Need help in this crackme (delphi project)
happyboy
November 12th, 2003, 06:21
Hello...
I am a newbie and I am trying to crack the "Crackme" in the attachments but because I'm using WinXP I can't put a breakpoint 4 "hmemcpy" and I can't also use any vb calls (such as "__vbastrcomp") cuz it's not a vb program...
actually this crackme contains many parts 2 crack (nag, serial, name and serial) so tell me what calls should I put a breakpoint 4 4 each part...
thanx alot...
cuPegasus
November 12th, 2003, 10:16
hi happyboy,
This CrackMe isn't that hard. It's written in Delphi. You can reverse it by using OllyDbg only...
Hint: set a "bpx MessageBoxA", this will help you a lot in finding the correct code parts for each protection (look at the stack, there's the caller stored)
The "serial only" is a hardcoded string...
The "serial-name" is funny. The layout for serial contains hardcoded parts. It looks like "??-????-???????"...
work well,
Pegasus
happyboy
November 12th, 2003, 15:21
actually I don't know how 2 use ollydbg and I couldn't find good tuts about it...so if u don't mind please tell me how 2 set the breakpoint u mentioned...
cuPegasus
November 12th, 2003, 16:06
setting breakpoints in OllyDbg is familiar to SI. You need a PlugIn called CommandBar. Then you're able to handle OllyDbg such as SI.
The most important breakpoint is @ 42A1A9 (call MessageBoxA)
The application will break during startup (to show the entry MessageBox you have to delete).
If you went to Name/serial, press "check it baby!", you'll break again @ 42A1A9. Take a look at the stack: there is an entry who called this messagebox (42FB37). Trace back to the beginning of this routine (42F998) and reverse the algo. The procedure for hardcoded serial is the same....
happyboy
November 13th, 2003, 08:53
thank u very much...actually I think that OllyDbg is more useful than SICE...so i'm goin' 2 use it from now on though there aren't enough tuts about it...
MaRKuS-DJM
November 13th, 2003, 12:18
you aren't right... softice is more effective because it's a system debugger and olly only an app debugger... but it's much easier to handle olly!
bl00dk@
November 14th, 2003, 02:57
The Serial/Name part:
This is very easy just break on messageboxa and when back in crackme's code then search for your fake serial, on the 2nd found instance you'll see the real serial right above.
The Serial part:
Break on messageboxa and when back in crackme's code then search for your fake serial, put a breakpoint on the 2nd found instance(bpm xxxxxx r). Leave SI & Click on "Check it Baby!" and when SI breaks press F11 twice, EDI now contains the right Serial.
Foreigner
November 14th, 2003, 15:13
Hi all,
the crackme is written in Delphi and I was wondering why no one speaks about Dede... It's very easy to solve delphi crackme using this great tool, don't you think?
Regards,
foreigner
cuPegasus
November 14th, 2003, 16:51
maybe... But i don't use it. Analyzing this File in DeDe takes longer than cracking it with SI/Olly .... and the disassembled text is the same...
happyboy
November 14th, 2003, 20:12
hello everyone...
I cracked it but I am trying 2 make a keygen for the name-serial part of the crackme...wish me luck.
ZaiRoN
November 15th, 2003, 05:26
Hi,
the three tools mentioned (Olly, SI and Dede) are valid for solving this challenge, it depends on your personal attitude.
Personally, I prefer to use all the available tools (combining them, why not).
Happyboy: good luck
It could be great to see two final tutorials for this challenge, one using Olly/SI approach and one using Dede...
ZaiRoN
cuPegasus
November 15th, 2003, 10:35
Tutor with OllyDbg...
cRk
November 15th, 2003, 11:23
great tut cuPegasus! but i think you used many bytes to kill that nag/messageboxa. you see this delphi form begins at 0042F784 and the rest of those bytes are not needed... so it is better to kill it clean with just a C3
6A/C3
Best Regards!
cuPegasus
November 15th, 2003, 11:41
This technique works, too.
But by NOPping the 6 relevant bytes the code keeps readable. Also I'm not a friend of "1byte patching". The patched areas are fast to find with the used technique...
It's a "clean" way, just my two cents...
ZaiRoN
November 23rd, 2003, 12:19
Hi All,
first of all I would like to thank cuPegasus for his tutorial.
I did write this simple txt file to describe how to approach the crackme using Dede. The minimini tutorial is based upon cuPegasus's tutorial because solving the crackme with only Dede is not so easy. Why? Well, mainly because you work only with the dead list. Dede will help you to locate all the information you will need in order to solve the crackme but the use of a debugger is needed and this is the reason why I will use some parts from the other tutorial. I hope these notes will help you to become familiar with this tool.
I also hope cuPegasus does not mind me stealing some parts from his tutorial
Ciao,
ZaiRoN
cRk
November 25th, 2003, 01:24
cuPegasus your comment makes me think you did reply in some arrogant way. I never said your way was wrong and it will do the same job.. but I'm always open minded to share knowledge + new ideas
ZaiRoN this is how Dede gets the info about the Forms.. and where they begin, where they end..
on 0042F784 (6A00) begins the form of the messageboxa....
look in reverse order with your hex editor, in this case i used HexWorkshop in hex value, look for 84F74200
and you'll find --->
636B1100
84F742000A466F726D437265
ck....B..FormCreate
means that's the RVA for the begin of that form.....
to kill the form we can change or point the rva of the form/begin to other RVA where indicated other function like exit.. or C3 or something else
with your hex editor you should see something like this also
636B1000
7CF742000965786974436C69
ck..|.B..exitClick
7CF74200 = 42F77C00 and gives the exit command when you have pressed the Exit button
just change 84F74200 for 9CF74200 and see what happens!
9CF74200 = 42F79C00 (C3) = End/Return of Form
Best Regards!
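The two hex fragments above are entries of a Delphi published-method table: a WORD entry size, a little-endian DWORD handler address, then a length-prefixed ShortString with the handler name (so "84F74200" reads back as 0042F784). The following parser is an added example, not code from this thread or from DeDe; the table bytes are constructed from the quoted fragments, and the count word in front of them is assumed.

```python
import struct

# Constructed sample: a two-entry Delphi published method table rebuilt from the
# fragments quoted in the post (exitClick at 0042F77C, FormCreate at 0042F784).
# The leading entry count is assumed; the entry bytes match the hex shown above.
SAMPLE = (
    b"\x02\x00"                                              # WORD: entry count
    + b"\x10\x00" + b"\x7C\xF7\x42\x00" + b"\x09exitClick"   # size 16, addr, name
    + b"\x11\x00" + b"\x84\xF7\x42\x00" + b"\x0AFormCreate"  # size 17, addr, name
)


def parse_method_table(data, offset=0):
    """Parse {size:WORD, addr:DWORD, name:ShortString} entries into (addr, name) pairs."""
    (count,) = struct.unpack_from("<H", data, offset)
    pos = offset + 2
    entries = []
    for _ in range(count):
        size, addr, name_len = struct.unpack_from("<HIB", data, pos)
        name = data[pos + 7 : pos + 7 + name_len].decode("latin-1")
        # The size word covers the whole entry; a mismatch means we are not
        # looking at a real table (or the blob is truncated), so stop early.
        if size != 2 + 4 + 1 + name_len or pos + size > len(data):
            raise ValueError(f"entry at {pos:#x}: size {size} inconsistent with name")
        entries.append((addr, name))
        pos += size
    return entries


def find_handler(data, address):
    """Return the event-handler name bound to a code address, or None."""
    for addr, name in parse_method_table(data):
        if addr == address:
            return name
    return None


def le_dword(hexstr):
    """'84F74200' as seen in a hex editor -> 0x0042F784 (little-endian DWORD)."""
    return int.from_bytes(bytes.fromhex(hexstr), "little")


if __name__ == "__main__":
    for addr, name in parse_method_table(SAMPLE):
        print(f"{addr:08X}  {name}")
    print(f"{le_dword('84F74200'):08X}")
```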
ZaiRoN
November 26th, 2003, 04:55
Hi cRk,
hmmm, maybe I misunderstood you but what do you mean by 'form'? The initial nag isn't a form, it's only a simple message box.
Quote:
on 0042F784 (6A00) begin the form of the messageboxa....
42F784 is the initial address of the routine that is called when the FormCreate event happens...
ciao,
ZaiRoN
cRk
November 26th, 2003, 12:54
Quote (originally posted by ZaiRoN):
Hi cRk,
hmmm, maybe I misunderstood you but what do you mean by 'form'? The initial nag it's not a form, it's only a simple message box. 42F784 is the initial address of the routine that is called when the FormCreate event happens...
ciao,
ZaiRoN
Sure!

but usually Delphi apps call/make a Form in this way and not just the main Form, in this case it is a messageboxa