Cracking using DeDe - first essay

Published by Tsehp April 2000


First of all I must thank +DaFixer for the magnificent tool he made. Hey crackers, take a good look at this tool, especially if you work with Delphi targets. I won't explain how to use it, because it is so intuitive and +DaFixer says everything important in his readme.txt. If needed, I'll write some first steps for newbies. Feel free to mail me.

How to start cracking?

Always, but ALWAYS, it is essential to know the type of .exe you are playing with. The type of exe determines which tools we use, and the right choice of tools may spare us a lot of time. Besides experience, other tools help very well in determining the type of exe: fa, fs, gt - to find the type of exe, whether it is protected or not, etc.

But definitely one of the best tools for me is ExeScope. In special cases I use Restorator, but only when the target has an enormous number of dialogs which I must inspect quickly. I will not explain the recognition technique now; if needed, I'll write an essay especially on this theme - see the prologue.

BTW, all these tools can be found on protools - thank you, Kaparo.

What is our target and what tools do we need?

    1. Target: ExeScope 5.12 - excellent little resource viewer/editor.
    2. Type of crack: Serial number fishing
    3. What the program does if not regged: complains about it when you try to save some changes
    4. Tools used: DeDe and, if you do not like math, TRW - only because I am too lazy to reboot my win98 for Ice :-), old TD32 may be good too
    5. A little time, about 10 minutes with DeDe. Without DeDe it will take much more.

Let's crack the target!

Fire up DeDe, choose our target and press the Process button. After some time the target is processed and ready for us to start exploring. Playing with DeDe, you very quickly learn what is what and where it is. Now go to the DFM section. This section is responsible for showing Delphi forms in text format. Find TFReg and inspect its caption: oh, this is our "Regist" caption, which means this is the form we are looking for. Do not be afraid if you see some strange characters in the form description or in the hints; the author of ExeScope, Toshi, is Japanese.

Let's sniff some more: press the DCU button and you find all the events on the specified form. The most beautiful part is coming now: in the left window select our DCU, which depends on TFReg, and in the right window select the event (RegBtnClick). Now press the right mouse button and select disassemble. WOW, what is this? Excellent disassembled code appears right in front of us! Not 10 MB or more of asm code, not somewhere senseless in the code, but exactly where we MUST be - inside the event which happens when someone presses the registration button. If you include Delphi symbols, all Delphi functions are shown. If you do not know how to include symbols in your code, read +DaFixer's readme.txt. If this still isn't enough, feel free to email me.

After disassembling we have this situation (the most important part):

* Possible Reference to Control 'NameEdit:TEdit'

0047D12A 8B83DC010000 mov eax, [ebx+$01DC]

* Reference to: Controls.TControl.GetTextBuf()

0047D130 E89B5FFAFF call 004230D0

0047D135 8B55FC mov edx, [ebp-$04]

0047D138 A1EC804800 mov eax, dword ptr [$4880EC]

* Reference to: System.LStrCat()

0047D13D E83A68F8FF call 0040397C

0047D142 8D55FC lea edx, [ebp-$04]

* Possible Reference to Control 'IDEdit:TEdit'

0047D145 8B83E0010000 mov eax, [ebx+$01E0]

* Reference to: Controls.TControl.GetTextBuf()

0047D14B E8805FFAFF call 004230D0

0047D150 8B55FC mov edx, [ebp-$04]

0047D153 A19C804800 mov eax, dword ptr [$48809C]

* Reference to: System.LStrCat()

0047D158 E81F68F8FF call 0040397C

0047D15D 8B159C804800 mov edx, [$48809C]

0047D163 8B12 mov edx, [edx]

0047D165 A1947F4800 mov eax, dword ptr [$487F94]

0047D16A 8B00 mov eax, [eax]

* Reference to published proc: TFMain.CheckCode <- People, look at this: none of today's disassemblers can do it this way, not even our beloved IDA without hard work and many hours of thinking, believe me.

0047D16C E8DB780000 call 00484A4C

0047D171 84C0 test al, al

0047D173 0F848D000000 jz 0047D206 <- How much do you think one needs to crack this jump (only a nop or jmps)? But that is not OK, because there may be some other check for the serial in the code. Actually I think there is, but I don't look for it because I want to show the strength of DeDe.

Well, this would be very easy, but let's explore some more. In this case you can do it in the following two ways:

  1. Go directly where it says: TFMain.CheckCode and disassemble it like the previous event
  2. Or copy this call address to the clipboard, go to the menu tools->disassemble proc, paste the address and press OK. This is useful if the procedure isn't published - for now it works this way, but in the future it will be easier. Trust me ;-).

A little theory before continuing. Delphi references global and local variables in the following way: [ebp+xy] means that it is a pointer to a global variable, [ebp-xy] means that it is a pointer to a local variable. Continuing our exploration, we find the following:


00484A6C 8B45FC mov eax, [ebp-$04] <- pointer to local var. in eax

| or: System.LStrOfChar()

00484A6F E830F1F7FF call 00403BA4 <- DeDe finds just fine what this call is, but only if you include symbols

00484A74 83F80A cmp eax, +$0A <- look, look, our code must be 10 chars

00484A77 7527 jnz 00484AA0 <- if not, go out you bad cracker

00484A79 8B45FC mov eax, [ebp-$04]

00484A7C 803841 cmp byte ptr [eax], $41 <- is the first char 'A'?

00484A7F 751F jnz 00484AA0 <- nope, go out you bad cracker

00484A81 8B45FC mov eax, [ebp-$04]

00484A84 0FB64008 movzx eax, byte ptr [eax+$08] <- take the 8th char into eax

00484A88 8B55FC mov edx, [ebp-$04]

00484A8B 0FB65209 movzx edx, byte ptr [edx+$09] <- take the 9th char into edx

00484A8F 03C2 add eax, edx <- add edx to eax, result in eax

00484A91 B90A000000 mov ecx, $0000000A

00484A96 99 cdq

00484A97 F7F9 idiv ecx <- divide by ten

00484A99 83FA04 cmp edx, +$04 <- if the remainder is 4, all is OK, you registered it! I suggest something like A23456708 for the serial number, because ($30+$38)/$A gives us a remainder of 4. $30 and $38 are our last two chars, 0 and 8, in hex.

00484A9C 7502 jnz 00484AA0 <- nope, go out you bad cracker

00484A9E B301 mov bl, $01

00484AA0 33C0 xor eax, eax

00484AA2 5A pop edx

00484AA3 59 pop ecx

00484AA4 59 pop ecx

Like I said before, if you do not like math just put a bpx on $00484A99 in Ice, Trw, TD32 or some other Windows debugger, but remember the code must start with a capital A and be 10 chars long, and, I almost forgot, you may use any name. Last word: ExeScope does not say anything like 'Thank you' or something, but it complains if you enter a wrong serial code.
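The check walked through above, restated in C to measure how little of the input it constrains. This is an added example, not code from the original essay or from the target; the function names are hypothetical, and it assumes the call at 00484A6F returns the string length, as the essay's annotation reads it.

```c
#include <stdio.h>
#include <string.h>

/* Model of the check at 00484A6C-00484A9E as annotated in the listing.
   check_code_model is a hypothetical name, not a symbol from the target.
   Assumption: the call at 00484A6F returns the length of the string. */
int check_code_model(const char *code)
{
    if (strlen(code) != 10)                 /* cmp eax, +$0A / jnz */
        return 0;
    if (code[0] != 0x41)                    /* cmp byte ptr [eax], $41 */
        return 0;
    /* movzx zero-extends both bytes, so the signed idiv sees a
       non-negative sum and the remainder in edx is sum % 10. */
    int sum = (unsigned char)code[8] + (unsigned char)code[9];
    return sum % 10 == 4;                   /* cmp edx, +$04 */
}

/* How many of the 100 digit pairs at offsets 8 and 9 are accepted? */
int accepted_digit_pairs(void)
{
    char code[] = "A000000000";             /* constructed candidate */
    int hits = 0;
    for (char a = '0'; a <= '9'; a++)
        for (char b = '0'; b <= '9'; b++) {
            code[8] = a; code[9] = b;
            hits += check_code_model(code);
        }
    return hits;
}

/* Returns 1 if changing offsets 1..7 never changes the verdict. */
int middle_is_ignored(void)
{
    char x[] = "A000000000", y[] = "AZZZZZZZ00";   /* constructed */
    for (char a = '0'; a <= '9'; a++)
        for (char b = '0'; b <= '9'; b++) {
            x[8] = y[8] = a; x[9] = y[9] = b;
            if (check_code_model(x) != check_code_model(y))
                return 0;
        }
    return 1;
}

int main(void)
{
    printf("accepted digit pairs: %d of 100\n", accepted_digit_pairs());
    printf("offsets 1..7 ignored: %d\n", middle_is_ignored());
    return 0;
}
```

One digit pair in ten passes, and neither the name nor offsets 1 to 7 influence the verdict, so a check of this shape cannot tie a code to a licensee.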



Basically, a cracker of intermediate skill can do this registration with DeDe alone, without any problem. This is my first public tutorial; feel free to send your comments or questions on