
Page 1 of 18

Another way to find the Patch by XOR06


Intro
As a cracker it is always important to hide yourself, and to help you do that I'll show you how to crack this IP-hider.

In this tutorial we will be cracking the registration scheme of a real program which has a 1 day trial and a corresponding nag; it checks the serial with the server, but only when you enter the serial. We are using a new way to find the right place to patch, and we will go really deep into the code in this one.
I assume that you know Olly and how to change the flags, edit the asm code, search for constants and so on,
just some basic knowledge. I would like to thank nwokiller and R4ndom for proofreading and the great
support.
Remember, the best way to learn is to try to patch the program yourself first (please disconnect from the internet first, otherwise your attempt will be recorded on the server); if you don't succeed (or if you would like to see another approach) then read this tutorial. Have fun!

Toolz
Olly
ExeinfoPE
PExplorerR6
Notepad++ V6.1.3 (or notes)

Target
AutoHideIP-5.2.8.6
You can find the target at http://www.autohideip.com/
Index
Intro ..... 1
Toolz ..... 1
Target ..... 1
Investigate the Target ..... 2
Finding the Patch ..... 4
Finding the Patch in Olly ..... 7
Applying the Patch ..... 17
Final Notes ..... 17
Thanks to: ..... 18


Investigate the Target


Run the target and you'll see this (if you do not see this, please set your Windows time forward 1 day):

We can click "Cancel" or "Ok". Let us start with Cancel.

If you click "Cancel" the program will exit, and we don't want to buy it, so let us click "Enter Now" and we come here again:

You can see that I input some dummy code and click "Ok"; if you haven't disconnected from the Net you'll see this

Well click back and try again but this time disconnect from the internet first. Now you see this:


Ahhh, we can also reg this app if we are not online!! Let's try that, click "Manual"

Now you can see the Machine Data; hmm, to get your right code you should send the company the machine code, so it must be used to calculate the correct serial. Well, we just want to patch this, so we should just enter the dummy serial again and press "Ok", but there's a programming error so if you do that it just tells you that the program is expired. You must restart the app so you see this.

Don't press "Cancel", but just enter the dummy serial again and press "Ok", now press "Manual" and you see this


Enter the dummy serial and press "Ok"

There we got the badboy without the internet connection. Let us take a look at this target in Olly.

Finding the Patch


The target loads fine, but if you look for strings you won't find anything we can use; if you try to use the "execute till user code" trick or even try to use the call stack you don't find anything easy to go after. If you load the program in ExeinfoPE you see why

Ahh, this is a Borland Delphi program, so we just load it in DeDe, right? Well, you can try that but it won't work, you don't find any forms or procedures. This is where this new approach comes in handy. Try to load the target in PExplorer and look at the resources


You don't need to look in Strings or Dialog because you won't find anything, but look at the RCData

Yeah, that's right, here you can see the Forms! Let's take a look in the ACTIVATEFORM


Go on into pcActive to see what it hides

Can you see the tsManually? Could that be our manual activation form? Take a look into it


As you can see it has all the controls we had on the manual activation form: 4 labels, 2 buttons. Click on btnOKManually and scroll all the way down in the right window

There you can see the OnClick = btnOKManuallyClick, so that is the event it calls on click. As we know that Delphi uses these names to call the event (from R4ndom's Tutorial nr 17) we just have to search for this event name in the program. You can do this search in any hex viewer such as Hiew v8.10 or in the Olly memory map to get the address.

Finding the Patch in Olly


We will get the address to the event from Olly so load the target file in Olly, and open the memory map


Click on the top line and search for btnOKManuallyClick

We get a hit

Scroll up a little and you see the address of the event!

Now you just have to remember the endianness, so the right address of the event is …DE…. Let's go to that address

This is the start of the btnOKManuallyClick event. Place a BP here and let the app run (still remember to disconnect from the net) and click your way to this again

Enter your dummy serial and click "Ok", and Olly breaks here

Start stepping the code and you will see that @ 00630E14 it moves our serial into EAX, so now we wake up

If you click into the call @ …E… or …E.A you'll see two large routines which are called from more than 10 places; that is a lot if it is a serial check! That together with the fact that EAX still holds our serial and that there are no jumps around them tells me that it is not in there that the serial check is. Let's look at the call @ 00630E31. Right after it there is a TEST AL,AL and a conditional jump! Could this be it? If you step one more time you see that your string in EAX is gone and that AL=0, so this jump would not jump! Let's change the flag so it jumps and let the app run.

Well, that was the right place!! But if you click "Ok" you see this

Well this patch was not deep enough, so let us go much deeper in to the code and make the patch. Restart
the target in Olly and go to the call @ 00630E31

Okay, we know now that AL must be 1 so the conditional jump after the call @ 00630E31 is taken. Now let's go into this call and remember that AL should be 1 when we hit return


Ok, this looks good; this routine is only called from 2 places. If you step down to the conditional JMP @ 0063C273 you can see that this will jump as AL = 0. It will jump down to 0063C2C5 where it will XOR EBX,EBX which sets EBX to 0. But why is it interesting what EBX is? Well, look @ 0063C2CE: here it moves EBX into EAX, and as you may remember we needed AL to be 1. If we change the JE @ 0063C273 so it doesn't jump it will run all the code after. If you look @ 0063C2C1 you can see a MOV BL,1 instruction, so if we don't jump BL will be set to 1 and afterwards that is moved into EAX, so when we come down to RETN 8 @ 0063C3D4 EAX is 1 as it should be.
If you try it you'll see that this is still not deep enough. We know that the JE @ 0063C273 should not jump, so AL should be 1. Let us go into the call @ 0063C26C and remember that we should return from that call with AL = 1


Hmm, there are no conditional jumps in this routine, but that does not mean we are in the wrong place. Let's take a look into the last part of this routine

Remember we need AL to be 1 when we hit the RETN command @ 0063C201. (Because of the PUSH @ 0063C1E1 the RETN @ 0063C1F3 just makes you JMP to 0063C1FB.) Okay, look at the code @ 0063C1FB: it moves EBX into EAX, so before the PUSH @ 0063C1E1 BL must be 1. @ 0063C1D7 EAX is moved into EBX, so in the call @ 0063C1D2 EAX must be set to 1, right? Well, let's go deeper and make that happen. Go into the call.


As we can see this looks a lot like the routine we just saw, and in fact we must do the very same again here. We need to go into the call @ 006357C0 and make sure that EAX is set to 1, because we still need AL to end up being 1. So let's go deeper. Go into the call @ 006357C0

Well, now we are in a large routine with a lot of jumps, but we just need to focus on returning from here with EAX=1. So scroll down to the end of this routine


Well, this looks just like the other 2 routines we just came from, so you may suggest that we go into the call @ 006358EB, but if you go in there you will come to a routine which is called from over 70 places (it is used to decide what object to load). So if we change anything here it will not only affect the serial check but also everything else. That is not good so we will not go in there. We are now as deep as we can go! Let's make the patch here then.
Can you still remember what we need? Yes, we need EAX to be 1, so let us change the call to MOV EAX,1, which uses the same number of bytes as the call. Let Olly run and you see this

You did it. Or did you?


Well, yes and no, we are almost there but there is a problem: when you restart the computer and run the program, it will reset the registration! Hmm, how can it do that? Well, it must change some file somewhere when I close the program. That part I will not look after. When it loads it must check it somewhere, in a file or a registry key, and that we must find. We could use Regmon or some other monitoring tool but that won't get us any closer because it's not a registry key (how do I know? I checked). If it is not the registry it must be some other file, but there aren't any ini or dat files in the target's folder.
Now there are more ways to solve this. The first, long one is to find the breakpoint to the btnOKManuallyClick and set it again, let the program run until the breakpoint. Now you can look through the strings and see the string Settings, and then trace it down until you get the path to the file. The second one is to use your experience: if you have cracked for some time you would know that many apps use the ProgramData folder to store their settings files. So go to C:\ProgramData and you'll find a folder named AutoHideIP, click into that and you see the file Settings.dat. Now open that file with Notes or any other editor (I use Notepad++ V6.1.3) and you'll see this

These are all the settings for the app, and look at line 1, RunTimes=148, hmm, it counts when it starts the app. Look at the line Activate.NeedReactivated=1, hmm, maybe that should be 0 instead. Maybe we can just change it to 0 and write-protect the file? Let's try that and load the file in Olly

If you let the target run it will crash, why?

Well, let's use Olly to trace down where the app tries to write to the file (it crashes because it can't write to the file, as we have just write-protected it). Maybe we can find where it loads the file and reads the Activate.NeedReactivated. So how do we trace down to that? You just step with F8 and when you step over a call that makes the app crash you set a BP on it. Then restart the app, run to the breakpoint and step into that call, and step with F8 again until it crashes, and do it all over again until you get here.


And why do I stop here? This call makes the app crash, and look at the comments: "RunTimes". Can you remember that the first line in the settings file was "RunTimes"? Here it tries to write the new RunTimes number to the file, but it can't and crashes. Let us look in the Strings now; if RunTimes appears there then Activate.NeedReactivated must be there too. (We could not look in the strings from the start because at that time the app had hidden all that information.)

Now click ok and place a BP on the 4 hits here:

(You can only set a BP on the hits that have an instruction before it, otherwise Olly complains.) Remove the old breakpoints, remove the write protection from the Settings.dat file (we need the app to read more than the first line in the settings file and it only does that if it can write the RunTimes to the file) and restart the app in Olly. Now Olly breaks here

Let's step down to the JE @ 0063CA56

It made a call and then TEST AL,AL; that looks like it checks for a value (1 or 0) and then it jumps. Hmm, but wait, we have changed the Activate.NeedReactivated value to 0, so maybe the app should jump here? Let the program run

Well, yes, it runs fine, so the program should always jump @ 0063CA56. So just change the JE to JMP (or change the call to MOV EAX,1) and this target is finally cracked.

Applying the Patch


So as always just save the modification to file and run the cracked program. The first time you must disconnect from the net to get to the manual activation and enter any code you want.

Final Notes

That was a long one, but I wrote it because I think this was a good target to go very deep and to show you a simple way to find the right place to patch a Delphi program when DeDe fails.
I hope you enjoyed the tutorial and learned something. If you'd like to try again you can go patch the easy mode also.

For questions and discussion regarding this tutorial and other interesting stuff go to
http://www.thelegendofrandom.com/forum/index.php
Thanks for now..
-XOR06

Thanks to:
Random for showing me the light again
nwokiller for all his help
The SSECS team
Without these guys this wouldn't be possible.

R4ndom's forum:
