Rainbow trials
Delphi five enterprise trial edition
student
Not Assigned
12.1.2000
by macilaci
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC

All is covered at once, multiple tools used with fine accuracy.
Datestamp and encryption routines.
To be continued...

There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

An interesting protection from professionals. Will we need a PENTIUM III computer to run these encrypted trials? Or any program that we get?
RAINBOW TRIALS
Delphi five enterprise trial edition
Written by macilaci


Introduction

It looks like protectors are getting smarter. They now encrypt whole programs! Hard times are coming. The only options: create a bruteforcer and wait a thousand years, or reverse the encryption method and look for weaknesses. But why, when they ship the key along with it? Anyway, I've found DELPHI Enterprise on the cover CD of a computer magazine! YES, they offer a sixty day trial period. Not bad, I thought.

Tools required
Softice or TRW debugger, Wdasm or IDApro, Procdump, Wisdec, Filemon, Regmon or ExeSpy or Boundschecker

Target's URL/FTP
http://www.borland.com /*available for download!*/, http://www.rnbo.com

Program History
Delphi? - A programming language or what? Rainbow trial? Never heard.

Essay
I - the setup script session

Great tool, this Installshield decompiler. This time you'll need Wisdec, just for bypassing the trial key check - or get your unique key from Borland. Start Wisdec and load up the setup.ins script file. Start the decompilation and wait a while. The decompilation stops at 0x0014d21; cancel the decompilation process. Now look at the string references. MSG_TRIAL_PSWD_FAIL looks fine, so go there and look around. It looks like this:



00013964: FF96   ???       <-too many questions - could be like pswd.test(string)
00013966: 9642   ???
00013968: 42FF   ???
0001396A: FF95   ???
0001396C: 0022   IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E3       ; our password jump!
0001397A: 0128   NumLocal[0006] = NumLocal[0002] >= 00000003             ; you've tried three times?
0001398C: 0022   IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E2
0001399A: 0112   LoadInternalString ("","MSG_TRIAL_PSWD_FAIL",StrLocal[0004])
000139B8: 002A   MessageBox (StrLocal[0004],SEVERE)                       ;nice
000139C2: 0159   Abort ()



Change it to /*use the wisdec help*/ and correct the CRC:

0001396C: 0022   IF NumLocal[0006] != 00000000 THEN GOTO LABEL_03E3

You will pass this check even when nothing has been entered.





II - sixty days left

After reboot run Delphi. A nice window appears after a few seconds. Don't click Try yet. Instead hit CTRL ALT DEL or, better, run Procdump. Look at the running tasks. Our window belongs to the Activator! But Delphi is a separate process. After this I disassembled activator.exe and found nothing... Nothing useful. Okay, let's try delphi.exe. Wdasm tells us that this isn't standard PE format and all references will be terminated. I guessed an encrypted exe. Now use Procdump to dump it. Again Wdasm, but still nothing. Hmm. It's time for heavy artillery - IDApro - and load the dumped version. Some string references. I'm happy. Feature, version, license expiration - still nothing - it looks like a license management system. But our trial works without a license file, so where is it?

Time for Filemon... Win.ini - no, I think not /*I've met this in mijenix's trials*/. lservc - looks interesting. Found:

C:\WINDOWS\SYSTEM\SYSPRST.DLL ; well, this isn't standard PE format, the MZ header is missing too
C:\WINDOWS\SYSTEM\LSPRST.DLL  ; the same as above
C:\WINDOWS\SYSTEM\LSPRST.TGZ  ; this isn't a packed file
C:\WINDOWS\SYSTEM\SYSPRST.TGZ ; this too

These files remain in your system directory after uninstalling too.



A small add-on:

Delphi32	Open	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
Delphi32	Read	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
Delphi32	Close	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
/*this file can be found in the PROJECTS directory too*/

Hidden attribute? Secret file? Oh my god!



I decided to run Regmon.

Delphi32	OpenKey	HKLM\SOFTWARE\Ntpad\HELPMENU
Delphi32	QueryValueEx	HKLM\SOFTWARE\Ntpad\HELPMENU\tin	<-here
Delphi32	CloseKey	HKLM\SOFTWARE\Ntpad\HELPMENU

Delphi uses Notepad? But Notepad doesn't use this entry.



Delphi32	SetValueEx	HKLM\SOFTWARE\Rainbow\SentinelLM\CurrentVersion\Local\74099	SUCCESS	"z }}~z$!{1#1$1  "$$! }|1#1z|{"{""|$1"
; oops, this sets something, but I can't understand this string /*highly secret*/

I deleted these registry entries and files, ran the target... YESS, still sixty days left even after date tamper. Now you can write a small file to delete these values and run Delphi. Always sixty days left, up to the date in the lservc file.
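Added example, not from the essay: a small Python inventory of the artifacts a process touches, run over Filemon/Regmon-style lines constructed from the ones above. It separates registry from file accesses and keeps only what lies outside the program's own install tree and vendor key, which is how a defender spots license state parked under an unrelated name such as HKLM\SOFTWARE\Ntpad or left behind in the system directory after an uninstall. The tab-separated log layout, the install directory and the vendor key prefix are assumptions.

```python
from collections import defaultdict

# Constructed Filemon/Regmon-style lines modelled on the essay's output:
# process <TAB> operation <TAB> path [<TAB> result]
SAMPLE_LOG = """\
Delphi32\tOpen\tC:\\PROGRAM FILES\\BORLAND\\DELPHI5\\BIN\\SERVDAT.SLM
Delphi32\tRead\tC:\\WINDOWS\\SYSTEM\\SYSPRST.DLL
Delphi32\tWrite\tC:\\WINDOWS\\SYSTEM\\LSPRST.TGZ
Delphi32\tQueryValueEx\tHKLM\\SOFTWARE\\Ntpad\\HELPMENU\\tin\tSUCCESS
Delphi32\tSetValueEx\tHKLM\\SOFTWARE\\Rainbow\\SentinelLM\\CurrentVersion\\Local\\74099\tSUCCESS
Delphi32\tOpenKey\tHKLM\\SOFTWARE\\Borland\\Delphi\\5.0\tSUCCESS
Explorer\tRead\tC:\\WINDOWS\\SYSTEM\\SHELL32.DLL
"""

REG_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")
WRITE_OPS = {"Write", "Create", "SetValueEx", "CreateKey", "DeleteKey", "DeleteValue"}

def parse_line(line):
    """Split one tab-separated Filemon/Regmon line into a record, or None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    proc, op, path = parts[0], parts[1], parts[2]
    kind = "registry" if path.upper().startswith(REG_ROOTS) else "file"
    return {"process": proc, "op": op, "path": path, "kind": kind}

def foreign(rec, install_dir, vendor_keys):
    """True when the path lies outside the program's own install tree or
    vendor registry keys (both supplied by the analyst, an assumption here)."""
    p = rec["path"].upper()
    if rec["kind"] == "file":
        return not p.startswith(install_dir.upper())
    return not any(p.startswith(k.upper()) for k in vendor_keys)

def inventory(log_text, process, install_dir, vendor_keys):
    """Per-process report of paths touched outside the expected locations:
    {"file": [...], "registry": [...], "writes": [...]}, sorted and unique.
    'writes' is the subset that was created or modified: the candidates
    for what will still be on the machine after an uninstall."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["process"] != process:
            continue
        if not foreign(rec, install_dir, vendor_keys):
            continue
        out[rec["kind"]].add(rec["path"])
        if rec["op"] in WRITE_OPS:
            out["writes"].add(rec["path"])
    return {k: sorted(v) for k, v in out.items()}
```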





III - constant date/time trick

After I saw what's going on I decided to emulate the inputs. The delete approach is effective but not elegant. Stop, I found timefix.exe. Sweet - references to HKLM\SOFTWARE\Ntpad\HELPMENU\tin and some more... Now try running the trial with Boundschecker. Sysprst,.... GetLocalTime!! 0x00d217d = 0x004d217d

Let's see:



004D2170                 sub     esp, 0CCh
004D2176                 lea     eax, [esp+0CCh+var_BC]
004D217A                 push    esi
004D217B                 push    eax
004D217C                 call    ds:GetLocalTime
004D2182                 lea     ecx, [esp+0D0h+var_CC]
004D2186                 push    ecx
004D2187                 call    ds:GetSystemTime
004D218D                 mov     cx, ds:word_0_4858DA
004D2194                 cmp     [esp+0D0h+var_C2], cx
004D2199                 jnz     short loc_0_4D21D7
004D219B                 mov     ax, ds:word_0_4858D8
...
004D224A                 mov     eax, [esp+0E8h+var_BC]
004D224E                 and     eax, 0FFFFh
004D2253                 push    eax
004D2254                 call    sub_0_4D73F0      ; this returns some strange value in eax and edx
004D2259                 mov     ecx, [esp+0ECh+arg_0]
004D2260                 add     esp, 1Ch
004D2263                 test    ecx, ecx
004D2265                 jz      short loc_0_4D2269
004D2267                 mov     [ecx], eax
004D2269
004D2269 loc_0_4D2269:                           ; CODE XREF: sub_0_4D2170+F5j
004D2269                 pop     esi
004D226A                 add     esp, 0CCh
004D2270                 retn
004D2270 sub_0_4D2170    endp



Another encryption? Probably yes. Let's see the above routine sub_0_4D73F0:





004D7477                 mov     [esp+34h+var_14], ebx
004D747B                 mov     [esp+34h+var_1C], ecx
004D747F                 lea     edx, [esi+esi*4]
004D7482                 add     edx, [esp+34h+arg_14]      ;the final edx value
004D7486                 lea     esi, [edx+eax+7C558180h]   ;the final eax=esi value
004D748D                 mov     eax, [esp+34h+arg_18]
004D7491                 cmp     eax, 1
004D7494                 jz      short loc_0_4D74B5



Write down the edx and eax and replace the location 004D747F:

004D747F                 mov     edx, 0xbc218be0    ;your edx
                         mov     esi, 0x3876ff50    ;your eax=esi
                         nop
                         nop ...



Now you don't have to delete the above mentioned entries and files; you can set the time forward and backward, always 60 days left. Click the Try button. Now set the date forward. Try again. Oh no, date tamper - couldn't get license string. The date is checked after pressing the Try button.
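As an added example (a model written for this page, not Rainbow's code), the trial logic below reproduces what the essay observes: the counter lives in stored state, a clock earlier than the recorded high-water mark reads as tamper, deleting the state starts the sixty days over, and a frozen date looks like a rollback as soon as another code path has stamped a later real date. The stored fields and the two-clock assumption are mine, inferred from the essay's results.

```python
from datetime import date, timedelta

TRIAL_DAYS = 60  # the essay's sixty-day trial

def new_state(today):
    """Fresh trial state, i.e. what a protection writes on first run.
    Model assumption: it records the first-run date and a last-seen date."""
    return {"first_run": today, "last_seen": today}

def check(state, today):
    """One run of the trial check. Returns (status, days_left, new_state).
    Model: a clock earlier than the recorded high-water mark is a rollback."""
    if state is None:                       # state files/keys deleted: start over
        state = new_state(today)
    if today < state["last_seen"]:
        return "tamper", 0, state           # clock went backwards
    state = dict(state, last_seen=today)    # advance the high-water mark
    left = TRIAL_DAYS - (today - state["first_run"]).days
    if left <= 0:
        return "expired", 0, state
    return "ok", left, state

def frozen_clock_run(state, patched_today, real_today):
    """Model of the essay's constant-date patch: the day counter sees the
    patched (frozen) date, while a second code path still stamps the real
    clock into the stored state (assumption drawn from the essay's result)."""
    status, left, state = check(state, patched_today)
    if real_today > state["last_seen"]:
        state = dict(state, last_seen=real_today)
    return status, left, state

def essay_scenarios():
    """Replay the essay's observations; returns (status, days_left) per step."""
    d0 = date(2000, 1, 12)                  # constructed start date
    out = {}
    out["first_run"] = check(None, d0)[:2]                          # ("ok", 60)
    s = check(None, d0)[2]
    out["ten_days_later"] = check(s, d0 + timedelta(10))[:2]        # ("ok", 50)
    s = check(s, d0 + timedelta(10))[2]
    out["clock_rolled_back"] = check(s, d0 + timedelta(5))[:2]      # ("tamper", 0)
    out["state_deleted"] = check(None, d0 + timedelta(100))[:2]     # ("ok", 60)
    out["sixty_days_later"] = check(new_state(d0), d0 + timedelta(60))[:2]  # ("expired", 0)
    # constant-date patch: fine until the real clock moves past the frozen date
    s = new_state(d0)
    st, left, s = frozen_clock_run(s, d0, d0 + timedelta(30))
    out["frozen_first_try"] = (st, left)                            # ("ok", 60)
    out["frozen_after_date_forward"] = frozen_clock_run(s, d0, d0 + timedelta(31))[:2]  # ("tamper", 0)
    return out
```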

 

IV - more encrypted data

Do you remember the delphi.exe format? It has 11 segments. I looked for other encrypted dlls. Found:

	dcc50.dll
	dclado50.bpl
	dcldss50.bpl
	dclib50.bpl
	dclmid50.bpl
	dclnet50.bpl ; this can be found in the full install
	dclwbm50.bpl ; this too

What a huge protection! I searched for a location similar to 4d2170 in delphi.exe, and found it. Simple search for 89 4c 24 18 8d 14 b6 03 54 24 4c /*the 004D747B location*/ and patch them like delphi.exe. All the above libraries need patching.



V - run without activator

Back to our Boundschecker record. Now look at this when the activator is running. API reference: WaitForSingleObject, and before it CreateProcessA in the caitf32.dll module:



00401307                 push    0
00401309                 call    j_CreateProcessA        ;here start activator
0040130E                 test    eax, eax
00401310                 jz      loc_0_4013C0
00401316                 test    ebx, ebx
00401318                 jz      loc_0_4013A9
0040131E                 push    0FFFFFFFFh
00401320                 mov     ecx, [ebp-14h]
00401323                 push    ecx
00401324                 call    j_WaitForInputIdle
00401329                 mov     [ebp-4], eax
0040132C                 cmp     dword ptr [ebp-4], 0
00401330                 jnz     short loc_0_4013A0
00401332                 push    64h
00401334                 mov     eax, [ebp-14h]
00401337                 push    eax
00401338                 call    j_WaitForSingleObject
...
0040138B                 push    edx
0040138C                 mov     ecx, [ebp-14h]
0040138F                 push    ecx
00401390                 call    j_GetExitCodeProcess    ;and get the result
00401395                 jmp     short loc_0_4013AE



This subroutine is called from this sub:



004018CC                 push    1
004018CE                 mov     edx, [ebp+arg_0]
004018D1                 push    edx
004018D2                 call    sub_0_401288          ; call the activator routine
004018D7                 add     esp, 14h
004018DA                 mov     ebx, eax



Each time we press the TRY button, the value 0x00002716 is returned in eax. The other registers don't affect the program run. Simple replace:



004018D2                 mov eax, 0x00002716        ;now we can run it without activator



And the patch is done. Our trial is running any time we want.



The proggy detected time tamper - I think due to the clock, and the write and read of the sysprst files. I luckily found an error return?! In the delphi.exe dll:



0049499C                 push    eax
0049499D                 call    sub_0_494B3D             ;checks the sysprst file and more..
004949A2                 add     esp, 4
004949A5                 test    eax, eax
004949A7                 jnz     short loc_0_4949C2       ;change this to jump
004949A9                 push    100h
004949AE                 lea     eax, [ebp+var_118]
004949B4                 push    eax
004949B5                 call    sub_0_49F129
004949BA                 add     esp, 8
004949BD                 jmp     loc_0_494B34
004949C2 loc_0_4949C2:                           ; CODE XREF: sub_0_494957+50j
004949C2                 mov     eax, 0C800100Fh          ; probably an error code
004949C7                 jmp     loc_0_494B36











Final Notes
Always sixty days left? I'm not sure - waiting for a delayed reaction of the program. I'm still missing some answers. To be continued.

Does C++ Builder 5.0 use the same protection?

  





Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
