PDA

View Full Version : HELP NEEDED - Beginner unable to set breakpoints and keygen.


aaraujo
May 3rd, 2013, 16:21
Hi Reversers,

I like security as a hobby and I not so often I read and play with a few simple KeyGen games and I enjoy it.

Reversing and KeyGen is very interesting but I'm a beginner and my questions are probably very dumb but I will be very thankful if you could help me.

Until the moment I have reversed simple keygen applications using techniques such as:

- Look for string text reference to find the interesting code area.
- Keygen fishing.
- And bypass IsDebugPresent check.

Yeah, I know, really basic stuff. Here is a video similar to what I do in general…

http://http://www.youtube.com/watch?v=tJY_Tv7o5bE ("http://http://www.youtube.com/watch?v=tJY_Tv7o5bE")

Just for learning sometimes I try to reverse a few small and medium application that I buy for Windows and looks like simple products without many protections.

This is a software that I acquired 2 months ago and the whole installation is around 50MB. One of the motivations to try apply my basic knowledge here is because I like to see if what I learned in keygens really work in real-life, my experience that medium softwares are much harder since keygens are very small and easy to find the routines that you want.

*** Just to keep it very clear, I have a license for this program and my intention is only learn and increase my knowledge. Since I have no commercial intention in break it or create any damage I will not disclosure the application - I hope you understand. ***

OK, let's go. The application consist of one main executable (~33MB), 6 DLLs (very small ones and some of them are libeay32.dll, etc) and around 90 .xsd files (XML format). My first step was try to identify the programming language used and if a packer was present, please, see screenshots below:

2750

2751

It really appears to be developed in Delphi, with CFF I confirmed it. Also, there is no section that points for an packer looking at CFF information and EXE Information and RDG also say it's clean. However, RDG found IsDebugPresent and pointed for an protection software as you may see. However, I'm not sure if it's a false-positive.

On my application the serial is entered in a field like that:

2752

And once I enter a wrong serial number (30 chars long) I get a message like that:

2753

I guess it's not a MessageBox, or at least it's very custom one. For this kind of messages should I keep breakpoints at MessageBoxA, etc? Or there is a different API?

Below is a screenshot once I attach to the application running:

2754

When I press "run" at OllyDB it's what I get:

Sorry guys, 5 images is the maximum allowed by this forum system.

http://img803.imageshack.us/img803/2025/06whenipressrun.png

Here is a list of SEH chain:

http://img844.imageshack.us/img844/5811/07onceiopennedmodulesfe.png

Here are the "Windows" available, including the one that I would like to disassemble, examine and put a breakpoint:

http://img6.imageshack.us/img6/1662/mabletoseetheexactlywin.png

However it fails to debug, see below, please:

http://img12.imageshack.us/img12/2602/09howeveritfailstodebug.png

Is it some kind of protection? How to disable this part of code, put breakpoints, etc?

Looking at "Text String References" I'm able to see just partial messages and not the one displayed on my custom "MessageBox".

http://img855.imageshack.us/img855/4460/10textstringreferencedc.png

Also, There are many parts that looks like an message that will be completed on the fly, for example "A chave informata esta" which means "They key entered is" or "Chave incorrecta n" which means "Wrong key at".

http://img5.imageshack.us/img5/3382/11ionlyseetextstringsre.png

Additionally, I noted that are parts of the application when some texts are not stored as a "TextString", instead I see "char by char" in sequence at OllyDb creating a few strings (also not very useful to me).

If I define a breakpoint in any of these TextStrings it's what happen - an exception:

http://img546.imageshack.us/img546/2574/12onceisetupabreakpoing.png

Is it a protection? Any idea how to bypass it?

From here the only thing that I'm able to do it pass control to the application and all is over.

Also, if I refuse to pass control to the application and I continue with F7/F8 I get something like that:

http://img577.imageshack.us/img577/1059/13withafewstepsanderror.png

It ends with an instruction not recognized by OllyDB. Any idea?

I also tried to set breakpoints in Names from User32.dll such as GetDlgItemTextA and GetDlgItemTextW since I believe they are the APIs used to read my entered serial number. The strange thing is that they are exported and not imported as demonstrated below. Is it normal?

http://img822.imageshack.us/img822/6456/14settingbreakpointatge.png

Once I created the breakpoint and stated stepping into I got this exception again and I was forced to pass control to application and game over again.

http://img46.imageshack.us/img46/1970/15exceptionforcemetopas.png

I was thinking it could be some basic Anti-debugging protections, so I enabled "aadp4olly" and "Olly Advanced" with many options but it was unable to solve the issues, so, I'm not so sure anymore about what is issue is.

All help and answers are very appreciated, but please, keep in mind that I'm a beginner.

Thanks.

aaraujo
May 9th, 2013, 19:07
Hi All,

I have some updates, I hope that someone could help me...

I tried to comment the unrecognized instruction but it failed on the same way, others appear.

I was unable to set any breakpoint that works, if I set a breakpoint it moves to this strange behavior and I'm forced to pass control to application and I lost control.

First I updated my PEid database from this link:

https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT

The following screenshot demonstrates PE details:

http://img444.imageshack.us/img444/8295/16pedetails.png

Here are details about PE sections:

Looks a bit strange for a not packed binary, right? But I can't figure out the correct packer.

http://img5.imageshack.us/img5/5764/17pesections.png

Entropy and and Fast Check say "not packed", but EP check points as packed:

http://img571.imageshack.us/img571/6251/18epappearstobepacked.png

Here is the original EP found:

http://img12.imageshack.us/img12/990/19originalep.png

RDG Packer Detector pointed that Obsidium protection was present, however I guess it's a false positive. See the unpacker failing to recognize the format:

The unpacker is available here: http://down.52pojie.cn/Tools/Unpackers/

http://img29.imageshack.us/img29/7/20obsidiumunpackingfail.png

Also, the great Ferrit Anti-Anti-Debuggin script for OllyDB was not enough to allow me to debug it. Please, see below:

http://img836.imageshack.us/img836/4352/21ferritantiantidebugis.png

http://img42.imageshack.us/img42/8721/22ferritantiantidebugis.png

From here I'm forced to pass control to application and I lost control of if as demonstrated on my first post. I tried to freeze all threads and just keep the main thread running but it continues to fail.

Resource Hacker is unable to read Delphi resources:

http://img812.imageshack.us/img812/9861/23resourcehackerfailsto.png

Even Resource Hacker FX fails because it says a new version Delphi was used to compile.

http://img560.imageshack.us/img560/7538/24resourcehackerfxfails.png

Delphi Decompiler also failed. First I tried attach to my target:

http://img11.imageshack.us/img11/89/25dedeattachingtotarget.png

Once the analysis finished it found the Classes Info:

http://img600.imageshack.us/img600/5935/26dedeloadedtarget.png

But the important thing are the "Forms" and "Procedures" and nothing was found:

http://img600.imageshack.us/img600/986/27dedeisunabletofindany.png

IDR (Interactive Delphi Reconstructor) also appears to be useless since the target application was compiled with Delphi 2011 or 2012 and no definition file is available for this version.

Thanks.

Best regards.