another way of finding the patch by xor06

Post on 14-Apr-2018

7/30/2019 Another Way of Finding the Patch by XOR06

Page 1 of 18

    Another way to find the Patch by XOR06

    Intro

As a cracker it is always important to hide yourself, and to help you do that I'll show you how to crack this IP hider.

In this tutorial we will be cracking the registration scheme of a real program which has a 1-day trial and a corresponding nag. It checks the serial with the server, but only when you enter the serial. We are using a new way to find the right place to patch, and we will go really deep into the code in this one.

I assume that you know Olly and how to change the flags, edit the asm code, search for constants and so on; just some basic knowledge. I would like to thank nwokiller and R4ndom for proofreading and the great support.

Remember, the best way to learn is to try to patch the program yourself first (please disconnect from the internet first, otherwise your attempt will be recorded on the server). If you don't succeed (or if you would like to see another approach) then read this tutorial. Have fun!

Toolz

Olly

ExeinfoPE

PExplorer R6

Notepad++ V6.1.3 (or Notepad)

Target

AutoHideIP-5.2.8.6

You can find the target at http://www.autohideip.com/

Index

Intro (page 1)

Toolz (page 1)

Target (page 1)

Investigate the Target (page 2)

Finding the Patch (page 4)

Finding the Patch in Olly (page 7)

Applying the Patch (page 17)

Final Notes (page 17)

Thanks to: (page 18)


    Investigate the Target

Run the target and you'll see this (if you do not see this, please set your Windows time forward 1 day):

We can click Cancel or OK. Let us start with Cancel.

If you click Cancel the program exits, and we don't want to buy it, so let us click Enter SN and we come here again:

Okay, you can see that I input some dummy code and clicked OK. If you haven't disconnected from the net you'll see this:

Well, click back and try again, but this time disconnect from the internet first. Now you see this:


Ahhh, we can also register this app if we are not online!! Let's try that: click Manual.

Now you can see the Machine Data. Hmm, to get your right code you should send the company the machine code, so it must be used to calculate the correct serial. Well, we just want to patch this, so we should just enter the dummy serial again and press OK. But there's a programming error: if you do that it just tells you that the program is expired. You must restart the app so you see this.

Don't press Cancel, but just enter the dummy serial again and press OK. Now you see this:

    Press Manual


Enter the dummy serial and press OK.

There we got the bad boy without an internet connection. Let us take a look at this target in Olly.

    Finding the Patch

The target loads fine, but if you look for strings you won't find anything we can use; if you try the "execute till user code" trick, or even the call stack, you don't find anything easy to go after. If you load the program in ExeinfoPE you see why:

Ahh, this is a Borland Delphi program, so we just load it in DeDe, right? Well, you can try that, but it won't work: you don't find any forms or procedures. This is where this new approach comes in handy. Try to load the target in PExplorer and look at the resources.


You don't need to look in Strings or Dialog because you won't find anything there, but look at the RC Data.

Yeah, that's right, here you can see the forms! Let's take a look in the ACTIVATEFROM.


Go on into pcActive to see what it hides.

Can you see tsManually? Could that be our manual activation form? Take a look into it.


As you can see it has all the controls we had on the manual activation form: 4 labels, 2 buttons. Click on btnOKManually and scroll all the way down in the right window.

There you can see OnClick = btnOKManuallyClick, so that is the event it calls on click. As we know that Delphi uses these names to call the event (from R4ndom's tutorial nr 17), we just have to search for this event name in the program: the form loader resolves the handler by name through the class's published method table, which is why the name is stored right next to the handler's address in the binary. You can do this search in any hex-view app such as Hiew v8.10, or in the Olly memory map, to get the address.

    Finding the Patch in Olly

We will get the address of the event from Olly, so load the target file in Olly and open the memory map.


Click on the top line and search for btnOKManuallyClick.

We get a hit.

Scroll up a little and you see the address of the event!


Now you just have to remember the endianness: the four bytes in the dump read E8 0D 63 00, and a 32-bit pointer is stored little-endian, so the right address of the event is 630DE8. Let's go to that address.

This is the start of the btnOKManuallyClick event. Place a BP here and let the app run (still remember to disconnect from the net) and click your way to this again.

Enter your dummy serial and click OK, and Olly breaks here.

Start stepping the code and you will see that @ 00630E14 it moves our serial into EAX, so now we wake up.

If you click into the call @ 00630E21 or 00630E2A you'll see two large routines which are called from more than 10 places; that is a lot if it is a serial check! That, together with the fact that EAX still holds our serial and that there are no jumps around them, tells me that the serial check is not in there. Let's look at the call @ 00630E31. Right after it there is a TEST AL,AL and a conditional jump! Could this be it? If you step one more time you see that your string in EAX is gone and that AL=0, so this jump would not jump! Let's change the flag so it jumps and let the app run.

Well, that was the right place!! But if you click OK you see this:

Well, this patch was not deep enough, so let us go much deeper into the code and make the patch. Restart the target in Olly and go to the call @ 00630E31.

Okay, we know now that AL must be 1 so that it jumps @ 00630E38. So let's go into this call and remember that AL should be 1 when we hit the return.


Ok, this looks good; this routine is only called from 2 places. If you step down to the conditional jump @ 0063C273 you can see that this will jump as AL = 0. It will jump down to 0063C2C5 where it will XOR EBX,EBX, which sets EBX to 0. But why is it interesting what EBX is? Well, look @ 0063C2CE: here it moves EBX into EAX, and as you may remember we need AL to be 1. If we change the JE @ 0063C273 so it doesn't jump, it will run all the code after it. If you look @ 0063C2C1 you can see a MOV BL,1, so if we don't jump BL will be set to 1 and afterwards that is moved into EAX, so when we come down to the RETN 8 @ 0063C3D4 EAX is 1 as it should be.

If you try it you'll see that this is still not deep enough. We know that the JE @ 0063C273 should not be taken, so AL should be 1 before it. Let us go into the call @ 0063C26C and remember that we should return from that call with AL = 1.


Hmm, there are no conditional jumps in this routine, but that does not mean we are in the wrong place. Let's take a look at the last part of this routine.

Remember we need AL to be 1 when we hit the RETN @ 0063C201. (Because of the PUSH @ 0063C1E1 the RETN @ 0063C1F3 just makes you jump to 0063C1FB; this PUSH/RETN pair is the usual layout of a Delphi try..finally block, where the finally part returns into the pushed address.) Okay, look at the code @ 0063C1FB: it moves EBX into EAX, so before the PUSH @ 0063C1E1 BL must be 1. @ 0063C1D7 EAX is moved into EBX, so in the call @ 0063C1D2 EAX must be set to 1, right? Well, let's go deeper and make that happen. Go into the call.


As we can see this looks a lot like the routine we just saw, and in fact we must do the very same again here. We need to go into the call @ 006357C0 and make sure that EAX is set to 1, because we still need AL to end up being 1. So let's go deeper: go into the call @ 006357C0.

Well, now we are in a large routine with a lot of jumps, but we just need to focus on one thing: we need to return from here with EAX=1. So scroll down to the end of this routine.


Well, this looks just like the other 2 routines we just came from, so you may suggest that we go into the call @ 006358EB. But if you go in there you will come to a routine which is called from over 70 places (it is used to decide what object to load). So if we change anything there it will not only affect the serial check but also everything else. That is not good, so we will not go in there. We are now as deep as we can go! Let's make the patch here then.

Can you still remember what we need? Yes, we need EAX to be 1, so let us change the call to MOV EAX,1, which uses exactly the same number of bytes as the call (CALL rel32 is E8 plus 4 bytes and MOV EAX,imm32 is B8 plus 4 bytes, both 5 bytes, so nothing has to be padded with NOPs). Let Olly run and you see this:

    You did it. Or did you?

Well, yes and no; we are almost there, but there is a problem: when you restart the computer and run the program, it will reset the registration! Hmm, how can it do that? Well, it must change some file somewhere when I close the program. That part I will not look after. When it loads it must check it somewhere, in a file or a registry key, and that we must find. We could use Regmon or some other monitoring tool, but that won't get us any closer because it's not a registry key (how do I know? I checked). If it is not the registry it must be some other file, but there aren't any ini or dat files in the target's folder.

Now there are more ways to solve this. The first, long one is to find the breakpoint on btnOKManuallyClick and set it again, then let the program run until the breakpoint. Now you can look through the strings, see the string Settings and trace it down until you get the path to the file. The second one is to use your experience: if you have cracked for some time you would know that many apps use the ProgramData folder to store their settings files. So go to C:\ProgramData and you'll find a folder named AutoHideIP; click into that and you see the file Settings.dat. Now open that file with Notepad or another editor (I use Notepad++ V6.1.3) and you'll see this:

These are all the settings for the app. Look at line 1, RunTimes=148; hmm, it counts how many times the app has been started. Look at line 9, Activate.NeedReactivated=1; hmm, maybe that should be 0 instead. Maybe we can just change it to 0 and write-protect the file? Let's try that and load the file in Olly.

If you let the target run it will crash (it crashes because it can't write to the file, as we have just write-protected it). Hmm, well, let's use Olly to trace down where the app tries to write to the file. Maybe we can find where it loads the file and reads Activate.NeedReactivated. So how do we trace down to that? You just step with F8, and when you step over a call that makes the app crash you set a BP on it. Then restart the app, run to the breakpoint, step into that call, and step with F8 again until it crashes; do it all over again until you get here:


And why do I stop here? This call makes the app crash, and look at the comments: RunTimes. Can you remember that the first line in the settings file was RunTimes? Here it tries to write the new RunTimes number to the file, but it can't and crashes. Let us look in the strings now; if RunTimes appears there then Activate.NeedReactivated must be there too. (We could not look in the strings from the start because at that time the app had hidden all that information.)

Now click OK and place a BP on the 4 hits here:


(You can only set a BP on the hits that have a command before them, otherwise Olly complains.) Remove the old breakpoints, remove the write protection from the Settings.dat file (we need the app to read more than the first line of the settings file, and it only does that if it can write the RunTimes to the file) and restart the app in Olly. Now Olly breaks here:

Let's step down to the JE @ 0063CA56.

It made a call and then TEST AL,AL; that looks like it checks for a value (1 or 0) and then it jumps. Hmm, but wait, we have changed the Activate.NeedReactivated value to 0, so maybe the app should jump here? Let the program run.

Well, yes, it runs fine, so the program should always jump @ 0063CA56. So just change the JE to JMP (the safer patch; if you would rather patch the call, keep in mind that a JE after TEST AL,AL is only taken when AL is 0, so the patched call has to leave 0 in EAX) and this target is finally cracked.

    Applying the Patch

So, as always, just save the modification to file and run the cracked program. The first time you must disconnect from the net to get to the manual activation, and enter any code you want.

    Final Notes


That was a long one, but I wrote it because I think this was a good target to go very deep into, and to show you a simple way to find the right place to patch a Delphi program when DeDe fails.

I hope you enjoyed the tutorial and learned something. If you'd like to try again you can go patch the easy mode also.

    For questions and discussion regarding this tutorial and other interesting stuff go to R4ndoms forum:

    http://www.thelegendofrandom.com/forum/index.php

Thanks for now.

    -XOR06

    Thanks to:

    Random for showing me the light again

    nwokiller for all his help

    The SSECS team

Without these guys this wouldn't be possible.