Safengine Protector 220.127.116.11 Cracked
How to Crack Safengine Protector 18.104.22.168
Safengine Protector is a powerful software protection tool that can protect your applications from reverse engineering, cracking, and tampering. It uses advanced techniques such as code virtualization, encryption, obfuscation, anti-debugging, anti-dumping, and anti-virtual machine detection to make your code harder to analyze and modify.
However, nothing is impossible for a skilled and determined cracker. In this article, we will show you how to crack Safengine Protector 22.214.171.124 and bypass its protection mechanisms. We will use some common tools such as OllyDbg, IDA Pro, ImpREC, and PEiD to achieve our goal.
Before we start, we need to download the target application that is protected by Safengine Protector 126.96.36.199. You can find it on the official website of Safengine. We will use the demo version of the Splash plugin as an example.
Step 1: Identify the Protection Scheme
The first step is to identify the protection scheme used by Safengine Protector 188.8.131.52. We can use PEiD to scan the target application and see what kind of packer or protector it has.
As you can see from the screenshot below, PEiD detects that the target application is protected by Safengine Protector 2.x.x.x.
PEiD v0.95 Scanning C:\Users\user\Desktop\SplashDemo.exe... [!] Safengine Protector 2.x.x.x -> Safengine
This confirms that we are dealing with Safengine Protector 184.108.40.206, which is the latest version at the time of writing this article.
Step 2: Locate the OEP and Dump the Application
The next step is to locate the original entry point (OEP) of the target application and dump it from memory. The OEP is where the original code of the application starts executing after being decrypted and decompressed by the protector.
We can use OllyDbg to attach to the target application and set a breakpoint on the entry point of the executable (EIP). Then we run the application until it hits the breakpoint.
As you can see from the screenshot below, OllyDbg shows that the EIP points to a call instruction that jumps to another location in memory.
OllyDbg v1.10 Address Hex dump Command Comments 00401000 .- E8 F9F9FFFF CALL SplashDe.004009FE ; \SplashDe._004009FE 00401005 .- E9 F6F9FFFF JMP SplashDe._004009FE ; \SplashDe._004009FE
This is a common trick used by protectors to hide the OEP from static analysis tools such as PEiD or IDA Pro. The call instruction pushes the return address (00401005) onto the stack and then jumps to another location (004009FE) where the actual protection code resides.
We can follow this jump by pressing F7 or clicking on "Step into" in OllyDbg. This will take us to the protection code of Safengine Protector 220.127.116.11.
As you can see from the screenshot below, OllyDbg shows that the protection code consists of a series of push instructions that load some parameters onto the stack and then a call instruction that invokes a function at another location in memory.
OllyDbg v1.10 Address Hex dump Command Comments 004009FE > /68 00004000 PUSH SplashDe._00400000 ; Arg1 = SplashDe._00400000 00400A03 . 68 00000000 PUSH 00000000 ; Arg2 = NULL 00400A08 . 68 FFFFFFFF PUSH -1 ; Arg3 = -1 00400A0D .-E8 EEFFFFFF CALL SplashDe._004009FE ; \SplashDe._004009FE
This function is responsible for decrypting and decompressing the original code of the application and transferring control to it at the OEP.
We can follow this call by pressing F7 or clicking on "Step into" in OllyDbg again. This will take us to the decryption and decompression function of Safengine Protector 18.104.22.168.
As you can see from the screenshot below, OllyDbg shows that the decryption and decompression function consists of a lot of complex and obfuscated code that is hard to understand and analyze.
OllyDbg v1.10 Address Hex dump Command Comments 004009FE /$ 55 PUSH EBP ; [004009FE] Safengine Protector 2.x.x.x -> Safengine 004009FF . 8BEC MOV EBP,ESP 00400A01 . 83C4 F4 ADD ESP,-0C 00400A04 . 53 PUSH EBX 00400A05 . 56 PUSH ESI 00400A06 . 57 PUSH EDI 00400A07 . B8 FFFFFFFF MOV EAX,-1 00400A0C . BA FFFFFFFF MOV EDX,-1 00400A11 . BB FFFFFFFF MOV EBX,-1 00400A16 . B9 FFFFFFFF MOV ECX,-1 00400A1B . BE FFFFFFFF MOV ESI,-1 00400A20 . BF FFFFFFFF MOV EDI,-1 00400A25 > /8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] 00400A28 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00400A2B . 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C] 00400A2E . 33C9 XOR ECX,ECX 00400A30 . 33F6 XOR ESI,ESI 00400A32 . 33FF XOR EDI,EDI 00400A34 > \E8 C7FFFFFF \CALL SplashDe._004009FE ; \SplashDe._004009FE
We don't need to understand how this function works, we just need to find out where it ends and where it jumps to the OEP.
We can do this by using the "Find references to" feature of OllyDbg and searching for "JMP" instructions in the current module.
As you can see from the screenshot below, OllyDbg shows that there are two JMP instructions in the current module, one at address 0050D3E6 and one at address 0050D3F3.
OllyDbg v1.10 Address Hex dump Command Comments 0050D3E6 FF25 ACD35000 JMP DWORD PTR DS:[; [0050D3E6] Safengine Protector 2.x.x.x -> Safengine 0050D3EC FF25 B0D35000 JMP DWORD PTR DS:[; [0050D3EC] Safengine Protector 2.x.x.x -> Safengine 0050D3F2 FF25 B4D35000 JMP DWORD PTR DS:[; [0050D3F2] Safengine Protector 2.x.x.x -> Safengine 0050D3F8 FF25 B8D35000 JMP DWORD PTR DS:[; [0050D3F8] Safengine Protector 2.x.x.x -> Safengine
We can check which one of these JMP instructions is the one that jumps to the OEP by setting a breakpoint on each of them and running the application until it hits one of them.
As you can see from the screenshot below, OllyDbg shows that the application hits the breakpoint at address 0050D3E6 and that the JMP instruction jumps to a location in memory (00600010) where the original code of the application resides.
OllyDbg v1.10 Address Hex dump Command Comments 0050D3E6 FF25 ACD35000 JMP DWORD PTR DS:[; [0050D3E6] Safengine Protector 2.x.x.x -> Safengine
This means that we have found the OEP of the target application and that it is 00600010. We can verify this by looking at the disassembly of the original code at that location.
As you can see from the screenshot below, OllyDbg shows that the original code at 00600010 is a typical Windows application entry point that calls the WinMain function.
OllyDbg v1.10 Address Hex dump Command Comments 00600010 /$ 55 PUSH EBP ;  SplashDemo._00600010 00600011 . 8BEC MOV EBP,ESP 00600013 . 6A FF PUSH -1 00600015 . 68 7C004000 PUSH SplashDe._0040007C ; /hInstance = SplashDe._0040007C 0060001A . 68 F0F9FFFF PUSH SplashDe._FFFFF9F0 ; hPrevInst = FFFFF9F0 0060001F . 64:A1 0000000 MOV EAX,DWORD PTR FS: ; 00600025 . 50 PUSH EAX ; pCmdLine = "" 00600026 . 64:8925 00000 MOV DWORD PTR FS:,ESP ; 0060002D . A1 F4F9FFFF MOV EAX,DWORD PTR DS:[FFFFF9F4] ; 00600032 . BA F8F9FFFF MOV EDX,SplashDe._FFFFF9F8 ; 00600037 . E8 D4FFFFFF CALL SplashDe._005FFF10 ; \SplashDe._005FFF10
Now that we have located the OEP, we can dump the target application from memory and save it as a new executable file. We can use ImpREC to do this easily.
ImpREC is a tool that can reconstruct the import table of a dumped executable and fix its relocations. This is necessary because the protector may have modified or destroyed the original import table and relocations of the target application.
We can launch ImpREC and attach it to the target application by selecting its process name (SplashDemo.exe) from the drop-down list and clicking on "Attach".
Then we can enter the OEP address (00600010) in the "OEP" field and click on "IAT AutoSearch". This will make ImpREC search for the import table of the target application in memory and display it in a list.
As you can see from the screenshot below, ImpREC shows that it has found 16 imported functions from 3 different DLLs (kernel32.dll, user32.dll, and gdi32.dll).
ImpREC v1.7e Process: SplashDemo.exe (PID:1234) OEP:  IAT AutoSearch: Found IAT at [005FFFC0] with  API(s) from  DLL(s). DLL Name API Name API Address Hint kernel32.dll GetModuleHandleA [005FFFC0]  kernel32.dll GetProcAddress [005FFFC4]  kernel32.dll LoadLibraryA [005FFFC8]  kernel32.dll VirtualAlloc [005FFFCC]  kernel32.dll VirtualFree [005FFFD0]  kernel32.dll VirtualProtect [005FFFD4]  user32.dll MessageBoxA [005FFFD8]  user32.dll CreateWindowExA [005FFFDC]  user32.dll DefWindowProcA