Installshield express 3.01


Damaging netquartz net based protection.

Sept 2000
by Tsehp
Courtesy of Reverser's page of reverse engineering
slightly edited
by tsehp
 
There is a crack, a crack in everything. That's how the light gets in.
 
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert
 

Net-based protections are the future: first it was a kind of password check, easily crackable. Now part of your code is
downloaded and executed in eval apps; I just hope that my small contribution will help to finish them.



Introduction
I will not explain in this essay what a PE structure is or the app dumping procedures; everything
was already explained before.
All we have to do is apply this small technique to get a fresh app, without net checks.
Tools required
Icedump
IDA
Hex editor
A packet sniffer

Target's URL/FTP
www.installshield.com (the target is InstallShield Express 3.01)
www.netquartz.com (the protector)
Essay
Launch your packet sniffer and start iside.exe: lots of packets. Look at them:
code requests, memory registers, values, all kinds of stuff necessary for ntqz0.exe to initialize
and start.
Tracing into iside.exe, I found a LoadLibraryA that inits the client DLL: el32.dll.
While looking at my modem, I saw some activity starting here:

100054C2                 call    sub_10008360 <- netquartz nag and inits
100054C7                 test    eax, eax
100054C9                 jz      short loc_1000553F
100054CB                 mov     dword_1007F94C, 0
100054D5                 mov     ecx, offset unk_1007F778
100054DA                 call    sub_1000C750
100054DF                 mov     dword_1007F41C, offset unk_1007F428
100054E9                 mov     edx, dword_1007F45C
100054EF                 add     edx, 3FFFCh
100054F5                 mov     dword_1007F388, edx
100054FB                 mov     eax, dword_1007F4A0
10005500                 add     eax, 3FFFCh
10005505                 mov     dword_1007F4B4, eax
1000550A                 mov     esp, dword_1007F4B4
10005510                 mov     ebp, esp
10005512                 call    sub_10006920 <- the code inits starts here
10005517                 push    ebp
10005518                 mov     dword_1007F32C, esp
1000551E                 mov     esp, dword_1007F390
10005524                 mov     ebp, esp
10005526                 mov     esp, dword_1007F32C
1000552C                 pop     ebp
1000552D                 push    98765432h
10005532                 call    sub_100065C0 <- puts some flags in mem (8 x FF in 47f360)
10005537                 jmp     dword_1007F378 <-this jumps to ntqz0.exe
When the net exchange stops, el32.exe creates a process with ntqz0.exe and starts InstallShield.
All we have to do is dump ntqz0.exe and fix the sections.

Let me help a little:
starting point: 414da4
fix the data section size to 4000
fix the resource section: raw offset = 8000, size = 11b60
Start your dump; it does nothing.

Look at this snippet:
00414E69                 push    eax             ; lpStartupInfo
00414E6A                 call    ds:GetStartupInfoA
00414E70                 test    byte ptr [ebp-30h], 1
00414E74                 jz      short loc_414E87
00414E76                 movzx   eax, word ptr [ebp-2Ch]
00414E7A                 jmp     short loc_414E8A
The call to GetStartupInfoA does nothing, just because the CreateProcess from el32.exe was not
executed, so your dump doesn't have some startup info.
We also have this little problem:

00414E8A                 push    eax
00414E8B                 push    esi
00414E8C                 push    ebx
00414E8D                 push    ebx             ; lpModuleName
00414E8E                 call    ds:GetModuleHandleA
00414E94                 push    eax
00414E95                 call    sub_45AF08
00414E9A                 mov     [ebp-68h], eax
00414E9D                 push    eax
00414E9E                 call    ds:exit
The ebx pushed before GetModuleHandleA is equal to 0 when you start the real eval; in your dump
ebx contains another value, a DLL module address. If we don't fix it, the dump will crash later,
trying to access some resources with an invalid handle. We have to zero ebx just before the call.
The patch looks like this:

00414E69                 push    eax
00414E6A                 xor     ebx, ebx
00414E6C                 jmp     short loc_414E87
And everything works fine now, without the netquartz link... Sooo easy ;-)
 
Tsehp


 



Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

Hmm... looks familiar, doesn't it? Well, since we already know that the return value is non-zero for a valid serial, we know that we do NOT want to take any jump that would result from the call returning zero (and hence an "equal" test result). So, we will patch this location as well, again ridding ourselves of the je instruction. Don't jump over to HIEW just yet though, because we have another location to do. For now, just note the address (004A30FE) and that we need to nop two bytes.

On to the other location, 004A31CA:

:004A31CA E8CDFDFFFF call 004A2F9C
:004A31CF 85C0 test eax, eax
:004A31D1 743F je 004A3212

Damn... this really gets repetitive. :-). We can assume exactly the same as we did at the last location. We note down the address, and that the je instruction is two bytes long.

Now go over into HIEW (or your alternate hex editor) and nop (90) out two bytes at each of the noted locations. Save, then exit. Run the program and enter any name (of at least 5 characters, because we didn't patch the length check, and I didn't deal with it here) and any serial. There is a check for a - (dash) in the serial, and I don't remember whether this was inside or out of the routine we patched, so if it doesn't take without it, just put a dash somewhere in the serial you use.

Congratulations! You just patched a program that checked the reg info in multiple places, and made it take your serial! (That wasn't so hard, now was it?)

Contact Info:
-------------
Find this tutorial helpful? Too long? Too little info explained? Find a mistake? Feel free to drop me a line at Rith@rith.cjb.net. Note that I will not crack requests nor will I send cracks. Only contact me about tutorials I have written.

Greetz:
-------
Greetings go out to all those who have helped me along my way over the past couple of years. You know who you are, and I don't want to embarrass myself (or upset anyone) by forgetting to mention someone, so I will not try to list you all here. Thank you for taking the time to help.


Serious Remonstration:
----------------------
mIRC is a beautiful work of art. I love it and Khaled Mardam-Bey (the author, whom I have communicated with personally about bugs/updates) has done a very good job on it, and put in a LOT of work. If you like the program you should BUY it.


-Rith
July 15, 2000