encrypted .exe?


spamal
December 27th, 2000, 16:26
http://e-ditorial.com/editor201.exe

A popular e-book creator and html compiler. It appears to be written in Delphi 3 or 4. When I tried to disassemble it in W32Dasm 8.9 it just gave me 2 pages of garbage. I don't think it is packed. Please help a newbie understand how to disassemble this bad boy. (I can't install SICE where I am).

TIA,
Spamal

LuTiN NoIR
December 27th, 2000, 19:27
Hello,

Your program is packed with aspack 2.11. Use an unpacker to obtain an unpacked version.

regards,
LuTiN NoIR
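Added example, not part of any post in this thread: the packer identification LuTiN NoIR does by eye can be scripted as a triage check. The script below walks the PE headers (DOS header, PE signature, COFF header, section table; the offsets and field layouts are the documented PE format) and flags two things a packed image usually shows: section names that a packer leaves behind (`.aspack`/`.adata` for ASPack, `UPX0`/`UPX1` for UPX) and writable+executable sections that have little or no data on disk but a large in-memory size, which is where an unpacking stub writes the original code. The two sample images are constructed in the script itself (headers only, no code), so it runs offline; the name table is a heuristic, since a packer's section names can be renamed or blanked.

```python
import struct

# Section names well-known packers leave behind. A hit is a lead for triage,
# not proof: names can be renamed or blanked.
PACKER_SECTION_NAMES = {
    b".aspack": "ASPack",
    b".adata": "ASPack",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _pr, _pl, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "flags": flags,
        })
    return sections


def classify(sections):
    """Return (packer name or None, list of human-readable reasons)."""
    packer = None
    reasons = []
    wx_mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in sections:
        hit = PACKER_SECTION_NAMES.get(s["name"])
        if hit:
            packer = packer or hit
            reasons.append("section %r is characteristic of %s" % (s["name"], hit))
        # W+X section with far more memory than bytes on disk: the unpacking
        # stub decompresses the original code into it at run time.
        if (s["flags"] & wx_mask) == wx_mask and s["virtual_size"] > 4 * max(s["raw_size"], 1):
            reasons.append("section %r is W+X with %d bytes on disk but %d in memory"
                           % (s["name"], s["raw_size"], s["virtual_size"]))
    return packer, reasons


def build_sample_pe(section_specs):
    """Constructed minimal PE32 image (headers only) used as offline input.
    section_specs: list of (name, virtual_size, raw_size, flags)."""
    opt_size = 0xE0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; rest left zero
    table = b""
    raw_ptr, vaddr = 0x400, 0x1000
    for name, vsize, rawsize, flags in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += rawsize
        vaddr += max(vsize, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed ASPack-style layout: original sections kept but empty on disk
# and made writable, stub sections appended at the end.
ASPACK_SAMPLE = build_sample_pe([
    (b".text", 0x10000, 0, RX | IMAGE_SCN_MEM_WRITE),
    (b".data", 0x4000, 0, RW),
    (b".aspack", 0x2000, 0x2000, RX),
    (b".adata", 0x1000, 0, RW),
])
# Constructed ordinary layout: code on disk, read/execute only.
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x5000, 0x5000, RX),
    (b".data", 0x1000, 0x1000, RW),
])

if __name__ == "__main__":
    for label, image in (("aspack-like", ASPACK_SAMPLE), ("clean", CLEAN_SAMPLE)):
        packer, reasons = classify(parse_sections(image))
        print(label, "->", packer or "no packer indicators", reasons)
```

On a real file, read it in binary mode and pass the bytes to `parse_sections`; the section table alone is enough for this check, so the script never maps or runs the image.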

spamal
December 28th, 2000, 02:25
Thanks, I unpacked it like a charm. The unpacked .exe runs fine. However, here is a strange thing... When I try to disassemble it, W32DASM v8.93 always hangs when processing the jumps. Could this be another layer of anti-disassembly protection?

Thanks a lot,
Spamal

PS I am running the disassembler on Win2k

splaj
December 28th, 2000, 07:41
When you find a Delphi target ALWAYS use DEDE by DaFixer on it. Latest version does D2 -> D5

With this tool I reversed ColorPilot 3.xx, Lockdown Pro , ASProtect, Softlocx5 (unpacked 1st)
etc etc etc.

from :-
www.balbaro.com ?

Try It
You don't need WDasm89 for Delphi

+SplAj
'Patch+Play'

Hey thanks for the 'tools' guys. What a year of advancement for the RCE.

spamal
December 28th, 2000, 22:12
Well I tried patching the two jumps, but one didn't work, and the other gave me an external exception error when the two strings were compared. Any final ideas? I would like to reverse this without using SICE.

Here is the code, split into 2 posts:

* Reference to: System..LStrCmp()
|
0048FD24 E85341F7FF call 00403E7C
0048FD29 0F85CC000000 jnz 0048FDFB
0048FD2F 8D55F0 lea edx, [ebp-$10]

* Reference to control TFormWelcome.eUser : TEdit
|
0048FD32 8B8310030000 mov eax, [ebx+$0310]

* Reference to: Controls.TControl.GetText()
|
0048FD38 E8AB18FAFF call 004315E8
0048FD3D 8B55F0 mov edx, [ebp-$10]
0048FD40 A1588B4900 mov eax, dword ptr [$498B58]

* Reference to: System..LStrAsg()
|
0048FD45 E8FA3DF7FF call 00403B44
0048FD4A 8D55F0 lea edx, [ebp-$10]

* Reference to control TFormWelcome.eSerial : TEdit
|
0048FD4D 8B8314030000 mov eax, [ebx+$0314]

* Reference to: Controls.TControl.GetText()
|
0048FD53 E89018FAFF call 004315E8
0048FD58 8B55F0 mov edx, [ebp-$10]
0048FD5B A174884900 mov eax, dword ptr [$498874]

* Reference to: System..LStrAsg()
|
0048FD60 E8DF3DF7FF call 00403B44
0048FD65 A1588B4900 mov eax, dword ptr [$498B58]
0048FD6A 8B00 mov eax, [eax]
0048FD6C 50 push eax

* Possible String Reference to: 'User'
|
0048FD6D B994FE4800 mov ecx, $0048FE94

* Possible String Reference to: 'Software\Microdream\E-ditor 2\'
|
0048FD72 BAA4FE4800 mov edx, $0048FEA4
0048FD77 B802000080 mov eax, $80000002
|
0048FD7C E8D7A6FEFF call 0047A458
0048FD81 A174884900 mov eax, dword ptr [$498874]
0048FD86 8B00 mov eax, [eax]
0048FD88 50 push eax

* Possible String Reference to: 'Software\Microdream\E-ditor 2\'
|
0048FD89 BAA4FE4800 mov edx, $0048FEA4

* Possible String Reference to: 'Serial'
|
0048FD8E B9CCFE4800 mov ecx, $0048FECC
0048FD93 B802000080 mov eax, $80000002
|
0048FD98 E8BBA6FEFF call 0047A458
0048FD9D A1008A4900 mov eax, dword ptr [$498A00]
0048FDA2 C60001 mov byte ptr [eax], $01
0048FDA5 6A00 push $00
0048FDA7 668B0DD4FE4800 mov cx, word ptr [$48FED4]
0048FDAE B202 mov dl, $02

* Possible String Reference to: 'E-ditor Pro 2 has been registered.Thank you!'
|

spamal
December 28th, 2000, 22:13
0048FDB0 B8E0FE4800 mov eax, $0048FEE0

* Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.[Dialogs.TMsgDlgBtn]; Integer)
|
0048FDB5 E8CE47FCFF call 00454588
0048FDBA 8B15008A4900 mov edx, [$498A00]
0048FDC0 8A12 mov dl, byte ptr [edx]
0048FDC2 80F201 xor dl, $01

* Reference to control TFormWelcome.ib7 : TImgBtn
|
0048FDC5 8B8328030000 mov eax, [ebx+$0328]

* Reference to: Controls.TControl.SetVisible(bool)
|
0048FDCB E83017FAFF call 00431500
0048FDD0 8B15008A4900 mov edx, [$498A00]
0048FDD6 8A12 mov dl, byte ptr [edx]
0048FDD8 80F201 xor dl, $01

* Reference to control TFormWelcome.ib8 : TImgBtn
|
0048FDDB 8B832C030000 mov eax, [ebx+$032C]

* Reference to: Controls.TControl.SetVisible(bool)
|
0048FDE1 E81A17FAFF call 00431500
0048FDE6 8B15588B4900 mov edx, [$498B58]
0048FDEC 8B12 mov edx, [edx]

* Reference to control TFormWelcome.LRegistered : TLabel
|
0048FDEE 8B8324030000 mov eax, [ebx+$0324]

* Reference to: Controls.TControl.SetText(System.AnsiString)
|
0048FDF4 E81F18FAFF call 00431618
0048FDF9 EB15 jmp 0048FE10
0048FDFB 6A00 push $00
0048FDFD 668B0DD4FE4800 mov cx, word ptr [$48FED4]
0048FE04 B201 mov dl, $01

* Possible String Reference to: 'Invalid Serial or User Name'
|
0048FE06 B81CFF4800 mov eax, $0048FF1C

spamal
December 28th, 2000, 22:33
Actually, killing the jump at
0048FD29

Makes it accept any password as "registered", but it doesn't unlock all of the features. When you use the program it still brands an ugly "unregistered version" on your compiled .exes

+SplAj
January 3rd, 2001, 05:49
Did you get it yet ?

Here is my solution:-

Change the bytes at 48FE06 from B81CFF4800
to 8B45F89090 and this makes a KEYGEN for you !

Just enter your name and dummy serial. The messagebox will now give you the valid serial
instead of 'incorrect serial or user name'

SPAMAL
4FF2020..... bla bla

spamal
January 4th, 2001, 15:48
Hehe, pretty elegant! I finally got ugly and reversed it the old-fashioned way, but yours is much better