<html>
<head>
<title>template</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#000000">
<table width="75%" border="0" cellpadding="0" cellspacing="0">
  <tr> 
    <td height="9"><IMG height=14 src="../../../headertutinfo.gif" width=200></td>
  </tr>
</table>
<table width="75%" border="1" bordercolor="#ff6600" bordercolorlight="#ff6600" bordercolordark="#ff6600">
  <tr bgcolor="#ffffff"> 
    <td height="81">
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td>Program</td>
          <td>---4Safe StrongDisk v.2.7 ---</td>
        </tr>
        <tr>
          <td height="18">Where to get it</td>
          <td height="18">http://<A 
            href="http://www.PhisTechSoft.com">www.PhisTechSoft.com</A>  </td>
        </tr>
        <tr>
          <td>Coded in</td>
          <td>C++</td>
        </tr>
        <tr>
          <td>Protection Rating</td>
          <td>[XXXX------]</td>
        </tr>
        <tr>
          <td>Tools used</td>
          <td>SoftICE v.4.0, IDA v4.04, HIEW v.5.50, ProcDump</td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<p>&nbsp;</p>
<p>&nbsp;</p>
<table width="100%" border="1" bgcolor="#000000" bordercolorlight="#ff6633" bordercolordark="#ff6600" bordercolor="#ff6600">
  <tr bgcolor="#ffffff"> 
    <td height="98"> 
      <pre>
Hi reader.
Today I'm going to show you how to crack '4Safe StrongDisk v.2.7', and also how to patch
files packed with UPX. I assume knowledge of SoftICE, asm, and of cracking in general.
</pre>
      <pre>--------------------------------Blah Blah Blah-------------------------------------------</pre>
      <pre>      I wrote this tutorial ONLY for educational purposes. Not for anything else.</pre>
      <pre>----------------------------------Our target---------------------------------------------
          Registration, of course :)  Run regwiz.exe.
</pre>
      <pre>
----------------------------------Let's start...-----------------------------------------
Can you click 'Next' after you enter a serial? No. But why?
Start regwiz.exe and type the serial 'qwer11112222333' (15 chars). Then set:
  bpx GetDlgItemTextA
F5
Now type '3', the 16th and last char. Boom! You are inside SoftICE. F11 returns to the caller:

00401350:  call   ESI             ; GetDlgItemTextA
bc 0
bpx 401350
</pre>
      <pre>..skipped 5 lines
           call   ESI             ; GetDlgItemTextA
..skipped 5 lines
           call   ESI             ; GetDlgItemTextA
..skipped 5 lines
           call   ESI             ; GetDlgItemTextA
..skipped 6 lines
0040138D:  cmp    ECX,10          ; is the serial 16 chars long?
           jnz    004013FA        ; jump (fail) if the length is not 16
           xor    ECX,ECX         ; ECX = index of the char being checked
00401392:  mov    DL,[ESP+12]     ; third char ('E') into DL
00401398:  mov    AL,[ECX+ESP+10] ; char number ECX (first pass: 'Q') into AL
...not interesting
004013B2:  mov    AL,[ESP+10]     ; first char ('Q') into AL
004013B6:  cmp    AL,53           ; 'S'
004013B8:  jz     004013F2        ; jump (OK) if AL == 'S'
004013BA:  cmp    AL,57           ; 'W'
004013BC:  jz     004013F2        ; jump (OK) if AL == 'W'
004013BE:  cmp    AL,50           ; 'P'
004013C0:  jz     004013F2        ; jump (OK) if AL == 'P'
004013C2:  jmp    004013F0        ; none matched -> error

Let's look at 004013F0:
004013F0:  mov    BL,01           ; this is the program's 'error' flag;
                                  ; while BL == 1 you can't click 'Next'.
                                  ; mov BL,01 is two bytes, so 004013F2 is the next
                                  ; instruction and every jz above skips the flag.

Note that jz jumps when the compare was EQUAL, so each of those three jumps is the
good case, not the bad one.
OK. Write down: the 1st char must be 'S', 'W' or 'P'.
Replace 'Q' with 'P' in our serial.
</pre>
      <pre>SoftICE breaks here:
00401350   call ESI
Trace the code with F10 until you see:
</pre>
      <pre>004013C4   cmp ECX,01               ; is this the 2nd char?
           jnz 004013D2             ; jump if not
           cmp byte ptr [ESI+11],4E ; OK: the 2nd char must be 'N'
           jz  004013F2             ; (OK)
           jmp 004013F0             ; (error)
           cmp ECX,02               ; is this the 3rd char?
           jnz 004013F2             ; jump (OK, nothing to check) if not
           cmp DL,45                ; 'E'
           jz  004013F2
           cmp DL,46                ; 'F'
           jz  004013F2
           cmp DL,47                ; 'G'
           jz  004013F2
           cmp DL,50                ; 'P'
           jz  004013F2
           cmp DL,52                ; 'R'
           jz  004013F2             ; no match -> BL gets set at 004013F0
</pre>
      <pre>The 3rd char must be 'E', 'F', 'G', 'P' or 'R'.

What are all these chars for? Always read the help files before cracking.</pre>
      <pre>
1st char:
'S' - Server Edition
'W' - Workstation Edition
'P' - Personal Edition
2nd char:
'N' - I don't know
3rd char:
'E' - English
'F' - France or Finland?
'G' - Germany?
'P' - Polish?
'R' - Russia
</pre>
      <pre>If your country is Russia you must use 'R'; use 'E' for English-speaking countries.
I tried only 'R' and 'E'.
So, being Russian, I should type 'PNR'.
</pre>
      <pre>Wow! Now I can click 'Next'.
Set bpx GetDlgItemTextA, then click 'Next'. Boom! F11.
Trace the code and try to understand what happens.
........
0040169E:  jnz  00406CE   ; our target. Let's crack it.
In SoftICE, assemble a jz over it:
a 40169e
cs:0040169e  jz 00406ce
F5. Great! It works.
</pre>
      <pre>I also found a limitation for Russian users at 004012A2: call XXXXXXXX.
Replacing the first byte (the E8 'call rel32' opcode) at 004012A2 with B8 turns the
5-byte call into 'mov eax,imm32', which kills the call without breaking the
instruction stream.
</pre>
      <pre>------------------------------------Patching-------------------------------------------</pre>
      <pre>OK. You cracked this proggy. But it's packed with UPX 0.94 :(  No problem at all.</pre>
      <pre>First, let's disassemble it. W32Dasm produces a lot of garbage from packed files.
IDA disassembles only the unpacked part (the depacker). That's fine for us.
    We can use UPX's own unpacking code: redirect the jump to the start of the original
code so that it lands on our patch, patch the code in memory, then return execution to
the original program.
Try loading regwiz.exe in Symbol Loader: SoftICE doesn't break.
          Start ProcDump --> PE Editor --> regwiz.exe --> Sections. The Characteristics of
UPX0 are E0000080. Replace them with E0000020 (the 0x80 bit means 'uninitialised data',
0x20 means 'code'). Now SoftICE will break.
Trace the code with F10 until you find the jmp to the Depacker Exit Point (DEP).
It took me an hour. For UPX the DEP is near the end of the file.
Let's disassemble regwiz.exe with IDA:

00433EC0   pusha             ; Depacker Start Point
...skipped
0043400E   popa
0043400F   jmp  XXXXXXXX     ; Depacker Exit Point, file offset 0x1340F
</pre>
      <pre>Load regwiz.exe in HIEW. Go to offset 1340F. You need to redirect this JMP and add some code:</pre>
      <pre>0001340F: E902000000      JMP 000013416           ; jmp to our memory patch
00013414: 0000            ADD [EAX],AL            ; leftover bytes, skipped by the jmp
00013416: C6059E16400074  MOV B,[00040169E],074   ; replace JNZ with JZ
0001341D: C605A2124000B8  MOV B,[0004012A2],0B8   ; kill the CALL
00013424: E910F4FCFF      JMP 0FFFE2839           ; jmp to the Program Entry Point

(HIEW prints jump targets as file offsets, so '0FFFE2839' is just 13429 - 30BF0
wrapped around; the same rel32 lands on the original entry point once the code is
mapped in memory.)
</pre>
      <pre>That's all.</pre>
      <pre>I hope you understand my terrible English :)</pre>
      <pre>
Regards,  Corbio.</pre>
      <pre>====================================(c) Corbio /CFF=====   ============================</pre>
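      <p>Added example (not part of Corbio's tutorial): the first-stage check traced above, at 0040138D..004013F2, rewritten in Python so candidate serials can be tried without SoftICE. It models only what the listing shows (length 16; position 0 in S/W/P; position 1 is 'N'; position 2 in E/F/G/P/R) and keeps the loop index ECX and the error flag BL so the mapping to the asm stays visible. The second-stage check behind the jnz at 0040169E is not reproduced, since the tutorial patches it rather than reversing it. The function names and the sample serials are my own.</p>

```python
# Added example, not from the tutorial: the 0040138D..004013F2 serial check
# reconstructed from the disassembly above. Only what the listing shows is
# modelled; the second-stage check at 0040169E is not.

# Meanings as the tutorial reads them from the help file; '?' entries are the
# author's own guesses, reproduced as such.
FIRST_CHAR = {"S": "Server Edition", "W": "Workstation Edition",
              "P": "Personal Edition"}
THIRD_CHAR = {"E": "English", "F": "France or Finland?", "G": "Germany?",
              "P": "Polish?", "R": "Russia"}
SERIAL_LEN = 0x10                                  # cmp ECX,10


def prefix_check(serial):
    """Mirror the code path. Returns (bl, index): bl is the error flag the
    program keeps in BL (1 = 'Next' stays disabled), index is the position
    that failed, or None when every examined position passed."""
    if len(serial) != SERIAL_LEN:                  # cmp ECX,10 / jnz 004013FA
        return 1, None
    for ecx, al in enumerate(serial):              # mov AL,[ECX+ESP+10]
        if ecx == 0:                               # cmp AL,'S'/'W'/'P' ; jz 004013F2
            ok = al in FIRST_CHAR
        elif ecx == 1:                             # cmp byte ptr [ESI+11],'N' ; jz 004013F2
            ok = al == "N"
        elif ecx == 2:                             # cmp DL,'E'/'F'/'G'/'P'/'R' ; jz 004013F2
            ok = al in THIRD_CHAR
        else:                                      # cmp ECX,02 / jnz 004013F2:
            ok = True                              # positions 3..15 are not examined here
        if not ok:                                 # jmp 004013F0: mov BL,01
            return 1, ecx
    return 0, None


def next_enabled(serial):
    """True when this stage would let you click 'Next' (BL == 0)."""
    return prefix_check(serial)[0] == 0


def describe(serial):
    """Edition and language the first three chars encode, per the help file."""
    if not next_enabled(serial):
        return None
    return FIRST_CHAR[serial[0]], THIRD_CHAR[serial[2]]


if __name__ == "__main__":
    for s in ("qwer11112222333", "qwer111122223333", "PNR1111222233333"):
        print(s, prefix_check(s), describe(s))
```

      <p>Two things the reconstruction makes explicit that the listing does not say out loud: the length test happens before the loop, so the 15-char serial the tutorial starts with never reaches the character checks at all, and each <code>jz 004013F2</code> is the success branch (it skips the <code>mov BL,01</code>), so the loop can only set the flag, never clear it.</p>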
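      <p>Added example (not part of Corbio's tutorial): the patching procedure above, done by script rather than in ProcDump and HIEW. It parses the PE section table, flips UPX0's Characteristics from E0000080 to E0000020, translates between file offsets and virtual addresses through the section table, assembles the stub (<code>mov byte ptr [abs32],imm8</code> = C6 05 disp32 imm8, then <code>jmp rel32</code> = E9) and redirects the depacker's exit jump to it. The PE image is constructed inline as a stand-in for regwiz.exe; its section layout is an assumption chosen so that file offset 0x1340F maps to VA 0x43400F as on this page. The value OEP_VA is not stated on the page: it is what the page's own bytes <code>E9 10F4FCFF</code> decode to under that mapping (0x434029 - 0x30BF0 = 0x403439), and the demo image seeds the depacker's exit jump with it. All names are mine.</p>

```python
# Added example, not from the tutorial: the UPX patching procedure by script.
# The PE is constructed inline (assumed layout: UPX0 at RVA 0x1000 with no raw
# data, UPX1 at RVA 0x21000 / raw 0x400, so 0x1340F <-> VA 0x43400F as on the
# page). OEP_VA is decoded from the page's bytes E9 10F4FCFF, not stated there.
import struct

IMAGE_BASE = 0x400000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080

DEP_OFF = 0x1340F              # depacker exit: 'jmp OEP' (file offset)
STUB_OFF = 0x13416             # free bytes right behind it
PATCHES = [(0x40169E, 0x74),   # jnz -> jz  (the serial check)
           (0x4012A2, 0xB8)]   # call rel32 -> mov eax,imm32 (the Russian-users call)
OEP_VA = 0x403439              # assumed, see header comment

def section_table(pe):
    """Section headers as dicts: name, RVA, raw pointer/size, Characteristics."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    first = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        o = first + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, o + 8)
        secs.append({"name": bytes(pe[o:o + 8]).rstrip(b"\0").decode(), "hdr": o,
                     "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize,
                     "chars": struct.unpack_from("<I", pe, o + 36)[0]})
    return secs

def off_to_va(pe, off):
    """File offset -> virtual address, via the section whose raw data holds it."""
    for s in section_table(pe):
        if s["raw"] <= off < s["raw"] + s["rawsize"]:
            return IMAGE_BASE + s["va"] + (off - s["raw"])
    raise ValueError("offset %#x is not backed by file data" % off)

def mark_as_code(pe, name):
    """The ProcDump step: Characteristics E0000080 -> E0000020."""
    for s in section_table(pe):
        if s["name"] == name:
            new = (s["chars"] & ~IMAGE_SCN_CNT_UNINITIALIZED_DATA) | IMAGE_SCN_CNT_CODE
            struct.pack_into("<I", pe, s["hdr"] + 36, new)
            return new
    raise KeyError(name)

def jmp_rel32(src_va, dst_va):
    """E9 rel32: the displacement counts from the END of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))

def mov_byte_abs(addr, imm8):
    """C6 05 disp32 imm8 = mov byte ptr [addr], imm8 (7 bytes)."""
    return b"\xC6\x05" + struct.pack("<IB", addr, imm8)

def decode_jmp_target(pe, off):
    """VA the E9 at file offset `off` lands on. HIEW shows the same jump relative
    to the file offset instead, which is why the page prints 'JMP 0FFFE2839'."""
    if pe[off] != 0xE9:
        raise ValueError("no E9 at %#x" % off)
    rel, = struct.unpack_from("<i", pe, off + 1)
    return off_to_va(pe, off) + 5 + rel

def apply_loader_patch(pe, dep_off, stub_off, patches):
    """Hook the depacker's exit: it now jumps to our stub, which writes the
    patches into the freshly unpacked image and then jumps to the real OEP."""
    oep = decode_jmp_target(pe, dep_off)          # read it from the file, don't guess
    body = b"".join(mov_byte_abs(a, b) for a, b in patches)
    stub = body + jmp_rel32(off_to_va(pe, stub_off) + len(body), oep)
    pe[stub_off:stub_off + len(stub)] = stub
    pe[dep_off:dep_off + 5] = jmp_rel32(off_to_va(pe, dep_off), off_to_va(pe, stub_off))
    return stub

def build_demo_pe():
    """Constructed two-section image. UPX0 has no raw data: its code only exists
    after unpacking, which is why the patch must be made in memory, not on disk."""
    e_lfanew, opt_size = 0x80, 0xE0
    pe = bytearray(0x400 + 0x14000)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", pe, e_lfanew + 4, 0x14C, 2)   # i386, 2 sections
    struct.pack_into("<H", pe, e_lfanew + 20, opt_size)
    opt = e_lfanew + 24
    struct.pack_into("<H", pe, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", pe, opt + 16, 0x33EC0)           # entry = depacker 'pusha'
    struct.pack_into("<I", pe, opt + 28, IMAGE_BASE)
    first = opt + opt_size
    layout = [(b"UPX0", 0x20000, 0x1000, 0, 0, 0xE0000080),            # name, vsize, RVA,
              (b"UPX1", 0x14000, 0x21000, 0x14000, 0x400, 0xE0000040)]  # rawsize, rawptr, flags
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(layout):
        o = first + 40 * i
        pe[o:o + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", pe, o + 8, vsize, va, rawsize, rawptr)
        struct.pack_into("<I", pe, o + 36, chars)
    pe[DEP_OFF - 1] = 0x61                                  # popa, as UPX leaves it
    pe[DEP_OFF:DEP_OFF + 5] = jmp_rel32(off_to_va(pe, DEP_OFF), OEP_VA)
    return pe
```

      <p>Running <code>apply_loader_patch(build_demo_pe(), DEP_OFF, STUB_OFF, PATCHES)</code> reproduces the page's bytes exactly: <code>E902000000</code> at 1340F and <code>C6059E16400074 C605A2124000B8 E910F4FCFF</code> at 13416. The point of computing rel32 from virtual addresses rather than file offsets is the last instruction: the stub sits in UPX1 and jumps into UPX0, two sections with different offset-to-VA deltas, so HIEW's offset-based display ('0FFFE2839') cannot be trusted for a cross-section jump, while the encoded displacement is correct once the image is mapped.</p>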
      </td>
  </tr>
</table>
<p>&nbsp;</p>
</body>
</html>


