Thread: Unpacking Softwrap with .locked and .sw2

    Unpacking Softwrap with .locked and .sw2

    Hi Guys,

    Yes ive used the search function and as i figured out unpacking this kind of Softwrap Versions seems to be quite easy.

    I also found out that the .locked file is basically the original file missing some Instructions, the .sw2 is the Softwrap License File (How often does app start? etc.) and the Main Exe is the Softwrap Loader packed with Xlok.

    Still i dont really get started with that protector, i think i found the OEP but i cant really put a HW Breakpoint on it, i tried breaking on GetModuleHandleA which breaks twice after clicking "Start Trial", although the .locked file is not yet loaded into memory here.

    Any suggestions for a noob on how to start with that wrapper? I think it shouldnt be too hard if you know how. I just dont really know how to start with it.

    Am i right that Xlok doesnt need to be unpacked because only the loader is protected with it?

    One interesting method for dealing with this protection is to just let it unwrap itself and run as a process, then simply dump the process and rebuild using LordPE. I've used Windbg (.writemem command) or a program called CProcess to do the memory dump. This assumes that you know the OEP so you can change the EP on your newly dumped and fixed file.

    I have a soft called NAMEDELETED, and it is protected with Xtreamlok. It has no option for trial on the nag screen. How could I manage to work with it? Please help. I am a newbie so I do not know sı much.

    You obviously did NOT READ THE FAQ or you would know both about not listing commercial products names and would know that if you want help here you are REQUIRED to start off telling us what YOU have done to try to help yourself, other than just asking for help "cracking" whatever your target program may be. If you actually want to receive some help, you need to actually READ THE FAQ and follow its directions.


    I am sorry JMI.
    I have encountered this software in the newer version (7.x?) using xlok trial. I found it is very similiar to 6.x which have tuts on the inet(3 .swf movies tuts), has it; very useful. However, it has a different iat procedure and steals some values now as well by converting the stolen data into a new jump table. I simply dump the engines memory patched out its antidebug (crc, and real time check for 0xCC if you are tracing). I let it resolve itself. However, I ran into one small problem, if the table is based on memory address of runtime and recalculated everytime the .exe is run. So, a bit harder to just dump that table memory. For now I will rip out the function that creates the table, and let it load first, then execute the app with the added engine stubs. Also I am writing a script as a seperate solution that should* go through all the stolen calls/values and replace them to their original state. The newer version is a little bit stonger then the 6.x since it doesnt resolve the imports to addr value for every iat entry like it did in the past. Now it does 80% the remaining are hardcoded as a table which hav eto be manually extracted. Ill post my results/solution next week when i get time.

