
View Full Version : Newbie Roadblock, some help please


PipeLN
September 18th, 2002, 18:33
I have a wonderful little delphi prog that just keeps on protecting itself and now I need a little help. If the program is registered you have full functions. If unregistered you are limited to a certain number of items in the DB. Here is the background:

Unpacked the program, fired up W32DASM and found no String Refs (don't know why, it works on other progs just fine). Then I used DEDE and got exactly what I needed.

First, it had a serial check. I nopped out the instruction to go to the verify routine and this worked well and I thought I was close to wrapping up. I put in a fake serial, clicked ok and then it starts accessing the internet. It does a server check by going to a webpage that either returns a 0 (bad boy) or a 1 (good boy) and a little message. It only takes two arguments like this: http://www.server.com/register.asp?Key="KEY"&machineid="MACHINE ID" . I assume it has a database that only allows the program to be used if the keycode and machine ID are correct. I don't know if the keycode is based on the machine id or not. So I changed it to check my server which returns a 1 every time.

So this is what I know about the protection on this app:

Enter Serial
Checks serial to make sure it is a valid serial.
If it is a valid serial, it goes to a web page and verifies this serial against this machine ID.

Now I need to figure out the routine that checks the serial and see if I can come up with a keygen. There are so many calls and jumps that I could spend days wading through the code and never get anywhere. I have narrowed it down to one section of code that is called each time it needs to know if the key is correct (I think). I didn't know what to snip out so sorry if it is long:

0059AE00 55 push ebp
0059AE01 8BEC mov ebp, esp
0059AE03 83C4D8 add esp, -$28
0059AE06 53 push ebx
0059AE07 33C9 xor ecx, ecx
0059AE09 894DF8 mov [ebp-$08], ecx
0059AE0C 894DF4 mov [ebp-$0C], ecx
0059AE0F 8955FC mov [ebp-$04], edx
0059AE12 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrAddRef;
|
0059AE15 E8D2A0E6FF call 00404EEC
0059AE1A 33C0 xor eax, eax
0059AE1C 55 push ebp

* Possible String Reference to: 'éê”æÿëë‹Ã[‹å]Ã'
|
0059AE1D 68F1AE5900 push $0059AEF1

***** TRY
|
0059AE22 64FF30 push dword ptr fs:[eax]
0059AE25 648920 mov fs:[eax], esp
0059AE28 33DB xor ebx, ebx
0059AE2A 8D45F4 lea eax, [ebp-$0C]
0059AE2D 50 push eax
0059AE2E B903000000 mov ecx, $00000003
0059AE33 BA01000000 mov edx, $00000001
0059AE38 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE3B E81CA1E6FF call 00404F5C
0059AE40 8D45F8 lea eax, [ebp-$08]
0059AE43 50 push eax
0059AE44 B908000000 mov ecx, $00000008
0059AE49 BA04000000 mov edx, $00000004
0059AE4E 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE51 E806A1E6FF call 00404F5C
0059AE56 8D45FC lea eax, [ebp-$04]
0059AE59 50 push eax
0059AE5A B9FF000000 mov ecx, $000000FF
0059AE5F BA0D000000 mov edx, $0000000D
0059AE64 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE67 E8F0A0E6FF call 00404F5C
0059AE6C 8B45F4 mov eax, [ebp-$0C]

* Possible String Reference to: 'PHT' <----Huh?
|
0059AE6F BA08AF5900 mov edx, $0059AF08

* Reference to: system.@LStrCmp;
| or: system.@LStrCmp;
|
0059AE74 E8CF9FE6FF call 00404E48
0059AE79 755B jnz 0059AED6
0059AE7B 8D55F0 lea edx, [ebp-$10]
0059AE7E B904000000 mov ecx, $00000004
0059AE83 8B45F8 mov eax, [ebp-$08]

|
0059AE86 E8051DF7FF call 0050CB90
0059AE8B 84C0 test al, al
0059AE8D 7447 jz 0059AED6
0059AE8F 8D55E8 lea edx, [ebp-$18]
0059AE92 B908000000 mov ecx, $00000008
0059AE97 8B45FC mov eax, [ebp-$04]

|
0059AE9A E8F11CF7FF call 0050CB90
0059AE9F 84C0 test al, al
0059AEA1 7433 jz 0059AED6
0059AEA3 8D55D8 lea edx, [ebp-$28]
0059AEA6 B910000000 mov ecx, $00000010

* Possible String Reference to: '50D93887C578BEEE265F16F5321CFBAD' <---Not Key, possibly an old hardcoded key that is invalid now?
|
0059AEAB B814AF5900 mov eax, $0059AF14

|
0059AEB0 E8DB1CF7FF call 0050CB90
0059AEB5 84C0 test al, al
0059AEB7 741D jz 0059AED6
0059AEB9 8D55D8 lea edx, [ebp-$28]
0059AEBC B910000000 mov ecx, $00000010
0059AEC1 8B45F0 mov eax, [ebp-$10]

|
0059AEC4 E87F2DF8FF call 0051DC48
0059AEC9 8D55E8 lea edx, [ebp-$18]
0059AECC 8D45D8 lea eax, [ebp-$28]

* Reference to : TAboutForm.~PROC~0051DC74()
|
0059AECF E8A02DF8FF call 0051DC74
0059AED4 8BD8 mov ebx, eax
0059AED6 33C0 xor eax, eax
0059AED8 5A pop edx
0059AED9 59 pop ecx
0059AEDA 59 pop ecx
0059AEDB 648910 mov fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '‹Ã[‹å]Ã'
|
0059AEDE 68F8AE5900 push $0059AEF8
0059AEE3 8D45F4 lea eax, [ebp-$0C]
0059AEE6 BA03000000 mov edx, $00000003

* Reference to: system.@LStrArrayClr;
|
0059AEEB E8709BE6FF call 00404A60
0059AEF0 C3 ret

0059AEF1 E9EA94E6FF jmp 004043E0
0059AEF6 EBEB jmp 0059AEE3

****** END
|
0059AEF8 8BC3 mov eax, ebx
0059AEFA 5B pop ebx
0059AEFB 8BE5 mov esp, ebp
0059AEFD 5D pop ebp
0059AEFE C3 ret


I am too new to understand what is important in the above code (besides the obvious refs). I don't want someone to give it away because this is something I want to do myself. I just need a little breakdown of what the above code may do and a gentle SHOVE in the right direction.

I don't want to include the software name but if you want to take a look at the exe PM me.

|PipeLN|

naides
September 19th, 2002, 01:47
0059AE00 55 push ebp
0059AE01 8BEC mov ebp, esp
0059AE03 83C4D8 add esp, -$28
0059AE06 53 push ebx
0059AE07 33C9 xor ecx, ecx
0059AE09 894DF8 mov [ebp-$08], ecx
0059AE0C 894DF4 mov [ebp-$0C], ecx
0059AE0F 8955FC mov [ebp-$04], edx
0059AE12 8B45FC mov eax, [ebp-$04]

* Reference to: system.@LStrAddRef;
|
0059AE15 E8D2A0E6FF call 00404EEC
0059AE1A 33C0 xor eax, eax
0059AE1C 55 push ebp

* Possible String Reference to: 'éê”æÿëë‹Ã[‹å]Ã' WHAT IS THIS?
0059AE1D 68F1AE5900 push $0059AEF1

***** TRY
|
0059AE22 64FF30 push dword ptr fs:[eax]
0059AE25 648920 mov fs:[eax], esp
0059AE28 33DB xor ebx, ebx
0059AE2A 8D45F4 lea eax, [ebp-$0C] DESTINATION ADDRESS FOR @lStrCopy (1)
0059AE2D 50 push eax
0059AE2E B903000000 mov ecx, $00000003 THREE CHARS TO COPY
0059AE33 BA01000000 mov edx, $00000001 FROM POSITION 1
0059AE38 8B45FC mov eax, [ebp-$04] SOURCE STRING ADDRESS

* Reference to: system.@LStrCopy; COPY IT
| or: system.@LStrCopy;
|
0059AE3B E81CA1E6FF call 00404F5C
0059AE40 8D45F8 lea eax, [ebp-$08] DESTINATION OF THE NEXT CHARS
0059AE43 50 push eax
0059AE44 B908000000 mov ecx, $00000008 EIGHT CHARS TO COPY (2)
0059AE49 BA04000000 mov edx, $00000004 FROM POSITION 4
0059AE4E 8B45FC mov eax, [ebp-$04] SOURCE STRING ADDRESS

* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE51 E806A1E6FF call 00404F5C COPY IT
0059AE56 8D45FC lea eax, [ebp-$04] DESTINATION ADDRESS
0059AE59 50 push eax
0059AE5A B9FF000000 mov ecx, $000000FF 256 CHARS TO COPY
0059AE5F BA0D000000 mov edx, $0000000D FROM POSITION 13
0059AE64 8B45FC mov eax, [ebp-$04] FROM THE SOURCE STRING. GOT RID OF THE FIRST 12 CHARS

* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE67 E8F0A0E6FF call 00404F5C COPY IT
0059AE6C 8B45F4 mov eax, [ebp-$0C] REMEMBER THE FIRST THREE CHARS OF THE STRING? IN (1)?

* Possible String Reference to: 'PHT' <----Huh?
|
0059AE6F BA08AF5900 mov edx, $0059AF08 NOW THE ADDRESS OF 'PHT' IS IN EDX

* Reference to: system.@LStrCmp;
| or: system.@LStrCmp;
|
0059AE74 E8CF9FE6FF call 00404E48 ARE THE FIRST 3 CHARS == 'PHT'?
0059AE79 755B jnz 0059AED6 IF NOT GO TO BADBOY?
0059AE7B 8D55F0 lea edx, [ebp-$10] I DO NOT KNOW WHAT IS IN EBP-10
0059AE7E B904000000 mov ecx, $00000004 PARAMETER FOR NEXT CALL
0059AE83 8B45F8 mov eax, [ebp-$08] CHARACTERS 4 TO 12 COPIED IN (2)

|
0059AE86 E8051DF7FF call 0050CB90 BETTER CHECK WHAT THIS CALL DOES
0059AE8B 84C0 test al, al IF al==0
0059AE8D 7447 jz 0059AED6 FORK OFF!!!
0059AE8F 8D55E8 lea edx, [ebp-$18] I DON'T KNOW WHAT IS IN EBP-18
0059AE92 B908000000 mov ecx, $00000008 PARAMETER FOR THE MYSTERIOUS 50CB90 CALL
0059AE97 8B45FC mov eax, [ebp-$04] NOW THE ADDRESS OF THE REST OF THE STRING

|
0059AE9A E8F11CF7FF call 0050CB90 CALL THE FAMOUS 50CB90 (LIKELY TO BE THE CHECK)
0059AE9F 84C0 test al, al RETURNED 0 IN al?
0059AEA1 7433 jz 0059AED6 FORK OFF!!!
0059AEA3 8D55D8 lea edx, [ebp-$28] ANOTHER MYSTERIOUS PARAMETER ON THE STACK
0059AEA6 B910000000 mov ecx, $00000010 ANOTHER PARAMETER FOR THE FAMOUS CALL

* Possible String Reference to: '50D93887C578BEEE265F16F5321CFBAD' <---Not Key, possibly an old hardcoded key that is invalid now?
|
0059AEAB B814AF5900 mov eax, $0059AF14 NOW WE GIVE IT A HARDCODED STRING

|
0059AEB0 E8DB1CF7FF call 0050CB90 CALL OUR KEY ROUTINE
0059AEB5 84C0 test al, al al == 0?
0059AEB7 741D jz 0059AED6 F**K OFF!!!
0059AEB9 8D55D8 lea edx, [ebp-$28] SAME PARAMETER AS BEFORE, MUST BE THE ADDRESS OF A STRING!
0059AEBC B910000000 mov ecx, $00000010 SAME PARAMETER AS BEFORE
0059AEC1 8B45F0 mov eax, [ebp-$10] NOW GIVES EBP-10 AS PARAMETER ANOTHER STRING ADDRESS?

|
0059AEC4 E87F2DF8FF call 0051DC48 A DIFFERENT CALL TO BE EXPLORED
0059AEC9 8D55E8 lea edx, [ebp-$18]
0059AECC 8D45D8 lea eax, [ebp-$28]

* Reference to : TAboutForm.~PROC~0051DC74() WONDER WHAT THIS DOES?
|
0059AECF E8A02DF8FF call 0051DC74
0059AED4 8BD8 mov ebx, eax PRESERVE EAX IN EBX
0059AED6 33C0 xor eax, eax THIS IS WHERE ALL THE FORK OFF BRANCHES END UP
0059AED8 5A pop edx
0059AED9 59 pop ecx
0059AEDA 59 pop ecx
0059AEDB 648910 mov fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: '‹Ã[‹å]Ã'
|
0059AEDE 68F8AE5900 push $0059AEF8 DELPHI HAS THIS TYPE OF STRINGS
0059AEE3 8D45F4 lea eax, [ebp-$0C] FIRST THREE CHARS FROM (1)
0059AEE6 BA03000000 mov edx, $00000003 PARAMETER FOR

* Reference to: system.@LStrArrayClr;
|
0059AEEB E8709BE6FF call 00404A60
0059AEF0 C3 ret

0059AEF1 E9EA94E6FF jmp 004043E0
0059AEF6 EBEB jmp 0059AEE3

****** END
|
0059AEF8 8BC3 mov eax, ebx
0059AEFA 5B pop ebx
0059AEFB 8BE5 mov esp, ebp
0059AEFD 5D pop ebp
0059AEFE C3 ret
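
A worked model of the routine's visible structure, added here as an illustration and not part of either post. It re-creates the three LStrCopy calls with Delphi's 1-based Copy(S, Index, Count) semantics, so you can see exactly which characters of the typed serial reach each later call: positions 1-3 (compared against 'PHT'), positions 4-11, and positions 13 onward. Position 12 is never copied by this routine, which is worth noticing when guessing the serial layout. What 0050CB90 does is not in the listing; the model assumes it is a hex-string-to-bytes conversion returning a boolean, purely because every call passes an output buffer and a byte count that is half the input length (8 chars -> ecx=4, 32-char constant -> ecx=$10). That assumption, the function names, and the sample serial are all made up for the example; the two later calls (0051DC48, 0051DC74) that produce the real result are not modelled.

```python
"""
Model of the Delphi routine at 0059AE00 as read from the DEDE listing.
Only the string slicing and the early-exit branches are reproduced.
ASSUMPTION: sub_0050CB90 is treated as "hex string -> bytes, returns
success in AL"; the listing itself does not say what it does.
"""
import binascii

PREFIX = "PHT"                                  # compared at 0059AE74
HARDCODED = "50D93887C578BEEE265F16F5321CFBAD"  # passed at 0059AEAB


def delphi_copy(s: str, index: int, count: int) -> str:
    """Delphi Copy(S, Index, Count): 1-based Index, Count is clamped to
    whatever remains of the string (so Count=$FF means 'to the end')."""
    if index < 1 or index > len(s):
        return ""
    return s[index - 1:index - 1 + count]


def hex_to_bytes(s: str, expected_len: int):
    """ASSUMED model of sub_0050CB90 (edx=out buffer, ecx=byte count,
    eax=string). Returns the bytes, or None where the real code clears AL."""
    if len(s) != expected_len * 2:
        return None
    try:
        return binascii.unhexlify(s)
    except (binascii.Error, ValueError):
        return None


def split_serial(serial: str):
    """The three LStrCopy calls at 0059AE3B, 0059AE51 and 0059AE67.
    Note that character 12 of the serial is skipped by all three."""
    part1 = delphi_copy(serial, 1, 3)      # -> [ebp-$0C]
    part2 = delphi_copy(serial, 4, 8)      # -> [ebp-$08]
    rest = delphi_copy(serial, 13, 0xFF)   # -> [ebp-$04], overwrites the input
    return part1, part2, rest


def check_structure(serial: str) -> bool:
    """Walk the routine up to the two unmodelled calls. Returns True only if
    none of the jnz/jz branches to 0059AED6 (result stays 0) is taken."""
    part1, part2, rest = split_serial(serial)
    if part1 != PREFIX:                    # LStrCmp at 0059AE74, jnz
        return False
    buf_10 = hex_to_bytes(part2, 4)        # 0059AE86: ecx=4  -> [ebp-$10]
    if buf_10 is None:
        return False
    buf_18 = hex_to_bytes(rest, 8)         # 0059AE9A: ecx=8  -> [ebp-$18]
    if buf_18 is None:
        return False
    buf_28 = hex_to_bytes(HARDCODED, 16)   # 0059AEB0: ecx=$10 -> [ebp-$28]
    if buf_28 is None:
        return False
    # 0051DC48(eax=buf_10, edx=buf_28, ecx=16) and 0051DC74(eax=buf_28,
    # edx=buf_18) follow and set EBX; they are the next thing to reverse.
    return True


if __name__ == "__main__":
    # Constructed sample serial: 'PHT' + 8 hex + one skipped char + 16 hex.
    sample = "PHTDEADBEEF-0011223344556677"
    print(split_serial(sample))
    print(check_structure(sample))
```

Under the hex assumption the serial has to be at least 28 characters long (3 + 8 + 1 + 16) rather than 12, so if the real 0050CB90 turns out to be something else the length estimate changes with it; the slicing offsets do not.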

PipeLN
September 19th, 2002, 16:09
Thanks for the info naides! So now I know the serial is a string of 12 letters/numbers probably starting with PHT. I am now able to follow the code and see WHY it won't register. Now I just have to find the flag that makes the program think it is registered and I will be set.

Will post more results later today. If any of you want to take a crack at this little program, PM me and I will give you the URL.

|PipeLN|