Thread: Looking for some help with softice and installshield methods

  1. #1

    Looking for some help with softice and installshield methods

    I'm looking to find the highest level of access to my target. I have access to the demo versions and the edu version, but I'd like to find the top tier key that unlocks the entire program (I've been told directly by support that the iso I have will turn into the top tier program with the correct serial). I'd like my own personal copy of the top tier version. I've never attempted a compressed installation attack before; I've been through all the crackmes, but none address how to handle compressed comparison of the strings.

    The one thing I don't understand is how to get from script decompilation to the actual breakpoints under ice to verify the number routines. Most of the tuts make a lot of assumptions, and I don't have enough information to get from one point to the next and could use some guidance.

    This is all part of the compressed installer that I'm trying to figure out to get the right password. The latest tutorials are dated 2001 and the ones that are out there make a lot of assumptions.

    If someone is willing to take a look, I'll send the links to the isos if it can be done.

    Can anyone help? What do the lNumbers mean, the placeholders?

    The serials look like

    L=letters
    X=Numbers

    LL-XXXX-XXXXX-XXXX-XXXXX

    but from what i've seen, it will take the code without the - so it will look like

    LLXXXXXXXXXXXXXXXXXX

    Anyone?

    This is the setup.ins file; below is the value.shl, which contains the locator variables, and below that is the hex information.

    Code:
            lNumber6 = LAST_RESULT = 0;
            lNumber5 = lNumber5 && lNumber6;
            lNumber6 = lNumber2 = 116;
            lNumber7 = lNumber2 >= 136;
            lNumber8 = lNumber2 <= 145;
            lNumber7 = lNumber7 && lNumber8;
            lNumber6 = lNumber6 || lNumber7;
            lNumber5 = lNumber5 && lNumber6;
            if (lNumber5 = 0) then
                goto label197;
            endif;
            lNumber2 = lNumber2 - 100;
            NumToStr(lString2, lNumber2);
            NumToStr(lString3, lNumber3);
            SetByte(string14, lNumber2, 49);
            lNumber5 = lNumber3 = 0;
            if (lNumber5 = 0) then
                goto label196;
            endif;
            lNumber5 = lNumber2 = 16;
            if (lNumber5 = 0) then
                goto label182;
            endif;
            lString6 = "Gerbtool";
    
    label182: //Ref: 005C3E
            lNumber4 = 1;
            lNumber5 = lNumber2 = 36;
            if (lNumber5 = 0) then
                goto label183;
            endif;
            lNumber4 = 5;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "5" + lString7;
            goto label192;
    
    label183: //Ref: 005C7C
            lNumber5 = lNumber2 = 37;
            if (lNumber5 = 0) then
                goto label184;
            endif;
            lNumber4 = 10;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "10" + lString7;
            goto label192;
    
    label184: //Ref: 005CD3
            lNumber5 = lNumber2 = 38;
            if (lNumber5 = 0) then
                goto label185;
            endif;
            lNumber4 = 15;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "15" + lString7;
            goto label192;
    
    label185: //Ref: 005D2B
            lNumber5 = lNumber2 = 39;
            if (lNumber5 = 0) then
                goto label186;
            endif;
            lNumber4 = 20;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "20" + lString7;
            goto label192;
    
    label186: //Ref: 005D83
            lNumber5 = lNumber2 = 40;
            if (lNumber5 = 0) then
                goto label187;
            endif;
            lNumber4 = 25;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "25" + lString7;
            goto label192;
    
    label187: //Ref: 005DDB
            lNumber5 = lNumber2 = 41;
            if (lNumber5 = 0) then
                goto label188;
            endif;
            lNumber4 = 35;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "35" + lString7;
            goto label192;
    
    label188: //Ref: 005E33
            lNumber5 = lNumber2 = 42;
            if (lNumber5 = 0) then
                goto label189;
            endif;
            lNumber4 = 50;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "50" + lString7;
            goto label192;
    
    label189: //Ref: 005E8B
            lNumber5 = lNumber2 = 43;
            if (lNumber5 = 0) then
                goto label190;
            endif;
            lNumber4 = 75;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "75" + lString7;
            goto label192;
    
    label190: //Ref: 005EE3
            lNumber5 = lNumber2 = 44;
            if (lNumber5 = 0) then
                goto label191;
            endif;
            lNumber4 = 100;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "100" + lString7;
            goto label192;
    
    label191: //Ref: 005F3B
            lNumber5 = lNumber2 = 45;
            if (lNumber5 = 0) then
                goto label192;
            endif;
            lNumber4 = 250;
            StrLoadString("", "NUM_NET_USERS", lString7);
            lString6 = "250" + lString7;
    
    label192: //Ref: 005CB8  005D10  005D68  005DC0  005E18  005E70  005EC8  005F20 005F79  005F94
            lNumber5 = lNumber4 > number46;
            if (lNumber5 = 0) then
                goto label193;
            endif;
            number46 = lNumber4;
    
    label193: //Ref: 005FE6
            StrFind(string13, lString0);
            lNumber5 = LAST_RESULT;
            lNumber5 = lNumber5 < 0;
            if (lNumber5 = 0) then
                goto label195;
            endif;
            StrCompare(string13, "");
            lNumber5 = LAST_RESULT = 0;
            if (lNumber5 = 0) then
                goto label194;
            endif;
            string13 = lString0;
            goto label195;
    
    label194: //Ref: 00604A
            lString7 = string13 + ":";
            string13 = lString7 + lString0;
    
    label195: //Ref: 006022  006060
            goto label196;
    
    label196: //Ref: 005C1E  006084
            StrLoadString("", "FEATURE_VALID", lString7);
            Sprintf(lString5, lString7, lString6);
            AskYesNo(lString5, 1);
            lNumber0 = LAST_RESULT;
            lString0 = "";
            goto label198;
    
    label197: //Ref: 005BD4
            Delay(2);
            StrLoadString("", "FEATURE_INVALID", lString7);
            AskYesNo(lString7, 1);
            lNumber0 = LAST_RESULT;
    
    label198: //Ref: 0060CD
            goto label178;
    
    label199: //Ref: 0059C0
            lNumber5 = number46 <= 2;
            lNumber5 = number45 && lNumber5;
            if (lNumber5 = 0) then
                goto label200;
            endif;
            StrLoadString("", "NET_USERS", lString7);
            MessageBox(lString7, -65534);
    
    label200: //Ref: 006133
            return(lNumber0);
            return;
        end;
    
    
        // ------------- FUNCTION function119 --------------
        function function119()
            number lNumber0;
            number lNumber1;
            number lNumber2;
            number lNumber3;
            number lNumber4;
            number lNumber5;
            number lNumber6;
            number lNumber7;
            number lNumber8;
            number lNumber9;
            string lString0;
            string lString1;
            string lString2;
            string lString3;
            string lString4;
            string lString5;
            string lString6;
            string lString7;
            string lString8;
            string lString9;
            string lString10;
            string lString11;
            string lString12;
        begin
            RegDBSetDefaultRoot(-2147483646);
            lString5 = "";
            lString6 = "\\Software\\"TARGET NAME REMOVED"\\"TARGET NAME REMOVED"\\Install";
            RegDBCreateKeyEx(lString6, lString5);
            RegDBSetKeyValueEx(lString6, "Link", 1, "0", -1);
            OpenFileMode(2);
            lString11 = SRCDIR ^ "..\\";
            OpenFile(lNumber4, lString11, "netreg.ini");
            lNumber9 = LAST_RESULT;
            lNumber9 = lNumber9 < 0;
            if (lNumber9 = 0) then
                goto label47;
            endif;
            return(-1);
    
    label47: //Ref: 001FF1
            CloseFile(lNumber4);
            lString11 = SRCDIR ^ "..\\";
            lString11 = lString11 + "Netreg.ini";
            GetProfString(lString11, "install", "Serial", string7);
            lString11 = SRCDIR ^ "..\\";
            lString11 = lString11 + "Netreg.ini";
            GetProfString(lString11, "install", "FC", string13);
            lString1 = SRCDIR;
            StrFind(lString1, "setup");
            lNumber0 = LAST_RESULT;
            lNumber9 = lNumber0 >= 0;
            if (lNumber9 = 0) then
                goto label48;
            endif;
            SetByte(lString1, lNumber0, 0);
            goto label49;
    
    label48: //Ref: 0020B8
            lString1 = SRCDIR ^ "..\\";
    
    label49: //Ref: 0020D3
            Ishield5.CheckSerialNumber(string7, lString10, lNumber6, number44);
            lNumber5 = 0;
    
    label50: //Ref: 0021D6
            lNumber9 = lNumber5 <= 46;
            if (lNumber9 = 0) then
                goto label53;
            endif;
            NumToStr(lString9, lNumber5);
            lString11 = SRCDIR ^ "..\\";
            lString11 = lString11 + "Netreg.ini";
            lString12 = "F" + lString9;
            GetProfString(lString11, "install", lString12, lString8);
            StrCompare(lString8, "1");
            lNumber9 = LAST_RESULT = 0;
            if (lNumber9 = 0) then
                goto label51;
            endif;
            SetByte(string14, lNumber5, 49);
            goto label52;
    
    label51: //Ref: 002194
            SetByte(string14, lNumber5, 48);
    
    label52: //Ref: 0021AF
            lNumber5 = lNumber5 + 1;
            goto label50;
    
    label53: //Ref: 00211F
            TARGETDIR = lString1;
            string4 = TARGETDIR;
            number48 = 1;
            number47 = 0;
            lString5 = "";
            lString0 = "0";
            lString6 = "\\Software\\"TARGET NAME REMOVED"\\"TARGET NAME REMOVED"\\Install";
            RegDBCreateKeyEx(lString6, lString5);
            RegDBSetDefaultRoot(-2147483646);
            RegDBSetKeyValueEx(lString6, "Link", 1, "1", -1);
            number45 = 1;
            StrLoadString("", "PRODUCT_NAME", SHELL_OBJECT_FOLDER);
            return(0);
            return;
        end;
    
    
    
    This is the value.shl file

    Code:
    [Data]
    FINISHED=Setup has finished installing %P on your computer.
    PRODUCT_NAME_DEMO= "TARGET NAME REMOVED"
    TITLE_MAIN="TARGET NAME REMOVED"
    DISK_SPACE_REQUIREMENTS=Drive requirements:
    DISK_SPACE3=%s requires approximately %dMb of free disk\nspace on drive %s.
    ACROBAT_ERROR=Unable to find Adobe Acrobat. You will not be able to view the User Guide.
    ERROR_SVGARESOLUTION=This program requires VGA or better resolution.
    DONGLE_INCORRECT=The serial number you entered does not match the one in your Dongle.
    FEATURE_VALID=Valid Feature Code for %s.\n\nDo you wish to enter another Feature Code?
    PRODUCT_REG="TARGET NAME REMOVED"
    COMPANY_NAME="TARGET NAME REMOVED"
    ERROR_COMPONENT=Component:
    DB_MISSING=Unable to convert database.
    ICON_COMPONENT_HELP=Component Help
    COMPANY_NAME16=Company
    FEATURE_INVALID=This is not a valid Feature Code. Would you like to try again?
    ERROR_SPACE_PATHNAME=Spaces in pathnames are not supported. Please use a pathname without spaces.
    FOLDER_NAME_DEMO="TARGET NAME REMOVED"
    OVERWRITE_FILES_OLD=Setup has found a copy of "TARGET NAME REMOVED" in the selected destination directory and will overwrite the files.\nAll changes made to your User Library will be copied into the new "TARGET NAME REMOVED" Library.\n\nDo you wish to overwrite the files?
    DB_CONVERT1="TARGET NAME REMOVED" Setup has located an earlier version of the User Database on this computer.
    LAUNCH_NEW_SETUP=Launching Setup for %s...
    ICON_APPEND=User Guide Appendices
    PRODUCT_VERSION=7
    ERROR_MOVEDATA=An error occurred during the move data process: %d
    ERROR_FILEGROUP=File Group:
    DONGLE_INSERT=This version of %s requires a Dongle. Please make sure it is firmly inserted into a parallel port.
    OVERWRITE_FILES=Setup has found a copy of  “TARGET NAME REMOVED” in the selected destination directory and will overwrite the files.\n\nDo you wish to overwrite the files?
    DB_CONVERT2=Would you like to copy this database into your new User Database in "TARGET NAME REMOVED"?
    INSTALL_ABORT=Setup will now terminate.
    DISK_SPACE="TARGET NAME REMOVED" requires %dMB of free disk space on drive %s.\nYou only have %dMB available.\nChoose the 'Back' button and select anoother drive or\nchoose 'Cancel' to quit.
    UNINST_KEY_DEMO="TARGET NAME REMOVED"
    DB_CONVERT3=This procedure will not affect the existing database. If you choose not to proceed with this conversion at this time you may convert later from within "TARGET NAME REMOVED".
    ICON_HELP="TARGET NAME REMOVED" Help
    UNINST_KEY="TARGET NAME REMOVED"
    TITLE_MAIN_DEMO="TARGET NAME REMOVED"
    UPGRADE_PROMPT3=Unable to find "TARGET NAME REMOVED" on your system.\n\nPlease install a previous version of "TARGET NAME REMOVED" before installing this update.
    TITLE_CAPTIONBAR="TARGET NAME REMOVED"
    UPDATE_USER_DATABASE_FAILED=Library update failed.The parts in your User Library were not merged into the new "TARGET NAME REMOVED"Library.
    UPGRADE_PROMPT4=Unable to find the correct version of  “TARGET NAME REMOVED” on your system.\n\nThis update can only be used with %s.
    ICON_GET_START="TARGET NAME REMOVED" Getting Started
    SERIAL_VERIFY=Verifying serial number ...
    FEATURE_TEXT=Some versions of "TARGET NAME REMOVED" require a code to enable certain features of the software.\nIf you were supplied with a Feature Code, type it in now. Otherwise, click Next to continue.
    ICON_README=Read Me
    ICON_USER_GUIDE="TARGET NAME REMOVED"User Guide
    INSTALL_ACROBAT=The online User Guide requires Adobe Acrobat.\nIf you do not have it installed on your computer, you may install it now.\nAt the end of the Acrobat install, if you are prompted to re-boot your computer, please select No.\n\nInstall Adobe Acrobat?
    SERIAL_OK=Valid serial number for %s.
    PRODUCT_NAME16=Product
    ERROR_FILE=File:
    FOLDER_NAME="TARGET NAME REMOVED"
    SERIAL_INVALID=Incorrect serial number.
    DONGLE_INSERT_TITLE=Insert Dongle
    CONGRAT1=Congratulations on successfully installing "TARGET NAME REMOVED".\n\n "TARGET NAME REMOVED" has been shipped with a number of sample designs so you can explore all its functionality.\nThey are located in a "Samples" directory inside the "TARGET NAME REMOVED" main directory.\n\n
    UPDATE_USER_DATABASE=Merging User Library into new "TARGET NAME REMOVED" Library...
    CONGRAT2=NOTE: This software requires a Release Code to be inserted within 15 days of installation.\nTo obtain the Release Code, you should contact "TARGET NAME REMOVED" or your local distributor.\n\nWeb: "TARGET NAME REMOVED" (preferred method)\n
    TITLE_CAPTIONBAR_DEMO="TARGET NAME REMOVED"
    UNINST_DISPLAY_NAME_DEMO="TARGET NAME REMOVED"
    UNINST_DISPLAY_NAME="TARGET NAME REMOVED"
    PRODUCT_KEY="TARGET NAME REMOVED"
    CONGRAT3=Phone: xxxxxxxxxxxxxxxxxx (North America Only)
    NUM_NET_USERS= user Network Version
    NT_MSG1=This installation requires Administrator Privileges.
    PRODUCT_NAME="TARGET NAME REMOVED"
    ERROR_UNINSTSETUP=unInstaller setup failed to initialize.  You may not be able to uninstall this product.
    NET_USERS=You did not enter a feature code which determines the maximum number of users able to run  “TARGET NAME REMOVED” on a network.\n"TARGET NAME REMOVED" will now install as a single user version.
    UPDATE_VERSION=This will update your version of "TARGET NAME REMOVED"program files to %s. Do you wish to continue?
    NT_MSG2=Setup needs to make changes to your system configuration and cannot proceed without Administrator Privileges.\n
    
    [General]
    Language=0009
    Type=STRINGTABLESPECIFIC
    Version=1.00.000

    I'm new here for now, but been around for a while. Thanks for looking and I hope to return as much as I receive

  2. #2
    I've done some installshield work before, so I can help some.

    the lnumbers are just temp variables from all I have been able to gather. The usage is what makes them look strange. For instance in normal C "lNumber6 = LAST_RESULT = 0;" would translate to "set both lNumber6 AND LAST_RESULT to 0". Not so in IS code. What it does here, is store the result of a boolean test, which, in C, would look more like lNumber6 = (LAST_RESULT == 0) ? 1:0;

    So, as you now see, that whole block of code at the top is nothing more than a bunch of boolean tests, and a couple of "JUMP if 0"s. As for debugging it, the first thing that I determined was that it wasn't very debuggable with SI. BUT, It IS very close, code-wise, to VB. So, I took the code that I was working on, and just rewrote small bits in VB, and made a keygen that way.

    Now, it looks like you found the RIGHT code, but the important stuff appears to be right ABOVE the sample you included. For instance, we have no way to know where the value for lNumber2 comes from. I would assume that it MIGHT be from the text that you enter, but I can't be sure.
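
    A mechanical first pass over decompiler lines like the ones posted, as an added example (Python; not code from the post or from the target's installer). It encodes the rule FrankRizzo describes above: a second `=` on the right-hand side of a decompiled assignment is a comparison that yields 1 or 0, as are `>=`, `<=`, `&&` and `||`. Everything else is a thin syntax mapping; `goto` is emitted as a comment, since the jumps have to be folded into if/elif by hand. The sample input is a few lines copied from the posted setup.ins dump.

```python
"""Line-by-line translator for decompiled InstallScript (added example).

Not code from the post or from the target's installer.  The one rule
that matters: in decompiler output a second '=' on the right-hand side
is a comparison that yields 1 or 0, so 'lNumber6 = LAST_RESULT = 0;'
means 'lNumber6 = (LAST_RESULT == 0)'.  '>=', '<=', '&&' and '||'
likewise yield 1/0.  'goto' is emitted as a comment because the jumps
have to be restructured by hand.
"""
import re

# A '=' that is not part of '==', '>=', '<=' or '!='.
_BARE_EQ = r"(?<![<>!=])=(?!=)"
# Operators whose result is a 1/0 flag in InstallScript.
_FLAG_OPS = re.compile(r"(>=|<=|>|<|&&|\|\|)")
# 'name = lhs = rhs;'  -> the second '=' is a comparison.
_DOUBLE_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+?)\s*" + _BARE_EQ + r"\s*(.+);$")
_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+);$")
_IF = re.compile(r"^if \((.+)\) then$")
_GOTO = re.compile(r"^goto (\w+);$")
_LABEL = re.compile(r"^(\w+):\s*//\s*Ref:(.*)$")


def _pyexpr(expr: str) -> str:
    """InstallScript boolean expression -> Python expression."""
    expr = re.sub(_BARE_EQ, "==", expr)
    expr = expr.replace("&&", " and ").replace("||", " or ")
    return re.sub(r"\s+", " ", expr).strip()


def translate_line(line: str) -> str:
    s = line.strip()
    if not s:
        return ""
    if m := _LABEL.match(s):          # 'label182: //Ref: 005C3E'
        return f"# {m.group(1)}: (jump target, referenced from{m.group(2)})"
    if m := _IF.match(s):             # 'if (lNumber5 = 0) then'
        return f"if {_pyexpr(m.group(1))}:"
    if s == "endif;":
        return "# endif"
    if m := _GOTO.match(s):
        return f"# goto {m.group(1)}  (no goto in Python: fold into if/elif)"
    if m := _DOUBLE_ASSIGN.match(s):  # 'lNumber6 = LAST_RESULT = 0;'
        return f"{m.group(1)} = int({m.group(2).strip()} == {m.group(3).strip()})"
    if m := _ASSIGN.match(s):
        name, rhs = m.group(1), m.group(2).strip()
        if _FLAG_OPS.search(rhs):     # '>=', '&&', ... also yield 1/0
            return f"{name} = int({_pyexpr(rhs)})"
        return f"{name} = {rhs}"      # arithmetic or string concatenation
    return s.rstrip(";")              # API calls such as NumToStr(...) pass through


def translate_block(text: str) -> str:
    return "\n".join(translate_line(ln) for ln in text.splitlines())


# Lines copied from the posted setup.ins dump, used here as sample input.
SAMPLE = """\
        lNumber6 = LAST_RESULT = 0;
        lNumber5 = lNumber5 && lNumber6;
        lNumber6 = lNumber2 = 116;
        lNumber7 = lNumber2 >= 136;
        lNumber8 = lNumber2 <= 145;
        lNumber7 = lNumber7 && lNumber8;
        lNumber6 = lNumber6 || lNumber7;
        lNumber5 = lNumber5 && lNumber6;
        if (lNumber5 = 0) then
            goto label197;
        endif;
        lNumber2 = lNumber2 - 100;
"""

if __name__ == "__main__":
    print(translate_block(SAMPLE))
```

    Run it over the whole dump and the output reads as ordinary Python apart from the `goto` comments; those mark exactly the places where the chain of `if ... goto labelN` tests needs to become an if/elif ladder before the code can execute.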

  3. #3
    FrankRizzo

    Thank you for the response; it makes a lot of sense. What is the best way to pass these argument tests into VB? I keep getting errors like variable not defined and the whole gamut. The script file is totally incomplete. It exceeds the forum's maximum character count.

    What is the success rate for finding the right serial for the install? All these numbers have to be discoverable easily. I also found the serial check export routine in a temp file called ishield5.org but can't seem to find where in the exe it is called.

    I've read every tut I can get my hands on.......still can't seem to put it together.

    Any other insight that you might be able to pass along?

    thanks again

    Chris

  4. #4
    Well, what I did on my target was just rewrite the code from the point where it gets the input data from the dialog box fields, up to the point where it called the bad-boy message box. It's not really hard at all. You just paste the code in, and convert those stupid formatted compares that we spoke of earlier into IF THENs. Most of the math stuff worked as is (IIRC). So, here are the first 2 steps you should do if you haven't. Number 1, find the place where it gets the values from the dialog box. Number 2, find the place where it complains about your number being invalid. Now you have a start and an end. With the code being relatively simple as it is, you should be able to "run" the code with calc.exe, and maybe a sheet of paper. (Talk about feeling the zen of the code!) MOST of the time, the calcs aren't super complicated, just tedious.

    Once you understand the PATH it takes to get to the message box, you can figure out how it got there, and further decrease the amount of code between your start, and end. Once you get it to THIS point, you can put THAT code into VB, and make it run.
    Then, you can single step it, watch variables, etc.

    Sometimes you have to do THIS kinda stuff. I was working on a PowerBuilder app, and I had to download a trial version of PB to be able to clarify what this REALLY BIZARRE block of code did, but I ended up making it work, and wrote a keygen in VB.net.

    More than anything else, reversing is all about thinking outside the box. The more unconventional your approach, the less likely it is that the programmer of the protection thought of it!
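
    The port described in posts #2 and #4, carried out on the block that was actually posted, as an added example (Python rather than VB; not code from the post or from the target's installer). It follows the dump label by label: the range test just above label182, the tier chain label182..label191, the running maximum at label192, the code list at label193/label194, the prompts at label196/label197 and the closing check at label199. The things the excerpt does not show are assumptions here: lNumber2 is the Feature Code the user typed, converted to a number; lString0 is the same code as text; lNumber3 is a flag that is 0 on the normal path; lNumber5 from before the excerpt is 1. string14 is sized to 47 bytes because function119 fills F0..F46 into it. Note that this is the Feature Code prompt (FEATURE_VALID / FEATURE_INVALID in value.shl); the serial itself goes through Ishield5.CheckSerialNumber in function119, which the dump only calls.

```python
"""Port of the Feature Code block from the posted setup.ins decompile.

Added example; not code from the post or from the target's installer.
Assumptions (not shown in the excerpt): lNumber2 is the typed Feature
Code as a number, lString0 the same code as text, lNumber3 a flag that
is 0 on the normal path, and lNumber5 before the excerpt is 1.
"""
from dataclasses import dataclass, field
from typing import List, Optional

NUM_NET_USERS = " user Network Version"   # string from value.shl

# label183..label191: (code - 100) -> maximum network users (lNumber4)
NET_TIERS = {36: 5, 37: 10, 38: 15, 39: 20, 40: 25,
             41: 35, 42: 50, 43: 75, 44: 100, 45: 250}


@dataclass
class SetupState:
    """Globals the block reads and writes."""
    string14: bytearray = field(default_factory=lambda: bytearray(b"0" * 47))
    number46: int = 0      # highest user count granted so far
    string13: str = ""     # ':'-separated codes entered so far
    number45: int = 1      # set to 1 by function119


def feature_code(code: int, state: SetupState, entered: Optional[str] = None,
                 lNumber3: int = 0, prior_ok: int = 1) -> dict:
    """One pass through the excerpt for one entered code."""
    entered = str(code) if entered is None else entered
    # lNumber6 = lNumber2 = 116; lNumber7 = lNumber2 >= 136; lNumber8 = lNumber2 <= 145
    in_range = int(code == 116 or 136 <= code <= 145)
    if not (prior_ok and in_range):
        return {"valid": False, "message": "FEATURE_INVALID"}      # label197
    code -= 100                         # lNumber2 = lNumber2 - 100
    state.string14[code] = ord("1")     # SetByte(string14, lNumber2, 49)
    feature, users = "", 1              # lString6 (prior value unknown), lNumber4
    if lNumber3 == 0:
        if code == 16:
            feature = "Gerbtool"
        if code in NET_TIERS:           # label183..label191
            users = NET_TIERS[code]
            feature = f"{users}{NUM_NET_USERS}"
        if users > state.number46:      # label192
            state.number46 = users
        # label193: StrFind(string13, lString0) < 0 means "not yet listed";
        # substring semantics kept on purpose, as in the original.
        if entered not in state.string13:
            state.string13 = entered if state.string13 == "" \
                else f"{state.string13}:{entered}"     # label194
    return {"valid": True, "message": "FEATURE_VALID",             # label196
            "feature": feature, "users": users}


def valid_codes() -> List[int]:
    """Every raw code that passes the range test (three-digit input assumed)."""
    return [c for c in range(0, 1000) if c == 116 or 136 <= c <= 145]


def closing_message(state: SetupState) -> Optional[str]:
    """label199: warn that no network tier was granted."""
    if state.number45 and state.number46 <= 2:
        return "NET_USERS"
    return None


if __name__ == "__main__":
    st = SetupState()
    for c in (135, 116, 145):
        print(c, feature_code(c, st))
    print("string14 =", st.string14.decode(), "number46 =", st.number46)
    print("closing:", closing_message(st))
```

    Once the block is in a language you can single-step, the structure is plain: the range test admits eleven values, 116 selects "Gerbtool" with a user count of 1, and 136 through 145 select the network tiers, each setting one byte of the string14 feature map that function119 also builds from F0..F46 in Netreg.ini.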

  5. #5
    This target is very confusing. What you said makes perfect sense, this target actually is tier level controlled based upon the number entered and its allllllways complaining about an invalid number..........LOL. The script decompilation seems to be massive and I'm unable to follow the entry point of the script sequencing because of the tier option controls. Do you think you could contact me via email or maybe a one on one direct chat via IM? If not I understand. You can send me an email or pm via my profile of this board?

    Thanks again for the fast response

    Chris

  6. #6
    Kittmaster:

    When you respond, try to use the small button on the far right or the Quick Reply feature at the bottom, rather than the Quote Button.

    Using the Quote Button, when "quoting" some part of the previous post is not actually required to make the follow-up, simply doubles up the storage load of the previous post. You quoted FrankRizzo's entire post, without any need to do so. If some part relates specifically to your response, just quote that part. This saves room in the database for new information.

    Regards,
    JMI

  7. #7
    No problem, I'll edit my post after I submit this one.

    EDIT: Looks like you already did it for me.......LOL...thanks

    Regards,
    Chris

  8. #8
    No big deal. Just an attempt to remind everyone who may read my response of some general considerations for assisting the proper maintenance of the database load. You did remember to remove the target identifying information, and that was a GOOD thing.

    Regards,
    JMI

  9. #9
    Not to make this thread any longer than necessary..................<but I think I had a little help with that one...........LMAO>

    I love this site.......I missed it while it was "gone"

    Chris
