#ro0ted #OpNewblood What the blackhats don’t want you to know: Reversing Delphi Part 2
This is part 2 of yesterday's Delphi walkthrough. Re-enter Spectator mode. – https://twitter.com/ro0ted/
CFF Explorer Suite
Load the target into the .exe analyzer ExeInfoPE.
Just to make sure, you can also scan the code in ExeInfoPE:
And if you still aren't convinced, you can check in CFF Explorer Suite:
Let’s open Resource Hacker just for kicks…
As we discussed in the last tutorial, the TForms are important. What are their captions?
This is good news: it means we are going to have luck in DeDe! Let's run the target outside of OllyDbg to see what kind of animal we are dealing with.
We got a Nag Screen.
When we click Register we see what we saw in Resource Hacker for TForm2. Let me show you:
Important note: you can see the callbacks in an .exe through the TLS table in ExeInfoPE:
The header reveals all, hahah, true story. This shows us the info is located in .rdata, which will help us in OllyDbg. Run OllyDbg:
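As an added example (not the author's code), here is a small Python PE parser that shows what the ExeInfoPE note above is reading: it pulls the TLS data directory out of the optional header, so you can tell whether an executable registers TLS callbacks (code that runs before the entry point, which is why analysts check for it), and it maps an RVA to the section containing it, which is how you confirm that a string reference really lives in .rdata. The PE header it parses is constructed inline, and the 0x400000 image base used to turn a VA like 004A0079 into an RVA is an assumption about the target.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the data directory


def parse_pe(data):
    """Return (sections, tls): sections as (name, rva, size), tls as (rva, size) or None."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
    # NumberOfRvaAndSizes sits in the 4 bytes just before them.
    dd = opt + (96 if magic == 0x10B else 112)
    num_dd, = struct.unpack_from("<I", data, dd - 4)
    tls = None
    if num_dd > IMAGE_DIRECTORY_ENTRY_TLS:
        rva, size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
        if rva:
            tls = (rva, size)
    sections = []
    for i in range(num_sections):  # section headers follow the optional header, 40 bytes each
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return sections, tls


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def build_sample():
    """Constructed PE32 header (not a real program): .text at RVA 0x1000, .rdata at 0xA2000, TLS dir at 0xA2010."""
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0xA2010, 24)
    secs = struct.pack("<8sII", b".text", 0xA0000, 0x1000).ljust(40, b"\0")
    secs += struct.pack("<8sII", b".rdata", 0x2000, 0xA2000).ljust(40, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
```

Point `parse_pe` at the bytes of a real executable to list its sections and check whether a TLS directory is present; a non-empty entry is worth a closer look before stepping through the entry point.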
Click Executable Modules:
Search all Referenced Text Strings:
Open up DeDe:
Dump successful. Go to Forms and click Form2, since we saw in Resource Hacker that it's the important one:
Proceed over to Procedures:
Let’s write down that address: 004A0079
Open OllyDbg; we gotta patch it.
To jump to an address, right-click the disassembler window and select Go to > Expression:
Select RVA > Enter address:
This is what you get in binary:
Go to Referenced Text Strings, search for UNREGISTERED, and we get this:
Run it > No nag screen:
Okay we are getting somewhere…
I entered fake info and came across this in the code:
Go to where the app is located on our machine:
Okay, so the Delphi program creates a file when you enter registration information. This is good because now we know where to set a breakpoint.
Go back to All Referenced Text Strings and search for reginfo.dat:
Double-click it and set a BP there.
Scroll to 49AC58 and change the flag in the registers to zero. For the last conditional jump, at address 49AC78, do the same thing. Run the program:
No nag screen, no unregistered text.