
QSetup Composer 7 Hacking Tutorial

Hacking Tutorial QSetup Composer 7 (by rel4nium)

Instruments:
  PEiD
  Upx_mod
  KWdsm
  OllyDbg
  Hiew
  TPE

First we determine what the target is packed with by running PEiD on it:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
So we need a UPX unpacker. Stock UPX is finicky with this file, so we use Upx_mod; unpacking is a single command:
unp1_24.exe -d QSetup.exe
The program is now unpacked, and everything that follows is done on the unpacked executable (about 1.69 MB). Next we look at what kinds of protection the program uses:


The program has three protection points, so we look for the corresponding strings in the disassembler (KWdsm). What we are looking for:
1) Illegal Registration Code!
2) Unregistered Copy (DEMO)
3) QSetup Composer (DEMO)
Once a string is found, we note the jumps next to its reference (I always look at the conditional and unconditional jumps near the string: je, jne, jmp). The results:
Illegal Registration Code! - jne 0051D4FB
Unregistered Copy - jmp 0051D369
QSetup Composer - jne 0051DBA8
To repeat: these are reference points for the crack. If we cannot locate the check through an API breakpoint, we fall back on the addresses found with the disassembler. Just for fun, let us first try the API route in the debugger:
bpx MessageBoxA
The breakpoint never fires, so the string search in the disassembler was not wasted. The reason is visible in the listing below: the dialogs are not produced by the Win32 MessageBoxA but by the program's own (Delphi VCL) message routine, called at 0051D4CE with a custom button-caption string "|&OK|&Cancel|...", which an API breakpoint never sees. String number one:
0051D4DF |.  75 1A         JNZ SHORT QSetup.0051D4FB
This jump is not the one we want: its target, 0051D4FB, only leads to the message
0051D510 |.  BA 70D65100   MOV EDX, QSetup.0051D670          ; ASCII "You must have ADMINISTRATOR rights to Register!"
so we examine the code above it:
 0051D47A |.  84DB          TEST BL, BL
 0051D47C |.  74 57         JE SHORT QSetup.0051D4D5
 0051D47E |.  E8 25B2FBFF   CALL QSetup.004D86A8
 0051D483 |.  84C0          TEST AL, AL
 0051D485 |.  74 0D         JE SHORT QSetup.0051D494
 0051D487 |.  8D45 FC       LEA EAX, DWORD PTR SS:[EBP-4]
 0051D48A |.  BA 80D55100   MOV EDX, QSetup.0051D580          ; ASCII "QSetup PRO Registered OK!"
 0051D48F |.  E8 0077EEFF   CALL QSetup.00404B94
 0051D494 |>  E8 A7B1FBFF   CALL QSetup.004D8640
 0051D499 |.  84C0          TEST AL, AL
 0051D49B |.  74 0D         JE SHORT QSetup.0051D4AA
 0051D49D |.  8D45 FC       LEA EAX, DWORD PTR SS:[EBP-4]
 0051D4A0 |.  BA A4D55100   MOV EDX, QSetup.0051D5A4          ; ASCII "QSetup LITE Registered OK!"
 0051D4A5 |.  E8 EA76EEFF   CALL QSetup.00404B94
 0051D4AA |>  68 C8D55100   PUSH QSetup.0051D5C8              ; ASCII "|&OK|&Cancel|&Yes|&No|&Abort|&Retry|&Ignore|"
 0051D4AF |.  6A 00         PUSH 0
 0051D4B1 |.  8D45 F8       LEA EAX, DWORD PTR SS:[EBP-8]
 0051D4B4 |.  8B4D FC       MOV ECX, DWORD PTR SS:[EBP-4]
 0051D4B7 |.  BA 00D65100   MOV EDX, QSetup.0051D600          ; ASCII " Congratulations" (string continues with line breaks)
 0051D4BC |.  E8 4779EEFF   CALL QSetup.00404E08
 0051D4C1 |.  8B55 F8       MOV EDX, DWORD PTR SS:[EBP-8]
 0051D4C4 |.  B9 28D65100   MOV ECX, QSetup.0051D628          ; ASCII "Attention"
 0051D4C9 |.  B8 01000000   MOV EAX, 1
 0051D4CE |.  E8 39B1F7FF   CALL QSetup.0049860C
 0051D4D3 |.  EB 61         JMP SHORT QSetup.0051D536
 0051D4D5 |>  8B45 FC       MOV EAX, DWORD PTR SS:[EBP-4]
 0051D4D8 |.  E8 2BACFBFF   CALL QSetup.004D8108
 0051D4DD |.  84C0          TEST AL, AL
 0051D4DF |.  75 1A         JNZ SHORT QSetup.0051D4FB
 0051D4E1 |.  68 C8D55100   PUSH QSetup.0051D5C8              ; ASCII "|&OK|&Cancel|&Yes|&No|&Abort|&Retry|&Ignore|"
 0051D4E6 |.  6A 00         PUSH 0
 0051D4E8 |.  B9 3CD65100   MOV ECX, QSetup.0051D63C          ; ASCII "Error"
 0051D4ED |.  BA 4CD65100   MOV EDX, QSetup.0051D64C          ; ASCII "Illegal Registration Code!"

The two lines of interest are:
 0051D47C  74 57  JE SHORT QSetup.0051D4D5
 0051D485  74 0D  JE SHORT QSetup.0051D494
Where do they lead? The first is taken when BL is zero (the entered code was rejected) and lands at:
 0051D4D5 |>  8B45 FC  MOV EAX, DWORD PTR SS:[EBP-4]
which, depending on the result of the call to 004D8108, ends either in the "Illegal Registration Code!" dialog or in the administrator-rights message. The second is taken when 004D86A8 returns zero (no PRO licence) and skips the assignment of "QSetup PRO Registered OK!".
Both jumps must be inverted at once; inverting only the first does not help, because in an unregistered copy 004D86A8 and 004D8640 both return zero, so neither edition string is assigned and the "Congratulations" dialog carries an empty name. Inverting a short conditional jump means changing its opcode byte: 74 (JE) becomes 75 (JNE), while the displacement byte that follows stays, so the target address is unchanged:
 0051D47C  75 57  JNE SHORT QSetup.0051D4D5
 0051D485  75 0D  JNE SHORT QSetup.0051D494
With these two branches inverted, the registration dialog reports:
QSetup PRO Registered OK!
But it is too early to celebrate: the other two checks are untouched, so even though the program shows a cheerful "registered" dialog it is not registered at all; the other two labels still say DEMO.
On to those. Taking the jmp 0051D369 found earlier, we go straight to the code preceding that address:
 0051D2F3 |.  84C0          TEST AL, AL
 0051D2F5 |.  74 4F         JE SHORT QSetup.0051D346
 0051D2F7 |.  E8 ACB3FBFF   CALL QSetup.004D86A8
 0051D2FC |.  84C0          TEST AL, AL
 0051D2FE |.  74 0D         JE SHORT QSetup.0051D30D
 0051D300 |.  8D45 FC       LEA EAX, DWORD PTR SS:[EBP-4]
 0051D303 |.  BA 94D35100   MOV EDX, QSetup.0051D394          ; ASCII "Registered Copy (PRO)"
 0051D308 |.  E8 8778EEFF   CALL QSetup.00404B94
 0051D30D |>  E8 2EB3FBFF   CALL QSetup.004D8640
 0051D312 |.  84C0          TEST AL, AL
 0051D314 |.  74 0D         JE SHORT QSetup.0051D323
 0051D316 |.  8D45 FC       LEA EAX, DWORD PTR SS:[EBP-4]
 0051D319 |.  BA B4D35100   MOV EDX, QSetup.0051D3B4          ; ASCII "Registered Copy (LITE)"
 0051D31E |.  E8 7178EEFF   CALL QSetup.00404B94
 0051D323 |>  8B55 FC       MOV EDX, DWORD PTR SS:[EBP-4]
 0051D326 |.  8B83 DC060000 MOV EAX, DWORD PTR DS:[EBX+6DC]
 0051D32C |.  E8 6379F5FF   CALL QSetup.00474C94
 0051D331 |.  8B83 DC060000 MOV EAX, DWORD PTR DS:[EBX+6DC]
 0051D337 |.  8B40 68       MOV EAX, DWORD PTR DS:[EAX+68]
 0051D33A |.  BA 180000FF   MOV EDX, FF000018
 0051D33F |.  E8 989CF0FF   CALL QSetup.00426FDC
 0051D344 |.  EB 23         JMP SHORT QSetup.0051D369
 0051D346 |>  BA D4D35100   MOV EDX, QSetup.0051D3D4          ; ASCII "Unregistered Copy (DEMO)"
The same protection pattern, only simpler. The JE at 0051D2F5 is taken when the registration code was not accepted and drops into the branch at 0051D346 that writes "Unregistered Copy (DEMO)" into the status line; on the accepted path, 004D86A8 and 004D8640 choose between "Registered Copy (PRO)" and "Registered Copy (LITE)", and the JMP at 0051D344 skips the DEMO branch. Note that these are the same two callees, 004D86A8 and 004D8640, as in the registration dialog. So we invert both jumps (opcode 74 -> 75):
 0051D2F5  75 4F  JNZ SHORT QSetup.0051D346
 0051D2FE  75 0D  JNZ SHORT QSetup.0051D30D
Two of the three checks are now defeated; one remains. We go to the jump found in the disassembler, jne 0051DBA8, and look at the surrounding code as a whole; it is what sets the caption of the program window:
 0051DBCB |.  8D45 FC LEA EAX, DWORD PTR SS: [EBP-4]
 0051DBCE |.  BA C4DC5100 MOV EDX, QSetup.0051DCC4;  ASCII "QSetup Composer"
 0051DBD3 |.  E8 3072EEFF CALL QSetup.00404E08
 0051DBD8 |.  8B55 FC MOV EDX, DWORD PTR SS: [EBP-4]
 0051DBDB |.  A1 40E25400 MOV EAX, DWORD PTR DS: [54E240]
 0051DBE0 |.  8B00 MOV EAX, DWORD PTR DS: [EAX]
The loop immediately before it is irrelevant to the check: "PUSH 0 / PUSH 0 / DEC ECX / JNZ" is the Delphi compiler's prologue that zero-fills the stack frame for the routine's managed local variables:
 0051DBA8 |> 6A 00 / PUSH 0
 0051DBAA |.  6A 00 | PUSH 0
 0051DBAC |.  49 | DEC ECX
 0051DBAD |. ^ 75 F9 \ JNZ SHORT QSetup.0051DBA8
So the DEMO/PRO/LITE suffix must come from a call we have not examined yet. Back in the disassembler, searching for "QSetup Composer" once more, the call just above the string reference stands out:
0051DBC3 |.  E8 48ABFBFF   CALL QSetup.004D8710
We follow this call (the Call button on the toolbar; in OllyDbg, Enter on the line does the same).
It leads here:
 004D8710 /$  53            PUSH EBX
 004D8711 |.  8BD8          MOV EBX, EAX
 004D8713 |.  8BC3          MOV EAX, EBX
 004D8715 |.  BA 54874D00   MOV EDX, QSetup.004D8754          ; ASCII "DEMO"
 004D871A |.  E8 31C4F2FF   CALL QSetup.00404B50
 004D871F |.  E8 84FFFFFF   CALL QSetup.004D86A8
 004D8724 |.  84C0          TEST AL, AL
 004D8726 |.  74 0C         JE SHORT QSetup.004D8734
 004D8728 |.  8BC3          MOV EAX, EBX
 004D872A |.  BA 64874D00   MOV EDX, QSetup.004D8764          ; ASCII "PRO"
 004D872F |.  E8 1CC4F2FF   CALL QSetup.00404B50
 004D8734 |>  E8 07FFFFFF   CALL QSetup.004D8640
 004D8739 |.  84C0          TEST AL, AL
 004D873B |.  74 0C         JE SHORT QSetup.004D8749
 004D873D |.  8BC3          MOV EAX, EBX
 004D873F |.  BA 70874D00   MOV EDX, QSetup.004D8770          ; ASCII "LITE"
 004D8744 |.  E8 07C4F2FF   CALL QSetup.00404B50
 004D8749 |>  5B            POP EBX
 004D874A \.  C3            RETN
Again the familiar construction. 004D8710 first assigns "DEMO" to the string passed in EAX (00404B50 is presumably the Delphi runtime's string-assignment helper), then replaces it with "PRO" if 004D86A8 returns non-zero and with "LITE" if 004D8640 returns non-zero; the caller appends this to "QSetup Composer" for the window caption. Changing the JE at 004D8726 (74 0C, target 004D8734) to JNE (75 0C) makes the caption read PRO. That is the whole protection; simple. What remains is to apply the changes to the file, for which Hiew will do. The instructions to patch are at the addresses:
0051D47C, 0051D485, 0051D2F5, 0051D2FE, 004D8726: at each one the opcode byte 74 (JE) becomes 75 (JNE), and the program will always consider itself registered.
Two practical notes. First, these are virtual addresses as shown by the debugger, not file offsets: in Hiew go to them as virtual addresses (Hiew's Goto dialog accepts an address prefixed with a dot for that), or simply make the changes in OllyDbg and write them out with "Copy to executable" / "Save file". Second, all three sites call the same two functions, 004D86A8 (PRO licence?) and 004D8640 (LITE licence?), so those are the program's real licence-state checks; this tutorial patches their callers, which means any other place in the program that consults them would still see an unregistered copy. Inspecting and patching those two functions instead would cover every caller, but that is not done here. After patching, run the program and verify all three spots: the registration dialog, the status line and the window caption.
Once the executable is patched, a patch program can be generated from the original and the modified file with TPE (covered in earlier articles, so not repeated here).
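As an added worked example (not code from the tutorial or from QSetup's authors), the script below applies the five JE -> JNE byte changes listed above to the unpacked executable, doing the address translation that Hiew otherwise requires by hand: it walks the PE section table to turn each virtual address into a file offset, refuses to touch a byte that is not the expected 0x74, and reports the resulting byte differences, which is the information a patch generator such as TPE packages. It assumes an image base of 0x00400000 (the usual Delphi default; confirm it in the debugger) and a PE32 input; the function build_sample_pe constructs a minimal stand-in executable so the script can be exercised offline without the real file.

```python
"""Apply the tutorial's JE -> JNE patches to the unpacked QSetup.exe.
Added example; assumes a PE32 input with image base 0x00400000 and the
0x74 (JE short) opcode at every patch address listed in the tutorial."""
import struct
import sys

JE_SHORT, JNE_SHORT = 0x74, 0x75

# Virtual addresses of the five JE instructions the tutorial patches.
PATCH_VAS = [0x0051D47C, 0x0051D485, 0x0051D2F5, 0x0051D2FE, 0x004D8726]


def parse_pe32(pe):
    """Return (image_base, sections); each section is (name, va, vsize, raw_ptr, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Map a virtual address (what OllyDbg shows) to a file offset (what Hiew edits)."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} lies in the uninitialised tail of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def patch_je_to_jne(pe, vas=PATCH_VAS):
    """Copy of `pe` with each JE short (74 xx) turned into JNE short (75 xx).
    Only the opcode byte changes; the displacement, and so the target, stays."""
    offsets = [va_to_file_offset(pe, va) for va in vas]
    for va, off in zip(vas, offsets):
        if pe[off] != JE_SHORT:
            raise ValueError(f"{va:#010x} (file offset {off:#x}) holds {pe[off]:#04x}, "
                             "expected JE 0x74: wrong file, wrong build or wrong image base")
    buf = bytearray(pe)
    for off in offsets:
        buf[off] = JNE_SHORT
    return bytes(buf)


def diff_bytes(original, patched):
    """(offset, old, new) for every changed byte: what a patch generator like TPE needs."""
    if len(original) != len(patched):
        raise ValueError("patched file has a different size")
    return [(i, o, n) for i, (o, n) in enumerate(zip(original, patched)) if o != n]


def build_sample_pe(image_base=0x00400000):
    """Constructed stand-in for the unpacked executable (not the real file): a minimal
    PE32 with one CODE section covering the tutorial's addresses, JE opcodes at each."""
    sec_va, raw_ptr = 0x1000, 0x400
    size = 0x0051E000 - image_base - sec_va
    body = bytearray(b"\x90" * size)
    for va, disp in [(0x0051D47C, 0x57), (0x0051D485, 0x0D), (0x0051D2F5, 0x4F),
                     (0x0051D2FE, 0x0D), (0x004D8726, 0x0C)]:
        off = va - image_base - sec_va
        body[off:off + 2] = bytes([JE_SHORT, disp])
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = b"CODE".ljust(8, b"\0") + struct.pack("<IIII", size, sec_va, size, raw_ptr)
    return (dos + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + bytes(body)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} QSetup_unpacked.exe QSetup_patched.exe")
        return 2
    with open(argv[1], "rb") as f:
        original = f.read()
    patched = patch_je_to_jne(original)
    for off, old, new in diff_bytes(original, patched):
        print(f"file offset {off:#08x}: {old:#04x} -> {new:#04x}")
    with open(argv[2], "wb") as f:
        f.write(patched)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "python patch_qsetup.py QSetup.exe QSetup.patched.exe" on the unpacked file; it prints each changed file offset with the old and new byte. The 0x74 check is the important safety net: a different build of the program, or a still-packed file, will have other bytes at those addresses, and the script then stops rather than corrupting an unrelated instruction.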