Delphi Reverse Engineering Study Notes [2]

Source: Internet
Author: User
The KeyGen RE is difficult.
You can write three articles at the same time. I will analyze it later. But I promise, yes
All of them will be RE-generated and distributed in PEDIY.

PS: it was originally intended to be sent to the CSDN Blog, but that Blog is a bit bad and cannot be sent. So it is thrown
PEDIY is coming. I don't think anyone will pay attention to it. The result is actually seen by the people who want to avoid it most ...... Actually someone's
Conjecture is true. He wrote an article and showed it to me. So I took a program and opened it. Fortunately
The program has not been processed by some software, or it will be useless. No.

========================================================== ========================================================== =

The following process LicenseProc is sub_404DD4. For ease of viewing, here we first rip the main framework

0000: 00404DD4 sub_404DD4 proc near
0000: 00404DD4
0000: 00404DD4 Paint = PAINTSTRUCT ptr-48 h
0000: 00404DD4 pt = POINT ptr-8
0000: 00404DD4 hWnd = dword ptr 8
0000: 00404DD4 Msg = dword ptr 0Ch
0000: 00404DD4 wParam = dword ptr 10 h
0000: 00404DD4 lParam = word ptr 14 h
// Four parameters and two local variables
0000: 00404DD4
0000: 00404DD4 push ebp
0000: 00404DD5 mov ebp, esp
// Standard Delphi call framework
0000: 00404DD7 add esp, 0FFFFFFB8h
// Sub esp, 48 h. Note that the above Paint = PAINTSTRUCT ptr-48 h
// It is quite interesting.
0000: 00404DDA push ebx
0000: 00404DDB xor ebx, ebx
0000: 00404DDD mov eax, [ebp + Msg]
0000: 00404DE0 cmp eax, 111 h; WM_COMMAND
0000: 00404DE5 jg short loc_404E0B
0000: 00404DE7 jz loc_404EF8
// I have never reversed VC, but it is obviously not the same as the general thinking here.
// WM_COMMAND is used as the dividing line to reduce judgment.
0000: 00404DED sub eax, 0Fh; WM_PAINT
// Sub! It's not cmp!
0000: 00404DF0 jz loc_404EBD
0000: 00404DF6 sub eax, 1Ch; WM_DRAWITEM
0000: 00404DF9 jz loc_404F3F
0000: 00404DFF sub eax, 0E5h; WM_INITDIALOG
0000: 00404E04 jz short loc_404E2B
0000: 00404E06 jmp loc_404F8D
// Exit here
0000: 00404E0B loc_404E0B:
0000: 00404E0B sub eax, 136 h; WM_CTLCOLORDLG
0000: 00404E10 jz loc_404F4B
0000: 00404E16 sub eax, 2; WM_CTLCOLORSTATIC
0000: 00404E19 jz loc_404F6C
0000: 00404E1F sub eax, 0C9h; WM_LBUTTONDOWN
0000: 00404E24 jz short loc_404E79
0000: 00404E26 jmp loc_404F8D
// Exit
0000: 00404F8D loc_404F8D:
0000: 00404F8D
0000: 00404F8D xor ebx, ebx
// The following uses ebx as the return value.
0000: 00404F8F loc_404F8F:
0000: 00404F8F
0000: 00404F8F mov eax, ebx
0000: 00404F91 pop ebx
0000: 00404F92 mov esp, ebp
0000: 00404F94 pop ebp
0000: 00404F95 retn 10 h

The main message loop is obtained based on the SDK program.

Function LicenseProc (hDlg: HWND; Msg, wParam, lParam: DWORD) RESULT; stdcall;
Result: = 0;

Case Msg

Something unusual happened. It uses two uncommon messages: WM_CTLCOLORDLG and

First look at WM_COMMAND:

0000: 00404EF8 loc_404EF8:
0000: 00404EF8 mov eax, [ebp + wParam]
0000: 00404EFB sub eax, 3E9h
// As shown in the example, it is a sub trick, and the parameter is passed as a value.
// Combined with the dump RC, you can see that this is the ID of a button.
0000: 00404F00 jz short loc_404F0C
0000: 00404F02 dec eax
0000: 00404F03 jz short loc_404F23
0000: 00404F05 sub eax, 2
0000: 00404F08 jz short loc_404F30
0000: 00404F0A jmp short loc_404F3B
0000: 00404F0C loc_404F0C:
0000: 00404F0C mov ds: dword_4060B0, 0 FFFFFFFFh
// Note that this is the returned Flag! Because the program starts with 0.
// You only need to assign a value here. Note: True in Delphi is not 0!
0000: 00404F16 push 0; nResult
0000: 00404F18 mov eax, [ebp + hWnd]
0000: 00404F1B push eax; hDlg
0000: 00404F1C call EndDialog
0000: 00404F21 jmp short loc_404F3B
0000: 00404F23 loc_404F23:
0000: 00404F23 push 0; nResult
0000: 00404F25 mov eax, [ebp + hWnd]
0000: 00404F28 push eax; hDlg
0000: 00404F29 call EndDialog
0000: 00404F2E jmp short loc_404F3B
0000: 00404F30 loc_404F30:
0000: 00404F30 push 0; nResult
0000: 00404F32 mov eax, [ebp + hWnd]
0000: 00404F35 push eax; hDlg
0000: 00404F36 call EndDialog
0000: 00404F3B
0000: 00404F3B loc_404F3B:
0000: 00404F3B
0000: 00404F3B xor ebx, ebx
0000: 00404F3D jmp short loc_404F8F

Okay. Now the WM_COMMAND processing is available.

Case wParam
Flag: = True;
EndDialog (hDlg, 0 );
EndDialog (hDlg, 0 );
EndDialog (hDlg, 0 );

It's clear, isn't it? The following are WM_CTLCOLORDLG and WM_CTLCOLORSTATIC.

0000: 00404F4B loc_404F4B:
0000: 00404F50 mov eax, [ebp + wParam]
0000: 00404F53 push eax; HDC
0000: 00404F54 call SetTextColor
0000: 00404F59 push 1; int
0000: 00404F5B mov eax, [ebp + wParam]
0000: 00404F5E push eax; HDC
0000: 00404F5F call SetBkMode
0000: 00404F64 mov ebx, ds: hbr
// This is a bit confusing. You can see from the description of CreateSolidBrush if the function
// Failed. null is returned, which is false. This is probably used here.
// Once CreateSolidBrush fails, exit. A little interesting.
0000: 00404F6A jmp short loc_404F8F
0000: 00404F6C loc_404F6C:
0000: 00404F6C push 0A0A0A0h; COLORREF
0000: 00404F71 mov eax, [ebp + wParam]
0000: 00404F74 push eax; HDC
0000: 00404F75 call SetTextColor
0000: 00404F7A push 1; int
0000: 00404F7C mov eax, [ebp + wParam]
0000: 00404F7F push eax; HDC
0000: 00404F80 call SetBkMode
0000: 00404F85 mov ebx, ds: hbr
0000: 00404F8B jmp short loc_404F8F

Provide the corresponding SRC:

SetTextColor (wParam, $ A0A0A0 );
SetBkMode (wParam, TRANSPARENT );
Result: = h_Brush;
// You can change it to Result: = h_Brush <> nil;
// Of course, the function return type should be changed.
SetTextColor (wParam, $ A0A0A0 );
SetBkMode (wParam, TRANSPARENT );
Result: = h_Brush;

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.