Tutorial on hacking QSetup Composer 7 (by rel4nium)


First, we determine what our victim is packed with; for this we run PEiD:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
Now we need an unpacker for UPX; it's too tough for us, so we'll use Upx_mod. To unpack, we just run Upx_mod like this:
Unp1_24.exe -d QSetup.exe
The program is now unpacked. We will carry out all further operations on the unpacked exe, which has a size of 1.69. Now we need to see what kinds of protection the program uses:

So we have 3 kinds of protection. Now we need to find these phrases / words in the disassembler, so we run KWdsm. Let's define what we will search for:
1) Illegal Registration Code!
2) Unregistered Copy (DEMO)
3) QSetup Composer (DEMO)
After these phrases are found, the nearby jumps are found as well (I always look for the nearby jumps, i.e. je, jne, jmp):
Illegal Registration Code! - jne 0051D4FB
Unregistered Copy - jmp 0051D369
QSetup Composer - jne 0051DBA8
To explain once more: we were looking for reference points for the hack, i.e. if we cannot find the error message through a breakpoint on a function, we will use the points found with the disassembler. Moving on, we launch Olly. Just for fun, try to find it by function:
Bpx MessageBoxA
And nothing is found, so it was not in vain that we searched for the phrases in the disassembler. Phrase number one:
0051D4DF |. 75 1A JNZ SHORT QSetup.0051D4FB
This jump is not interesting to us, because its purpose is to display:
0051D510 |. BA 70D65100 MOV EDX, QSetup.0051D670; ASCII "You must have ADMINISTRATOR rights to Register!"
So we'll examine the code above it:
 0051D47A |.  84DB TEST BL, BL
 0051D47C 74 57 JE SHORT QSetup.0051D4D5
 0051D47E |.  E8 25B2FBFF CALL QSetup.004D86A8
 0051D483 |.  84C0 TEST AL, AL
 0051D485 74 0D JE SHORT QSetup.0051D494
 0051D487 |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051D48A |.  BA 80D55100 MOV EDX, QSetup.0051D580;  ASCII "QSetup PRO Registered OK!"
 0051D48F |.  E8 0077EEFF CALL QSetup.00404B94
 0051D494 |> E8 A7B1FBFF CALL QSetup.004D8640
 0051D499 |.  84C0 TEST AL, AL
 0051D49B |.  74 0D JE SHORT QSetup.0051D4AA
 0051D49D |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051D4A0 |.  BA A4D55100 MOV EDX, QSetup.0051D5A4;  ASCII "QSetup LITE Registered OK!"
 0051D4A5 |.  E8 EA76EEFF CALL QSetup.00404B94
 0051D4AA |> 68 C8D55100 PUSH QSetup.0051D5C8;  ASCII "| & OK | & Cancel | & Yes | & No | & Abort | & Retry | & Ignore |"
 0051D4AF |.  6A 00 PUSH 0
 0051D4B1 |.  8D45 F8 LEA EAX, DWORD PTR SS: [EBP-8]
 0051D4B4 |.  8B4D FC MOV ECX, DWORD PTR SS: [EBP-4]
 0051D4B7 |.  BA 00D65100 MOV EDX, QSetup.0051D600;  ASCII "Congratulations"
 0051D4BC |.  E8 4779EEFF CALL QSetup.00404E08
 0051D4C1 |.  8B55 F8 MOV EDX, DWORD PTR SS: [EBP-8]
 0051D4C4 |.  B9 28D65100 MOV ECX, QSetup.0051D628;  ASCII "Attention"
 0051D4C9 |.  B8 01000000 MOV EAX, 1
 0051D4CE |.  E8 39B1F7FF CALL QSetup.0049860C
 0051D4D3 |.  EB 61 JMP SHORT QSetup.0051D536
 0051D4D5 |> 8B45 FC MOV EAX, DWORD PTR SS: [EBP-4]
 0051D4D8 |.  E8 2BACFBFF CALL QSetup.004D8108
 0051D4DD |.  84C0 TEST AL, AL
 0051D4DF 75 1A JNZ SHORT QSetup.0051D4FB
 0051D4E1 |.  68 C8D55100 PUSH QSetup.0051D5C8;  ASCII "| & OK | & Cancel | & Yes | & No | & Abort | & Retry | & Ignore |"
 0051D4E6 |.  6A 00 PUSH 0
 0051D4E8 |.  B9 3CD65100 MOV ECX, QSetup.0051D63C;  ASCII "Error"
 0051D4ED |.  BA 4CD65100 MOV EDX, QSetup.0051D64C;  ASCII "Illegal Registration Code!"

I do not know about you, but I was interested in these lines:
 0051D47C 74 57 JE SHORT QSetup.0051D4D5
 0051D485 74 0D JE SHORT QSetup.0051D494
Let's figure out where they lead. As you can see, to one place, namely:
 0051D4D5 |> 8B45 FC MOV EAX, DWORD PTR SS: [EBP-4]
You can see that this jump goes to the phrase Illegal Registration Code!
We will change both jumps at once, since changing only one has no effect:
 0051D47C 75 57 JNE SHORT QSetup.0051D4D5
 0051D485 75 0D JNE SHORT QSetup.0051D494
So, having changed the jump conditions, we get:
QSetup PRO Registered OK!
But it is too early to rejoice, because the 2 other protections are not hacked yet. Even though we see a cheerful window saying that the program is registered, it is not so, since the 2 other inscriptions are still in place.
Let's turn to them. At jmp 0051D369, we will not hesitate and immediately look at the code above this jump:
 0051D2F3 |.  84C0 TEST AL, AL
 0051D2F5 |.  74 4F JE SHORT QSetup.0051D346
 0051D2F7 |.  E8 ACB3FBFF CALL QSetup.004D86A8
 0051D2FC |.  84C0 TEST AL, AL
 0051D2FE |.  74 0D JE SHORT QSetup.0051D30D
 0051D300 |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051D303 |.  BA 94D35100 MOV EDX, QSetup.0051D394;  ASCII "Registered Copy (PRO)"
 0051D308 |.  E8 8778EEFF CALL QSetup.00404B94
 0051D30D |> E8 2EB3FBFF CALL QSetup.004D8640
 0051D312 |.  84C0 TEST AL, AL
 0051D314 |.  74 0D JE SHORT QSetup.0051D323
 0051D316 |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051D319 |.  BA B4D35100 MOV EDX, QSetup.0051D3B4;  ASCII "Registered Copy (LITE)"
 0051D31E |.  E8 7178EEFF CALL QSetup.00404B94
 0051D323 |> 8B55 FC MOV EDX, DWORD PTR SS: [EBP-4]
 0051D326 |.  8B83 DC060000 MOV EAX, DWORD PTR DS: [EBX + 6DC]
 0051D32C |.  E8 6379F5FF CALL QSetup.00474C94
 0051D331 |.  8B83 DC060000 MOV EAX, DWORD PTR DS: [EBX + 6DC]
 0051D337 |.  8B40 68 MOV EAX, DWORD PTR DS: [EAX + 68]
 0051D33A |.  BA 180000FF MOV EDX, FF000018
 0051D33F |.  E8 989CF0FF CALL QSetup.00426FDC
 0051D344 |.  EB 23 JMP SHORT QSetup.0051D369
 0051D346 |> BA D4D35100 MOV EDX, QSetup.0051D3D4;  ASCII "Unregistered Copy (DEMO)"
We see the typical protection, only simpler: this jump, JE SHORT QSetup.0051D346, if the entered serial number is not correct, will display the window: Unregistered Copy (DEMO), etc. Therefore, we change the jumps to:
 0051D2F5 75 4F JNZ SHORT QSetup.0051D346
 0051D2FE 75 0D JNZ SHORT QSetup.0051D30D
Now 2 simple protection algorithms of the program have been hacked; one is left. We go to the jump found in the disassembler: jne 0051DBA8. We look at the code as a whole; it is responsible for what is displayed in the DEMO window:
 0051DBCB |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051DBCE |.  BA C4DC5100 MOV EDX, QSetup.0051DCC4;  ASCII "QSetup Composer"
 0051DBD3 |.  E8 3072EEFF CALL QSetup.00404E08
 0051DBD8 |.  8B55 FC MOV EDX, DWORD PTR SS: [EBP-4]
 0051DBDB |.  A1 40E25400 MOV EAX, DWORD PTR DS: [54E240]
 0051DBE0 |.  8B00 MOV EAX, DWORD PTR DS: [EAX]
And the preceding loop does not affect it:
 0051DBA8 |> 6A 00 / PUSH 0
 0051DBAA |.  6A 00 | PUSH 0
 0051DBAC |.  49 | DEC ECX
 0051DBAD |. ^ 75 F9 \ JNZ SHORT QSetup.0051DBA8
Everything points to there being some other checking algorithm that we did not notice. Now we need to open the program in the disassembler again. After opening it, we again look for the phrase QSetup Composer, and this immediately catches our eye:
0051DBC3 |. E8 48ABFBFF CALL QSetup.004D8710
We follow this call simply by pressing the call button in the toolbar.
We end up here:
  004D8710 / $ 53 PUSH EBX
 004D8711 |.  8BD8 MOV EBX, EAX
 004D8713 |.  8BC3 MOV EAX, EBX
 004D8715 |.  BA 54874D00 MOV EDX, QSetup.004D8754;  ASCII "DEMO"
 004D871A |.  E8 31C4F2FF CALL QSetup.00404B50
 004D871F |.  E8 84FFFFFF CALL QSetup.004D86A8
 004D8724 |.  84C0 TEST AL, AL
 004D8726 |.  74 0C JE SHORT QSetup.004D8734
 004D8728 |.  8BC3 MOV EAX, EBX
 004D872A |.  BA 64874D00 MOV EDX, QSetup.004D8764;  ASCII "PRO"
 004D872F |.  E8 1CC4F2FF CALL QSetup.00404B50
 004D8734 |> E8 07FFFFFF CALL QSetup.004D8640
 004D8739 |.  84C0 TEST AL, AL
 004D873B |.  74 0C JE SHORT QSetup.004D8749
 004D873D |.  8BC3 MOV EAX, EBX
 004D873F |.  BA 70874D00 MOV EDX, QSetup.004D8770;  ASCII "LITE"
 004D8744 |.  E8 07C4F2FF CALL QSetup.00404B50
 004D8749 |> 5B POP EBX
 004D874A \.  C3 RETN
Again, the familiar protection construct; now it only remains to change JE 004D8734 to JNE 004D8734, and the program writes PRO in the top window. That is all there is to this simple protection. Now we only need to patch the program; you can use hiew. You need to change the jumps at the addresses:
0051D47C, 0051D485, 0051D2F5, 0051D2FE, 004D8726: every je needs to be changed to jne, and the program will forever consider itself registered.
After patching the program, you can make a patch using mpe (I covered this in previous articles, so I will not repeat it).
The program is hacked, the patch is created ...
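
Seen from the vendor's side, everything above comes down to five one-byte edits that turn a short JE (74) into JNE (75), and a comparison against the shipped build shows them directly. The script below is an added example, not part of the original tutorial; the function name and the sample bytes are constructed for illustration.

```python
# Added example (not from the tutorial): compare a suspect copy of an
# executable image with the vendor's reference build and classify each changed
# byte. Function names and sample bytes are constructed for illustration.

SHORT_JCC = range(0x70, 0x80)  # x86 short conditional jumps (Jcc rel8)


def classify_changes(reference: bytes, suspect: bytes):
    """Return (inverted_jumps, other_changes) as lists of (offset, old, new).

    Within 0x70-0x7F a condition and its negation differ only in bit 0
    (0x74 JE <-> 0x75 JNE), so an inverted check shows up as old ^ new == 1.
    This is a byte-level heuristic: it does not disassemble, so every hit
    should be confirmed in a disassembler before drawing conclusions.
    """
    if len(reference) != len(suspect):
        raise ValueError("images differ in length; compare the same build")
    inverted, other = [], []
    for offset, (old, new) in enumerate(zip(reference, suspect)):
        if old == new:
            continue
        if old in SHORT_JCC and (old ^ new) == 1:
            inverted.append((offset, old, new))
        else:
            other.append((offset, old, new))
    return inverted, other


# Constructed sample: TEST AL,AL / JE +0C / MOV EAX,EBX, as in the listing
# above, followed by four bytes standing in for unrelated data.
REFERENCE = bytes.fromhex("84c0740c8bc3") + b"DEMO"
TAMPERED = bytes.fromhex("84c0750c8bc3") + b"DEMo"

if __name__ == "__main__":
    jumps, rest = classify_changes(REFERENCE, TAMPERED)
    for offset, old, new in jumps:
        print(f"offset {offset:#x}: Jcc {old:02X} -> {new:02X} (condition inverted)")
    for offset, old, new in rest:
        print(f"offset {offset:#x}: {old:02X} -> {new:02X}")
```

If the shipped build is code-signed, any such edit also invalidates its signature, so signature verification catches the same change without a reference copy.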