Rainbow trials
Delphi five enterprise trial edition
student
Not Assigned
12.1.2000
by macilaci
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC

All is covered at once, multiple tools used with fine accuracy.
Datestamp and encryption routines.
To be continued...

There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (X)Intermediate ( )Advanced ( )Expert

An interesting protection from professionals. Will we need a PENTIUM III computer to run these encrypted trials? Or any program that we get?
RAINBOW TRIALS
Delphi five enterprise trial edition
Written by macilaci


Introduction
          It looks that protectors are keeping smarter. They encrypt now whole programs! 
Hard times are comming. Only to create a bruteforcer and wait thousand years. Or reverse
the encryption method? To find weaknesses? Why when they provide the key with? Anyway,
I've found DELPHI Enterprise on Cover CD of computer magazine! YES, they offer a sixty
day trial period. Not bad. I thought.



Tools required
Softice or TRW debugger, Wdasm or IDApro, Procdump, Wisdec,Filemon,Regmon or ExeSpy or Boundschecker

Target's URL/FTP
http://www.borland.com /*available for download!*/, http://www.rnbo.com

Program History
Delphi? - A programming language or what? Rainbow trial? Never heard.

Essay
I - the setup script session

    Great tool this Installshield decompiler. This time you'll need the Wisdec. Just for
bypassing the trial key check - or get your unique key from borland.
Start the Wisdec and load up the setup.ins script file. Start the decompilation and 
wait a while. The decompilation stops at 0x0014d21. Cancel the decompilation process.
Now look at the string references. MSG_TRIAL_PSWD_FAIL looks fine. So go there and look 
around. It looks like this:

00013964: FF96   ???       <-too many questions - could be like pswd.test(string)
00013966: 9642   ???
0001396842FF   ???
0001396A: FF95   ???
0001396C: 0022   IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E3       ; our password jump!
0001397A: 0128   NumLocal[0006] = NumLocal[0002] >= 00000003             ; you've tried three times?
0001398C: 0022   IF NumLocal[0006] = 00000000 THEN GOTO LABEL_03E2
0001399A: 0112   LoadInternalString ("","MSG_TRIAL_PSWD_FAIL",StrLocal[0004])
000139B8: 002A   MessageBox (StrLocal[0004],SEVERE)                       ;nice
000139C2: 0159   Abort ()

         Change to /*use the wisdec help*/ and correct the CRC:
0001396C: 0022   IF NumLocal[0006] != 00000000 THEN GOTO LABEL_03E3

You will pass this check even when nothing has been entered.


II- sixty days left

	After reboot run the delphi. Nice window appears after few seconds. Don't click 
try yet. Instead hit the CTRL ALT DEL or better run the Procdump. Look at the running
tasks. Our window belongs the Activator! But the delphi is a separate process. 
After this I disassembled the activator.exe and found nothing... Nothing useful.
Okay let's try with delphi.exe. Wdasm tells us that this isn't standart PE format and
all references will be terminated. I guessed encrypted exe. Now use the procdump to dump
it. Again Wdasm, but still nothing. Hmm. It's time for heavy artillery - IDApro and load 
the dumped version. Some string references. I'm happy. Feature, version, license expiration
-still nothing - it looks like license management system. But our trial works without
a license file, so where it is? 
	Time for Filemon... Win.ini - no I think no /*I've met this in mijenix's trials*/
lservc  - looks interesting, 
found:
C:\WINDOWS\SYSTEM\SYSPRST.DLL ; well, this isn't standart PE format, the MZ header is missing too
C:\WINDOWS\SYSTEM\LSPRST.DLL  ; the same as above
C:\WINDOWS\SYSTEM\LSPRST.TGZ  ; this isn't packed file
C:\WINDOWS\SYSTEM\SYSPRST.TGZ ; this too

these files remain in your system directory after uninstalling too.

A small add on:
Delphi32	Open	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM	
Delphi32	Read	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
Delphi32	Close	C:\PROGRAM FILES\BORLAND\DELPHI5\BIN\SERVDAT.SLM
 /*this file can be found in the PROJECTS directory too*/
Hidden attribute? Secret file? Oh my god!

I decided to run Regmon.
Delphi32	OpenKey	        HKLM\SOFTWARE\Ntpad\HELPMENU		
Delphi32	QueryValueEx	HKLM\SOFTWARE\Ntpad\HELPMENU\tin	<-here
Delphi32	CloseKey	HKLM\SOFTWARE\Ntpad\HELPMENU
Uses delphi notepad? But notepad doesn't use this entry.

Delphi32	SetValueEx	HKLM\SOFTWARE\Rainbow\SentinelLM\CurrentVersion\Local\74099	SUCCESS	"z }}~z$!{1#1$1  "$$! }|1#1z|{"{""|$1"	
; oops this sets something, but I can't understand this string /*highly secret*/

I deleted these registry entries and files, ran the target... YESS, still sixty days left even after
date tamper. Now you can write small file to delete these valu and run the delphi. Always sixty 
days left up to the date in the lservc file.


III -constant date/time trick


	After I saw what's going on I decided to emulate inputs. The delete approach is effective but not
elegant. Stop, I found timefix.exe. Sweet - references to HKLM\SOFTWARE\Ntpad\HELPMENU\tin and some
more... Try now run the trial with Boundschecker. Sysprst,.... GetLocalTime!! 0x00d217d =0x004d217d

Let's see:

004D2170                 sub     esp, 0CCh
004D2176                 lea     eax, [esp+0CCh+var_BC]
004D217A                 push    esi
004D217B                 push    eax
004D217C                 call    ds:GetLocalTime
004D2182                 lea     ecx, [esp+0D0h+var_CC]
004D2186                 push    ecx
004D2187                 call    ds:GetSystemTime
004D218D                 mov     cx, ds:word_0_4858DA
004D2194                 cmp     [esp+0D0h+var_C2], cx
004D2199                 jnz     short loc_0_4D21D7
004D219B                 mov     ax, ds:word_0_4858D8
...
004D224A                 mov     eax, [esp+0E8h+var_BC]
004D224E                 and     eax, 0FFFFh
004D2253                 push    eax
004D2254                 call    sub_0_4D73F0      ; this returns some strange value in eax and edx
004D2259                 mov     ecx, [esp+0ECh+arg_0]
004D2260                 add     esp, 1Ch
004D2263                 test    ecx, ecx
004D2265                 jz      shortoc_0_4D2269
004D2267                 mov     [ecx], eax
004D2269
004D2269 loc_0_4D2269:                           ; CODE XREF: sub_0_4D2170+F5j
004D2269                 pop     esi
004D226A                 add     esp, 0CCh
004D2270                 retn
004D2270 sub_0_4D2170    endp

Another encryption? Probably yes. Let's see the above routine sub_0_4D73F0:


004D7477                 mov     [esp+34h+var_14], ebx
004D747B                 mov     [esp+34h+var_1C], ecx
004D747F                 lea     edx, [esi+esi*4]
004D7482                 add     edx, [esp+34h+arg_14]      ;the final edx value
004D7486                 lea     esi, [edx+eax+7C558180h]   ;the final eax=esi value
004D748D                 mov     eax, [esp+34h+arg_18]
004D7491                 cmp     eax, 1
004D7494                 jz      short loc_0_4D74B5

Write down the edx and eax and replace the location 004D747F:

004D747F                 mov edx, 0xbc218be0    ;your edx
			 mov esi, 0x3876ff50	;your eax=esi
                         nop
			 nop ...

Now you don't have to delete the above mentioned entries and files you can set the time forward
and backward always 60 days left. Click try button. Set now the date forward. Try again. Oh no, 
date tamper - couldn't get license string. The date is checked after pressing try button.
 
IV-more encrypted data

Do you remember the delphi.exe format? It has 11 segments. I looked for another encrypted dll.
found:
	dcc50.dll
	dclado50.bpl
	dcldss50.bpl
	dclib50.bpl
	dclmid50.bpl
	dclnet50.bpl ; this can be found in full install
	dclwbm50.bpl ; this too

What a huge protection! I searched for similar location to 4d2170 in delphi.exe. I found.
Simple search 89 4c 24 18 8d 14 b6 03 54 24 4c /*the 004D747B location*/ and patch them like 
the delphi.exe. All the above libraries needs patching.

V - run without activator

Back to our bounschecker record. Now look at this when the activator is running.
Api reference: WaitForSingleObject and before CreateProcessA in caitf32.dll module:

00401307                 push    0
00401309                 call    j_CreateProcessA        ;here start activator
0040130E                 test    eax, eax
00401310                 jz      loc_0_4013C0
00401316                 test    ebx, ebx
00401318                 jz      loc_0_4013A9
0040131E                 push    0FFFFFFFFh
00401320                 mov     ecx, [ebp-14h]
00401323                 push    ecx
00401324                 call    j_WaitForInputIdle
00401329                 mov     [ebp-4], eax
0040132C                 cmp     dword ptr [ebp-4], 0
00401330                 jnz     short loc_0_4013A0  
00401332                 push    64h
00401334                 mov     eax, [ebp-14h]
00401337                 push    eax
00401338                 call    j_WaitForSingleObject
...
0040138B                 push    edx
0040138C                 mov     ecx, [ebp-14h]
0040138F                 push    ecx
00401390                 call    j_GetExitCodeProcess	;and get the result
00401395                 jmp     short loc_0_4013AE

This subroutine is called from this sub:

004018CC                 push    1
004018CE                 mov     edx, [ebp+arg_0]
004018D1                 push    edx
004018D2                 call    sub_0_401288          ; call the activator routine
004018D7                 add     esp, 14h
004018DA                 mov     ebx, eax

Each time we press TRY button in the eax is returned the 0x00002716 value. Other registers
doesn't affect the program run. Simple replace: 

004018D2                 mov eax, 0x00002716        ;now we can run it without activator

And the patch is done. Our trial is running any time we want.

The proggy detected time tamper. I think due the clock, write and read from syprst files.
I luckily found an error return?! In the delphi.exe dll:

0049499C                 push    eax
0049499D                 call    sub_0_494B3D             ;checks the sysprst file and more..
004949A2                 add     esp, 4
004949A5                 test    eax, eax
004949A7                 jnz     short loc_0_4949C2       ;change this to jump
004949A9                 push    100h
004949AE                 lea     eax, [ebp+var_118]
004949B4                 push    eax
004949B5                 call    sub_0_49F129
004949BA                 add     esp, 8
004949BD                 jmp     loc_0_494B34
004949C2 loc_0_4949C2:                           ; CODE XREF: sub_0_494957+50j
004949C2                 mov     eax, 0C800100Fh          ; probably an error code
004949C7                 jmp     loc_0_494B36






Final Notes
Always sixty days left? I'm not sure - waiting for delayed reaction of the program. I'm still
missing some answers. To be continued.
Does the C++ builder 5.0 use the same protection?
  



Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?