SuperCali
October 1st, 2001, 16:22
Hello,
Well done, one target found, the next one, although it seems to be much harder :|. I am looking at the delphi target Muzicman 4.0 Build 909. The problem is I have no idea what to breakpoint to get close to the serial routine as the normal breakpoints don't work. There is no confirmation/acknowledgement of either wrong or right code to break on. I have also tried breaking on for example createfilea to see when it checks the license file (which I don't have) but no luck, I kinda get lost tracing routines that seem to have little to do with the license. Also a lot of problems with the program crashing when certain bytes are patched. I would appreciate any help.
// SuperCali
The Philosopher
October 1st, 2001, 23:48
Quote:
Originally posted by SuperCali
Hello,
Well done one target found the next, although it seems to be much harder :|. I am looking at the delphi target Muzicman 4.0 Build 909. The problem is I have no idea what to breakpoint to get close to the serial routine as the normal breakpoints don't work. There is no confirmation/acknowledgement of either wrong or right code to break on.
// SuperCali
Hi
Did you try to use DaFixer's DeDe. If not try it. Everything is easier.
ftp.balbaro.com
Last version is 3.00b
Solomon
October 2nd, 2001, 04:55
The version on its web site is different: V4.0 Build 930.
h**p://w*w.muzicman.com/code/mzminstall.exe
Seems that this one can't be registered coz it will ALWAYS show "unregistered version" in its splash form (read the following code). I can't find where to enter the so-called serial number.
Decompress it with UPX, then use DeDe to get the asm list:
procedure TSplashForm.FormShow(Sender: TObject);
begin
{
0052B074 push ebp
0052B075 mov ebp, esp
0052B077 push $00
0052B079 push $00
0052B07B push ebx
0052B07C mov ebx, eax
0052B07E xor eax, eax
0052B080 push ebp
* Possible String Reference to: 'ér‡íÿëë[YY]Ã'
|
0052B081 push $0052B0FD
***** TRY
|
0052B086 push dword ptr fs:[eax]
0052B089 mov fs:[eax], esp
* Possible String Reference to: 'Unregistered Version '
|
0052B08C push $0052B114
0052B091 lea eax, [ebp-$08]
0052B094 push eax
0052B095 mov eax, dword ptr [$572A6C]
0052B09A mov eax, [eax]
SuperCali
October 2nd, 2001, 07:25
First of all I'd like to say that the version I have is Build 925 or 927. See, according to the site when I downloaded it, it said version 927, the program says 925, so I am unsure. There is a registration box under settings, registration.
Well I've looked some more at the target and it seems rather strange!? Once decompiled in IDA I found several references like "Please register etc" and an "entered serial number", however I can't find any place where these functions could be called from. I did however find one interesting function:
test eax, 80000000h
setz al
ret
at rva 40f1a5. However changing this to for example setne crashes the program with some strange error after initialization. I would be willing to bet my right hand that it crashes due to some CRC like check, because the error message is something like, before the program terminates:
"Exception EOIeSystemErrror in module muzicman at 1152a5. The operation completed successfully. "
Also I found two routines called readownerkey and writeownerkey (in DeDe) which call the following code:
push ebp
CODE:00557205 mov ebp, esp
CODE:00557207 add esp, 0FFFFFEE0h
CODE:0055720D push ebx
CODE:0055720E xor edx, edx
CODE:00557210 mov [ebp+var_120], edx
CODE:00557216 xor eax, eax
CODE:00557218 push ebp
CODE:00557219 push offset loc_5572DC
CODE:0055721E push dword ptr fs:[eax]
CODE:00557221 mov fs:[eax], esp
CODE:00557224 push 1 ; uMode
CODE:00557226 call SetErrorMode
CODE:0055722B mov [ebp+uMode], eax
CODE:0055722E xor eax, eax
CODE:00557230 push ebp
CODE:00557231 push offset loc_5572BC
CODE:00557236 push dword ptr fs:[eax]
CODE:00557239 mov fs:[eax], esp
CODE:0055723C mov eax, ds:dword_574808
CODE:00557241 mov bl, [eax]
CODE:00557243 mov [ebp+VolumeNameBuffer], 0
CODE:0055724A push 0 ; nFileSystemNameSize
CODE:0055724C push 0 ; lpFileSystemNameBuffer
CODE:0055724E lea eax, [ebp+FileSystemFlags]
CODE:00557251 push eax ; lpFileSystemFlags
CODE:00557252 lea eax, [ebp+MaximumComponentLength]
CODE:00557255 push eax ; lpMaximumComponentLength
CODE:00557256 lea eax, [ebp+VolumeSerialNumber]
CODE:00557259 push eax ; lpVolumeSerialNumber
CODE:0055725A push 105h ; nVolumeNameSize
CODE:0055725F lea eax, [ebp+VolumeNameBuffer]
CODE:00557265 push eax ; lpVolumeNameBuffer
CODE:00557266 lea eax, [ebp+var_120]
CODE:0055726C mov edx, ebx
CODE:0055726E call sub_404024
CODE:00557273 lea eax, [ebp+var_120]
CODE:00557279 mov edx, offset loc_5572F4
CODE:0055727E call sub_404104
CODE:00557283 mov eax, [ebp+var_120]
CODE:00557289 call sub_4042C0
CODE:0055728E push eax ; lpRootPathName
CODE:0055728F call GetVolumeInformationA
CODE:00557294 test eax, eax
CODE:00557296 jz short loc_5572A0
CODE:00557298 mov eax, [ebp+VolumeSerialNumber]
CODE:0055729B mov [ebp+var_4], eax
CODE:0055729E jmp short loc_5572A5
CODE:005572A0 ; ---------------------------------------------------------------------------
CODE:005572A0
CODE:005572A0 loc_5572A0: ; CODE XREF: sub_557204+92j
CODE:005572A0 xor eax, eax
CODE:005572A2 mov [ebp+var_4], eax
CODE:005572A5
CODE:005572A5 loc_5572A5: ; CODE XREF: sub_557204+9Aj
CODE:005572A5 xor eax, eax
CODE:005572A7 pop edx
CODE:005572A8 pop ecx
CODE:005572A9 pop ecx
CODE:005572AA mov fs:[eax], edx
CODE:005572AD push offset loc_5572C3
CODE:005572B2
CODE:005572B2 loc_5572B2: ; CODE XREF: CODE:005572C1j
CODE:005572B2 mov eax, [ebp+uMode]
CODE:005572B5 push eax ; uMode
CODE:005572B6 call SetErrorMode
CODE:005572BB retn
If one nop's out the seterror code functions one can change the code in between, otherwise not. Interestingly there is a function called checkownerkey at 557188 but it is not called from anywhere in the program that I can find!? The unregistered version from the splash can be removed by changing 52630c to c3 btw. Well this is how far I have come until now, but I would really need some help as I am completely stuck at the moment. Thanks for all the ideas.
// SuperCali
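When reading a long IDA or DeDe listing like the readownerkey routine above, it helps to reduce it to "which Win32 APIs does this routine call, with which named arguments, and which strings does it reference". The listing quoted above shows the routine passing its buffers to GetVolumeInformationA and, when that call succeeds, copying VolumeSerialNumber into var_4 before returning, so the summary immediately shows what the key is tied to. The following is an added example, not code from the thread or from DeDe/IDA: a small Python parser for both listing styles seen in this thread (IDA's `CODE:addr mnemonic operands ; comment` lines and DeDe's `addr mnemonic` lines with `* Possible String Reference to:` annotations). It assumes the common Delphi convention that internal `sub_`/`@` helpers use the register calling convention and therefore do not consume stack pushes, while imported stdcall APIs take the pushes made since the last API call, right-to-left. The sample listing embedded in it is constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the IDA and DeDe listings quoted in this thread.
SAMPLE_LISTING = """\
CODE:00557224 push 1 ; uMode
CODE:00557226 call SetErrorMode
CODE:0055725A push 105h ; nVolumeNameSize
CODE:0055725F lea eax, [ebp+VolumeNameBuffer]
CODE:00557265 push eax ; lpVolumeNameBuffer
CODE:0055726E call sub_404024
CODE:0055728E push eax ; lpRootPathName
CODE:0055728F call GetVolumeInformationA
CODE:00557294 test eax, eax
CODE:00557296 jz short loc_5572A0
* Possible String Reference to: 'Unregistered Version '
|
0052B08C push $0052B114
0052B094 push eax
0052B095 mov eax, dword ptr [$572A6C]
"""

# IDA style: "CODE:00557224 push 1 ; uMode"; DeDe style: "0052B08C push $0052B114".
LINE_RE = re.compile(
    r'^(?:CODE:)?(?P<addr>[0-9A-Fa-f]{8})\s+(?P<mnem>\w+)\s*'
    r'(?P<ops>[^;]*?)\s*(?:;\s*(?P<comment>.*))?$')
STRREF_RE = re.compile(r"^\* Possible String Reference to: '(?P<s>.*)'$")


@dataclass
class Call:
    addr: str
    target: str
    args: list       # (argument name or None, pushed operand), first argument first
    internal: bool   # True for sub_/loc_/@ targets inside the program itself


def is_internal(target):
    """Heuristic: labels IDA/DeDe generate for code inside the binary, not imports."""
    return target.startswith(('sub_', 'loc_', '@', '$'))


def parse_listing(text):
    """Return (calls, string_refs) extracted from an IDA- or DeDe-style listing."""
    calls, strings, pending = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STRREF_RE.match(line)
        if m:
            strings.append(m.group('s'))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # separators, '|' lines, labels without an instruction
        mnem = m.group('mnem').lower()
        ops = m.group('ops').strip()
        comment = (m.group('comment') or '').strip() or None
        if mnem == 'push':
            pending.append((comment, ops))
        elif mnem == 'call':
            internal = is_internal(ops)
            # Assumption: Delphi's own register-convention helpers leave the pushed
            # stack arguments in place; only an imported stdcall API consumes them.
            # stdcall pushes right-to-left, so reversing gives first argument first.
            args = [] if internal else list(reversed(pending))
            calls.append(Call(m.group('addr'), ops, args, internal))
            if not internal:
                pending = []
    return calls, strings


def describe_api_calls(calls):
    """Render each imported API call as 'Name(arg=value, ...)' for a quick read."""
    out = []
    for c in calls:
        if c.internal:
            continue
        rendered = ', '.join(f'{name or "?"}={val}' for name, val in c.args)
        out.append(f'{c.addr} {c.target}({rendered})')
    return out


if __name__ == '__main__':
    calls, strings = parse_listing(SAMPLE_LISTING)
    for line in describe_api_calls(calls):
        print(line)
    print('strings:', strings)
```

Run on the sample, the summary reads `00557226 SetErrorMode(uMode=1)` followed by `0055728F GetVolumeInformationA(lpRootPathName=eax, lpVolumeNameBuffer=eax, nVolumeNameSize=105h)`, plus the `Unregistered Version ` string reference; on the full listing above it would also list the serial-number and flags output buffers, which is what tells you the "owner key" is derived from the disk volume rather than from a stored license file.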
SuperCali
October 2nd, 2001, 07:33
Quote:
Originally posted by Solomon
The version in its web site is different: V4.0 Build 930.
h**p://w*w.muzicman.com/code/mzminstall.exe
Seems that this one can't be registered coz it will ALWAYS show "unregistered version" in its splash form(read the following code). I can't find where to enter the so-called serial number
Hello, there is a registration box under settings in the program. Click the > (play icon looking button) at the bottom of the vertical row of five icons in the middle of the app, then settings and you'll see it.
// SuperCali
Solomon
October 2nd, 2001, 11:52
strange
I have not figured out where the reg key is stored.
Used RegMon, but no luck
And also used CreateFileA & GetPrivateProfileStringA, nothing found
Checked all the references to TSettingsForm::KeyEntry(which is a EditBox), no luck yet.
This prog saves the reg key to EventLog.txt, but never reads it out when it launches.
SuperCali
October 2nd, 2001, 12:23
My problem too, I can't find where it stores the key, or the function to compare the key! When one looks in DeDe at the function checkownerkey it simply points to some function which as far as I can tell never is called!? I cracked some previous versions of the app by simply disabling the protection features (back then it only displayed a message and paused your playlist after a "random" amount of time, it was a simple patch of say 3-4 bytes along with one c3 for the check routine that crashed the program). Now the protection however is completely different, but I'm not giving up till this baby is history!!!
B.t.w. there is a function that is called twice during execution, once right at the beginning, and once right at the end in which it displays the not regged limit 400 database message (555958). There is a point there when it sleeps, why does it call sleep at that point (5559c5)? Also the answer might lie in the database file. From what I gather the program uses .dbt ending for non-registered users and .db for registered ones, I'm gonna look into that some more. Well back to work, see if I can't get past it.
// SuperCali