Delphi Reversing
 Commercial stupidity


by LaptoniC

Courtesy of Fravia's page of reverse engineering
slightly edited
by +Tsehp
There is a crack, a crack in everything That's how the light gets in
(x)Beginner (x)Intermediate ( )Advanced ( )Expert
   Delphi reversing  became more easier with the help of Dafixer's DEDE.It is very powerful
tool.It  can identify most of delphi functions, can dump process and disassemble it 
(good  for packed exes) and much more.Lets try to learn what dede offers us.  

Delphi reversing
 Commercial stupidity
Written by LaptoniC


My target is written in delphi, it is packed with aspack v1.083 and it use harddisk 
number for serial calculation.Therefore there is only two approach is possible, 
first make a inline or memory patch, or make keygen.I will try to explain this 
two approaches.My language and knowledge is so poor therefore if something is 
wrong please accuse me and say the error via e-mail (kandirdim_at_hotmail)  
Tools required
DEDE v2.34 
Delphi and tcryptlib component if you want to code keygen.   
Target's URL/FTP  go to e-cafe link and download demo version   
Program History
As I said before there is two approach first is patch and other is keygen

The first step is finding the comparison.Open e-cafe and click the surfing man button and
choose "Kayıt işlemi".You will see three edit boxes for serial.Write something switch to 
SoftICE and click "Tamam" button.( If you want to make your SoftICE session easier you can
make sym file with the help of Dede.Go to export section and make map file.Then convert this 
map file to sym file and you are ready to go.)After several F12's you will land E-cafe's code.
Follow the code and stop when you see this.

004DC60C 8D45FC                  lea eax, dword ptr [ebp-04]  
004DC60F BA05000000              mov edx, 00000005            
004DC614 E87379F2FF              call 00403F8C                
004DC619 8B45F8                  mov eax, dword ptr [ebp-08];our serial  
004DC61C 8B55FC                  mov edx, dword ptr [ebp-04];real serial  
004DC61F E8B879F2FF              call 00403FDC              ;compare  
004DC624 0F85E2000000            jne 004DC70C               ;if not equal jump to bad cracker  
004DC70C B148                    mov cl, 48           ;message box style (error) 
004DC70E BA18C84D00              mov edx, 004DC818    ;Title of message     
004DC713 B8DCC84D00              mov eax, 004DC8DC    ;Beggar of message     
004DC718 E8AF610000              call 004E28CC        ;Show message     

Most easy way is send good serial to message box.Therefore when we enter bad serial program 
will show good serial.Lets test our patch in memory when you are at 004DC713 type a and enter.
Then write 

004DC70C B149             	     mov      cl,49        ;messagebox style (info) :)
004DC70E BA18C84D00    		     mov      edx,004DC81  ;Title of message
004DC713 8B45FC          	     mov      eax,[ebp-04] ;Real serial      
004DC716 90        	             nop                   ;to fill space
004DC716 90        	             nop                   
As you know, patching packed program cant be done directly.You can use memory patchers like 
risc's process patcher or you can make inline patch.Here is the end of unpacker routine as 
you probably know...

 8944241C            MOV       [ESP+1C], EAX
 61                  POPAD
 7508                JNZ       00681563 ; you probaly think to change this jump to your patch
 B801000000          MOV       EAX,00000001
 C20C00              RET       000C
 50                  PUSH      EAX
 55                  RET

If you search 7508B801000000 you wouldn't find anything.Because loader itself is packed too.
Therefore,you should patch loader, then program.It is long process and I am not professional 
on this subject, (any help or tutorial ? )so I used Aspatch and it works pretty good.
Thanks Chafe.First part done.Lets go to second part and make a keygen.
Note:You may think to change 004DC619 so that it sends real serial to eax.However, when program
write serial to registry it use a value at [ebp-08].Therefore it shows thank you message but
it writes bad serial to registry.
Here comes Dede's show.In order to disassemble with dede you should unpack it or you can use 
Dede's powerful tool "Process dumper".Open first Ecafe than Dede.Goto Tools/Dump Active 
Process.Choose Ecafe from process list and dump it.Wait a little bit and you will have super 
disassembly of our program.Lets find our registration screen.Go to Procedures and choose kayit.
You will see some events.Click the BitBtn1Click event and scroll down a little bit.
* Possible String Reference to: "B27U03L88E"
004DC55D   BA04C84D00             mov     edx, $004DC804
004DC562   E8794FF7FF             call    004514E0


What is this "B27U03L88E" lets click call at 4DC562 you will see this..
* Reference to: System..LStrClr()
00451510   E83B27FBFF             call    00403C50

* Possible String Reference to: "TCryptLib.Password is too long"  ;Aha :)
00451515   B964154500             mov     ecx, $00451564
0045151A   B201                   mov     dl, $01
0045151C   A198704000             mov     eax, dword ptr [$407098]

Again.Commercial stupidity.They use component tcryptlib.Lets search what is this component and
what we can do.I found this component at .I have downloaded it and
looked what is going on.It is simple xor algorithm.I disassembled sample exe file and try to 
identify what is what.There is 3 elements in this component; password, addkey,multkey.Addkey
and multkey is integer values.When you encrypt string first password is pushed then addkey,
multkey lastly string to encrypted is pushed.Lets look again our source.In order to make our
disassembly more comprehensive lets make DSF file for this componet.What is DSF File ?

"DSF files contain the symbols of the exports from different BPL libraries. DeDe disassemble 
engine use this symbol files to comment the class members method calls in ASM source it
generates. The ideology is very close to the IDA symbol files for VCL, MFC etc."

In order to make DSF file you need Delphi.Open delphi and install our component.After install 
you will have .bpl file in the projects/bpl directory of your delphi.Open Dede go to Tools/Bpl
Dumper and dump it.After dump, load this dsf file to Dede.If you dont have Delphi to make dsf 
file, you can download from here.I suggest you to add this dsf file to default dsfs via option
menu.Lets load again our target and look what we have now.
* Possible String Reference to: "B27U03L88E"
004DC55D   BA04C84D00             mov     edx, $004DC804
* Reference to: Kbcrypt.TCryptLib.WriteFPassword(System.AnsiString) ;super comment!
004DC562   E8794FF7FF             call    004514E0
004DC567   A1C4F94E00             mov     eax, dword ptr [$4EF9C4]
004DC56C   8B00                   mov     eax, [eax]
004DC56E   8B8064020000           mov     eax, [eax+$0264]
004DC574   BA9AAF3F00             mov     edx, $003FAF9A ;addkey=4173722 (as decimal)
004DC579   E86250F7FF             call    004515E0 ;control addkey length
004DC57E   A1C4F94E00             mov     eax, dword ptr [$4EF9C4]
004DC583   8B00                   mov     eax, [eax]
004DC585   8B8064020000           mov     eax, [eax+$0264]
004DC58B   BA3EC22300             mov     edx, $0023C23E ;multkey=2343486 (as decimal)
004DC590   E8EF4FF7FF             call    00451584 ;control multkey length
004DC595   8D4DFC                 lea     ecx, [ebp-$04]
004DC598   A1C4F94E00             mov     eax, dword ptr [$4EF9C4]
004DC59D   8B00                   mov     eax, [eax]
004DC59F   8B9048030000           mov     edx, [eax+$0348] ;string to be crypted
004DC5A5   A1C4F94E00             mov     eax, dword ptr [$4EF9C4]
004DC5AA   8B00                   mov     eax, [eax]
004DC5AC   8B8064020000           mov     eax, [eax+$0264]
* Reference to: Kbcrypt.TCryptLib.EncryptStr(System.AnsiString) ;Yes!
004DC5B2   E85D54F7FF             call    00451A14  ;crypt it
004DC5B7   8D45E8                 lea     eax, [ebp-$18]
004DC5BA   50                     push    eax
004DC5BB   B904000000             mov     ecx, $00000004 ;4 chars to copy
004DC5C0   BA01000000             mov     edx, $00000001 ;from 1st position
004DC5C5   8B45FC                 mov     eax, [ebp-$04] 

* Reference to: System..LStrCopy()
004DC5C8   E8037BF2FF             call    004040D0   ;copy it
004DC5CD   FF75E8                 push    dword ptr [ebp-$18]
004DC5D0   68F8C74D00             push    $004DC7F8
004DC5D5   8D45E4                 lea     eax, [ebp-$1C]
004DC5D8   50                     push    eax
004DC5D9   B904000000             mov     ecx, $00000004 ;4 chars to copy
004DC5DE   BA09000000             mov     edx, $00000009 ;from 9th position
004DC5E3   8B45FC                 mov     eax, [ebp-$04]

* Reference to: System..LStrCopy()
004DC5E6   E8E57AF2FF             call    004040D0      ;copy it
004DC5EB   FF75E4                 push    dword ptr [ebp-$1C]
004DC5EE   68F8C74D00             push    $004DC7F8
004DC5F3   8D45E0                 lea     eax, [ebp-$20]
004DC5F6   50                     push    eax
004DC5F7   B904000000             mov     ecx, $00000004 ;4 chars to copy
004DC5FC   BA11000000             mov     edx, $00000011 ;from 17. position
004DC601   8B45FC                 mov     eax, [ebp-$04]

* Reference to: System..LStrCopy()
004DC604   E8C77AF2FF             call    004040D0 ;copy it
004DC609   FF75E0                 push    dword ptr [ebp-$20]
004DC60C   8D45FC                 lea     eax, [ebp-$04]
004DC60F   BA05000000             mov     edx, $00000005

* Reference to: System..LStrCatN()
004DC614   E87379F2FF             call    00403F8C ;stick together
004DC619   8B45F8                 mov     eax, [ebp-$08] ;our serial
004DC61C   8B55FC                 mov     edx, [ebp-$04] ;real serial

* Reference to: System..LStrCmp()
004DC61F   E8B879F2FF             call    00403FDC   ;compare it
004DC624   0F85E2000000           jnz     004DC70C   ;jump bad boy

Wow everything is clear now!.Our password is B27U03L88E addkey=4173722, multkey=2343486
We know it encrypts edx at 4DC59F with the cryptlib.After crypt,it strips some values and 
this is our serial.For example lets say after encryption we have 2017F93FE82F1A35302B then our
serial is 2017-E82F-302B.Ok our problem is to find where this string comes from at 4DC59F.Lets
fireup SoftICE and trace the code.When you are at 4DC59F look what is in edx by typing d edx.
I saw WM6231132186.Program get this number via deviceiocontrol.It is somehow related with our 
harddisk properties.(I am not talking about the 8 digit hex number which can be get via 
getvolumeinformation).If you look the classes tab in Dede you will see that this program use 
Hdinfo component.I dont know the parameters to get this number via DeviceIocontrol.You can 
try if you want.Lets think again.There must be a relation between "Referans No:" and our serial
or our Harddisk number.How can they know our harddisk number ? Lets go back to dede and click 
FormActivate at events sections.

* Possible String Reference to: "I28R08E64M"   ;password
004DC203   BA98C34D00             mov     edx, $004DC398
* Reference to: Kbcrypt.TCryptLib.WriteFPassword(System.AnsiString) ;super comment!
004DC208   E8D352F7FF             call    004514E0
004DC20D   8B07                   mov     eax, [edi]
004DC20F   8B8064020000           mov     eax, [eax+$0264]
004DC215   BAEDA62B00             mov     edx, $002BA6ED ;addkey=2860781
004DC21A   E8C153F7FF             call    004515E0
004DC21F   8B07                   mov     eax, [edi]
004DC221   8B8064020000           mov     eax, [eax+$0264]
004DC227   BA5C702B00             mov     edx, $002B705C ;multkey=2846812
004DC22C   E85353F7FF             call    00451584
004DC231   8D4DFC                 lea     ecx, [ebp-$04]
004DC234   8B07                   mov     eax, [edi]
004DC236   8B9048030000           mov     edx, [eax+$0348];in edx, again hd number
004DC23C   8B07                   mov     eax, [edi]
004DC23E   8B8064020000           mov     eax, [eax+$0264]
* Reference to: Kbcrypt.TCryptLib.EncryptStr(System.AnsiString) ;Yes!
004DC244   E8CB57F7FF             call    00451A14  ;crypt it
....    ;all this long lines
        ;just copies
        ;encrypted string and add '-'
        ;after every 4 chars
* Possible Reference to Control 'RefenNo:TEdit'
004DC308   8B861C020000           mov     eax, [esi+$021C]

* Reference to: Controls.TControl.SetText()    ;put referans no to edit box.

Hehe yea we found it.When we send "referans no" to this company they first decrypt it and
find our harddisk number then they encrypt it again with another password,addkey and multkey.
After encryption lets say we have 2017F93FE82F1A35302B.Then our serial becomes 
I am not delphi guru but I have succeeded to make working keygen.Here is my source.

procedure TForm1.Button1Click(Sender: TObject);                             
My keygen is not so optimized, you can optimize your keygen by removing some useless codes
e.g. Lzh, some checking routines.... from tcryptlib component.
Final Notes
What we learned is simply "Do not use commercial protections" and power of DEDE.

Dafixer for DEDE (do you remember Merhaba Kardes :) ), risc,Accz,Psychothorn,Tsehp,snake,Chafe,
Carpathia and all helpful guys at #cracking4newbies and #win32asm
LaptoniC (kandirdim_at_hotmail)
Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?