7/30/2019 Another Way of Finding the Patch by XOR06
Another way to find the Patch by XOR06
Intro
As a cracker it is always important to hide yourself, and to help you do that I'll show you how to crack this IP-hider.
In this tutorial we will be cracking a registration scheme from a real program which has a 1 day trial and a corresponding nag. It checks the serial with the server, but only when you enter the serial. We are using a new way to find the right place to patch. We will go really deep into the code in this one.
I assume that you know Olly and how to change the flags, edit the asm code, search for constants and so on, just some basic knowledge. I would like to thank nwokiller and R4ndom for proofreading and the great support.
Remember, the best way to learn is to try to patch the program yourself first (please disconnect from the internet first, otherwise your attempt will be recorded on the server). If you don't succeed (or if you would like to see another approach) then read this tutorial. Have fun!
Toolz
Olly
ExeinfoPE
PExplorer R6
Notepad++ V6.1.3 (or notes)
Target
AutoHideIP-5.2.8.6
You can find the target at http://www.autohideip.com/
Index
Intro
Toolz
Target
Investigate the Target
Finding the Patch
Finding the Patch in Olly
Applying the Patch
Final Notes
Thanks to:
Investigate the Target
Run the target and you'll see this (if you do not see this, please set your Windows time forward 1 day):
We can click Cancel or Ok. Let us start with Cancel.
If you click Cancel the program exits, and we don't want to buy it, so let us click Enter SN and we come here again:
Okay, you can see that I input some dummy code and click Ok. If you haven't disconnected from the net you'll see this:
We'll click back and try again, but this time disconnect from the internet first. Now you see this:
Ahhh, we can also reg this app if we are not online!! Let's try that: click Manual.
Now you can see the Machine Data. Hmm, to get your right code you should send the company the machine code, so it must be used to calculate the correct serial. Well, we just want to patch this, so we should just enter the dummy serial again and press Ok, but there's a programming error, so if you do that it just tells you that the program is expired. You must restart the app so you see this.
Don't press Cancel, but just enter the dummy serial again and press Ok. Now you see this:
Press Manual.
Enter the dummy serial and press Ok.
There we got the badboy without the internet connection. Let us take a look at this target in Olly.
Finding the Patch
The target loads fine, but if you look for strings you won't find anything we can use, and if you try to use the execute-till-user-code trick or even try to use the call stack you don't find anything easy to go after. If you load the program in ExeinfoPE you see why:
Ahh, this is a Borland Delphi program, so we just load it in DeDe, right? Well, you can try that but it won't work; you don't find any forms or procedures. This is where this new approach comes in handy. Try to load the target in PExplorer and look at the resources.
You don't need to look in Strings or Dialog because you won't find anything, but look at the RC Data.
Yeah, that's right, here you can see the Forms! Let's take a look in the ACTIVATEFROM.
Go on into pcActive to see what it hides.
Can you see the tsManually? Could that be our manual activation form? Take a look into it.
As you can see it has all the controls we had on the Manually activation form: 4 labels, 2 buttons. Click on btnOKManually and scroll all the way down in the right window.
There you can see OnClick = btnOKManuallyClick, so that is the event handler it calls on click. As we know that Delphi uses these names to call the event handler (from R4ndom's Tutorial nr 17), we just have to search for this event name in the program. You can do this search in any hex-view app such as Hiew v8.10 or in the Olly memory map to get the address.
Finding the Patch in Olly
We will get the address of the event handler from Olly, so load the target file in Olly and open the memory map.
Click on the top line and search for btnOKManuallyClick.
We get a hit.
Scroll up a little and you see the address of the event handler!
Now you just have to remember the endianness, so the right address of the event handler is 630DE8. Let's go to that address.
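Why the handler's code address sits a few bytes before its name in memory: classic 32-bit Delphi keeps every published method (the OnClick handlers named in the form resource are published methods) in a per-class method table, each entry being a size word, the little-endian code address, then the name as a Pascal short string. The Python below is an added example, not code from the tutorial or from the target; the table layout is assumed from classic Delphi RTTI and the table itself, with its names and addresses, is constructed for the example.

```python
import struct

# Layout assumed for a classic 32-bit Delphi published-method table:
#   WORD  count
#   then, per method: WORD entry_size, DWORD code_address (little-endian),
#                     ShortString name (1 length byte + characters)
# This is why the bytes "E8 0D 63 00" appear right before the text
# "btnOKManuallyClick" and have to be read back to front as 00630DE8.

def build_entry(addr, name):
    """Encode one method-table entry; used only to construct sample data."""
    body = struct.pack("<I", addr) + bytes([len(name)]) + name.encode("latin-1")
    return struct.pack("<H", 2 + len(body)) + body

# Constructed sample table: names and addresses are made up for this
# example, not taken from the tutorial's target.
SAMPLE_TABLE = (
    struct.pack("<H", 2)
    + build_entry(0x00630D40, "FormCreate")
    + build_entry(0x00630DE8, "btnOKManuallyClick")
)

def parse_method_table(blob, offset=0):
    """Return {method_name: code_address} for the table starting at offset."""
    (count,) = struct.unpack_from("<H", blob, offset)
    pos = offset + 2
    methods = {}
    for _ in range(count):
        entry_size, addr = struct.unpack_from("<HI", blob, pos)
        name_len = blob[pos + 6]
        name = blob[pos + 7:pos + 7 + name_len].decode("latin-1")
        methods[name] = addr
        pos += entry_size          # entry_size includes the size word itself
    return methods

def address_of_handler(blob, handler_name):
    """Look up one OnClick handler by name, as the memory-map search does."""
    return parse_method_table(blob).get(handler_name)

if __name__ == "__main__":
    for name, addr in parse_method_table(SAMPLE_TABLE).items():
        print(f"{name:<22} {addr:08X}")
```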
This is the start of the btnOKManuallyClick event handler. Place a BP here and let the app run (still remember to disconnect from the net) and click your way to this again.
Enter your dummy serial and click Ok, and Olly breaks here.
Start stepping the code and you will see that @ 00630E14 it moves our serial into EAX, so now we wake up.
If you click into the call @ 00630E21 or 00630E2A you'll see two large routines which are called from more than 10 places; that is a lot if it is a serial check! That together with the fact that EAX still holds our serial and
that there are no jumps around them tells me that the serial check is not in there. Let's look at the call @ 00630E31. Right after it there is a TEST AL,AL and a conditional jump! Could this be it? If you step one more time you see that your string in EAX is gone and that AL=0, so this jump would not jump! Let's change the flag so it jumps and let the app run.
Well, that was the right place!! But if you click Ok you see this:
Well, this patch was not deep enough, so let us go much deeper into the code and make the patch. Restart the target in Olly and go to the call @ 00630E31.
Okay, we know now that AL must be = 1 so it jumps @ 00630E38. So let's go into this call and remember that AL should be 1 when we hit return.
Ok, this looks good; this routine is only called from 2 places. If you step down to the conditional jump @ 0063C273 you can see that this will jump as AL = 0. It will jump down to 0063C2C5 where it will XOR EBX,EBX, which sets EBX to 0. But why is it interesting what EBX is? Well, look @ 0063C2CE: here it moves EBX into EAX, and as you may remember we needed AL to be = 1. If we change the JE @ 0063C273 so it doesn't jump it will run all the code after. If you look @ 0063C2C1 you can see a MOV BL,1 command, so if we don't jump BL will be set to 1 and afterwards that is moved into EAX, so when we come down to RETN 8 @ 0063C3D4 EAX is 1 as it should be.
If you try it you'll see that this is still not deep enough. We know that the JE @ 0063C273 should fall through, so AL should be 1. Let us go into the call @ 0063C26C and remember that we should return from that call with AL = 1.
Hmm, there are no conditional jumps in this routine, but that does not mean we are in the wrong place. Let's take a look into the last part of this routine.
Remember we need AL to be 1 when we hit the RETN command @ 0063C201. (Because of the PUSH @ 0063C1E1, the RETN @ 0063C1F3 just makes you JMP to 0063C1FB.) Okay, look at the code @ 0063C1FB: it moves EBX into EAX, so before the PUSH @ 0063C1E1 BL must be 1. @ 0063C1D7 EAX is moved into EBX, so in the call @ 0063C1D2 EAX must be set to 1, right? Well, let's go deeper and make that happen. Go into the call.
As we can see this looks a lot like the routine we just saw, and in fact we must do the very same again here. We need to go into the call @ 006357C0 and make sure that EAX is set to 1, because we still need AL to end up being 1. So let's go deeper. Go into the call @ 006357C0.
Well, now we are in a large routine with a lot of jumps, but we just need to focus on the fact that we need to return from here with EAX=1. So scroll down to the end of this routine.
Well, this looks just like the other 2 routines we just came from, so you may suggest that we go into the call @ 006358EB, but if you go in there you will come to a routine which is called from over 70 places (it is used to decide what object to load). So if we change anything there it will not only affect the serial check but also everything else. That is not good, so we will not go in there. We are now as deep as we can go! Let's make the patch here then.
Can you still remember what we need? Yes, we need EAX to be 1, so let us change the call to MOV EAX,1, which uses the same number of bytes as the call. Let Olly run and you see this:
You did it. Or did you?
Well, yes and no. We are almost there, but there is a problem: when you restart the computer and run the program, it will reset the registration! Hmm, how can it do that? Well, it must change some file somewhere when I close the program. That part I will not look after. When it loads it must check it somewhere, in a file or a registry key, and that we must find. We could use Regmon or some other monitoring tool, but that won't get us any closer because it's not a registry key (how do I know? I checked). If it is not the registry it must be some other file, but there aren't any ini or dat files in the target's folder.
Now there are more ways to solve this. The first, long one is to find the breakpoint on btnOKManuallyClick and set it again, and let the program run until the breakpoint. Now you can look through the strings, see the string Settings and then trace it down until you get the path to the file. The second one is
to use your experience: if you have cracked for some time you would know that many apps use the ProgramData folder to store their settings files. So go to C:\ProgramData and you'll find a folder named AutoHideIP; click into that and you see the file Settings.dat. Now open that file with Notes or another editor (I use Notepad++ V6.1.3) and you'll see this:
These are all the settings for the app, and look at line 1, RunTimes=148. Hmm, it counts when it starts the app. Look at line 9, Activate.NeedReactivated=1. Hmm, maybe that should be 0 instead. Maybe we can just change it to 0 and write-protect the file? Let's try that and load the file in Olly.
If you let the target run it will crash. Hmm, well, let's use Olly to trace down where the app tries to write to the file (it crashes because it can't write to the file as we have just write-protected it). Maybe we can find where it loads the file and reads Activate.NeedReactivated. So how do we trace down to that? You just step with F8, and when you step over a call that makes the app crash you set a BP on it. Then restart the app, run to the breakpoint and step into that call, and step with F8 again until it crashes, and do it all over again until you get here.
And why do I stop here? This call makes the app crash, and look at the comments: RunTimes. Can you remember that the first line in the settings file was RunTimes? Here it tries to write the new RunTimes number to the file, but it can't and crashes. Let us look in the Strings now; if RunTimes appears there then Activate.NeedReactivated must be there too. (We could not look in the strings from the start because at that time the app had hidden all that information.)
Now click Ok and place a BP on the 4 hits here:
(You can only set a BP on the hits that have a command before them, otherwise Olly complains.) Remove the old breakpoints, remove the write protection from the Settings.dat file (we need the app to read more than the first line in the settings file, and it only does that if it can write the RunTimes to the file) and restart the app in Olly. Now Olly breaks here.
Let's step down to the JE @ 0063CA56.
It made a call and then TEST AL,AL; that looks like it checks for a value (1 or 0) and then it jumps. Hmm, but wait, we have changed the Activate.NeedReactivated value to 0, so maybe the app should jump here? Let the program run.
Well, yes, it runs fine, so the program should always jump @ 0063CA56. So just change the JE to JMP (or change the call to MOV EAX,1) and this target is finally cracked.
Applying the Patch
So, as always, just save the modification to file and run the cracked program. The first time you must disconnect from the net to get to the manual activation, and enter any code you want.
Final Notes
That was a long one, but I wrote it because I think this was a good target to go very deep and to show you a simple way to find the right place to patch a Delphi program when DeDe fails.
I hope you enjoyed the tutorial and learned something. If you'd like to try again you can go patch the easy mode also.
For questions and discussion regarding this tutorial and other interesting stuff go to R4ndom's forum:
http://www.thelegendofrandom.com/forum/index.php
Thanks for now..
-XOR06
Thanks to:
Random for showing me the light again
nwokiller for all his help
The SSECS team
Without these guys this wouldn't be possible.