installshield 6.0 scripting trouble


archmage
December 15th, 2002, 10:00
hello all

I am reversing an InstallShield 6.0 compiled installer. I have read many tutorials, but I am having a bit of difficulty. It seems that the protection for the serial is in the script itself, but I really don't understand what is going on. Can anyone clarify for me what this code does?

/* 00004DD0: 0006 */ n0007 = 0x00015601; //a standard value?
/* 00004DDC: 0006 */ n0008 = 0x00000040;
/* 00004DE8: 0006 */ n0009 = 0x00000051;
/* 00004DF4: 0006 */ n000A = 0x0000007D;
/* 00004E00: 0029 */ StrSub(s0009, s0006, 0x00000000, 0x00000003);
/* 00004E14: 002C */ StrToNum(n0004, s0009);
/* 00004E1E: 0029 */ StrSub(s0009, s0006, 0x00000004, 0x00000001);
/* 00004E32: 0006 */ s000A = s0009;
/* 00004E3C: 0029 */ StrSub(s0009, s0006, 0x00000006, 0x00000001);
/* 00004E50: 0007 */ s000A = s000A + s0009;
/* 00004E5D: 0029 */ StrSub(s0009, s0006, 0x00000008, 0x00000001);
/* 00004E71: 0007 */ s000A = s000A + s0009;
/* 00004E7E: 0029 */ StrSub(s0009, s0006, 0x0000000A, 0x00000001);
/* 00004E92: 0007 */ s000A = s000A + s0009;
/* 00004E9F: 0029 */ StrSub(s0009, s0006, 0x0000000C, 0x00000001);
/* 00004EB3: 0007 */ s000A = s000A + s0009;
/* 00004EC0: 002C */ StrToNum(n0005, s000A);
/* 00004ECA: 0029 */ StrSub(s0009, s0006, 0x00000005, 0x00000001);
/* 00004EDE: 0006 */ s000A = s0009;
/* 00004EE8: 0029 */ StrSub(s0009, s0006, 0x00000007, 0x00000001);
/* 00004EFC: 0007 */ s000A = s000A + s0009;
/* 00004F09: 0029 */ StrSub(s0009, s0006, 0x00000009, 0x00000001);
/* 00004F1D: 0007 */ s000A = s000A + s0009;
/* 00004F2A: 0029 */ StrSub(s0009, s0006, 0x0000000B, 0x00000001);
/* 00004F3E: 0007 */ s000A = s000A + s0009;
/* 00004F4B: 0029 */ StrSub(s0009, s0006, 0x0000000D, 0x00000001);
/* 00004F5F: 0007 */ s000A = s000A + s0009;
/* 00004F6C: 002C */ StrToNum(n0006, s000A);
/* 00004F76: 0010 */ n000B = n0008 * n0004;
/* 00004F83: 0010 */ n000C = n0009 * n0005;
/* 00004F90: 0007 */ n000B = n000B + n000C;
/* 00004F9D: 0007 */ n000B = n000B + n000A;
/* 00004FAA: 0008 */ n000B = n000B % n0007;
/* 00004FB7: 000F */ n000B = n0006 - n000B;
/* 00004FC4: 000F */ n0000 = n000B - 0x00002710;
/* 00004FD3: 000D */ n000B = n0000 == 0x00000000;
/* 00004FE2: 0004 */ if(! n000B) goto label_0008; // normal if also, this is the bad boy jump
/* 00004FEE: 0005 */ goto label_0009; //good cracker!

thank you!

Solomon
December 15th, 2002, 10:22
My suggestion is: get an InstallShield package from Google and install it, then read its help for its API references such as StrSub/StrToNum ...

archmage
December 15th, 2002, 12:32
hey, thanks for your quick reply!

but I already figured it out and I have found it's similar to VB, so I coded a VB program to try it, but I guess this would be a bit of a brute force program, am I right?

I don't know how to brute force it though... any suggestions?

(please don't make comments on VB, I know more languages but VB seems to do the job well)

squidge
December 15th, 2002, 14:25
What you have there seems to be some kind of serial CHECKING algorithm. You'll need to reverse it to create a generator instead. With what you have that's not too hard to do - just think about maths class and rearranging equations to find the missing numbers etc. and it'll come out quite easily. Then you can use the checking algorithm to verify your code works. No need for brute force.

archmage
December 15th, 2002, 15:00
look at this before the serial label

it does this, then it goes ahead and jumps to the algorithm under one condition: it checks for n000B to equal 12, if(!n000B),
or otherwise if FALSE, then jump to the checking algorithm, or am I right?? I'm really confused... heh... any clarifications would be appreciated

// : Jump Referenced(3):
// : 00004D46, 0000505F, 000050C1,
label_0006:
/* 00004D5D: 0006 */ s0000 = "";
/* 00004D67: 0021 */ function_00DC("ASK_SERIAL_NUMBER");
/* 00004D81: 0006 */ s0001 = LAST_RESULT;
/* 00004D8B: 0021 */ function_0157(s0000, s0001, s0004, s0005, s0006);
/* 00004DA0: 0006 */ n0000 = LAST_RESULT;
/* 00004DAA: 000D */ n000B = n0000 == 0x0000000C;
/* 00004DB9: 0004 */ if(! n000B) goto label_0007; // normal if
/* 00004DC5: 0005 */ goto label_0005;


plus, the serial would have to be 14+ digits
since later on, as you can see above, the code checks for StrSub(C,1) and StrSub(D,1), or for the 13th and 14th digit

so it can't be less than 12, right?

thank you!

[edit begin]

30931804804051

that serial would then make that same code I posted 2 posts above true, right? let's look at the math

309 3 1 8 0 4 8 0 4 0 5 1
1 0 8 4 5 <= this is the 5th,7th,9th,11th,and 13th
8 4 0 0 1 <= this is the 6th,8th,10th,12th,and 14th

ok, so now, we see that the serial calculates like this

n000B = 64 * n0004;
64 * (first 3 characters)

64 * 309


n000C = n0009 * n0005;
= (last digit) * (5th, 7th, 9th, 11th, and 13th digit)

5 * 10845

n000B = n000B + n000C;

54225 + 19776

n000B = n000B % 87553;
74001 % 87553

n000B = n0006 - n000B;
(6th,8th,10th,12th,and 14th digit) - n000B

84001 - 74001 //the result here has to be 10000


n0000 = n000B - 10000 (decimal);
10000 - 10000

if(n0000 == 0)
n000B = true;
else
n000B = false;

except that serial gives me "wrong serial, try again". why?