Install Shield 6... + Dongle Protection


Georges Coolio
December 4th, 2000, 16:36
Hi,
Here is the target : LightWave 6.5 Update ( http://www.newtek.com/lightwave/downloads/patches/intel/lw65_intel.html )

1. What is exactly "Severe" ( "No Dongle detected, ..." message box title )? Is it proprietary to InstallShield or is it the dongle protection's name?
2. Could someone help me to reverse this protection ( If a tutorial exists, please link it )
3. Can I find the answer to my question on the +fravia's REWebSite? If yes, which tutorial.
4. Do you know a good tutorial on Reversing installations made with the latest version of InstallShield (6.*)? I would like to know how to reverse the installation listing (like with isdcc for versions <5) if it is possible of course (Encrypted???)?
5. Afterwards there will be dongle protection in the program itself, so how to reverse it ?
6. I thank all people who'd answer these questions

tsehp
December 4th, 2000, 19:50
Quote:
Georges Coolio (12-04-2000 05:36):
Hi,
Here is the target : LightWave 6.5 Update ( http://www.newtek.com/lightwave/downloads/patches/intel/lw65_intel.html )

1. What is exactly "Severe" ( "No Dongle detected, ..." message box title )? Is it proprietary to InstallShield or is it the dongle protection's name?

Installshield can call the protection's dll, it is most probably the case here, did you try to trace back the messagebox ?

2. Could someone help me to reverse this protection ( If a tutorial exists, please link it )

If you're speaking about the dongle protection, you can start with a dongle search here, or consult the crackz site, it's all dongle oriented.

3. Can I find the answer to my question on the +fravia's REWebSite? If yes, which tutorial.

Again, you could have a good start trying to look where this messagebox comes from. Try those different bpx with softice :
-messageboxa
-createwindowexa
-showwindow
Locate the code that calls this nag and the file where it comes from; surely the messagebox could come from installshield, but the vendor's dll is certainly called before. You can also try to see all the modules currently loaded while the message is displayed.


4. Do you know a good tutorial on Reversing installations made with the latest version of InstallShield (6.*)? I would like to know how to reverse the installation listing (like with isdcc for versions <5) if it is possible of course (Encrypted???)?

Not to my knowledge; installshield 6 uses the m$ msi installer now, they surely had to change a lot of things, you'll have to use softice a lot.

5. Afterwards there will be dongle protection in the program itself, so how to reverse it ?

Just consider the dongle to be a call in the program, it returns parameters, it's up to you to use the right breakpoints in sice, bpio for example freezes the program if some data goes thru the io ports.


6. I thank all people who'd answer these questions

Maldoror
December 5th, 2000, 07:26
Quote:
Georges Coolio (12-04-2000 05:36):
Hi,
Here is the target : LightWave 6.5 Update ( http://www.newtek.com/lightwave/downloads/patches/intel/lw65_intel.html )

1. What is exactly "Severe" ( "No Dongle detected, ..." message box title )? Is it proprietary to InstallShield or is it the dongle protection's name?

As you probably know, when you write an IS installation you use the InstallScript language. You create a setup script (.rul file) which is then compiled to an .inx file. This is something like an exe which is executed by the IS engine during the setup process.
IS script language provides a MessageBox function (MessageBox(szMsg, nType)). The nType param can have the following predefined values: INFORMATION, WARNING and SEVERE. So the "Severe" caption means that you see a message box called IN the compiled script. The message is: "No Dongle detected, ...". This means that a function in a custom dll is called (just before the MessageBox) in order to check the dongle presence.
Where is that dll?
In most cases when the setup engine initializes, it decompresses the custom dlls in a temporary folder (i.e. d:\temp\{f51d162e-c20e-11d4-9228-004854519651}). So after you see the first setup screen such a folder should be created in your temp folder. I suppose you will find there the suspect dll. You could copy the dll(s) in a different folder and reverse it. You could patch the check for dongle presence. But the most difficult part of the task begins here.
The question is "How to force IS engine to use the patched DLL?".
Unfortunately I don't know the answer to this question at the moment. A stupid idea is to trace the setup with a debugger and to copy the patched dll in the appropriate folder. (This should be performed when the protection dll first appears in the folder, but before the call to UseDLL - the IS version of LoadLibrary).

2. Could someone help me to reverse this protection ( If a tutorial exists, please link it )
Refer to +Tsehp's message
(I could try it if I have time for it...)

3. Can I find the answer to my question on the +fravia's REWebSite? If yes, which tutorial.
4. Do you know a good tutorial on Reversing installations made with the latest version of InstallShield (6.*)? I would like to know how to reverse the installation listing (like with isdcc for versions <5) if it is possible of course (Encrypted???)?

Well, there are two products by InstallShield Corp.: "InstallShield for Windows Installer" and "InstallShield Professional" - the first uses the MSI and the second doesn't.
IS Professional v6.22 is very different from IS5.5.
So I don't think there are any reversing tools or tuts concerning this version.

5. Afterwards there will be dongle protection in the program itself, so how to reverse it ?

Refer to +Tsehp's message

Maldoror
December 6th, 2000, 12:03
Hi again
I downloaded the setup and started the self-extracting exe.
The "No dongle ..." message appeared. At this moment I found the following new folders in my temp folder: "{f6ad52ed-b954-4bb6-8144-6648da3839ea}" and "pftAA~tmp\Disk1". The first one contains the dlls: _IsRes.dll, _IsUser.dll, isrt.dll (these are the IS dlls) and a dll named tkey.dll (Nice name :-)). The folder "pftAA~tmp\Disk1" contains the decompressed setup. So I saved the setup files and the tkey.dll in a different location and exited the setup. The tkey.dll contains two exported functions: TestHWLock ;-) and TimedKey. So I patched the function TestHWLock to return the "appropriate" value. The next task was to force the setup to use my dll. Fortunately the IS Corp. provides two very useful utilities: iscab.exe and iscabvu.exe which IMHO are very good reverse tools (thanx guys :-)).
Iscab.exe is a command line tool for exploring the IS .cab files (these are different from those of M$). It allows deleting, listing the contents, adding, and (NB) replacing of arbitrary files in the setup's cab files.
According to documentation: "The InstallShield Cabinet File Viewer (ISCabVu.exe) lets you select an InstallShield cabinet file and view its compressed files, file groups, components, and setup types and the properties of those items. It also lets you extract files from the cabinet file." (Note the last sentence!!!).
OK, using iscab.exe I replaced the original tkey.dll with the patched one.
Then I started the setup again. There was no "No dongle ..." message :-)
Everything was OK, but when I had to select the dest location I got the message: "LightWave 6.0 or higher is not installed in this directory".
That's right - I don't have the version 6...:-)
Hope this helps!

Maldoror
(mmaldoror@hotmail.com)

Georges Coolio
December 6th, 2000, 15:09
Thanks a lot

I can get the *.cab files (u can unzip the .exe), I'm now trying to remove the dongle check but I haven't got your IS utils.

I've got i5comp & i6comp but they don't run, so I didn't try to remove the dongle check in the dll's but by tracing the dongle protection (it's a little hard) and removing it in memory only. Now I know it's possible so I'll do this in that way, but could you please send your utils to me?

And again, thanks a lot

[georges.coolio@usa.net]

goatass
December 6th, 2000, 15:36
Hey guys,
Do you have any idea of what dongle it uses ?
HASP, Sentinel? That will narrow down your points of attack by a great deal. Many times it's as easy as opening the file in a Hex editor and doing a text search for HASP or RNBO (sentinel). I suggest you patch the dongle dll that you found in the setup folder; it will most likely be used by the program later on, so you won't have to do the work twice.

goatass

Anticode
December 7th, 2000, 05:37
There is a utility in installshield 6 that can extract the new .cab files, can't remember the name though.

Maldoror
December 7th, 2000, 07:31
Hi,

Georges Coolio > "Now I know it's possible so I'll do this in that way but would you feel free to send your utils to me"

There is a way to find them for free here:
www.installshield.com

goatass > "Do you have any idea of what dongle it uses ? HASP, Sentinel ? that will narrow down your points of attack by a great deal. Many times it's as easy as opening the file in a Hex editor and doing a text search for HASP or RNBO (sentinel). I suggest you patch the dongle dll that you found in the setup folder it will most likely be used by the program later on so you won't have to do the work twice."

Well, I took a look at the disassembly listing of tkey.dll (and my cup of vodka :-)) and I felt there was a statically linked spromeps.lib. This means that they use SentinelSuperPro (IMHO).
I don't believe they use the same dll(tkey.dll) for the setup protection and the protection of the final product.
I don't know...I don't have the product itself...

Greetings!
Maldoror
(mmaldoror@hotmail.com)

·TeKiN [ēK]
December 7th, 2000, 16:46
Hi,

Maldoror> How did you manage to get the "appropriate" value? I mean by that, where does TestHWLock return its value(s)? When I disassembled tkey.dll (W32Dasm) I got this code for the TestHWLock exported function:

Code:

Exported fn(): TestHWLock - Ord:0001h
:10001000 83EC04 sub esp, 00000004
:10001003 6804040000 push 00000404
:10001008 6890520110 push 10015290
:1000100D E89E010100 call 100111B0 ---> Test I ???
:10001012 6685C0 test ax, ax ---> Okay?
:10001015 7409 je 10001020
:10001017 B89BFFFFFF mov eax, FFFFFF9B # Returned values if test failed ???
:1000101C 83C404 add esp, 00000004 #
:1000101F C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001015(C)
|
:10001020 6890520110 push 10015290
:10001025 E8E6010100 call 10011210 ---> Test II ???
:1000102A 6685C0 test ax, ax ---> Okay? So...
:1000102D 7409 je 10001038
:1000102F B89AFFFFFF mov eax, FFFFFF9A
:10001034 83C404 add esp, 00000004
:10001037 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000102D(C)
|
:10001038 6889C80000 push 0000C889
:1000103D 6890520110 push 10015290
:10001042 E819040100 call 10011460 ---> Test III ???
:10001047 6685C0 test ax, ax ---> Okay?
:1000104A 7409 je 10001055
:1000104C B899FFFFFF mov eax, FFFFFF99
:10001051 83C404 add esp, 00000004
:10001054 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000104A(C)
|
:10001055 8D442402 lea eax, dword ptr [esp+02]
:10001059 50 push eax
:1000105A 6A00 push 00000000
:1000105C 6890520110 push 10015290
:10001061 E81A060100 call 10011680 ---> Test IV ???
:10001066 6685C0 test ax, ax ---> Okay?
:10001069 7427 je 10001092
:1000106B 6A64 push 00000064

* Reference To: KERNEL32.Sleep, Ord:023Ah
|
:1000106D FF15EC710110 Call dword ptr [100171EC]
:10001073 8D442402 lea eax, dword ptr [esp+02]
:10001077 50 push eax
:10001078 6A00 push 00000000
:1000107A 6890520110 push 10015290
:1000107F E8FC050100 call 10011680
:10001084 6685C0 test ax, ax
:10001087 7409 je 10001092
:10001089 B898FFFFFF mov eax, FFFFFF98
:1000108E 83C404 add esp, 00000004
:10001091 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001069(C), :10001087(C)
|
:10001092 8B442402 mov eax, dword ptr [esp+02] # Returned values if tests passed ???
:10001096 83C404 add esp, 00000004 #
:10001099 25FFFF0000 and eax, 0000FFFF #
:1000109E C3 ret


So am I right??? If yes, is the only thing to do to reverse the jumps (je > jne) to get the good returned values, or do I have to analyse it more?

Just a little help will be welcomed.

Oh, also, do you have another place to get the iscab & iscabvu files because ~100Mb to download to get these files takes me a lot of time (56k)?

Maldoror
December 8th, 2000, 08:00
·TeKiN [ēK] > "So am I right??? If yes, is the only thing to do to reverse the jumps (je > jne) to get the good returned values, or do I have to analyse it more?
Just a little help will be welcomed."

Yes you are right :-)

> Oh, also, do you have another place to get the iscab & iscabvu files because ~100Mb to download to get these files takes me a lot of time (56k)?

You don't need to download these 100MB.
There are 2 options for downloading on the site, so you can choose to download only the utilities...
It doesn't matter.
I could send these utilities to someone who will upload them somewhere in order to be available to everyone who need them.
Any ideas?

Maldoror

·TeKiN [ēK]
December 8th, 2000, 20:58
Thanks Maldoror. Now I'm doing my website on RE, 3D Graphics, and a lot of my stuff. It will be ready just after the new year, I hope.

I'd like to do something between protools for tools and the EXCELLENT +Tsehp mirror for the tut's, but with a hard selection of them. I don't want to do the same, you see. So could you send me the files? I've not found them yet, but when my website is ready, they will be there.

Greetings
·TeKiN[ēK]

klojo
December 9th, 2000, 05:56
1. What is exactly "Severe" ( "No Dongle detected, ..." message box title )? Is it proprietary to InstallShield or is it the dongle protection's name?

Installshield can call the protection's dll, it is most probably the case here, did you try to trace back the messagebox ?

You have to start your package from the web install and after that it runs the installshield.
When it does, look in your windows temp dir.
There are the files and dll it uses during installation.
Now there's one dll which is called tkey.dll; this contains an export function
testhwlock. Set a bpx in softice and the rest is up to you.

Sure, after you cracked the installshield, you have to crack the program itself.

If you have the version 6.0 without the update cracked you can search with w32dsm for the differences.

I am in the process of hacking it myself; did the dongle crack and cracked the program, it starts and then .... there is some other check elsewhere, the license.key file.


can anyone help me out here?

·TeKiN [ēK]
December 11th, 2000, 18:00
Well, I found the Utils and I "installed" it. Not with InstallShield Setup because I was not able to use my patched tkey.dll file (when I used iscab.exe, it told me that it couldn't decompress files compressed with older versions ??? ) but anyway you can use iscabvu.exe to extract them all and why it runs with this one, don't ask me ???

(Here is the link where I found them : http://playtools.cjb.net)

Well as Lightwave doesn't need a lot of files like 3DS Max, you are normally able to run the software just by extracting all program files from the update (with dll's, don't need plugins now).

So let's begin: if you disassemble modeler.exe you find a string reference to "Hardware Key Not Found", but when you try this with Lightwave.exe... nothing, and the error is not the same. If we look in the program dir, we see *_err.enu files. I'm sure that these files contain ASCII strings for the error messages, but are they encrypted or compressed?

1. Will dead listing help me to find the code to decrypt/unpack them ???

I know the code used to check if the hardware key was present from tkey.dll, if we suppose the soft use the same protection routine, we must find something.

2. I would like to compare the tkey.dll code and to try to find a part of it in both .exe's. Is it possible to do this with IDA ??? If not, is it the same to do this with a hex editor? I think yes, but is it that sure to find the correct code?

3. What are the APIs usually used for a dongle protection? They must deal with COM ports but, new since LW[6] I think, with USB ports too.

4. If you put a bpx on MessageBoxA, ...(See +TSehp Message) will it be easier to get the dongle routine or not?

5. This is the best site on the WEB Enjoy it

·TeKiN[ēK] - tekin.2k@usa.net

molac
December 11th, 2000, 18:32
Ok, Lw6 again.

I have cracked this programme since version 4.
Every time I search for
push 0404
in IDA; as you might know if you read the Sentinel Dev docs, this is the packet size that gets sent to the sentinel driver.
Anyway, only two global routines to check the dongle are present in lightwave (haven't checked v6.5 but 6.0b has only those two).
The first initializes the dongle.
The second reads different cells from the dongle.
There is another protection which relies on a license key.
If you locate the routine that does the cell reading in IDA, follow the cross references and you will find.
Another way:
Search for license.key in lightwave.exe and follow the cross references, and at the top, just before calling the lic.key check routine, the dongle read cell routine is directly above it.
Also you can search for "R/0" and "R/1" and similar ones. Those are cells to be read. If I remember, those are referenced where lightwave is checking the dongle.

Hopefully this will fix your problem

Morlac

·TeKiN [ēK]
December 12th, 2000, 17:05
Hi Morlac, it's the first time I deal with a dongle protection so I don't know much about it. Well, I tried what you said, search push 0404, but without success; the second way is OK. Now some questions...

1. There are a lot of R/0, R/1, ... Do I have to check them all to find the main call?

I found this code for R/0 :

Code:

loc_42964D: ; CODE XREF: sub_429070+4E2j
0042964D ; sub_429070+513j ...
0042964D cmp dword_4BA69C, ebx
00429653 jge short loc_4296C7
00429655 push offset aR0_0 ; "R/0"
0042965A call sub_496D40 - Call the following part
0042965F movsx eax, ax
00429662 push eax
00429663 call sub_497950 - Call Licence.key check
00429668 add esp, 8
0042966B cmp eax, ebx
0042966D mov dword_4BA69C, eax
00429672 jge short loc_42967E
00429674 mov dword_56D8C4, 1


And I think this code is the real check (the calls in bold call some checks which look familiar to the tkey.dll code, and they both return eax, 0000FFFF so ???), and this call is called twice.

Code:

00496D40 sub_496D40 proc near ; CODE XREF: sub_4102D0+8p
00496D40 ; sub_429070+5EAp ...
00496D40
00496D40 arg_0 = dword ptr 8
00496D40
00496D40 push ecx
00496D41 mov eax, [esp+arg_0]
00496D45 cmp byte ptr [eax], 52h
00496D48 jnz short loc_496DBA
00496D4A cmp byte ptr [eax+1], 2Fh
00496D4E jnz short loc_496DBA
00496D50 lea ecx, [esp+arg_0]
00496D54 add eax, 2
00496D57 push ecx
00496D58 push offset aHd_16 ; "%hd"
00496D5D push eax
00496D5E call _sscanf
00496D63 mov eax, [esp+0Ch+arg_0]
00496D67 add esp, 0Ch
00496D6A cmp ax, 4
00496D6E jnz short loc_496D79
00496D70 mov eax, 3Ch
00496D75 mov [esp+arg_0], eax
00496D79
00496D79 loc_496D79: ; CODE XREF: sub_496D40+2Ej
00496D79 lea edx, [esp+0]
00496D7D push edx
00496D7E push eax
00496D7F push offset dword_5388C0
00496D84 call sub_49E780
00496D89 test ax, ax
00496D8C jz short loc_496DAF
00496D8E push 64h
00496D90 call ds:Sleep
00496D96 mov ecx, [esp+arg_0]
00496D9A lea eax, [esp+0]
00496D9E push eax
00496D9F push ecx
00496DA0 push offset dword_5388C0
00496DA5 call sub_49E780
00496DAA test ax, ax
00496DAD jnz short loc_496DBA


2. If I'm right, do I have to reverse some jnz, je or do I have to nop the 00429655 call ???

Sincerely,

·TeKiN[ēK]

PS: I've downloaded the Sentinel Dev Docs, I'll read them and maybe all will be bright in my head, I hope ...

·TeKiN [ēK]
December 15th, 2000, 19:03
I'm wondering about my docs, I'm not so far, but when I looked for "push", it was only referenced once, just telling me that it's better to use a push instruction instead of a call instruction to make the reverser's life harder. I've downloaded a .pdf file, about 6.5M long and called "SentinelSuperPro 6.0 Developer's Guide". Is it the good one? Or do I have to order that docs (See Sentinel LM message)? I would prefer to download them, so could anyone give me an address if I don't have the good docs?

>Morlac, could you give me your e-mail, I would like you to help me ( If you want of course ,)

Sincerely,

·TeKiN[ēK] - tekin.2k@usa.net

Morlac
December 19th, 2000, 14:31
Tekin.2k, check your email.

·TeKiN [ēK]
December 24th, 2000, 15:51
Hi you lot!
Especially Morlac & Maldoror who helped me a lot. Thanks guys

I've done it, so if anyone needs me

Merry XMas to everyone

x30n-
December 24th, 2000, 17:46
hm... can't get this iscab.exe to work.. it says something about an ini file.. other than this.. I don't need any help

thanks,
x30n-

x30n-
December 24th, 2000, 17:48
oops, main question though was, what are the commands to add and remove the file tkey.dll

?

thanks

x30n-
December 24th, 2000, 23:51
doesn't anyone know? :P

x30n-
December 25th, 2000, 19:26
Just moving it to the top, hoping someone can help me with ISCAB.exe commands.

I wanted to make this subject into an essay and put it in a project I am going to release to the scene soon, but I can't put an incomplete essay out.

/x30n-

·TeKiN [ēK]
December 26th, 2000, 15:26
Hi x30n-,
> oops, main question though was, what are the commands to add and remove the file tkey.dll ?

1. You must create a listing of all files in the data*.cab, so 'iscab cabfile options' becomes 'iscab data1.hdr -i"Listing.ini" -lx'. And in Listing.ini are all referenced files in the archive.

2. Locate the file(s) you want to patch in Listing.ini (Make a copy of it before). In our case : tkey.dll. Keep only this in WhatNameYouWant.ini :
Code:

[<Support>English Intel 32 Files]
File1="tkey.dll"



3. Replace the file in .cab archive with yours (put the patched tkey.dll in the same dir with .cab files): 'iscab data1.hdr -i"WhatNameYouWant.ini" -a'

4. Enjoy

Sincerely,

x30n-
December 26th, 2000, 19:44
Thannnnnnk Youuuuuu!

slidingpenguins
March 17th, 2003, 04:23
Well, let me revive this thread.

I have been playing with L**htw*ve and IDA, but I have a dongle for it. I was thinking if there is a way to get a valid license.key for this combination. I am trying to know how this serial is obtained. The license.key file contains a number like this: 1234-1234-1234-1234.

You can get the demo from www.newtek.com and install it by following the tkey.dll modification method. Since 7.5, they modified the program so that it will run without dongle, but will run in a demo mode.

I was thinking of tracing a ReadFile or searching for license.key, and then trying to catch the routine where they compare this license with something I believe they calculate with the dongle and some other keys (like vendor or machine ones). Is this the right way to do it?