Help with Delphi 7 app


sloppysam
January 4th, 2005, 17:20
1. What is the problem....
I am stuck in where to go from here. I have located the routine but am unable to proceed.

2. What is the protection.....
When installed the program is unpacked, but it randomly generates a 7-digit installation number that it uses to compare against the serial number entered.

3. What tools are you using....
I used DeDe to find the section of code that does the compare routine. I then used OllyDbg to watch the program and try to fish out the correct serial.

4. What tutorials have you read....
A few on Delphi and DeDe, and I have been using Olly for quite a while.

5. Show your output listing WITH comments....

Code:
0050C74C 55 PUSH EBP ; Push Button
0050C74D 8BEC MOV EBP,ESP
0050C74F B9 04000000 MOV ECX,4
0050C754 |> 6A 00 /PUSH 0
0050C756 |. 6A 00 |PUSH 0
0050C758 |. 49 |DEC ECX
0050C759 |.^75 F9 \JNZ SHORT Name Deleted.0050C754
0050C75B |. 51 PUSH ECX
0050C75C |. 53 PUSH EBX
0050C75D |. 56 PUSH ESI
0050C75E |. 57 PUSH EDI
0050C75F |. 8BF8 MOV EDI,EAX
0050C761 |. 33C0 XOR EAX,EAX
0050C763 |. 55 PUSH EBP
0050C764 |. 68 D5C85000 PUSH Name Deleted.0050C8D5
0050C769 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0050C76C |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0050C76F |. B8 02000000 MOV EAX,2
0050C774 |. E8 AF6AEFFF CALL Name Deleted.00403228
0050C779 |. 8BD8 MOV EBX,EAX
0050C77B |. 8BC3 MOV EAX,EBX
0050C77D |. 83E8 01 SUB EAX,1 ; Switch (cases 0..1)
0050C780 |. 72 04 JB SHORT Name Deleted.0050C786
0050C782 |. 74 3B JE SHORT Name Deleted.0050C7BF
0050C784 |. EB 70 JMP SHORT Name Deleted.0050C7F6
0050C786 |> 68 CBBC0C00 PUSH 0CBCCB ; Case 0 of switch 0050C77D
0050C78B |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0050C78E |. B8 28000000 MOV EAX,28
0050C793 |. E8 B8A3FFFF CALL Name Deleted.00506B50
0050C798 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0050C79B |. 8B15 C83D5900 MOV EDX,DWORD PTR DS:[593DC8] ; Name Deleted.00594CB4
0050C7A1 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
0050C7A3 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0050C7A6 |. E8 3188EFFF CALL Name Deleted.00404FDC
0050C7AB |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; |
0050C7AE |. B2 01 MOV DL,1 ; |
0050C7B0 |. A1 1C6F4F00 MOV EAX,DWORD PTR DS:[4F6F1C] ; |
0050C7B5 |. E8 86A8FEFF CALL Name Deleted.004F7040 ; \FitnessA.004F7040
0050C7BA |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0050C7BD |. EB 37 JMP SHORT Name Deleted.0050C7F6
0050C7BF |> 68 BC129D00 PUSH 9D12BC ; Case 1 of switch 0050C77D
0050C7C4 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0050C7C7 |. B8 29000000 MOV EAX,29
0050C7CC |. E8 7FA3FFFF CALL Name Deleted.00506B50
0050C7D1 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0050C7D4 |. 8B15 C83D5900 MOV EDX,DWORD PTR DS:[593DC8] ; Name Deleted.00594CB4
0050C7DA |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
0050C7DC |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0050C7DF |. E8 F887EFFF CALL Name Deleted.00404FDC
0050C7E4 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; |
0050C7E7 |. B2 01 MOV DL,1 ; |
0050C7E9 |. A1 1C6F4F00 MOV EAX,DWORD PTR DS:[4F6F1C] ; |
0050C7EE |. E8 4DA8FEFF CALL Name Deleted.004F7040 ; \Name Deleted.004F7040
0050C7F3 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0050C7F6 |> B9 ECC85000 MOV ECX,Name Deleted.0050C8EC ; ASCII "AKSDHASA"; Default case of switch 0050C77D
0050C7FB |. B2 01 MOV DL,1
0050C7FD |. A1 2C2F4F00 MOV EAX,DWORD PTR DS:[4F2F2C]
0050C802 |. E8 6169FEFF CALL Name Deleted.004F3168
0050C807 |. 8BF0 MOV ESI,EAX
0050C809 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0050C80C |. 8B87 24030000 MOV EAX,DWORD PTR DS:[EDI+324]
0050C812 |. E8 1901F7FF CALL Name Deleted.0047C930
0050C817 |. 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0050C81A |. BA 00C95000 MOV EDX,Name Deleted.0050C900 ; Grab code here
0050C81F |. 8BC6 MOV EAX,ESI
0050C821 |. E8 0668FEFF CALL Name Deleted.004F302C
0050C826 |. 68 00003540 PUSH 40350000
0050C82B |. 6A 00 PUSH 0
0050C82D |. A1 9C3B5900 MOV EAX,DWORD PTR DS:[593B9C]
0050C832 |. E8 BD74EFFF CALL Name Deleted.00403CF4
0050C837 |. E8 E063EFFF CALL Name Deleted.00402C1C
0050C83C |. 52 PUSH EDX ; |/Arg2
0050C83D |. 50 PUSH EAX ; ||Compare to Seed 8475015
0050C83E |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ; ||
0050C841 |. E8 AED3EFFF CALL Name Deleted.00409BF4 ; |\Name Deleted.00409BF4
0050C846 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
0050C849 |. 50 PUSH EAX ; |Arg1
0050C84A |. B9 02000000 MOV ECX,2 ; |
0050C84F |. 8BD6 MOV EDX,ESI ; |
0050C851 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
0050C854 |. E8 F7ADFEFF CALL Name Deleted.004F7650 ; \Name Deleted.004F7650
0050C859 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0050C85C |. E8 1F3DF0FF CALL Name Deleted.00410580
0050C861 |. 8BC3 MOV EAX,EBX
0050C863 |. E8 84BAFFFF CALL Name Deleted.005082EC
0050C868 |. A1 303B5900 MOV EAX,DWORD PTR DS:[593B30]
0050C86D |. 8338 00 CMP DWORD PTR DS:[EAX],0
0050C870 |. 74 1E JE SHORT Name Deleted.0050C890 ; COMPARE JUMP is bad no jump good
0050C872 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0050C875 |. B8 25000000 MOV EAX,25
0050C87A |. E8 D1A2FFFF CALL Name Deleted.00506B50
0050C87F |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0050C882 |. E8 D909F3FF CALL Name Deleted.0043D260
0050C887 |. 8BC7 MOV EAX,EDI
0050C889 |. E8 263BF9FF CALL Name Deleted.004A03B4
0050C88E |. EB 15 JMP SHORT Name Deleted.0050C8A5
0050C890 |> 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0050C893 |. B8 26000000 MOV EAX,26
0050C898 |. E8 B3A2FFFF CALL Name Deleted.00506B50
0050C89D |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0050C8A0 |. E8 BB09F3FF CALL Name Deleted.0043D260 ; Bad key message
0050C8A5 |> 33C0 XOR EAX,EAX
0050C8A7 |. 5A POP EDX
0050C8A8 |. 59 POP ECX
0050C8A9 |. 59 POP ECX
0050C8AA |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0050C8AD |. 68 DCC85000 PUSH Name Deleted.0050C8DC
0050C8B2 |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0050C8B5 |. BA 03000000 MOV EDX,3
0050C8BA |. E8 3584EFFF CALL Name Deleted.00404CF4
0050C8BF |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0050C8C2 |. E8 0984EFFF CALL Name Deleted.00404CD0
0050C8C7 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0050C8CA |. BA 04000000 MOV EDX,4
0050C8CF |. E8 2084EFFF CALL Name Deleted.00404CF4
0050C8D4 \. C3 RETN


6. NOW ask your question....
I could use some help on where to look and how to proceed. I can't seem to figure out where it is comparing what is entered for the serial so I can grab it. Is it that it doesn't store it anywhere visible? If that is the case, then any suggestions on how I can proceed attacking this routine?

Thanks

JMI
January 4th, 2005, 17:55
sloppysam:

Very nice job of attempting to follow the FAQ on your first post, and you did really well, until you got "sloppy" on one "critical" point. You failed to review your code snippet to remove identifying information about the identity of your target. Review your code above and notice how many times the words "Name Deleted" appear and you will see the magnitude of your error.

ATTENTION TO DETAIL IS REQUIRED, although you were making a good effort. I stress this point because it is critical to avoid unwanted attacks upon this Board for posting "crack" information.

Regards,

sloppysam
January 4th, 2005, 18:08
Yes, thank you for pointing out my error, with a bit of appreciated humor. I am sure that this happens often and I thank you for being nice about it and fixing the problem. I will make note of this and fix this in the future before posting again.

Thank you

JMI
January 4th, 2005, 20:29
And thank you for understanding that it is not just mindless bitching. Some of the Rules are in place to attempt to make the management's job, and the understanding of the questions, easier. Others, like this particular one, are in place to try to protect the Board itself from frequent attacks on our ISP for allegations that we are hosting cracks.

You really DID make a very good first effort, and it is NOT unusual that users forget to "clean up" their code snippets, because they tend to think about the question they ask, but not carefully read the literal content of their code.

And, yes, where possible, I try to add some humour to my posts. And sometimes it is even actually humorous, and sometimes that is even appreciated.

Please also remember that, now that you have posted "target specific code", you may NOT post the name of the program, but you MAY communicate it to interested persons by PM or email.

Welcome and happy reversing.

Regards,

naides
January 4th, 2005, 22:43
Quote:
[Originally Posted by sloppysam]

Code:

0050C84A |. B9 02000000 MOV ECX,2 ; |
0050C84F |. 8BD6 MOV EDX,ESI ; |
0050C851 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
0050C854 |. E8 F7ADFEFF CALL Name Deleted.004F7650 ; \Name Deleted.004F7650
0050C859 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0050C85C |. E8 1F3DF0FF CALL Name Deleted.00410580
0050C861 |. 8BC3 MOV EAX,EBX
0050C863 |. E8 84BAFFFF CALL Name Deleted.005082EC
0050C868 |. A1 303B5900 MOV EAX,DWORD PTR DS:[593B30] ; start from the end: the flag that says "bad boy" is a DWORD stored at address 593B30.
If that flag is equal to 0, DS:[EAX] is equal to 0 and the bad boy jump is taken. SO PUT A WATCH or a BPM on that address and see who reads it, and,
more important, who writes to it. Whoever or whatever stores a value different from 0 is the good boy routine. Better yet, at the beginning of the routine,
manually place a 00000001 value into that mem address, [593B30], and watch carefully who changes it.


0050C86D |. 8338 00 CMP DWORD PTR DS:[EAX],0
0050C870 |. 74 1E JE SHORT Name Deleted.0050C890 ; COMPARE JUMP is bad no jump good
0050C872 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0050C875 |. B8 25000000 MOV EAX,25
0050C87A |. E8 D1A2FFFF CALL Name Deleted.00506B50
0050C87F |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]

Thanks

Question: If you manually invert the

0050C870 |. 74 1E JE SHORT Name Deleted.0050C890

Do you get registered?

If you manually change the value stored at:

DWORD PTR DS:[593B30]

do you get the good boy message/behaviour?

sloppysam
January 4th, 2005, 23:40
I tried reversing the jump so that it would be a JNE, as this works for many programs. What happens is that you get the good boy message but are not registered. This program stores everything in .dat files and I believe that it checks at startup, and if the correct number isn't there it doesn't say that it is registered.

I am going to try changing the memory and see what happens.

Thanks for the hints.

sloppysam
January 5th, 2005, 03:16
Quote:
start from the end: the flag that says "bad boy" is a DWORD stored at address 593B30.
If that flag is equal to 0, DS:[EAX] is equal to 0 and the bad boy jump is taken. SO PUT A WATCH or a BPM on that address and see who reads it, and,
more important, who writes to it. Whoever or whatever stores a value different from 0 is the good boy routine. Better yet, at the beginning of the routine,
manually place a 00000001 value into that mem address, [593B30], and watch carefully who changes it.


When I change that memory address it always crashes the program. So I went further into the code figuring I could reverse some more jumps and see what happens.

OK, by reversing some more jumps I got the program to say that it is registered until you restart it. That means that it is getting the information from one of its .dat files. I need to get the program to bypass that on startup. So I went looking for the referenced memory address and found a bunch of compares to that address when the program starts up. 4 of the 5 do nothing obvious when reversed, but one of them gives the message that this is now an invalid copy of the program and to reinstall it. Looks like we hit a nerve here.

So instead of changing it to a reversed jump, I just changed it to jump to the location. That, along with a couple of other references to the date, did it. Now it just says that there are negative days remaining. Thanks a bunch naides, you didn't give me the answer but you gave me an idea and it pointed me in the right direction.

This is a really dirty solution but it works. Perhaps we could keep working on this to find a more eloquent solution?

naides
January 5th, 2005, 08:37
Quote:
[Originally Posted by sloppysam]
This is a really dirty solution but it works. Perhaps we could keep working on this to find a more eloquent solution?

Gr8!

You are 95% there. I would locate the routine that WRITES or somehow stores a 0 value there. It may even be read from a .dat file as a resource or something.