Need help with Delphi target


InOverMyHead
December 9th, 2000, 05:07
I am working on a teacher's grade book that is a Delphi program and gives you 30 days or uses. It requires a user name and an activation code. After the time limit the nag screens are still there and all save and print functions are disabled. It is available here:
http://www.jacksoncorp.com/demoformcgi/Download.html version 5 for Windows

I used hmemcpy to break on the activation code, pressed F12 7 times, then F10 26 times to end up here:

004C955F mov edx, [ebp+var_308] ; d edx=fake activation code
004C9565 lea eax, [ebp+var_100]
004C956B mov ecx, 0FFh
004C9570 call @System@@LStrToString$qqrv ; System __linkproc__ LStrToString(void)
004C9575 mov [ebp+var_200], 0
004C957C cmp [ebp+var_100], 0
004C9583 jz short loc_4C95A1
004C9585 lea eax, [ebp+var_200]
004C958B push eax
004C958C mov ecx, 1
004C9591 mov edx, 1
004C9596 lea eax, [ebp+var_100]; d eax=space + fake activation code
004C959C call @System@@Copy$qqrv ; System __linkproc__ Copy(void)
004C95A1
004C95A1 loc_4C95A1: ; CODE XREF: sub_4C9320+263 j
004C95A1 mov eax, ds:off_5B26E0
004C95A6 mov eax, [eax]
004C95A8 cmp dword ptr [eax+150h], 1
004C95AF jz short loc_4C95C2
004C95B1 mov eax, ds:off_5B26E0
004C95B6 mov eax, [eax]
004C95B8 call @System@TObject@Free$qqrv ; System::TObject::Free(void)
004C95BD jmp loc_4C97F1
004C95C2 ; ---------------------------------------------------------------------------
004C95C2
004C95C2 loc_4C95C2: ; CODE XREF: sub_4C9320+28F j
004C95C2 lea eax, [ebp+var_100]
004C95C8 mov edx, offset aExtension ; "EXTENSION"; d edx=space + EXTENSION
004C95CD xor ecx, ecx
004C95CF mov cl, [eax]
004C95D1 inc ecx

004C95D2 call @System@@AStrCmp$qqrv ; System __linkproc__ AStrCmp(void)

I stepped into this call and saw my fake code and the above EXTENSION being compared, beginning at 00403db6, the first 3 characters in reverse. If you change the Z flags that follow, you will see the rest of the comparison being made. Using EXTENSION as an activation code will give you an additional 30 days or uses. I stepped into other calls, but I could not see any cmps being made, such as in this area, that yielded what I thought was usable info.

004C95D7 jnz short loc_4C95F5 ; if you change this Z flag, at 004c95df it tells you that you are registered, but you are not

004C95D9 lea eax, [ebp+var_100]
004C95DF call sub_4C8F54; Congratulations message

Could someone please point me in the right direction?

Thanks

NicoDE
December 11th, 2000, 22:00
There is no need to target the buttons. Some hints...

(1) TDemoMsg2_Form.FormCreate @0x004C8A5C
(2) TSoldRegForm.FormCreate @0x004C8DD0
(3) Think about the invalid DosDateTime of the file "q.gq"

The rest is yours...

Nico_

Timmy
December 11th, 2000, 22:38
Interesting one, this. I have had a quick look and the registration code entered looks like it is made up of two parts. The first three characters are separated and the rest are digits. The digits are converted into hexadecimal and are compared with a hexadecimal number generated from your registered name (and I think the first three characters have something to do with it on restarting the prog). The hex of the last digits is generated at CS:0041EDFC and the compare hex number is generated at CS:004C9307. Both numbers are returned in EAX. If you enter a dummy code (1st char must be a letter, possibly the 1st 3, haven't checked yet) and then break at the second address above, take a note of the value in EAX. Convert this to decimal and then restart the prog. Now enter the code as before but with digits 4 onwards as the decimal digits you have just converted. The prog is then registered, only until you restart; then it falls down here. I used "Timmy" and "Tim30094".

I have had an hour on it now but it's 3:25 am in the UK and I need some sleep. If I get time tomorrow I will find out why it won't stay registered.

InOverMyHead
December 12th, 2000, 20:17
Thanks NicoDE and Timmy. I now have two very different avenues to explore regarding the protection used in this target.

Timmy
December 12th, 2000, 22:27
This one is doing my head in!
When you first register it with a dummy serial it checks to see if the first character is in [A..Z], fair enough. The next thing is that the first three characters of the serial are combined with the username to produce what the digits after the first three characters should be: BPX CS:4C9307, F10 this call and the hex of the digits is returned in EAX. This then registers the prog until it is restarted.
There are three interesting BPXs that you should use when the prog fires up; these are:
CS:510BE8 - checks if the first char is in [B,C,F,G,J,K,N,O]
CS:510C53 - checks if the second char is in [B,C,D]
CS:510CB1 - checks if the third char is [B]

Now you can register the program using a first char of [B,C,F,G,J,K,N,O] and ANYTHING ELSE; you just need to BPX on CS:4C9307 to get the last digits. I have tried many combinations of registration codes and they all work perfectly regardless of what date I set my system clock to. At the moment I am playing it safe with a code of "JCB******", but my question is: what are the checks on the second and third character for if they do not hinder the prog in any (apparent) way? Or am I just being a bit picky?