Protection: PECompact 2.x

Made in: Borland Delphi

There seems to be a CRC check somewhere which doesn’t let you use the application after unpacking it and a big deal of anti debugging methods are involved.

Error #17 0×008BF0FC

It appears to be coming from function which resides at 0×008DFDD0 RVA

.text:008DFE42                 mov     ecx, offset aEwdjk32489jhde ; "ewdjk32489jhde892klde;lk21e02134jldw;ql"...
.text:008DFE47                 mov     edx, offset aLqohm3nlt1eqgq ; "lQohM3nlt+1eqgQU+qcKO4f7QtOciTmcE6ZEhLk"...
.text:008DFE4C                 mov     eax, esi
.text:008DFE4E                 call    DecryptString
.text:008DFE53                 mov     edx, [ebp+var_C]
.text:008DFE56                 xor     ecx, ecx
.text:008DFE58                 mov     eax, esi
.text:008DFE5A                 call    MessageDlg

DecryptString

Found at 0×008CC158 RVA The strings are uncrypted there.

MessageDlg

This works like MessageBoxA in C++ for delphi, resides at 0×008BE024 RVA  and is used to display nag boxes including the ones which contain crypted text.

Checks after passing the #17 nag

text:008BF298

.text:008BF2F4

.text:008BF37B

JZ jumps. Decrypt and MessageDlg functions are followed by these jumps.. There actually are whole bunch of places where Decryption is used but I havent investigated.

Thats it for now but this will be my new sunday hobby. Contributions are welcome.

This a thread I started in a forum and I plan to update it when somebody replies to it. Posted it on my blog so I can “archive” it for my own use which may never come.

Methods?
By methods I mean the process which leads you to detection of “badboy” or helps you getting closer to it. I am not talking about methods here how to avoid them (NOPing/Codecaves/Changing registry flags and so on[Though chainging registry flags can help finding a bad- or goodboy.]). Neither I am talking about upacking or deobfuscating.

Methods I somewhat know:

1 Search for the Text string
This is something what i’ve seen in like 80% of the tutorials about cracking. I think its self explanationary and everybody on this forum knows it.

2 Api breakpointing
This is the second most used method in tutorials and thats for a reason, every program needs API’s to function. Unless programmers have decided to make their own functions which you end up analzying in IDA (atleast I do ) and that can get really long…
For example you set a breakpoint on all dialog text handling functions and narrow it down until you find the function which is used to copy the serial number you entered – then see what application is doing with it from there.

3 Step through the code and see where it leads you.
Usually this is something which is considered hard in tutorials because it means you have to have some assamblery knowledge. In logic, it applies to every “method” here but I wanted to note this one out because sometimes you are analyzing code line by line (F8/F7/ctrl+F9). Usually i’ve seen it called “digging deeper”

4 Conditional breakpoints
Havent seen this in tutorials – this method works for specific cases, for example you are in a loop and want to see “where it takes you” with a specific value for the variable in the loop. Probably it could be applied in variety of situations.
This is something I am not really good at and more experienced people could maybe share the variety of usages for this.

5 ID numbers for your advantage
This is something what I vaguely remember. You get the ID of a button or whatever element from window/dialog with winspy or reshack and then do SOMETHING with it, haha.
Yet again this is something what could use some clarification. If you know a good tutorial regarding this matter then please share!

6 Call stack
You get your nag screen running and then within a second you hit pause button in olly, next you check the “Call stack” and see what were the last instructions for the process to run.
Only place I’ve seen this method being used was on Lenas tutorials. If you know more, then please do share!
There is also similar method where you pause and trace until user code execution, from there you can see where was the last function called from and take action.

7 Signature scanning

You search for specific opcodes throughout the application to detect a certain type of protection or whatever your needs are.

To solve it I went to device manager – searched for the WMC ACM 1.0 APP which wasn’t working properly, chose “Update driver” and pointed it to “C:\Program Files (x86)\Samsung\Samsung PC Studio 3\USB Drivers”. I had to do this like 3 times because after every new driver it installed new one suddenly popped out.

Dont forget to select “include subfolders”.

Windows 7 Telnet

Windows 7 doesn’t have telnet installed by default. You can install it though with ease.
“Control Panel” -> “Programs and Features” -> “Turn Windows Features on or off”

Choose from the list “Telnet Client” and you are good to go.

Windows Command Line Mail

Press [Win]+R and type “cmd”.

When command line opens up you are ready to use telnet.

Open connection Syntax: telnet Hostname Port
Example: telnet mail.neti.ee 25

If the connection was made successfuly with the mail server then you should receive a 200 error code.

For example: 220 Elion mailsystem V.3

From there on you just have to mimic the SMTP (Simple Mail Transfer Protocol) to get your e-mail sent.

Protocol

S: 220 Elion mailsystem V.3
C: HELO mail.neti.ee
S: 250 NETI-Relayhost1.estpak.ee
C: MAIL FROM:<>
S: 250 Ok
C: RCPT TO:<>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: “Bob Example” <>
C: To: Alice Example <>
C: Date: Tue, 15 Jan 2010 00:25:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 2.0.0 Ok: queued as 965B7145
C: QUIT
S: 221 Bye

It even has some sort of code obfuscator which is constantly changing the HTML code so people like me couldn’t make themselves a friendly list to copy. That pissed me off even more and now i am going to publish their list on abc code hack to whoever wants it.

Free public proxy servers list .

Also you might want to get your hands on a proxy checker because they die quickly.

I found quite useful one from http://www.optinsoft.com/ – just check under their “Free Software” text on the right if you have hard time finding it.
Oh and on a side note, these are mostly HTTPS proxies but there are some HTTP ones too.