Change a temporary file
InstallShield Demo 5.5
student 
Not Assigned 
27 May 1999
by Archimede
Courtesy of Fravia's pages of reverse engineering
slightly edited
by fravia+
fra_00xx 
980527 
Archimede 
1100 
NA 
PC
Archimede's approach should be of some interest for all protectors and specifically for Bill, Eric and all other Installshield friends... I'm sure that the next "demo" version will be much better protected.
Sorry for the publishing delay, Archimede.
Your 'personal glory' (sort of :-) is assured. Good work: awaiting more. You drink a lot of beer, choose well: I suggest you try Leffe Blonde, a very good and widespread beer that you should be able to find in Italy as well. I'm drinking one right now, eheh :-)
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert 

Long time since my last essay, but my English has not got any better: I hope you'll understand it anyway! I've found this program really interesting for me and for my job, so I decided to transform it from a trial copy into a fully functional tool; then, after having done it, I thought that the crack method and approach I used could be very helpful for the beginners and the protectors who peruse this site and ... here it is!

Reverse engineering
of
InstallShield Eval/DemoVersion 5.5
(Change a temporary file)
Written by Archimede
 

Introduction 
Hello guys, new (perhaps only for me) protection scheme and new crack. The idea of modifying the temporary
file created during setup 'on the fly' was given to me by +Xoanon (we are from the same country) when I read his essay about the VBox protection scheme. To obtain the final result you must change a lot of bytes and overwrite an entire function in the original program, but after that you can use the changed file for every installation you'll ever want to build.

Tools required 
WDASM (ver 8.x)
SoftICE (3.x)
Hex editor
Another computer
Brain (a little)
Luck (it's never too much)

Target's URL/FTP 
You can find it at http://www.installshield.com

Program History 

I never met this target before, so I don't know anything about its previous protection schemes; anyway, I will explain its features:
InstallShield allows you to create a professional setup procedure for your own program, and since it soon became the standard in Windows software distribution, everyone has seen a program setup made with it at least once.
The Eval version (I think they could have called it Demo version) lets you compile the files and produce a fully functional application, but any setup built using this edition will only run on the system on which it was developed.
That's why, in order to reverse it, you will need two setup programs: one built on your computer and one built on another computer, with the same files but, obviously, not allowed to work correctly.
 
Essay 

Have you got everything with you? I mean: an iced bottle of your favourite beer, a full box of cigarettes (if you smoke) and the tools listed above? OK! Follow me!

First of all you have to produce two identical setup procedures (with the same files), one on your computer and one on another one.
So you obtain the same setup files stored in the C:\My Installation\(Your App)\Media\Default\Disk Image\Disk1 folder.
Now copy the files built by the second computer onto your PC, in order to better follow the different behaviour
of the two programs.
If you start the protected copy by double-clicking on the file SETUP.EXE you see a message box that says more or less: 'You must recompile the file SETUP.INS with the professional edition of the software.'
A MessageBox?!?!?!?! Nothing easier than breakpointing this routine with SoftICE and watching in which module this function is called:
                             _INS5576!
Where is this file? Use the Windows find tool to see where it's stored. But pay attention: if you push the OK button in the MessageBox the program goes on and deletes the file before quitting, so perform the search before confirming the message and you'll find our precious file in the _istmp.dir directory in C:\Windows\Temp, together with two other files created temporarily by the setup program.
Save a copy on your hard drive and then let the setup program delete it.

-------------------------    Step One : Crack the program       -----------------

OK! If the file _ins5576._mp contains executable code it must be an exe or a dll, so let's try changing the extension...
and voila', the file _ins5576.exe is the right one (now you can see the icon).
In order to reach the exact snippet of code where the program executes the protection routine we can use a very simple method: it's a 'dirty' method, not stylistically correct, and it requires a little bit of 'handwork'. Some +Cracker could twist his face, but I often try to walk this street before passing to a harder attack!

Just after SoftICE pops up in the MessageBox API routine, press F12 (execute till the first RET instruction).
Set a breakpoint at the instruction just above (usually the call you are returning from). Do it three or four times (until you are in the file _ins5576).
Here are the occurrences you must find:

Set a BP here ---> 004394A0 call User32!MessageBox
You ret here  --->  004394A6 push 01

then F12

Set a BP here ---> 0043D4FA call 0043920E
You ret here  --->  0043D4FF push 01

then F12

Set a BP here ---> 0043B4B0 call 0043D497
You ret here  --->  0043B4B5 pop ecx

then F12

Set a BP here ---> 00437B99 call 0043B3A2
You ret here  --->  00437B9E mov [0048AAEC], eax
 
Then let the program end and execute the good version of setup.exe.
It'll break where you have set the BPs, but obviously not at all of them, because somewhere the execution of the program changes its course and doesn't pass through the bad way! Is it all clear?
If not, take a look at my previous essay where I explain this method better: WindownloadCrack

I'm finishing my cigarettes... and so my beer! (I'd better correct my English tomorrow morning.)

OK, if all went well the ICE will pop up only once, at: 00437B99 call 0043B3A2
It means that the protection routine lies between this address and the next breakpoint the program should have met. So reload and run the good version of setup.exe and, after the first breakpoint (00437B99), step through the code and take note of every conditional jump you meet (JZ, JE, JNZ, etc.) and of what the program does (whether it jumps or not). I've found this:

Address     Instr.    Jump or not
.......
43B3C7      JNZ       Y
43B3F1      JNZ       Y
43B413      JNZ       Y
43B445      JNZ       Y
43B498      JNZ       N
43B4A1      JNZ       Y
43B505      JNZ       Y
..... and more.

OK, repeat the same operation with the bad version and look:

The behaviour is identical up to the address 0043B4A1, where the program doesn't jump.
Before executing the instruction, change the result of the TEST EAX,EAX by typing R FL Z at the SoftICE command line: that toggles the zero flag
on which the JNZ depends. Then release the program (Ctrl+D).
That's it! The program works fine even if you use the protected version of it!
Nothing very new in this crack, but now we have to make it permanent.

------------------      Step two : Change a temporary file      -----------------------------

First of all I need another beer (I'm not an alcoholic, but sometimes I like to spend the night in front of a computer drinking
something that tastes bitter.)

OK! Let's go. We need to know how the setup program (setup.exe is the program executed first) calls the code in the
file _ins5576._mp after creating it.
Use WDASM to disassemble it and look for some Windows routine a program can use to launch a file or a thread, like
CreateProcess or CreateThread or ...
The WinExec function caught my attention (a little luck and a little experience), so I decided to breakpoint it and ran the program.
When ICE popped up I returned from the routine and set a BP right at the address of the call, in order to stop the program before the call is made, and restarted the program once again.
I did it in order to know which value is stored in EAX just before the call, because this register points to the name of the file that will be executed.
Yes! Here we are! But now we have another problem, because the file isn't loaded into memory yet! So we can't change
a memory location: we must step into the file on the hard drive after its creation and before its execution.
First of all we need to find a snippet of code in the file SETUP.EXE to overwrite, and then write the code that opens the file and makes the change.
1.- Look at the imported function called VERSION.VerLanguageNameA and try to breakpoint it, then run the good application
and wait... nothing breaks. That's good: this function can be overwritten without compromising the correct progress of the application.
2.- Here is the code:
:004025F0 50                      push eax                    save the value (it points to the file name)
:004025F1 33FF                    xor edi, edi
:004025F3 57                      push edi                    CreateFileA parameters: hTemplateFile = 0
:004025F4 6880000000              push 00000080               dwFlagsAndAttributes = 80h (FILE_ATTRIBUTE_NORMAL)
:004025F9 6A03                    push 00000003               dwCreationDisposition = 3 (OPEN_EXISTING: open only if the file exists)
:004025FB 57                      push edi                    lpSecurityAttributes = 0
:004025FC 57                      push edi                    dwShareMode = 0
:004025FD 6800000040              push 40000000               dwDesiredAccess = GENERIC_WRITE
:00402602 50                      push eax                    lpFileName: the file name pointer we just saved
* Reference To: KERNEL32.CreateFileA, Ord:0031h
                                  |
:00402603 FF15E4D04000            Call dword ptr [0040D0E4]
:00402609 50                      push eax                    save the file handle returned by CreateFile (this copy is consumed by CloseHandle at the end)
:0040260A 50                      push eax                    and again (this copy is popped back after SetFilePointer)
:0040260B 57                      push edi                    SetFilePointer parameters: dwMoveMethod = 0 (FILE_BEGIN)
:0040260C 57                      push edi                    lpDistanceToMoveHigh = 0
:0040260D 689FA80300              push 0003A89F               lDistanceToMove: the file position where you'll make your change
:00402612 50                      push eax                    hFile: the handle of the file
* Reference To: KERNEL32.SetFilePointer, Ord:0219h
                                  |
:00402613 FF15A4D04000            Call dword ptr [0040D0A4]
:00402619 58                      pop eax                     retrieve the handle of the file
:0040261A 57                      push edi                    WriteFile parameters: lpOverlapped = 0
:0040261B BF9C274100              mov edi, 0041279C           generic pointer into the file's data section, used for the bytes-written count
                                                              (I chose this location because all the other WinExec calls in Setup.exe use it)
:00402620 C70700000000            mov dword ptr [edi], 00000000   (better if zero)
:00402626 57                      push edi                    lpNumberOfBytesWritten
:00402627 6A02                    push 00000002               nNumberOfBytesToWrite: two bytes
:00402629 6842264000              push 00402642               lpBuffer: points to the two bytes to write (see 00402642 below)
:0040262E 50                      push eax                    hFile
* Reference To: KERNEL32.WriteFile, Ord:027Bh
                                  |
:0040262F FF158CD04000            Call dword ptr [0040D08C]
* Reference To: KERNEL32.CloseHandle, Ord:0018h
                                  |
:00402635 FF15F0D04000            Call dword ptr [0040D0F0]   closes the handle copy saved at 00402609
:0040263B 58                      pop eax                     retrieve the pointer to the file name we saved at the beginning
:0040263C 6A01                    push 00000001               these three instructions were overwritten when changing the call to WinExec (see below)
:0040263E 50                      push eax
:0040263F FFD6                    call esi                    WinExec(file name, SW_SHOWNORMAL)
:00402641 C3                      ret
:00402642 40                      inc eax                     the two bytes to write into the file
:00402643 90                      nop
:00402644 ??                      ???
:00402645 ??                      ???
:00402646 ??                      ???

This function changes the TEST EAX,EAX instruction that precedes the conditional jump JNZ at 43B4A1 into:

                          inc eax
                          nop

That's all! We are at the end of our work!
No, sorry, I forgot a very important thing:
we must change the program before it calls the WinExec routine, in order to execute our own code.
So the following:

* Reference To: KERNEL32.WinExec, Ord:026Fh
                                  |
:00405876 8B350CD14000            mov esi, dword ptr [0040D10C]
:0040587C 8D85F8FEFFFF            lea eax, dword ptr [ebp+FEF8]
:00405882 6A01                             push 00000001
:00405884 50                                   push eax
:00405885 FFD6                             call esi

 must be changed like this:

* Reference To: KERNEL32.WinExec, Ord:026Fh
                                  |
:00405876 8B350CD14000            mov esi, dword ptr [0040D10C]
:0040587C 8D85F8FEFFFF            lea eax, dword ptr [ebp+FEF8]
:00405882 E869CDFFFF              call 004025F0

You must also overwrite the two push instructions, but it's enough to put them at the end of our routine.
Thanks for your attention and your patience.
 

Final Notes 
That's all folks!
This is not a difficult crack, but it's very long to do and a little bit boring!
Don't be afraid, because once you have prepared a setup file cracked like this you can save it in the
InstallShield\InstallShild 5.5 Professional Edition\Redistributable\Uncompressed Files\Language Indipendent\Intel32      and
InstallShield\InstallShild 5.5 Professional Edition\General Data\Blank Setup\Media\Default\Disk Images\Disk1
directories, and the program will put your modified stub into every new setup it creates.
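Seen from the protector's side (the "InstallShield friends" of the introduction), the check this last point calls for is integrity verification of the redistributed stub: a byte-for-byte comparison against a known-good copy that lists every patched run with its file offset. The following is an example added here, not code from the essay or from InstallShield; GOOD and SUSPECT are constructed stand-ins for the two files, and their offsets and bytes are made up.

```python
# Constructed example for this essay, not InstallShield's code: GOOD and SUSPECT are
# synthetic stand-ins for a known-good stub and a copy found in the redistributable
# directory; the offsets and bytes are made up.
import hashlib
from typing import List, Optional, Tuple

Run = Tuple[int, bytes, bytes]  # (file offset, expected bytes, actual bytes)

def diff_runs(good: bytes, suspect: bytes) -> List[Run]:
    """Return every contiguous run of differing bytes; a length mismatch is
    reported as a final run, so a truncated or padded copy is never accepted."""
    runs: List[Run] = []
    n = min(len(good), len(suspect))
    start: Optional[int] = None
    for i in range(n):
        if good[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, good[start:i], suspect[start:i]))
            start = None
    if start is not None:
        runs.append((start, good[start:n], suspect[start:n]))
    if len(good) != len(suspect):
        runs.append((n, good[n:], suspect[n:]))
    return runs

def report(good: bytes, suspect: bytes) -> str:
    """Hashes first, then one line per patched run with its file offset."""
    lines = [f"sha256 known-good: {hashlib.sha256(good).hexdigest()}",
             f"sha256 suspect:    {hashlib.sha256(suspect).hexdigest()}"]
    for off, exp, act in diff_runs(good, suspect):
        lines.append(f"offset 0x{off:08X}: {exp.hex(' ') or '<none>'} -> "
                     f"{act.hex(' ') or '<none>'}")
    return "\n".join(lines)

# Constructed sample data (NOT real file contents).
GOOD = bytes((i * 37 + 11) & 0xFF for i in range(0x200))
_patched = bytearray(GOOD)
_patched[0x9F:0xA1] = b"\x40\x90"                # 2-byte patch (test eax,eax -> inc eax / nop)
_patched[0x182:0x187] = b"\xE8\x00\x00\x00\x00"  # 5-byte patch (a rewritten call)
SUSPECT = bytes(_patched)

if __name__ == "__main__":
    print(report(GOOD, SUSPECT))
```

On real files, read both with open(path, "rb").read() and feed them to report(); a clean redistributable prints the two hashes and nothing else.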

 

Ob Duh 

I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.


"Copy-protection schemes": elegant devices for training the next generation of assembly-language programmers