INX file help


sumerboard
09-30-2007, 03:31 PM
I have a .inx file I have decompiled and believe I have found where the security lies, but I am unsure as to what to look for and change to bypass this. Any help or guidance toward cracking inx files would be greatly appreciated.

@00015096:000E label_15096:
@00015098:001E local_number8 = local_string3[0];
@000150A7:0021 function_941(local_string2, "%d", local_number8);
@000150B8:002C StrToNum(local_number4, local_string2);
@000150C2:000F local_number4 = (local_number4 - 65);
@000150D1:0012 global_number65 = (local_number4 & 3);
@000150E0:000E local_number10 = (global_number65 != 0);
@000150EF:0004 if(local_number10) then // ref index: 2
@000150FB:0021 function_744("Invalid serial number/installation code combination.", -65534);
@0001513D:0007 local_number2 = (local_number2 + 1);
@0001514C:000C local_number10 = (local_number2 >= 3);
@0001515B:0004 if(local_number10) then // ref index: 1
@00015167:0006 local_number7 = 1;
@00015173:003A UnUseDll(global_string70);
@0001517A:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@000151F4:0001 endif;
@000151F4:0001 label_151f4:
@000151F6:0005 goto label_1520d;
@000151FF:0001 endif;
@000151FF:0001 label_151ff:
@00015201:0006 local_number7 = 1;
@0001520D:0001 label_1520d:
@0001520F:0005 goto label_14e92;
@00015218:000D endif;
@00015218:000D label_15218:
@0001521A:0029 StrSub(local_string9, global_string67, 1, 2);
@0001522E:002C StrToNum(global_number64, local_string9);
@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@0001534E:0001 label_1534e:
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@00015359:0009 label_15359:
@0001535B:000D local_number10 = (global_number64 = 6);
@0001536A:0004 if(local_number10) then // ref index: 2
@00015376:0021 function_744("Invalid installation code.", -65534);
@0001539E:0007 local_number1 = (local_number1 + 1);
@000153AD:000C local_number10 = (local_number1 >= 3);
@000153BC:0004 if(local_number10) then // ref index: 1
@000153C8:0006 local_number6 = 1;
@000153D4:003A UnUseDll(global_string70);
@000153DB:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@00015455:0001 endif;
@00015455:0001 label_15455:
@00015457:0005 goto label_1547a;
@00015460:0002 endif;
@00015460:0002 label_15460:
@00015462:0006 local_number6 = 1;
@0001546E:0006 global_number40 = 1;
@0001547A:0006 label_1547a:
@0001547C:000D local_number10 = (global_number59 = 1);
@0001548B:0004 if(local_number10) then // ref index: 1
@00015497:001E local_number10 = local_string6[0];
@000154A6:000D local_number10 = (local_number10 = 78);
@000154B5:0004 if(local_number10) then // ref index: 1
@000154C1:001D local_string6[0] = 88;
@000154D2:0001 endif;
@000154D2:0001 endif;
@000154D2:0001 label_154d2:
@000154D4:0005 goto label_14e59;
@000154DD:0004 endif;
@000154DD:0004 label_154dd:
@000154DF:0006 global_string66 = local_string6;
@000154E9:003A UnUseDll(global_string70);
@000154F0:0029 StrSub(local_string9, global_string67, 1, 2);
@00015504:002C StrToNum(global_number64, local_string9);
@0001550E:0002 endif;
@0001550E:0002 label_1550e:
@00015510:0024 return;
@00015514:0026 end; // checksum: 931f36d6

kao
09-30-2007, 05:53 PM
I won't give you a complete walkthrough - that won't make you think and learn. But here is a little sample that should get you started:

@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@0001535B:000D local_number10 = (global_number64 = 6);

Line 15238-1524A: We call a function with 4 arguments. The function is named "MovingToMinneapolis15" and is located in ISOLS32.DLL. You can see what arguments are passed and what it does using your favorite debugger. Upon return we get a dword in LASTRESULT; we store that in local_number10.
Line 15254: figure out yourself. If you know C, this is a no-brainer.
Line 15263: if (badboy) {
Line 1526F-15350: make_badboy_suffer
Line 15359: }
Line 1535B: goodboy code continues...

Other checks are similar but don't use external DLL.

How to bypass these checks? Depends on what you want to achieve..
a) one time installation?
Patch DLL to always return 'good boy' value. Input values that satisfy remaining checks. Or you can try extracting all files from setup package and "install" them manually.
b) patch this setup package?
sid has a "patch changes" menu item (never tried using it, though..). If it works, I'd patch line 15254 and maybe a few more..
c) make keygen?
Analyze code, try to produce values that satisfy checks in this script and in that DLL.

Cheers,
kao.

foffa
10-02-2007, 05:23 PM
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code


You have to jump this one, I think.
I am a newbie in this, sorry.

ektwr
04-17-2015, 04:03 AM
Hi all,
looking forward to this thread I found many things in common with my problem. How can we find which calls in the DLL are referred to by the inx referenced numbers?
A small example would be appreciated.
I mean, what must I do in OllyDbg to break into the DLL serial functions? Do these numbers refer to memory addresses in the DLL or what?

Thanks in advance

BfoX
04-17-2015, 12:48 PM
Use orca to see inside .msi

ektwr
04-18-2015, 07:04 AM
Dear friend, I am looking for more. As I said, I need to know the connection between the pseudocode calls from the inx file and the real calls from the DLL files. Here is an example:

code from inx file:
NAME = \"Description\"\r\n //-001-/ 0002FF65,
NAME = \"Installation\"\r\n //-001-/ 0002FC69,
NAME = \"Locale\"\r\n //-001-/ 0002FA06,
NAME = \"Manufacturer\"\r\n //-001-/ 0002F674,
NAME = \"Product\"\r\n //-001-/ 0002F7A8,
NAME = \"Serial Number\"\r\n //-001-/ 0002FB34,

................................
// : Jump Referenced(1):
// : 0000D1FB,
label_00AF:
/* 0000D21E: 000D */ n0015 = n000C == 0xFFFFFFFE;
/* 0000D22D: 0004 */ if(! n0015) goto label_00B2; // normal if
/* 0000D239: 000D */ n0015 = g_number000F == 0x00000002;
/* 0000D248: 0004 */ if(! n0015) goto label_00B0; // normal if
/* 0000D254: 0021 */ ret_g_str008C_031D();
/* 0000D25A: 0006 */ s001C = LAST_RESULT;
/* 0000D264: 0014 */ s001C = s001C ^ g_str0063;
/* 0000D271: 0021 */ function_0229("INVALID_HACKED_SERIAL_NUMBER");
/* 0000D296: 0006 */ s001D = LAST_RESULT;
/* 0000D2A0: 0021 */ function_0268(s001C, g_str0062, "Status", s001D);
/* 0000D2B8: 0005 */ goto label_00B1;

My question is: How can I find those calls in the DLL files?
What is the reference, for example 0000D254?
I think that all these calls happen in the ISRT.DLL file. I've put some BPs into Olly and broke on some API calls but I can't find the connection among them.
Here is the total setup file for reference.
http://ul.to/nu6pym89
TIA

BfoX
04-18-2015, 10:19 AM
your requested dll files here (http://rghost.net/7jqhMxHkg)

ektwr
04-18-2015, 02:29 PM
> your requested dll files here (http://rghost.net/7jqhMxHkg)

Thank you for your effort but can you be more specific about how to use them? As I noticed, when the setup file is opened, it extracts two randomly named directories into the /userAppdata/temp path with all the DLLs included, also those you mention. How can I use them to find the serial number request and bypass it?
PM me also (if you like) to give me more details.
TIA

BfoX
04-19-2015, 01:13 AM
Don't be lazy,

RLSetupValidate.dll has export RLSetupValidate,
PhysicPass.dll has export PASSGetID,
RLProtection.dll has exports RLGenKeyCode and RLValidate,
RLGenUUID.dll has exports RLGenUUID_GetUUID and RLGenUUID_EncodeTool,
ProductPassLite.dll has export PASSCheckCode.

///////////////////////////////////////////////////////////////////////////////////
///[ sexy installshield decompiler for is6/is7 ]////////
///[ (c) sn00pee 2002 ]////////
///////////////////////////////////////////////////////////////////////////////////
///[ starting decompilation ]////////
///////////////////////////////////////////////////////////////////////////////////

......
///////////////////////////////////////////////////////////////////////////////////
// prototypes (total: 880)

// dll-imports (total: 291)
.....
prototype INT ProductPassLite.PASSCheckCode(BYREF STRING, BYREF STRING, POINTER);
prototype NUMBER RLProtection.RLGenKeyCode(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLProtection.RLValidate(BYREF STRING, BYREF STRING, BYREF STRING);
prototype void PhysicPass.PASSGetID(BYREF STRING, NUMBER);
.....
prototype void RLSetupValidate.RLParameterEncode(BYREF STRING, BYREF STRING);
prototype INT RLSetupValidate.GetURLResponse(BYREF STRING, BYREF STRING, INT, INT, BOOL);
prototype void RLSetupValidate.RLSetProxyInfo(BYREF STRING, BYREF STRING);
prototype INT RLGenUUID.RLGenUUID_EncodeTool(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetUUID(BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetIPAddress(BYREF STRING);
......

ektwr
04-19-2015, 05:28 AM
It seems that we have different results because I have the nekosuki decompiler. I will try with the sexy installshield decompiler and I will post my results later.
EDIT: I've tried to decompile it with SID ver 1.0 in 3 machines with win8, win7 and xp pro OS but it crashes during process.
Can you send me the decompiler you used and if possible the decompiled inx.txt file too?
TIA

Git
04-20-2015, 05:28 AM
There's a hint at the start :

////////////////////////////////////////////////////
///[ sexy installshield decompiler for is6/is7 ]///
//////////////[ (c) sn00pee 2002 ]///////////////


Git

ektwr
04-20-2015, 09:54 AM
> There's a hint at the start :
>
> ////////////////////////////////////////////////////
> ///[ sexy installshield decompiler for is6/is7 ]///
> //////////////[ (c) sn00pee 2002 ]///////////////
>
> Git

Git, thank you for the reply, but I've already mentioned that I used exactly the same decompiler and it crashes during the process.
Anyway, let's say that I've managed to do the decompilation. What next?
I mean, how can I use the patched file in the setup process? The exe file I gave for reference extracts files into the /temp dir and uses them in real time. The .cab file which is produced is encrypted and I couldn't extract or even view it so far.
The only hope to bypass the serial number process is by tweaking the .inx file produced, but I don't know how to use it afterwards and do the installation with no serial nags.
TIA

BfoX
04-20-2015, 11:41 AM
> it crashes during process.

same as you

Git
04-21-2015, 05:34 AM
As Bfox says, he used SID also, and it worked fine. Can you go back one step and tell us what you actually want to achieve?

Git

ektwr
04-21-2015, 07:59 AM
> As Bfox says, he used SID also, and it worked fine. Can you go back one step and tell us what you actually want to achieve?
>
> Git

Certainly. I would like to rebuild the setup file with the patch in the serial verification process and install it with no serial check. The .inx file can be patched but I don't know how to rebuild the unprotected setup.exe file again.

Git
04-22-2015, 04:39 AM
You need to get hold of the installer program that created the .inx, which is InstallShield. If you have unpacked to have the original files, you can patch as necessary then recreate the installation package/exe.

Can you link to the setup file/package please?

Git

ektwr
04-25-2015, 05:56 AM
> You need to get hold of the installer program that created the .inx, which is InstallShield. If you have unpacked to have the original files, you can patch as necessary then recreate the installation package/exe.
>
> Can you link to the setup file/package please?
>
> Git

Thank you for your concern. You can find the link in post #6 in this thread.

EDIT: OK, I thought that it wouldn't be easy, am I right? :)

ektwr
05-04-2015, 08:39 AM
Has anyone made any progress with it? I'm stuck really bad.