Thread: Softwrap - new ver. - man. unpacking?

  1. #1
    MeaCulpa
    Guest

    Softwrap - new ver. - man. unpacking?

    Hi All,
    I'm working on Softwrap v.3.5 - 3.6.1 protected targets, and need some pointers please..... (BlackBird; Eisenbeiss

    Target: anything protected with a new softwrap.

    Problem: the newer softwrap has a function to not allow any trial period for evaluation....you have to buy online etc. before the app unlocks...

    Research: There are 2 essays out (both version 1.x related) from Blackbird and Eisenbeiss. In older versions you could deadlist to get string refs and start from there. Alternatively bpx'ing on WriteProcessMemory (etc.) APIs would provide a starting point for dumping.....
    NchantA also wrote an essay, does anyone have this one please?

    (The file format stayed largely the same, with license file .sw; loader exe file of +- 360kb (same for all apps) and the .locked file with RSA512, destroyed import table etc..)

    What if the app does not allow evaluation, there are no string/data references, nothing. It does not start the program so we can't get a starting point for unpacking/dumping....


    (I am thinking along the line of altering the loader exe so that it changes the options with which the app was packed, so that it changes from no eval/trial to allowing a trial.....just an idea)
    Can this still be unpacked manually?
    Any help/suggestions would be welcome please.


    thanks
    MeaCulpa
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    MeaCulpa
    Guest

    more info

    Hi All,
    A possible target (v.3.5.0 of softwrap)
    Target: something this company...
    <deleted> (30 megs i think) just go one dir up from the link and get something like the chemistry module for a smaller (16meg) download. All products from this company are packed with v.3.5

    Alternatively, i've already packed notepad.exe with the packer and can upload that also if needed. I've done different packing options on it - but the version is the newest available ie. v3.6.1.
    Perhaps we can start on the older version....

    ( I have wrapped notepads with all the options, please email or PM me if you would like to get these.......)

    A bit more detailed info below....please pardon the few bits that are repeated from post #1.


    First of all there are about 6 protection options available when wrapping an application with Softwrap.

    Briefly listed the allowable protection options available are:
    a) date restrictions - allowing use of x number of days or up to a certain date
    b) usage restrictions - allowing x number of runs
    c) usage and date restrictions - combinations of above
    d) no restrictions - no restrictions (may use updates etc.)
    e) totally restricted - no trial period allowed

    Unfortunately the option used in the above target (or any other programs from the above company) is protected with the "Totally protected" option, allowing no trial period.


    I was able to verify the following protection features:


    1. The format/files of a packed application is still largely the same and consists of 3 files...
    app.exe - loader for encrypted app.locked. Apparently this is the same loader used for all softwrapped applications. The filesize is always 368kb.

    app.locked - RSA 512 encrypted, import table destroyed version of original app.exe
    (previously in v.1.x called app.locked.exe)

    app.sw - license file. The filesize is always 3.50kb. As far as i can see the contents are 100% different for different wrapping options.


    2. Perhaps the largest difference/update: None of the files are disassembler
    friendly anymore. A messagebox says: "The PE file is not in Standard Windows Format.
    All Data References will be terminated." when disassembling the loader.exe with Wdasm32.
    We therefore can't directly use the CreateProcess and WriteProcessMemory APIs
    from a deadlisting. (Refer to Eisenbeiss' and Blackbird's essays)
    Especially when there is no trial period allowed, in which case there is no "Try me"
    button - so we can't use bpx CreateProcess and hit the button, and unpack from there...


    3. I assume SoftWrap still contains the old CreateFileA API method of checking sice.vxd, ntice.vxd, regmon.vxd and filemon.vxd - which can be easily verified by deadlisting a v.1.x protected application......so we'll just use FrogsIce together with InstallWatch.
    Regmon and filemon keep running during my installation. Perhaps because i've renamed the installation dirs....


    4. When i patch/hexedit the .sw file, the program does not complain....
    When the file is deleted it says: replace the file for the process to continue
    (Blackbird reports getting "Hacking attempt" messages upon tampering with the .sw
    file or the registry license. Further tampering renders the software unusable.)


    5. The following file/folder registry changes are made.
    (Using something like InstallWatch is more convenient in this instance than using
    regmon/filemon)
    C:\Program Files\SoftwrapLicense\ - folder is empty
    C:\Program Files\Global.sw - created after installation
    C:\FONTS\SWFont9.fnt - created after installation
    C:\CONFIG\desktop.idf - created after installation

    HKEY_CLASSES_ROOT\smallfont\shell\open - license added here
    HKEY_LOCAL_MACHINE\SOFTWARE\Softwrap\52C48EF1C3583516A831AE2CA6EA651E7DFE6229 - license added here


    Step 1:
    ---------

    Since there are no string/data references, and the loader.exe is wdasm32 unfriendly, i really don't have a clue.
    Please help.

  3. #3
    Hi,

    I have looked at softwrap... the loader is protected with xlok so you will need to unpack that first... though you can try to crack the loader in memory and then use a process patcher... unpacking xlok is a very good exercise... make a dump and study it... rebuilding the import table is the tricky part...

    Have fun,
    crUsAdEr

  4. #4
    Condemned geezer
    Join Date
    Oct 2001
    Location
    Ankara, Turkey
    Posts
    139

    softer wrap

    See the attachment. All credits go to our musician friend.

    After fixing it accordingly, you'll be left with a few instructions which require a little attention. Use BlackB's tut. It's almost the same for this version, just a few more places to patch

    Good luck

  5. #5
    Hi wbe,

    You mean by inserting these imports, the dump will work??? I am afraid not... also, the key here is manually ...

  6. #6
    Condemned geezer
    Join Date
    Oct 2001
    Location
    Ankara, Turkey
    Posts
    139
    Hi Crus,

    You mean by inserting these imports, the dump will work??? I am afraid not... also, the key here is manually ...
    Of course not. Those were the imports of the working dump built by our musician friend. Just to give one an idea what the final imports should be. In fact, except the Xtreamlock encrypter, there is nothing new in the current version. Once you get the dump working, it serves as a generic loader for each and every softwrapped app. All you need to do is change the name of the .exe.

    I patched the final loader just to remove the limitations and the nag screen. Once the loader is decrypted, you can break on CreateProcessA (provided the trial has not expired) and dump the original exe (.locked) before ResumeThread to completely remove Softwrap without any further work, as pointed out by BlackB in his tut.

    PM me if you'd like to have a look at my "refined" loader. And, again, I didn't dump it. I just polished it. It's evil eval's work. If you need the decrypted generic loader only, a search on "Softwrap" should bring you there

    wbe
    Last edited by wbe; November 26th, 2002 at 20:53.

  7. #7
    Nah, thanx wbe...

    I am not interested in a cracked softwrap or any woftwrapped products... i have done the dumping xlok myself, just wanted to help MeaCulpa to do some unpacking instead of readily using a cracked version... i hope that is not what he is after.. or else he will PM you and this thread will be closed...

    regards,
    crUsAdEr

  8. #8
    Condemned geezer
    Join Date
    Oct 2001
    Location
    Ankara, Turkey
    Posts
    139
    Crus,

    You got me wrong. My intention was not to release a cracked stuff and I have no doubt about your dumping skills either. I've read your previous posts about woftwrap. Just thought you may want to have a readily available dump to ease the process of seeing what's new with the latest one other than the crypter.

    We all copy&paste sometimes, not because we are not able to complete the missing part but just to speed it up. Don't we?

    Regards

  9. #9
    MeaCulpa
    Guest
    Thanks for all the help so far everyone..
    Yes, Crusader, you are correct...i am NOT interested in getting the
    unpacked loader.exe from you (or anyone - no offence). There is nothing to be learned by going that route...and then i would have used #crackz instead of spending my time studying - wouldn't I ?

    What i am however interested in is studying the protection methods, and learning how to do this myself.....

    I will study this further, try and try again, and request the valued and appreciated help from you guys when i'm stuck.

    Again thanks.

    Regards,
    MeaCulpa

    P.S. -> I got NchantA's essay on the old softwrap if anyone is interested.

  10. #10
    To crash or not to crash
    Join Date
    Dec 2001
    Posts
    120
    With ollydbg you don't need to unpack softwrap first. Just put a bp on writeprocessmemory and get the buffer it attempts to write. Most of the time the buffer is 400h bytes long. Olly can copy/paste a memory buffer so if you load a second instance of olly you can paste the correct code into the app. This should fix it....

  11. #11
    budgood
    Guest
    things have changed a little since 2002, now trying to breakpoint & this setup is looping continually back to kernel. it's of course a virtual breakpoint i'm dealing w/. if i continue w/ this, is crash inevitable?

  12. #12
    What if you actually READ THE FAQ and follow its directions and THEN try to ask a proper question.

    Regards,
    JMI

  13. #13
    budgood
    Guest
    sorry for asking what i thought was a legit "Q" ReTards,
