By ro0ted | February 20, 2015 - 20:21 | Posted in /b/ | 12 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Reversing Delphi Part 2

This is part 2 of yesterday's Delphi walkthrough. Re-enter Spectator mode. – https://twitter.com/ro0ted/

Tools Used:

ExeInfoPE

CFF Explorer Suite

Ollydbg

Resource Hacker

DeDe

Load the target into the PE analyzer, ExeInfoPE. It identifies the compiler (here a Borland Delphi build), which decides the rest of the toolchain: Delphi binaries keep their form and event-handler metadata in the executable, which is what DeDe and Resource Hacker feed on.

[screenshot: ExeInfoPE compiler detection]

To double-check, you can also have ExeInfoPE scan the code itself (the signature scan) rather than trusting the header alone:

[screenshot: ExeInfoPE scan]

[screenshot: ExeInfoPE scan result]

And if you still aren't convinced, you can check the headers and section table in CFF Explorer Suite:

[screenshot: CFF Explorer]

or

[screenshot: CFF Explorer, alternate view]

Let's open Resource Hacker just for kicks…

[screenshot: Resource Hacker]

As discussed in the last tutorial, the TForms matter: Delphi stores each form's layout (the DFM) as an RCDATA resource named after the form class, so Resource Hacker shows the control names and captions in clear text. What are the captions?

[screenshot: Resource Hacker, TForm RCDATA with captions]

Good news: the form data is intact, which means DeDe is going to have luck with this one. Let's run the target outside of OllyDbg first to see what kind of animal we're dealing with.

[screenshot: target running]

We get a nag screen.

[screenshot: nag screen]

[screenshot: main window, unregistered]

When we click Register we see exactly what we saw in Resource Hacker in TForm2. Let me show you:

[screenshot: registration form]

Important note: you can see a .exe's TLS callbacks through the TLS table in ExeInfoPE. The loader runs TLS callbacks before the entry point, so protectors like to hide anti-debugging code there; check the table before you start stepping from the entry point.

[screenshot: ExeInfoPE TLS table]

The header reveals all, hahah, true story. Here it also tells us that this data lives in .rdata, which will help us orient ourselves in OllyDbg. Run OllyDbg:

[screenshot: OllyDbg loaded]

Click Executable Modules:

[screenshot: OllyDbg executable modules]

Search for all referenced text strings:

[screenshot: OllyDbg referenced strings]

Open up DeDe:

[screenshot: DeDe]

Dump successful. Go to Forms and click Form2, since Resource Hacker showed us that's the important one:

[screenshot: DeDe forms]

[screenshot: DeDe Form2]

[screenshot: DeDe Form2 controls]

Proceed over to Procedures; DeDe lists each form's event handlers together with their addresses:

[screenshot: DeDe procedures]

Let's write down that address: 004A0079

Open OllyDbg; we have to patch it.

To jump to an address, right-click the disassembler window and select Go to > Expression:

[screenshot: OllyDbg Go to > Expression]

Select RVA > enter the address:

[screenshot: OllyDbg enter address]

This is what you land on in the disassembly:

[screenshot: OllyDbg disassembly at 004A0079]

Go to Referenced Text Strings and search for UNREGISTERED; we get this:

[screenshot: UNREGISTERED string reference]

Run it > no nag screen:

[screenshot: program without nag screen]

Okay, we are getting somewhere…

I entered fake info and came across this in the code:

[screenshot: code after entering fake registration info]

Go to where the app lives on our machine:

[screenshot: application folder]

[screenshot: reginfo.dat]

So the program writes a file (reginfo.dat) when you enter registration information. That is useful: the code that references the filename sits next to the registration check, so we know where to set a breakpoint.

Go back to All Referenced Strings and search for reginfo.dat:

[screenshot: reginfo.dat string reference]

Double-click it to land on the reference in the disassembler and set a breakpoint there (F2).

[screenshot: breakpoint set]

Scroll down to 49AC58. When execution stops there, change the flag the conditional jump tests to 0 in the registers pane, so the jump goes the way we want:

[screenshot: flag changed at 49AC58]

Then the last conditional jump, at address 49AC78:

[screenshot: conditional jump at 49AC78]

Do the same thing, then run the program:

[screenshot: program running registered]

No nag screen, no unregistered text. Flipping a flag in the registers pane only changes this run, though: the next time the program starts, the checks are back. To make it permanent you patch the jumps themselves (invert or NOP them) and write the changes back with Copy to executable > Save file, as in the earlier patch tutorial.
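Two things above are read off GUI tools: the TLS callback list from ExeInfoPE's TLS table, and turning an address taken from DeDe into a patched conditional jump in OllyDbg. Both can be scripted, which matters when you want the patch to survive a restart or want to check several builds. The block below is an added example, not ro0ted's code and not part of any of the tools named on this page. It uses only the Python standard library, handles PE32 only (the 32-bit images Delphi produced at the time), and runs on a tiny one-section PE image that it constructs itself; that sample, and names such as `invert_jcc`, `tls_callbacks` and `build_sample`, are my own and are not the tutorial's target.

```python
import struct

# Added example, not ro0ted's code. Stdlib-only PE32 helpers: map a VA to a file
# offset, list TLS callbacks, and patch a JZ/JNZ on disk. The sample image built
# by build_sample() is constructed here and is not the tutorial's target.
IMAGE_BASE = 0x400000
TLS_DIR_INDEX = 9                       # IMAGE_DIRECTORY_ENTRY_TLS
SHORT_JCC = {0x74: 0x75, 0x75: 0x74}    # JZ <-> JNZ, rel8
NEAR_JCC = {0x84: 0x85, 0x85: 0x84}     # 0F 84 <-> 0F 85, rel32


def _headers(data):
    # Return (optional header offset, section count, optional header size).
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; Delphi targets of this era are 32-bit")
    return opt, nsec, opt_size


def image_base(data):
    opt, _, _ = _headers(data)
    return struct.unpack_from("<I", data, opt + 28)[0]


def sections(data):
    """[(name, virtual address, span, raw file offset)] from the section table."""
    opt, nsec, opt_size = _headers(data)
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return out


def rva_to_offset(data, rva):
    for _, va, span, rawptr in sections(data):
        if va <= rva < va + span:
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def va_to_offset(data, va):
    # DeDe and OllyDbg show VAs (image base + RVA); the patch goes at a file offset.
    return rva_to_offset(data, va - image_base(data))


def tls_callbacks(data):
    """VAs of the TLS callbacks: the loader runs these before the entry point."""
    opt, _, _ = _headers(data)
    dir_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * TLS_DIR_INDEX)
    if dir_rva == 0:
        return []
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallBacks (a VA), SizeOfZeroFill, Characteristics
    callbacks_va, = struct.unpack_from("<I", data, rva_to_offset(data, dir_rva) + 12)
    off, found = va_to_offset(data, callbacks_va), []
    while True:
        cb, = struct.unpack_from("<I", data, off)
        if cb == 0:
            return found                 # the callback array is NULL-terminated
        found.append(cb)
        off += 4


def invert_jcc(data, va):
    """Swap JZ<->JNZ at `va` and return a patched copy: the on-disk equivalent of
    flipping the Z flag in OllyDbg's register pane, but it survives a restart."""
    patched = bytearray(data)
    off = va_to_offset(data, va)
    if patched[off] in SHORT_JCC:
        patched[off] = SHORT_JCC[patched[off]]
    elif patched[off] == 0x0F and patched[off + 1] in NEAR_JCC:
        patched[off + 1] = NEAR_JCC[patched[off + 1]]
    else:
        raise ValueError("no JZ/JNZ at %#x (byte %#x)" % (va, patched[off]))
    return bytes(patched)


def build_sample():
    """Constructed single-section PE32: a TLS directory with two callbacks and
    'cmp eax,1 / jnz' at VA 0x401033. Not a real Delphi binary."""
    body = bytearray(0x100)
    struct.pack_into("<IIIIII", body, 0x00, 0, 0, IMAGE_BASE + 0x1040,
                     IMAGE_BASE + 0x1020, 0, 0)              # TLS dir at RVA 0x1000
    struct.pack_into("<III", body, 0x20, IMAGE_BASE + 0x1050,
                     IMAGE_BASE + 0x1060, 0)                 # callback array
    body[0x30:0x35] = b"\x83\xF8\x01\x75\x05"                # cmp eax,1 ; jnz +5
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1030)                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)  # base, alignments
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * TLS_DIR_INDEX, 0x1000, 24)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers.ljust(0x200, b"\0") + body)
```

On a real target you would read the file with `open(path, "rb").read()`, call `tls_callbacks()` before touching the debugger, and feed `invert_jcc()` the VA OllyDbg shows (49AC58 or 49AC78 above, with the module loaded at its preferred base) before writing the result to a copy of the executable. The helper only accepts a JZ/JNZ at the given address and refuses anything else, because patching the wrong byte in a Delphi binary usually corrupts the very call-frame the check sits in.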

ro0ted

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2 +
