SoftWrapper - Cracking Windows Calculator?
(how to reverse engineer a simple "anti-Winice" protection scheme)


by +Sync, 14 August 1997


SoftWrapper - Cracking Windows Calculator?

By +Sync

	I came across a very interesting target recently, and I thought that

this info might interest some of the other +HCU students.  While the cracking

techniques I used in this crack are not special in any way, I think that the

company's attempt to assure it's clients that their software is secure, when

in reality it's extremely vulnerable via a few simple tricks deserves an essay. 

The program is called SoftWrapper and it is made by Seven Locks software, 

http://www.sevenlocks.com. 



	This is another one of those "registration systems" whichbelieve to be 

the panacea for the world's problems.  

What I found very interesting about this program is that, unlike most I have 

seen, the protective encryption is applied after your program is compiled.  

It adds an envelope to an already existing windows executable (Greythorne, 

I thought of you and your Windows Symbiote), and it actually does it quite 

cleanly.  So, I read the manual, as usual, and came across some surprising 

stuff.  Read my excerpts below:

 

--------------------------From SoftWrapper Manual-----------------------

Anti-Hacking:

-Encrypts your file to protect against modification.



-Uses an advanced polymorphic engine to create completely different decryptors

   for each installation. This prevents any "hack one, hack them all" approach

   to removing WRAP-EXE/WRAP-COM from protected files.

-Uses dual encryption loops laced with advanced anti-debugging code which 

   deters all debugging attempts.

-Contains code to specifically target Soft-ICE, a protected mode 32-bit 

   debugger which bypasses many other wrapper's anti-debugging code with ease.



Disassembly Resistance

-There are no tools on the market that will take a wrapped program apart - not

   DEBUG, not Sourcer, not Soft-Ice.



-----------------------------------------------------------------------



	Well, this one certainly sounds like a challenge.  It apparently cannot

be traced with our beloved Soft-Ice, dissassembled with *anything*, or patched

in any way because it *detects* alterations to itself.  When I read this I first

thought that maybe it was uncrackable.  But did not +Orc say that nothing was 

uncrackable?  So I thought, maybe I can get a valid registration number, and

then no patch would be necessary.  The best thing for this (In my opinion) is

a live approach using Soft-Ice.  So where to start?  First, go to your WINDOWS

directory and copy CALC.EXE, the windows calculator, to your SoftWrapper 

directory.  Now, experiment a bit with SoftWrapper.  Unfortunately the demo

version only produces one valid code, and it never changes.  But wrap up CALC

anyway, and run it a few times to get the feel for how Softwrapper has changed

it.  Be sure that the 'Enable Registration' option is checked when you wrap

up the program.  As you might have guessed, SoftWrapper appends some code to 

the end of the target, and relocates and modifies a little bit at the beginning

of the program, so that program execution jumps immediately to the new code, 

then is returned to where it should have started once the protection code has

executed.  Many of you will say to yourselves, "Hey, doesn't that sound just 

like a Virus?".  And you will be correct - this program, as has been discussed

in other essays is one of the money-driven parasites on our society. 

	We decided to start with Soft-Ice. So fire up Symbol loader and load 

the program. What, you say? You can't load the Symbol loader?  Ah yes, the tricky

'Anti Soft-Ice Code' they have placed in their program fools the symbol loader 

into thinking that Soft-Ice is not loaded (even if it is) and it will not load. 

I'm sure someone out there may be able to explain to us how this is done, however

for now we do not care in the slightest.  Hit Ctrl-D and you will be in Soft-Ice

just as normal with no problems at all.  Run the program from Explorer or 

however you wish, and we will target as has been explained in earlier essays.

Enter an invalid code, and when the message pops up telling you that your code

is incorrect (the exact content of this message is up to you, you enter it 

when you wrap the program) break into Soft-Ice with a Ctrl-D.  Check out the

current window handles owned by CALC.EXE by typing HWND CALC.  The first one

listed will be the nag window.  In my case it was 59C, however it will be 

different for everyone.  So BMSG 59C WM_COMMAND, and then Ctrl-D to return to

the Calculator.  Click on either the 'Yes' or 'No' buttons in the nag dialog

and Soft-Ice will break out into (probably) the middle of nowhere.  So P RET

(press F12) a few times until you get back to the CALC code.  You should land

on the last line of the code below.  Carefully examine the code above this CALL

you just returned from (which displayed the nag dialog).



:00414698 E8B4010000              call 00414851

:0041469D 6683F801                cmp ax, 0001		;Check Flag here (should be 1)

:004146A1 742A                    je 004146CD		;Jump over nag if 1



* Possible Reference to String Resource ID=00064: "Deg"

                                  |

:004146A3 6A40                    push 00000040

:004146A5 E8B1030000              call 00414A5B



* Possible Reference to String Resource ID=00068: "Invalid input for function."

                                  |

:004146AA 6A44                    push 00000044

:004146AC 8D85DD0D0000            lea eax, dword ptr [ebp+0DDD]

:004146B2 50                      push eax

:004146B3 8B9D170F0000            mov ebx, dword ptr [ebp+0F17]

:004146B9 8D042B                  lea eax, dword ptr [ebx + ebp]

:004146BC 50                      push eax

:004146BD 6A00                    push 00000000

:004146BF E891030000              call 00414A55		;Display wrong number box

:004146C4 83F806                  cmp eax, 00000006	;You should land HERE!



So, if you cheated and looked at the comments you should see that the first

call in that section should return a 1 in ax in order to signal a correct

registration number.  If you have been paying close attention, you will say

to yourself, "hey where did that dead listing come from? I thought this program

could not be dissassembled with *anything* ".  If you caught this error, I 

salute you.  The answer to that question is simple: they lied.  

WDASM 8.7 (and 8.5 too for that matter) works quite well on it.  

Once again we owe Urbanik (my registration is in the mail ;) quite a lot for his 

wonderful tool.  

Looking at the dead-listing you will notice that all of the text you entered 

into SoftWrapper to be used in the various dialogs is encrypted, and cannot be 

located with a simple text search.  

So, I guess they did not lie about the encryption.  

However, once again we do not care in the slightest.  

We know a Call to 00414851 should return a 1, but it is unfortunately returning 

0 for us.  Lets look at it, it's a rather large chunk of code to look at at 

once, but most of it is not important.



* Referenced by a CALL at Addresses:		;This is the call which sets the flag

|:004140E2   , :00414698   			;Notice it is called 2x



* Possible Reference to String Resource ID=00012: "x^y"		;Some encrypted data?

                                  |

:00414851 B90C000000              mov ecx, 0000000C

:00414856 56                      push esi

:00414857 57                      push edi

:00414858 8DB5CB0B0000            lea esi, dword ptr [ebp+0BCB]	;ESI points to 'real' code

:0041485E 8DBDDE0A0000            lea edi, dword ptr [ebp+0ADE] ;EDI points to our code

:00414864 33C0                    xor eax, eax

:00414866 33D2                    xor edx, edx

:00414868 8A1E                    mov bl, byte ptr [esi]

:0041486A 8A07                    mov al, byte ptr [edi]

:0041486C 3C2D                    cmp al, 2D

:0041486E 7503                    jne 00414873		

:00414870 47                      inc edi

:00414871 8A07                    mov al, byte ptr [edi]



* Referenced by a Jump at Address :0041486E(C)

|

:00414873 32C3                    xor al, bl

:00414875 0BD0                    or edx, eax

:00414877 46                      inc esi

:00414878 47                      inc edi

:00414879 E2ED                    loop 00414868

:0041487B 33C0                    xor eax, eax		;Zero in AX

:0041487D 0BD2                    or edx, edx

:0041487F 7505                    jne 00414886	        ;Beggar off if edx <> 0



* Possible Reference to String Resource ID=00001: "Ave"

                                  |

:00414881 B801000000              mov eax, 00000001     ;Put in Good Guy Value



* Referenced by a Jump at Address: 0041487F(C)

|

:00414886 5F                      pop edi

:00414887 5E                      pop esi

:00414888 C3                      ret



 

The above code is easy enough to patch in any of a number of ways in order to

prevent the Beggar Off jump.  Below is how I did it:



Change: 

:0041487F 7505                    jne 00414886	        ;Beggar off if edx <> 0

To:

:0041487F 7500                    jne 00414881	        ;jmp to next line



That's all there is to cracking Calculator.  What about 'our' code and the 'real'

code's mentioned in the code comments above.  Well, you can double check them

if you like.  The code pointed to by ESI will be YLJY-Y1HB-TH2P which is the

only code the 'Register' option of the demo SoftWrapper will give.  While this

is not very useful now, it does tell us that the 'memory echo' technique will

probably work for any SoftWrapped products.  This brings up another question.

What software is currently protected by SoftWrapper?  Well, that's a good 

question, one I am working on right now.  If and when I find some, I will

write a brief follow-up to this essay.  It is interesting that Seven Locks

Software praises this product so highly, but does not use it to protect any

of their own products.  How much confidence do they really have that this is

hack-proof?

					  

-----------------------More From The SoftWrapper Manual------------------

At the present time, it is unknown how a hacker would attack the SOFTWrapper

to defeat its protection.  But the requirement of monitoring the underground

for such information is a good idea, and the developer of the wrapping 

technology should alert all users of the wrapping product when such a breach 

becomes known, and should develop fixes as needed.

--------------------------------------------------------------------



I guess they know how SoftWrapper would be attacked now, but why should a hacker? 

attack software? They are dealing with software protection and do not know that 

there is a difference between hackers and crackers?

I am insulted.  

I would hope they are monitoring our discussion, so they can correct and improve 

their protection from any "low" pirates who might use this to steal software, but 

I don't think that there is any SoftWrapped software out there to steal anyway, 

so I guess it does not matter much.  

Is it possible that the fact that there are almost no Shareware authors dumb 

enough to use this kind of 'cookie cutter' protector is a sign that they are 

ebentally beginning to learn something from us?  

It would be nice, yet I doubt it, considering how close the race is

for the new 'Most stupid Protection' Award.  

A message to Seven Locks Software now, from me: 

I salute your attempt.  You did encrypt the data, you did include Soft-Ice

hostile and anti-dissassembling code, however why did you spend all that 

time and efforts to install 'Seven Locks' when the window has been left 

wide open?



If anyone has more info, keep me posted.

+Sync

(c) +Sync 1997. All rights reserved