Today, I wanted to use the Delphi Encryption Compendium (DEC) to hash a string. It is a little bit difficult to figure out how to use the components since they are poorly documented, but after a few minutes, I came up with this. At first, I tried to use the CalcBinary function, which allows you to pass a string to it. It worked fine, but it is limited because it casts all input strings to the AnsiString type. As a result, I switched to the CalcStream function to overcome this limitation.
Here are two functions which you can use to calculate an MD5 hash for either a UnicodeString or an AnsiString. These functions can easily be converted to a different hash type simply by changing the hash class in the variable declaration and in the Create call. The available hash types are:
THash_MD2, THash_MD4, THash_MD5, THash_RipeMD128, THash_RipeMD160, THash_RipeMD256, THash_RipeMD320, THash_SHA, THash_SHA1, THash_SHA256, THash_SHA384, THash_SHA512, THash_Haval128, THash_Haval160, THash_Haval192, THash_Haval224, THash_Haval256, THash_Tiger, THash_Panama, THash_Whirlpool, THash_Whirlpool1, THash_Square, THash_Snefru128, THash_Snefru256, and THash_Sapphire.
You can specify Haval rounds like this: hash.rounds:=3; // 3, 4, and 5 are the valid round values
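Uses Classes, DECHash, DECFmt;

// MD5 over the raw UTF-16 bytes of a UnicodeString, returned as a hex string.
Function GetMD5_Unicode(input: UnicodeString):String;
var
  val: tStringStream;
  hash: tHash_MD5;
  len: int64;
Begin
  val:=tStringStream.Create;
  try
    // Byte count, not character count: two bytes per UTF-16 code unit.
    len:=length(input)*SizeOf(WideChar);
    // input[1] is not valid for an empty string, so only write when there is data.
    if len > 0 then
      val.Write(input[1], len);
    val.Seek(0, soFromBeginning);
    hash:=tHash_MD5.Create();
    try
      result:=string(hash.CalcStream(val, len, TFormat_HEX));
    finally
      hash.Free;
    end;
  finally
    val.Free;
  end;
End;

// MD5 over the single-byte characters of an AnsiString, returned as a hex string.
Function GetMD5_Ansi(input: AnsiString):String;
var
  val: tStringStream;
  hash: tHash_MD5;
  len: int64;
Begin
  val:=tStringStream.Create;
  try
    // One byte per AnsiChar.
    len:=length(input);
    // input[1] is not valid for an empty string, so only write when there is data.
    if len > 0 then
      val.Write(input[1], len);
    val.Seek(0, soFromBeginning);
    hash:=tHash_MD5.Create();
    try
      result:=string(hash.CalcStream(val, len, TFormat_HEX));
    finally
      hash.Free;
    end;
  finally
    val.Free;
  end;
End;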
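The two functions above hash different bytes for the same text, which matters whenever a digest produced in Delphi is compared with one computed elsewhere. The Python sketch below is an added example, not code from the original post or from DEC: it reproduces the byte layouts of GetMD5_Unicode (UTF-16LE) and GetMD5_Ansi, assuming a Windows-1252 ANSI code page with '?' substitution for unmappable characters. The function names and sample strings are constructed for illustration.

```python
import hashlib

def md5_unicode(s: str) -> str:
    """Byte layout of GetMD5_Unicode: MD5 over the UTF-16LE bytes of s."""
    return hashlib.md5(s.encode("utf-16-le")).hexdigest()

def md5_ansi(s: str, codepage: str = "cp1252") -> str:
    """Byte layout of GetMD5_Ansi after a UnicodeString -> AnsiString cast.

    Assumption: the ANSI code page is Windows-1252 and characters it cannot
    represent are replaced with '?', i.e. the conversion is lossy.
    """
    return hashlib.md5(s.encode(codepage, errors="replace")).hexdigest()

def same_digest(a: str, b: str) -> bool:
    """Compare two hex digests without depending on letter case."""
    return a.lower() == b.lower()

def lossy_collisions(samples):
    """Pairs of distinct strings whose ANSI-path digests are identical."""
    out = []
    for i, a in enumerate(samples):
        for b in samples[i + 1:]:
            if a != b and md5_ansi(a) == md5_ansi(b):
                out.append((a, b))
    return out

# Constructed sample inputs: ASCII, empty, Cyrillic, and six question marks.
SAMPLES = ["abc", "", "пароль", "??????"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "unicode:", md5_unicode(s), "ansi:", md5_ansi(s))
    # The Cyrillic string degrades to '??????' on the ANSI path, so two
    # different inputs end up with the same digest there.
    print("ANSI-path collisions:", lossy_collisions(SAMPLES))
```

The same comparison works for the other hash classes in the list by swapping hashlib.md5 for the matching constructor, for example hashlib.sha256 for THash_SHA256. MD5 is not collision-resistant, so prefer SHA-256 or stronger where the digest protects anything.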
The Delphi Encryption Compendium (DEC) can be downloaded here:
https://github.com/winkelsdorf/DelphiEncryptionCompendium/releases
Until next time, happy programming and reversing. :)
Hey bro!!
Good job Mann, will you help me on reverse engineering a Delphi XE app.
Here is what it does
When I run the app it displays a button which opens a webpage on click and a labeled text (Not activated) in the side.
So all I know is that the button's caption has to change from Activate to Activated then the labelled text will disappear.
I tried to debug and I found these
Handle = 00020510
Title = Activate
Parent = 00020510
ID = Handle
Style =54010000
Class =TButton
Clasproc=FFFF056D
Thread =main
The way you understand programming you understand this more than me.
Thank you Mann
Best regards
I will reward your effort please!!
Here is my email
Alexiopuk2sefu@yahoo.com
Chester
I have been trying to reverse copy protection of a game, that is just GUI app for a month, till I had a look on the registered version and notice the difference. I loved the challenge cause I heard that Delphi apps ain't easy to reverse because their copy protection are mostly on buttons, so I noticed the changes to be made to the app to bypass protection is that, the button has to disappear and its caption has to be there but with a letter "d" at the end. This is what I guessed to be the argument for it.
If (TButton = Activate ) the do begin; Tlabel = "Not Activated"; end; Else (TButton = Tlabel ); Tlabel = "Activated" end;
Sorry I am not yet a programmer I am still learning so what I am trying to say is that inside the Call TApplication.run there is an argument that checks the condition or state of TButton(Activate) if it's not changed then it will push the message "Not Activated" to the pump message queue to be displayed on the Tlabel. I have been trying and now what I am really doing is dying to find this argument and all I found is array(101) of applicable components and then a call to application process messages.
Please help me convert the above statements to assembly, then I will look for them. I even know that the message pump cycles four times before displaying "Not Activated" but I really need to find the origin of that message.
Any suggestion y'all welcome
Have you tried searching for those strings/tlabels in the ollydbg and setting a hardware breakpoint on access to see where they are accessed in the program? You can search the entire memory in the memory window.
Thanks let me try
No luck Mann!!
I even tried Interactive Delphi Reconstructor and I have found these
Mov eax,[004A6098]; TButton
Call TButton.create; TButton.create
But I know nothing about Delphi and also when I searched for string "Activate" inside the call to Application.run. I found a binary string on
0043E158 38 DB 38 CHAR '8'
0043E159 00 DB 00
0043E15A 34EA4300 DD Acrobyte.0043EA400 Entry address
0043E15E 08 DB 08
0043E15F 41 63 74 69 76 61 74 65 ASCII "Activate"
So here the Character '8' I have seen it through CFF Explorer that it's has something to do with the button, which I have no idea.
But here is a link for the game, have a look
https://www.dropbox.com/s/jngpjku93motasg/acrobyte.exe?dl=0
Thanks for your kindness mann
Please don't hate it's only that I am too seriously about reversing Delphi.
I played overnight and I found something that may make sense to some Delphi programmers that wish to help
I opened the file with Hex Editor to see if I can change the assignment of the button but the hell I found the assignment
Function number:12
Number of components for this function:1
Component name:_27
Number of actions:0
ActionID:0
Param1:Please activate the software first!
NB(--.1..Checkout......_27) that's the detail of the TButton (Checkout)
I changed actionID:2 and the app minimizes on click, changed actionID:4 it closes on click, I changed again actionID:5 it moves from center to top left
Any suggestion please I appreciate.
Is this something you are trying to crack or simply retrieve the source code? I am not sure if you can read assembly, but a good approach to something like this is to use a debugger such as ollydbg for x86 and x64dbg for x64 to analyze the button routine. You can easily modify the assembly instructions to get the results you want. Delphi is not difficult to reverse engineer. In my opinion, it is easier than Visual Basic and about equal to C++.
@Chester
I have noticed that the executable is packed or crypted using EMS Source Rescuer but I don't know how to identify the packer or crypted since most Dependency walkers doesn't
They didn't encrypt the whole app but those useful strings are encrypted
Does somebody here free to check copyright protection of an app and tell me please I can't see myself as loser.
People write essays about cracking password and serial bypassing. What about app with just the Activate button like the one with the above link.
Please help me finding type of copyright protection that's all.
@Chester
Oh Mann I did knew!!
Does DEC encrypt the component library and strings of Delphi Source?
Maybe that's why I am struggling with this app huh?
puk2sefu! upload again app! it's died!
link download die!