Help with Self-modifying code unpacker

Hello everyone,

Please, I need help with Delphi self-modifying code.
The serial registration part is listed below:

;-----------------------------------------------------------------------
; Tfmain.RzBitBtn3Click -- button handler for the registration form
; (decompiler listing, 32-bit x86, Intel operand order; labels and
; trailing "; ..." annotations come from the decompiler).
;
; In:    eax = form instance, saved at [ebp-4]; fields used below:
;          +388 cx29100:TRzEdit, +38C kp39299:TRzEdit,
;          +32C IdHTTP1:TIdHTTP, +3A8 ZSQL:TMyQuery
; Flow:  1. read both edit controls; show a message if both are empty
;        2. connectivity probe through IdHTTP1 (host 'google.com')
;        3. run a parameterised SELECT through ZSQL and copy five
;           fields of the result into globals 651620..651630
;        4. compare the edit controls with those globals locally and
;           show a success or failure dialog
;        5. finally-block: release the string/variant locals
; Locals: 0x5C bytes below ebp, zero-filled by the push loop.
;
; NOTE(review): the licence decision is taken entirely on the client.
; The query returns the stored record (including its 'serial' field)
; to the application and the verdict is computed here. A server-side
; check that returns only a verdict would keep that record off the
; client. TMyQuery suggests a direct database connection from the
; client -- confirm; connection settings are not visible in this listing.
;-----------------------------------------------------------------------
umain::Tfmain.RzBitBtn3Click
00641AF4 push ebp
00641AF5 mov ebp,esp
; Reserve and zero the locals: 0x0B iterations x 2 dwords, plus the
; final push of ecx (0 after the loop) = 0x5C bytes.
00641AF7 mov ecx,0B
00641AFC push 0
00641AFE push 0
00641B00 dec ecx
<00641B01 jne 00641AFC
00641B03 push ecx
00641B04 push ebx
00641B05 push esi
00641B06 push edi
00641B07 mov dword ptr [ebp-4],eax
; Outermost exception frame (fs:[0] chain); handler 641EBB is the
; finally thunk near the end of the function.
00641B0A xor eax,eax
00641B0C push ebp
00641B0D push 641EBB
00641B12 push dword ptr fs:[eax]
00641B15 mov dword ptr fs:[eax],esp
; --- Step 1: input presence check ------------------------------------
; The "empty" message is shown only when BOTH edits are empty; if just
; one of them is empty, execution still continues to the query.
00641B18 lea edx,[ebp-8]
00641B1B mov eax,dword ptr [ebp-4]
00641B1E mov eax,dword ptr [eax+388]; Tfmain.cx29100:TRzEdit
00641B24 call TRzEdit.GetText
00641B29 cmp dword ptr [ebp-8],0

00641B2D jne 00641B6B
00641B2F lea edx,[ebp-0C]
00641B32 mov eax,dword ptr [ebp-4]
00641B35 mov eax,dword ptr [eax+38C]; Tfmain.kp39299:TRzEdit
00641B3B call TRzEdit.GetText
00641B40 cmp dword ptr [ebp-0C],0
00641B44 jne 00641B6B
; The literal is hex-encoded ASCII: "empty email and serial registered".
; 0063F858 presumably decodes it into [ebp-10] -- confirm.
00641B46 push 0
00641B48 lea edx,[ebp-10]
00641B4B mov eax,641ED4; ‘656D70747920656D61696C20616E642073657269616C2072656769737465726564’
00641B50 call 0063F858
00641B55 mov eax,dword ptr [ebp-10]
00641B58 mov cx,word ptr ds:[641F18]; 0x4
00641B5F mov dl,2
00641B61 call MessageDlg
00641B66 jmp 00641E56
; --- Step 2: connectivity probe --------------------------------------
; Sets the HTTP component's host to 'google.com', then disconnects,
; connects and tests Connected. This only probes connectivity; it is
; not the licence lookup.
00641B6B mov eax,dword ptr [ebp-4]
00641B6E mov eax,dword ptr [eax+32C]; Tfmain.IdHTTP1:TIdHTTP
00641B74 mov edx,641F24; ‘google.com
00641B79 mov ecx,dword ptr [eax]
00641B7B call dword ptr [ecx+88]; TIdCustomHTTP.SetHost
00641B81 mov eax,dword ptr [ebp-4]
00641B84 mov ebx,dword ptr [eax+32C]; Tfmain.IdHTTP1:TIdHTTP
00641B8A cmp dword ptr [ebx+0C8],0; TIdHTTP.Host:String
00641B91 je 00641E56
; Second exception frame; handler 641E2C shows the "not connected"
; message further down.
00641B97 xor eax,eax
00641B99 push ebp
00641B9A push 641E2C
00641B9F push dword ptr fs:[eax]
00641BA2 mov dword ptr fs:[eax],esp
00641BA5 mov eax,ebx
00641BA7 mov edx,dword ptr [eax]
00641BA9 call dword ptr [edx+58]; TIdTCPConnection.Disconnect
00641BAC mov eax,dword ptr [ebp-4]
00641BAF mov eax,dword ptr [eax+32C]; Tfmain.IdHTTP1:TIdHTTP
; edx = -1 is passed to Connect (presumably the timeout argument -- confirm).
00641BB5 or edx,0FFFFFFFF
00641BB8 mov ecx,dword ptr [eax]
00641BBA call dword ptr [ecx+94]; TIdTCPClient.Connect
00641BC0 mov eax,dword ptr [ebp-4]
00641BC3 mov eax,dword ptr [eax+32C]; Tfmain.IdHTTP1:TIdHTTP
00641BC9 mov edx,dword ptr [eax]
00641BCB call dword ptr [edx+54]; TIdTCPConnection.Connected
00641BCE test al,al
00641BD0 je 00641E22
; --- Step 3: licence lookup ------------------------------------------
; Third exception frame; handler 641D2D swallows any exception raised
; while the query runs (see the note at 641D2D).
00641BD6 xor eax,eax
00641BD8 push ebp
00641BD9 push 641D2D
00641BDE push dword ptr fs:[eax]
00641BE1 mov dword ptr fs:[eax],esp
00641BE4 mov eax,dword ptr [ebp-4]
00641BE7 mov ebx,dword ptr [eax+3A8]; Tfmain.ZSQL:TMyQuery
00641BED mov eax,ebx
00641BEF call TDataSet.Close
00641BF4 mov eax,ebx
00641BF6 call TMyQuery.GetSQL
00641BFB mov edx,dword ptr [eax]
00641BFD call dword ptr [edx+44]; TStringList.Clear
00641C00 mov eax,ebx
00641C02 call TMyQuery.GetSQL
; The statement uses named parameters (:id_soft, :em_reg) rather than
; string concatenation, so the user-typed e-mail is bound, not spliced
; into the SQL text.
00641C07 mov edx,641F38; ‘SELECT * FROM tb_thedon where id_software=:id_soft and email_reg=:em_reg’
00641C0C mov ecx,dword ptr [eax]
00641C0E call dword ptr [ecx+2C]; TStrings.SetTextStr
; Bind :id_soft to the constant 'donpm12'. 005E2CF8 takes the dataset
; and a parameter name and returns an object whose virtual method at
; +98 receives the Variant (presumably a ParamByName/SetValue pair --
; confirm).
00641C11 mov edx,641F8C; ‘id_soft’
00641C16 mov eax,ebx
00641C18 call 005E2CF8
00641C1D push eax
00641C1E lea eax,[ebp-20]
00641C21 mov edx,641F9C; ‘donpm12’
00641C26 call @VarFromLStr
00641C2B lea edx,[ebp-20]
00641C2E pop eax
00641C2F mov ecx,dword ptr [eax]
00641C31 call dword ptr [ecx+98]
; Bind :em_reg to the text of the cx29100 edit control.
00641C37 lea edx,[ebp-34]
00641C3A mov eax,dword ptr [ebp-4]
00641C3D mov eax,dword ptr [eax+388]; Tfmain.cx29100:TRzEdit
00641C43 call TRzEdit.GetText
00641C48 mov edx,dword ptr [ebp-34]
00641C4B lea eax,[ebp-30]
00641C4E call @VarFromLStr
00641C53 lea eax,[ebp-30]
00641C56 push eax
00641C57 mov edx,641FAC; ‘em_reg’
00641C5C mov eax,ebx
00641C5E call 005E2CF8
00641C63 pop edx
00641C64 mov ecx,dword ptr [eax]
00641C66 call dword ptr [ecx+98]
00641C6C mov eax,ebx
00641C6E call TDataSet.Open
; Copy result fields into globals:
;   email_reg  -> 651620
;   serial     -> 651624 (after passing through 0063F470)
;   status     -> 651628
;   status_msg -> 65162C
;   message    -> 651630
00641C73 mov edx,641FBC; ‘email_reg’
00641C78 mov eax,ebx
00641C7A call TDataSet.FieldByName
00641C7F lea edx,[ebp-38]
00641C82 mov ecx,dword ptr [eax]
00641C84 call dword ptr [ecx+60]; TField.GetAsString
00641C87 mov edx,dword ptr [ebp-38]
00641C8A mov eax,651620
00641C8F call @LStrAsg
00641C94 mov edx,641FD0; ‘serial’
00641C99 mov eax,ebx
00641C9B call TDataSet.FieldByName
00641CA0 lea edx,[ebp-40]
00641CA3 mov ecx,dword ptr [eax]
00641CA5 call dword ptr [ecx+60]; TField.GetAsString
; 0063F470 transforms the field value into [ebp-3C] before it is
; stored; what the transform does is not visible in this listing.
00641CA8 mov eax,dword ptr [ebp-40]
00641CAB lea edx,[ebp-3C]
00641CAE call 0063F470
00641CB3 mov edx,dword ptr [ebp-3C]
00641CB6 mov eax,651624
00641CBB call @LStrAsg
00641CC0 mov edx,641FE0; ‘status’
00641CC5 mov eax,ebx
00641CC7 call TDataSet.FieldByName
00641CCC lea edx,[ebp-44]
00641CCF mov ecx,dword ptr [eax]
00641CD1 call dword ptr [ecx+60]; TField.GetAsString
00641CD4 mov edx,dword ptr [ebp-44]
00641CD7 mov eax,651628
00641CDC call @LStrAsg
00641CE1 mov edx,641FF0; ‘status_msg’
00641CE6 mov eax,ebx
00641CE8 call TDataSet.FieldByName
00641CED lea edx,[ebp-48]
00641CF0 mov ecx,dword ptr [eax]
00641CF2 call dword ptr [ecx+60]; TField.GetAsString
00641CF5 mov edx,dword ptr [ebp-48]
00641CF8 mov eax,65162C
00641CFD call @LStrAsg
00641D02 mov edx,642004; ‘message’
00641D07 mov eax,ebx
00641D09 call TDataSet.FieldByName
00641D0E lea edx,[ebp-4C]
00641D11 mov ecx,dword ptr [eax]
00641D13 call dword ptr [ecx+60]; TField.GetAsString
00641D16 mov edx,dword ptr [ebp-4C]
00641D19 mov eax,651630
00641D1E call @LStrAsg
; Normal exit from the query block: unlink the third exception frame.
00641D23 xor eax,eax
00641D25 pop edx
00641D26 pop ecx
00641D27 pop ecx
00641D28 mov dword ptr fs:[eax],edx
00641D2B jmp 00641D37
; Handler for the query block: HandleAnyException followed directly by
; DoneExcept, i.e. an empty catch-all. A failed query is neither
; reported nor distinguished from "no matching row"; the code below
; then runs on whatever the globals hold at that point.
<00641D2D jmp @HandleAnyException
00641D32 call @DoneExcept
; --- Step 4a: map status_msg (65162C) to a dialog type in bl ----------
;   'information' -> 2, 'error' -> 1, 'warning' -> 0, anything else -> 1
; (the values line up with Delphi's TMsgDlgType ordering -- confirm).
00641D37 mov eax,[0065162C]; 0x0
00641D3C mov edx,642014; ‘information’
00641D41 call @LStrCmp
00641D46 jne 00641D4C
00641D48 mov bl,2
00641D4A jmp 00641D78
00641D4C mov eax,[0065162C]; 0x0
00641D51 mov edx,642028; ‘error’
00641D56 call @LStrCmp
00641D5B jne 00641D61
00641D5D mov bl,1
00641D5F jmp 00641D78
00641D61 mov eax,[0065162C]; 0x0
00641D66 mov edx,642038; ‘warning’
00641D6B call @LStrCmp
00641D70 jne 00641D76
00641D72 xor ebx,ebx
00641D74 jmp 00641D78
00641D76 mov bl,1
; --- Step 4b: local verdict ------------------------------------------
; Three string comparisons, all of which must match:
;   cx29100 text == 651620 (email_reg from the query)
;   kp39299 text == 651624 (serial from the query, after 0063F470)
;   651628 (status) == '1'
; NOTE(review): this is the client-side decision flagged in the header.
00641D78 lea edx,[ebp-50]
00641D7B mov eax,dword ptr [ebp-4]
00641D7E mov eax,dword ptr [eax+388]; Tfmain.cx29100:TRzEdit
00641D84 call TRzEdit.GetText
00641D89 mov eax,dword ptr [ebp-50]
00641D8C mov edx,dword ptr ds:[651620]; 0x0
00641D92 call @LStrCmp
00641D97 jne 00641E02
00641D99 lea edx,[ebp-54]
00641D9C mov eax,dword ptr [ebp-4]
00641D9F mov eax,dword ptr [eax+38C]; Tfmain.kp39299:TRzEdit
00641DA5 call TRzEdit.GetText
00641DAA mov eax,dword ptr [ebp-54]
00641DAD mov edx,dword ptr ds:[651624]; 0x0
00641DB3 call @LStrCmp
00641DB8 jne 00641E02
00641DBA mov eax,[00651628]; 0x0
00641DBF mov edx,642048; ‘1’
00641DC4 call @LStrCmp
00641DC9 jne 00641E02
; All three matched: show the 'message' text fetched by the query with
; the dialog type chosen above, then clear both edit controls. No
; other state change is visible in this function.
00641DCB push 0
00641DCD mov cx,word ptr ds:[641F18]; 0x4
00641DD4 mov edx,ebx
00641DD6 mov eax,[00651630]; 0x0
00641DDB call MessageDlg
00641DE0 mov eax,dword ptr [ebp-4]
00641DE3 mov eax,dword ptr [eax+388]; Tfmain.cx29100:TRzEdit
00641DE9 xor edx,edx
00641DEB call TRzEdit.SetText
00641DF0 mov eax,dword ptr [ebp-4]
00641DF3 mov eax,dword ptr [eax+38C]; Tfmain.kp39299:TRzEdit
00641DF9 xor edx,edx
00641DFB call TRzEdit.SetText
00641E00 jmp 00641E22
; Mismatch path. The literal is hex-encoded ASCII:
; "invalid email registered and serial license".
00641E02 push 0
00641E04 lea edx,[ebp-58]
00641E07 mov eax,642054; ‘696E76616C696420656D61696C207265676973746572656420616E642073657269616C206C6963656E7365’
00641E0C call 0063F858
00641E11 mov eax,dword ptr [ebp-58]
00641E14 mov cx,word ptr ds:[641F18]; 0x4
00641E1B mov dl,1
00641E1D call MessageDlg
; Normal exit from the connection block: unlink the second frame.
00641E22 xor eax,eax
00641E24 pop edx
00641E25 pop ecx
00641E26 pop ecx
00641E27 mov dword ptr fs:[eax],edx
00641E2A jmp 00641E56
; Handler for the connection block. The literal is hex-encoded ASCII:
; "not connected to register server. Please re-Check Your Internet
; Connection".
<00641E2C jmp @HandleAnyException
00641E31 push 0
00641E33 lea edx,[ebp-5C]
00641E36 mov eax,6420B4; ‘6E6F7420636F6E6E656374656420746F207265676973746572207365727665722E20506C656173652072652D436865636B20596F757220496E7465726E657420436F6E6E656374696F6E’
00641E3B call 0063F858
00641E40 mov eax,dword ptr [ebp-5C]
00641E43 mov cx,word ptr ds:[641F18]; 0x4
00641E4A mov dl,1
00641E4C call MessageDlg
00641E51 call @DoneExcept
; --- Step 5: finally block -------------------------------------------
; Unlink the outermost frame, push 641EC2 as the continuation address,
; then release every managed local: the strings at [ebp-5C]..[ebp-34],
; [ebp-10] and [ebp-0C]..[ebp-8], and the two Variants at [ebp-30].
00641E56 xor eax,eax
00641E58 pop edx
00641E59 pop ecx
00641E5A pop ecx
00641E5B mov dword ptr fs:[eax],edx
00641E5E push 641EC2
00641E63 lea eax,[ebp-5C]
00641E66 mov edx,2
00641E6B call @LStrArrayClr
00641E70 lea eax,[ebp-54]
00641E73 mov edx,2
00641E78 call @LStrArrayClr
00641E7D lea eax,[ebp-4C]
00641E80 mov edx,6
00641E85 call @LStrArrayClr
00641E8A lea eax,[ebp-34]
00641E8D call @LStrClr
00641E92 lea eax,[ebp-30]
00641E95 mov edx,dword ptr ds:[401144]; Variant
00641E9B mov ecx,2
00641EA0 call @FinalizeArray
00641EA5 lea eax,[ebp-10]
00641EA8 call @LStrClr
00641EAD lea eax,[ebp-0C]
00641EB0 mov edx,2
00641EB5 call @LStrArrayClr
; This ret consumes the 641EC2 pushed above and continues at the
; epilogue; it does not return to the caller.
00641EBA ret
; Exceptional entry into the finally block (target of the outermost frame).
<00641EBB jmp @HandleFinally
<00641EC0 jmp 00641E63
; Epilogue: restore the saved registers and the caller's frame.
00641EC2 pop edi
00641EC3 pop esi
00641EC4 pop ebx
00641EC5 mov esp,ebp
00641EC7 pop ebp
00641EC8 ret

Protection: Yoda Crypter

I’d help you but I don’t understand anything.

  1. Are you stuck? What is causing you to be stuck?
  2. What are you trying to unpack?
  3. Do you have experience with crypters?