Thursday, August 27, 2015

Delphi Tips: Hashing a String With Delphi Encryption Compendium(DEC)

Today, I wanted to use the Delphi Encryption Compendium(DEC) to hash a string. It is a little bit difficult to figure out how to use the components since they are poorly documented, but after a few minutes, I came up with this. At first, I tried to use the CalcBinary function, which allows you pass a string to it. It worked fine, but it is limited due to the fact that it would cast all input strings as an ansistring type. As a result, I switched to the CalcStream type to overcome this limitation. Here are two functions which you can use to calculate an MD5 hash for either a UnicodeString or AnsiString. These functions can be easily converted to a different hash type simply by changing the declaration and create type. The available hash types are: 
THash_MD2, THash_MD4, THash_MD5, THash_RipeMD128, THash_RipeMD160, THash_RipeMD256, THash_RipeMD320, THash_SHA, THash_SHA1, THash_SHA256, THash_SHA384, THash_SHA512, THash_Haval128, THash_Haval160, THash_Haval192, THash_Haval224, THash_Haval256, Thash_Tiger, THash_Panama, THash_Whirlpool, THash_Whirlpool1, THash_Square, THash_Snefru128, THash_Snefru256, and THash_Sapphire
You can specify haval rounds like this: hash.rounds:=3; //(3,4,and 5 are valid round types.)

Uses DECHash, DECFmt

Function GetMD5_Unicode(input: UnicodeString):String;
var
val: tStringStream;
hash: tHash_MD5;
len: int64;
Begin
val:=tStringStream.Create;
len:=length(input)*2;
val.Write(input[1], len);
val.Seek(0, soFromBeginning);
hash:=tHash_MD5.Create();
result:=string(hash.CalcStream(val, len, TFormat_HEX));

hash.Free;
val.Free;
End;

Function GetMD5_Ansi(input: AnsiString):String;
var
val: tStringStream;
hash: tHash_MD5;
len: int64;
Begin
val:=tStringStream.Create;
len:=length(input);
val.Write(input[1] ,len);
val.Seek(0, soFromBeginning);
hash:=tHash_MD5.Create();
result:=string(hash.CalcStream(val, len, TFormat_HEX));

hash.Free;
val.Free;
End;


The Delphi Encryption Compendium(DEC) can be downloaded here:
https://github.com/winkelsdorf/DelphiEncryptionCompendium/releases
 
Until next time, happy programming and reversing. :)

14 comments:

  1. Hey bro!!

    Good job Mann,will you help me on reversing engineering a Delphi XE app.
    Here is what it does

    When I run the app it displays a button which opens a webpage on click and a labeled text (Not activated) in the side .
    So all I know is that the button's caption has to change from Activate to Acrivated then the labelled text will disappear.
    I tried to debug and I found these

    Handle = 00020510
    Title = Activate
    Parent = 00020510
    ID = Handle
    Style =54010000
    Class =TButton
    Clasproc=FFFF056D
    Thread =main

    The way you understand programming you understand this more than me.

    Thank you Mann
    Best regards

    ReplyDelete
  2. I will reward your effort please!!
    Here is my email
    Alexiopuk2sefu@yahoo.com

    ReplyDelete
  3. Chester

    I have been trying to reverse copy protection of a game,that is just GUI app for a month, till I had a look on the registered version and notice the difference. I loved the challenge cause I heard that Delphi apps ain't easy to reverse because their copy protection are mostly on buttons, so I noticed the changes to be made to the app to bypass protection is that, the button has to disappear and it's caption has to be there but with a letter "d" at the end. This is what I guessed to be the argument for it.

    If (TButton = Activate ) the do begin; Tlabel = "Not Activated"; end; Else (TButton = Tlabel ); Tlabel = "Activated" end;

    Sorry I am not yet a programmer I am still learning so what I am trying to say is that inside the Call TApplication.run there is an argument that checks the condition or state of TButton(Activate) if it's not changed then it will push the message "Not Activated" to the pump message queue to be displayed on the Tlabel. I have been trying and now what I am really doing is dying to find this argument and all I found is array(101) of applicable components and then a call to application process messages.

    Please help me convert the above statements to assembly, then I will look for them. I even know that the message pump cycles four times before displaying "Not Activated" but I really need to find the origin of that message.

    Any suggestion ya'l welcome

    ReplyDelete
  4. Have you tried searching for those strings/tlabels in the ollydbg and setting a hardware breakpoint on access to see where they are accessed in the program? You can search the entire memory in the memory window.

    ReplyDelete
  5. No luck Mann!!
    I even tried Interactive Delphi Reconstructor and I have found these

    Mov eax,[004A6098]; TButton
    Call TButton.create; TButton.create

    But I know nothing about Delphi and also when I searched for string "Activate" inside the call to Application.run. I found a binary string on

    0043E158 38 DB 38 CHAR '8'
    0043E159 00 DB 00
    0043E15A 34EA4300 DD Acrobyte.0043EA400 Entry address
    0043E15E 08 DB 08
    0043E15F 41 63 74 69 76 61 74 65 ASCII "Activate"

    So here the Character '8' I have seen it through CFF Explorer that it's has something to do with the button, which I have no idea.
    But here is a link for the game, have a look
    https://www.dropbox.com/s/jngpjku93motasg/acrobyte.exe?dl=0

    Thanks for your kindness mann

    ReplyDelete
  6. Please don't hate it's only that I am too seriously about reversing Delphi.
    I played overnight and I found something that may make sense to some Delphi programmers that wish to help
    I opened the file with Hex Editor to see if I can change the assignment of the button but the hell I found the assignment

    Function number:12
    Number of components for this function:1
    Component name:_27
    Number of actions:0
    ActionID:0
    Param1:Please activate the software first!
    NB(--.1..Checkout......_27) that's the detail of the TButton (Checkout)
    I changed actionID:2 and the app minimizes on click,changed actionID:4 it closes on click,I changed again actionID:5 it moves from center to top left

    Any suggestion please I appreciate.

    ReplyDelete
  7. Is this something you are trying to crack or simply retrieve the source code? I am not sure if you can read assembly, but a good approach to something like this is to use a debugger such as ollydbg for x86 and x64dbg for x64 to analyze the button routine. You can easily modify the assembly instructions to get the results you want. Delphi is not difficult to reverse engineer. In my opinion, it is easier than visual basic and about equal to c++.

    ReplyDelete
  8. @Chester

    I have noticed that the executable is packed or crypted using EMS Source Rescuer but I don't know how to indentify the packer or crypted since most Dependency walkers doesn't

    ReplyDelete
  9. They didn't encrypt the whole app but those useful strings are encrypted

    ReplyDelete
  10. Does somebody here free to check copyright protection of an app and tell me please I can't see myself as loser.
    People write essays about cracking password and serial bypassing. What about app with just the Activate button like the one with the above link.
    Please help me finding type of copyright protection that's all.

    ReplyDelete
  11. @Chester

    Oh Mann I did knew!!

    Does DEC encrypt the component library and strings of Delphi Source?
    Maybe that's why I am struggling with this app huh?

    ReplyDelete
  12. puk2sefu! upload again app! it's died!

    ReplyDelete