PipeLN
September 18th, 2002, 18:33
I have a wonderful little Delphi prog that just keeps on protecting itself and now I need a little help. If the program is registered you have full functions. If unregistered you are limited to a certain number of items in the DB. Here is the background:
Unpacked the program, fired up W32DASM and found no String Refs (don't know why, it works on other progs just fine). Then I used DEDE and got exactly what I needed.
First, it had a serial check. I nopped out the instruction to go to the verify routine and this worked well and I thought I was close to wrapping up. I put in a fake serial, clicked OK and then it starts accessing the internet. It does a server check by going to a webpage that either returns a 0 (bad boy) or a 1 (good boy) and a little message. It only takes two arguments like this: http://www.server.com/register.asp?Key="KEY"&machineid="MACHINE ID". I assume it has a database that only allows the program to be used if the keycode and machine ID are correct. I don't know if the keycode is based on the machine ID or not. So I changed it to check my server which returns a 1 every time.
So this is what I know about the protection on this app:
Enter Serial
Checks serial to make sure it is a valid serial.
If it is a valid serial, it goes to a web page and verifies this serial against this machine ID.
Now I need to figure out the routine that checks the serial and see if I can come up with a keygen. There are so many calls and jumps that I could spend days wading through the code and never get anywhere. I have narrowed it down to one section of code that is called each time it needs to know if the key is correct (I think). I didn't know what to snip out so sorry if it is long:
0059AE00 55 push ebp
0059AE01 8BEC mov ebp, esp
0059AE03 83C4D8 add esp, -$28
0059AE06 53 push ebx
0059AE07 33C9 xor ecx, ecx
0059AE09 894DF8 mov [ebp-$08], ecx
0059AE0C 894DF4 mov [ebp-$0C], ecx
0059AE0F 8955FC mov [ebp-$04], edx
0059AE12 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrAddRef;
|
0059AE15 E8D2A0E6FF call 00404EEC
0059AE1A 33C0 xor eax, eax
0059AE1C 55 push ebp
* Possible String Reference to: 'éê”æÿëë‹Ã[‹å]Ã'
|
0059AE1D 68F1AE5900 push $0059AEF1
***** TRY
|
0059AE22 64FF30 push dword ptr fs:[eax]
0059AE25 648920 mov fs:[eax], esp
0059AE28 33DB xor ebx, ebx
0059AE2A 8D45F4 lea eax, [ebp-$0C]
0059AE2D 50 push eax
0059AE2E B903000000 mov ecx, $00000003
0059AE33 BA01000000 mov edx, $00000001
0059AE38 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE3B E81CA1E6FF call 00404F5C
0059AE40 8D45F8 lea eax, [ebp-$08]
0059AE43 50 push eax
0059AE44 B908000000 mov ecx, $00000008
0059AE49 BA04000000 mov edx, $00000004
0059AE4E 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE51 E806A1E6FF call 00404F5C
0059AE56 8D45FC lea eax, [ebp-$04]
0059AE59 50 push eax
0059AE5A B9FF000000 mov ecx, $000000FF
0059AE5F BA0D000000 mov edx, $0000000D
0059AE64 8B45FC mov eax, [ebp-$04]
* Reference to: system.@LStrCopy;
| or: system.@LStrCopy;
|
0059AE67 E8F0A0E6FF call 00404F5C
0059AE6C 8B45F4 mov eax, [ebp-$0C]
* Possible String Reference to: 'PHT' <----Huh?
|
0059AE6F BA08AF5900 mov edx, $0059AF08
* Reference to: system.@LStrCmp;
| or: system.@LStrCmp;
|
0059AE74 E8CF9FE6FF call 00404E48
0059AE79 755B jnz 0059AED6
0059AE7B 8D55F0 lea edx, [ebp-$10]
0059AE7E B904000000 mov ecx, $00000004
0059AE83 8B45F8 mov eax, [ebp-$08]
|
0059AE86 E8051DF7FF call 0050CB90
0059AE8B 84C0 test al, al
0059AE8D 7447 jz 0059AED6
0059AE8F 8D55E8 lea edx, [ebp-$18]
0059AE92 B908000000 mov ecx, $00000008
0059AE97 8B45FC mov eax, [ebp-$04]
|
0059AE9A E8F11CF7FF call 0050CB90
0059AE9F 84C0 test al, al
0059AEA1 7433 jz 0059AED6
0059AEA3 8D55D8 lea edx, [ebp-$28]
0059AEA6 B910000000 mov ecx, $00000010
* Possible String Reference to: '50D93887C578BEEE265F16F5321CFBAD' <---Not Key, possibly an old hardcoded key that is invalid now?
|
0059AEAB B814AF5900 mov eax, $0059AF14
|
0059AEB0 E8DB1CF7FF call 0050CB90
0059AEB5 84C0 test al, al
0059AEB7 741D jz 0059AED6
0059AEB9 8D55D8 lea edx, [ebp-$28]
0059AEBC B910000000 mov ecx, $00000010
0059AEC1 8B45F0 mov eax, [ebp-$10]
|
0059AEC4 E87F2DF8FF call 0051DC48
0059AEC9 8D55E8 lea edx, [ebp-$18]
0059AECC 8D45D8 lea eax, [ebp-$28]
* Reference to : TAboutForm.~PROC~0051DC74()
|
0059AECF E8A02DF8FF call 0051DC74
0059AED4 8BD8 mov ebx, eax
0059AED6 33C0 xor eax, eax
0059AED8 5A pop edx
0059AED9 59 pop ecx
0059AEDA 59 pop ecx
0059AEDB 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '‹Ã[‹å]Ã'
|
0059AEDE 68F8AE5900 push $0059AEF8
0059AEE3 8D45F4 lea eax, [ebp-$0C]
0059AEE6 BA03000000 mov edx, $00000003
* Reference to: system.@LStrArrayClr;
|
0059AEEB E8709BE6FF call 00404A60
0059AEF0 C3 ret
0059AEF1 E9EA94E6FF jmp 004043E0
0059AEF6 EBEB jmp 0059AEE3
****** END
|
0059AEF8 8BC3 mov eax, ebx
0059AEFA 5B pop ebx
0059AEFB 8BE5 mov esp, ebp
0059AEFD 5D pop ebp
0059AEFE C3 ret
I am too new to understand what is important in the above code (besides the obvious refs). I don't want someone to give it away because this is something I want to do myself. I just need a little breakdown of what the above code may do and a gentle SHOVE in the right direction.
I don't want to include the software name but if you want to take a look at the exe PM me.
|PipeLN|