SoftThinks

SoftThinks is a privately-held company that provided deployment solutions to OEMs, businesses, and consumers. Before renaming themselves in early 2000 and localizing themselves within the United States, they were founded during the mid-to-late 90s under the name of AS Media which was based within Marseille, France; experimenting with the United Kingdom market while under this name, as both countries reside on the European continent. Their recovery software, PC Angel, was very popularly used by many well-known OEMs by the likes of HP (and therefore Compaq), Gateway, and eMachines to name a few within later years.

Security Pre-XP
The PC Angel software has existed for as long as the company itself, first taking on the look of the Windows 98 setup as seen in an archive of Softthinks' website in 2001. The version on the image was shortly before their rename, as seen by the  on the bottom left corner. More interestingly however, it was most commonly referred to as "QuickRestore" during this time, a name frequently associated with Compaq before HP's acquiring of the company. Unlike the real Windows 98 setup, it runs on it's own shell instead of a minimized Windows 3.1 environment. These types of discs were created through a tool, briefly shown in another page of SoftThinks' under the program title of.

The protection of these discs rely on a file named BIOS.DAT within the boot image, which compares it's value against the manufacturer or model information as reported by the Desktop Management Interface (DMI). This value is encrypted with a variant Beaufort cipher, using a key of. The alphabet it uses for deciphering first begins with  and may either end with   or   depending which worked better with the value. It does have a bug where some values may be read as, with such a reading oddly allowing for recovery to be begun no matter the deciphered value. This cipher repeats the key for it's algorithm, and a space will count in it's repetition unlike most readily-available decoders for this particular cipher. An example of this using the key, presuming the value is  (which'll just display the key as-is) would be   instead of. The images that they restore in chunks has an extension of  which seems to be in actuality Cabinet files but with an altered header,   instead of.

Security In XP-Era
SoftThinks, at some point in time (possibly between late-2001 and mid-2002), released a new variant of their PC Angel software while retiring the alternative "QuickRestore" name. There was a section on their site devoted for this new variant on their site, and the many new differences it'd bring. The most notable was the software being run under a Preinstallation Environment (PE, for short) of the operating system of their respective era that were typically issued to OEMs by Microsoft. However, in most cases, the only protection was a basic BIOS-lock in the El Torito boot sector of the CD, that can be easily bypassed by replacing it with a stock Windows XP boot-sector.

A page on the SoftThinks website back in 2002 stated that "Any O/S recovery CD (except for Windows XP) has to be protected by BIOS lock technology," likely as Windows XP introduced Windows Product Activation (WPA) which wouldn’t allow the system to activate and in turn be used with the pre-configured key under the wrong machine in ideal cases. This had made it reliant on the OEM’s to provide their own protection, with the most common course of action being previously described already with the bootloader. Seemingly recovery discs originating from Gateway and also several from eMachines during this era are deprived of any kind of bootloader protection.

Around this time period, the INP files switched to using a proprietary format that was repurposed from their Casper HDD cloning software. The file structure of each of these files goes as follows: 8 bytes | 0x00 - 0x08 | 4353504C49474854   | Header bytes "CSPLIGHT" 4 bytes | 0x08 - 0x0C | 01000000           | Version (known: 1, 2, 5) 4 bytes | 0x0C - 0x10 | 9E7EEFCF           | Likely unused, functions seem to skip right over it 8 bytes | 0x10 - 0x18 | 2800000000000000    | Offset to raw data (0x28 on v1/v5, 0x30 on v2) 8 bytes | 0x18 - 0x20 | A5543B0400000000   | Offset to file attributes 8 bytes | 0x20 - 0x28 | C0EE000000000000   | File attributes table size -- V2 -- 8 bytes | 0x28 - 0x30 | 0000401F00000000   | Maximum size -- File Entry -- 4 bytes | X - X+4    | 1D000000            | Length of compressed data N bytes | X+4 - X+4+N | 78DA3330D13734D0... | Compressed data Sample of a compressed ZLIB blob: 00000000 | 78da 3330 d137 34d0 3732 57d0 5530 b4b4 00000010 | 3231 b132 31e3 e502 002b 4703 c1 Sample of a ZLIB blob after decompression (zlib.decompress in Python): 00000000 | 3034 2f31 302f 3237 202d 2031 393a 3434 | 04/10/27 - 19:44 00000010 | 3a34 360d 0a                           | :47.. There was a Lite Edition (LE) introduced during this time, which was a condensed down version of the software meant for easy deployment for businesses.

Security In Vista/7-Era
By the time Vista came around, SoftThinks had created yet another new PC Angel interface that reintroduced BIOS-locking mechanisms back into the software after previously being removed due to Microsoft's new activation scheme that was introduced with the previous system.

In all known cases, the checking functions are under CSTRecovery::SysLockSSRD and CSTRecovery::SyslockCheck in STRecovery.dll (or in 64-bit systems, STRecovery64.dll). To crack these discs, you will have to find cross-references to these functions and redirect the code execution to the correct path.

The way in which Lite Edition was planned to work would evolve close to Windows 7's release. It could be purchased one-time for $350, and brought customizability features like being able to add unique branding. There was a Demo Mode that allowed for use of the program for up to 3 years before disallowing it's use afterwards. A USB dongle could have been bought for $10 per computer to allow use of the software within that particular machine.