Old 11-04-2004, 13:20
Satyric0n
Quote:
Originally Posted by lorn
Satyricon, thanks for the tip on the TRegistry class. I noticed that the program was making some calls to my Borland Delphi in the registry, but I didn't make the connection that it was a Delphi program, duh. Would the fact that it uses advapi32 for the registry calls and that it uses standard API calls like RegQueryValue etc. be how you determine if it's calling the WinAPI registry calls directly? I guess the question is, how do you determine if they're using the TRegistry class?
Well, Delphi's TRegistry class is just an OO wrapper for the winapi calls, so the functions in advapi32 are going to get called regardless.

As for determining whether the authors of the app are using the TRegistry or calling the winapi directly, I can think of two ways to go about this (both involve disassembling the app in IDA and applying the appropriate VCL FLAIR filters):
  1. Set a breakpoint in RegQueryValue (for instance), then when you hit the bp, look up the call stack. Get the address of the function calling RegQueryValue and look it up in IDA to see if it's a VCL function (say, TRegistry.ReadString).
  2. In IDA, find the address of TRegistry.Create or TRegistry.ReadString or whatever. Then, either set a breakpoint at that address and start the app to see who calls it (again, just step up the call stack once), or use IDA to see every place in the app that calls it (using the code crossreferences) and look through them one-by-one (followed by looking at the surrounding code to see what strings are pushed onto the stack for calls to methods like ReadString, ReadInteger, etc).

Hope this helps.

EDIT:
Quote:
Originally Posted by lorn
As far as the validation code part... I was actually able to patch that part so it gave me a "licensed to ___" start up screen, and I thought I was in the clear, but Gabri3l brought to my attention that the prog actually checks the registry in the protection routine before it even starts to display anything or run the program. So, I'm aware of that code, but it didn't totally help me, because I wasn't able to get the serial out of it. Hope that makes sense. If you're seeing something else there that I'm not seeing (very likely) I'd definitely be all ears.
What you ideally want to do is patch the code that validates the license key you type in so that it always says it's valid. That way, whatever you type into the Enter License Key form will validate; then, when the program loads the license key from the registry and validates it (using that same function you already patched, hopefully), it will again think it's valid.

This is part of one of my main principles: if you're going to do a crack, always do it at the deepest level in the code that you can. (If you want to see where I first mentioned this (and my other principles), you can read my tutorial on cracking WinAmp 5.02 here: http://www.exetools.com/forum/showthread.php?t=3640. Also, if you decide to follow that tutorial, you will need v5.02 of WinAmp (now old), which can be obtained here: hxxp://download.nullsoft.com/winamp/client/winamp502_full.exe. I reiterated these principles in this tutorial: http://www.exetools.com/forum/showthread.php?t=3645.)

No, actually, what you REALLY want to do is find the code that validates the license key you type in, reverse it, and keygen it. But I realize this is too much effort for most people...

Last edited by Satyric0n; 11-04-2004 at 13:36.