
Thread: Delphi (SolSuite 2002, 12.0) too hard for me?

  1. #1

    Delphi (SolSuite 2002, 12.0) too hard for me?

    Hi! Have been trying to understand this proggy, but I just can't get any further...

    Can't understand the validation routine though I can trick it, almost... (It's registered to "Trial Version")
    Am able to get access to all shuffles, but if I restart it's unregistered again.

    It writes a file called (for me) solsuite.c12 which contains serial and name (You type it in after you have passed with the serial) and some other stuff...
    I don't know how to break on access of that file...

    Please tell me it will be too hard for me so I can give up! :P

    Or do you have any ideas on the serial-validation?
    I just get lost in the code...

    solsuite.com

    /Manko

  2. #2

    Re: Delphi (SolSuite 2002, 12.0) too hard for me?

    Originally posted by Manko
    I don't know how to break on access of that file...
    Have you tried bpc CreateFile/CreateFileA? Or perhaps they're trying to be tricky and are using _lopen/_lcreate... just a few ideas... even if they use the Delphi functions you should end up in one of these eventually when opening a file... unless they're really really sneaky and have their own ring-0 routines for opening files...

  3. #3
    Sigh!

    I had got it into my head that it wouldn't work so I didn't try...
    It breaks and it reads and it computes and I still get lost...

    Maybe I should just give up? ...but I hate that...
    If I only understood more of what's going on...

    So many flags and stuff, the stack's heavily used too I think...

    Sometimes it feels so easy to follow, but sometimes...

    This code seems harder to understand... Can't even find some points to patch... But I guess you WOULD make this part harder...

    Hate being a helpless newbie... :P

    /Manko

  4. #4
    I usually go with deadlistings when I get stuck while debugging... just remember where in the code you break in... you get a bit better overview of the code in deadlistings IMHO

  5. #5
    Manko:

    Don't forget that if the program is Delphi, you can also look at it with DeDe.

    Regards.
    JMI

  6. #6
    Originally posted by JMI
    Manko:

    Don't forget that if the program is Delphi, you can also look at it with DeDe.

    Regards.
    First thing I did.
    Couldn't get it to disassemble the parts I liked though...
    And the whole thing took too much time and then ran out of space...

    /Manko

  7. #7
    Originally posted by NervGaz
    I usually go with deadlistings when I get stuck while debugging... just remember where in the code you break in... you get a bit better overview of the code in deadlistings IMHO
    Yup, good idea.
    Will do that. Too bad though I couldn't get DeDe to do the whole prog. And not really the parts I wanted either...

    /Manko

  8. #8
    Manko:

    A few more pre-breakfast ramblings.

    I reviewed some of DaFixer's recent DeDe posts (and now noticed that you posted there on using DeDe). Maybe there is something on stealthFIGHTER's site that can help you. He has a lot of tutorials on his page which deal with name/serial issues in Delphi apps. Googling "stealthFIGHTER" will get you right there.


    If you are making changes, they don't appear to be written to the .c12 file. Have you checked for file write APIs and/or attempted to save your changes to the file? Also, have you checked if it is writing to the registry with some information about a valid serial?

    Regards.
    JMI

  9. #9
    cHeCksUm
    Guest
    I have an old version already and I will take a look and see if I can help you /give you some hints. Post my findings tomorrow.

    // cHeCksUm
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    cHeCksUm
    Guest
    Well, I have cracked the version I have (8.1 I think), so now I know I can help you. I have just done a nasty in-memory byte patch (i.e. non-permanent, yet it doesn't have to be) so it accepted any code. Will try some other approaches like getting the valid serial etc. Just post if you need more help. In case you are wondering, the tools I used are WDASM and OllyDebug. I simply used WDASM and searched for text strings. Then fired up OllyDebug and set some breakpoints on suspicious strings I found in WDASM and voila.

    P.S. What version are u trying... it's quite possible that they changed the routine.... so maybe my info will not help.

    // cHeCksUm

  11. #11
    ZaiRoN
    Hi!
    Nice game, Manko.
    I took a look at the proggie thinking I would find an easy protection, because the old version (can't remember the release) had a very easy protection (bad_boy to good_boy conversion).
    I was totally wrong, because the target seems well protected!

    Here are some quick notes:

    When it runs, the proggie looks for filemon, dede (and maybe something else) and closes them if running.
    DeDe can't help me too much because there's no trace of interesting resources, I mean something like regForm...
    In the dead_list I haven't found interesting messages that can bring me directly to a check routine.
    I think some strings are encrypted in some way; the code is full of encrypted strings.

    Moreover, the proggie has simple breakpoint detection; it checks all the APIs it uses. The funny thing is that there are two checks on each API, but they are (fundamentally) the same.
    Here is how it checks whether a breakpoint is placed on a single API:

    4CA814:
    ...
    004CA834 MOV AL,BYTE PTR DS:[ESI] ; i.e. esi -> "jmp@MessageBox"
    004CA836 MOV AH,66
    004CA838 ADD AH,AH ; 66h + 66h = CCh
    004CA83A CMP AH,AL ; al is CCh if a bpx is present
    004CA83C JE SHORT SOLSUITE.004CA842 ; if equals jump to bad boy...

    The other method is a simple cmp of the first byte of the jump@ against 0CCh, and you'll find it at 4CA87C.

    Those are very simple checking methods and maybe it's simple to break this target but... who can say!

    Those are only a few words for now, but I hope it helps in some way.

    regards,
    ZaiRoN
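
    A C re-creation of the check ZaiRoN describes above, added here as an illustration and not code from the thread or from SolSuite: it simulates a debugger writing a software breakpoint (INT3, 0xCC) over the first byte of a constructed import jump stub and shows both of the protection's comparisons (66h+66h and the direct 0CCh compare) firing on it. The stub bytes and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC  /* byte a software breakpoint writes over the original opcode */

/* Check 1 (4CA834): build CCh arithmetically (66h + 66h) so the constant never
 * appears as a literal immediate, then compare it with the stub's first byte. */
static int stub_has_bpx_arith(const unsigned char *stub)
{
    unsigned char ah = 0x66;
    ah = (unsigned char)(ah + ah);            /* 66h + 66h = CCh */
    return stub[0] == ah;
}

/* Check 2 (4CA87C): plain compare of the first byte against 0CCh. */
static int stub_has_bpx_direct(const unsigned char *stub)
{
    return stub[0] == INT3_OPCODE;
}

/* Both checks test the same byte for the same value, so they always agree. */
static int checks_agree(const unsigned char *stub)
{
    return stub_has_bpx_arith(stub) == stub_has_bpx_direct(stub);
}

/* What a debugger does for a bpx: save the original byte, write INT3 in its place. */
static unsigned char place_bpx(unsigned char *stub)
{
    unsigned char saved = stub[0];
    stub[0] = INT3_OPCODE;
    return saved;
}

static void remove_bpx(unsigned char *stub, unsigned char saved)
{
    stub[0] = saved;
}

/* Constructed stand-in for a Borland import stub "jmp dword ptr [imm32]"
 * (FF 25 + four address bytes); the address bytes are made up. */
static unsigned char jmp_MessageBox[6] = {0xFF, 0x25, 0x78, 0x56, 0x34, 0x12};

int main(void)
{
    printf("clean stub flagged: %d\n", stub_has_bpx_arith(jmp_MessageBox));    /* 0 */
    unsigned char saved = place_bpx(jmp_MessageBox);
    printf("bpx'd stub flagged: %d\n", stub_has_bpx_direct(jmp_MessageBox));   /* 1 */
    remove_bpx(jmp_MessageBox, saved);
    printf("restored stub flagged: %d\n", stub_has_bpx_arith(jmp_MessageBox)); /* 0 */
    return 0;
}
```

    The protection only sees a breakpoint because the breakpoint changes code bytes; once the original byte is restored, both checks are quiet again.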

  12. #12
    cHeCksUm
    Guest
    ahhh... I am downloading the new version as we speak... no wait, as I speak... no, that's not right... as I write... as they are on version 12.0 now!!! I didn't even know I had such old programs on my file server (the 8.1 that I have is from 2001!!!). Well, as soon as it's down I'll take a look at it and see how much has changed... hopefully it will be more challenging now!!!

    // cHeCksUm

  13. #13

    Yippee! I cracked that mf right open!

    I did it! Now all works great and looks good! Maybe I should write an essay about blind cracking? :P

    btw, this was SolSuite 2002 v12, very different from earlier versions which were not so very tough, I understand...

    DeDe gave me great info to begin with; RegCode's the form to be looking at. The procedure of the OK button is called help2, or something... I disassemble with DeDe and break in SoftICE on some of the early addresses. I just follow code, getting to know it... don't understand it all but I see things happening... getting an idea of where I'd like to go/not go...
    Look at jumps, forcing my way to the goal.
    (Just patch 2 places...)
    Works OK. Unlocked program. But at restart I'm unregged.
    Got help to realise I needed to check CreateFileA.
    Regg is stored in solsuite.c12, also read on start.
    After much tracing and confusion, decided to fiddle with similar code I altered before. Changed one jump, all is regged!
    Don't understand a thing. Very confusing code...

    Ask questions if you like, I'm content.
    (almost... wish I knew more about what it does...)

    Really tired... go bed, sleep till children wake me... sigh!

    /Manko

  14. #14

    Thanks!

    And a really great THANKS to everyone who gave an interest in my predicament.

    Now I go to bed!

    /Manko

  15. #15
    cHeCksUm
    Guest
    @ Manko
    hmmmm.... After having disabled the five or so debugger checks I was able to get to the routine I wanted. It is similar to the old ones but all strings are encrypted. What I cannot find is the place in which it compares the real serial to the fake one. I know it has to be somewhere around 4cdbdb3 but I cannot find it. Can you shed some light on this issue!? I have been able to get the reg to accept any serial but I am missing one or a byte patch somewhere as it isn't working... grrrrr!!! Well, seeing as how it's 7:34 in the morning I think it's time I go to bed!!! Check in with everyone tomorrow....

    // cHeCksUm
