Cracking using DeDe - first essay
Published by Tsehp April 2000
Prologue:
First of all I must thank +DaFixer for the magnificent tool he made. Hey crackers, take a good look at this tool, especially if you work with Delphi targets. I don't explain how to use it, because it is so intuitive and +DaFixer says everything important in his readme.txt. If needed I'll write some first steps for newbies. Feel free to mail me.
How to start cracking?
Always, but ALWAYS, it is essential to know the type of .exe you are playing with. The type of exe determines which tools we use, and the right choice of tools may spare us much, much time. To determine the type of exe, besides experience, other tools may help very well: fa, fs, gt – to find the type of exe, whether it is protected or not, etc.
But definitely one of the best tools for me is ExeScope. In special cases I use Restorator, but only when the target has an enormous number of dialogs which I must inspect quickly. I do not explain the recognition technique now; if needed I'll write an essay especially on this theme - see the prologue.
BTW, all these tools can be found on protools – thank you Kaparo.
What is our target and what tools we need?
Let's crack the target!
Fire up DeDe, choose our target and press the Process button. After some time the target is processed and ready for us to start exploring. Playing with DeDe you very quickly learn what is what and where it is. Now go to the DFM section. This section is responsible for showing Delphi forms in text format. Find TFReg and inspect its caption: this is our "Regist" caption, which means this is the form we are looking for. Do not be afraid if you see some strange characters in the form description or in the hints; the author of ExeScope, Toshi, is Japanese.
Let's sniff some more: press the DCU button and you find all the events which are on the specified form. The most beautiful part comes now: in the left window select the DCU which belongs to TFReg, in the right window select the event (RegBtnClick). Now press the right mouse button and select Disassemble. WOW, what is this? Excellent disassembled code appears right in front of us! Not 10 MB or more of asm code, not somewhere senseless in the code, but exactly where we MUST be: inside the event which happens when someone presses the registration button. If you include Delphi symbols, all Delphi functions are shown by name. If you do not know how to include symbols, read +DaFixer's readme.txt. If this still isn't enough, feel free to email me.
After disassembling we have this situation (the most important part):
* Possible Reference to Control 'NameEdit:TEdit'
0047D12A 8B83DC010000 mov eax, [ebx+$01DC]
* Reference to: Controls.TControl.GetTextBuf()
0047D130 E89B5FFAFF call 004230D0
0047D135 8B55FC mov edx, [ebp-$04]
0047D138 A1EC804800 mov eax, dword ptr [$4880EC]
* Reference to: System.LStrCat()
0047D13D E83A68F8FF call 0040397C
0047D142 8D55FC lea edx, [ebp-$04]
* Possible Reference to Control 'IDEdit:TEdit'
0047D145 8B83E0010000 mov eax, [ebx+$01E0]
* Reference to: Controls.TControl.GetTextBuf()
0047D14B E8805FFAFF call 004230D0
0047D150 8B55FC mov edx, [ebp-$04]
0047D153 A19C804800 mov eax, dword ptr [$48809C]
* Reference to: System.LStrCat()
0047D158 E81F68F8FF call 0040397C
0047D15D 8B159C804800 mov edx, [$48809C]
0047D163 8B12 mov edx, [edx]
0047D165 A1947F4800 mov eax, dword ptr [$487F94]
0047D16A 8B00 mov eax, [eax]
* Reference to published proc: TFMain.CheckCode
<- People, look at this: no disassembler today can do that in this way, not even our beloved IDA without hard work and many hours of thinking, believe me.
0047D16C E8DB780000 call 00484A4C
0047D171 84C0 test al, al
0047D173 0F848D000000 jz 0047D206
<- What do you mean, how much does one need to crack this jump (only a nop or a jmp)? But that is not OK, because elsewhere in the code there may be some other check for the serial. Actually I think there is, but I don't look for it, because I want to show the strength of DeDe. Well, patching would be very easy, but let's explore some more. In this case you can do it in the following two ways.
A little theory before continuing. Delphi references variables on the stack in the following way: [ebp+xy] (a positive offset) is a parameter passed on the stack (Delphi's default calling convention passes the first three parameters in eax, edx and ecx, so only further parameters land here), and [ebp-xy] (a negative offset) is a local variable. Global variables are not reached through ebp at all; they are addressed directly, like mov eax, dword ptr [$4880EC] above. Following the call into TFMain.CheckCode at 00484A4C, we find the following:
00484A6C 8B45FC mov eax, [ebp-$04]
<- pointer to the local var (our code string) in eax
* Reference to: System.LStrOfChar()
00484A6F E830F1F7FF call 00403BA4
<- DeDe finds just fine what this call is, but only if you include symbols. Whatever the symbol says, its result is compared with $0A right after, so what comes back in eax is the length of the string.
00484A74 83F80A cmp eax, +$0A
<- look, look, our code must be 10 chars
00484A77 7527 jnz 00484AA0
<- if not, go out you bad cracker
00484A79 8B45FC mov eax, [ebp-$04]
00484A7C 803841 cmp byte ptr [eax], $41
<- is the first char 'A' ($41)?
00484A7F 751F jnz 00484AA0
<- nope, go out you bad cracker
00484A81 8B45FC mov eax, [ebp-$04]
00484A84 0FB64008 movzx eax, byte ptr [eax+$08]
<- take the char at offset 8 (the 9th char, counting from 1) into eax
00484A88 8B55FC mov edx, [ebp-$04]
00484A8B 0FB65209 movzx edx, byte ptr [edx+$09]
<- take the char at offset 9 (the 10th and last char) into edx
00484A8F 03C2 add eax, edx
<- add edx to eax, result in eax
00484A91 B90A000000 mov ecx, $0000000A
00484A96 99 cdq
00484A97 F7F9 idiv ecx
<- divide by ten (cdq sign-extends eax into edx:eax first); quotient in eax, remainder in edx
00484A99 83FA04 cmp edx, +$04
<- if the remainder is 4 all is OK, you registered it! I suggest something like A234567808 as the serial number (10 chars: 'A', seven arbitrary chars, then '0' and '8'), because ($30+$38) mod $A gives remainder 4; $30 and $38 are the hex values of our last two chars, 0 and 8. In this routine only the first and the last two chars are checked; the seven in between are never read.
00484A9C 7502 jnz 00484AA0
<- nope, go out you bad cracker
00484A9E B301 mov bl, $01
<- set the result flag to True; every failed check jumps to 00484AA0 and skips this
00484AA0 33C0 xor eax, eax
00484AA2 5A pop edx
00484AA3 59 pop ecx
00484AA4 59 pop ecx
As I said before, if you do not like math, just put a bpx on $00484A99 in Ice, TRW, TD32 or some other Windows debugger and read the remainder in edx, but remember the code must start with a capital A and be 10 chars long, and, I almost forgot, you may use any name. Last word: ExeScope does not say anything like "Thank you" or similar, it only complains if you enter a wrong serial code.
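To see the recovered check as a whole, here is an added example (my Python, not code from the essay, from DeDe or from the target): check_code mirrors the disassembly of TFMain.CheckCode step by step, and complete_serial generalizes the arithmetic above to any nine leading characters. The function names and the sample serials are constructed for illustration.

```python
# Added example: re-implementation of the serial check recovered from the
# TFMain.CheckCode disassembly (00484A6C..00484A9C). Not the target's code.


def check_code(serial: str) -> bool:
    """Apply the disassembled checks in the same order as the binary.

    00484A74  cmp eax, +$0A             -> length must be exactly 10
    00484A7C  cmp byte ptr [eax], $41   -> first byte must be 'A' (0x41)
    00484A84  movzx eax, byte ptr [eax+$08]
    00484A8B  movzx edx, byte ptr [edx+$09]
    00484A8F  add eax, edx              -> sum of the bytes at offsets 8 and 9
    00484A97  idiv ecx  (ecx = 10)      -> remainder lands in edx
    00484A99  cmp edx, +$04             -> remainder must be 4
    """
    data = serial.encode("latin-1", errors="replace")  # raw bytes, like movzx sees them
    if len(data) != 10:                 # cmp eax, +$0A / jnz 00484AA0
        return False
    if data[0] != 0x41:                 # cmp byte ptr [eax], $41 / jnz 00484AA0
        return False
    total = data[8] + data[9]           # movzx + movzx + add eax, edx
    return total % 10 == 4              # cdq / idiv ecx / cmp edx, +$04


def complete_serial(first_nine: str) -> str:
    """Append the one digit that makes a 9-character prefix pass check_code.

    Only offsets 0, 8 and 9 matter to the routine, so given 'A' plus eight
    arbitrary characters we need a 10th byte b with (byte[8] + b) mod 10 == 4.
    The digits '0'..'9' are 0x30..0x39, ten consecutive values, so exactly one
    of them yields the required remainder.
    """
    if len(first_nine) != 9 or first_nine[0] != "A":
        raise ValueError("need exactly 9 characters starting with 'A'")
    c8 = ord(first_nine[8])
    for last in "0123456789":
        if (c8 + ord(last)) % 10 == 4:
            return first_nine + last
    raise AssertionError("unreachable: one digit always fits")


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for candidate in ("A234567808", "A23456708", "B234567808", "A234567890"):
        print(candidate, check_code(candidate))
    print(complete_serial("AXXXXXXXX"), check_code(complete_serial("AXXXXXXXX")))
```

The 9-character string in the sample loop fails on the length test alone, which is the first thing the routine looks at; a debugger breakpoint at 00484A99 would never be reached for it.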
Epilogue:
Basically, an intermediate-skill cracker can do this registration with DeDe alone without any problem. This is my first public tutorial; feel free to send your comments or questions on