Looking for some help with softice and installshield methods


kittmaster
February 6th, 2005, 09:57
I'm looking to find the highest level of access to my target, I have access to the demo versions and edu version available, but I'd like to find the top tier key that unlocks the entire program (I've been told directly by support that the iso I have will turn into the top tier program with the correct serial). I'd like my own personal copy of the top tier version. I've never attempted a compressed installation attack before, I've been through all the crackmes, but none address how to handle compressed comparison of the strings.

The one thing I don't understand is how to get from script decompilation to the actual breakpoints under ice to verify the number routines. Most of the tuts make a lot of assumptions, and I don't have enough information to get from one point to the next and could use some guidance.

This is all part of the compressed installer that I'm trying to figure out to get the right password. The latest tutorials are dated 2001, and the ones that are out there make a lot of assumptions.

If someone is willing to take a look, I'll send the links to the isos if it can be done.

Can anyone help? What do the lNumbers mean, the placeholder?

The serials look like

L=letters
X=Numbers

LL-XXXX-XXXXX-XXXX-XXXXX

but from what I've seen, it will take the code without the - so it will look like

LLXXXXXXXXXXXXXXXXXX

Anyone?

This is the setup.ins file, below is the value.shl which contains the locator variables, and below that is the hex information

Code:

lNumber6 = LAST_RESULT = 0;
lNumber5 = lNumber5 && lNumber6;
lNumber6 = lNumber2 = 116;
lNumber7 = lNumber2 >= 136;
lNumber8 = lNumber2 <= 145;
lNumber7 = lNumber7 && lNumber8;
lNumber6 = lNumber6 || lNumber7;
lNumber5 = lNumber5 && lNumber6;
if (lNumber5 = 0) then
goto label197;
endif;
lNumber2 = lNumber2 - 100;
NumToStr(lString2, lNumber2);
NumToStr(lString3, lNumber3);
SetByte(string14, lNumber2, 49);
lNumber5 = lNumber3 = 0;
if (lNumber5 = 0) then
goto label196;
endif;
lNumber5 = lNumber2 = 16;
if (lNumber5 = 0) then
goto label182;
endif;
lString6 = "Gerbtool";

label182: //Ref: 005C3E
lNumber4 = 1;
lNumber5 = lNumber2 = 36;
if (lNumber5 = 0) then
goto label183;
endif;
lNumber4 = 5;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "5" + lString7;
goto label192;

label183: //Ref: 005C7C
lNumber5 = lNumber2 = 37;
if (lNumber5 = 0) then
goto label184;
endif;
lNumber4 = 10;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "10" + lString7;
goto label192;

label184: //Ref: 005CD3
lNumber5 = lNumber2 = 38;
if (lNumber5 = 0) then
goto label185;
endif;
lNumber4 = 15;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "15" + lString7;
goto label192;

label185: //Ref: 005D2B
lNumber5 = lNumber2 = 39;
if (lNumber5 = 0) then
goto label186;
endif;
lNumber4 = 20;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "20" + lString7;
goto label192;

label186: //Ref: 005D83
lNumber5 = lNumber2 = 40;
if (lNumber5 = 0) then
goto label187;
endif;
lNumber4 = 25;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "25" + lString7;
goto label192;

label187: //Ref: 005DDB
lNumber5 = lNumber2 = 41;
if (lNumber5 = 0) then
goto label188;
endif;
lNumber4 = 35;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "35" + lString7;
goto label192;

label188: //Ref: 005E33
lNumber5 = lNumber2 = 42;
if (lNumber5 = 0) then
goto label189;
endif;
lNumber4 = 50;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "50" + lString7;
goto label192;

label189: //Ref: 005E8B
lNumber5 = lNumber2 = 43;
if (lNumber5 = 0) then
goto label190;
endif;
lNumber4 = 75;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "75" + lString7;
goto label192;

label190: //Ref: 005EE3
lNumber5 = lNumber2 = 44;
if (lNumber5 = 0) then
goto label191;
endif;
lNumber4 = 100;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "100" + lString7;
goto label192;

label191: //Ref: 005F3B
lNumber5 = lNumber2 = 45;
if (lNumber5 = 0) then
goto label192;
endif;
lNumber4 = 250;
StrLoadString("", "NUM_NET_USERS", lString7);
lString6 = "250" + lString7;

label192: //Ref: 005CB8 005D10 005D68 005DC0 005E18 005E70 005EC8 005F20 005F79 005F94
lNumber5 = lNumber4 > number46;
if (lNumber5 = 0) then
goto label193;
endif;
number46 = lNumber4;

label193: //Ref: 005FE6
StrFind(string13, lString0);
lNumber5 = LAST_RESULT;
lNumber5 = lNumber5 < 0;
if (lNumber5 = 0) then
goto label195;
endif;
StrCompare(string13, "");
lNumber5 = LAST_RESULT = 0;
if (lNumber5 = 0) then
goto label194;
endif;
string13 = lString0;
goto label195;

label194: //Ref: 00604A
lString7 = string13 + ":";
string13 = lString7 + lString0;

label195: //Ref: 006022 006060
goto label196;

label196: //Ref: 005C1E 006084
StrLoadString("", "FEATURE_VALID", lString7);
Sprintf(lString5, lString7, lString6);
AskYesNo(lString5, 1);
lNumber0 = LAST_RESULT;
lString0 = "";
goto label198;

label197: //Ref: 005BD4
Delay(2);
StrLoadString("", "FEATURE_INVALID", lString7);
AskYesNo(lString7, 1);
lNumber0 = LAST_RESULT;

label198: //Ref: 0060CD
goto label178;

label199: //Ref: 0059C0
lNumber5 = number46 <= 2;
lNumber5 = number45 && lNumber5;
if (lNumber5 = 0) then
goto label200;
endif;
StrLoadString("", "NET_USERS", lString7);
MessageBox(lString7, -65534);

label200: //Ref: 006133
return(lNumber0);
return;
end;


// ------------- FUNCTION function119 --------------
function function119()
number lNumber0;
number lNumber1;
number lNumber2;
number lNumber3;
number lNumber4;
number lNumber5;
number lNumber6;
number lNumber7;
number lNumber8;
number lNumber9;
string lString0;
string lString1;
string lString2;
string lString3;
string lString4;
string lString5;
string lString6;
string lString7;
string lString8;
string lString9;
string lString10;
string lString11;
string lString12;
begin
RegDBSetDefaultRoot(-2147483646);
lString5 = "";
lString6 = "\\Software\\"TARGET NAME REMOVED"\\"TARGET NAME REMOVED"\\Install";
RegDBCreateKeyEx(lString6, lString5);
RegDBSetKeyValueEx(lString6, "Link", 1, "0", -1);
OpenFileMode(2);
lString11 = SRCDIR ^ "..\\";
OpenFile(lNumber4, lString11, "netreg.ini");
lNumber9 = LAST_RESULT;
lNumber9 = lNumber9 < 0;
if (lNumber9 = 0) then
goto label47;
endif;
return(-1);

label47: //Ref: 001FF1
CloseFile(lNumber4);
lString11 = SRCDIR ^ "..\\";
lString11 = lString11 + "Netreg.ini";
GetProfString(lString11, "install", "Serial", string7);
lString11 = SRCDIR ^ "..\\";
lString11 = lString11 + "Netreg.ini";
GetProfString(lString11, "install", "FC", string13);
lString1 = SRCDIR;
StrFind(lString1, "setup");
lNumber0 = LAST_RESULT;
lNumber9 = lNumber0 >= 0;
if (lNumber9 = 0) then
goto label48;
endif;
SetByte(lString1, lNumber0, 0);
goto label49;

label48: //Ref: 0020B8
lString1 = SRCDIR ^ "..\\";

label49: //Ref: 0020D3
Ishield5.CheckSerialNumber(string7, lString10, lNumber6, number44);
lNumber5 = 0;

label50: //Ref: 0021D6
lNumber9 = lNumber5 <= 46;
if (lNumber9 = 0) then
goto label53;
endif;
NumToStr(lString9, lNumber5);
lString11 = SRCDIR ^ "..\\";
lString11 = lString11 + "Netreg.ini";
lString12 = "F" + lString9;
GetProfString(lString11, "install", lString12, lString8);
StrCompare(lString8, "1");
lNumber9 = LAST_RESULT = 0;
if (lNumber9 = 0) then
goto label51;
endif;
SetByte(string14, lNumber5, 49);
goto label52;

label51: //Ref: 002194
SetByte(string14, lNumber5, 48);

label52: //Ref: 0021AF
lNumber5 = lNumber5 + 1;
goto label50;

label53: //Ref: 00211F
TARGETDIR = lString1;
string4 = TARGETDIR;
number48 = 1;
number47 = 0;
lString5 = "";
lString0 = "0";
lString6 = "\\Software\\"TARGET NAME REMOVED"\\"TARGET NAME REMOVED"\\Install";
RegDBCreateKeyEx(lString6, lString5);
RegDBSetDefaultRoot(-2147483646);
RegDBSetKeyValueEx(lString6, "Link", 1, "1", -1);
number45 = 1;
StrLoadString("", "PRODUCT_NAME", SHELL_OBJECT_FOLDER);
return(0);
return;
end;


This is the value.shl file

Code:

[Data]
FINISHED=Setup has finished installing %P on your computer.
PRODUCT_NAME_DEMO= "TARGET NAME REMOVED"
TITLE_MAIN="TARGET NAME REMOVED"
DISK_SPACE_REQUIREMENTS=Drive requirements:
DISK_SPACE3=%s requires approximately %dMb of free disk\nspace on drive %s.
ACROBAT_ERROR=Unable to find Adobe Acrobat. You will not be able to view the User Guide.
ERROR_SVGARESOLUTION=This program requires VGA or better resolution.
DONGLE_INCORRECT=The serial number you entered does not match the one in your Dongle.
FEATURE_VALID=Valid Feature Code for %s.\n\nDo you wish to enter another Feature Code?
PRODUCT_REG="TARGET NAME REMOVED"
COMPANY_NAME="TARGET NAME REMOVED"
ERROR_COMPONENT=Component:
DB_MISSING=Unable to convert database.
ICON_COMPONENT_HELP=Component Help
COMPANY_NAME16=Company
FEATURE_INVALID=This is not a valid Feature Code. Would you like to try again?
ERROR_SPACE_PATHNAME=Spaces in pathnames are not supported. Please use a pathname without spaces.
FOLDER_NAME_DEMO="TARGET NAME REMOVED"
OVERWRITE_FILES_OLD=Setup has found a copy of "TARGET NAME REMOVED" in the selected destination directory and will overwrite the files.\nAll changes made to your User Library will be copied into the new "TARGET NAME REMOVED" Library.\n\nDo you wish to overwrite the files?
DB_CONVERT1="TARGET NAME REMOVED" Setup has located an earlier version of the User Database on this computer.
LAUNCH_NEW_SETUP=Launching Setup for %s...
ICON_APPEND=User Guide Appendices
PRODUCT_VERSION=7
ERROR_MOVEDATA=An error occurred during the move data process: %d
ERROR_FILEGROUP=File Group:
DONGLE_INSERT=This version of %s requires a Dongle. Please make sure it is firmly inserted into a parallel port.
OVERWRITE_FILES=Setup has found a copy of “TARGET NAME REMOVED” in the selected destination directory and will overwrite the files.\n\nDo you wish to overwrite the files?
DB_CONVERT2=Would you like to copy this database into your new User Database in "TARGET NAME REMOVED"?
INSTALL_ABORT=Setup will now terminate.
DISK_SPACE="TARGET NAME REMOVED" requires %dMB of free disk space on drive %s.\nYou only have %dMB available.\nChoose the 'Back' button and select anoother drive or\nchoose 'Cancel' to quit.
UNINST_KEY_DEMO="TARGET NAME REMOVED"
DB_CONVERT3=This procedure will not affect the existing database. If you choose not to proceed with this conversion at this time you may convert later from within "TARGET NAME REMOVED".
ICON_HELP="TARGET NAME REMOVED" Help
UNINST_KEY="TARGET NAME REMOVED"
TITLE_MAIN_DEMO="TARGET NAME REMOVED"
UPGRADE_PROMPT3=Unable to find "TARGET NAME REMOVED" on your system.\n\nPlease install a previous version of "TARGET NAME REMOVED" before installing this update.
TITLE_CAPTIONBAR="TARGET NAME REMOVED"
UPDATE_USER_DATABASE_FAILED=Library update failed.The parts in your User Library were not merged into the new "TARGET NAME REMOVED"Library.
UPGRADE_PROMPT4=Unable to find the correct version of “TARGET NAME REMOVED” on your system.\n\nThis update can only be used with %s.
ICON_GET_START="TARGET NAME REMOVED" Getting Started
SERIAL_VERIFY=Verifying serial number ...
FEATURE_TEXT=Some versions of "TARGET NAME REMOVED" require a code to enable certain features of the software.\nIf you were supplied with a Feature Code, type it in now. Otherwise, click Next to continue.
ICON_README=Read Me
ICON_USER_GUIDE="TARGET NAME REMOVED"User Guide
INSTALL_ACROBAT=The online User Guide requires Adobe Acrobat.\nIf you do not have it installed on your computer, you may install it now.\nAt the end of the Acrobat install, if you are prompted to re-boot your computer, please select No.\n\nInstall Adobe Acrobat?
SERIAL_OK=Valid serial number for %s.
PRODUCT_NAME16=Product
ERROR_FILE=File:
FOLDER_NAME="TARGET NAME REMOVED"
SERIAL_INVALID=Incorrect serial number.
DONGLE_INSERT_TITLE=Insert Dongle
CONGRAT1=Congratulations on successfully installing "TARGET NAME REMOVED".\n\n "TARGET NAME REMOVED" has been shipped with a number of sample designs so you can explore all its functionality.\nThey are located in a "Samples" directory inside the "TARGET NAME REMOVED" main directory.\n\n
UPDATE_USER_DATABASE=Merging User Library into new "TARGET NAME REMOVED" Library...
CONGRAT2=NOTE: This software requires a Release Code to be inserted within 15 days of installation.\nTo obtain the Release Code, you should contact "TARGET NAME REMOVED" or your local distributor.\n\nWeb: "TARGET NAME REMOVED" (preferred method)\n
TITLE_CAPTIONBAR_DEMO="TARGET NAME REMOVED"
UNINST_DISPLAY_NAME_DEMO="TARGET NAME REMOVED"
UNINST_DISPLAY_NAME="TARGET NAME REMOVED"
PRODUCT_KEY="TARGET NAME REMOVED"
CONGRAT3=Phone: xxxxxxxxxxxxxxxxxx (North America Only)
NUM_NET_USERS= user Network Version
NT_MSG1=This installation requires Administrator Privileges.
PRODUCT_NAME="TARGET NAME REMOVED"
ERROR_UNINSTSETUP=unInstaller setup failed to initialize. You may not be able to uninstall this product.
NET_USERS=You did not enter a feature code which determines the maximum number of users able to run “TARGET NAME REMOVED” on a network.\n"TARGET NAME REMOVED" will now install as a single user version.
UPDATE_VERSION=This will update your version of "TARGET NAME REMOVED"program files to %s. Do you wish to continue?
NT_MSG2=Setup needs to make changes to your system configuration and cannot proceed without Administrator Privileges.\n

[General]
Language=0009
Type=STRINGTABLESPECIFIC
Version=1.00.000


FrankRizzo
February 8th, 2005, 00:51
I've done some installshield work before, so I can help some.

The lNumbers are just temp variables from all I have been able to gather. The usage is what makes them look strange. For instance, in normal C "lNumber6 = LAST_RESULT = 0;" would translate to "set both lNumber6 AND LAST_RESULT to 0". Not so in IS code. What it does here is store the result of a boolean test, which, in C, would look more like lNumber6 = (LAST_RESULT == 0) ? 1:0;

So, as you now see, that whole block of code at the top is nothing more than a bunch of boolean tests, and a couple of "JUMP if 0"s. As for debugging it, the first thing that I determined was that it wasn't very debuggable with SI. BUT, it IS very close, code-wise, to VB. So, I took the code that I was working on, and just rewrote small bits in VB, and made a keygen that way.

Now, it looks like you found the RIGHT code, but the important stuff appears to be right ABOVE the sample you included. For instance, we have no way to know where the value for lNumber2 comes from. I would assume that it MIGHT be from the text that you enter, but I can't be sure.

kittmaster
February 22nd, 2005, 21:31
FrankRizzo

Thank you for the response, it makes a lot of sense. What is the best way to pass these argument tests into VB? I keep getting errors like "variable not defined" and the whole gamut. The script file is totally incomplete. It exceeds the forum's maximum character counts.

What is the success rate for finding the right serial for the install? All these numbers have to be discovered easily. I also found the serial check export routine in a temp file called ishield5.org but can't seem to find where in the exe it is called.

I've read every tut I can get my hands on.......still can't seem to put it together.

Any other insight that you might be able to pass along?

thanks again

Chris

FrankRizzo
February 22nd, 2005, 21:57
Well, what I did on my target was just rewrite the code from the point where it gets the input data from the dialog box fields, up to the point where it called the bad-boy message box. It's not really hard at all. You just paste the code in, and convert those stupid formatted compares that we spoke of earlier into IF THENs. Most of the math stuff worked as is (IIRC). So, here are the first 2 steps that you should do if you haven't. Find the place where it gets the values from the dialog box. Number 2, find the place where it complains about your number being invalid. Now, you have a start and an end. With the code being relatively simple as it is, you should be able to "run" the code with calc.exe, and maybe a sheet of paper. (Talk about feeling the zen of the code!) MOST of the time, the calcs aren't super complicated, just tedious.

Once you understand the PATH it takes to get to the message box, you can figure out how it got there, and further decrease the amount of code between your start, and end. Once you get it to THIS point, you can put THAT code into VB, and make it run.
Then, you can single step it, watch variables, etc.

Sometimes you have to do THIS kinda stuff. I was working on a PowerBuilder app, and I had to download a trial version of PB to be able to clarify what this REALLY BIZARRE block of code did, but I ended up making it work, and wrote a keygen in VB.net.

More than anything else, reversing is all about thinking outside the box. The more unconventional your approach, the less likely it is that the programmer of the protection thought of it!

kittmaster
February 22nd, 2005, 22:03
This target is very confusing. What you said makes perfect sense; this target actually is tier level controlled based upon the number entered, and it's allllllways complaining about an invalid number..........LOL. The script decompilation seems to be massive and I'm unable to follow the entry point of the script sequencing because of the tier option controls. Do you think you could contact me via email or maybe a one on one direct chat via IM? If not, I understand. You can send me an email or PM via my profile on this board?

Thanks again for the fast response

Chris

JMI
February 22nd, 2005, 23:16
Kittmaster:

When you respond, try to use the small button on the far right or the Quick Reply feature at the bottom, rather than the Quote Button.

Using the Quote Button, when "quoting" some part of the previous post is not actually required to make the follow-up, simply doubles up the storage load of the previous post. You quoted FrankRizzo's entire post, without any need to do so. If some part relates specifically to your response, just quote that part. This saves room in the database for new information.

Regards,

kittmaster
February 22nd, 2005, 23:18
No problem, I'll edit my post after I submit this one.

EDIT: Looks like you already did it for me.......LOL...thanks

Regards,
Chris

JMI
February 22nd, 2005, 23:26
No big deal. Just an attempt to remind everyone who may read my response of some general considerations for assisting the proper maintenance of the database load. You did remember to remove the target identifying information, and that was a GOOD thing.

Regards,

kittmaster
February 22nd, 2005, 23:28
Not to make this thread any longer than necessary..................<but I think I had a little help with that one...........LMAO>

I love this site.......I missed it while it was "gone"

Chris