Old 11-03-2004, 12:42
Satyric0n
Hi lorn,

I think I wasn't very clear in what I was trying to say... I'm pretty sure I unpacked it correctly (by hand, mind you), but even the original packed binary acted funny on my computer. It refused to get any stock quotes whatsoever. I think I effectively cracked it, but since the whole app was broken on my computer (even packed/uncracked), I wasn't able to test it...

As for tracking the registry calls, my 2 cents here would be that since the app was written with Delphi 5, just use IDA (or something similar) to get the address of the TRegistry class constructor and methods, then set breakpoints there. (This is, of course, assuming that the authors used the TRegistry class instead of calling the winapi registry calls directly.) This way, you can see the high-level parameters passed into the VCL methods, which are nice and easy to read.

Regards,
Satyric0n

EDIT: Also, yes, the license key is stored in plain text in the registry. As I said, I found the 'Enter License Key' form's validation code, the code that then loads the key from the registry on app startup, and the code that shows the license/trial info on the about screen. If you want any specifics on these, I will be happy to provide them.

EDIT2:
Quote:
Originally Posted by gabri3l
I reached 500000 by adding the virtual address space of 400000 to the size of the code section. When your executable is run it is loaded into memory. For more info check out hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/virtual_address_space.asp

So with a code section starting at 1000 and a virtual address space starting at 400000 you get 401000 as the start of the code section when it is loaded into memory. Now you know that the size of your code section is 113000. So 401000 + 113000 gives you 514000. That is the end of your code section. I just rounded down to 500000 but to be specific you would have traced until eip < 514000.
Of course, all this is assuming you need to trace (which I would argue, is not very often). If you don't need to see the actual trace results, it is much easier to set a memory on-access breakpoint on the whole .code section.

Last edited by Satyric0n; 11-03-2004 at 13:09.
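The address arithmetic in the quoted post (image base plus the section's RVA, plus its virtual size, giving 401000 to 514000) can be read straight out of the PE headers instead of worked out by hand. The following is an added example, not code from either poster: a small PE32/PE32+ section-table parser, run against a constructed minimal header that reuses the quoted numbers (the section name CODE, the header bytes and every offset are constructed for the example).

```python
import struct


def section_ranges(pe: bytes) -> dict:
    """Return {section name: (va_start, va_end)} in the loaded image's address
    space, i.e. ImageBase + VirtualAddress up to + VirtualSize (end exclusive).
    Malformed headers raise instead of producing a guessed range."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ranges = {}
    sec = opt + opt_size                      # section table follows the optional header
    for i in range(nsections):                # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", pe, sec + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ranges[name] = (image_base + va, image_base + va + vsize)
    return ranges


def build_sample_pe() -> bytes:
    """Constructed PE32 header only (not a runnable program): ImageBase 0x400000
    and one section 'CODE' at RVA 0x1000 with VirtualSize 0x113000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 224                                              # standard PE32 size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      0x1000, 0x1000, 0x114000, 0x400000)       # ImageBase last
    opt += b"\0" * (opt_size - len(opt))                        # pad rest of header
    section = struct.pack("<8sIIIIIIHHI", b"CODE", 0x113000, 0x1000,
                          0x113000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + section


if __name__ == "__main__":
    for name, (start, end) in section_ranges(build_sample_pe()).items():
        print("%-8s %08X-%08X" % (name, start, end))            # CODE 00401000-00514000
```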