ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking And Cracking MoreMotion Advanced Suite v3.2>


Information: Unpacking & Cracking A Custom Delphi Stub
Target: MoreMotion Advanced Suite v3.2 Build 0.44
Available: http://intechhosting.com/~access/ARTeam/tools/mmAdvancedSuite_en_v3.2.zip
Tools: OllyDbg 1.10, ImpREC, LordPE, Re-Pair
Protection: Custom Delphi Stub
Level: Intermediate
Category: Unpacking, cracking a Custom Delphi Stub
Author(s): MaDMAn_H3rCuL3s, August 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction

 

  Today's tutorial is on unpacking and cracking a custom Delphi stub. The reason for picking it is that most tutorials today cover commercial protections. This one focuses mainly on unpacking, and then on using our brains to crack this particular application. The stub is really easy to unpack, but to a newbie it would be a bit difficult. In this protection we have a few things to go on. Like most protections, there is an SFX section that writes/decrypts the actual code section we so much desire. A few prerequisites are required. First, we must have OllyDbg installed with the Re-Pair patch applied; that lets us forget the rest of the "hide Olly" tools. Then, like with most packers, we will have to fix the RestoreLastError import to SetLastError, or the dump won't run on Win2K. I will do that with LordPE instead of ImpREC, only because we are trying to broaden our tool usage. So our first objective is: find the OEP, dump, rebuild the imports, fix the bad API. Later on we will learn to use the call stack and back-trace to get our desired registration details. This particular target requires two things (besides unpacking):

1. An evaluation license (so we can use the app at all). We will go over this.

2. A registered license (so we can use the application even after the evaluation expires). We will go over this as well.

 

This application produces two "license" files. One, as we will see, is located in "\Documents and Settings\<user name>\Application Data\mmDesigner", and the other resides in the installed directory. So we will force the application to produce the two files for us, then save our changes (patches) so we can use this product as long as we like. But you are reminded: IF YOU USE THE APPLICATION, BUY IT!

One last thing. When we install we get a few directories; the one we are interested in is mmdesigner. There are a few exe's in it. "mmad.exe" is the loader for the main exe, so we won't touch it; instead we work on "_mmad.exe", because that is the main program.
 



2. Mapping and scoping out our target application.

  Okay people, let's load "_mmad.exe" into Olly; we get this warning:

 

Hit "OK" and we are here:

Now this may look like a regular app, but believe me it's not. We must find the real EP of this program in order to do anything to it. If we click the "M" toolbar button or hit ALT+M (Memory Map) we see this:

We see that this program has an SFX section, which is pretty self-explanatory: it is where the EP we are sitting at lives, and it will write/decrypt the real CODE section for us. But we have to know when it is done. How? With a few breakpoints. It is a given that the stub has to write the CODE section, so in the Memory Map select the CODE section and press F2 (break on access), then hit F9 to run until we break there.

You should be here after hitting F9:

Okay, this is pretty much the standard thing to see: it is writing our section here. And how do we know this?

We see it copies the bytes from one section to the next. After we break here, set a BP on the RETN and hit F9 to break there.

 

Now set the memory breakpoint on the CODE section again and run to break on it once more.

 

After a long pause (about 10 seconds on my CPU; might be less on yours if it's faster)...

 

...we land here.

And we see the rest of our section is decrypted. So all that's left now is to find the OEP and then dump/rebuild.

So again set a BP on the RETN and break there.

And then again set the memory breakpoint on the CODE section (last time, I promise).

 

Then hit F9 to break on it.

And there we have it: the OEP!

Now all that's left to do is dump it and then rebuild the imports.

So using the OllyDump plugin, we dump the application. I assume you can do that alone, without any pictures. Make sure you uncheck the "Rebuild Import" option; we will use ImpREC to do this for us.

There's a picture anyway.

 

Save it as whatever, then start up ImpREC.

Attach to the process, enter our OEP (as an RVA, i.e. with the image base subtracted), click "IAT AutoSearch", then click "Get Imports".

 

Now just fix the already-dumped file with our IAT ("Fix Dump"). Next, start up LordPE and fix our bad API. I am sure a lot are wondering why exactly we need to fix it. The reason is simple: RestoreLastError is not exported by the kernel32 of Win2K; only SetLastError is there, and the two do exactly the same thing. The dumped IAT names the entry RestoreLastError because that is the XP kernel32 export ImpREC matched the resolved address to. Why Billy included this API in XP, only he will ever know. If you look on MSDN you will find the following quote about it:

I highlighted the quote for you (excerpted from the Windows 2003 MSDN); in short, RestoreLastError restores the last-error code for the calling thread and is only documented for Windows XP and later.

That is all I could find on it in about 5 minutes. :)

 

Then click the "PE Editor" button and select our dumped file.

 

Then click the "Directories" button.

Now click the left-most "..." button next to the Import Table entry.

We know the bad API is imported from kernel32.dll, so select the kernel32.dll entry and scroll through its list of APIs until we find the one we want to edit.

Now that we found it, right-click it and select "edit".

Now we see this screen:

So just delete the "Restore" and make it say "Set".

Now save the changes and we are all good to run on Win2K.
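For those who would rather script the import fix than click through LordPE, here is an added example (not part of the original tutorial, and not MoreMotion's or ARTeam's code) that walks the dumped file's PE32 import directory with nothing but struct and renames kernel32!RestoreLastError to SetLastError in place. SetLastError is shorter, so the leftover bytes are NUL-padded and nothing in the file moves. The PE it runs on here is a constructed, minimal image whose only import is RestoreLastError; that image, and Python 3, are assumptions of the example, not something from the page.

```python
"""Rename kernel32!RestoreLastError -> SetLastError in a dumped PE32 file.

Added example, not the tutorial's code.  Walks the import directory the
way the loader does (descriptor -> thunk array -> hint/name), so it also
works on an ImpREC-rebuilt dump where OriginalFirstThunk may be zero.
"""
import struct
import sys

OLD_NAME = b"RestoreLastError"
NEW_NAME = b"SetLastError"          # shorter, so it fits in the same slot


def _sections(data):
    """Yield (virtual_address, virtual_size, raw_pointer, raw_size) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        yield va, vsize, rptr, rsize


def rva_to_offset(data, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, rptr, rsize in _sections(data):
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def read_cstr(data, off):
    return bytes(data[off:data.index(b"\0", off)])


def iter_named_imports(data):
    """Yield (dll_name, file_offset_of_api_name, api_name) for every by-name import."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # data directory[1] (import table) sits at optional header + 104 in PE32
    imp_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 104)[0]
    desc = rva_to_offset(data, imp_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:            # all-zero descriptor ends the list
            break
        dll = read_cstr(data, rva_to_offset(data, name_rva))
        thunk = rva_to_offset(data, oft or ft)   # raw dumps often leave OFT = 0
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if not entry & 0x80000000:           # high bit set = import by ordinal
                name_off = rva_to_offset(data, entry) + 2   # skip the 2-byte hint
                yield dll, name_off, read_cstr(data, name_off)
            thunk += 4
        desc += 20


def fix_restorelasterror(data):
    """Return (patched_bytes, count) with every kernel32!RestoreLastError renamed."""
    out = bytearray(data)
    count = 0
    for dll, off, name in iter_named_imports(out):
        if dll.lower() == b"kernel32.dll" and name == OLD_NAME:
            out[off:off + len(OLD_NAME) + 1] = NEW_NAME.ljust(len(OLD_NAME) + 1, b"\0")
            count += 1
    return bytes(out), count


def build_sample_pe():
    """Constructed minimal PE32 (sample input, not a real dump): one section at
    RVA 0x1000 holding an import table for kernel32.dll!RestoreLastError."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(0x100)
    # 0x00 descriptor (OFT=0 like a raw dump), 0x14 terminator, 0x40 thunks,
    # 0x50 hint+name, 0x70 dll name
    struct.pack_into("<IIIII", body, 0, 0, 0, 0, sec_va + 0x70, sec_va + 0x40)
    struct.pack_into("<II", body, 0x40, sec_va + 0x50, 0)
    body[0x52:0x52 + len(OLD_NAME)] = OLD_NAME   # hint bytes at 0x50 stay 0
    body[0x70:0x70 + 12] = b"kernel32.dll"
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)       # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 104, sec_va, 40)   # import directory RVA/size
    sec = 0x58 + 0xE0
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_va, len(body), sec_raw)
    return bytes(hdr + body)


if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    fixed, n = fix_restorelasterror(src)
    print("renamed %d import(s)" % n)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
```

Run it as `python fix_rle.py dump_.exe dump_fixed.exe`; with no arguments it works on the built-in sample. The rename is done through the thunk array rather than by a blind string search so that a "RestoreLastError" string elsewhere in the binary (a Delphi string constant, say) is left alone, and the length check on the slot is what makes the in-place edit safe.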

There, this section is completed. You learned to unpack a custom Delphi stub. The next section deals with actually cracking it. Take a break and relax. :)

 



3. Cracking the Application.

  Okay, now that we've had a break, it's time to move on. As I explained earlier, we have two obstacles regarding registration:

1. An evaluation license (just to get it running). You can also get this code for free from the website, but this is a tutorial, and I won't go over typing in our name and e-mail. :)

2. The actual "registered" license file.

 

Now that that's cleared up, we can go at it.

I assume you have Olly and the newly dumped file loaded up already.

  We begin here, at the EP of the dumped file:

So let's get an idea of what we need to do in order to bypass the registration.

Hit F9 and run it.

Okay, we see we need a code even to evaluate this piece. :(

Not really sure why, but okay, let's move on.

 

Hit F12 to pause the application, then hit ALT+K to see the call stack and figure out why and how we got here.

Hmm, not much to look at, but it will still help us. Right-click the last call in the list and select "Show Call".

We should now be here:

Nothing great here either; it's just the message loop for the dialog. BUT!

Scroll down a bit and let's try to trace back: find the last RETN of this procedure and set a BP on it. You should be at this RETN:

Now set the BP on the RETN and hit F9 to run (you won't break on it just yet).

Now hit the "Cancel" button on the nag dialog.

And we break!

 

Now we trace back until we find the culprit caller.

So keep hitting F8 till we reach it.

Well, that didn't take long!

Okay, look very closely here. I labelled our NAG call as such so we can get a grip on this. If you look up you see a JNZ; somehow that JNZ doesn't jump, because we get the nag. So the call above it must return something of value to us. Set a BP on that call and restart the application (CTRL+F2).

 

 

We are at the EP again; hit F9 to run, and hopefully we break on the CALL.

And we break. :)

Okay, we can go at this a few ways:

1. Enter the call and trace it out, finding out where EAX would become 1.

2. Just make the JNZ a JMP.

We enter the call and scroll down a bit.

We see it tries to find out what our name is, and at the very end we get a MOV of a byte pointer into AL.

Obviously we don't know exactly what it wants yet, so run it till the nag. When we get the nag, enter our details and hit "OK".

Now hit the "OK" button.

 

And we don't break on the right spot. :(

 

But (I hope you kept the RETN breakpoint we set from the call stack) we break on this:

All this tells us is that the author uses two different checks for the license, that's all.

So let's back-trace this one.

Continue tracing back.

And this looks very interesting to me. :)

We are on that JMP, and we came from the CALL above it. Look up: you see a bunch of conditional jumps, and very obviously a MOV AL, 1. Now why on God's green earth would it become this obvious? Set a BP on the CALL above all the JEs.

Then hit the "OK" button again.

And we break! :)

So let's trace this call out a bit. But before we do, let's get an understanding of what we need to happen.

First, when we exit this call EAX must be equal to 1; second, the pointer in EBP-4 must be equal to 0, so that we jump over the unconditional JMP below it and reach the MOV AL, 1.

Okay, enter the call.

And we see basically the same code structure as when we cancelled the nag. Remember?

If we look a bit further down we see some more important things.

This call must return the value needed so we jump over the unconditional JMP, or else we are nagged again.

So set a BP on the CALL and trace into it.

Now hit F9, break on it, then enter the call.

Now this does sort of look the same, except some strings are different.

To me these look like possible hard-coded strings, maybe for the user name and serial. But anyway, the goal is to make it run registered, so ignoring the strings we look at what would cause EAX to not equal 1. We see a MOV BL, 1, and at the end of the section a MOV EAX, EBX; so we must reach that MOV BL, 1. The first two JEs only check that a serial/name was entered, and since we entered one we don't need to worry about them.

Highlighted are the important bits. We enter that call and we CANNOT jump, or we suffer the demise of the unregistered; the JE before the JMP must be our jumper, or else again we end up unregistered. So we can simply NOP the JNZ; the XOR EAX wouldn't really matter, since the pointer gets moved into EAX anyway and cancels it out. Go ahead and NOP the JNZ.

Then trace till the call above the JE. When you reach it, make the JE a JMP and continue to trace a bit.

Stop tracing when you hit the JNZ (after the JMP).

We see it jumps (of course), because BL = 1.

We see that at the end of the jump it XORs EAX, so keep going with F8 till we reach the MOV EAX, EBX.

Okay, we are going to set the register. :)

Trace till the return, then execute it.

Now we are here; continue to trace and execute the JNZ.

We are now at the picture above: it's about to write our registration details for us. :)

Continue tracing with F8 till we see this:

Now look in your stack.

You see it writes the license file to the Documents and Settings folder.

Obviously, if our exe weren't named dump it wouldn't say that; it would use the original exe name, "mmad_3.ini". So don't forget to rename the .ini if you rename the exe. Okay, that part is complete. Now for the real registration crack, but first let's take a break, shall we? :)

Be back in 5 minutes.

 

INTERMISSION!!!!!!!

(some stupid song plays in the background)

 

 

 

OKAY!

I can only hope you saved the changes we made, because I will not go over them again. We left off here:

Now hit F9 till we are greeted with the real registration nag.

See how it says registered to me, but it still isn't registered?

What's up with that? At least I have 21 days to crack this. :)

But we see the "EVALUATION COPY" string, which is very uninviting.

So again we are left with the task of registering this application, and we use the same trick again: hit F12, then ALT+K to bring up the call stack.

And then we are here:

So we again scroll down till we see the exiting RETN and set a BP on it.

Then hit F9 to run again (we don't break right away), then hit the "TRY" button on the nag screen.

Then execute the return, and let's see why we are an EVALUATION COPY.

That wasn't long at all. :)

Do we see the theme yet? Again, like before, a JNZ decides whether we are registered or not, and the top-most call is the deciding caller. So set a BP on it and restart the application (hopefully you either remember your changes or have already made them). Restart it now.

And we break. :)

Before we go on, let us think: upon exiting the call, AL is moved to a pointer, which is then compared to 0. If it is equal we get the nag; if not, we jump over the nag. So let's enter the call now.

Man, some more crap. Well, to simplify this a bit more, let's look at the bottom of the function.

And yes, we see an easy out here. :)

Let's make the MOV AL, BYTE PTR SS:[EBP-1] into MOV AL, 1. It is a 3-byte instruction (8A 45 FF) and MOV AL, 1 is only 2 (B0 01), so leave "Fill with NOP's" checked in Olly's assembler and the leftover byte becomes a NOP.

And now let's exit this function by executing the returns till we are at the last one.

Now execute the return.

Now hit F9.

:)

Nice! Just save your changes and enjoy! I should also note that a file is now generated in your installed folder, "_mmad.LIC"; keep it for safekeeping.
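Here is an added example of how to save those changes as a reproducible patch instead of relying on Olly's "Copy to executable". It is not the tutorial's code: the screenshots, and with them the real addresses, are not in this copy of the page, so the offsets below are placeholders applied to a constructed 20-byte x86 sample rather than to _mmad.exe, and you substitute the file offsets Olly shows you. It assumes the dumped file's raw offsets equal its RVAs, which is how OllyDump lays a dump out by default; if not, convert the addresses through the section table first. Every patch re-checks the original bytes before writing, so running it against the wrong build, or twice, fails instead of quietly corrupting the file.

```python
"""Apply the three section-3 patches (NOP the JNZ, JE -> JMP, MOV AL,[EBP-1] ->
MOV AL,1) to a dumped exe, refusing to write unless the original bytes match.

Added example, not the tutorial's code.  OFFSETS are placeholders: the real
addresses are only in the tutorial's screenshots.  SAMPLE is a constructed
x86 fragment, not bytes from _mmad.exe.
"""
import sys
from collections import namedtuple

Patch = namedtuple("Patch", "offset expect new note")

JE, JNZ, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90
MOV_AL_EBP_1 = bytes([0x8A, 0x45, 0xFF])   # MOV AL, BYTE PTR SS:[EBP-1]
MOV_AL_1 = bytes([0xB0, 0x01])             # MOV AL, 1


def _expect(data, off, want, what):
    """Raise unless the bytes at off are exactly what the patch was written for."""
    got = bytes(data[off:off + len(want)])
    if got != want:
        raise ValueError("expected %s (%s) at %#x, found %s" % (what, want.hex(), off, got.hex()))


def nop_jnz(data, off):
    """JNZ short rel8 -> NOP NOP: the conditional jump never fires."""
    _expect(data, off, bytes([JNZ]), "JNZ short")
    return Patch(off, bytes(data[off:off + 2]), bytes([NOP, NOP]), "NOP the JNZ")


def je_to_jmp(data, off):
    """JE short rel8 -> JMP short rel8, same displacement, same length."""
    _expect(data, off, bytes([JE]), "JE short")
    return Patch(off, bytes(data[off:off + 2]), bytes([JMP_SHORT, data[off + 1]]), "JE -> JMP")


def force_al_1(data, off):
    """MOV AL,[EBP-1] (3 bytes) -> MOV AL,1 ; NOP (3 bytes), as Olly's
    'Fill with NOP's' option would do."""
    _expect(data, off, MOV_AL_EBP_1, "MOV AL,[EBP-1]")
    return Patch(off, MOV_AL_EBP_1, MOV_AL_1 + bytes([NOP]), "MOV AL,[EBP-1] -> MOV AL,1")


def apply_patches(data, patches):
    """Return a patched copy; each patch re-verifies its bytes, so applying to
    the wrong build or applying twice raises instead of silently corrupting."""
    out = bytearray(data)
    for p in patches:
        if len(p.new) != len(p.expect):
            raise ValueError("%s would change code length" % p.note)
        _expect(out, p.offset, p.expect, p.note)
        out[p.offset:p.offset + len(p.new)] = p.new
    return bytes(out)


# Constructed sample with the shape of the checks in the tutorial, not real code.
SAMPLE = bytes.fromhex(
    "8b45fc"        # 0x00  mov eax,[ebp-4]
    "85c0"          # 0x03  test eax,eax
    "7505"          # 0x05  jnz short +5        <- nop_jnz
    "e800000000"    # 0x07  call ...
    "7402"          # 0x0c  je short +2         <- je_to_jmp
    "33c0"          # 0x0e  xor eax,eax
    "8a45ff"        # 0x10  mov al,[ebp-1]      <- force_al_1
    "c3"            # 0x13  ret
)
OFFSETS = {"jnz": 0x05, "je": 0x0C, "mov_al": 0x10}   # placeholders for the demo


def patch_sample(data=SAMPLE, offsets=OFFSETS):
    """Build the three patches against data and apply them in one pass."""
    return apply_patches(data, [
        nop_jnz(data, offsets["jnz"]),
        je_to_jmp(data, offsets["je"]),
        force_al_1(data, offsets["mov_al"]),
    ])


if __name__ == "__main__":
    # usage: patch.py <in.exe> <out.exe> <jnz_off> <je_off> <mov_al_off>  (hex offsets)
    if len(sys.argv) == 6:
        blob = open(sys.argv[1], "rb").read()
        offs = dict(zip(("jnz", "je", "mov_al"), (int(x, 16) for x in sys.argv[3:])))
        open(sys.argv[2], "wb").write(patch_sample(blob, offs))
    else:
        print(patch_sample().hex())
```

All three edits keep the instruction length, which is the property that lets you patch a live dump without re-assembling anything around it; the JE to JMP change in particular copies the original rel8 displacement, so the jump still lands where the author's JE did.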

Okay, I just want to thank you for reading this, and hopefully you learned something from it.

Until next time, I remain,

MaDMAn_H3rCuL3s

 



4. Conclusion

Lessons Learnt

1. You learned a basic approach to a custom Delphi stub, plus reversing the application behind it.

2. Also that, yet again, ARTeam is #1.



 
5. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub-Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr] [Eggi] [EJ12N] [JohnWho] [Condzero] [Stickman 373] [Bone Enterprise]

[Release Team]
[TSRH] [Exetools] [RCE Forums] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [C0n3r0n3] [ILCH] [And any others I missed]