Hiew and a tutorial
Fahr
May 31st, 2003, 14:53
Hello people,
first of all let me state that I am a complete newbie to reverse engineering. I can program, some ASM too, but I never tried reverse engineering before. Please don't be angry with me because of my probable stupidity.
That being said, here is my question;
I am trying to follow the following tutorial on bypassing SoftWrap:
http://www.woodmann.net/fravia/blackb_softwrap.html
Since I don't have all (or any) of the tools, I thought it impossible. But then I noted in the bottom of part 1 he states:
"When you made all the changes in Hiew..."
I have Hiew; oh happy, oh joy.
Thus I fire up Hiew, load the exe, set the viewing mode to decode and am completely lost.
I don't know if the code snippets he gives out in the tutorial actually came from Hiew or from a disasm output, but in Hiew I can't seem to find them. Not the texts like '_WinMain@16', which I can more or less understand, but also not the given calls, jumps, etc.
So assuming he DID use Hiew to do it all, how did he do it? And if not (I assume it's a disasm output), how did he use Hiew to work on his disasm output? Or did he just change the asm code and re-asm it?
Thank you,
- Fahr
naides
May 31st, 2003, 16:56
It is not my intention to sound harsh or harangue a newcomer, so I apologize in advance.
1. Tools: Your cracking is only as good as your tools. Spend time in finding them, learning their use and eventually making them. THEY ARE NOT THAT HARD TO GET. pm and I may give you hints; look down in protools and other sites and get equipped before trying to understand a cracking tutorial.
2. Start simple: the tut you point to is not at newbie level. Cut your teeth in simple, not necessarily trivial tuts and cracks, hot linked in this board by the dozen, then get into more complex stuff.
ZaiRoN
June 1st, 2003, 04:42
Hi,
in Hiew, the "decode" mode is used to view the disasm of the file. If you want to change one or more instructions you have, firstly, to move to the instruction you want to change. Press F5 and type the offset of the instruction you want to change; remember, the offset and not the Virtual Address! After that, F3 and you can change the instruction working directly on the bytes or specifying the new instruction (F2).
Hiew, imho, is not proper for newbies and I suggest you start with a simple hex editor.
Regards,
ZaiRoN
evlncrn8
June 1st, 2003, 05:23
actually, if you press F5 and put a . in front of the number you enter, Hiew takes your entry as a VA, so offset -> VA and VA -> offset is quite simple. Also read the Hiew manual; great little tool.
ZaiRoN
June 1st, 2003, 05:27
Hi evlncrn8,
thx for the info, I don't use this tool too much... I have to read the manual
ZaiRoN
Fahr
June 1st, 2003, 06:30
Quote:
Originally posted by naides
It is not my intention to sound harsh or harangue a newcomer, so I apologize in advance.
1. Tools: Your cracking is only as good as your tools. Spend time in finding them, learning their use and eventually making them. THEY ARE NOT THAT HARD TO GET. pm and I may give you hints; look down in protools and other sites and get equipped before trying to understand a cracking tutorial.
2. Start simple: the tut you point to is not at newbie level. Cut your teeth in simple, not necessarily trivial tuts and cracks, hot linked in this board by the dozen, then get into more complex stuff.
You're right, so no apologies needed.
I know tools are easy to find, since that post (yesterday) I managed to 'obtain' SoftICE and IDA Pro. I guess that'll help a bunch (still gotta try them out, tho, just awake).
As for your note on starting with newbie tuts, I agree. But I would like to think I am not a complete newbie, since I do have basic understanding of ASM and the works of all the stuff. That is; I understand the tutorial, I understand WHAT he does, WHY he does it and WHY it works. I just don't get HOW.
But still, I guess you're right. I'll try to find some tutorials on general use of the tools. But if anyone is still willing to help me on this one (as in: how did he get the ASM dump and how did he translate it into Hiew), please do so.
- Fahr
naides
June 1st, 2003, 08:20
Quote:
I don't know if the code snippets he gives out in the tutorial actually came from Hiew or from a disasm output, but in Hiew I can't seem to find them. Not the texts like '_WinMain@16', which I can more or less understand, but also not the given calls, jumps, etc.
Sure.
The code you see in the tut with annotations like _WinMain@16 etc. is produced by IDA. The disassembly produced by HIEW, while remarkable for such a small tool, is just a literal byte-to-ops translation, and will not annotate or de-tangle the code flow as IDA does. That is why the Hiew disassembly listing is useful only to find where you are in the raw file and change a byte or two, while looking at the immediate result of your maneuver.
evlncrn8 described a method to FIND a stretch of code inside HIEW: F5 (goto) then . followed by the virtual address that the IDA listing provided, i.e. .0045C4D5
P0001
June 1st, 2003, 08:45
Hi !
Fahr
After loading the proggy in Hiew you first hit F4 then F2 and you are in the asm listing.
Then if you want to make changes you hit F3 and it is in the edit mode.
After making the changes in the proggy you hit F9 to save your changes to it.
best of Luck !!!
P0001 
Fahr
June 1st, 2003, 08:54
Quote:
Originally posted by naides
Sure.
The code you see in the tut with annotations like _WinMain@16 etc. is produced by IDA. The disassembly produced by HIEW, while remarkable for such a small tool, is just a literal byte-to-ops translation, and will not annotate or de-tangle the code flow as IDA does. That is why the Hiew disassembly listing is useful only to find where you are in the raw file and change a byte or two, while looking at the immediate result of your maneuver.
evlncrn8 described a method to FIND a stretch of code inside HIEW: F5 (goto) then . followed by the virtual address that the IDA listing provided, i.e. .0045C4D5
OK, thanks for that info. It seems tho that this program is packed with some new version of softpack and is also really 'packed' (IDA says: "The import segment seems to be destroyed, this may mean blah blah blah").
Guess that makes it more or less impossible to crack
Thanks anyway for your help.
- Fahr
Iwarez
June 1st, 2003, 09:51
Nothing is impossible to crack. The new softwrap versions are BTW protected with xlok. I must say that xlok is protecting well. I ended up with making a debugger loader to do the dumping (for .locked files, it makes a working exe without softwrap) and making a debugger patcher/loader for the new protected softwrap programs (protected with xlok and softwrap.dll). It requires some research but softwrap ends up to be not so protecting at all. It's xlok that makes it harder to crack.
Fahr
June 1st, 2003, 10:56
Quote:
Originally posted by Iwarez
Nothing is impossible to crack. The new softwrap versions are BTW protected with xlok. I must say that xlok is protecting well. I ended up with making a debugger loader to do the dumping (for .locked files, it makes a working exe without softwrap) and making a debugger patcher/loader for the new protected softwrap programs (protected with xlok and softwrap.dll). It requires some research but softwrap ends up to be not so protecting at all. It's xlok that makes it harder to crack.
Yeah, I already figured that. And I know everything can be cracked, but not by a newbie like me using a tutorial for an older softwrap version. I'm learning though! (got some good crackme's, reinstalling Win98 to work with hmemcpy etc.)
Thanks,
- Fahr
Iwarez
June 1st, 2003, 15:01
A good point to start with is a breakpoint on the DialogBoxParamA function, and putting a breakpoint on the retn. Or on the classic WriteProcessMemory API. Be sure not to place the breakpoint straight on the API itself as newer softwraps (with the help of xlok) check for breakpoints on APIs. You can then decide to dump (if you broke on WriteProcessMemory) the contents of the buffer (check your API guide here on help on where the buffer is located) and paste this into the .locked file. Another approach is to let softwrap write the contents into memory and dump the program before it's resumed by softwrap.
Fahr
June 2nd, 2003, 02:06
Quote:
Originally posted by Iwarez
A good point to start with is a breakpoint on the DialogBoxParamA function, and putting a breakpoint on the retn. Or on the classic WriteProcessMemory API. Be sure not to place the breakpoint straight on the API itself as newer softwraps (with the help of xlok) check for breakpoints on APIs. You can then decide to dump (if you broke on WriteProcessMemory) the contents of the buffer (check your API guide here on help on where the buffer is located) and paste this into the .locked file. Another approach is to let softwrap write the contents into memory and dump the program before it's resumed by softwrap.
Sounds good, except for the fact that I can't run it with SoftICE present. It results in some XLok message.
And on top of that; I already started the program too many times, so I can't run it anymore without ordering it (or so says SoftWrap)
So now what?
- Fahr
Iwarez
June 2nd, 2003, 13:41
No sweat, you just need to:
1. get another softwrapped program to test the normal flow with
2. patch your softice to prevent it from being found, or unload softice and use ollydbg (it is not found by xlok)
3. after analysis you'll find that a softwrapped program can be started after trial with ease.
Fahr
June 2nd, 2003, 15:10
Interesting, I'll get my own copy of SoftWrap then to test with.
As for OllyDBG, I tried it once, but I really don't get it... I can't even make API breakpoints it seems :S
Which leads to another 2 questions;
1) how to use OllyDBG as SoftICE (most ppl say it's easier)
2) how to crack SoftICE so it's not detected
And last but not least; I do want to do this myself, cuz I think I will learn a lot, but I will need some pointers and help here and there, would you be able to provide that?
Thanks,
- Fahr
Rackmount
June 2nd, 2003, 16:03
Hello....
I can see that you are interested in learning so I will offer a few simple responses to your last post...
As for learning olly...go here: http://ollydbg.win32asmcommunity.net/
As for hiding SICE...there are a few approaches...
1.) You can patch your program to not search for the IsDebuggerPresent api (winNT api ...not sure if this is in other newer versions, i.e. XP, ME etc. (prolly so)), or make it think it isn't found even if it is...
2.) You can hide SICE using secondary proggie like Frogsice
And as to offering assistance...I have noticed that if you make an effort to first do it yourself and describe what you have tried...others will be happy to assist and offer helpful hints...but, be careful of not trying it yourself first and lamely asking help...if you make no effort...you will most likely be flamed...this is a newbies forum...it is here to support learning efforts
Have fun in your RE learning adventure...
Rackmount
Iwarez
June 2nd, 2003, 16:31
Good reply rackmount.
Concerning breaking on APIs with olly. That's most certainly possible but it requires w2k or higher.
Concerning hiding softice, well that has been discussed here over and over and a search on the board will help you a lot. I would take this as a second step and not as required, as softwrap can be done completely and solely with ollydbg.
And yes, of course you can ask questions.
Especially about softwrap. It has been my special interest now for a while and I'm getting good at ripping it apart in a thousand different ways
Paul333
June 6th, 2003, 19:08
I know the tutorial you're on about, Fahr, and I've used it myself. I used W32DASM to follow the code in the tut. Surprised no-one mentioned W32DASM to you? That's by far the best and easiest disassembler of a program's code for a newbie to follow.
I found, like you, because the tutorial was old (but still relevant and a great tutorial..thanks Blackbird) it didn't resemble the Softwrap code I was looking at word for word, but I still was able to follow it by picking out the main parts.
I went straight to the unwrapping part of the tut because I was using frogsice to hide softice; I didn't need the tut beginning.
Although the code of the app I had was completely different from the code in the tut, I found 3 major similarities and it so happened they were the most important. These were
call ds:CreateProcessA
call ds:WriteProcessMemory
call ds:ResumeThread
Once I'd located these in my app's code I could begin to notice very small similarities between the tut's code and my current app's code. Very very small, but nonetheless large enough for me to work out my position.
Once I was confident of where I was I bpx'ed on
CreateProcessA
and slowly traced from there keeping a sharp eye out for the other 2, i.e.
call ds:WriteProcessMemory
call ds:ResumeThread
once i finally got to land on
call ds:ResumeThread
I stopped like Blackbird said and froze the program with
a eip
then
jmp eip
I then ctrl-d'd out of softice and ran processdump and dumped the app. It was virgin and ran sweet..lol, that was one of the first apps I cracked and got a good buzz out of it.
I know yours will be slightly different now that softwrap is packed with that packer you mentioned, but I'd still persevere with it and I'm sure you'll manage just fine :0
Good luck
paul333
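Two things in this thread are easy to get wrong at the keyboard: the offset-versus-VA distinction behind Hiew's F5 goto (ZaiRoN's and evlncrn8's posts above: a plain number is a file offset, a leading "." is a virtual address), and the two-byte freeze Paul333 describes (a eip / jmp eip). The script below is an added example, not code from the tutorial or from anyone in the thread. It does the offset/VA arithmetic from the PE section table the way Hiew has to, and writes the jmp-to-self (EB FE) into the file image at a VA, which is the F5 .VA, F3, F2, F9 sequence in one call. The PE it operates on is constructed in memory (one .text section, assumed image base 0x400000, the VA 0x401003 and the instruction bytes are made up for the demo); a real target is just a file read into PeMap instead.

```python
"""Added example: Hiew-style VA <-> file offset mapping from the PE section
table, plus the two-byte 'jmp eip' (EB FE) freeze written into the file image.
The PE below is constructed in-memory for the demo; it is not a real binary."""
import struct

IMAGE_BASE = 0x400000          # assumed image base of the constructed sample
JMP_SELF = b"\xEB\xFE"         # 'jmp $' / 'jmp eip': two-byte infinite loop


def build_sample_pe() -> bytes:
    """Constructed PE32 with one .text section (RVA 0x1000, raw data at 0x400)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    sig = b"PE\x00\x00"
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                   # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                  # FileAlignment
    # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs/linenumbers (unused), Characteristics (code|r|x)
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000, 0x200,
                      0x400, 0, 0, 0, 0, 0x60000020)
    headers = (dos + sig + file_hdr + bytes(opt) + sec).ljust(0x400, b"\x00")
    # .text: push ebp / mov ebp,esp / call rel32 (made-up target 0) / nop sled
    code = bytes([0x55, 0x8B, 0xEC, 0xE8, 0, 0, 0, 0]).ljust(0x200, b"\x90")
    return headers + code


class PeMap:
    """Just enough PE parsing to translate VA <-> file offset and patch bytes."""

    def __init__(self, data: bytes):
        self.data = bytearray(data)
        if self.data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe = struct.unpack_from("<I", self.data, 0x3C)[0]
        if self.data[pe:pe + 4] != b"PE\x00\x00":
            raise ValueError("missing PE signature")
        nsec = struct.unpack_from("<H", self.data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", self.data, pe + 20)[0]
        opt = pe + 24
        magic = struct.unpack_from("<H", self.data, opt)[0]
        if magic == 0x10B:                                   # PE32
            self.image_base = struct.unpack_from("<I", self.data, opt + 28)[0]
        elif magic == 0x20B:                                 # PE32+
            self.image_base = struct.unpack_from("<Q", self.data, opt + 24)[0]
        else:
            raise ValueError(f"unknown optional header magic {magic:#x}")
        self.sections = []
        for i in range(nsec):
            name, vsize, va, rawsize, rawptr = struct.unpack_from(
                "<8sIIII", self.data, opt + opt_size + 40 * i)
            self.sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))

    def va_to_offset(self, va: int) -> int:
        """What Hiew does for F5 '.VA': RVA = VA - ImageBase, then section lookup."""
        rva = va - self.image_base
        for name, sva, vsize, rawptr, rawsize in self.sections:
            if sva <= rva < sva + max(vsize, rawsize):
                delta = rva - sva
                if delta >= rawsize:     # memory-only tail of a section: nothing to patch on disk
                    raise ValueError(f"{va:#x} lies in {name} but has no bytes in the file")
                return rawptr + delta
        raise ValueError(f"{va:#x} is not inside any section of this image")

    def offset_to_va(self, off: int) -> int:
        """The reverse mapping: plain F5 offset -> VA."""
        for _name, sva, _vsize, rawptr, rawsize in self.sections:
            if rawptr <= off < rawptr + rawsize:
                return self.image_base + sva + (off - rawptr)
        raise ValueError(f"offset {off:#x} is outside every section's raw data")

    def patch(self, va: int, new_bytes: bytes) -> bytes:
        """Hiew's F5 .VA, F3, F2, F9 in one call; returns the bytes overwritten."""
        off = self.va_to_offset(va)
        old = bytes(self.data[off:off + len(new_bytes)])
        if len(old) != len(new_bytes):
            raise ValueError("patch would run past the end of the file")
        self.data[off:off + len(new_bytes)] = new_bytes
        return old


def freeze_demo():
    """Map the call at VA 0x401003, overwrite it with EB FE, keep the originals."""
    pe = PeMap(build_sample_pe())
    off = pe.va_to_offset(0x401003)           # 0x403: raw 0x400 + (0x1003 - 0x1000)
    old = pe.patch(0x401003, JMP_SELF)        # E8 00 overwritten; 3 tail bytes remain
    return off, old, bytes(pe.data[off:off + 5])


if __name__ == "__main__":
    print(freeze_demo())
```

Two caveats the thread hints at. The mapping only covers bytes that exist in the file: a VA in a section's memory-only tail, or an address like the tutorial's 0045C4D5 in an image that has no section there, raises instead of silently returning an offset, which is the same situation as Hiew refusing a goto. And for a wrapped program the code Paul333 froze and dumped is only present after the wrapper's WriteProcessMemory, so the patch has to go into the dumped, rebuilt executable, not into the original .locked file's on-disk image. A two-byte jmp also leaves the tail of a longer instruction (here three bytes of the call) in place, so keep the returned originals to restore before letting execution continue.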
Fahr
June 7th, 2003, 10:39
That sounds like a good tip, thanks, Paul333
The only problem is that I can't actually RUN the program anymore, since the tryout time is over :S
I guess I'll try it on another PC then, thanks a lot
- Fahr
Fahr
June 9th, 2003, 15:30
ok, here is the next problem;
As said by Iwarez, I can't bpx on ResumeThread, so I decided to go with OllyDBG. Problem is, I can't even EXECUTE the program with OllyDBG, it keeps giving me errors and never shows the actual screen I get when just running it (the one saying: please reg this software blah blah, only 3 tries blah blah).
I could run it with SoftICE present, using NTAll (FrogsICE clone for NT/2K), but if I bpx the ResumeThread it still wont run...
Any hints as to what to do now?
- Fahr