
Delphi without Dede?


Scally
July 17th, 2001, 19:18
Can anyone recommend tutorial(S) on working with Delphi, where Dede/revendre etc cannot show the detail of the code?
The file in question was discussed in an earlier thread where Kayaker came up with a way of unpacking the UPX host which did not unpack correctly with UPX -d. (use icedump \pedump 400000 file)
Having done this, with no clues from the usual tools, I just get hopelessly lost in the code. Registers (& the pointed-to addresses) don't seem to show anything related to the days left or entered string.
The forms don't seem to have the usual names (e.g. no tmainform) & there are refs in the prog to bits being compressed which is why, I guess, Dede can't show the detail.
h*tp://www.legacyfamilytree.com/GENViewerDownload.asp
I'm pretty sure the process I need is 'butapplyclick' which is at o/s 1660166 (0x00195506) or 02131610 (0x0020869a) in the unpacked version of the file. Is there a way of using this location to find the proc in sice?
Alternatively a good tut would help.
TIA
Scally

Kayaker
July 18th, 2001, 00:05
Hi Scally,

DeDe is handy, but what it's most useful for is giving an RVA to break on for OnClick events. You see this under Procedures/Events - an RVA dword and a Hint word. All you need to do is figure out where DeDe gets this info from and get it yourself from the file. To do this you need to know how Delphi stores this info.

If you look at the pedump of that Genviewer proggy in Exescope you find under the TdlgEnterLicense form the OnClick event you're looking for:

object butApply: TBitBtn
Caption = 'Apply'
OnClick = butApplyClick

Even better than searching the resources with Exescope, get a copy of D-Peeper h*tp://batry.hypermart.net/D_Peeper.htm
which allows you to click directly on Delphi components (like the 'Apply' button in the reg box) and get their Event names.

If I use D_Peeper on that button I get:
OnClick = dlgEnterLicense.butApplyClick // TdlgEnterLicense

OK, now do a hex search for dlgEnterLicense or butApplyClick and you find:

001954FF 1400 6C61 5900 0D62 7574 4170 706C 7943 ..laY..butApplyC
0019550F 6C69 636B 1054 646C 6745 6E74 6572 4C69 lick.TdlgEnterLi
0019551F 6365 6E73 65 cense

The 7 bytes before the ascii are what's important.
The 1st WORD is the 'Hint' you would see in DeDe (0014)
The next DWORD is the RVA of that event (0059616C)
The next BYTE is the length of the text that follows (0D)

Now just set a bpx 59616C, enter some s/n and press Apply. And whaddya know, it breaks

And to think I almost deleted the thing

Kayaker

Kythen
July 18th, 2001, 11:49
Kayaker, you forgot to mention that D-Peeper is a good exercise in playing with Asprotect

I usually avoid unpacking stuff like the plague (crypto/LMs/dongles my preference), but it was a fun little diversion!

Thanks for finding this new tool and a good way for me to waste half the morning! <g>

Kayaker
July 18th, 2001, 12:15
Quote:
Kythen (07-18-2001 09:49):
Kayaker, you forgot to mention that D-Peeper is a good exercise in playing with Asprotect


Oh, didn't I mention that little detail? ;D

Scally
July 18th, 2001, 19:38
Hi Kayaker,
Thanks, I've learned a lot from this & can now clear a lot of clutter off the HD.
I looked at a couple of tuts before that I found on the net & what was screwing me up was the hint. The tuts said look before the proc, which I did - I saw 6159 000D & translated to 0D005961 (i.e. nonsense) - when what I needed was to ignore the 000D & go back one. The protection was fairly easy after that, 5961ad/596243 & the initial compare on opening at 5979e9.
Thanks, I'll not be so feared of delphi again.... or maybe....
Scally
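The 7-byte layout Kayaker describes (WORD hint, DWORD address, BYTE name length, then the name) and the off-by-one misread Scally describes in his reply can both be checked with a small parser. The script below is an added example, not code from either poster or from DeDe/D-Peeper; the only input it uses is the 37 bytes of Kayaker's hex dump, re-typed by hand as a constructed sample, and the function names (`parse_entry`, `find_event`, `scan_entries`, `read_short_string`, `misread_example`) are my own. It generalises slightly beyond the thread: instead of searching for one name it also scans a buffer for any byte run whose WORD equals 7 plus the name length, which in this dump is exactly what the 0x0014 in front of butApplyClick is (2 + 4 + 1 + 13 = 20).

```python
import re
import struct

# Constructed sample: the bytes of Kayaker's hex dump, starting at file
# offset 0x1954FF of the unpacked GENViewer binary, typed in by hand.
DUMP_BASE = 0x1954FF
SAMPLE = bytes.fromhex(
    "1400 6C61 5900 0D62 7574 4170 706C 7943"
    "6C69 636B 1054 646C 6745 6E74 6572 4C69"
    "6365 6E73 65"
)

# WORD entry size ("Hint" in DeDe), DWORD address, BYTE length of the name.
ENTRY_HEADER = struct.Struct("<HIB")          # 7 bytes, no padding
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")  # what an event name looks like


def parse_entry(data, off):
    """Parse one method-table entry starting at byte offset `off`.
    Returns (size, address, name) or None if the bytes are not consistent:
    the size word must equal header + name length and the name must be an
    identifier. That consistency check is what rules out misaligned reads."""
    if off < 0 or off + ENTRY_HEADER.size > len(data):
        return None
    size, address, name_len = ENTRY_HEADER.unpack_from(data, off)
    name_start = off + ENTRY_HEADER.size
    name = data[name_start:name_start + name_len]
    if len(name) != name_len or size != ENTRY_HEADER.size + name_len:
        return None
    if not IDENT.fullmatch(name):
        return None
    return size, address, name.decode("ascii")


def find_event(data, event_name):
    """Hex-search for `event_name` and return the DWORD stored in the 7
    header bytes in front of it (the value to bpx on), or None."""
    target = event_name.encode("ascii")
    start = 0
    while (idx := data.find(target, start)) != -1:
        entry = parse_entry(data, idx - ENTRY_HEADER.size)
        if entry and entry[2] == event_name:
            return entry[1]
        start = idx + 1
    return None


def scan_entries(data):
    """Scan a whole buffer for anything that parses as a method entry.
    Returns a list of (offset_in_buffer, size, address, name)."""
    found = []
    for off in range(len(data) - ENTRY_HEADER.size + 1):
        entry = parse_entry(data, off)
        if entry:
            found.append((off, *entry))
    return found


def read_short_string(data, off):
    """Read a Delphi ShortString (length byte, then that many characters);
    the 'TdlgEnterLicense' right after the entry in the dump is one."""
    n = data[off]
    s = data[off + 1:off + 1 + n]
    return s.decode("latin-1") if len(s) == n else None


def misread_example(data, name_off):
    """Show the off-by-one from Scally's reply: the DWORD sits 5 bytes before
    the name (just before the length byte); reading it 4 bytes before the
    name swallows the length byte and yields nonsense."""
    correct = struct.unpack_from("<I", data, name_off - 5)[0]
    off_by_one = struct.unpack_from("<I", data, name_off - 4)[0]
    return correct, off_by_one


if __name__ == "__main__":
    for off, size, addr, name in scan_entries(SAMPLE):
        print(f"file offset 0x{DUMP_BASE + off:08X}: size=0x{size:04X} "
              f"addr=0x{addr:08X} name={name}")
    print("trailing string:", read_short_string(SAMPLE, 20))
    print("bpx", hex(find_event(SAMPLE, "butApplyClick")))
    good, bad = misread_example(SAMPLE, 7)
    print(f"correct DWORD 0x{good:08X}, off-by-one read 0x{bad:08X}")
```

Run against the sample it reports the entry at file offset 0x1954FF with size 0x0014 and address 0x0059616C, the trailing short string `TdlgEnterLicense`, and the pair 0x0059616C / 0x0D005961, the second being exactly the value Scally got by starting one byte too late. On a real unpacked file, `scan_entries` over the whole image lists every event handler with its address, which is the same information DeDe shows under Procedures/Events.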