Bypassing A Serial in A Delphi Program by XOR06

This document provides a tutorial on bypassing a serial check protection in a Delphi program called SolSuite Solitaire 2012. It describes using Ollydbg and DeDe to analyze the program and find the registration check. The key steps are: 1) Using DeDe to find the registration dialog code; 2) Stepping through the code in Ollydbg to find where it checks the serial; 3) Changing a flag to make it think the serial is valid. However, this only partially fixes it. Further analysis shows the check calls a long routine, and changing a jump at the end of that routine to always return a pass value fully bypasses the protection.

Uploaded by VuPhan

Bypassing a Serial in a Delphi program by XOR06

Intro

Welcome again, nice to see you back! In this tutorial we will be cracking the registration of a ‘real’ program
which uses a serial check protection. The twist on this one is that it is a Delphi program.

I assume that you know Olly and how to change flags etc., just basic knowledge. I also assume that you
know how to use DeDe (if not, please read R4ndom’s Tutorial #17: Working With Delphi Binaries). Do I have
to say “This is only for learning, so please: if you do like it, pay for it!”?

Remember, the best way to learn is to try to patch the program yourself first; if you don’t succeed (or if you
would like to see another approach), then read this tutorial. Have fun!

Toolz
Olly
DeDe

Target
SolSuite Solitaire 2012
You can find the target at http://www.solsuite.com/download.htm

Index
Intro
Toolz
Target
Investigate The Target
Target in DeDe
Finding the Serial check Patch
Final Notes
Thanks to:

Investigate The Target

Run the target and you’ll see this splash:

Then (if you press cancel to all the pop ups) you’ll see this:

If you choose the “About” in the “Help” menu this pops up:

Now try to choose the “Activate SolSuite” in the “Help” menu

We will attack this dialog so let’s input some info and click “Ok”
The Badboy!! Normally we would now load the target in Olly, but because this target is written in Delphi,
we will instead start with loading our target in DeDe.

Target in DeDe

Go to “Forms” and find TfmRegCode. This is our registration dialog (if in doubt, double-click it).
Then click on “Procedure” and find “TfmRegCode” in the left window.

Let’s take a look in the window on the right. The author of the target is trying to trick us. If we look for
btnOkClick we will never find anything!! But the name BtnHelp2Click we’ve never bumped into before,
and there is already a BtnHelpClick. That is weird, so let’s look into that BtnHelp2Click. It’s @ 0090714C.
Finding the Serial check Patch

Load Olly, go to that address from DeDe (0090714C) and set a BP.

Restart Olly, go to the Registration dialog and input your data like this

Press “Ok” and Olly breaks here

Ok, now we need to do a lot of tracing, and there are many loops, so remember that you can always place a
BP after a loop and just let Olly run the loop (just remember to remove the BP afterwards). Keep stepping till
you see this:

We have stepped through a lot of tests until we come here, but this is the first “Test AL,AL”, and that
triggered my interest. Why is this different? Set a BP on the JE command on the next line. If we do nothing
it will jump. Let us change that flag so it does not jump, and let Olly run.
Hmm, that was not right, but we are on the right track. Press “Cancel” and then “Ok” on the registration
dialog. Let Olly run till our new BP.

Now remove the BP (as it was not the right place) and continue stepping. Olly jumps to 00907510 and after
a few steps you should be at the next “Test AL,AL”

Last time we changed something around a Test AL,AL we got a new dialog, so it looks logical that these
decide what dialog to show. Let’s try again here. Set BP. Change the flags so it will jump and let Olly run.

Then you see this:

And then this

The Goodboy!! If you click “Cancel” here all is fine (until you update or look in the about box). But if you
click “Check for Updates” you’ll see this

So it looks like the patch has not made it all good (if you restart the target you will see that it has not
saved the registration). When clicking “Ok” here you will be back in the main program. You will not be able
to choose “Activate SolSuite” in the “Help” menu, because that part of our patch worked. So restart
Olly, work through the registration dialog again and break at our last BP.

Now we are here, and since the patch did not work for the entire registration check we will go a little
deeper into the code. We know that this JNZ is decided by the “Test AL,AL”, and if you were watching as you
were tracing down, you would have seen that AL is set in the Call just above at 00907524 (if you did not, you
should set a BP right before the Call and look at AL, then step over the Call and look at AL again).

Set a BP at that Call and let Olly run. Click “Ok” again and you should break here

Step into that Call and remember we want to return from it with AL = 1 so we make the jump.
If you scroll down you’ll see this is a long routine, but there are no RETNs, so it will run it all. So let’s look at
the end of this routine then.

Let’s look at this code for a while. There are no places where AL is set to 1, but there is a place where
BL is set to 1. Why is that? Well, Olly tells us that this routine ends at 005F3D75, and before that BL is never
moved into AL.

Look at this line I highlighted here

This “Push SolSuite.005F3D7D” pushes the address onto the stack, so when we hit the “RETN” command at
005F3D75 we will return to 005F3D7D!! Look at that line “Mov EAX, EBX” (in this case the same as MOV
AL,BL) and then the return out of this routine. So now we know that if BL = 1 it will be moved into AL before
leaving this routine. With that in mind look at 005F3D3D: as AL is always 0 when coming out of this
routine, it must jump at that JNZ!! (if you are not sure, set a BP on that JNZ and run).

Change that JNZ to JZ and save it to file. It will not work if you just let Olly run, because, as you may have
seen in the Olly information window when entering this routine, it is called from a lot of places. It is also
called before the program loads. Therefore you must choose between restarting Olly and activating the
patch, or just saving it to a file.
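From the defender’s side, what makes this walkthrough work is that the whole check collapses into one boolean (BL moved into AL) and one JNZ after the call. The C example below is added here and is neither the tutorial’s nor SolSuite’s code: it sketches a registration design in which the serial is used as key material for the unlocked content instead of being reduced to a flag, so there is no single jump to flip. The serial strings, feature text and byte mixing are constructed placeholders, not a real licensing scheme.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholders for this example; not SolSuite's data. */
#define FEATURE_TEXT "Premium: unlimited undo"
#define MAX_BLOB 64

/* Toy keystream: the serial bytes mixed with the byte position.
   A real build would use a KDF; the structure, not the mixing, is the point. */
static uint8_t ks_byte(const char *serial, size_t serial_len, size_t i) {
    return (uint8_t)serial[i % serial_len] ^ (uint8_t)(0x5A + 7 * i);
}

/* Build step (vendor side): seal the feature text with the genuine serial.
   Only the resulting blob ships in the binary; the serial itself does not. */
size_t seal_feature(const char *genuine_serial, const char *text,
                    uint8_t *blob, size_t cap) {
    size_t slen = strlen(genuine_serial), tlen = strlen(text);
    if (slen == 0 || tlen > cap) return 0;
    for (size_t i = 0; i < tlen; i++)
        blob[i] = (uint8_t)text[i] ^ ks_byte(genuine_serial, slen, i);
    return tlen;
}

/* Runtime: no compare and no boolean result. A wrong serial does not take a
   "bad boy" branch; it simply yields unusable bytes, so the TEST AL,AL / JNZ
   decision point seen in the walkthrough never exists in the first place. */
size_t unseal_feature(const uint8_t *blob, size_t len, const char *entered_serial,
                      char *out, size_t cap) {
    size_t slen = strlen(entered_serial);
    if (slen == 0 || len + 1 > cap) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(blob[i] ^ ks_byte(entered_serial, slen, i));
    out[len] = '\0';
    return len;
}

/* Only for checking the example: 1 if the entered serial reproduces the text.
   The protected program would consume the bytes, not compare them to a flag. */
int example_recovers_text(const char *genuine, const char *entered) {
    uint8_t blob[MAX_BLOB];
    char out[MAX_BLOB + 1];
    size_t n = seal_feature(genuine, FEATURE_TEXT, blob, sizeof blob);
    if (n == 0 || unseal_feature(blob, n, entered, out, sizeof out) != n) return 0;
    return strcmp(out, FEATURE_TEXT) == 0;
}
```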

Final Notes

Yeah that is it; the program runs as regged now. This just shows that it does not have to be much harder to
patch a program, just because it is written in Delphi.

For questions and discussion regarding this tutorial and other interesting stuff go to R4ndom’s forum:

http://www.thelegendofrandom.com/forum/index.php

Thanks for now..

-XOR06

Thanks to:

Random for showing me the light again
NwoKiller for all his help
DMichael for sharing his wisdom
The TPoDT team

Without these guys this wouldn’t be possible.
