BiW Reversing Forum
Cracking delphi

 
SeRiALiZeR (Occasional Poster, joined 10 Oct 2005, 33 posts)
Posted: Mon Jul 10, 2006 12:14 pm, subject: Cracking delphi

I need help with cracking nag in this proggy:

http://www.benutec.com/download/spymypc_trial.exe

The program is written in Borland Delphi 6.0-7.0. Can you help me with this? I have cracked a lot of Delphi programs, but my weak point has always been cracking nags in Delphi. Some tutorial would be great. Thanks

greetz
dila (Occasional Poster, joined 13 Jul 2005, 44 posts, England)
Posted: Mon Jul 10, 2006 2:03 pm

If you load unpacked Delphi apps in a resource editor (e.g. ResHack) you can't modify the dialogs using the GUI editor, but you can see the scripts that describe the GUI. The Delphi resource scripts also have events for command button clicks, window load/exit, timers, etc.
I once removed a nag by replacing the form OnLoad event with the function called on the "run trial version" button, and the nag screen disappeared as soon as the window was displayed.
It's quite a crude method, but it has worked a few times for me, without any actual code reversing at all.
SKiLLa (Frequent poster, joined 29 Mar 2005, 79 posts)
Posted: Tue Jul 11, 2006 6:41 pm

Search for string-refs and you'll find some trial-related strings, follow it in disasm, BP first cmd of the function(s), run the app, on BP check stack and load the return-address in the disassembler. Repeating this 'BP first cmd of the function' sequence you'll finally end up here:

Code:
004655D9        FF53 68          call    [ebx+68]
004655DC        803C24 00        cmp     byte ptr [esp], 0
004655E0        75 12            jnz     short 004655F4

(Returning from the call [ebx+68]) ... scroll up a little and you'll see a call to 00403340 ... change that function so it always returns [AL] = 0 and you're good to go ...

You might need to patch at some other place too, but with the fix above the app runs without a nag & expiry on my VM. Good luck!
SeRiALiZeR (Occasional Poster, joined 10 Oct 2005, 33 posts)
Posted: Thu Jul 13, 2006 9:53 pm

SKiLLa wrote:
... change that function so it always returns [AL] = 0 and you're good to go ...


I did not quite understand what to patch here. If you can, please post some picture. Thanks

SeRiALiZeR
SKiLLa (Frequent poster, joined 29 Mar 2005, 79 posts)
Posted: Fri Jul 14, 2006 7:45 am

Just patch the function @ 00403340 any way you like, as long as it returns [AL] = 0. I don't have the target installed anymore, but simply overwriting the first cmds of the function should work:

00403340 MOV AL, 0
00403342 RETN

Good luck!
SeRiALiZeR (Occasional Poster, joined 10 Oct 2005, 33 posts)
Posted: Fri Jul 14, 2006 10:20 am

Please see picture.


[Attachment: untitled.JPG, 173.15 KB]
SKiLLa (Frequent poster, joined 29 Mar 2005, 79 posts)
Posted: Fri Jul 14, 2006 12:58 pm

You can patch your highlighted call @004655B8 (NOP'ing it and also NOP'ing the conditional JMPs below it), but it's more robust & elegant to patch the function @00403340 itself, since the function @00403340 is (or can be) called multiple times from within the program. In most cases you want to try to patch at the deepest level, since it's likely to require the least number of bytes to be patched. Of course, with the more complex verification schemes things can differ, but it's a good rule of thumb.

So make the patch @00403340 as I posted above instead of @004655B8.
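An added illustration from the defender's side, not part of this thread or of the target program: a single shared trial-check routine stubbed out to always return false, as discussed above, is exactly the kind of change a start-up code-integrity check catches. The routine bytes, the stub encoding and the build-time CRC here are all constructed for the example.

```c
/* Added example (constructed data): code-integrity check that flags a
 * routine whose first bytes have been overwritten with "MOV AL,0 / RETN". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the first bytes of a Delphi-style
 * "trial expired?" routine (push ebx / mov ebx,eax / xor eax,eax / pop ebx / ret). */
static const uint8_t ORIGINAL_FN[] = { 0x53, 0x8B, 0xD8, 0x33, 0xC0, 0x5B, 0xC3 };

/* The 3-byte stub from the thread: MOV AL,0 ; RETN (assumed encoding B0 00 C3). */
static const uint8_t STUB_PATCH[] = { 0xB0, 0x00, 0xC3 };

/* Plain CRC-32 (IEEE, reflected, poly 0xEDB88320) over a code region,
 * the table-free form a binary might embed to verify itself at start-up. */
uint32_t crc32_region(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Cheap secondary signal: does the routine begin with the "always false" stub? */
int starts_with_stub(const uint8_t *code, size_t n) {
    return n >= sizeof STUB_PATCH &&
           memcmp(code, STUB_PATCH, sizeof STUB_PATCH) == 0;
}

/* Simulate the patch and report whether the integrity check would flag it.
 * Returns 1 when tampering is detected, 0 when the routine is intact. */
int detect_stub_patch(int apply_patch) {
    uint8_t code[sizeof ORIGINAL_FN];
    memcpy(code, ORIGINAL_FN, sizeof code);
    /* In a real build this constant is computed at link time and stored
     * away from the routine it protects; here it is derived in place. */
    uint32_t expected = crc32_region(ORIGINAL_FN, sizeof ORIGINAL_FN);
    if (apply_patch)
        memcpy(code, STUB_PATCH, sizeof STUB_PATCH); /* overwrite first 3 bytes */
    return crc32_region(code, sizeof code) != expected ||
           starts_with_stub(code, sizeof code);
}
```

The CRC comparison is the general mechanism; the prefix check only illustrates why a 2-instruction stub is trivially recognisable once someone looks.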
All times are GMT + 1 Hour
Copyright © 2022 BiW Reversing