Exetools  
  #1  
Old 10-28-2004, 06:43
lorn
Need some pointers

Hi, this is my first post here and I was hoping some of you could give me some pointers on how I could approach cracking this program: http://www.mechtrading.com/qcollector/esignal/index.htm. It's a program that is fully functional, but with some limitations to the amount of symbols (it's a stock downloader) you can download.

So far, I was able to unpack it (it uses Asp 1.23), disassemble, and map out how I think it works. The protection is based on a key that you enter through the About menu in a window that asks you to enter the key that they emailed you. From here, if it finds a good key, it stores the key in the registry. When you start the program it rechecks the license key either on file or in the registry or both and if it doesn't find it it resets everything. So obviously, if you just patch the key entry part, it resets the next time the program starts.

The other thing I tried was patching the start-up window, which tells you you have a trial copy limited to xyz symbols. The patch worked and gave me a screen which said it was now registered to "____", a name should have been here. It still didn't work, but the point is that I think it needs a name as well as a number... there are no distinct fields in the key paste window, you just paste whatever they gave you.

So, now I'm a bit lost. I've seen tuts on keys, but not when combined with reg entry. When I set bps on regvalue calls, it's tough to figure out if it's the one I need, or just a basic reg call. My idea was to make it so whatever value the registry call saw it would be good. Not sure if registry bp are the way to go, though. Any pointers on how some of you more experienced guys would do this would be really helpful.

Thanks and great board.
  #2  
Old 10-30-2004, 04:45
Satyric0n
Hi, lorn.

I installed the app to see if I could give you a hand. After I unpacked it, I started to look through it, and things seemed broken. I assumed I unpacked it wrong, so I tried using the original packed binary, and I still couldn't get the app to work. It seems the app is either really buggy, or just doesn't like my computer.

Either way, sorry I can't be of any real help here. I uncovered some stuff looking through IDA's disassembly of the app (the 'Enter License Key' form's validation code, and the code that then loads the key from the registry on app startup, and the code that shows the license/trial info on the about screen), but I assume you have already seen all that.

Regards
  #3  
Old 10-30-2004, 07:27
gabri3l
Talked to you over email. It seems you progressed as far as you could before using Olly. This is where you started to have problems. You could not find calls to set breakpoints on in Olly.

Using stripper to unpack, your entry point lies outside of the code section. This is why Olly is giving you trouble. The code section for this program (after unpack) begins at 00401000. The entry point is at location 0058A000.
To verify this use LordPE to examine the file. You will see your entrypoint as 18A000. Then click the sections button. You will see the size of the code section (.text) is only 113000.
1000 + 113000 = 114000, which means 18A000 is very far outside your code section. What you need to do is let Olly run from the entry point until you get inside your code section.

Now, to correctly find API calls in Olly:
1. Make sure you have the commandbar plugin
2. load the file
3. In the commandbar type "tc eip<500000" without the quotes.
*I am using Win 2000, so your address may need to be different than mine.
**Basically you want to trace until the next execution occurs inside your code section.
4. Then press enter.
5. You should stop here: JMP DWORD PTR DS:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA
6. Search for all intermodular calls. And continue as normal.

Hopefully that helps you, and also gives you an idea as to WHY Olly was not finding the calls. I did not continue on and find a serial; I figured I would leave that up to you.

Last edited by gabri3l; 10-30-2004 at 07:35.
  #4  
Old 11-03-2004, 09:41
lorn
To give everyone some background, gabri3l sent me an excellent tutorial on going through reg calls to help me out with this program. I think it's on this site in case someone wants to explore and learn more about them. I had some more questions for him about the tutorial (mainly about Olly not seeing the intermodular calls), and he just finished answering it above.

Thanks gabri3l. The tc eip command was the ticket. All the reg/intermodular calls are available now. Out of curiosity, how did you get to the 500000 number? Everything else makes more sense to me now.

Seeing the reg calls now is great, but unfortunately, the serial doesn't seem to be stored as ASCII like in your tutorial. Or if it is, it's definitely not as obvious. The good thing is that it only makes a few calls to the registry and actually makes a real interesting reg call to RegQueryInfoKeyA, but I'm not sure how to read the code. I'm trying to approach it through the hex values, if that's even how I should be approaching it. I'm going through some hex based serial tutorials to see if that helps any.

Thanks again for all your help. You've really helped me along.
  #5  
Old 11-03-2004, 10:07
gabri3l
lorn, if you have more to add to a subject please use the edit button rather than double posting.

In regards to Satyric0n's post I had the same problem on Win XP SP2. It would not run correctly packed or unpacked. It only ran on my Win 2000 computer.

I reached 500000 by adding the virtual address space of 400000 to the size of the code section. When your executable is run it is loaded into memory. For more info check out hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/virtual_address_space.asp

So with a code section starting at 1000 and a virtual address space starting at 400000 you get 401000 as the start of the code section when it is loaded into memory. Now you know that the size of your code section is 113000. So 401000 + 113000 gives you 514000. That is the end of your code section. I just rounded down to 500000 but to be specific you would have traced until eip < 514000.
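The arithmetic in posts #3 and #5 (image base + section RVA, plus the section's virtual size, to get the loaded range of .text, then compare the entry point against it) is exactly what LordPE shows you by hand. The script below is an added example, not code from the thread or from any tool the posters used: it parses a PE32 header with the standard library only and derives the same numbers, plus the OllyDbg `tc eip<...` bound gabri3l describes. The header bytes are constructed inline with the values quoted in the thread (image base 400000, .text at RVA 1000 with virtual size 113000, entry point RVA 18A000); the trailing section name `.stub` and its size are placeholders, since the thread does not say which section the entry point falls in. Pass a real file as the first argument to run it against an actual binary. An entry point outside the code section is the usual sign that a packer stub or other loader code runs before the real program, and after an unpack it is also a quick sanity check that the entry point was repaired.

```python
"""Locate the .text section of a PE32 image and test whether the entry point
lies inside it. Added example; header layout follows the Microsoft PE/COFF
specification. The sample header at the bottom is constructed from the values
quoted in the thread (it contains no real code).
"""
import struct
import sys

DOS_HEADER_SIZE = 0x40
PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes
OPT_HEADER_PE32_SIZE = 224
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def parse_pe(data):
    """Return image base, entry-point RVA and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (_machine, num_sections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header (magic 0x%X)" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt_off + 28)  # ImageBase
    sections = []
    table_off = opt_off + opt_size
    for i in range(num_sections):
        (name, vsize, va, _rawsz, _rawptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from(SECTION_HEADER_FMT, data,
                                     table_off + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "characteristics": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def code_range(pe, name=".text"):
    """Loaded [start, end) of the named section: ImageBase + RVA, plus virtual size."""
    for s in pe["sections"]:
        if s["name"] == name:
            start = pe["image_base"] + s["va"]
            return start, start + s["vsize"]
    raise KeyError("no section named %r" % name)


def entry_point_va(pe):
    """Entry point as a loaded virtual address (what Olly shows on first break)."""
    return pe["image_base"] + pe["entry_rva"]


def entry_in_code(pe):
    """True when execution starts inside the code section itself."""
    start, end = code_range(pe)
    return start <= entry_point_va(pe) < end


def olly_trace_command(pe):
    """Exact form of the command-bar trace from the thread: stop once EIP is below
    the end of .text (gabri3l rounded 514000 down to 500000 by hand)."""
    _, end = code_range(pe)
    return "tc eip<%X" % end


def build_sample_pe(image_base, entry_rva, sections):
    """Constructed minimal PE32 header (DOS stub, COFF, optional header, section
    table) with no section data; just enough for parse_pe() to read."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)  # e_lfanew
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0,
                       OPT_HEADER_PE32_SIZE, 0x102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData,
    # ImageBase, SectionAlignment, FileAlignment; rest of the header zeroed.
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 2, 25, 0, 0, 0, entry_rva,
                      sections[0][1], 0, image_base, 0x1000, 0x200)
    opt += b"\0" * (OPT_HEADER_PE32_SIZE - len(opt))
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va,
                    0, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + PE_SIGNATURE + coff + opt + table


# Values from the thread; ".stub" and its size are placeholders (assumption).
SAMPLE = build_sample_pe(0x400000, 0x18A000, [
    (b".text", 0x1000, 0x113000, 0x60000020),
    (b".stub", 0x18A000, 0x2000, 0xE0000020),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    pe = parse_pe(data)
    start, end = code_range(pe)
    print("code section : %08X-%08X" % (start, end))
    print("entry point  : %08X (inside code: %s)" % (entry_point_va(pe), entry_in_code(pe)))
    print("Olly command : %s" % olly_trace_command(pe))
```

On the constructed header this reports the code section as 00401000-00514000 and the entry point as 0058A000, outside it, which is the situation described in the thread; `olly_trace_command` then yields `tc eip<514000`. Note the range uses VirtualSize, not SizeOfRawData: a section can be larger in memory than on disk, and it is the in-memory range that EIP is compared against.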
  #6  
Old 11-03-2004, 12:42
Satyric0n
Hi lorn,

I think I wasn't very clear in what I was trying to say... I'm pretty sure I unpacked it correctly (by hand, mind you), but even the original packed binary acted funny on my computer. It refused to get any stock quotes whatsoever. I think I effectively cracked it, but since the whole app was broken on my computer (even packed/uncracked), I wasn't able to test it...

As for tracking the registry calls, my 2 cents here would be that since the app was written with Delphi 5, just use IDA (or something similar) to get the address of the TRegistry class constructor and methods, then set breakpoints there. (This is, of course, assuming that the authors used the TRegistry class instead of calling the winapi registry calls directly.) This way, you can see the high-level parameters passed into the VCL methods, which are nice and easy to read.

Regards,
Satyric0n

EDIT: Also, yes, the license key is stored in plain text in the registry. As I said, I found the 'Enter License Key' form's validation code, the code that then loads the key from the registry on app startup, and the code that shows the license/trial info on the about screen. If you want any specifics on these, I will be happy to provide them.

EDIT2:
Quote:
Originally Posted by gabri3l
I reached 500000 by adding the virtual address space of 400000 to the size of the code section. When your executable is run it is loaded into memory. For more info check out hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/virtual_address_space.asp

So with a code section starting at 1000 and a virtual address space starting at 400000 you get 401000 as the start of the code section when it is loaded into memory. Now you know that the size of your code section is 113000. So 401000 + 113000 gives you 514000. That is the end of your code section. I just rounded down to 500000 but to be specific you would have traced until eip < 514000.
Of course, all this is assuming you need to trace (which I would argue, is not very often). If you don't need to see the actual trace results, it is much easier to set a memory on-access breakpoint on the whole .code section.

Last edited by Satyric0n; 11-03-2004 at 13:09.
  #7  
Old 11-04-2004, 11:16
lorn
Quote:
Originally Posted by gabri3l
I reached 500000 by adding the virtual address space of 400000 to the size of the code section. When your executable is run it is loaded into memory....
Ahhh ok, thanks for the explanation. I checked out the link, it also had a good explanation on virtual address spaces... that was the element I wasn't understanding.

It's funny you guys are having those problems with XP. I'm running it on XP as well, and don't seem to be having any problems... aside from not being able to do what I want with it

...

Satyric0n, thanks for the tip on the TRegistry class. I noticed that the program was making some calls to my borland delphi in the registry, but I didn't make the connection that it was a delphi program, duh. Would the fact that it uses advapi32 for the registry calls and that it uses standard api calls like RegQueryValue etc., be how you determine if it's calling the winapi registry calls directly? I guess, the question is, how do you determine, if they're using the TRegistry class?

As far as the validation code part... I was actually able to patch that part so it gave me a "licensed to ___" start up screen, and I thought I was in the clear, but Gabri3l brought to my attention that the prog actually checks the registry in the protection routine before it even starts to display anything or run the program. So, I'm aware of that code, but it didn't totally help me, because I wasn't able to get the serial out of it. Hope that makes sense. If you're seeing something else there that I'm not seeing (very likely) I'd definitely be all ears.

Thanks guys, for all your help. You guys are really cool.
Lorn
  #8  
Old 11-03-2004, 09:52
lorn
Quote:
Originally Posted by Satyric0n
Hi, lorn.

I installed the app to see if I could give you a hand. After I unpacked it, I started to look through it, and things seemed broken. I assumed I unpacked it wrong, so I tried using the original packed binary, and I still couldn't get the app to work. It seems the app is either really buggy, or just doesn't like my computer.

Either way, sorry I can't be of any real help here. I uncovered some stuff looking through IDA's disassembly of the app (the 'Enter License Key' form's validation code, and the code that then loads the key from the registry on app startup, and the code that shows the license/trial info on the about screen), but I assume you have already seen all that.

Regards
Hey Satyric0n,

I used stripper v2.07 to unpack it. It did the job, the program started right up and my patches worked as well. I tried using some other unpackers and they gave me problems that sounded a lot like you were describing :-). I guess the pure solution would have been to manually unpack the thing... but when you have a good unpacker it's hard to not go that route. Thanks for the attempt, though... appreciate it.

Take care