question at all, because no one had covered the s/n routine yet.
As you yourself just said, "...sometimes before posting the message it would help to read all the posts again" ... "Because most people don't even read the whole thing, they just post..."
I'm sure no one is taking offense to any of this, we're all just trying to learn and have a bit of fun together.
Regards,
Kayaker
LaptoniC
July 19th, 2001, 15:48
Almost 1 month has passed. Should I post my source code of the kg?
Muad'Dib
July 20th, 2001, 11:30
Go right ahead.
LaptoniC
July 20th, 2001, 14:02
I have tried to comment all the code, however I am a newbie.
If you find any errors in the source please let me know. Thanks.
Sphinx
July 31st, 2001, 05:38
Hello all, I just started this project.
I found the routine and a working serial. I'm going to keygen it, no problem there, but for the other challenges I'm going to try it; changing code for the layout of a program and so on is new for me, but I think I can do it with the help that's already here.