SoftWrapper - Cracking Windows Calculator?
(how to reverse engineer a simple "anti-Winice" protection scheme)
by +Sync, 14 August 1997
Courtesy of Fravia's page
of reverse engineering
Well, this is indeed another confirmation
of the old saying: "who will protect the shareware programmers from their
commercial protectors?" Only correct answer: the sublime
cracker's community (of course :-)
I came across a very interesting target recently, and I thought that
this info might interest some of the other +HCU students. While the cracking
techniques I used in this crack are not special in any way, I think that the
company's attempt to assure its clients that their software is secure, when
in reality it is extremely vulnerable to a few simple tricks, deserves an essay.
The program is called SoftWrapper and it is made by Seven Locks Software.
This is another one of those "registration systems" which the company believes to be
the panacea for the world's problems.
What I found very interesting about this program is that, unlike most I have
seen, the protective encryption is applied after your program is compiled.
It adds an envelope to an already existing Windows executable (Greythorne,
I thought of you and your Windows Symbiote), and it actually does it quite
cleanly. So, I read the manual, as usual, and came across some surprising
stuff. Read my excerpts below:
--------------------------From SoftWrapper Manual-----------------------
-Encrypts your file to protect against modification.
-Uses an advanced polymorphic engine to create completely different decryptors
for each installation. This prevents any "hack one, hack them all" approach
to removing WRAP-EXE/WRAP-COM from protected files.
-Uses dual encryption loops laced with advanced anti-debugging code which
deters all debugging attempts.
-Contains code to specifically target Soft-ICE, a protected mode 32-bit
debugger which bypasses many other wrappers' anti-debugging code with ease.
-There are no tools on the market that will take a wrapped program apart - not
DEBUG, not Sourcer, not Soft-Ice.
Well, this one certainly sounds like a challenge. It apparently cannot
be traced with our beloved Soft-Ice, disassembled with *anything*, or patched
in any way because it *detects* alterations to itself. When I read this I first
thought that maybe it was uncrackable. But did not +Orc say that nothing was
uncrackable? So I thought, maybe I can get a valid registration number, and
then no patch would be necessary. The best thing for this (in my opinion) is
a live approach using Soft-Ice. So where to start? First, go to your WINDOWS
directory and copy CALC.EXE, the Windows calculator, to your SoftWrapper
directory. Now, experiment a bit with SoftWrapper. Unfortunately the demo
version only produces one valid code, and it never changes. But wrap up CALC
anyway, and run it a few times to get the feel for how SoftWrapper has changed
it. Be sure that the 'Enable Registration' option is checked when you wrap
up the program. As you might have guessed, SoftWrapper appends some code to
the end of the target, and relocates and modifies a little bit at the beginning
of the program, so that program execution jumps immediately to the new code,
then is returned to where it should have started once the protection code has
executed. Many of you will say to yourselves, "Hey, doesn't that sound just
like a virus?". And you will be correct - this program, as has been discussed
in other essays, is one of the money-driven parasites on our society.
We decided to start with Soft-Ice. So fire up Symbol loader and load
the program. What, you say? You can't load the Symbol loader? Ah yes, the tricky
'Anti Soft-Ice Code' they have placed in their program fools the symbol loader
into thinking that Soft-Ice is not loaded (even if it is) and it will not load.
I'm sure someone out there may be able to explain to us how this is done, however
for now we do not care in the slightest. Hit Ctrl-D and you will be in Soft-Ice
just as normal with no problems at all. Run the program from Explorer or
however you wish, and we will target as has been explained in earlier essays.
Enter an invalid code, and when the message pops up telling you that your code
is incorrect (the exact content of this message is up to you, you enter it
when you wrap the program) break into Soft-Ice with a Ctrl-D. Check out the
current window handles owned by CALC.EXE by typing HWND CALC. The first one
listed will be the nag window. In my case it was 59C, however it will be
different for everyone. So BMSG 59C WM_COMMAND, and then Ctrl-D to return to
the Calculator. Click on either the 'Yes' or 'No' buttons in the nag dialog
and Soft-Ice will break out into (probably) the middle of nowhere. So P RET
(press F12) a few times until you get back to the CALC code. You should land
on the last line of the code below. Carefully examine the code above this CALL
you just returned from (which displayed the nag dialog).
:00414698 E8B4010000 call 00414851
:0041469D 6683F801 cmp ax, 0001 ;Check Flag here (should be 1)
:004146A1 742A je 004146CD ;Jump over nag if 1
* Possible Reference to String Resource ID=00064: "Deg"
:004146A3 6A40 push 00000040
:004146A5 E8B1030000 call 00414A5B
* Possible Reference to String Resource ID=00068: "Invalid input for function."
:004146AA 6A44 push 00000044
:004146AC 8D85DD0D0000 lea eax, dword ptr [ebp+0DDD]
:004146B2 50 push eax
:004146B3 8B9D170F0000 mov ebx, dword ptr [ebp+0F17]
:004146B9 8D042B lea eax, dword ptr [ebx + ebp]
:004146BC 50 push eax
:004146BD 6A00 push 00000000
:004146BF E891030000 call 00414A55 ;Display wrong number box
:004146C4 83F806 cmp eax, 00000006 ;You should land HERE!
So, if you cheated and looked at the comments you should see that the first
call in that section should return a 1 in ax in order to signal a correct
registration number. If you have been paying close attention, you will say
to yourself, "hey, where did that dead listing come from? I thought this program
could not be disassembled with *anything*". If you caught this error, I
salute you. The answer to that question is simple: they lied.
WDASM 8.7 (and 8.5 too for that matter) works quite well on it.
Once again we owe Urbanik (my registration is in the mail ;) quite a lot for his
Looking at the dead-listing you will notice that all of the text you entered
into SoftWrapper to be used in the various dialogs is encrypted, and cannot be
located with a simple text search.
So, I guess they did not lie about the encryption.
However, once again we do not care in the slightest.
We know a call to 00414851 should return a 1, but it is unfortunately returning
0 for us. Let's look at it; it's a rather large chunk of code to take in at
once, but most of it is not important.
* Referenced by a CALL at Addresses: ;This is the call which sets the flag
|:004140E2 , :00414698 ;Notice it is called 2x
* Possible Reference to String Resource ID=00012: "x^y" ;Some encrypted data?
:00414851 B90C000000 mov ecx, 0000000C
:00414856 56 push esi
:00414857 57 push edi
:00414858 8DB5CB0B0000 lea esi, dword ptr [ebp+0BCB] ;ESI points to 'real' code
:0041485E 8DBDDE0A0000 lea edi, dword ptr [ebp+0ADE] ;EDI points to our code
:00414864 33C0 xor eax, eax
:00414866 33D2 xor edx, edx
:00414868 8A1E mov bl, byte ptr [esi]
:0041486A 8A07 mov al, byte ptr [edi]
:0041486C 3C2D cmp al, 2D
:0041486E 7503 jne 00414873
:00414870 47 inc edi
:00414871 8A07 mov al, byte ptr [edi]
* Referenced by a Jump at Address :0041486E(C)
:00414873 32C3 xor al, bl
:00414875 0BD0 or edx, eax
:00414877 46 inc esi
:00414878 47 inc edi
:00414879 E2ED loop 00414868
:0041487B 33C0 xor eax, eax ;Zero in AX
:0041487D 0BD2 or edx, edx
:0041487F 7505 jne 00414886 ;Beggar off if edx <> 0
* Possible Reference to String Resource ID=00001: "Ave"
:00414881 B801000000 mov eax, 00000001 ;Put in Good Guy Value
* Referenced by a Jump at Address: 0041487F(C)
:00414886 5F pop edi
:00414887 5E pop esi
:00414888 C3 ret
The above code is easy enough to patch in any of a number of ways in order to
prevent the Beggar Off jump. Below is how I did it:
:0041487F 7505 jne 00414886 ;Beggar off if edx <> 0
:0041487F 7500 jne 00414881 ;jmp to next line
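To make the loop's logic explicit, here is a C re-implementation of the compare routine at 00414851 (an example added to this essay, not SoftWrapper's or Seven Locks' code). It assumes the 12 decrypted key characters at [ebp+0BCB] are stored without dashes, since the loop only skips '-' in the user's buffer at [ebp+0ADE]; the sample key is the demo's YLJY-Y1HB-TH2P quoted below.

```c
#include <stddef.h>
#include <string.h>

/* C re-implementation of the compare loop at 00414851 (added example).
 * real12  : the 12 decrypted key characters at [ebp+0BCB]; assumed to be
 *           stored without dashes, because the loop only skips '-' in the
 *           user's buffer (pointed to by EDI, at [ebp+0ADE])
 * entered : the NUL-terminated string the user typed
 * Returns the "good guy" value 1 (what the routine leaves in EAX) when all
 * 12 bytes match, otherwise 0. */
int softwrapper_check(const char *real12, const char *entered)
{
    size_t len = strlen(entered);
    size_t edi = 0;          /* index into the entered string */
    unsigned int edx = 0;    /* OR-accumulator of the XOR differences */

    for (int ecx = 12; ecx > 0; ecx--) {                  /* loop 00414868 */
        unsigned char bl = (unsigned char)real12[12 - ecx]; /* mov bl,[esi] */
        /* The original reads [edi] unconditionally, so a short input is
         * compared against whatever follows it in memory; here a read past
         * the end of the string yields 0 instead. */
        unsigned char al = edi < len ? (unsigned char)entered[edi] : 0;
        if (al == '-') {     /* cmp al,2D / jne: skip exactly one dash */
            edi++;
            al = edi < len ? (unsigned char)entered[edi] : 0;
        }
        edx |= (unsigned int)(al ^ bl);                   /* xor al,bl / or edx,eax */
        edi++;                                            /* inc esi / inc edi */
    }
    /* xor eax,eax ; or edx,edx ; jne 00414886 ; mov eax,1 */
    return edx == 0 ? 1 : 0;
}

/* The demo's single valid code, as the essay reports it, in stored form
 * (constructed sample, dashes removed per the assumption above). */
static const char DEMO_KEY[12 + 1] = "YLJYY1HBTH2P";

int demo_key_accepted(const char *entered)
{
    return softwrapper_check(DEMO_KEY, entered);
}
```

Because the check is a byte-for-byte XOR against the decrypted key, the plaintext key must sit in memory at [ebp+0BCB] for the whole compare, which is why the 'memory echo' approach works; note also that two consecutive dashes are not skipped, and that only the first 12 compared characters matter.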
That's all there is to cracking Calculator. What about 'our' code and the 'real'
code mentioned in the code comments above? Well, you can double-check them
if you like. The code pointed to by ESI will be YLJY-Y1HB-TH2P, which is the
only code the 'Register' option of the demo SoftWrapper will give. While this
is not very useful now, it does tell us that the 'memory echo' technique will
probably work for any SoftWrapped products. This brings up another question.
What software is currently protected by SoftWrapper? Well, that's a good
question, one I am working on right now. If and when I find some, I will
write a brief follow-up to this essay. It is interesting that Seven Locks
Software praises this product so highly, but does not use it to protect any
of their own products. How much confidence do they really have that this is
-----------------------More From The SoftWrapper Manual------------------
At the present time, it is unknown how a hacker would attack the SOFTWrapper
to defeat its protection. But the requirement of monitoring the underground
for such information is a good idea, and the developer of the wrapping
technology should alert all users of the wrapping product when such a breach
becomes known, and should develop fixes as needed.
I guess they know how SoftWrapper would be attacked now, but why should a hacker
attack software? They are dealing with software protection and do not know that
there is a difference between hackers and crackers?
I am insulted.
I would hope they are monitoring our discussion, so they can correct and improve
their protection from any "low" pirates who might use this to steal software, but
I don't think that there is any SoftWrapped software out there to steal anyway,
so I guess it does not matter much.
Is it possible that the fact that there are almost no shareware authors dumb
enough to use this kind of 'cookie cutter' protector is a sign that they are
eventually beginning to learn something from us?
It would be nice, yet I doubt it, considering how close the race is
for the new 'Most stupid Protection' Award.
A message to Seven Locks Software now, from me:
I salute your attempt. You did encrypt the data, you did include Soft-Ice
hostile and anti-disassembling code, however why did you spend all that
time and effort to install 'Seven Locks' when the window has been left
If anyone has more info, keep me posted.
(c) +Sync 1997. All rights reserved