Delphi Reversing
by LaptoniC

Introduction by +Tsehp
Delphi reversing became much easier with the help of DaFixer's DeDe. It is a very powerful tool. It can identify most Delphi functions, can dump a process and disassemble it (good for packed exes), and much more. Let's try to learn what DeDe offers us.
Delphi reversing
Commercial stupidity
Written by LaptoniC
My target is written in Delphi, it is packed with ASPack v1.083 and it uses the hard disk number for the serial calculation. Therefore only two approaches are possible: make an inline or memory patch, or make a keygen. I will try to explain both approaches. My language and knowledge are poor, so if something is wrong please accuse me and tell me about the error via e-mail (kandirdim_at_hotmail).
SoftICE, DeDe v2.34, Delphi and the TCryptLib component if you want to code a keygen.
www.bsoft.com.tr, go to the e-cafe link and download the demo version.
None.
As I said before there are two approaches; the first is the patch and the other is the keygen.

PATCH:

The first step is finding the comparison. Open e-cafe, click the surfing man button and choose "Kayıt işlemi". You will see three edit boxes for the serial. Write something, switch to SoftICE and click the "Tamam" button. (If you want to make your SoftICE session easier you can make a sym file with the help of DeDe. Go to the export section and make a map file. Then convert this map file to a sym file and you are ready to go.) After several F12's you will land in E-cafe's code. Follow the code and stop when you see this.

004DC60C 8D45FC       lea eax, dword ptr [ebp-04]
004DC60F BA05000000   mov edx, 00000005
004DC614 E87379F2FF   call 00403F8C
004DC619 8B45F8       mov eax, dword ptr [ebp-08]   ;our serial
004DC61C 8B55FC       mov edx, dword ptr [ebp-04]   ;real serial
004DC61F E8B879F2FF   call 00403FDC                 ;compare
004DC624 0F85E2000000 jne 004DC70C                  ;if not equal jump to bad cracker
.....
004DC70C B148         mov cl, 48                    ;message box style (error)
004DC70E BA18C84D00   mov edx, 004DC818             ;Title of message
004DC713 B8DCC84D00   mov eax, 004DC8DC             ;Body of message
004DC718 E8AF610000   call 004E28CC                 ;Show message

The easiest way is to send the good serial to the message box. Therefore when we enter a bad serial the program will show the good serial. Let's test our patch in memory: when you are at 004DC713 type a and press enter. Then write

004DC70C B149         mov cl, 49                    ;messagebox style (info) :)
004DC70E BA18C84D00   mov edx, 004DC818             ;Title of message
004DC713 8B45FC       mov eax, [ebp-04]             ;Real serial
004DC716 90           nop                           ;to fill space
004DC717 90           nop
As you know, patching a packed program can't be done directly. You can use memory patchers like risc's process patcher or you can make an inline patch. Here is the end of the unpacker routine, as you probably know...

...
8944241C   MOV [ESP+1C], EAX
61         POPAD
7508       JNZ 00681563        ; you probably think to change this jump to your patch
B801000000 MOV EAX, 00000001
C20C00     RET 000C
50         PUSH EAX
C3         RET

If you search for 7508B801000000 you won't find anything, because the loader itself is packed too. Therefore you should patch the loader, then the program. It is a long process and I am not a professional on this subject (any help or tutorial?), so I used ASPatch and it works pretty well. Thanks Chafe. First part done. Let's go to the second part and make a keygen.

Note: You may think to change 004DC619 so that it sends the real serial to eax. However, when the program writes the serial to the registry it uses the value at [ebp-08]. Therefore it shows the thank you message but it writes the bad serial to the registry.
KEYGEN:
Here comes DeDe's show. In order to disassemble with DeDe you should unpack the target, or you can use DeDe's powerful tool "Process dumper". Open E-cafe first, then DeDe. Go to Tools/Dump Active Process. Choose E-cafe from the process list and dump it. Wait a little bit and you will have a super disassembly of our program. Let's find our registration screen. Go to Procedures and choose kayit. You will see some events. Click the BitBtn1Click event and scroll down a little bit.

* Possible String Reference to: "B27U03L88E"
|
004DC55D BA04C84D00   mov edx, $004DC804
004DC562 E8794FF7FF   call 004514E0
...

What is this "B27U03L88E"? Let's click the call at 4DC562 and you will see this..
* Reference to: System..LStrClr()
|
00451510 E83B27FBFF   call 00403C50
* Possible String Reference to: "TCryptLib.Password is too long"   ;Aha :)
|
00451515 B964154500   mov ecx, $00451564
0045151A B201         mov dl, $01
0045151C A198704000   mov eax, dword ptr [$407098]

Again, commercial stupidity. They use the component TCryptLib. Let's search what this component is and what we can do. I found this component at http://ntadm.euro.ru. I downloaded it and looked at what is going on. It is a simple XOR algorithm. I disassembled the sample exe file and tried to identify what is what. There are 3 elements in this component: password, addkey, multkey. Addkey and multkey are integer values. When you encrypt a string, first the password is pushed, then addkey, then multkey and lastly the string to be encrypted is pushed. Let's look at our source again. In order to make our disassembly more comprehensive, let's make a DSF file for this component. What is a DSF file? "DSF files contain the symbols of the exports from different BPL libraries. DeDe disassemble engine uses these symbol files to comment the class member method calls in the ASM source it generates. The ideology is very close to the IDA symbol files for VCL, MFC etc." In order to make a DSF file you need Delphi. Open Delphi and install our component. After the install you will have a .bpl file in the projects/bpl directory of your Delphi. Open DeDe, go to Tools/Bpl Dumper and dump it. After the dump, load this dsf file into DeDe. If you don't have Delphi to make the dsf file, you can download it from here. I suggest you add this dsf file to the default dsfs via the option menu. Let's load our target again and look at what we have now.

* Possible String Reference to: "B27U03L88E"
|
004DC55D BA04C84D00   mov edx, $004DC804
* Reference to: Kbcrypt.TCryptLib.WriteFPassword(System.AnsiString)   ;super comment!
|
004DC562 E8794FF7FF   call 004514E0
004DC567 A1C4F94E00   mov eax, dword ptr [$4EF9C4]
004DC56C 8B00         mov eax, [eax]
004DC56E 8B8064020000 mov eax, [eax+$0264]
004DC574 BA9AAF3F00   mov edx, $003FAF9A            ;addkey=4173722 (as decimal)
004DC579 E86250F7FF   call 004515E0                 ;control addkey length
004DC57E A1C4F94E00   mov eax, dword ptr [$4EF9C4]
004DC583 8B00         mov eax, [eax]
004DC585 8B8064020000 mov eax, [eax+$0264]
004DC58B BA3EC22300   mov edx, $0023C23E            ;multkey=2343486 (as decimal)
004DC590 E8EF4FF7FF   call 00451584                 ;control multkey length
004DC595 8D4DFC       lea ecx, [ebp-$04]
004DC598 A1C4F94E00   mov eax, dword ptr [$4EF9C4]
004DC59D 8B00         mov eax, [eax]
004DC59F 8B9048030000 mov edx, [eax+$0348]          ;string to be crypted
004DC5A5 A1C4F94E00   mov eax, dword ptr [$4EF9C4]
004DC5AA 8B00         mov eax, [eax]
004DC5AC 8B8064020000 mov eax, [eax+$0264]
* Reference to: Kbcrypt.TCryptLib.EncryptStr(System.AnsiString)   ;Yes!
|
004DC5B2 E85D54F7FF   call 00451A14                 ;crypt it
004DC5B7 8D45E8       lea eax, [ebp-$18]
004DC5BA 50           push eax
004DC5BB B904000000   mov ecx, $00000004            ;4 chars to copy
004DC5C0 BA01000000   mov edx, $00000001            ;from 1st position
004DC5C5 8B45FC       mov eax, [ebp-$04]
* Reference to: System..LStrCopy()
|
004DC5C8 E8037BF2FF   call 004040D0                 ;copy it
004DC5CD FF75E8       push dword ptr [ebp-$18]
004DC5D0 68F8C74D00   push $004DC7F8
004DC5D5 8D45E4       lea eax, [ebp-$1C]
004DC5D8 50           push eax
004DC5D9 B904000000   mov ecx, $00000004            ;4 chars to copy
004DC5DE BA09000000   mov edx, $00000009            ;from 9th position
004DC5E3 8B45FC       mov eax, [ebp-$04]
* Reference to: System..LStrCopy()
|
004DC5E6 E8E57AF2FF   call 004040D0                 ;copy it
004DC5EB FF75E4       push dword ptr [ebp-$1C]
004DC5EE 68F8C74D00   push $004DC7F8
004DC5F3 8D45E0       lea eax, [ebp-$20]
004DC5F6 50           push eax
004DC5F7 B904000000   mov ecx, $00000004            ;4 chars to copy
004DC5FC BA11000000   mov edx, $00000011            ;from 17th position
004DC601 8B45FC       mov eax, [ebp-$04]
* Reference to: System..LStrCopy()
|
004DC604 E8C77AF2FF   call 004040D0                 ;copy it
004DC609 FF75E0       push dword ptr [ebp-$20]
004DC60C 8D45FC       lea eax, [ebp-$04]
004DC60F BA05000000   mov edx, $00000005
* Reference to: System..LStrCatN()
|
004DC614 E87379F2FF   call 00403F8C                 ;stick together
004DC619 8B45F8       mov eax, [ebp-$08]            ;our serial
004DC61C 8B55FC       mov edx, [ebp-$04]            ;real serial
* Reference to: System..LStrCmp()
|
004DC61F E8B879F2FF   call 00403FDC                 ;compare it
004DC624 0F85E2000000 jnz 004DC70C                  ;jump bad boy

Wow, everything is clear now! Our password is B27U03L88E, addkey=4173722, multkey=2343486. We know it encrypts edx at 4DC59F with the cryptlib. After the encryption it strips some values and this is our serial. For example, let's say after encryption we have 2017F93FE82F1A35302B; then our serial is 2017-E82F-302B. Ok, our problem is to find where the string at 4DC59F comes from. Let's fire up SoftICE and trace the code. When you are at 4DC59F look at what is in edx by typing d edx. I saw WM6231132186. The program gets this number via DeviceIoControl. It is somehow related to our hard disk properties. (I am not talking about the 8 digit hex number which can be obtained via GetVolumeInformation.) If you look at the classes tab in DeDe you will see that this program uses the HdInfo component. I don't know the parameters to get this number via DeviceIoControl. You can try if you want. Let's think again. There must be a relation between "Referans No:" and our serial or our hard disk number. How can they know our hard disk number? Let's go back to DeDe and click FormActivate in the events section.

* Possible String Reference to: "I28R08E64M"   ;password
|
004DC203 BA98C34D00   mov edx, $004DC398
* Reference to: Kbcrypt.TCryptLib.WriteFPassword(System.AnsiString)   ;super comment!
|
004DC208 E8D352F7FF   call 004514E0
004DC20D 8B07         mov eax, [edi]
004DC20F 8B8064020000 mov eax, [eax+$0264]
004DC215 BAEDA62B00   mov edx, $002BA6ED            ;addkey=2860781
004DC21A E8C153F7FF   call 004515E0
004DC21F 8B07         mov eax, [edi]
004DC221 8B8064020000 mov eax, [eax+$0264]
004DC227 BA5C702B00   mov edx, $002B705C            ;multkey=2846812
004DC22C E85353F7FF   call 00451584
004DC231 8D4DFC       lea ecx, [ebp-$04]
004DC234 8B07         mov eax, [edi]
004DC236 8B9048030000 mov edx, [eax+$0348]          ;in edx, again the hd number
004DC23C 8B07         mov eax, [edi]
004DC23E 8B8064020000 mov eax, [eax+$0264]
* Reference to: Kbcrypt.TCryptLib.EncryptStr(System.AnsiString)   ;Yes!
|
004DC244 E8CB57F7FF   call 00451A14                 ;crypt it
....                                                ;all these long lines just copy the
                                                    ;encrypted string and add '-'
                                                    ;after every 4 chars
* Possible Reference to Control 'RefenNo:TEdit'
|
004DC308 8B861C020000 mov eax, [esi+$021C]
* Reference to: Controls.TControl.SetText()         ;put the referans no into the edit box

Hehe, yeah, we found it. When we send the "referans no" to this company they first decrypt it and find our hard disk number, then they encrypt it again with another password, addkey and multkey. After encryption let's say we have 2017F93FE82F1A35302B; then our serial becomes 2017-E82F-302B. I am not a Delphi guru but I have succeeded in making a working keygen. Here is my source.

procedure TForm1.Button1Click(Sender: TObject);
var
  Serial: string;   // the Referans No from Edit1, with its '-' separators removed
begin
  Serial := Edit1.Text;
  Serial := copy(Serial,1,4)+copy(Serial,6,4)+copy(Serial,11,4)+copy(Serial,16,4)+
            copy(Serial,21,4)+copy(Serial,26,4);
  CryptLib1.Addkey := 2860781;
  CryptLib1.Multkey := 2846812;
  CryptLib1.Password := 'I28R08E64M';
  Serial := CryptLib1.DecryptStr(Serial);
  CryptLib1.Addkey := 4173722;
  CryptLib1.Multkey := 2343486;
  CryptLib1.Password := 'B27U03L88E';
  Serial := CryptLib1.EncryptStr(Serial);
  Edit2.Text := copy(Serial,1,4)+'-'+copy(Serial,9,4)+'-'+copy(Serial,17,4);
end;

My keygen is not very optimized; you can optimize your keygen by removing some useless code, e.g. Lzh and some checking routines, from the TCryptLib component.
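The flaw the essay exposes is structural: password, addkey and multkey sit inside the client, so whoever reads them out of the binary can run the vendor's computation. As an added example (not from the essay and unrelated to E-cafe's real code), here is a Go sketch of a hard-disk-bound serial where the client holds only a public key; the hwid value and the ecafe-hwid-v1 context string are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// Domain-separation prefix (constructed for this example) so a signature over a
// hardware id cannot be replayed as a signature over some other vendor message.
const serialContext = "ecafe-hwid-v1:"
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// IssueSerial runs on the vendor side only: it signs the customer's hardware id
// with a private key that is never shipped inside the client executable.
func IssueSerial(priv ed25519.PrivateKey, hwid string) string {
	sig := ed25519.Sign(priv, []byte(serialContext+hwid))
	enc := b32.EncodeToString(sig)
	// 4-character groups joined by '-', like the essay's XXXX-XXXX-XXXX layout;
	// there are more groups because a 64-byte signature does not fit in 12 chars.
	var groups []string
	for i := 0; i < len(enc); i += 4 {
		end := i + 4
		if end > len(enc) {
			end = len(enc)
		}
		groups = append(groups, enc[i:end])
	}
	return strings.Join(groups, "-")
}

// CheckSerial runs in the client: the only embedded value is the public key,
// and recovering it from the binary does not let anyone issue serials.
func CheckSerial(pub ed25519.PublicKey, hwid, serial string) bool {
	sig, err := b32.DecodeString(strings.ReplaceAll(serial, "-", ""))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(serialContext+hwid), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair
	hwid := "WM0000000000"                           // constructed hard disk id
	s := IssueSerial(priv, hwid)
	fmt.Println(s, CheckSerial(pub, hwid, s), CheckSerial(pub, "WM0000000001", s))
}
```

The price is a longer serial: a 12-character code cannot carry a signature, so a scheme like this needs a bigger input field or a license file instead of three edit boxes.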
What we learned is simply "Do not use commercial protections" and the power of DeDe.

Greetings: DaFixer for DeDe (do you remember Merhaba Kardes :) ), risc, Accz, Psychothorn, Tsehp, snake, Chafe, Carpathia and all the helpful guys at #cracking4newbies and #win32asm
LaptoniC (kandirdim_at_hotmail)