DELmaci.htm: RAINBOW TRIALS

	Rainbow trials Delphi five enterprise trial edition	Not Assigned
12.1.2000	by macilaci
	Courtesy of Fravia's page of reverse engineering	slightly edited by Fravia+
fra_00xx 98xxxx handle 1100 NA PC	All is covered at once, multiple tools used with fine accuracy. Datestamp and encryption routines. To be continued...
	There is a crack, a crack in everything That's how the light gets in
Rating	( )Beginner (X)Intermediate ( )Advanced ( )Expert

An interesting protection from professionals. Will we need a PENTIUM III computer to run these encrypted trials? Or any program that we get?

RAINBOW TRIALS
Delphi five enterprise trial edition
Written by macilaci

Introduction

          It looks that protectors are keeping smarter. They encrypt now whole programs! 
Hard times are comming. Only to create a bruteforcer and wait thousand years. Or reverse
the encryption method? To find weaknesses? Why when they provide the key with? Anyway,
I've found DELPHI Enterprise on Cover CD of computer magazine! YES, they offer a sixty
day trial period. Not bad. I thought.

Tools required

Softice or TRW debugger, Wdasm or IDApro, Procdump, Wisdec,Filemon,Regmon or ExeSpy or Boundschecker

Target's URL/FTP

http://www.borland.com /*available for download!*/, http://www.rnbo.com

Program History

Delphi? - A programming language or what? Rainbow trial? Never heard.

Essay

I - the setup script session

Great tool this Installshield decompiler. This time you'll need the Wisdec. Just for
bypassing the trial key check - or get your unique key from borland.
Start the Wisdec and load up the setup.ins script file. Start the decompilation and
wait a while. The decompilation stops at 0x0014d21. Cancel the decompilation process.
Now look at the string references. MSG_TRIAL_PSWD_FAIL looks fine. So go there and look
around. It looks like this:

00013964: FF96 ??? <-too many questions - could be like pswd.test(string)
00013966: 9642 ???
0001396842FF ???
0001396A: FF95 ???
0001396C: 0022 IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E3 ; our password jump!
0001397A: 0128 NumLocal[0006] = NumLocal[0002] >= 00000003 ; you've tried three times?
0001398C: 0022 IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E2
0001399A: 0112 LoadInternalString ("","MSG_TRIAL_PSWD_FAIL",StrLocal[0004])
000139B8: 002A MessageBox (StrLocal[0004],SEVERE) ;nice
000139C2: 0159 Abort ()

Change to /*use the wisdec help*/ and correct the CRC:
0001396C: 0022 IF NumLocal[0006] != 00000000 THEN GOTO LABEL_03E3

You will pass this check even when nothing has been entered.

II- sixty days left

After reboot run the delphi. Nice window appears after few seconds. Don't click
try yet. Instead hit the CTRL ALT DEL or better run the Procdump. Look at the running
tasks. Our window belongs the Activator! But the delphi is a separate process.
After this I disassembled the activator.exe and found nothing... Nothing useful.
Okay let's try with delphi.exe. Wdasm tells us that this isn't standart PE format and
all references will be terminated. I guessed encrypted exe. Now use the procdump to dump
it. Again Wdasm, but still nothing. Hmm. It's time for heavy artillery - IDApro and load
the dumped version. Some string references. I'm happy. Feature, version, license expiration
-still nothing - it looks like license management system. But our trial works without
a license file, so where it is?
Time for Filemon... Win.ini - no I think no /*I've met this in mijenix's trials*/
lservc - looks interesting,
found:
C:\WINDOWS\SYSTEM\SYSPRST.DLL ; well, this isn't standart PE format, the MZ header is missing too
C:\WINDOWS\SYSTEM\LSPRST.DLL ; the same as above
C:\WINDOWS\SYSTEM\LSPRST.TGZ ; this isn't packed file
C:\WINDOWS\SYSTEM\SYSPRST.TGZ ; this too

these files remain in your system directory after uninstalling too.

A small add on:
Delphi32 Open C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
Delphi32 Read C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
Delphi32 Close C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
/*this file can be found in the PROJECTS directory too*/
Hidden attribute? Secret file? Oh my god!

I decided to run Regmon.
Delphi32 OpenKey HKLM\SOFTWARE\Ntpad\HELPMENU
Delphi32 QueryValueEx HKLM\SOFTWARE\Ntpad\HELPMENU\tin <-here
Delphi32 CloseKey HKLM\SOFTWARE\Ntpad\HELPMENU
Uses delphi notepad? But notepad doesn't use this entry.

Delphi32 SetValueEx HKLM\SOFTWARE\Rainbow\SentinelLM\CurrentVersion\Local\74099 SUCCESS "z }}~z$!{1#1$1 "$$! }|1#1z|{"{""|$1"
; oops this sets something, but I can't understand this string /*highly secret*/

I deleted these registry entries and files, ran the target... YESS, still sixty days left even after
date tamper. Now you can write small file to delete these valu and run the delphi. Always sixty
days left up to the date in the lservc file.

III -constant date/time trick

After I saw what's going on I decided to emulate inputs. The delete approach is effective but not
elegant. Stop, I found timefix.exe. Sweet - references to HKLM\SOFTWARE\Ntpad\HELPMENU\tin and some
more... Try now run the trial with Boundschecker. Sysprst,.... GetLocalTime!! 0x00d217d =0x004d217d

Let's see:

004D2170 sub esp, 0CCh
004D2176 lea eax, [esp+0CCh+var_BC]
004D217A push esi
004D217B push eax
004D217C call ds:GetLocalTime
004D2182 lea ecx, [esp+0D0h+var_CC]
004D2186 push ecx
004D2187 call ds:GetSystemTime
004D218D mov cx, ds:word_0_4858DA
004D2194 cmp [esp+0D0h+var_C2], cx
004D2199 jnz short loc_0_4D21D7
004D219B mov ax, ds:word_0_4858D8
...
004D224A mov eax, [esp+0E8h+var_BC]
004D224E and eax, 0FFFFh
004D2253 push eax
004D2254 call sub_0_4D73F0 ; this returns some strange value in eax and edx
004D2259 mov ecx, [esp+0ECh+arg_0]
004D2260 add esp, 1Ch
004D2263 test ecx, ecx
004D2265 jz shortoc_0_4D2269
004D2267 mov [ecx], eax
004D2269
004D2269 loc_0_4D2269: ; CODE XREF: sub_0_4D2170+F5j
004D2269 pop esi
004D226A add esp, 0CCh
004D2270 retn
004D2270 sub_0_4D2170 endp

Another encryption? Probably yes. Let's see the above routine sub_0_4D73F0:

004D7477 mov [esp+34h+var_14], ebx
004D747B mov [esp+34h+var_1C], ecx
004D747F lea edx, [esi+esi*4]
004D7482 add edx, [esp+34h+arg_14] ;the final edx value
004D7486 lea esi, [edx+eax+7C558180h] ;the final eax=esi value
004D748D mov eax, [esp+34h+arg_18]
004D7491 cmp eax, 1
004D7494 jz short loc_0_4D74B5

Write down the edx and eax and replace the location 004D747F:

004D747F mov edx, 0xbc218be0 ;your edx
mov esi, 0x3876ff50 ;your eax=esi
nop
nop ...

Now you don't have to delete the above mentioned entries and files you can set the time forward
and backward always 60 days left. Click try button. Set now the date forward. Try again. Oh no,
date tamper - couldn't get license string. The date is checked after pressing try button.

IV-more encrypted data

Do you remember the delphi.exe format? It has 11 segments. I looked for another encrypted dll.
found:
dcc50.dll
dclado50.bpl
dcldss50.bpl
dclib50.bpl
dclmid50.bpl
dclnet50.bpl ; this can be found in full install
dclwbm50.bpl ; this too

What a huge protection! I searched for similar location to 4d2170 in delphi.exe. I found.
Simple search 89 4c 24 18 8d 14 b6 03 54 24 4c /*the 004D747B location*/ and patch them like
the delphi.exe. All the above libraries needs patching.

V - run without activator

Back to our bounschecker record. Now look at this when the activator is running.
Api reference: WaitForSingleObject and before CreateProcessA in caitf32.dll module:

00401307 push 0
00401309 call j_CreateProcessA ;here start activator
0040130E test eax, eax
00401310 jz loc_0_4013C0
00401316 test ebx, ebx
00401318 jz loc_0_4013A9
0040131E push 0FFFFFFFFh
00401320 mov ecx, [ebp-14h]
00401323 push ecx
00401324 call j_WaitForInputIdle
00401329 mov [ebp-4], eax
0040132C cmp dword ptr [ebp-4], 0
00401330 jnz short loc_0_4013A0
00401332 push 64h
00401334 mov eax, [ebp-14h]
00401337 push eax
00401338 call j_WaitForSingleObject
...
0040138B push edx
0040138C mov ecx, [ebp-14h]
0040138F push ecx
00401390 call j_GetExitCodeProcess ;and get the result
00401395 jmp short loc_0_4013AE

This subroutine is called from this sub:

004018CC push 1
004018CE mov edx, [ebp+arg_0]
004018D1 push edx
004018D2 call sub_0_401288 ; call the activator routine
004018D7 add esp, 14h
004018DA mov ebx, eax

Each time we press TRY button in the eax is returned the 0x00002716 value. Other registers
doesn't affect the program run. Simple replace:

004018D2 mov eax, 0x00002716 ;now we can run it without activator

And the patch is done. Our trial is running any time we want.

The proggy detected time tamper. I think due the clock, write and read from syprst files.
I luckily found an error return?! In the delphi.exe dll:

0049499C push eax
0049499D call sub_0_494B3D ;checks the sysprst file and more..
004949A2 add esp, 4
004949A5 test eax, eax
004949A7 jnz short loc_0_4949C2 ;change this to jump
004949A9 push 100h
004949AE lea eax, [ebp+var_118]
004949B4 push eax
004949B5 call sub_0_49F129
004949BA add esp, 8
004949BD jmp loc_0_494B34
004949C2 loc_0_4949C2: ; CODE XREF: sub_0_494957+50j
004949C2 mov eax, 0C800100Fh ; probably an error code
004949C7 jmp loc_0_494B36

Final Notes

Always sixty days left? I'm not sure - waiting for delayed reaction of the program. I'm still
missing some answers. To be continued.
Does the C++ builder 5.0 use the same protection?

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:

links

Is reverse engineering legal?