Thread: Need help with Delphi target

  1. #1

    Need help with Delphi target

    I am working on a teacher's grade book that is a Delphi program and gives you 30 days or uses. It requires a user name and an activation code. After the time limits the nag screens are still there and all save and print functions are disabled. It is available here: version 5 for Windows

    I used hmemcpy to break on the activation code, pressed F12 7 times, then F10 26 times to end up here:

    004C955F mov edx, [ebp+var_308] ; d edx=fake activation code
    004C9565 lea eax, [ebp+var_100]
    004C956B mov ecx, 0FFh
    004C9570 call @System@@LStrToString$qqrv ; System __linkproc__ LStrToString(void)
    004C9575 mov [ebp+var_200], 0
    004C957C cmp [ebp+var_100], 0
    004C9583 jz short loc_4C95A1
    004C9585 lea eax, [ebp+var_200]
    004C958B push eax
    004C958C mov ecx, 1
    004C9591 mov edx, 1
    004C9596 lea eax, [ebp+var_100]; d eax=space + fake activation code
    004C959C call @System@@Copy$qqrv ; System __linkproc__ Copy(void)
    004C95A1 loc_4C95A1: ; CODE XREF: sub_4C9320+263 j
    004C95A1 mov eax, ds:off_5B26E0
    004C95A6 mov eax, [eax]
    004C95A8 cmp dword ptr [eax+150h], 1
    004C95AF jz short loc_4C95C2
    004C95B1 mov eax, ds:off_5B26E0
    004C95B6 mov eax, [eax]
    004C95B8 call @System@TObject@Free$qqrv ; System::TObject::Free(void)
    004C95BD jmp loc_4C97F1
    004C95C2 ; ---------------------------------------------------------------------------
    004C95C2 loc_4C95C2: ; CODE XREF: sub_4C9320+28F j
    004C95C2 lea eax, [ebp+var_100]
    004C95C8 mov edx, offset aExtension ; "EXTENSION"; d edx=space + EXTENSION
    004C95CD xor ecx, ecx
    004C95CF mov cl, [eax]
    004C95D1 inc ecx

    004C95D2 call @System@@AStrCmp$qqrv ; System __linkproc__ AStrCmp(void); I stepped into this call and saw my fake and the above EXTENSION being compared beginning at 00403db6, the 1st 3 characters in reverse. If you change the Z flags that follow, you will see the rest of the comparison being made. Using EXTENSION as an activation code will give you an additional 30 days or uses. I stepped into other calls, but I could not see any cmps being made, such as in this area, that yielded what I thought was usable info.

    004C95D2 call @System@@AStrCmp$qqrv ; System __linkproc__ AStrCmp(void)

    004C95D7 jnz short loc_4C95F5; if you change this Z flag - at 004c95df it tells you that you are registered, but you are not

    004C95D9 lea eax, [ebp+var_100]
    004C95DF call sub_4C8F54; Congratulations message

    Could someone please point me in the right direction?

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    don't mess your time with buttons

    there is no need to target the buttons, some hints...

    (1) TDemoMsg2_Form.FormCreate @0x004C8A5C
    (2) TSoldRegForm.FormCreate @0x004C8DD0
    (3) Think about the invalid DosDateTime of the file ""

    the rest is yours...

  3. #3
    Interesting one this. I have had a quick look and the registration code entered looks like it is made up of two parts. The first three characters are separated and the rest are digits. The digits are converted into hexadecimal and are compared with a hexadecimal number generated from your registered name (and I think the first three characters have something to do with it on restarting the prog). The hex of the last digits is generated at CS:0041EDFC and the compare hex number is generated at CS:004C9307. Both numbers are returned in EAX. If you enter a dummy code (1st char must be a letter - possibly 1st 3, haven't checked yet) and then break at the second address above, take a note of the value in EAX. Convert this to decimal and then restart the prog. Now enter the code as before but with digits 4 onwards as the decimal digits you have just converted. The prog is then registered - only until you restart, then it falls down here. I used "Timmy" and "Tim30094"

    I have had an hour on it now but it's 3:25 am in the UK and I need some sleep. If I get time tomorrow I will find out why it won't stay registered.

  4. #4
    Thanks NicoDE and Timmy - I now have two very different avenues to explore regarding the protection used in this target.

  5. #5
    This one is doing my head in!
    When you first register it with a dummy serial it checks to see if the first character is in [A..Z] - fair enough. The next thing is that the first three characters of the serial are combined with the username to produce what the digits after the first three characters should be - BPX CS:4C9307, F10 this call and the hex of the digits is returned in EAX. This then registers the prog until it is restarted.
    There are three interesting BPX's that you should use when the prog fires up, these are:
    CS:510BE8 - checks if the first char is in [B,C,F,G,J,K,N,O]
    CS:510C53 - checks if the second char is in [B,C,D]
    CS:510CB1 - checks if the third char is [B]

    Now you can register the program using a first char of [B,C,F,G,J,K,N,O] and ANYTHING ELSE - you just need to BPX on CS:4C9307 to get the last digits. I have tried many combinations of registration codes and they all work perfectly regardless of what date I set my system clock to. At the moment I am playing it safe with a code of "JCB******" but my question is - what are the checks on the second and third character for, if they do not hinder the prog in any (apparent) way? Or am I just being a bit picky?
    I promise that I have read the FAQ and tried to use the Search to answer my question.
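
Posts #3 and #5 describe a check in which the client itself computes the expected digits from the name and the three-letter prefix, then compares them with what was typed, so the correct value is sitting in a register at compare time. As an added example (not part of the thread and not the target's algorithm; every function name, the hash and the toy key are hypothetical), the same design next to a licence check where the shipped client holds only a public key and can verify a code but not produce one:

```python
import hashlib

# Toy RSA key built from two Mersenne primes, constructed for this example.
# Far too small for real use: production code would use a vetted library
# with Ed25519 or RSA-PSS rather than unpadded textbook RSA.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, vendor side only


def digest(name: str, prefix: str) -> int:
    """Hash of the licence fields, reduced into the RSA modulus."""
    h = hashlib.sha256(f"{prefix}|{name}".encode()).digest()
    return int.from_bytes(h, "big") % N


def weak_expected(name: str, prefix: str) -> int:
    """Hypothetical stand-in for a client-side 'expected digits' routine."""
    return digest(name, prefix) % 10**8


def weak_check(name: str, code: str) -> bool:
    # Weak design: the client derives the correct answer itself before
    # comparing, so anyone holding the binary can read or recompute it.
    prefix, digits = code[:3], code[3:]
    return digits.isdigit() and int(digits) == weak_expected(name, prefix)


def vendor_sign(name: str, prefix: str) -> str:
    """Issues a code; runs on the vendor's server because it needs D."""
    return f"{prefix}{pow(digest(name, prefix), D, N):x}"


def hardened_check(name: str, code: str) -> bool:
    # Hardened design: only (N, E) ship with the client. Verification
    # never computes a valid code, so there is nothing to lift at runtime.
    prefix, sig = code[:3], code[3:]
    try:
        return pow(int(sig, 16), E, N) == digest(name, prefix)
    except ValueError:  # non-hex or empty signature part
        return False
```

A signature only stops code generation; the comparison result can still be patched, so integrity checks and server-side enforcement of paid features remain separate concerns.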
