Yesterday I practised cracking a piece of Delphi software, and I would like to share the process. I hope it can serve as a starting point for beginners.
First, the target. Don't ask me which program it is; to protect the vendor's intellectual property I am keeping that to myself.
The target is a sales management system with a time limit. Right after installation it runs normally. If the system clock is moved forward by one year, the program stops working, and setting the clock back afterwards does not restore it.
Once the software has expired you can still log in, but as soon as you click a menu item a message pops up saying that the software has expired.
Start:
1. Look at the program's directory layout. It is essentially one EXE plus two DLLs; the file properties of the DLLs show that they come from Borland.
2. Open the main executable in UltraEdit and check the header for signs of a packer. Further in, among the resource data, strings beginning with TLabel appear, so this is clearly a program written in Delphi.
3. Open the EXE in DeDe for a second, more detailed analysis.
4. We already know that there is no expiry check during login; the check happens before the menu forms open. So the target is clear: go straight to the main form. Open the Forms tab and find TMainForm. In the code on the right we can see the usual toolbar definitions:
  object ToolButton4: TToolButton
    Left = 1124
    Top = 0
    Cursor = crHandPoint
    Hint = 'Customer data management'
    Caption = 'ToolButton4'
    ImageIndex = 4
    OnClick = ToolButton4Click
  end
Pick the click events of a few buttons, for example OnClick = ToolButton4Click and OnClick = ToolButton5Click.
5. Switch to the Procedures tab, select MainFormUnit, and in the event list on the right find ToolButton4Click and ToolButton5Click; right-click and choose Disassemble. The generated listing contains this section:
* Reference to: TMainForm.Proc_005FA21C()
|
005FABB4 E863F6FFFF          call 005FA21C
005FABB9 84C0                test al, al
005FABBB 0F85B3000000        jnz 005FAC74
If this jnz is taken, the whole handler ends right there, so the call just above it is without doubt where the check happens.
Double-click the call to follow it in. Nothing special at first, but we do find this:
* Possible String Reference to: 'The data backup and recovery window cannot be opened ...
|   ... other windows'
|
005FA24B BA64A25F00          mov edx, $005FA264
In other words, besides checking whether the program as a whole has expired, this function performs other validity checks too; if you look at the other click handlers you will also find user-permission checks. So let's look further up:
* Reference to: THYMain._PROC_00547434()
|
005FA228 E807D2F4FF          call 00547434
005FA22D 84C0                test al, al
005FA22F 7404                jz 005FA235
005FA231 B301                mov bl, $01
005FA233 EB22                jmp 005FA257
Execution only continues once this call to 00547434 returns, and its return value decides the branch. Suspicious. Let's keep tracing and double-click the function.
And what do we see? A miracle:
* Possible String Reference to: 'The software you are using is a trial version. ... the trial period ...
|   ... purchase a licence to use the software, otherwise ... the data you have entered will not be lost ... after registration ...'
|
00547457 BAA8745400          mov edx, $005474A8
Clearly this is the function that decides whether the trial has expired; once it has, it pops up the warning window.
We have found the place. Now let's look carefully at its structure. There are two checks:
00547434 53                  push ebx
00547435 56                  push esi
00547436 8BF0                mov esi, eax
00547438 33DB                xor ebx, ebx
* Reference to field THYMain.OFFS_003C
|
0054743A 837E3C02            cmp dword ptr [esi+$3C], +$02
0054743E 7407                jz 00547447
00547440 8BC6                mov eax, esi
* Reference to: HYMainUnit.Proc_00545E00
|
00547442 E8B9E9FFFF          call 00545E00
* Reference to field THYMain.OFFS_003C
|
00547447 837E3C01            cmp dword ptr [esi+$3C], +$01
0054744B 7522                jnz 0054746F          ; check 1
* Reference to TApplication instance
|
0054744D A138316000          mov eax, dword ptr [$00603138]
00547452 8B00                mov eax, [eax]
* Reference to field TApplication.Handle: HWnd
|
00547454 8B4024              mov eax, [eax+$24]
* Possible String Reference to: 'The software you are using is a trial version. ... the trial period ...
|   ... purchase a licence to use the software, otherwise ... the data you have entered will not be lost ... after registration ...'
|
00547457 BAA8745400          mov edx, $005474A8
* Reference to: Unit_00500794.Proc_00500ED4
|
0054745C E8739AFBFF          call 00500ED4
00547461 33D2                xor edx, edx
* Reference to field THYMain.OFFS_00C4
|
00547463 8B86C4000000        mov eax, [esi+$00C4]
* Possible reference to virtual method THYMain.OFFS_00C0
|
00547469 FF96C0000000        call dword ptr [esi+$00C0]
* Reference to field THYMain.OFFS_003C
|
0054746F 837E3C02            cmp dword ptr [esi+$3C], +$02
00547473 7524                jnz 00547499          ; check 2
* Reference to TApplication instance
|
00547475 A138316000          mov eax, dword ptr [$00603138]
0054747A 8B00                mov eax, [eax]
* Reference to field TApplication.Handle: HWnd
|
0054747C 8B4024              mov eax, [eax+$24]
* Possible String Reference to: 'The software you are using is a trial version. If you want to continue ...
|   ... purchase a licence (the data you have entered will not be lost;
|   after registration you can continue to use it)'
|
0054747F BA48755400          mov edx, $00547548
* Reference to: Unit_00500794.Proc_00500ED4
|
00547484 E84B9AFBFF          call 00500ED4
00547489 33D2                xor edx, edx
* Reference to field THYMain.OFFS_00C4
|
0054748B 8B86C4000000        mov eax, [esi+$00C4]
* Possible reference to virtual method THYMain.OFFS_00C0
|
00547491 FF96C0000000        call dword ptr [esi+$00C0]
00547497 B301                mov bl, $01
00547499 8BC3                mov eax, ebx
0054749B 5E                  pop esi
0054749C 5B                  pop ebx
0054749D C3                  ret
One is the jnz at 0054744B (to 0054746F); the other is the jnz at 00547473 (to 00547499).
Obviously, and without further explanation, this is a 75 -> EB job: turn each jnz into an unconditional jmp. Only the opcode byte changes; the rel8 displacement and the instruction length stay the same, so nothing after the patch shifts. With the second jump always taken, the function never reaches mov bl, $01 and always returns 0, so the caller never blocks the handler. I finally breathed a sigh of relief.
6. Note that the addresses shown here are virtual addresses, not file offsets. DeDe provides a converter to the physical (file) offset in its Tools menu. With it we get the file offsets of the two instructions: 0014684B and 00146873. As a sanity check, both conversions differ from the virtual address by the same 0x400C00 (the 0x400000 image base plus the gap between the code section's RVA and its raw file pointer), which is what you expect when both instructions sit in the same section.
7. Open the file in UltraEdit, go to those two offsets, confirm that each holds a 75, and do what needs doing: change it to EB.
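The following is an added example and not code from the original post: a small Python helper that does what the walkthrough does by hand with DeDe and UltraEdit. It reads the PE section table to look for Delphi and packer hints (steps 1 and 2), converts a virtual address into a file offset (step 6), and patches a jnz rel8 (75 xx) to a jmp rel8 (EB xx) only after verifying the byte it is about to overwrite (step 7). The PE image is constructed inline, so the script runs offline; it is not the sales program from the post. The image base of 0x400000, the section layout (CODE at RVA 0x1000 backed by file offset 0x400) and the strings placed in the DATA section are assumptions chosen so that the two jnz instructions land at the same virtual addresses and file offsets as in the post.

```python
"""Added example (not from the original post): PE section parsing, VA -> file
offset conversion, Delphi/packer triage and a verified jnz -> jmp patch."""
import struct

IMAGE_BASE = 0x00400000     # assumption: the default image base of a Delphi EXE
JNZ_REL8, JMP_REL8 = 0x75, 0xEB
SECTION = struct.Struct('<8sIIIIIIHHI')   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed sample: a CODE section at RVA 0x1000 backed by file offset
    0x400 (so VA - file offset = 0x400C00, as in the post) holding the two
    conditional jumps, plus a DATA section with a few Delphi-looking strings."""
    code_va, code_raw, code_size = 0x1000, 0x400, 0x147000
    data_va, data_raw, data_size = code_va + code_size, code_raw + code_size, 0x200
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)            # e_lfanew = 0x40
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    # PE32 optional header: magic, linker ver, sizes, entry, bases, ImageBase (+28),
    # SectionAlignment, FileAlignment; the rest is zero-padded to 0xE0 bytes
    opt = struct.pack('<HBBIIIIIIIII', 0x10B, 2, 25, code_size, data_size, 0,
                      code_va, code_va, data_va, IMAGE_BASE, 0x1000, 0x200)
    opt += b'\0' * (0xE0 - len(opt))
    hdr = (dos + coff + opt
           + SECTION.pack(b'CODE', code_size, code_va, code_size, code_raw, 0, 0, 0, 0, 0x60000020)
           + SECTION.pack(b'DATA', data_size, data_va, data_size, data_raw, 0, 0, 0, 0, 0xC0000040))
    image = bytearray(hdr + b'\0' * (code_raw - len(hdr) + code_size + data_size))
    # the two checks from Proc_00547434: 75 22 at 0054744B and 75 24 at 00547473
    for va, rel8 in ((0x0054744B, 0x22), (0x00547473, 0x24)):
        off = code_raw + (va - IMAGE_BASE - code_va)
        image[off:off + 2] = bytes((JNZ_REL8, rel8))
    strings = b'Borland\0TLabel\0TMainForm\0'        # constructed, not the real binary's
    image[data_raw:data_raw + len(strings)] = strings
    return image


def parse_pe(data):
    """Return (image_base, sections) with sections as (name, va, vsize, raw_ptr, raw_size)."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 is handled here (ImageBase sits at +28 only for PE32)')
    image_base = struct.unpack_from('<I', data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = SECTION.unpack_from(data, opt + opt_size + 40 * i)[:5]
        sections.append((name.rstrip(b'\0').decode('ascii', 'replace'), va, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """The conversion DeDe's tool does: VA -> RVA -> raw pointer of the owning section."""
    rva = va - image_base
    for _name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            return rptr + (rva - sva)
    raise ValueError('VA %#010x is not backed by any section' % va)


def triage(data, sections):
    """Cheap first look (steps 1-2): Borland's linker names sections CODE/DATA/BSS
    and an unpacked Delphi EXE carries VCL class names such as TLabel; UPX0/UPX1
    section names would mean the file is packed and must be unpacked first."""
    names = [s[0] for s in sections]
    return {
        'packed': any(n.startswith('UPX') for n in names),
        'delphi': {'CODE', 'DATA'} <= set(names) and (b'TLabel' in data or b'Borland' in data),
    }


def patch_jnz_to_jmp(data, image_base, sections, va):
    """Step 7 with a guard: refuse to write unless the byte really is a jnz rel8.
    Only the opcode changes; the rel8 displacement and instruction length stay."""
    off = va_to_file_offset(image_base, sections, va)
    if data[off] != JNZ_REL8:
        raise ValueError('expected 75 (jnz rel8) at file offset %#010x, found %02X' % (off, data[off]))
    data[off] = JMP_REL8
    return off


if __name__ == '__main__':
    pe = build_sample_pe()
    base, secs = parse_pe(pe)
    print('image base %#010x, sections %s' % (base, [s[0] for s in secs]))
    print('triage:', triage(pe, secs))
    for target in (0x0054744B, 0x00547473):
        where = patch_jnz_to_jmp(pe, base, secs, target)
        print('VA %#010x -> file offset %#010x, now EB %02X' % (target, where, pe[where + 1]))
```

To use it on a real file, read it with `bytearray(open(path, 'rb').read())`, call `parse_pe`, `triage` and then `patch_jnz_to_jmp` for each address from the disassembler, and write the buffer back. The byte check is the point of the exercise: if the executable is packed, has been relocated to another image base, or the offset was miscomputed, the patch fails loudly instead of silently overwriting some other instruction.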
Postscript: the assembly language I worked so hard on as an undergraduate has finally found a use. I don't know whether to feel comforted or helpless!
This article is from the CSDN blog; please credit the source when reproducing it: http://blog.csdn.net/danny_xcz/archive/2005/05/26/381080.aspx