Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


SoftWrap

Type : Packer
Protection : Regkey ... exe packer
Tech : Dumping

Crack :

I got a program protected with SoftWrap: CompuChess ver 1.5, a 7-day trial.
SoftWrap uses MeltIce to detect SoftICE, so in SoftICE set BPX CREATEFILEA and run. When we break inside the program module, search for the string 'SICE', i.e.
s -a 0 l ffffff 'SICE' (if you are on WinNT, look for 'NTICE' as well).
Next to it we can see other strings such as REGMON and FILEMON, so it also seems to check whether we are running Regmon or FileMon, hee..
Change every such string to something else of the same length, e.g. 'SXCE', and also make the return value after the CREATEFILEA call -1, i.e. EAX = -1 (INVALID_HANDLE_VALUE, what the call returns when the device does not exist).

Now we can see the SoftWrap TRY / BUY dialog.

Now BPX GETSTARTUPINFOA and click the Try button, then trace until we break into the program module. Looking a few lines up we can see the real program entry point:

0x4315D0 PUSH EBP = 55 --- real EIP--- dumping point
0x4315D1 MOV EBP,ESP = 8B EC
0x4315D3 PUSH FF = 6A FF

Now put BPMB CS:4315D0 X, restart the app, escape from MeltIce as above and click the Try button. As soon as we break at this EIP, dump using the JMP EIP trick: overwrite the two bytes at the entry point with EB FE (a short jump to itself), let the process run so it spins at the OEP fully unpacked, and dump it there.

In Windows Explorer the dumped file has a different icon, because it is virgin. Now use WinHex and change EB FE back to 55 8B at the entry point.

There is no need to change the entry point of the dumped file: SoftWrap has already set it, and it has not touched the IAT either, so we get the real unpacked program.
†"
"windows"="„†zŒ‡}Œ…"

Those invalid characters are its counter; if you increase the count you will get 50+ executions.
0x40A6AB CMP EDI,EAX        ; 3C = 60 decimal ; EDI = number of days used
0x40A6AD JLE 40A70A = 7E 5B ; --> GOOD BOY, file offset = A6AD
...........................................
NOW BPMB 5F5A78 RW --- CONTINUE
...........................................
0x40A942 PUSH 5F5A78
0x40A947 CALL [005B42A8]
0x40A94D ADD ESP,04
0x40A950 CMP EDI,EAX
0x40A952 JLE 40A973 = 7E 1F ; --> GOOD BOY, file offset = A952

So all you need to do is convert each JLE into a JMP, i.e. opcode
JLE ---> JMP i.e. 7E ===> EB (the displacement byte after it stays as it is, so the jump target is unchanged)
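The three byte-level edits in this tutorial (blinding the SICE/NTICE/REGMON/FILEMON strings, putting 55 8B back over the EB FE at the entry point, and turning the two JLEs into JMPs) are exactly the kind of thing you want done by a patcher that checks the bytes before it writes them, so a wrong offset cannot silently corrupt the dump. The script below is an added example, not the tutorial author's tool and nothing shipped with SoftWrap or CompuChess. It assumes the dump maps 1:1 at image base 0x400000 (so file offset = VA - 0x400000, as the "GOOD BOY OFFSET = A6AD" above implies), it assumes the dummy names NXICE/REXMON/FIXEMON (only 'SXCE' comes from the text), and sample_image()/sample_loader() are constructed stand-ins carrying just the bytes quoted above so the script runs offline. String blinding is kept separate from the dump fix-up because those names live in the SoftWrap loader, not in the unpacked program; run it on a copy of the packed exe only if the loader keeps them in clear on disk.

```python
"""Verified byte patcher for the SoftWrap/CompuChess walkthrough (added example)."""

IMAGE_BASE = 0x400000  # assumption: dump maps straight at the image base, file offset = VA - base

# Same-length replacements for the debugger/monitor names the loader searches for.
# 'SICE' -> 'SXCE' is from the tutorial; the other three dummies are this example's choice.
DETECTION_STRINGS = {
    b"FILEMON": b"FIXEMON",
    b"REGMON": b"REXMON",
    b"NTICE": b"NXICE",
    b"SICE": b"SXCE",
}


class PatchError(Exception):
    """Raised when the bytes on disk are not what the walkthrough says they should be."""


def va_to_offset(va: int, image_base: int = IMAGE_BASE) -> int:
    """Map a virtual address to a file offset in a straight memory dump."""
    if va < image_base:
        raise PatchError(f"VA {va:#x} is below the image base {image_base:#x}")
    return va - image_base


def patch(data: bytearray, offset: int, expected: bytes, new: bytes) -> None:
    """In-place patch that refuses to write unless the expected bytes are really there."""
    if len(expected) != len(new):
        raise PatchError("a patch must keep the file size")
    actual = bytes(data[offset:offset + len(expected)])
    if actual != expected:
        raise PatchError(f"offset {offset:#x}: expected {expected.hex()} but found {actual.hex()}")
    data[offset:offset + len(new)] = new


def neutralise_detection_strings(data: bytearray, table=DETECTION_STRINGS) -> int:
    """Overwrite every occurrence of each detection string with its same-length dummy; returns hit count."""
    hits = 0
    for needle, dummy in table.items():
        if len(needle) != len(dummy):
            raise PatchError("replacement must keep the string length")
        pos = data.find(needle)
        while pos >= 0:
            data[pos:pos + len(needle)] = dummy
            hits += 1
            pos = data.find(needle, pos + len(needle))
    return hits


def fix_dump(data: bytearray) -> dict:
    """Apply the two post-dump fixes from the walkthrough; returns the file offsets it patched."""
    # 1. Restore the entry point: EB FE (jmp $) was written over 55 8B (push ebp / mov ebp,esp)
    #    to freeze the process at the OEP for dumping.
    oep = va_to_offset(0x4315D0)
    patch(data, oep, b"\xEB\xFE", b"\x55\x8B")
    # 2. Force the good-boy path at both checks: JLE short (7E) -> JMP short (EB).
    #    The displacement byte that follows is untouched, so the target stays the same.
    good_boy = []
    for va in (0x40A6AD, 0x40A952):
        off = va_to_offset(va)
        patch(data, off, b"\x7E", b"\xEB")
        good_boy.append(off)
    return {"oep_offset": oep, "good_boy_offsets": good_boy}


def sample_image() -> bytearray:
    """Constructed stand-in for the dumped file: only the bytes quoted in the tutorial are real."""
    img = bytearray(0x32000)
    img[0x315D0:0x315D5] = b"\xEB\xFE\xEC\x6A\xFF"  # frozen OEP: EB FE, then the original EC 6A FF
    img[0xA6AD:0xA6AF] = b"\x7E\x5B"                # JLE 40A70A
    img[0xA952:0xA954] = b"\x7E\x1F"                # JLE 40A973
    return img


def sample_loader() -> bytearray:
    """Constructed stand-in for loader bytes holding the MeltIce/monitor names in clear."""
    return bytearray(b"\\\\.\\SICE\x00\\\\.\\NTICE\x00REGMON.EXE\x00FILEMON.EXE\x00")


if __name__ == "__main__":
    image = sample_image()
    print(fix_dump(image))
    print(image[0x315D0:0x315D5].hex(), image[0xA6AD:0xA6AF].hex(), image[0xA952:0xA954].hex())
    loader = sample_loader()
    print(neutralise_detection_strings(loader), bytes(loader))
```

Against a real dump, read the file into a bytearray, call fix_dump on it and write it back out under a new name; the PatchError on a second run (the OEP no longer holds EB FE) is deliberate, so you cannot double-patch a file by accident.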
Suppose we just try to redirect this check to an original and virgin