Installshield express 3.01

Damaging netquartz net based protection.

Sept 2000
by Tsehp
Courtesy of Fravia's page of reverse engineering
slightly edited
by tsehp
There is a crack, a crack in everything That's how the light gets in
( )Beginner (x)Intermediate ( )Advanced ( )Expert

Net based protection are the future, first it was a kind of password checking, easily crackable. Now part of your code is
downloaded and executed on eval apps, I just hope that my small contribution will help to finish them.

Installshield express 3.01

Damaging netquartz net based protection.
Written by Tsehp

I will not explain in this essay what's a pe structure and app dumping procedures, everything
was already explained before.
All we have to do is to apply this small technique to get a fresh app, without net checks
Tools required
A packet sniffer

Target's URL/FTP  the target is installshield express 3.01 the protector
Launch your packet sniffer and start iside.exe, lots of packets. Look at them :
code requests, mem registers, values, all kind of stuff necessary for ntqz0.exe to initialize
and start.
Tracing into iside.exe, I found a loadlibrarya that inits the client dll : el32.dll.
While looking at my modem, I saw some activity starting here :

100054c2		 call    sub_10008360 <-netquartz nag and inits
100054C7                 test    eax, eax
100054C9                 jz      short loc_1000553F
100054CB                 mov     dword_1007F94C, 0
100054D5                 mov     ecx, offset unk_1007F778
100054DA                 call    sub_1000C750
100054DF                 mov     dword_1007F41C, offset unk_1007F428
100054E9                 mov     edx, dword_1007F45C
100054EF                 add     edx, 3FFFCh
100054F5                 mov     dword_1007F388, edx
100054FB                 mov     eax, dword_1007F4A0
10005500                 add     eax, 3FFFCh
10005505                 mov     dword_1007F4B4, eax
1000550A                 mov     esp, dword_1007F4B4
10005510                 mov     ebp, esp
10005512                 call    sub_10006920 <- the code inits starts here
10005517                 push    ebp
10005518                 mov     dword_1007F32C, esp
1000551E                 mov     esp, dword_1007F390
10005524                 mov     ebp, esp
10005526                 mov     esp, dword_1007F32C
1000552C                 pop     ebp
1000552D                 push    98765432h
10005532                 call    sub_100065C0 <- puts some flags in mem (8 x FF in 47f360)
10005537                 jmp     dword_1007F378 <-this jumps to ntqz0.exe
When the net exchange stops, el32.exe creates a process with ntqz0.exe and starts installshield.
All we have to do is to dump ntqz0.exe and fix the sections.

Let me help a a little :
starting point: 414da4
fix the data section size to 4000
fix the resource section : raw offset = 8000 size = 11b60
Start your dump, it does nothing.

Look at this snippet :
00414E69                 push    eax             ; lpStartupInfo
00414E6A                 call    ds:GetStartupInfoA
00414E70                 test    byte ptr [ebp-30h], 1
00414E74                 jz      short loc_414E87
00414E76                 movzx   eax, word ptr [ebp-2Ch]
00414E7A                 jmp     short loc_414E8A
The call to getstartupinfoA does nothing, just because the createprocess from el32.exe was not
executed, so your dump doesn't have some startup info.
We also have this little problem :

00414E8A                 push    eax
00414E8B                 push    esi
00414E8C                 push    ebx
00414E8D                 push    ebx             ; lpModuleName
00414E8E                 call    ds:GetModuleHandleA
00414E94                 push    eax
00414E95                 call    sub_45AF08
00414E9A                 mov     [ebp-68h], eax
00414E9D                 push    eax
00414E9E                 call    ds:exit
The ebx pushed before getmodulehandle is equal to 0 when you start the real eval, in your dump
ebx contains another value, a dll module adress. If we dont fix it, the dump will crash later,
trying to access some resources with a invalid handle. We have to zero ebx just before the call.
The patch looks like this :

00414E69                 push    eax
00414E6A                 xor     ebx, ebx
00414E6C                 jmp     short loc_414E87
And everything works fine now, without the netquartz link...Sooo easy ;-)


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?