
Thread: Again interesting target: 2findmp3....wrapped with a Asprotect-alike

  1. #1
    BlackB
    Guest

    Again interesting target: 2findmp3....wrapped with a Asprotect-alike

    Well, here we are again....with a new interesting target. Well, actually, I don't know if this protection's already defeated, but I never heard of it.
    It's protected with SoftWrap (http://www.softwrap.com). Site already gives good info on the protection

    Summary: SoftWrap's a commercial wrapper that wraps and encrypts the original program. You have two options: 1. buy online, 2. buy by telephone. The first one connects to the net, you have to enter a credit card number, this number gets verified online, and if everything's okay, the program gets unlocked.
    In the second one you have to enter a regcode (41 chars long). I tried to fish for a valid serial, but haven't succeeded yet. I could, however, make the program believe it was a right one, and was able to run the program. Of course, after exiting and re-running, I got the buy-me dialog box again :-)

    The "buy online" option may be better to attack...would be a matter of bypassing the server verification of the credit card number....then probably a valid license is downloaded automatically (but hey, I didn't try this yet)

    I also tried to crack the code itself, here are some things I found out:

    1. anti-sice, anti-regmon, anti-filemon
    ------------------------------------

    anti-sice is easy to bypass with frogsice (uses old createfilea method)
    anti-regmon and anti-filemon are probably executed while installing the shareware product, because you can't run filemon and regmon afterwards. If you move your filemon/regmon files to another place and execute them, it works.
    However, I noticed in the disassembly (IDA) that there are string references "SoftWrap cannot load while Filemon/Regmon running", but in practice they never show up.

    2. Anti-cracking
    ---------------

    Most of your cracking attempts will get logged (no idea where yet), and after 2 attempts, you get "Locked out of using the program". I have no idea where this is stored: I uninstalled the program, deleted all registry keys that remained and license files on the hard drive, but it didn't work.
    Anyway, I was able to nop-out this check and succeeded to make the "buy it" option available again. This "nopping-out" is kinda tricky, as this jump-to-badboy isn't there yet if you look at it with a hex editor. So you have to take the previous instruction and change it in a cmp al, al .... so the next instruction (it's a JZ) will always jump

    3. license
    ---------

    there are 3 licenses: one in the registry, one in the install directory and one in a subdir in c:\program files\SoftWrapLicense. they are .sw files.

    4. last remark
    -------------

    when run, a file 2findmp3.locked.exe is created. This probably contains the unwrapped program, but entry point or IAT may be encrypted or something like that. didn't check this out either :-P

    Well, that's all for now. Feel free to contribute on this one. I 'm sure I can manage alone, but it goes a lot faster if other people help too :-)
    Last but not least: direct download link: http://www.npssoftware.com/2findmp3/retail/2findmp3v50Retailsetup.exe

    enjoy
    greets

    The Blackbird
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kilby!
    Guest
    The ???????locked.exe file is explained in the softwrap FAQ.

    The .exe you run is a loader, so it's not really a wrapper as softwrap seem to claim.

    Therefore it's looking like safedisc, therefore it may be a good idea to look at the writeprocessmem.

    If I get my copylok business finished at the weekend I may have a look at softwrap.

    Regards,

    Kilby...

  3. #3
    BlackB
    Guest
    New info:

    The main .exe indeed is a loader, with quite some techniques to prevent cracking.....i'm still busy with finding some things out.

    I wrapped notepad.exe with the wrapper (you can d/l it on the mainpage of softwrap) and just dumping the notepad.locked.exe while it is executed was enough to "crack" it. so i suppose that maybe with some slight changes, 2findmp3.locked.exe is also possible to crack that way. very very easy if that works.
    the only problem i have now is that i can't get the loader to run the .locked.exe file no more coz i played too much with it with my hexeditor (it remembers crack attacks). i succeeded to disable that check, but there must be a silent second check which i can't find for now.......continuing searching

    greets

    BlackB

  4. #4
    BlackB
    Guest
    A mail I wrote to analyst concerning new things I found out:

    hi,

    i managed to crack the loader so it always loads the program. actually
    it wasn't that hard. the only thing important is to make sure the
    "did-you-crack-me?" and "how-many-tries-left?" - memory locations are
    set to the correct value, and not only reversing the jumps.

    well anyway, there are a lot a lot of checks

    good point about his loader is that the maincode is exactly the same
    with ANY program, and also its locations. that means that one crack is
    enough to crack ANY program, hehe.

    next step now is to remove the nag from the loader and i'm done.
    well, not done completely because I want to work on several other
    things too:

    -unwrapping the main program
    -finding out how in-the-name-of-satan/god softwrap stores how many
    times you used it, or where it remembers you cracked it
    -finding out how it encrypts/decrypts

    and some other minor things

    well, greets and cya

    BlackB

  5. #5
    DaV
    Guest
    hi,

    I use W32Dasm 8.93 for disassembling the soft and it's OK..and for debugging I have used TRW2000 (Liutaotao)...and I have succeeded in patching the soft ..not completely...I am now trying to eliminate the first window that appears from the SoftWrap loader.

    Try with these two tools...and tell me.

    I tried to patch the 2findmp3.exe.

    DaV.

  6. #6
    SV
    Guest
    Hi reverser

    If you want to have a working exe.
    'bmp resumethread x'
    at break change eip to do only ret
    in the loader now:
    'a eip'
    'jmp eip'
    'x'
    dump locked process and rebuild exe.
    No loader needed

    Regards SV

  7. #7
    BlackB
    Guest
    What exactly do you mean by rebuilding the .exe ? Running the rebuild option in procdump? with what options selected?
    or is it manually rebuilding, and if so......what and how?

    "rebuilding a .exe" is pretty vague you know

    greets

    BlackB

  8. #8
    BlackB
    Guest
    Well...I just managed to make a valid dump myself....without the need of rebuilding the exe

    greets

    B.

  9. #9
    SV
    Guest
    Hi BlackB

    I use my own tool to dump & rebuild.
    I imagine you can use Procdump or other realigners to do it!
    Of course you can manually adjust raw offsets and sizes to correct the section values.

    SV