
Page 1 of 18

Another way to find the Patch by XOR06


Intro
As a cracker it is always important to hide yourself, and to help you do that I'll show you how to crack this IP-hider. In this tutorial we will be cracking the registration scheme of a real program which has a 1 day trial and a corresponding nag. It checks the serial with the server, but only when you enter the serial. We are using a new way to find the right place to patch, and we will go really deep into the code in this one. I assume that you know Olly and how to change the flags, edit the asm code, search for constants and so on, just some basic knowledge. I would like to thank nwokiller and R4ndom for proofreading and the great support. Remember, the best way to learn is to try to patch the program yourself first (please disconnect from the internet first, otherwise your attempt will be recorded on the server); if you don't succeed (or if you would like to see another approach) then read this tutorial. Have fun!

Toolz
Olly
ExeinfoPE
PExplorer R6
Notepad++ V6.1.3 (or Notes)

Target
AutoHideIP-5.2.8.6
You can find the target at http://www.autohideip.com/

Index
Intro
Toolz
Target
Investigate the Target
Finding the Patch
Finding the Patch in Olly
Applying the Patch
Final Notes
Thanks to:


Investigate the Target


Run the target and you'll see this (if you do not see this, please set your Windows time forward 1 day):

We can click Cancel or OK. Let us start with Cancel.

If you click Cancel the program exits, and we don't want to buy it, so let us click Enter SN and we come here again:

Okay, you can see that I input some dummy code and click OK. If you haven't disconnected from the net you'll see this:

Well, click Back and try again, but this time disconnect from the internet first. Now you see this:


Ahhh, we can also register this app if we are not online!! Let's try that, click Manual.

Now you can see the Machine Data. Hmm, to get your correct code you have to send the company the machine code, so it must be used to calculate the correct serial. Well, we just want to patch this, so we should just enter the dummy serial again and press OK. But there's a programming error: if you do that it just tells you that the program is expired. You must restart the app so you see this.

Don't press Cancel, but just enter the dummy serial again and press OK. Now you see this:

Press Manual


Enter the dummy serial and press OK.

There we got the badboy without the internet connection. Let us take a look at this target in Olly.

Finding the Patch


The target loads fine, but if you look for strings you won't find anything we can use, and if you try the "execute till user code" trick or even the call stack you don't find anything easy to go after. If you load the program in ExeinfoPE you see why:

Ahh, this is a Borland Delphi program, so we just load it in DeDe, right? Well, you can try that but it won't work: you don't find any forms or procedures. This is where this new approach comes in handy. Try to load the target in PExplorer and look at the resources.


You don't need to look in Strings or Dialog because you won't find anything, but look at the RC Data.

Yeah, that's right, here you can see the Forms! Let's take a look in the ACTIVATEFROM.


Go on into pcActive to see what it hides.

Can you see the tsManually? Could that be our manual activation form? Take a look into it.


As you can see, it has all the controls we had on the manual activation form: 4 labels, 2 buttons. Click on btnOKManually and scroll all the way down in the right window.

There you can see OnClick = btnOKManuallyClick, so that is the event it calls on click. As we know that Delphi uses these names to call the event (from R4ndom's tutorial nr 17), we just have to search for this event name in the program. You can do this search in any hex view app such as Hiew v8.10, or in the Olly memory map, to get the address.

Finding the Patch in Olly


We will get the address of the event from Olly, so load the target file in Olly and open the memory map.


Click on the top line and search for btnOKManuallyClick.

We get a hit.

Scroll up a little and you see the address of the event!

Now you just have to remember the byte order (little endian), so the right address of the event is 630DE8. Let's go to that address.

This is the start of the btnOKManuallyClick event. Place a BP here and let the app run (still remember to disconnect from the net) and click your way to this again.

Enter your dummy serial and click OK, and Olly breaks here.

Start stepping the code and you will see that @ 00630E14 it moves our serial into EAX, so now we wake up.

If you click into the call @ 00630E21 or 00630E2A you'll see two large routines which are called from more than 10 places; that is a lot if it is a serial check! That, together with the fact that EAX still holds our serial and that there are no jumps around them, tells me that the serial check is not in there. Let's look at the call @ 00630E31. Right after it there is a TEST AL,AL and a conditional jump! Could this be it? If you step one more time you see that your string in EAX is gone and that AL=0, so this jump would not jump! Let's change the flag so it jumps and let the app run.

Well, that was the right place!! But if you click OK you see this:

Well, this patch was not deep enough, so let us go much deeper into the code and make the patch there. Restart the target in Olly and go to the call @ 00630E31.

Okay, we know now that AL must be 1 so that it jumps @ 00630E38. So let's go into this call and remember that AL should be 1 when we hit return.


Ok, this looks good; this routine is only called from 2 places. If you step down to the conditional jump @ 0063C273 you can see that it will jump, as AL = 0. It jumps down to 0063C2C5 where it does XOR EBX,EBX, which sets EBX to 0. But why is it interesting what EBX is? Well, look @ 0063C2CE: here it moves EBX into EAX, and as you may remember we needed AL to be 1. If we change the JE @ 0063C273 so it doesn't jump it will run all the code after it. If you look @ 0063C2C1 you can see a MOV BL,1, so if we don't jump BL will be set to 1 and afterwards that is moved into EAX, so when we come down to RETN 8 @ 0063C3D4 EAX is 1 as it should be. If you try it you'll see that this is still not deep enough. We know that the JE @ 0063C273 should not jump, so AL should be 1. Let us go into the call @ 0063C26C and remember that we should return from that call with AL = 1.


Hmm, there are no conditional jumps in this routine, but that does not mean we are in the wrong place. Let's take a look at the last part of this routine.

Remember, we need AL to be 1 when we hit the RETN @ 0063C201. (Because of the PUSH @ 0063C1E1 the RETN @ 0063C1F3 just makes you jump to 0063C1FB.) Okay, look at the code @ 0063C1FB: it moves EBX into EAX, so before the PUSH @ 0063C1E1 BL must be 1. @ 0063C1D7 EAX is moved into EBX, so in the call @ 0063C1D2 EAX must be set to 1, right? Well, let's go deeper and make that happen. Go into the call.


As we can see, this looks a lot like the routine we just saw, and in fact we must do the very same again here. We need to go into the call @ 006357C0 and make sure that EAX is set to 1, because we still need AL to end up being 1. So let's go deeper. Go into the call @ 006357C0.

Well, now we are in a large routine with a lot of jumps, but we just need to focus on the fact that we need to return from here with EAX=1. So scroll down to the end of this routine.


Well, this looks just like the other 2 routines we just came from, so you may suggest that we go into the call @ 006358EB. But if you go in there you come to a routine which is called from over 70 places (it is used to decide what object to load), so if we change anything there it will not only affect the serial check but also everything else. That is not good, so we will not go in there. We are now as deep as we can go! Let's make the patch here then. Can you still remember what we need? Yes, we need EAX to be 1, so let us change the call to MOV EAX,1, which uses the same number of bytes as the call. Let Olly run and you see this:

You did it. Or did you? Well, yes and no. We are almost there, but there is a problem: when you restart the computer and run the program, it will reset the registration! Hmm, how can it do that? Well, it must change some file somewhere when I close the program. That part I will not look for. When it loads it must check it somewhere, in a file or a registry key, and that we must find. We could use Regmon or some other monitoring tool, but that won't get us any closer because it's not a registry key (how do I know? I checked). If it is not the registry it must be some other file, but there aren't any ini or dat files in the target's folder. Now there are more ways to solve this. The first, long one is to find the breakpoint on btnOKManuallyClick and set it again, then let the program run until the breakpoint. Now you can look through the strings, see the string Settings and trace it down until you get the path to the file. The second one is

to use your experience: if you have cracked for some time you would know that many apps use the ProgramData folder to store their settings files. So go to C:\ProgramData and you'll find a folder named AutoHideIP. Click into that and you see the file Settings.dat. Now open that file with Notes or another editor (I use Notepad++ V6.1.3) and you'll see this:

These are all the settings for the app. Look at line 1, RunTimes=148, hmm, it counts how often the app starts. Look at line 9, Activate.NeedReactivated=1, hmm, maybe that should be 0 instead. Maybe we can just change it to 0 and write-protect the file? Let's try that and load the file in Olly.

If you let the target run it will crash (it crashes because it can't write to the file, as we have just write-protected it). Hmm, well, let's use Olly to trace down where the app tries to write to the file. Maybe we can find where it loads the file and reads Activate.NeedReactivated. So how do we trace down to that? You just step with F8, and when you step over a call that makes the app crash you set a BP on it. Then restart the app, run to the breakpoint and step into that call, and step with F8 again until it crashes, and do it all over again until you get here.


And why do I stop here? This call makes the app crash, and look at the comments: RunTimes. Can you remember that the first line in the settings file was RunTimes? Here it tries to write the new RunTimes number to the file, but it can't and crashes. Let us look in the Strings now; if RunTimes appears there then Activate.NeedReactivated must be there too. (We could not look in the strings from the start because at that time the app had hidden all that information.)

Now click OK and place a BP on the 4 hits here:

(You can only set a BP on the hits that have a command before them, otherwise Olly complains.) Remove the old breakpoints, remove the write protection from the Settings.dat file (we need the app to read more than the first line in the settings file, and it only does that if it can write the RunTimes to the file) and restart the app in Olly. Now Olly breaks here:

Let's step down to the JE @ 0063CA56.

It made a call and then TEST AL,AL; that looks like it checks for a value (1 or 0) and then it jumps. Hmm, but wait, we have changed the Activate.NeedReactivated value to 0, so maybe the app should jump here? Let the program run.

Well yes, it runs fine, so the program should always jump @ 0063CA56. So just change the JE to JMP (or change the call to MOV EAX,1) and this target is finally cracked.
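Looking at this from the other side of the table: what made the last step so cheap is that the licence state lives in a plain-text, world-writable Settings.dat with no integrity check, so a single flag (Activate.NeedReactivated) can be flipped in a text editor and the program has no way to notice. The following is an added example, not code from the tutorial or from AutoHideIP, of the minimum a developer would do about that: seal the key=value file with an HMAC trailer and refuse it when the trailer does not match. The settings text and the key are constructed for the demo, and the Integrity.HMAC key name and the seal/verify functions are my own invention, not anything the target uses.

```python
import hmac
import hashlib

# Constructed sample in the key=value layout the tutorial describes;
# the real Settings.dat contents are not reproduced here.
SAMPLE_SETTINGS = "RunTimes=148\nActivate.NeedReactivated=1\n"

# Demo key only. Where a real build keeps this is the weak point, see the note below.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical trailer line that carries the MAC over everything above it.
MAC_PREFIX = "Integrity.HMAC="


def parse_settings(text):
    """Parse key=value lines into a dict (same shape as the tutorial's file)."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def seal(text, key):
    """Append an HMAC-SHA256 trailer computed over the whole settings body."""
    body = text if text.endswith("\n") else text + "\n"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + MAC_PREFIX + mac + "\n"


def verify(sealed, key):
    """Return (ok, settings). ok is False if the trailer is missing or wrong,
    and in that case no settings are handed back to the caller at all."""
    lines = sealed.splitlines(keepends=True)
    if not lines or not lines[-1].startswith(MAC_PREFIX):
        return False, {}
    body = "".join(lines[:-1])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    got = lines[-1][len(MAC_PREFIX):].strip()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(expected, got):
        return False, {}
    return True, parse_settings(body)


def edit_value(sealed, key_name, new_value):
    """Simulate a text-editor edit: change one key=value line, leave the trailer alone."""
    out = []
    for line in sealed.splitlines(keepends=True):
        if line.startswith(key_name + "="):
            out.append(f"{key_name}={new_value}\n")
        else:
            out.append(line)
    return "".join(out)


def demo():
    """Seal the sample, read it back, then flip the reactivation flag and re-check."""
    sealed = seal(SAMPLE_SETTINGS, DEMO_KEY)
    ok_before, settings = verify(sealed, DEMO_KEY)
    edited = edit_value(sealed, "Activate.NeedReactivated", "0")
    ok_after, _ = verify(edited, DEMO_KEY)
    return ok_before, settings["Activate.NeedReactivated"], ok_after


if __name__ == "__main__":
    print(demo())
```

The point of the example is the failure mode it shows, not the hardening it provides: the sealed file is accepted once, and the same file with the flag flipped is rejected, so an editor-level change like the one in the tutorial no longer works. The caveat is that the key has to be somewhere the program can reach it, which means the same kind of debugging the tutorial walks through can recover it or simply patch out the verify call; a MAC turns a text edit into a code patch and nothing more. The decision that actually has to hold (is this licence valid) can only be made by the server, and the tutorial already shows how the target lets that check be skipped by going offline.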

Applying the Patch


So, as always, just save the modifications to file and run the cracked program. The first time you must disconnect from the net to get to the manual activation, and enter any code you want.

Final Notes

That was a long one, but I wrote it because I think this was a good target to go very deep on, and to show you a simple way to find the right place to patch a Delphi program when DeDe fails. I hope you enjoyed the tutorial and learned something. If you'd like to try again you can go patch the easy mode as well.

For questions and discussion regarding this tutorial and other interesting stuff go to R4ndom's forum: http://www.thelegendofrandom.com/forum/index.php Thanks for now.. -XOR06

Thanks to:
Random, for showing me the light again
nwokiller, for all his help
The SSECS team
Without these guys this wouldn't be possible.