                 p r o u d l y     p r e s e n t s

                                                www.tscube.cjb.net



                      Tutorial for Fr1c crackme #7
                      ----------------------------



1. Intro
--------

I decided to make this tutorial to show you the power of an awesome tool by DaFixer: DeDe
(Delphi Decompiler). Now go get this tool at protools.cjb.net and let's crack this baby ;)

note : I'm not a Delphi coder, so please forgive me if I'm not very clear on certain points.



2. Unpacking the crackme
------------------------

We have to:

1) Kill the nagscreen
2) Enable the 'Register' button
3) Make a keygen

The crackme is packed with UPX 0.94, so we are supposed to patch the packed crackme... but since
I'm too lazy to do it, we'll just patch the unpacked crackme ;)

I only have UPX 1.01, but it doesn't matter because this version can also unpack older versions.

=> 'UPX -d crackme7.exe'

Now we have an unpacked crackme (309 KB instead of 134 KB) that we can patch as much as we want ;)



3. Killing the nagscreen
------------------------

Note: before the nagscreen there is a SICE detection (MeltICE style: CreateFileA on "\\.\SICE"),
but this shouldn't be a problem if you have FROGSICE loaded. If that's not the case, do an
'R FL Z' at @442759 so that the 'jz 00442772' is taken and the check is skipped.

The nagscreen is a classic message box, but since it's Delphi, 'BPX MESSAGEBOXA' won't work:
Dialogs.ShowMessage builds its own dialog form instead of calling MessageBoxA. There are
zillions of ways to find where this nagscreen is called in the crackme:
- As it appears right at the beginning, you can hit F10 and F8 until you find the right spot ;)
- You can search for a good StringData ref in the dead listing
- You can 'BMSG Window_handle WM_DESTROY' (look at Tornado's Cracker's notes for more info)
- ...

Anyway, here is the good spot :

* Possible StringData Ref from Data Obj ->"Kill me !! My name is NAG SCREEN!"
                                  |
:00442772 B844284400              mov eax, 00442844
:00442777 E84CF9FFFF              call 004420C8 -> NOP this call (5 bytes, so 5 x 90; ShowMessage
                                                  takes its string in eax, so there is nothing to
                                                  clean off the stack)



4. Time to use DeDe
-------------------


	4.1. Wise words
	---------------

First question: if YOU had coded this crackme, how would you have disabled this button?
- You could have set the button's Enabled property to False at design time in the form designer
- You could have disabled the button at run time with something like 'Button1.Enabled := False'

Fr1c chose the second solution: he disabled the button at run time. So if we can find the
'CALL' responsible for disabling this button and NOP it, the job is done.


	4.2. Using DeDe
	---------------

Fire up DeDe and load all the symbol files (.dsf): Options -> Symbols -> Load

Now open 'crackme7.exe' and click on 'Process'. After a few seconds the crackme is processed
and you can start viewing the results.

Click on 'Procedures' and select 'Unit1'; you can see 4 events:

- FormCreate   -> code executed during crackme initialisation
- Button3Click -> code executed when the user clicks on 'Exit'
- Button2Click -> code executed when the user clicks on 'About'
- Button1Click -> code executed when the user clicks on 'Register'

Double click on 'FormCreate' to see the initialisation code:


<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

00442704   53                     push    ebx
00442705   8BD8                   mov     ebx, eax

* Possible String Reference to: "CrackMe 7 by Fr1c - UNREGISTERED"
|
00442707   BA94274400             mov     edx, $00442794
0044270C   A134484400             mov     eax, dword ptr [$444834]

* Reference to: Controls.TControl.SetText(System.AnsiString)
|
00442711   E8BA16FEFF             call    00423DD0

* Possible String Reference to: "URSoft W32Dasm Ver 8.93 Program Dis
|                                assembler/Debugger"
|
00442716   68B8274400             push    $004427B8

* Possible String Reference to: "OWL_Window"
|
0044271B   68F0274400             push    $004427F0

* Reference to: SysAllocStringLen.FindWindowA
|
00442720   E8EB39FCFF             call    00406110
00442725   85C0                   test    eax, eax
00442727   7E11                   jle     0044273A

* Possible String Reference to: "W32Dasm FOUND"
|
00442729   B804284400             mov     eax, $00442804

* Reference to: Dialogs.ShowMessage(System.AnsiString)
|
0044272E   E895F9FFFF             call    004420C8
00442733   6A00                   push    $00

* Reference to: GetModuleFileNameA.ExitProcess
|
00442735   E83635FCFF             call    00405C70
0044273A   6A00                   push    $00
0044273C   6880000000             push    $00000080
00442741   6A03                   push    $03
00442743   6A00                   push    $00
00442745   6A03                   push    $03
00442747   68000000C0             push    $C0000000

* Possible String Reference to: "\\.\SICE"
|
0044274C   6814284400             push    $00442814

* Reference to: GetModuleFileNameA.CreateFileA
|
00442751   E8EA34FCFF             call    00405C40
00442756   83F8FF                 cmp     eax, -$01
00442759   7417                   jz      00442772
0044275B   50                     push    eax

* Reference to: GetModuleFileNameA.CloseHandle
|
0044275C   E8C734FCFF             call    00405C28

* Possible String Reference to: "SoftIce is DETECTED"
|
00442761   B828284400             mov     eax, $00442828

* Reference to: Dialogs.ShowMessage(System.AnsiString)
|
00442766   E85DF9FFFF             call    004420C8
0044276B   6A00                   push    $00

* Reference to: GetModuleFileNameA.ExitProcess
|
0044276D   E8FE34FCFF             call    00405C70

* Possible String Reference to: "Kill me !! My name is NAG SCREEN!"
|
00442772   B844284400             mov     eax, $00442844

* Reference to: Dialogs.ShowMessage(System.AnsiString)
|
00442777   E84CF9FFFF             call    004420C8
0044277C   33D2                   xor     edx, edx

* Possible Reference to Control 'Button1:TButton'
|
0044277E   8B83CC020000           mov     eax, [ebx+$02CC]
00442784   8B08                   mov     ecx, [eax]
00442786   FF5160                 call    dword ptr [ecx+$60] -> Disable button1 !!! (virtual call on
                                                                  Button1 with edx = 0 = False)
00442789   5B                     pop     ebx
0044278A   C3                     ret

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Here you are, everything you need to know is shown thanks to DeDe:

1) W32Dasm detection using the FindWindow API (100% useless)
2) SICE detection using the CreateFile API
3) Nagscreen
4) 'Register' button disabling

To enable the button, just NOP the call at @442786 (FF 51 60: 3 bytes, so 3 x 90; it's a
register call, nothing is pushed on the stack) and you're done!
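The two NOP patches from sections 3 and 4.2 applied from a script, as an added example that is not part of the original tutorial. The addresses shown by W32Dasm and DeDe are virtual addresses, so the script walks the PE section table to turn them into file offsets, and it refuses to write unless the bytes from the listing are really there (run it on the still-packed file, or on another build, and it stops instead of corrupting the exe). As an extra beyond what the tutorial does, it also turns the 'jz 00442772' at @442759 into a 'jmp' so the SICE check never fires. The constructed sample image at the bottom is a stand-in so the code runs without the crackme; its PE layout is an assumption, not the real file's.

```python
# Patcher for the UPX-unpacked crackme7.exe (added example, not the tutorial's code).
import struct
import sys

NOP = b"\x90"

# (virtual address, bytes the listing shows there, replacement of the same length)
PATCHES = [
    (0x00442777, bytes.fromhex("E84CF9FFFF"), NOP * 5),          # call ShowMessage -> kills the nag
    (0x00442786, bytes.fromhex("FF5160"),     NOP * 3),          # call [ecx+$60] -> Button1 stays enabled
    (0x00442759, bytes.fromhex("7417"), bytes.fromhex("EB17")),  # jz -> jmp: always skip the SICE check (added)
]


def parse_sections(data: bytes):
    """Return (ImageBase, [(rva, virtual_size, raw_ptr, raw_size), ...]) of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(image_base: int, sections, va: int) -> int:
    """Map a virtual address (as shown by W32Dasm/DeDe) to its offset in the file."""
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError(f"{va:#x} is in uninitialised data, not in the file")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy; raise if any expected byte sequence is not found."""
    out = bytearray(data)
    image_base, sections = parse_sections(data)
    for va, expected, replacement in patches:
        assert len(expected) == len(replacement), "patches must not change code size"
        off = va_to_offset(image_base, sections, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#x}: expected {expected.hex()} but found {found.hex()} "
                             "(still UPX-packed, or a different build?)")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


# FormCreate bytes copied from the DeDe listing above (00442704..0044278A).
FORMCREATE_HEX = (
    "538BD8BA94274400A134484400E8BA16FEFF68B827440068F0274400E8EB39FCFF85C07E11"
    "B804284400E895F9FFFF6A00E83635FCFF6A0068800000006A036A006A0368000000C0"
    "6814284400E8EA34FCFF83F8FF741750E8C734FCFFB828284400E85DF9FFFF6A00E8FE34FCFF"
    "B844284400E84CF9FFFF33D28B83CC0200008B08FF51605BC3"
)


def build_sample_image() -> bytes:
    """Constructed stand-in for the unpacked crackme (NOT the real file): a minimal PE32
    with one section at RVA 0x42000 / file offset 0x400 holding the bytes above."""
    image_base, sec_rva, sec_raw, sec_size = 0x400000, 0x42000, 0x400, 0x1000
    img = bytearray(sec_raw + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)              # Machine i386, 1 section
    struct.pack_into("<H", img, 0x80 + 20, 0xE0)              # SizeOfOptionalHeader (PE32)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_rva, sec_size, sec_raw)
    code = bytes.fromhex(FORMCREATE_HEX)
    off = sec_raw + (0x00442704 - image_base - sec_rva)
    img[off:off + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:        # python patch_crackme7.py crackme7.exe crackme7_patched.exe
        with open(sys.argv[1], "rb") as f:
            patched = apply_patches(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
    else:                         # no file given: demonstrate on the constructed image
        apply_patches(build_sample_image())
        print("sample image patched OK")
```

Keep the unpacked file's PE headers as they come out of 'UPX -d'; if you ever decide to patch the packed file instead, these offsets are meaningless there, which is exactly what the byte check catches.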


	4.3. It's only a crackme
	------------------------

In the 'real' world it's not so easy to enable a button, because the code behind it is not
necessarily associated with the button any more. For more info, read the tutorials on
'Re-enabling functions' at www.ImmortalDescendants.org



5. The keygen
-------------

Here is the serial check routine (found with 'BPX HMEMCPY' etc...):

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

:004428AE 8B45F4                  mov eax, dword ptr [ebp-0C] -> name
:004428B1 E87E11FCFF              call 00403A34
:004428B6 8BF0                    mov esi, eax
:004428B8 85F6                    test esi, esi
:004428BA 7E41                    jle 004428FD
:004428BC BF01000000              mov edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004428FB(C)
|

begin_loop
----------

:004428C1 8D55F4                  lea edx, dword ptr [ebp-0C]
:004428C4 8B45FC                  mov eax, dword ptr [ebp-04]
:004428C7 8B80C4020000            mov eax, dword ptr [eax+000002C4]
:004428CD E8CE14FEFF              call 00423DA0
:004428D2 8B45F4                  mov eax, dword ptr [ebp-0C]
:004428D5 0FB64438FF              movzx eax, byte ptr [eax+edi-01] -> name[i]
:004428DA 8BD8                    mov ebx, eax              }
:004428DC 6BC363                  imul eax, ebx, 00000063   }
:004428DF 8BD8                    mov ebx, eax              } ebx = (name[i]*0x63) ^ 0x06
:004428E1 83F306                  xor ebx, 00000006         }
:004428E4 8D45F0                  lea eax, dword ptr [ebp-10]
:004428E7 8BD3                    mov edx, ebx
:004428E9 E86E10FCFF              call 0040395C             -> tmp := Chr(ebx): eax = dest string, edx = value,
                                                               which looks like System's LStrFromChar, so only
                                                               the low byte of ebx becomes a serial character
:004428EE 8B55F0                  mov edx, dword ptr [ebp-10]
:004428F1 8D45F8                  lea eax, dword ptr [ebp-08]
:004428F4 E84311FCFF              call 00403A3C             -> serial := serial + tmp (LStrCat)
:004428F9 47                      inc edi
:004428FA 4E                      dec esi
:004428FB 75C4                    jne 004428C1

end_loop
--------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004428BA(C)
|
:004428FD 8D55F4                  lea edx, dword ptr [ebp-0C]
:00442900 8B45FC                  mov eax, dword ptr [ebp-04]
:00442903 8B80C8020000            mov eax, dword ptr [eax+000002C8]
:00442909 E89214FEFF              call 00423DA0
:0044290E 8B55F4                  mov edx, dword ptr [ebp-0C] -> entered_serial
:00442911 8B45F8                  mov eax, dword ptr [ebp-08] -> generated_serial
:00442914 E82B12FCFF              call 00403B44               -> compare the two strings
:00442919 750A                    jne 00442925                -> not equal: bad boy

* Possible StringData Ref from Data Obj ->"Good work cracker!"
                                  |
:0044291B B864294400              mov eax, 00442964

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->


The keygen is very easy to do: look at my (C) JavaScript keygen for more details.

It seems that it's not possible to generate a valid serial for all letters, so don't use these
letters: a n O J 9 (maybe there are others). The reason is in the loop above: if the call at
004428E9 is LStrFromChar, as the register usage suggests, each name character becomes ONE serial
character, the low byte of (name[i]*0x63) ^ 0x06. For 'a', 'n', 'O', 'J' that byte is 0x85, 0x8C,
0x8B, 0x98 (outside ASCII), and for '9' it is 0x0D, a carriage return you can't type into the edit
box. Other characters have the same problem (e.g. 'F' gives 0x14), so check the serial bytes
before handing one out.
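A keygen in Python, as an added example (the author's own keygen is the JavaScript one mentioned above). It assumes, from the register usage in the listing (eax = destination string, edx = value), that call 0040395C is System's LStrFromChar, i.e. each name character becomes one serial character holding the low byte of (name[i]*0x63) ^ 0x06. It returns the serial as raw bytes and flags the name characters whose serial byte is a control code or non-ASCII, which generalises the author's 'a n O J 9' list to the whole printable alphabet.

```python
# Keygen for Fr1c crackme #7, reconstructed from the serial check listing above.
# Added example, not the author's keygen. ASSUMPTION: call 0040395C is LStrFromChar,
# so only the low byte of (ord(c) * 0x63) ^ 0x06 reaches the serial string.
import sys


def serial_byte(ch: str) -> int:
    """Value the crackme computes for one name character (low byte only survives)."""
    return ((ord(ch) * 0x63) ^ 0x06) & 0xFF


def keygen(name: str) -> bytes:
    """Serial the crackme builds for `name`, returned raw since some bytes are not printable."""
    return bytes(serial_byte(c) for c in name)


def is_typeable(b: int) -> bool:
    """Printable 7-bit ASCII: what can safely be typed into the 'serial' edit box."""
    return 0x20 <= b <= 0x7E


def unusable_chars(name: str) -> list:
    """Name characters whose serial byte is a control code or non-ASCII.
    Covers the author's 'a n O J 9' list and the characters it misses (e.g. 'F')."""
    return [c for c in name if not is_typeable(serial_byte(c))]


def safe_name_alphabet() -> str:
    """All printable ASCII characters that produce a typeable serial character."""
    return "".join(chr(c) for c in range(0x20, 0x7F) if is_typeable(serial_byte(chr(c))))


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "DIG"   # constructed sample name
    bad = unusable_chars(name)
    if bad:
        print(f"name contains characters with untypeable serial bytes: {bad!r}")
        print(f"safe characters: {safe_name_alphabet()!r}")
    else:
        print(f"{name} -> {keygen(name).decode('ascii')}")
```

Usage: 'python keygen7.py DIG' prints 'DIG -> J=s'; 'python keygen7.py Fr1c' refuses, because 'F', 'r' and '1' map to 0x14, 0x10 and 0xF5.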


6. Outro
--------

Thx to DaFixer for a great tool... and to _uno for telling me to use it ;)

    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 21/07/2000

www.tscube.cjb.net
