
View Full Version : Delphi (SolSuite 2002, 12.0) too hard for me?


Manko
August 31st, 2002, 00:20
Hi! Have been trying to understand this proggy, but I just can't get any further...

Can't understand the validation routine though I can trick it, almost... (It's registered to "Trial Version")
Am able to get access to all shuffles, but if I restart it's unregistered again.

It writes a file called (for me) solsuite.c12 which contains serial and name (You type it in after you have passed with the serial) and some other stuff...
I don't know how to break on access of that file...

Please tell me it will be too hard for me so I can give up! :P

Or do you have any ideas on the serial-validation?
I just get lost in the code...

solsuite.com

/Manko

NervGaz
August 31st, 2002, 01:57
Quote:
Originally posted by Manko
I don't know how to break on access of that file...


Have you tried bpc CreateFile/CreateFileA? Or perhaps they're trying to be tricky and are using _lopen/_lcreate... just a few ideas... even if they use the Delphi functions you should end up in one of these eventually when opening a file... unless they're really really sneaky and have their own ring-0 routines for opening files...

Manko
August 31st, 2002, 13:51
Sigh!

I had got it into my head that it wouldn't work so I didn't try...
It breaks and it reads and it computes and I still get lost...

Maybe I should just give up? ...but I hate that...
If I only understood more of what's going on...

So many flags and stuff, the stack's heavily used too I think...

Sometimes it feels so easy to follow, but sometimes...

This code seems harder to understand... Can't even find some points to patch... But I guess you WOULD make this part harder...

Hate being a helpless newbie... :P

/Manko

NervGaz
August 31st, 2002, 14:09
I usually go with deadlistings when I get stuck while debugging... just remember where in the code you break in... you get a bit better overview of the code in deadlistings IMHO

JMI
August 31st, 2002, 15:06
Manko:

Don't forget that if the program is Delphi, you can also look at it with DeDe.

Regards.

Manko
August 31st, 2002, 16:20
Quote:
Originally posted by JMI
Manko:

Don't forget that if the program is Delphi, you can also look at it with DeDe.

Regards.


First thing I did.
Couldn't get it to disassemble the parts I liked though...
And the whole thing took too much time and then ran out of space...

/Manko

Manko
August 31st, 2002, 16:23
Quote:
Originally posted by NervGaz
I usually go with deadlistings when I get stuck while debugging... just remember where in the code you break in... you get a bit better overview of the code in deadlistings IMHO


Yup, good idea.
Will do that. Too bad though I couldn't get DeDe to do the whole prog. And not really the parts I wanted either...

/Manko

JMI
August 31st, 2002, 16:48
Manko:

A few more pre-breakfast ramblings.

I reviewed some of DaFixer's recent DeDe posts (and now noticed that you posted there on using DeDe). Maybe there is something on stealthFIGHTER's site that can help you. He has a lot of tutorials on his page which deal with name/serial issues in Delphi apps. Googling "stealthFIGHTER" will get you right there.


If you are making changes they don't appear to be writing to the .c12 file. Have you checked for file write APIs and/or attempted to save your changes to file? Also have you checked if it is writing to the registry with some information about a valid serial?

Regards.

cHeCksUm
August 31st, 2002, 22:19
I have an old version already and I will take a look and see if I can help you /give you some hints. Post my findings tomorrow.

// cHeCksUm

cHeCksUm
August 31st, 2002, 23:26
Well I have cracked the version I have (8.1 I think) so now I know I can help you. Well I have just done a nasty in-memory byte patch (i.e. non-permanent, yet it doesn't have to be) so it accepted any code. Will try some other approaches like getting the valid serial etc. Just post if you need more help. In case you are wondering, the tools I used are WDASM and OllyDebug. I simply used WDASM and searched for text strings. Then fired up OllyDebug and set some breakpoints on suspicious strings I found in WDASM and voila.

P.S. What version are you trying... it's quite possible that they changed the routine.... so maybe my info will not help.

// cHeCksUm

ZaiRoN
August 31st, 2002, 23:29
Hi!
nice game Manko
I took a look at the proggie thinking that I would find an easy protection, because the old version (can't remember the release) had a very easy protection (bad_boy to good_boy conversion).
I was totally wrong, because the target seems well protected!

Here are some quick notes:

When it runs, the proggie looks for filemon, dede (and maybe something else) and closes them if running.
DeDe can't help me too much because there's no trace of interesting resources, I mean something like regForm...
In the dead_list I haven't found interesting messages that can bring me directly to a check routine.
I think that some strings are encrypted in some way; the code is full of encrypted strings.

Moreover, the proggie has a simple breakpoint detection; it checks all the APIs used. The funny thing is that there are two checks on each API, but (fundamentally) they are the same.
Here is how it checks if a breakpoint is placed on a single API:

4CA814:
...
004CA834 MOV AL,BYTE PTR DS:[ESI] ; i.e. esi -> "jmp@MessageBox"
004CA836 MOV AH,66
004CA838 ADD AH,AH ; 66h + 66h = CCh
004CA83A CMP AH,AL ; al is CCh if a bpx is present
004CA83C JE SHORT SOLSUITE.004CA842 ; if equals jump to bad boy...

The other method is a simple cmp of the first byte of the jump@ against 0CCh; you'll find it at 4CA87C.

Those are very simple checking methods and maybe it's simple to break this target, but...who can say!

Those are only a few words for now, but I hope it helps in some way.

regards,
ZaiRoN
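The INT3 check ZaiRoN lists above, reimplemented in C as an added example (this is not code from the thread or from SolSuite). It keeps both variants from the post: the obfuscated one that builds CCh as 66h + 66h so the literal 0CCh never appears in the instruction stream, and the plain compare against 0CCh. The stub bytes are constructed sample data; the FF 25 form is the usual `jmp dword ptr [iat_slot]` import thunk, assumed here and not taken from the thread.

```c
/* Added example, not from the original post: software-breakpoint (INT3)
 * detection of the kind ZaiRoN describes. A debugger's 'bpx SomeApi' writes
 * 0xCC over the first byte of the jmp@ stub, so the program reads that byte
 * back and compares. Sample stubs below are constructed, not dumped from
 * SolSuite. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC

/* Method 1 (4CA834 in the post): mov ah,66 / add ah,ah / cmp ah,al.
 * The constant CCh is produced at run time so a string/byte search for
 * 0CCh in the dead listing does not find the check. */
int bpx_present_obfuscated(const uint8_t *stub)
{
    uint8_t ah = 0x66;
    ah = (uint8_t)(ah + ah);          /* 66h + 66h = CCh */
    return stub[0] == ah;             /* AL is the stub's first byte */
}

/* Method 2 (4CA87C in the post): direct cmp byte ptr [stub], 0CCh. */
int bpx_present_direct(const uint8_t *stub)
{
    return stub[0] == INT3_OPCODE;
}

/* Apply both checks across a table of API stubs (the "two checks on each
 * API" ZaiRoN mentions) and return the index of the first patched stub,
 * or -1 when none has a breakpoint on it. */
int first_hooked_stub(const uint8_t *const *stubs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (bpx_present_obfuscated(stubs[i]) || bpx_present_direct(stubs[i]))
            return (int)i;
    }
    return -1;
}

/* Same check against a live function in this process: on x86/x64 a
 * debugger breakpoint on the symbol leaves 0xCC as its first code byte. */
int bpx_on_function(void (*fn)(void))
{
    const uint8_t *code = (const uint8_t *)(uintptr_t)fn;
    return bpx_present_direct(code);
}

static void probe_target(void) { }

int main(void)
{
    /* Constructed stubs: a clean 'jmp dword ptr [00402010]' thunk and the
     * same thunk after a debugger planted INT3 on it. */
    const uint8_t clean[]  = {0xFF, 0x25, 0x10, 0x20, 0x40, 0x00};
    const uint8_t hooked[] = {0xCC, 0x25, 0x10, 0x20, 0x40, 0x00};
    const uint8_t *table[] = {clean, clean, hooked};

    printf("first hooked stub: %d\n", first_hooked_stub(table, 3));
    printf("bpx on probe_target: %d\n", bpx_on_function(probe_target));
    return 0;
}
```

The practical consequence is the one Manko hints at later in the thread: a breakpoint on the first byte of the stub is what these checks see, so breaking a few bytes into the stub, or on the real export inside the DLL rather than on the program's jmp@ thunk, sidesteps both variants without patching them.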

cHeCksUm
August 31st, 2002, 23:52
ahhh... I am downloading the new version as we speak... no wait as I speak... no that's not right.. as I write ... as they are on version 12.0 now!!! I didn't even know I had such old programs on my file server (8.1 that I have is from 2001!!!). Well as soon as it's down I'll take a look at it and see how much has changed... hopefully it will be more challenging now!!!

// cHeCksUm

Manko
September 1st, 2002, 00:08
I did it! Now all works great and looks good! Maybe I should write an essay about blind cracking? :P

btw, this was SolSuite 2002 v12, very different from earlier versions which were not so very tough, I understand...

DeDe gave me great info to begin with; RegCode's the form to be looking at. The process of the okbutton is called help2, or something... I disassemble with DeDe and break in SoftICE on some of the early addresses. I just follow code, getting to know it... don't understand it all but I see things happening... getting an idea of where I'd like to go/not go...
look at jumps, forcing my way to the goal.
(Just patch 2 places...)
Works ok. Unlocked program. But at restart I'm unregged.
Got help to realise I needed to check createfilea.
Reg is stored in solsuite.c12, also read on start.
After much tracing and confusion, decided to fiddle with similar code I altered before. Changed one jump, all is regged!
Don't understand a thing. Very confusing code...

Ask questions if you like, I'm content.
(almost... wish I knew more, what it do...)

Really tired... go bed, sleep till children wake me... sigh!

/Manko

Manko
September 1st, 2002, 00:13
And a really great THANKS to everyone who gave an interest in my predicament.

Now I go to bed!

/Manko

cHeCksUm
September 1st, 2002, 06:32
@ Manko
hmmmm.... After having disabled the five or so debugger checks I was able to get to the routine I wanted. It is similar to the old ones but all strings are encrypted. What I cannot find is the place in which it compares the real serial to the fake one. I know it has to be somewhere around 4cdbdb3 but I cannot find it. Can you shed some light on this issue!? I have been able to get the reg to accept any serial but I am missing one or a byte patch somewhere as it isn't working....grrrrr!!! Well seeing as how it's 7:34 in the morning I think it's time I go to bed!!! Check in with everyone tomorrow....

// cHeCksUm

Manko
September 1st, 2002, 15:16
Quote:
Originally posted by cHeCksUm
@ Manko
hmmmm.... After having disabled the five or so debugger checks I was able to get to the routine I wanted. It is similar to the old ones but all strings are encrypted. What I cannot find is the place in which it compares the real serial to the fake one. I know it has to be somewhere around 4cdbdb3 but I cannot find it. Can you shed some light on this issue!? I have been able to get the reg to accept any serial but I am missing one or a byte patch somewhere as it isn't working....grrrrr!!! Well seeing as how it's 7:34 in the morning I think it's time I go to bed!!! Check in with everyone tomorrow....

// cHeCksUm


Never saw those debugger checks, and they didn't affect me either!? Very irritating! I have NOT patched Sice but still it avoids detection?! Dede can't see it either...

So it's somewhat similar...? Maybe I spoke too hastily.
And you will easily find the other place you have to patch by
tracing from createfilea... Probably this has already been done by you?

Can anyone explain this code to me? I don't understand these instructions
and don't know how to see the results of them...

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004CBC75(C), :004CBC87(C)
|
:004CBD99 DD45B0 fld qword ptr [ebp-50]
:004CBD9C D81D74C14C00 fcomp dword ptr [004CC174]
:004CBDA2 DFE0 fstsw ax
:004CBDA4 9E sahf
:004CBDA5 7212 jb 004CBDB9
:004CBDA7 DD45B0 fld qword ptr [ebp-50]
:004CBDAA D81D8CC14C00 fcomp dword ptr [004CC18C]
:004CBDB0 DFE0 fstsw ax
:004CBDB2 9E sahf
:004CBDB3 0F860E010000 jbe 004CBEC7

I guess this one would have been easy to patch if I had only known more assembler... How about fishing a serial?
Possible? Maybe I will find out for my self when I understand those lines... (?)

Hmm... float-point? my serial in float in **ebp-50? real serial in **4cca8c. turn on to show real? then traceback "algo"... or check what gives the real serial in **4cc18c?

Probably ought to experiment... Perhaps later...

/Manko

cHeCksUm
September 1st, 2002, 18:36
@Manko:


No I was wrong, the routines are changed quite a bit. However there is an "upgrade" version of the key in which you are then prompted to enter a key from a previous version... think that is what confused me. Anyhow I cannot find the second byte patch you are talking about.... I have traced createfilea till my face was blue. I have managed to get the "registered to" to appear on the splash (under the unreg logo!?) but that's about it. Could you maybe give me a hint. I too don't understand the floating point instructions. If one looks at [ebp-50] there is nothing in it... i.e. it is zeroed... so the right serial is not there. The instructions as far as I can tell seem to be adding up two floating point numbers... but like I said I don't understand it properly.

Two other things I am wondering. Do you know what the 52181165046432 number is and what it's checked against (might differ on your system)!? Then there is an encrypted string (a12763ww) which decrypts to 1abgfcGG. I have no idea what that is for either.

Some more misc info. There is a file in c:\windows called fmx_tia8.dfv which I have come to the almost certain conclusion is in fact the encrypted date when the prog was installed. I'll delve into that some more. Also when the jump at 4CbDB3 is changed to always and the program accepts any code... it does in fact write the info into the solsuite.c* file. However if one checks the about box it still says TRIAL version and like you know a restart and you get the TRIAL dialog etc. So somehow there is another check that is called. Well if you have more info I would appreciate some help as this is a very good learning session for me...

// cHeCksUm

Manko
September 1st, 2002, 20:17
Quote:
Originally posted by cHeCksUm
@Manko:


No I was wrong, the routines are changed quite a bit. However there is an "upgrade" version of the key in which you are then prompted to enter a key from a previous version... think that is what confused me. Anyhow I cannot find the second byte patch you are talking about.... I have traced createfilea till my face was blue. I have managed to get the "registered to" to appear on the splash (under the unreg logo!?) but that's about it. Could you maybe give me a hint. I too don't understand the floating point instructions. If one looks at [ebp-50] there is nothing in it... i.e. it is zeroed... so the right serial is not there. The instructions as far as I can tell seem to be adding up two floating point numbers... but like I said I don't understand it properly.

Use the loader to start solsuite; bpx createfilea; first stop is some cfg or dat; F5; now eax holds solsuite.c12 (or some other number), it contains your name and serial and other stuff; F11; in solsuite code; F10 till you get code similar to what you already know; patch the right jump; smile! (I'd hate to think this only works on my puter...)

Quote:

Two other things I am wondering. Do you know what the 52181165046432 number is and what it's checked against (might differ on your system)!? Then there is an encrypted string (a12763ww) which decrypts to 1abgfcGG. I have no idea what that is for either.

Seen so many numbers in that one I've stopped caring... :P
No idea about the other one either, though I've seen it.

Quote:

Some more misc info. There is a file in c:\windows called fmx_tia8.dfv which I have come to the almost certain conclusion is in fact the encrypted date when the prog was installed. I'll delve into that some more. Also when the jump at 4CbDB3 is changed to always and the program accepts any code... it does in fact write the info into the solsuite.c* file. However if one checks the about box it still says TRIAL version and like you know a restart and you get the TRIAL dialog etc. So somehow there is another check that is called. Well if you have more info I would appreciate some help as this is a very good learning session for me...

// cHeCksUm

You saw that too?
I could never find that file.
Guess it was deleted every time I regged.
Jupp it's as it should be. It doesn't get fully regged until the solsuite.c12(any number?) "passes"... :P

/Manko

Manko
September 1st, 2002, 20:38
btw, cHeCksUm

ZaiRoN mentioned the API calls were bugged. Maybe you are getting the "runarounds"?
Perhaps break on createfilea+3 instead!?
Though I can't for the life of me see why I shouldn't have been caught by it too... ?

/Manko

NE1
September 2nd, 2002, 00:24
Quote:
Can anyone explain this code to me? I don't understand these instructions
and don't know how to see the results of them...

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004CBC75(C), :004CBC87(C)
|
:004CBD99 DD45B0 fld qword ptr [ebp-50]
:004CBD9C D81D74C14C00 fcomp dword ptr [004CC174]
:004CBDA2 DFE0 fstsw ax
:004CBDA4 9E sahf
:004CBDA5 7212 jb 004CBDB9
:004CBDA7 DD45B0 fld qword ptr [ebp-50]
:004CBDAA D81D8CC14C00 fcomp dword ptr [004CC18C]
:004CBDB0 DFE0 fstsw ax
:004CBDB2 9E sahf
:004CBDB3 0F860E010000 jbe 004CBEC7


This is a typical floating point comparison routine.
It basically copies a value to the FPU stack, compares it with another value, sets FPU flags based on the comparison, and then copies the flags to the 8086 flags, so that something can be done based on the result (i.e. conditional jump, etc.)

Here is the breakdown of the first part: (The second part is doing the same thing with different values).


:004CBD99 DD45B0 fld qword ptr [ebp-50]

Takes the 64-bit value that is stored at the address that is in ebp-50, converts it to 80-bit precision, and then pushes it on the FPU stack (st(0)).

:004CBD9C D81D74C14C00 fcomp dword ptr [004CC174]

Floating point comparison. Compares st(0) with the value at the address specified by 4CC174, then pops st(0). Sets FPU flags based on the result of the comparison.

:004CBDA2 DFE0 fstsw ax

Stores the FPU status register (flags) in ax.

:004CBDA4 9E sahf

Copies the FPU status register (flags) to the 8086's flags register.

:004CBDA5 7212 jb 004CBDB9

Jump if below. Jumps if the Carry Flag has been set (Carry = 1).

Hope this helps...
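To make NE1's breakdown concrete, here is an added C model of the fld/fcomp/fstsw/sahf/jb sequence from the listing (example code written for this thread, not from SolSuite or from any poster). It encodes how fcomp sets C3/C2/C0, how fstsw ax places them in AH, and how sahf turns them into CF/PF/ZF, and then walks both compares from 004CBD99 to say which address the code ends up at for a given value in [ebp-50]. The real constants at 004CC174 and 004CC18C are not known from the thread; the `lo` and `hi` parameters stand in for them and the values in main are constructed samples.

```c
/* Added example, not from the original post: x87 compare-and-branch
 * semantics for the sequence at 004CBD99. Constants at 004CC174/004CC18C
 * are unknown here and are passed in as lo/hi. */
#include <stdint.h>
#include <math.h>
#include <stdio.h>

/* Condition-code bits of the x87 status word as they sit in AX after
 * 'fstsw ax': C0 = bit 8, C2 = bit 10, C3 = bit 14. */
#define FSW_C0 (1u << 8)
#define FSW_C2 (1u << 10)
#define FSW_C3 (1u << 14)

/* fcomp m32: compare st(0) with a 32-bit float from memory, set C3 C2 C0,
 * pop st(0). The qword from [ebp-50] was widened to 80 bits by fld and the
 * dword operand is widened too, so comparing double vs. (double)float here
 * gives the same ordering as the FPU does. */
uint16_t fcomp_status(double st0, float mem)
{
    double m = (double)mem;
    if (isnan(st0) || isnan(m)) return FSW_C3 | FSW_C2 | FSW_C0; /* unordered */
    if (st0 > m)                return 0;                         /* greater */
    if (st0 < m)                return FSW_C0;                    /* less    */
    return FSW_C3;                                                /* equal   */
}

/* sahf loads AH into the low byte of EFLAGS: bit 0 -> CF, bit 2 -> PF,
 * bit 6 -> ZF. Since AH is the high byte of the status word, C0 lands in
 * CF, C2 in PF and C3 in ZF. That is the whole trick of fstsw ax / sahf:
 * afterwards the integer jcc family can be used on a float compare. */
typedef struct { int cf, pf, zf; } eflags_t;

eflags_t sahf_from_fsw(uint16_t fsw)
{
    uint8_t ah = (uint8_t)(fsw >> 8);
    eflags_t f = { (ah >> 0) & 1, (ah >> 2) & 1, (ah >> 6) & 1 };
    return f;
}

/* jb  is taken when CF == 1       : st0 <  mem (or unordered)
 * jbe is taken when CF || ZF      : st0 <= mem (or unordered) */
int jb_taken(double st0, float mem)
{
    eflags_t f = sahf_from_fsw(fcomp_status(st0, mem));
    return f.cf;
}

int jbe_taken(double st0, float mem)
{
    eflags_t f = sahf_from_fsw(fcomp_status(st0, mem));
    return f.cf || f.zf;
}

/* Walk the listing: jb at 004CBDA5 targets 004CBDB9, jbe at 004CBDB3
 * targets 004CBEC7, and the jbe's own fall-through (004CBDB3 + 6 bytes)
 * is 004CBDB9 as well. Returns the address control reaches. */
uint32_t route_4CBD99(double ebp_50, float lo /* [004CC174] */, float hi /* [004CC18C] */)
{
    if (jb_taken(ebp_50, lo))  return 0x4CBDB9;   /* value below lo            */
    if (jbe_taken(ebp_50, hi)) return 0x4CBEC7;   /* lo <= value <= hi         */
    return 0x4CBDB9;                              /* value above hi: falls through */
}

int main(void)
{
    /* Constructed sample bounds; the real ones live at 004CC174/004CC18C. */
    const float lo = 1000.0f, hi = 2000.0f;
    const double samples[] = { 999.0, 1000.0, 1500.0, 2000.0, 2000.5 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[ebp-50] = %8.1f -> %08X\n", samples[i],
               route_4CBD99(samples[i], lo, hi));
    return 0;
}
```

Running the model shows the two compares are a single range test: 004CBEC7 is reached exactly when [004CC174] <= [ebp-50] <= [004CC18C], and every other value (below, above, or NaN) ends up at 004CBDB9. That also explains cHeCksUm's observation that forcing the jbe at 004CBDB3 to always jump makes the program accept any code.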

Iwarez
September 2nd, 2002, 00:24
I don't think there is a place where serials are being compared. The serial is independent of the name you enter later on. The program only needs two places to patch. I suggest you first find the place to patch after the serial is entered. After that you know how the ok/bad routine looks. After that search for references to solsuite.c12 and look for the same code. It's easy to find.

cHeCksUm
September 2nd, 2002, 02:28
@Manko

Thanks for the help, I will have another look at it tomorrow. I used OllyDebug for this session as I don't have a SoftICE that works on XP. So that is why I had to disable the annoying anti-breakpoint crap. It was only four places (two NOPs and two RETs). So that shouldn't be the problem. Most likely the reason I couldn't find the other patch point was because I was tired. I found the place where it reads the file no probs, just not anything that looked like the other check. Like I said I'll have a look at it tomorrow again. I also verified that the file in c:\windows is the encrypted date. Fiddled around with it and got an "extended" trial... nothing interesting.

@Iwarez

I understand that the serial is independent of the name, however it still needs to check if your serial is valid. I guess it just applies the floating point math and expects some result or other.... I have to understand the fp math algo though...

// cHeCksUm

cHeCksUm
September 2nd, 2002, 09:13
Found it!!! Can't believe I missed it in the first place. Well anyhow I have written a small "tute" (more of a description of what I did). Don't know if it's worth publishing here though. Thanks everyone for the help. Now any suggestions for the next target?

// cHeCksUm

Paul333
September 4th, 2002, 01:33
Checksum i'd be interested in seeing your tute!!

Thanks

paul333

cHeCksUm
September 4th, 2002, 08:43
You are not the only one to request it. So I was thinking of posting it here.

As this is a rather specific tute I am not sure it is appropriate to post here... I'll have to ask the moderators... if they OK it I'll post it in this thread, else I can email it to you etc..

So moderators is it better to email this tute or post it here? Thanks.

// cHeCksUm

Paul333
September 6th, 2002, 01:45
Sorry to be a pest Checksum.......how are you getting on with the tute

Thanks

paul333

TheSearcher
September 6th, 2002, 01:49
Hi cHeCksUm,

Send it to Woodmann


regards

cHeCksUm
September 6th, 2002, 14:23
Know why lightning never strikes the same place twice? Because one time is enough to completely and utterly ruin your day/night!!! Yesterday @ 6'ish lightning struck out all our servers. Had a nice all-nighter @ work.... don't you just love lightning!!!

Well anyhow the tute is done, I have sent it to a couple of people via email. I will send it to Woodmann and see what he does with it. I just want to reiterate the fact that it is more of a "cracking note sheet" than a proper tutorial so don't get your hopes up; it's not an earth-shattering orgasmic wave of knowledge that will enlighten you and generally make you a better person.... in case that was your impression that is.

// cHeCksUm

Paul333
September 6th, 2002, 19:23
Thanks Checksum...

I'm not looking for a fantastic tute..just a note saying where to patch the second jump

If ANYONE has been sent Checksums tute can you please forward to me please as i never got one

Thanks

paul333

Nigma
September 26th, 2002, 20:21
Well, it was really interesting to read all of these posts, but I must say that there are a few things to explain:

First, checksum was right, there are two and maybe more
reg routines, one for the 12 version and one for the upgrade,
but I don't think that there is a place where our fake serial
is compared to the real one; instead there is a routine { this
is the registration CORE } at the call before 005FE187
and after that there are some VERY INTERESTING COMPARE
instructions.

Well, check it if you want?

BTW, don't even think of finding a good serial by just tracing;
if you want to find a good serial, trace the reg core and after
understanding what's going on there write
a bruteforce proggie in your favorite code.

If you want working serials for this version or something else email me!

good luck everyone !

Paul333
October 1st, 2002, 19:10
Checksum, just checked my old email addy and got the tute you made for Solsuite 12..many thanks mate ..I'll study it now for future ref

paul333

Iwarez
October 2nd, 2002, 23:30
Many thanks go to the one who suggested the serial checking routine and the compares. Thanks to him I could make a valid serial. I learned a lot while keygenning. So, once again, thank you!