Crack InstallShield International East build 224

1. Execute the package (about 20MB) downloaded from the InstallShield ftp:
   ftp://ftp.installshield.com/is5/intl/east/pftw/is5east.exe

2. At the password-input screen, launch SoftICE. Clear all the other breakpoints and then set

       bpx USER32!GetWindowTextA

3. Quit SoftICE. Press a key in the password editbox.

4. SoftICE will be triggered at GetWindowTextA.

5. Issue "p ret" to get out of this procedure. You should then stop at

       00403719  mov  edx, [0040ef90]   ; edx -> input buffer
                 push edx               ; PARAMETER_1
                 call 00401090          ; checksum procedure
                 mov  edx, [0040ea88]   ; ideal value of return
                 add  esp, 4            ; stack fixup
                 ... later
                 xor  ecx, ecx          ; zero ecx
                 cmp  eax, edx          ; eax = edx?
                 setz cl                ; yes, cl = 1; no, cl = 0
                 mov  eax, ecx
                 pop  ebp               ; stack frame
                 ret                    ; return in eax

   The instruction just before 00403719 is the call to GetWindowTextA.

6. As you can see above, the procedure at 00401090 is the one we are looking for. It takes one parameter: the address of the password string. After some processing, it returns in eax a value calculated from the string. To ease the reading, the following shows pseudo-code of the procedure rather than assembly.

       accumulation = 0xf143ac
       do
           ch = *lpPassword++;
           if (ch == '\0') break;
           accumulation += 2 * ch;
       loop
       accumulation = accumulation xor 0x51993;
       return accumulation;

7. After the accumulation value is returned, the program then compares it with the ideal value, which is 0xF44F75, stored at address 0040ea88 in this case.

8. From this we can calculate the accumulation before the xor, which is F156E6. Subtracting the initial value F143AC from it gives whatever was added in the loop. From the pseudo-code, the value added, 0x133a, is two times the checksum of the password string.

9. Since each character is added at two times its value, the actual checksum of the password is 0x133a / 2 = 0x99d.

10. By using a basic program to count up a checksum, I decided to use "asdfasdfasdfasdfasdfasdO" (5 times 'asdf' plus 'asd' and 'O', case sensitive) as the password. The final 'O' is just a fixup. Nothing special. You may use any similar method to add up to your own favorite password for InstallShield International East 5 build 224.

*. The above cracking technique can be applied to PackageForTheWeb 2.00.200 packages.
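
The arithmetic of steps 6 to 10, as an added C example (not code from the original write-up): it reimplements the pseudo-code and shows why this kind of check protects nothing, since the stored constant reveals the required byte sum and the result ignores character order. The function names, the 32-bit accumulator and the unsigned treatment of each byte are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants quoted in the write-up above. */
#define IS5_INIT   0x00F143ACu  /* initial accumulator value       */
#define IS5_XOR    0x00051993u  /* final xor mask                  */
#define IS5_TARGET 0x00F44F75u  /* stored value read at 0040ea88   */

/* The routine at 00401090 as given by the pseudo-code. Assumption:
 * bytes are zero-extended and the accumulator is 32 bits wide. */
uint32_t is5_checksum(const char *password)
{
    uint32_t acc = IS5_INIT;
    for (const unsigned char *p = (const unsigned char *)password; *p; ++p)
        acc += 2u * *p;
    return acc ^ IS5_XOR;
}

/* Steps 8-9: undo the xor, the initial value and the doubling. Every
 * operation is invertible, so the stored constant discloses the byte
 * sum that any accepted input must have. */
uint32_t byte_sum_from_stored(uint32_t stored)
{
    return ((stored ^ IS5_XOR) - IS5_INIT) / 2u;
}

/* Plain byte sum: the only property of the input the check depends on. */
uint32_t byte_sum(const char *s)
{
    uint32_t sum = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; ++p)
        sum += *p;
    return sum;
}

int main(void)
{
    const char *pw = "asdfasdfasdfasdfasdfasdO";  /* string from step 10 */

    printf("byte sum implied by stored value: 0x%X\n",
           (unsigned)byte_sum_from_stored(IS5_TARGET));
    printf("byte sum of step-10 string:       0x%X\n", (unsigned)byte_sum(pw));
    printf("check passes:                     %d\n",
           is5_checksum(pw) == IS5_TARGET);
    /* Constructed inputs: reordering characters does not change the result. */
    printf("order-insensitive:                %d\n",
           is5_checksum("ab") == is5_checksum("ba"));
    return 0;
}
```

A check built only from invertible arithmetic over a byte sum has a vast number of colliding inputs, and the comparison value shipped in the binary is enough to describe all of them.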