Thread: Help with Delphi 7 app

  1. #1
    sloppysam
    Guest

    Help with Delphi 7 app

    1. What is the problem....
    I am stuck in where to go from here. I have located the routine but am unable to proceed.

    2. What is the protection.....
    When installed, the program is unpacked, but it randomly generates a 7-digit installation number that it uses to compare to the serial number entered.

    3. What tools are you using....
    I used DeDe to find the section of code that does the compare routine. I then used OllyDbg to watch the program and try to fish out the correct serial.

    4. What tutorials have you read....
    A few on Delphi and DeDe, and I have been using Olly for quite a while.

    5. Show your output listing WITH comments....

    Code:
    0050C74C     55             PUSH EBP                  ;  Push Button
    0050C74D     8BEC           MOV EBP,ESP
    0050C74F     B9 04000000    MOV ECX,4
    0050C754  |> 6A 00          /PUSH 0
    0050C756  |. 6A 00          |PUSH 0
    0050C758  |. 49             |DEC ECX
    0050C759  |.^75 F9          \JNZ SHORT Name Deleted.0050C754
    0050C75B  |. 51             PUSH ECX
    0050C75C  |. 53             PUSH EBX
    0050C75D  |. 56             PUSH ESI
    0050C75E  |. 57             PUSH EDI
    0050C75F  |. 8BF8           MOV EDI,EAX
    0050C761  |. 33C0           XOR EAX,EAX
    0050C763  |. 55             PUSH EBP
    0050C764  |. 68 D5C85000    PUSH Name Deleted.0050C8D5
    0050C769  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
    0050C76C  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
    0050C76F  |. B8 02000000    MOV EAX,2
    0050C774  |. E8 AF6AEFFF    CALL Name Deleted.00403228
    0050C779  |. 8BD8           MOV EBX,EAX
    0050C77B  |. 8BC3           MOV EAX,EBX
    0050C77D  |. 83E8 01        SUB EAX,1                          ;  Switch (cases 0..1)
    0050C780  |. 72 04          JB SHORT Name Deleted.0050C786
    0050C782  |. 74 3B          JE SHORT Name Deleted.0050C7BF
    0050C784  |. EB 70          JMP SHORT Name Deleted.0050C7F6
    0050C786  |> 68 CBBC0C00    PUSH 0CBCCB              ;  Case 0 of switch 0050C77D
    0050C78B  |. 8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
    0050C78E  |. B8 28000000    MOV EAX,28
    0050C793  |. E8 B8A3FFFF    CALL Name Deleted.00506B50
    0050C798  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
    0050C79B  |. 8B15 C83D5900  MOV EDX,DWORD PTR DS:[593DC8]            ;  Name Deleted.00594CB4
    0050C7A1  |. 8B12           MOV EDX,DWORD PTR DS:[EDX]
    0050C7A3  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
    0050C7A6  |. E8 3188EFFF    CALL Name Deleted.00404FDC
    0050C7AB  |. 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]             ; |
    0050C7AE  |. B2 01          MOV DL,1                                 ; |
    0050C7B0  |. A1 1C6F4F00    MOV EAX,DWORD PTR DS:[4F6F1C]            ; |
    0050C7B5  |. E8 86A8FEFF    CALL Name Deleted.004F7040                   ; \FitnessA.004F7040
    0050C7BA  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
    0050C7BD  |. EB 37          JMP SHORT Name Deleted.0050C7F6
    0050C7BF  |> 68 BC129D00    PUSH 9D12BC                              ;  Case 1 of switch 0050C77D
    0050C7C4  |. 8D55 EC        LEA EDX,DWORD PTR SS:[EBP-14]
    0050C7C7  |. B8 29000000    MOV EAX,29
    0050C7CC  |. E8 7FA3FFFF    CALL Name Deleted.00506B50
    0050C7D1  |. 8B4D EC        MOV ECX,DWORD PTR SS:[EBP-14]
    0050C7D4  |. 8B15 C83D5900  MOV EDX,DWORD PTR DS:[593DC8]            ;  Name Deleted.00594CB4
    0050C7DA  |. 8B12           MOV EDX,DWORD PTR DS:[EDX]
    0050C7DC  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
    0050C7DF  |. E8 F887EFFF    CALL Name Deleted.00404FDC
    0050C7E4  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]            ; |
    0050C7E7  |. B2 01          MOV DL,1                                 ; |
    0050C7E9  |. A1 1C6F4F00    MOV EAX,DWORD PTR DS:[4F6F1C]            ; |
    0050C7EE  |. E8 4DA8FEFF    CALL Name Deleted.004F7040                   ; \Name Deleted.004F7040
    0050C7F3  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
    0050C7F6  |> B9 ECC85000    MOV ECX,Name Deleted.0050C8EC                ;  ASCII "AKSDHASA"; Default case of switch 0050C77D
    0050C7FB  |. B2 01          MOV DL,1
    0050C7FD  |. A1 2C2F4F00    MOV EAX,DWORD PTR DS:[4F2F2C]
    0050C802  |. E8 6169FEFF    CALL Name Deleted.004F3168
    0050C807  |. 8BF0           MOV ESI,EAX
    0050C809  |. 8D55 E8        LEA EDX,DWORD PTR SS:[EBP-18]
    0050C80C  |. 8B87 24030000  MOV EAX,DWORD PTR DS:[EDI+324]
    0050C812  |. E8 1901F7FF    CALL Name Deleted.0047C930
    0050C817  |. 8B4D E8        MOV ECX,DWORD PTR SS:[EBP-18]
    0050C81A  |. BA 00C95000    MOV EDX,Name Deleted.0050C900                ;  Grab code here
    0050C81F  |. 8BC6           MOV EAX,ESI
    0050C821  |. E8 0668FEFF    CALL Name Deleted.004F302C
    0050C826  |. 68 00003540    PUSH 40350000
    0050C82B  |. 6A 00          PUSH 0
    0050C82D  |. A1 9C3B5900    MOV EAX,DWORD PTR DS:[593B9C]
    0050C832  |. E8 BD74EFFF    CALL Name Deleted.00403CF4
    0050C837  |. E8 E063EFFF    CALL Name Deleted.00402C1C
    0050C83C  |. 52             PUSH EDX                                 ; |/Arg2
    0050C83D  |. 50             PUSH EAX                                 ; ||Compare to Seed 8475015
    0050C83E  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]            ; ||
    0050C841  |. E8 AED3EFFF    CALL Name Deleted.00409BF4                   ; |\Name Deleted.00409BF4
    0050C846  |. 8B45 E4        MOV EAX,DWORD PTR SS:[EBP-1C]            ; |
    0050C849  |. 50             PUSH EAX                                 ; |Arg1
    0050C84A  |. B9 02000000    MOV ECX,2                                ; |
    0050C84F  |. 8BD6           MOV EDX,ESI                              ; |
    0050C851  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]             ; |
    0050C854  |. E8 F7ADFEFF    CALL Name Deleted.004F7650                   ; \Name Deleted.004F7650
    0050C859  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
    0050C85C  |. E8 1F3DF0FF    CALL Name Deleted.00410580
    0050C861  |. 8BC3           MOV EAX,EBX
    0050C863  |. E8 84BAFFFF    CALL Name Deleted.005082EC
    0050C868  |. A1 303B5900    MOV EAX,DWORD PTR DS:[593B30]
    0050C86D  |. 8338 00        CMP DWORD PTR DS:[EAX],0
    0050C870  |. 74 1E          JE SHORT Name Deleted.0050C890               ;  COMPARE JUMP is bad no jump good
    0050C872  |. 8D55 E0        LEA EDX,DWORD PTR SS:[EBP-20]
    0050C875  |. B8 25000000    MOV EAX,25
    0050C87A  |. E8 D1A2FFFF    CALL Name Deleted.00506B50
    0050C87F  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP-20]
    0050C882  |. E8 D909F3FF    CALL Name Deleted.0043D260
    0050C887  |. 8BC7           MOV EAX,EDI
    0050C889  |. E8 263BF9FF    CALL Name Deleted.004A03B4
    0050C88E  |. EB 15          JMP SHORT Name Deleted.0050C8A5
    0050C890  |> 8D55 DC        LEA EDX,DWORD PTR SS:[EBP-24]
    0050C893  |. B8 26000000    MOV EAX,26
    0050C898  |. E8 B3A2FFFF    CALL Name Deleted.00506B50
    0050C89D  |. 8B45 DC        MOV EAX,DWORD PTR SS:[EBP-24]
    0050C8A0  |. E8 BB09F3FF    CALL Name Deleted.0043D260      ;  Bad key message
    0050C8A5  |> 33C0           XOR EAX,EAX
    0050C8A7  |. 5A             POP EDX
    0050C8A8  |. 59             POP ECX
    0050C8A9  |. 59             POP ECX
    0050C8AA  |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
    0050C8AD  |. 68 DCC85000    PUSH Name Deleted.0050C8DC
    0050C8B2  |> 8D45 DC        LEA EAX,DWORD PTR SS:[EBP-24]
    0050C8B5  |. BA 03000000    MOV EDX,3
    0050C8BA  |. E8 3584EFFF    CALL Name Deleted.00404CF4
    0050C8BF  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
    0050C8C2  |. E8 0984EFFF    CALL Name Deleted.00404CD0
    0050C8C7  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
    0050C8CA  |. BA 04000000    MOV EDX,4
    0050C8CF  |. E8 2084EFFF    CALL Name Deleted.00404CF4
    0050C8D4  \. C3             RETN
    6. NOW ask your question....
    I could use some help on where to look and how to proceed. I can't seem to figure out where it is comparing what is entered for the serial, so that I can grab it. Is it that it doesn't store it anywhere visible? If that is the case, then any suggestions on how I can proceed attacking this routine?

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    sloppysam:

    Very nice job of attempting to follow the FAQ on your first post, and you did really well, until you got "sloppy" on one "critical" point. You failed to review your code snippet to remove identifying information about the identity of your target. Review your code above and notice how many times the words "Name Deleted" appear and you will see the magnitude of your error.

    ATTENTION TO DETAIL IS REQUIRED, although you were making a good effort. I stress this point because it is critical to avoid unwanted attacks upon this Board for posting "crack" information.

    Regards,
    JMI

  3. #3
    sloppysam
    Guest
    Yes, thank you for pointing out my error, with a bit of appreciated humor. I am sure that this happens often and I thank you for being nice about it and fixing the problem. I will make note of this and fix this in the future before posting again.

    Thank you
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    And thank you for understanding that it is not just mindless bitching. Some of the Rules are in place to attempt to make the management's job, and the understanding of the questions, easier. Others, like this particular one, are in place to try to protect the Board itself from frequent attacks on our ISP for allegations that we are hosting cracks.

    You really DID make a very good first effort, and it is NOT unusual that users forget to "clean-up" their code snippets, because they tend to think about the question they ask, but not carefully read the literal content of their code.

    And, yes, where possible, I try to add some humour to my posts. And sometimes it is even actually humorous, and sometimes that is even appreciated.

    Please also remember that, now that you have posted "target specific code", you may NOT post the name of the program, but you MAY communicate it to interested persons by PM or email.

    Welcome and happy reversing.

    Regards,
    JMI

  5. #5
    Naides is Nobody
    Quote Originally Posted by sloppysam

    Code:
    0050C84A  |. B9 02000000    MOV ECX,2                                ; |
    0050C84F  |. 8BD6           MOV EDX,ESI                              ; |
    0050C851  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]             ; |
    0050C854  |. E8 F7ADFEFF    CALL Name Deleted.004F7650                   ; \Name Deleted.004F7650
    0050C859  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
    0050C85C  |. E8 1F3DF0FF    CALL Name Deleted.00410580
    0050C861  |. 8BC3           MOV EAX,EBX
    0050C863  |. E8 84BAFFFF    CALL Name Deleted.005082EC
    0050C868  |. A1 303B5900    MOV EAX,DWORD PTR DS:[593B30]  ; start by the end: the flag that says 'badboy' is a DWORD stored at address 593B30.
     If that flag is equal to 0, DS:[EAX] is equal to 0 and the bad boy jump is taken. SO PUT A WATCH or a BPM on that address and see who reads it, and
    more important who writes to it. Who or whatever stores a value different from 0 is the good boy routine. Better yet, at the beginning of the routine,
    manually place a 00000001 value into that mem address, [593B30], and watch carefully who changes it.
    
    0050C86D  |. 8338 00        CMP DWORD PTR DS:[EAX],0
    0050C870  |. 74 1E          JE SHORT Name Deleted.0050C890               ;  COMPARE JUMP is bad no jump good
    0050C872  |. 8D55 E0        LEA EDX,DWORD PTR SS:[EBP-20]
    0050C875  |. B8 25000000    MOV EAX,25
    0050C87A  |. E8 D1A2FFFF    CALL Name Deleted.00506B50
    0050C87F  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP-20]

    Thanks
    Question: If you manually invert the

    0050C870 |. 74 1E JE SHORT Name Deleted.0050C890

    Do you get registered?

    If you manually change the value stored at:

    DWORD PTR DS:[593B30]

    do you get the good boy message/behavior?

  6. #6
    sloppysam
    Guest
    I tried reversing the jump so that it would be a JNE, as this works for many programs. What happens is that you get the good boy message but are not registered. This program stores everything in .dat files and I believe that it checks at startup, and if the correct number isn't there it doesn't say that it is registered.

    I am going to try changing the memory and see what happens.

    Thanks for the hints.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    sloppysam
    Guest
    start by the end: the flag that says 'badboy' is a DWORD stored at address 593B30.
    If that flag is equal to 0, DS:[EAX] is equal to 0 and the bad boy jump is taken. SO PUT A WATCH or a BPM on that address and see who reads it, and
    more important who writes to it. Who or whatever stores a value different from 0 is the good boy routine. Better yet, at the beginning of the routine,
    manually place a 00000001 value into that mem address, [593B30], and watch carefully who changes it.
    When I change that memory address it always crashes the program. So I went further into the code, figuring I could reverse some more jumps and see what happens.

    OK, by reversing some more jumps I got the program to say that it is registered until you restart it. That means that it is getting the information from one of its .dat files. I need to get the program to bypass that on startup. So I went looking for the referenced memory address and found a bunch of compares to that address when the program starts up. 4 of the 5 do nothing obvious when reversed, but one of them gives the message that this is now an invalid copy of the program and to reinstall it. Looks like we hit a nerve here.

    So instead of changing it to a reversed jump I just changed it to jump to the location. That, along with a couple of other references to the date, did it. Now it just says that there are negative days remaining. Thanks a bunch naides, you didn't give me the answer but you gave me an idea and it pointed me in the right direction.

    This is a really dirty solution but it works. Perhaps we could keep working on this to find a more eloquent solution?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Naides is Nobody
    Quote Originally Posted by sloppysam
    This is a really dirty solution but it works. Perhaps we could keep working on this to find a more eloquent solution?
    Gr8!

    You are 95% there. I would locate the routine that WRITES or somehow stores a 0 value there. It may even be read from a .dat file as a resource or something.
