Cracking Delphi Programs

By CodeRipper
Tools used: DeDe by DaFixer, Olly debugger, PE Explorer, De Decompiler Lite

I. Let you familiarize with Delphi:

A form is a class which contain a lot of buttons, radiobutons etc. So if we have a form called TfrmPurchase we can have a lot of properties/events: TfrmPurchase.btnOKClick called when we click OK TfrmPurchase.btnCancelClick - called when we click Cancel TfrmPurchase.FormCreate is called when the form is created; default when you double click on Form TfrmPurchase.FormShow - is called when the form is showed TfrmPurchase.TimerTimer is called when the timer is out (something like WM_TIMER from VISUAL C++) TfrmPurchase.Edit1Change - called when the contents of Edit1 is changed TfrmPurchase.Memo1Change - called when the contents of Memo1 is changed If we have on the body of TForm1.Button1Click (under Nag Form.exe): Form1.DestroyWindowHandle; // kill Form1 Form2.ShowModal; // show the Form2 Form3.ShowModal; // show the Form3 The code will look like this: 0045241F MOV EAX,DWORD PTR DS:[455B74] ; reference to Form1 (under Class Information the BSS value) 00452424 MOV EDX,DWORD PTR DS:[EAX] ; now edx contain VMT Ptr (Classes Info in DeDe) 00452426 CALL DWORD PTR DS:[EDX+B4] 0045242C MOV EAX,DWORD PTR DS:[454378] ; reference to TForm2 instance (DATA) 00452431 MOV EAX,DWORD PTR DS:[EAX] ; now eax contains the HEAP value 00452433 MOV EDX,DWORD PTR DS:[EAX] ; now edx contain VMT Ptr 00452435 CALL DWORD PTR DS:[EDX+F8] 0045243B MOV EAX,DWORD PTR DS:[454220] ; reference to TForm2 instance ; (DATA) 00452440 MOV EAX,DWORD PTR DS:[EAX] 00452442 MOV EDX,DWORD PTR DS:[EAX] 00452444 CALL DWORD PTR DS:[EDX+F8] For finding these values you must go at Classes Info (in DeDe), double click on the wanted form and look on the right part you will see DATA,BSS,HEAP. A class is an abstract structure witch contains methods and variables (properties). An object is an instance of one class, a materialization of a class. Objects are kept in a special memory called HEAP.

Delphi use for parsing parameters to functions EAX, EDX, ECX, if they are more then 3 parameters will be used the stack (push parameter_4, push parameter_5). Note that these parameters are passed in reverse order. Delphi deals with global and local variables reference it on the following way: - [ebp+value] means that is pointer to a global variable - [ebp-value] means that it is pointer to a local variable Example: 00484A6C 8B45FC mov eax, [ebp-$04] ; pointer to a local variable in eax 00484A6F E830F1F7FF call 00403BA4 ; call System.LStrOfChar()

II. How a Delphi program looks at entry point:

The code of program: begin Application.Initialize; Application.CreateForm(TForm1, Form1); the NAG form which is first created Application.CreateForm(TForm2, Form2); Application.CreateForm(TForm3, Form3); Application.Run; end. The compiled code will be: 00452668 PUSH EBP 00452669 MOV EBP,ESP 0045266B ADD ESP,-10 0045266E MOV EAX,004524C0 00452673 CALL .00405C94 ; this is the _InitExe routine that also initialize units 00452678 MOV EAX,DWORD PTR DS:[454260] ; TApplication instance (Classes Info) 0045267D MOV EAX,DWORD PTR DS:[EAX] 0045267F CALL .00450578 ; Forms.TApplication.Initialize() 00452684 MOV ECX,DWORD PTR DS:[454344] ; for killing the Form1 we must change ; this to jmp 0045269C ; You should notice that the first form which is created is considerate here as being the main form 0045268A MOV EAX,DWORD PTR DS:[454260] 0045268F MOV EAX,DWORD PTR DS:[EAX] 00452691 MOV EDX,DWORD PTR DS:[452274] 00452697 CALL .00450590 ; Application.CreateForm(TForm1, Form1); 0045269C MOV ECX,DWORD PTR DS:[454378] 004526A2 MOV EAX,DWORD PTR DS:[454260] 004526A7 MOV EAX,DWORD PTR DS:[EAX] 004526A9 MOV EDX,DWORD PTR DS:[451F04] 004526AF CALL .00450590 ; Application.CreateForm(TForm2, Form2); 004526B4 MOV ECX,DWORD PTR DS:[454220] 004526BA MOV EAX,DWORD PTR DS:[454260] 004526BF MOV EAX,DWORD PTR DS:[EAX] 004526C1 MOV EDX,DWORD PTR DS:[4520C8] 004526C7 CALL .00450590 ; Application.CreateForm(TForm3, Form3); 004526CC MOV EAX,DWORD PTR DS:[454260]

004526D1 MOV EAX,DWORD PTR DS:[EAX] 004526D3 CALL .00450610 ; Application.Run; 004526D8 CALL .00403DC8 ; close the application (call ExitProcess) _InitExe - Initialization of units means running its initialization code. So you must step into 00405C94 and trace until you reach the IniUnits() routine. If you enter under 00405C94 you will see a GetModuleHandleA, after that is a call in which you must enter, after you enter inside him you will see another one -> step over this call whit F8 and return (RETN), you will see another call -> this time step into this call and you will find: 00403C1C MOV DWORD PTR DS:[455014],JMP.&kernel32.RaiseException 00403C26 MOV DWORD PTR DS:[455018],JMP.&kernel32.RtlUnwind 00403C30 MOV DWORD PTR DS:[45563C],EAX 00403C35 XOR EAX,EAX 00403C37 MOV DWORD PTR DS:[455640],EAX 00403C3C MOV DWORD PTR DS:[455644],EDX 00403C42 MOV EAX,DWORD PTR DS:[EDX+4] 00403C45 MOV DWORD PTR DS:[45502C],EAX 00403C4A CALL .00403B08 00403C4F MOV BYTE PTR DS:[455034],0 00403C56 CALL .00403BB4 ; you must trace into inside this one 00403C5B RETN If you enter inside call 00403BB4 you will find: 00403BDC CMP EDI,EBX 00403BDE JLE SHORT .00403BF7 00403BE0 MOV EAX,DWORD PTR SS:[EBP-4] 00403BE3 MOV ESI,DWORD PTR DS:[EAX+EBX*8] ; prepare the offset of initialization ; routine of a unit 00403BE6 INC EBX ; increase processed units counter 00403BE7 MOV DWORD PTR DS:[455640],EBX 00403BED TEST ESI,ESI ; is there any initialization routine for this unit? 00403BEF JE SHORT .00403BF3 ; if no, then process next unit 00403BF1 CALL ESI ; else call it! 00403BF3 CMP EDI,EBX ; did we processed all units? 00403BF5 JG SHORT .00403BE0 ; if no go back You can get a list whit all units from the program: Open the exe file with PE Explorer and go to Resource Viewer/Editor; double click on RC Data and click to PACKAGEINFO and you will see a list with all units from the program.

How we can simply find the offset of a method:

Load CrackMe#3.exe in Resource Tuner or PE Explorer and go at RC Data. TFORM1 has two buttons Button1 and Button2, Button1 has the event OnClick Button1Click and Button2 has the event OnClick Button2Click. Also we have a menu called MainMenu1 a submenu called Help1 and the menu item is called About1 -> About1 has the event OnClick About1Click.

In the case of an Editbox we could also have the event OnChange Edit1Change (called when the text from Edit1 is changed). Next step: We load the file under a hexeditor and we search for the ASCII string "Button1Click": 000531C0 000531D0 000531E0 000531F0 07 42 75 74 74 6F 6E 31 61 62 65 6C 31 F8 02 00 6C 32 01 00 13 00 28 3E 6E 31 43 6C 69 63 6B 05 F4 02 00 00 01 00 06 4C 00 01 00 06 4C 61 62 65 45 00 0C 42 75 74 74 6F 54 47 6F 6F 64 02 00 60 .Button1......L abel1......Labe l2....(>E..Butto n1Click.TGood..

The red value before the finded string represents the address of methods called when you click "Button1": 00453E28 Similar in the case of About1 we have 00454814. Similar in the case of Label3Click we have 00454824.

How we can easily find the code executed when you press a button or a menu items
Purpose of this: You got the code called when you click a menu item and we want to find the address which is called when you click on any menu item! Same things works for a Visual C++ program which use MFC42.DLL. 1. In the case of labels/buttons: We set a breakpoint to 00454824, we click on Label3 and after we return from 00454824 we find: 0043248E TEST BYTE PTR DS:[EBX+1C],10 00432492 JNZ SHORT CrackMe#.004324A6 00432494 CMP DWORD PTR DS:[EBX+6C],0 00432498 JE SHORT CrackMe#.004324A6 0043249A MOV EDX,EBX 0043249C MOV EAX,DWORD PTR DS:[EBX+6C] 0043249F MOV ECX,DWORD PTR DS:[EAX] 004324A1 CALL DWORD PTR DS:[ECX+18] 004324A4 JMP SHORT CrackMe#.004324BE 004324A6 CMP WORD PTR DS:[EBX+122],0 004324AE JE SHORT CrackMe#.004324BE 004324B0 MOV EDX,EBX 004324B2 MOV EAX,DWORD PTR DS:[EBX+124] 004324B8 CALL DWORD PTR DS:[EBX+120] ; this one calls the method 00454824 004324BE POP EBX ; we are here 004324BF RETN The address 004324B8 is called in the case of all buttons and all of labels, just set a breakpoint on it.

2. In the case of menu items: We set a breakpoint to 00454814, we click on About and after we return from 00454814 we find: 00442791 MOV EAX,DWORD PTR DS:[EAX+40] 00442794 CMP EAX,DWORD PTR DS:[EBX+88] 0044279A JE SHORT CrackMe#.004427AC 0044279C MOV EDX,EBX 0044279E MOV EAX,DWORD PTR DS:[EBX+8C] 004427A4 CALL DWORD PTR DS:[EBX+88] 004427AA JMP SHORT CrackMe#.004427DC 004427AC TEST BYTE PTR DS:[EBX+1C],10 004427B0 JNZ SHORT CrackMe#.004427C4 004427B2 CMP DWORD PTR DS:[EBX+44],0 004427B6 JE SHORT CrackMe#.004427C4 004427B8 MOV EDX,EBX 004427BA MOV EAX,DWORD PTR DS:[EBX+44] 004427BD MOV ECX,DWORD PTR DS:[EAX] 004427BF CALL DWORD PTR DS:[ECX+18] 004427C2 JMP SHORT CrackMe#.004427DC 004427C4 CMP WORD PTR DS:[EBX+8A],0 004427CC JE SHORT CrackMe#.004427DC 004427CE MOV EDX,EBX 004427D0 MOV EAX,DWORD PTR DS:[EBX+8C] 004427D6 CALL DWORD PTR DS:[EBX+88] ; this one calls the method 00454814 004427DC POP ESI ; we are here 004427DD POP EBX 004427DE RETN The address 004427D6 is called in the case of all buttons and all of menu items, just set a breakpoint on it.

Disable a menu item:

EnableMenuItem api is sometimes used to disable a menu item: 0012F074 0012F078 0012F07C 0012F080 0044C24A CALL to EnableMenuItem from CrackMe#.0044C245 002E0598 hMenu = 002E0598 0000F020 ItemID = F020 (61472.) 00000001 Flags = MF_BYCOMMAND|MF_GRAYED|MF_STRING

Also can be used AppendMenuA or AppendMenuW: BOOL AppendMenu( HMENU hMenu, UINT uFlags, UINT_PTR uIDNewItem, LPCTSTR lpNewItem

); If the uFlags is 1 the menu item will be disabled, if uFlags is 0 the menu item will be enabled!

I. Killing NAG FORMS

Do he ReleaseCapture on Olly (ReleaseCapture is from user32.dll) under same way can be also used for MessageDlg/ShowMessage You should see something like this: 0045306D MOV DL,1 0045306F MOV EAX,DWORD PTR DS:[410458] 00453074 CALL HelpMan_.0040CB8C 00453079 CALL HelpMan_.004037B0 0045307E CALL JMP.&user32.GetCapture 00453083 TEST EAX,EAX 00453085 JE SHORT HelpMan_.00453098 00453087 PUSH 0 ; lParam = 0 00453089 PUSH 0 ; wParam = 0 0045308B PUSH 1F ; Message = WM_CANCELMODE 0045308D CALL JMP &user32.GetCapture 00453092 PUSH EAX ; hWnd 00453093 CALL JMP.&user32.SendMessageA 00453098 CALL JMP.&user32.ReleaseCapture 0045309D MOV EAX,DWORD PTR SS:[EBP-4] ; ReleaseCapture return to this 004530A0 OR BYTE PTR DS:[EAX+2CC],8 004530A7 CALL JMP.&user32.GetActiveWindow Delete the hardware breakpoint and set a hardware breakpoint to last ret and Run with F9. Press Continue on form. You should now break to last ret. Now we step over with F8 a lot of times until we see something like this: 006A0349 MOV EAX,DWORD PTR DS:[6AB3EC] 006A034E MOV EAX,DWORD PTR DS:[EAX] 006A0350 MOV EDX,DWORD PTR DS:[EAX] 006A0352 CALL DWORD PTR DS:[EDX+D8] ; this create the form which could be a nasty NAG - nop him and you will kill the NAG! 006A0358 MOV EAX,DWORD PTR DS:[6AB76C] ; we land here A strange way to kill the NAG: For some NAGS replace at 006A0352 with the method called when you click Try or Continue ( example: call TReminderForm.TryButtonClick) and now the beach always starts without NAG!

II. Killing hardest NAGS:

For some nags first way (replaing the NAG creation whit nop) wont work so here is the second way of doing it. Do he ReleaseCapture on Olly (ReleaseCapture is from user32.dll) You will now break to user32 code, return from it and you will see: (this is common to all Delphi functions): 00492477 MOV DL,1 00492479 MOV EAX,DWORD PTR DS:[419F78] 0049247E CALL scrwon.0040E2A0 00492483 CALL scrwon.0040427C 00492488 CALL scrwon.00407680 ; JMP to USER32.GetCapture 0049248D TEST EAX,EAX 0049248F JE SHORT scrwon.004924A2 00492491 PUSH 0 00492493 PUSH 0 00492495 PUSH 1F 00492497 CALL scrwon.00407680 ; JMP to USER32.GetCapture 0049249C PUSH EAX 0049249D CALL scrwon.004079A0 ; JMP to USER32.SendMessageA 004924A2 CALL scrwon.00407960 ; JMP to USER32.ReleaseCapture 004924A7 MOV EAX,DWORD PTR DS:[5CCBF0] ; we land here 004924AC CALL scrwon.0049535C 004924B1 XOR EAX,EAX 004924B3 PUSH EBP 004924B4 PUSH scrwon.004926D5 004924B9 PUSH DWORD PTR FS:[EAX] 004924BC MOV DWORD PTR FS:[EAX],ESP 004924BF MOV EAX,DWORD PTR SS:[EBP-4] 004924C2 OR BYTE PTR DS:[EAX+2F4],8 004924C9 CALL scrwon.00407670 ; JMP to USER32.GetActiveWindow Delete the hardware breakpoint and set a hardware breakpoint to the last ret from code and Run with F9. Press Continue on form. You should now break at last ret. Now step over with F8 until we see something like: 005BFAB9 MOV EDX,DWORD PTR DS:[5CBC24] 005BFABF MOV DWORD PTR DS:[EDX],EAX 005BFAC1 MOV EAX,DWORD PTR DS:[5CBC24] 005BFAC6 MOV EAX,DWORD PTR DS:[EAX] 005BFAC8 MOV EDX,DWORD PTR DS:[EAX] 005BFACA CALL DWORD PTR DS:[EDX+EC] ; this create the code 005BFAD0 MOV EAX,DWORD PTR DS:[5CBC24] ; we land here Now restart the application and set hardware breakpoint on execute to 005BFACA. You should now break to 005BFACA step into this call and you will see: .. 0049252B PUSH EBP 0049252C PUSH scrwon.004926B3 00492531 PUSH DWORD PTR FS:[EAX] 00492534 MOV DWORD PTR FS:[EAX],ESP

00492537 0049253A 0049253F 00492541 00492542 00492547 0049254A 0049254D 0049254F 00492551 00492556 00492559 0049255E 0049255F 00492564 00492567 00492569 0049256F 00492574 00492579 0049257E 00492585 00492587 0049258A 00492594 00492596 00492599 004925A0 004925A2 004925A5 004925AA 004925AD 004925B4

MOV EAX,DWORD PTR SS:[EBP-4] CALL scrwon.00492350 XOR EAX,EAX PUSH EBP PUSH scrwon.00492607 PUSH DWORD PTR FS:[EAX] MOV DWORD PTR FS:[EAX],ESP PUSH 0 PUSH 0 PUSH 0B000 MOV EAX,DWORD PTR SS:[EBP-4] CALL scrwon.00476A8C PUSH EAX CALL scrwon.004079A0 ; JMP to USER32.SendMessageA MOV EAX,DWORD PTR SS:[EBP-4] XOR EDX,EDX MOV DWORD PTR DS:[EAX+24C],EDX MOV EAX,DWORD PTR DS:[5CCBF0] CALL scrwon.004964D8 MOV EAX,DWORD PTR DS:[5CCBF0] CMP BYTE PTR DS:[EAX+9C],0 JE SHORT scrwon.00492596 (74 04) MOV EAX,DWORD PTR SS:[EBP-4] MOV DWORD PTR DS:[EAX+24C],2 JMP SHORT scrwon.004925AA MOV EAX,DWORD PTR SS:[EBP-4] CMP DWORD PTR DS:[EAX+24C],0 JE SHORT scrwon.004925AA MOV EAX,DWORD PTR SS:[EBP-4] CALL scrwon.004922A4 MOV EAX,DWORD PTR SS:[EBP-4] CMP DWORD PTR DS:[EAX+24C],0 JE SHORT scrwon.0049256F

This code is a loop which wait for user to press a button, if button Continue is pressed the je from 00492585 will jump and the application will actually run. But this code is used for all forms of application and if you change the je forever you will have a bug. So we must change code at 005BFACA to jump to our code cave. In our code cave we enter: MOV BYTE PTR [00492585],075 ; change je to jne CALL DWORD PTR DS:[EDX+0EC] ; call the changed code MOV BYTE PTR [00492585],074 ; we restore back to je JMP 005BFAD0 ; jump right after NAG creation The problem: The NAG is still showed for some seconds. I tried to find a way to set a form invisible butt I couldnt do. Form1.Hide; Form2.Show;

Form3.Show; get translated into: 0045103C MOV EAX,DWORD PTR DS:[454B74] 00451041 CALL Project1.0044B808 ; Form1.Hide 00451046 MOV EAX,DWORD PTR DS:[453358] 0045104B MOV EAX,DWORD PTR DS:[EAX] 0045104D CALL HideForm.0044B810 ; Form2.Show 00451052 MOV EAX,DWORD PTR DS:[453200] 00451057 MOV EAX,DWORD PTR DS:[EAX] 00451059 CALL Project1.0044B810 ; Form3.Show Under Form1.Hide you will see: 0044B808 XOR EDX,EDX 0044B80A CALL .00447BBC 0044B80F RETN Under Form2.Show/ Form3.Show you will see: 0044B810 PUSH EBX 0044B811 MOV EBX,EAX 0044B813 MOV DL,1 0044B815 MOV EAX,EBX 0044B817 CALL HideForm.00447BBC 0044B81C MOV EAX,EBX 0044B81E CALL Project1.0042DF74 0044B823 POP EBX 0044B824 RETN We set a breakpoint on SetWindowPos and you will fiind: 0044FDC8 PUSH EBP 0044FDC9 MOV EBP,ESP 0044FDCB PUSH EBX 0044FDCC MOV EBX,EAX 0044FDCE MOV EAX,DWORD PTR SS:[EBP+8] 0044FDD1 MOV EAX,DWORD PTR DS:[EAX-4] ; mov in eax contents of DWORD PTR DS:[453B40], now EAX = 00951294 0044FDD4 MOV EAX,DWORD PTR DS:[EAX+30h] ; hwnd pointed by DS:[009512C4] hWnd = 'Project1',class='TApplication' 0044FDD7 PUSH EAX ; hWnd 0044FDD8 CALL JMP.&user32.IsWindowVisible 0044FDDD CMP EAX,1 0044FDE0 SBB EAX,EAX 0044FDE2 INC EAX 0044FDE3 CMP AL,BYTE PTR DS:[451FCC] 0044FDE9 JNZ SHORT .0044FE1E 0044FDEB CMP BL,BYTE PTR DS:[451FCC] 0044FDF1 JE SHORT .0044FE1E 0044FDF3 MOVZX EAX,BL 0044FDF6 MOVZX EAX,WORD PTR DS:[EAX*2+451FD0] ; we patch this to put in eax 97h so the form will be hidden!

0044FDFE PUSH EAX ; Flags = SWP_NOSIZE|SWP_NOMOVE| SWP_NOZORDER|SWP_NOACTIVATE|SWP_HIDEWINDOW (97h) 0044FDFF PUSH 0 ; Height = 0 0044FE01 PUSH 0 ; Width = 0 0044FE03 PUSH 0 ;Y=0 0044FE05 PUSH 0 ;X=0 0044FE07 PUSH 0 ; InsertAfter = HWND_TOP 0044FE09 MOV EAX,DWORD PTR SS:[EBP+8] 0044FE0C MOV EAX,DWORD PTR DS:[EAX-4] ; For Form1 - 00951294 0044FE0F MOV EAX,DWORD PTR DS:[EAX+30] ; handle of Window 0044FE12 PUSH EAX ; hWnd = 001700A2 ('Project1',class='TApplication') 0044FE13 CALL JMP.&user32.SetWindowPos 0044FE18 MOV BYTE PTR DS:[451FCC],BL 0044FE1E POP EBX 0044FE1F POP EBP 0044FE20 RETN When the form is showed SWP_HIDEWINDOW (97h) is replaced by SWP_SHOWWINDOW (value is 57h) Few line down you will see: 0044FE24 PUSH EBP 0044FE25 MOV EBP,ESP 0044FE27 PUSH ECX 0044FE28 PUSH EBX 0044FE29 PUSH ESI 0044FE2A PUSH EDI 0044FE2B MOV DWORD PTR SS:[EBP-4],EAX 0044FE2E MOV EAX,DWORD PTR SS:[EBP-4] 0044FE31 CMP DWORD PTR DS:[EAX+30],0 0044FE35 JE SHORT .0044FEA3 0044FE37 MOV EAX,DWORD PTR DS:[454B44] 0044FE3C CALL .0044CA00 0044FE41 MOV ESI, EAX ; return number of Forms (03) 0044FE43 DEC ESI 0044FE44 TEST ESI,ESI 0044FE46 JL SHORT .0044FE9A 0044FE48 INC ESI 0044FE49 XOR EDI,EDI ; prepare the counter 0044FE4B MOV EDX,EDI ; begin of loop 0044FE4D MOV EAX,DWORD PTR DS:[454B44] 0044FE52 CALL .0044C9EC 0044FE57 MOV EBX,EAX 0044FE59 CMP BYTE PTR DS:[EBX+57],0 ; always 0 when is hidden while when is showed is second time 1 0044FE5D JE SHORT .0044FE96 0044FE5F CMP DWORD PTR DS:[EBX+198],0 0044FE66 JE SHORT .0044FE8B 0044FE68 MOV EAX,EBX

0044FE6A 0044FE6F 0044FE71 0044FE73 0044FE79 0044FE7A 0044FE7C 0044FE81 0044FE82 0044FE87 0044FE89 0044FE8B 0044FE8C 0044FE8E 0044FE93 0044FE94 0044FE96 0044FE97 0044FE98 0044FE9A 0044FE9B 0044FE9D 0044FEA2 0044FEA3 0044FEA4 0044FEA5 0044FEA6 0044FEA7 0044FEA8

CALL Project1.00434E90 TEST AL,AL JE SHORT Project1.0044FE8B MOV EAX,DWORD PTR DS:[EBX+198] PUSH EAX MOV EAX,EBX CALL Project1.00434BBC PUSH EAX ; hParent CALL user32.IsChild TEST EAX,EAX JNZ SHORT.0044FE96 PUSH EBP MOV AL,1 CALL .0044FDC8 ; is called when a Form is showed POP ECX JMP SHORT .0044FEA3 INC EDI DEC ESI JNZ SHORT .0044FE4B PUSH EBP XOR EAX,EAX CALL .0044FDC8 ; is called when a Form is hidden POP ECX POP EDI POP ESI POP EBX POP ECX POP EBP RETN

This is all. I hope you enjoy reading this.