 
some reversing questions
radaremt
November 2nd, 2000, 12:01
Hi all,
OK, I am working on trying to crack Abacus Pub's Flight Sim Design Studio.
I have tried to reverse it with SoftICE, IDA and W32Dasm. I believe this program is in Delphi, but DeDe will not decompile it...
I have found the core of the serial check - a friend who is more advanced at cracking than me tried it - and finally got it to install, but only in demo mode..... E-mail me at swflatrunking@hotmail.com and I can provide the source code I have.
Exported fn(): SerialCheck - Ord:0001h
:0040C450 55                      push ebp
:0040C451 8BEC                    mov ebp, esp
:0040C453 8B4514                  mov eax, dword ptr [ebp+14]
:0040C456 50                      push eax
:0040C457 E850000000              call 0040C4AC
:0040C45C 84C0                    test al, al
:0040C45E 7404                    je 0040C464
:0040C460 B064                    mov al, 64
:0040C462 EB15                    jmp 0040C479
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C45E(C)
|
:0040C464 6A30                    push 00000030
* Possible StringData Ref from Code Obj ->"SERIAL NUMBER ERROR"
                                  |
:0040C466 6880C44000              push 0040C480
* Possible StringData Ref from Code Obj ->"Invalid Serial Number"
                                  |
:0040C46B 6894C44000              push 0040C494
:0040C470 6A00                    push 00000000
* Reference To: user32.MessageBoxA, Ord:0000h
                                
If anyone can assist me in this, it would be appreciated, and you can take the credit for the crack when it is complete.
Also, I can provide dumps from SoftICE, W32Dasm, and IDA if needed.
Thanks
Jason
goatass
November 2nd, 2000, 14:24
Hey there, going by the only thing you provided, it looks like:
:0040C453 8B4514 mov eax, dword ptr [ebp+14]  <--moving your serial to EAX
:0040C456 50 push eax  
:0040C457 E850000000 call 0040C4AC   <--the actual CALL that checks serial
:0040C45C 84C0 test al, al  <-- AL must be 1 if it's 0 it will jump to the error box
:0040C45E 7404 je 0040C464
:0040C460 B064 mov al, 64   <--some flag maybe
:0040C462 EB15 jmp 0040C479   <-- jump past the error box, maybe a good place
The 0040C457 E850000000 call 0040C4AC is the one place you should focus on. It could be that it's generating a real serial in there, or maybe just checking the length of the serial. If you could provide some code from within that CALL, it would be easier to see what it does.
Just make sure that the je 0040C464 never executes; this way you won't get the error message box. I don't know what the program does after that since you didn't include the code, but that flag (MOV al, 64) looks like it has something to do with it.
Another thing: try using IDA to disassemble the program. It provides much more information about functions that could be of great help.
Hope that helped.
goatass
radaremt
November 2nd, 2000, 14:46
OK, here is the code for that call. See the next reply for something I did.
* Referenced by a CALL at Address:
|:0040C457   
|
:0040C4AC 55                      push ebp
:0040C4AD 8BEC                    mov ebp, esp
:0040C4AF 33C9                    xor ecx, ecx
:0040C4B1 51                      push ecx
:0040C4B2 51                      push ecx
:0040C4B3 51                      push ecx
:0040C4B4 51                      push ecx
:0040C4B5 53                      push ebx
:0040C4B6 33C0                    xor eax, eax
:0040C4B8 55                      push ebp
:0040C4B9 68BCC54000              push 0040C5BC
:0040C4BE 64FF30                  push dword ptr fs:[eax]
:0040C4C1 648920                  mov dword ptr fs:[eax], esp
:0040C4C4 8D45F0                  lea eax, dword ptr [ebp-10]
:0040C4C7 8B5508                  mov edx, dword ptr [ebp+08]
:0040C4CA E8ED6EFFFF              call 004033BC
:0040C4CF 8B45F0                  mov eax, dword ptr [ebp-10]
:0040C4D2 8D55F4                  lea edx, dword ptr [ebp-0C]
:0040C4D5 E84A9DFFFF              call 00406224
:0040C4DA 8B45F4                  mov eax, dword ptr [ebp-0C]
:0040C4DD 8D55F8                  lea edx, dword ptr [ebp-08]
:0040C4E0 E8079EFFFF              call 004062EC
:0040C4E5 8B45F8                  mov eax, dword ptr [ebp-08]
:0040C4E8 50                      push eax
:0040C4E9 E8FA000000              call 0040C5E8
:0040C4EE 84C0                    test al, al
:0040C4F0 7516                    jne 0040C508
:0040C4F2 8B45F8                  mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"DEMO"
                                  |
:0040C4F5 BAD4C54000              mov edx, 0040C5D4
:0040C4FA E87170FFFF              call 00403570
:0040C4FF 7407                    je 0040C508
:0040C501 33DB                    xor ebx, ebx
:0040C503 E999000000              jmp 0040C5A1
I have the entire source code as a text file.
radaremt
November 2nd, 2000, 14:52
OK, I did some changes to the code but got it to install only in demo mode, so I have to figure out how to bypass that call.
Exported fn(): SerialCheck - Ord:0001h
:0040C450 55                      push ebp
:0040C451 8BEC                    mov ebp, esp
:0040C453 8B4514                  mov eax, dword ptr [ebp+14]
:0040C456 50                      push eax
:0040C457 E850000000              call 0040C4AC
:0040C45C 84C0                    test al, al
:0040C45E 7404                    je 0040C464 
**** Changed to je 0040c479*******
:0040C460 B064                    mov al, 64
:0040C462 EB15                    jmp 0040C479
And this is the jump:
:0040C47D 000000                  BYTE  3 DUP(0)
:0040C480 53                      push ebx
:0040C481 45                      inc ebp
:0040C482 52                      push edx
:0040C483 49                      dec ecx
:0040C484 41                      inc ecx
:0040C485 4C                      dec esp
:0040C486 204E55                  and byte ptr [esi+55], cl
:0040C489 4D                      dec ebp
:0040C48A 42                      inc edx
:0040C48B 45                      inc ebp
:0040C48C 52                      push edx
:0040C48D 204552                  and byte ptr [ebp+52], al
:0040C490 52                      push edx
:0040C491 4F                      dec edi
:0040C492 52                      push edx
:0040C493 00496E                  add byte ptr [ecx+6E], cl
:0040C496 7661                    jbe 0040C4F9
:0040C498 6C                      insb
:0040C499 6964205365726961        imul esp, dword ptr [eax+53], 61697265
:0040C4A1 6C                      insb
:0040C4A2 204E75                  and byte ptr [esi+75], cl
:0040C4A5 6D                      insd
:0040C4A6 626572                  bound esp, dword ptr [ebp+72]
:0040C4A9 000000                  BYTE  3 DUP(0)
radaremt
November 2nd, 2000, 15:08
Here is the code for IDA:
0040C450 ; Exported entry   1. SerialCheck
0040C450 
0040C450 ; =============== S U B R O U T I N E =======================================
0040C450 
0040C450 ; Attributes: bp-based frame
0040C450 
0040C450                 public SerialCheck
0040C450 SerialCheck     proc near
0040C450 
0040C450 arg_C           = dword ptr  14h
0040C450 
0040C450                 push    ebp
0040C451                 mov     ebp, esp
0040C453                 mov     eax, [ebp+arg_C]
0040C456                 push    eax
0040C457                 call    sub_40C4AC
0040C45C                 test    al, al
0040C45E                 jz      short loc_40C464
0040C460                 mov     al, 64h
0040C462                 jmp     short loc_40C479
0040C464 ; ---------------------------------------------------------------------------
0040C464 
0040C464 loc_40C464:                             ; CODE XREF: SerialCheck+Ej
0040C464                 push    30h
0040C466                 push    offset dword_40C480
0040C46B                 push    offset dword_40C494
0040C470                 push    0
0040C472                 call    j_MessageBoxA_0
0040C477                 xor     eax, eax
0040C479 
0040C479 loc_40C479:                             ; CODE XREF: SerialCheck+12j
0040C479                 pop     ebp
0040C47A                 retn    14h
0040C47A SerialCheck     endp ; sp = -14h
0040C47A 
0040C47A ; ---------------------------------------------------------------------------
0040C47D                 align 4
0040C480 dword_40C480    dd 49524553h, 4E204C41h, 45424D55h, 52452052h, 524F52h
0040C480                                         ; DATA XREF: SerialCheck+16o
0040C494 dword_40C494    dd 61766E49h, 2064696Ch, 69726553h, 4E206C61h, 65626D75h
0040C494                                         ; DATA XREF: SerialCheck+1Bo
0040C494                 dd 72h
0040C4AC 
0040C4AC ; =============== S U B R O U T I N E =======================================
0040C4AC 
0040C4AC ; Attributes: bp-based frame
0040C4AC 
0040C4AC sub_40C4AC      proc near               ; CODE XREF: SerialCheck+7p
0040C4AC 
0040C4AC var_10          = dword ptr -10h
0040C4AC var_C           = dword ptr -0Ch
0040C4AC var_8           = dword ptr -8
0040C4AC var_4           = dword ptr -4
0040C4AC arg_0           = dword ptr  8
0040C4AC 
0040C4AC                 push    ebp
0040C4AD                 mov     ebp, esp
0040C4AF                 xor     ecx, ecx
0040C4B1                 push    ecx
0040C4B2                 push    ecx
0040C4B3                 push    ecx
0040C4B4                 push    ecx
0040C4B5                 push    ebx
0040C4B6                 xor     eax, eax
0040C4B8                 push    ebp
0040C4B9                 push    offset loc_40C5BC
0040C4BE                 push    dword ptr fs:[eax]
0040C4C1                 mov     fs:[eax], esp
0040C4C4                 lea     eax, [ebp+var_10]
0040C4C7                 mov     edx, [ebp+arg_0]
0040C4CA                 call    unknown_libname_25
0040C4CF                 mov     eax, [ebp+var_10]
0040C4D2                 lea     edx, [ebp+var_C]
0040C4D5                 call    sub_406224
0040C4DA                 mov     eax, [ebp+var_C]
0040C4DD                 lea     edx, [ebp+var_8]
0040C4E0                 call    sub_4062EC
0040C4E5                 mov     eax, [ebp+var_8]
0040C4E8                 push    eax
0040C4E9                 call    sub_40C5E8
0040C4EE                 test    al, al
0040C4F0                 jnz     short loc_40C508
0040C4F2                 mov     eax, [ebp+var_8]
0040C4F5                 mov     edx, offset _str_DEMO.Text
0040C4FA                 call    @System@@LStrCmp$qqrv ; System __linkproc__ LStrCmp(void)
0040C4FF                 jz      short loc_40C508
0040C501                 xor     ebx, ebx
0040C503                 jmp     loc_40C5A1
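The two listings in this thread show the same 44 bytes at 0040C480 in different forms: IDA marks them as data (the `align 4` followed by `dd` directives with little-endian dwords), while W32Dasm decoded those same bytes as instructions, which is why the block radaremt called "the jump" reads as a meaningless run of `push`, `inc` and `and`. The following Python script is an added example, not code from the thread; it recovers the ASCII strings from either listing and checks that both tools describe the same bytes. The two listings embedded in it are copied from the posts above and labelled as constructed sample input, and the two regular expressions assume the column layout shown there.

```python
import re
import struct

# Constructed sample input: the IDA data lines for the two error strings, copied from the
# listing posted in the thread (dword_40C480 and dword_40C494, including the trailing "dd 72h").
IDA_LISTING = """
0040C480 dword_40C480    dd 49524553h, 4E204C41h, 45424D55h, 52452052h, 524F52h
0040C480                                         ; DATA XREF: SerialCheck+16o
0040C494 dword_40C494    dd 61766E49h, 2064696Ch, 69726553h, 4E206C61h, 65626D75h
0040C494                                         ; DATA XREF: SerialCheck+1Bo
0040C494                 dd 72h
"""

# Constructed sample input: the W32Dasm lines from 0040C480 onward that the thread calls
# "the jump". W32Dasm decoded the bytes as instructions; only the opcode column is used here.
W32DASM_LISTING = """
:0040C480 53                      push ebx
:0040C481 45                      inc ebp
:0040C482 52                      push edx
:0040C483 49                      dec ecx
:0040C484 41                      inc ecx
:0040C485 4C                      dec esp
:0040C486 204E55                  and byte ptr [esi+55], cl
:0040C489 4D                      dec ebp
:0040C48A 42                      inc edx
:0040C48B 45                      inc ebp
:0040C48C 52                      push edx
:0040C48D 204552                  and byte ptr [ebp+52], al
:0040C490 52                      push edx
:0040C491 4F                      dec edi
:0040C492 52                      push edx
:0040C493 00496E                  add byte ptr [ecx+6E], cl
:0040C496 7661                    jbe 0040C4F9
:0040C498 6C                      insb
:0040C499 6964205365726961        imul esp, dword ptr [eax+53], 61697265
:0040C4A1 6C                      insb
:0040C4A2 204E75                  and byte ptr [esi+75], cl
:0040C4A5 6D                      insd
:0040C4A6 626572                  bound esp, dword ptr [ebp+72]
:0040C4A9 000000                  BYTE  3 DUP(0)
"""

# IDA line: "<addr> [<label>] dd <v1>h, <v2>h, ..."   (assumed column layout)
DD_RE = re.compile(r'^\s*[0-9A-Fa-f]{8}\s+(?:\S+\s+)?dd\s+(.*)$')
# W32Dasm line: ":<addr> <opcode bytes> <mnemonic ...>"  (assumed column layout)
W32_RE = re.compile(r'^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s')


def ida_data_bytes(listing: str) -> bytes:
    """Concatenate the little-endian dwords from every `dd` directive, in listing order."""
    out = bytearray()
    for line in listing.splitlines():
        m = DD_RE.match(line)
        if not m:
            continue
        for tok in m.group(1).split(';')[0].split(','):
            tok = tok.strip()
            if tok.endswith(('h', 'H')):
                tok = tok[:-1]
            out += struct.pack('<I', int(tok, 16))   # IDA's dd is a 4-byte little-endian word
    return bytes(out)


def w32dasm_code_bytes(listing: str) -> bytes:
    """Reassemble the raw bytes from W32Dasm's opcode column, ordered by address."""
    rows = []
    for line in listing.splitlines():
        m = W32_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    rows.sort()
    return b''.join(chunk for _, chunk in rows)


def c_strings(data: bytes) -> list:
    """Split a byte blob on NUL terminators and return the non-empty ASCII strings."""
    return [chunk.decode('ascii') for chunk in data.split(b'\0') if chunk]


if __name__ == "__main__":
    ida = ida_data_bytes(IDA_LISTING)
    w32 = w32dasm_code_bytes(W32DASM_LISTING)
    print("IDA dd data     :", c_strings(ida))
    print("W32Dasm opcodes :", c_strings(w32))
    print("same bytes      :", ida == w32)
```

Both paths yield "SERIAL NUMBER ERROR" and "Invalid Serial Number", the two strings that W32Dasm's string references at 0040C466 and 0040C46B already point to; seeing the same bytes produce a sensible result only when treated as data is the quickest way to tell that a region a disassembler rendered as code is really a string table.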
goatass
November 2nd, 2000, 18:18
OK, that's a lot of code.

The change you made is wrong because you skipped the MOV EAX,64, which, like I said, is some kind of flag, so this is how to fix that problem:
:0040C457 E850000000 call 0040C4AC
:0040C45C 84C0 test al, al
:0040C45E 90 nop
:0040C45F 90 nop
:0040C460 B064 mov al, 64
:0040C462 EB15 jmp 0040C479
Here is another place to look at. As you can see from looking in IDA, this call is a compare: call @System@@LStrCmp$qqrv ; System __linkproc__ LStrCmp
0040C4E8 push eax
0040C4E9 call sub_40C5E8  <--don't know but if return 1 it's good
0040C4EE test al, al
0040C4F0 jnz short loc_40C508  <--bad jump (maybe)
0040C4F2 mov eax, [ebp+var_8]  <-- your serial maybe ?
0040C4F5 mov edx, offset _str_DEMO.Text  <--checks if you entered DEMO ?
0040C4FA call @System@@LStrCmp$qqrv ; System __linkproc__ LStrCmp(void)
0040C4FF jz short loc_40C508  <--did you enter DEMO as serial ? bad jump
0040C501 xor ebx, ebx
0040C503 jmp loc_40C5A1  <-- probably a good jump
Check out what all the CALLs above this code do, and check out all the stuff being pushed to these CALLs. Do a: d eax or d *eax to see what the registers hold every time they go into and come out of a CALL.
If you want a JZ or JNZ to NOT execute, just NOP (90) it out so the program will proceed normally.
goatass
?ferret
November 2nd, 2000, 21:59
:0040C4E8 50 push eax
:0040C4E9 E8FA000000 call 0040C5E8  //This one could be interesting
:0040C4EE 84C0 test al, al
:0040C4F0 7516 jne 0040C508  //Jumps past the string ref for "DEMO"....possibly to registered version?
:0040C4F2 8B45F8 mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"DEMO"
|
:0040C4F5 BAD4C54000 mov edx, 0040C5D4
zitterbe
November 3rd, 2000, 06:12
Why not let it go ahead and make the call and fuck with the code in that proc that affects the return value? Or better, analyze and fuck with the code in the
"call :0040C457 E850000000 call 0040C4AC <--the actual CALL that checks serial"???
Code in that call (or maybe deeper-level calls) supposedly determines the immediate results of the serial check - so maybe global variables (that may get tested later) get set that may need that call to be made, and get some variables set right?
z
radaremt
November 3rd, 2000, 10:32
Also, I now know there are three types of licenses for this program - Standard, Pro, and Commercial..... I have found the .dll in the install directory that affects these as well.
radaremt
November 3rd, 2000, 11:21
OK, I disassembled asreg02.dll in the program once it installed. The upgrade registration menu was disabled, but I found some very, very interesting code. I cannot post all the code here, but if someone wants to take a look at it with me I can send it to you as a text file. It is very, very interesting indeed.
E-mail swflatrunking@hotmail.com or ICQ 8074034.
Thanks for the help so far.