Program:           4Safe StrongDisk v.2.7
Where to get it:   http://www.PhisTechSoft.com
Coded in:          C++
Protection Rating: [XXXX------]
Tools used:        SoftICE v.4.0, IDA v4.04, HIEW v.5.50, ProcDump

Hi reader,
Today I'm trying to teach you how to crack '4Safe StrongDisk v.2.7' and also how to patch
files packed with UPX. I assume knowledge of SoftICE, asm and cracking in general.
--------------------------------Blah Blah Blah-------------------------------------------
      I wrote this tutorial ONLY for educational purposes, nothing else.
----------------------------------Our target---------------------------------------------
Registration, of course :) Run regwiz.exe.

----------------------------------Lets start...------------------------------------------
Can you click 'Next' after you enter a serial? No. But why?
Start regwiz.exe and enter the serial 'qwer11112222333'. That is 15 chars!
Then set:  bpx GetDlgItemTextA
F5

Now type '3', our 16th and last char. Boom! You are inside SI. F11.
00401350:  call   ESI           ; GetDlgItemTextA 
bc 0
bpx 401350
..skipped 5 lines
           call   ESI           ; GetDlgItemTextA   
..skipped 5 lines
           call   ESI           ; GetDlgItemTextA
..skipped 5 lines
           call   ESI           ; GetDlgItemTextA
..skipped 6 lines
0040138D: cmp  ECX,10
          jnz  004013FA         ; jump if the length of my serial <> 16 (0x10) chars
          xor  ECX,ECX
00401392: mov  DL,[ESP+12]      ; 3rd char 'E' into DL
00401398: mov  AL,[ECX+ESP+10]  ; 1st char 'Q' into AL
...not interesting
004013B2: mov  AL,[ESP+10]      ; 1st char 'Q' into AL
004013B6: cmp  AL, 53           ; 'S'
004013B8: jz   004013F2         ; taken if AL = 'S' (skips the error at 004013F0)
004013BA: cmp  AL, 57           ; 'W'
004013BC: jz   004013F2         ; taken if AL = 'W'
004013BE: cmp  AL, 50           ; 'P'
004013C0: jz   004013F2         ; taken if AL = 'P'
004013C2: jmp  004013F0         ; none matched -> error
Let's look at 004013F0:
           mov  BL,01  ; this is the 'ERROR' flag for the program:
                       ; if BL=1 you can't click 'Next'
OK. Let's write down: the 1st char must be 'S', 'W' or 'P'.
Replace 'Q' with 'P' in our serial.
SI breaks here:
00401350  call ESI
Start tracing the code with F10 until you see
004013C4  cmp ECX,01            ; is it the 2nd char?
          jnz 004013D2          ; jump if NO
          cmp byte ptr[ESI+11],4E  ; OK, the 2nd char must be 'N'
          jz  004013F2          ; 'N' -> skip the error
          jmp 004013F0          ; otherwise error
          cmp ECX,02            ; is it the 3rd char?
          jnz 004013F2          ; jump if NO
          cmp DL,45             ; 'E'
          jz  004013F2
          cmp DL,46             ; 'F'
          jz  004013F2
          cmp DL,47             ; 'G'
          jz  004013F2
          cmp DL,50             ; 'P'
          jz  004013F2
          cmp DL,52             ; 'R'
          jz  004013F2
The 3rd char must be 'E', 'F', 'G', 'P' or 'R'.

What are all these chars for? Always read the help files before cracking.

1st char:
'S' - Server Edition
'W' - Workstation Edition
'P' - Personal Edition
2nd char:
'N' - I don't know
3rd char:
'E' - 'English'
'F' - 'France' or 'Finland'?
'G' - 'Germany'?
'P' - 'Polish'?
'R' - 'Russia'
If your country is Russia you must use 'R'; 'E' is for English-language countries.
I tried only 'R' and 'E'.
If I were Russian I would type 'PNR'.
Wow! Now I can click 'Next'.
Set bpx GetDlgItemTextA, then click 'Next'. Boom!
F11
Start tracing the code. Try to understand what happens.
........
0040169E: jnz  00406CE   ;   our target. Let's crack it.
a 40169e
cs:0040169e  jz 00406ce
F5.  Great! It works.
I also found a limitation for Russian users at 004012A2: call XXXXXXXX
If I replace the byte at 004012A2 with B8 (mov eax, imm32), the four bytes of the
call's operand become the immediate and the CALL is killed.
------------------------------------Patching-------------------------------------------
OK. You have cracked this proggy. But it's packed with UPX 0.94 :( No problem at all.
First, let's disassemble it. W32Dasm produces a lot of garbage from packed files.
IDA disassembles only the code that isn't packed (the unpacker stub). That's cool for us.
    We can use UPX's own unpacking code: redirect the jump to the start of the original
code to our patch, patch the code in memory, then return execution to the original program.
Try loading regwiz.exe into Symbol Loader. SI does not break.
Start ProcDump --> PE Editor --> regwiz.exe --> Sections. The Characteristics of UPX0 are
E0000080 (the section is flagged as uninitialized data).
Replace it with E0000020 (the section is now flagged as code). OK, now SI will break.
Start tracing the code with F10 until you find the jmp to the Depacker Exit Point (DEP).
I spent 1 hour on it. For UPX the DEP is near the end of the file.
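As an added example (not part of Corbio's tutorial and not code from 4Safe or UPX), here is a small Python decoder for the PE section Characteristics DWORD. It is run on a constructed UPX0 section header to show what the E0000080 to E0000020 edit above actually changes (CNT_UNINITIALIZED_DATA becomes CNT_CODE), and it lists the section properties a defender looks for when triaging a packed binary. The header field values and the indicator rules are my own assumptions, not values read from regwiz.exe.

```python
import struct

# IMAGE_SECTION_HEADER Characteristics bits (subset, from the PE/COFF spec)
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "MEM_READ",
    IMAGE_SCN_MEM_WRITE: "MEM_WRITE",
}

# One IMAGE_SECTION_HEADER is 40 bytes, little-endian:
# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def decode_characteristics(value):
    """Return the names of the known flag bits set in a Characteristics DWORD."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_section_header(raw):
    """Unpack one 40-byte section header into a dict."""
    (name, vsize, vaddr, rawsize, rawptr,
     _relocs, _lines, _nrelocs, _nlines, chars) = SECTION_HEADER.unpack(raw)
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "virtual_size": vsize,
        "virtual_address": vaddr,
        "raw_size": rawsize,
        "raw_pointer": rawptr,
        "characteristics": chars,
    }


def packer_indicators(section):
    """Properties that, together, usually mean a packer stub unpacks into this section."""
    flags = section["characteristics"]
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    reasons = []
    if flags & rwx == rwx:
        reasons.append("section is readable, writable and executable")
    if flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA and flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("executable section declared as uninitialized data")
    if section["raw_size"] == 0 and section["virtual_size"] > 0 and flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("executable section has no bytes on disk (filled at run time)")
    return reasons


# Constructed UPX0 header (assumed sizes, not copied from regwiz.exe): the usual
# UPX layout is an empty first section that the stub decompresses into.
UPX0_HEADER = SECTION_HEADER.pack(
    b"UPX0", 0x30000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000080)

# The same header after the edit the tutorial makes in ProcDump's PE editor.
UPX0_HEADER_AS_CODE = SECTION_HEADER.pack(
    b"UPX0", 0x30000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000020)

if __name__ == "__main__":
    for raw in (UPX0_HEADER, UPX0_HEADER_AS_CODE):
        sec = parse_section_header(raw)
        print(f"{sec['name']}: {sec['characteristics']:08X} -> "
              f"{decode_characteristics(sec['characteristics'])}")
        for reason in packer_indicators(sec):
            print("  indicator:", reason)
```

Note that flipping the content type to CNT_CODE only changes how a debugger or disassembler treats the bytes; the section is still RWX and still empty on disk, so the two indicators that matter for detection survive the edit.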
Let's disassemble regwiz.exe with IDA.
00433EC0   pusha             ; Depacker Start Point
...skipped
0043400E   popa
0043400F   jmp  XXXXXXXX     ; Depacker Exit Point, file offset 0x1340F
Load regwiz.exe into HIEW and jump to 1340F. You need to redirect this JMP and add some code.
0001340F: E902000000     JMP 000013416            ; jmp to our memory patch
00013414: 0000           ADD [EAX],AL
00013416: C6059E16400074 MOV B,[00040169E],074    ; replace JNZ with JZ
0001341D: C605A2124000B8 MOV B,[0004012A2],0B8    ; kill the CALL (B8 = mov eax, imm32)
00013424: E910F4FCFF     JMP 0FFFE2839           ; jmp to the Program Entry Point
That's all.
I hope you understand my terrible English :)

Regards,  Corbio.
====================================(c) Corbio /CFF=====   ============================