Log in

View Full Version : Installshield 9 - S/N Protection


lordbyte
June 12th, 2004, 06:10
I have a program, which is packed in an Installshield 9(I think?) single .exe file. When Setup is launched, after a few steps, you get the usual S/N box.

1) From what I've been able to tell, the new installshield setups, extract only the first part of the .cab files into the temporary directory. The main .cab file seems to get extracted only after the Sn is entered.

2) The new .inx files seem to be different from the 6.x & 7 versions. Thus all current inx decompilers do nothing.

3) I tried using SICE to bpx a few calls (for the S/N) but nothing is triggered (I've used the addr to set the correct process).

Is there anyone with any ideas on how I could proceed with this one? Please not that I'm relatively new to this.

Cheers,
lordb

evlncrn8
June 12th, 2004, 06:47
if you're lucky the s/n scheme might be in a dll loaded runtime, usually sitting in the temp dir, i used to always wait for the serial window to pop up, then kicked in sice and did a bpx loadlibrarya, then entered a bogus serial, clicked ok or whatever, then reenter the serial, it then usually always broke loading the dll, then it went through a getprocaddress and called the serial routine, 9/10 times setting eax = 1 on the return from the proc worked you could try that

Solomon
June 12th, 2004, 07:45
BTW: If it's an installshield password, it's often checked with FeatureValidate()/ComponentValidate() API, which is only a MD5 hash comparison.

lordbyte
June 12th, 2004, 16:39
Hi again,

Tried both your suggestions, but SICE never fires up. Regarding the external DLL, everything it extracts in the temp directory looks to me like a standard IS DLL. There is a custom .EXE file named DBUpdate (written in Delphi 7). I couldn't get DeDe's decompiler to dump everything (would crash towards the end), but from what I saw, it goes on their website and gets updates to their DB. Now, why it needs to be extracted first thing in the installation, is quite interesting.

One more thing. When doing proc from SICE, I see several processes with 'Deleting' as their status. What does 'deleting' mean? And how long do they stay in this state for? They were there 10 minutes later. (Asking because one of them was DBUpdater).

Any other ideas?

Thanks,
lordb