
Thread: encrypted .exe?

  1. #1
    spamal
    Guest

    encrypted .exe?

    http://e-ditorial.com/editor201.exe

    A popular e-book creator and html compiler. It appears to be written in Delphi 3 or 4. When I tried to disassemble it in W32Dasm 8.9 it just gave me 2 pages of garbage. I don't think it is packed. Please help a newbie understand how to disassemble this bad boy. (I can't install SICE where I am).

    TIA,
    Spamal
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    LuTiN NoIR
    Guest
    Hello,

    Your program is packed with aspack 2.11. Use an unpacker to obtain an unpacked version .

    regards,
    LuTiN NoIR
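    Before handing a binary to a disassembler it is worth checking whether it is packed at all, since a packed image produces exactly the kind of garbage described in the first post. The script below is an added example and not code from the thread; it parses the PE section table with the standard library and applies three heuristics: section names that ASPack (.aspack, .adata) and UPX (UPX0, UPX1) are known to leave behind, high Shannon entropy of a section's raw bytes, and sections that reserve address space but carry no raw data. The two sample images are constructed in memory, not taken from the executable discussed here.

```python
"""Triage a PE image for signs of a run-time packer before disassembling it.

Added example, not the forum's code. Standard library only.
"""
import math
import struct

# Section names that well-known packers write into the section table.
PACKER_SECTION_NAMES = {
    ".aspack": "ASPack",
    ".adata": "ASPack",
    "UPX0": "UPX",
    "UPX1": "UPX",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or uniform data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Return the COFF section table of a PE image as a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "writable_exec": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packer_indicators(image: bytes) -> list:
    """Human-readable findings; an empty list means nothing looked packed."""
    findings = []
    for s in parse_sections(image):
        name = s["name"]
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: section name used by {PACKER_SECTION_NAMES[name]}")
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{name}: entropy {s['entropy']:.2f} (compressed or encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{name}: no raw data but {s['virtual_size']:#x} bytes virtual (filled at run time)")
        if s["writable_exec"]:
            findings.append(f"{name}: section is both writable and executable")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image: DOS stub, PE header, section table, raw data.

    `sections` is a list of (name, virtual_size, raw_bytes, characteristics).
    Only the fields the parser reads are meaningful; it is not loadable.
    """
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # first raw block on a 0x200 boundary
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw, chars in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
        blobs += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


HIGH_ENTROPY = bytes(range(256)) * 16   # every byte value equally often: 8.0 bits
LOW_ENTROPY = b"\x90" * 4096            # uniform bytes: 0.0 bits
STUB = bytes(range(64)) * 8             # 64 distinct values: 6.0 bits

# Constructed samples: a plain Delphi-style layout and an ASPack-style layout.
SAMPLE_PLAIN = build_sample_pe([
    ("CODE", 0x1000, LOW_ENTROPY, 0x60000020),
    ("DATA", 0x1000, b"Hello" * 100, 0xC0000040),
])
SAMPLE_PACKED = build_sample_pe([
    ("CODE", 0x8000, HIGH_ENTROPY, 0x60000020),   # original code, now compressed
    (".aspack", 0x1000, STUB, 0x60000020),        # unpacking stub
    (".adata", 0x2000, b"", 0xC0000080),          # scratch space, no raw bytes
])

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

    On a real file, read it with `open(path, "rb").read()` and pass the bytes to `packer_indicators`; an empty result is a reasonable sign that the disassembler, not the packer, is the problem.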

  3. #3
    spamal
    Guest
    Thanks, I unpacked it like a charm. The unpacked .exe runs fine. However, here is a strange thing... When I try to disassemble it, W32DASM v8.93 always hangs when processing the jumps. Could this be another layer of anti-disassembly protection?

    Thanks a lot,
    Spamal

    PS I am running the disassembler on Win2k

  4. #4
    splaj
    Guest
    When you find a Delphi target ALWAYS use DEDE by DaFixer on it. Latest version does D2 -> D5

    With this tool I reversed ColorPilot 3.xx, Lockdown Pro , ASProtect, Softlocx5 (unpacked 1st)
    etc etc etc.

    from :-
    www.balbaro.com ?

    Try It
    You don't need WDasm89 for Delphi

    +SplAj
    'Patch+Play'

    Hey thanks for the 'tools' guys. What a year of advancement for the RCE.

  5. #5
    spamal
    Guest
    Well I tried patching the two jumps, but one didn't work, and the other gave me an external exception error when the two strings were compared. Any final ideas? I would like to reverse this without using SICE.

    Here is the code, split into 2 posts:

    * Reference to: System..LStrCmp()
    |
    0048FD24 E85341F7FF call 00403E7C
    0048FD29 0F85CC000000 jnz 0048FDFB
    0048FD2F 8D55F0 lea edx, [ebp-$10]

    * Reference to control TFormWelcome.eUser : TEdit
    |
    0048FD32 8B8310030000 mov eax, [ebx+$0310]

    * Reference to: Controls.TControl.GetText()
    |
    0048FD38 E8AB18FAFF call 004315E8
    0048FD3D 8B55F0 mov edx, [ebp-$10]
    0048FD40 A1588B4900 mov eax, dword ptr [$498B58]

    * Reference to: System..LStrAsg()
    |
    0048FD45 E8FA3DF7FF call 00403B44
    0048FD4A 8D55F0 lea edx, [ebp-$10]

    * Reference to control TFormWelcome.eSerial : TEdit
    |
    0048FD4D 8B8314030000 mov eax, [ebx+$0314]

    * Reference to: Controls.TControl.GetText()
    |
    0048FD53 E89018FAFF call 004315E8
    0048FD58 8B55F0 mov edx, [ebp-$10]
    0048FD5B A174884900 mov eax, dword ptr [$498874]

    * Reference to: System..LStrAsg()
    |
    0048FD60 E8DF3DF7FF call 00403B44
    0048FD65 A1588B4900 mov eax, dword ptr [$498B58]
    0048FD6A 8B00 mov eax, [eax]
    0048FD6C 50 push eax

    * Possible String Reference to: 'User'
    |
    0048FD6D B994FE4800 mov ecx, $0048FE94

    * Possible String Reference to: 'Software\Microdream\E-ditor 2\'
    |
    0048FD72 BAA4FE4800 mov edx, $0048FEA4
    0048FD77 B802000080 mov eax, $80000002
    |
    0048FD7C E8D7A6FEFF call 0047A458
    0048FD81 A174884900 mov eax, dword ptr [$498874]
    0048FD86 8B00 mov eax, [eax]
    0048FD88 50 push eax

    * Possible String Reference to: 'Software\Microdream\E-ditor 2\'
    |
    0048FD89 BAA4FE4800 mov edx, $0048FEA4

    * Possible String Reference to: 'Serial'
    |
    0048FD8E B9CCFE4800 mov ecx, $0048FECC
    0048FD93 B802000080 mov eax, $80000002
    |
    0048FD98 E8BBA6FEFF call 0047A458
    0048FD9D A1008A4900 mov eax, dword ptr [$498A00]
    0048FDA2 C60001 mov byte ptr [eax], $01
    0048FDA5 6A00 push $00
    0048FDA7 668B0DD4FE4800 mov cx, word ptr [$48FED4]
    0048FDAE B202 mov dl, $02

    * Possible String Reference to: 'E-ditor Pro 2 has been registered.Thank you!'
    |

  6. #6
    spamal
    Guest

    protection (cont'd)

    0048FDB0 B8E0FE4800 mov eax, $0048FEE0

    * Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.[Dialogs.TMsgDlgBtn]; Integer)
    |
    0048FDB5 E8CE47FCFF call 00454588
    0048FDBA 8B15008A4900 mov edx, [$498A00]
    0048FDC0 8A12 mov dl, byte ptr [edx]
    0048FDC2 80F201 xor dl, $01

    * Reference to control TFormWelcome.ib7 : TImgBtn
    |
    0048FDC5 8B8328030000 mov eax, [ebx+$0328]

    * Reference to: Controls.TControl.SetVisible(bool)
    |
    0048FDCB E83017FAFF call 00431500
    0048FDD0 8B15008A4900 mov edx, [$498A00]
    0048FDD6 8A12 mov dl, byte ptr [edx]
    0048FDD8 80F201 xor dl, $01

    * Reference to control TFormWelcome.ib8 : TImgBtn
    |
    0048FDDB 8B832C030000 mov eax, [ebx+$032C]

    * Reference to: Controls.TControl.SetVisible(bool)
    |
    0048FDE1 E81A17FAFF call 00431500
    0048FDE6 8B15588B4900 mov edx, [$498B58]
    0048FDEC 8B12 mov edx, [edx]

    * Reference to control TFormWelcome.LRegistered : TLabel
    |
    0048FDEE 8B8324030000 mov eax, [ebx+$0324]

    * Reference to: Controls.TControl.SetText(System.AnsiString)
    |
    0048FDF4 E81F18FAFF call 00431618
    0048FDF9 EB15 jmp 0048FE10
    0048FDFB 6A00 push $00
    0048FDFD 668B0DD4FE4800 mov cx, word ptr [$48FED4]
    0048FE04 B201 mov dl, $01

    * Possible String Reference to: 'Invalid Serial or User Name'
    |
    0048FE06 B81CFF4800 mov eax, $0048FF1C

  7. #7
    spamal
    Guest
    Actually, killing the jump at
    0048FD29

    Makes it accept any password as "registered", but it doesn't unlock all of the features. When you use the program it still brands an ugly "unregistered version" on you compiled .exes

  8. #8
    +SplAj
    Join Date: Feb 2001
    Location: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts: 373
    Did you get it yet ?

    Here is my solution:-

    Change the bytes at 48FE06 from B81CFF4800
    to 8B45F89090 and this makes a KEYGEN for you!

    Just enter your name and dummy serial. The messagebox will now give you the valid serial
    instead of 'incorrect serial or user name'

    SPAMAL
    4FF2020..... bla bla

  9. #9
    spamal
    Guest
    Hehe, pretty elegant! I finally got ugly and reversed it the old-fashioned way, but yours is much better
