InstallShield Express 3.01
Defeating NetQuartz net-based protection.
I will not explain in this essay what a PE structure is or how to dump an application; all of that has been explained before. All we have to do is apply this small technique to get a fresh application without the net checks.
Launch your packet sniffer and start iside.exe: lots of packets. Look at them: code requests, memory registers, values, all kinds of stuff necessary for ntqz0.exe to initialize and start. Tracing into iside.exe, I found a LoadLibraryA that inits the client DLL, el32.dll. While looking at my modem, I saw some activity starting here:

    100054C2 call sub_10008360            <- NetQuartz nag and inits
    100054C7 test eax, eax
    100054C9 jz short loc_1000553F
    100054CB mov dword_1007F94C, 0
    100054D5 mov ecx, offset unk_1007F778
    100054DA call sub_1000C750
    100054DF mov dword_1007F41C, offset unk_1007F428
    100054E9 mov edx, dword_1007F45C
    100054EF add edx, 3FFFCh
    100054F5 mov dword_1007F388, edx
    100054FB mov eax, dword_1007F4A0
    10005500 add eax, 3FFFCh
    10005505 mov dword_1007F4B4, eax
    1000550A mov esp, dword_1007F4B4
    10005510 mov ebp, esp
    10005512 call sub_10006920            <- the code inits start here
    10005517 push ebp
    10005518 mov dword_1007F32C, esp
    1000551E mov esp, dword_1007F390
    10005524 mov ebp, esp
    10005526 mov esp, dword_1007F32C
    1000552C pop ebp
    1000552D push 98765432h
    10005532 call sub_100065C0            <- puts some flags in memory (8 x FF at 47f360)
    10005537 jmp dword_1007F378           <- this jumps to ntqz0.exe
When the net exchange stops, el32.exe creates a process with ntqz0.exe and starts InstallShield. All we have to do is dump ntqz0.exe and fix the sections. Let me help a little:
    starting point: 414da4
    fix the data section size to 4000
    fix the resource section: raw offset = 8000, size = 11b60
Start your dump: it does nothing. Look at this snippet:

    00414E69 push eax                     ; lpStartupInfo
    00414E6A call ds:GetStartupInfoA
    00414E70 test byte ptr [ebp-30h], 1
    00414E74 jz short loc_414E87
    00414E76 movzx eax, word ptr [ebp-2Ch]
    00414E7A jmp short loc_414E8A

The call to GetStartupInfoA does nothing, because the CreateProcess from el32.exe was not executed, so your dump lacks some startup info. We also have this little problem:

    00414E8A push eax
    00414E8B push esi
    00414E8C push ebx
    00414E8D push ebx                     ; lpModuleName
    00414E8E call ds:GetModuleHandleA
    00414E94 push eax
    00414E95 call sub_45AF08
    00414E9A mov [ebp-68h], eax
    00414E9D push eax
    00414E9E call ds:exit
The ebx pushed before GetModuleHandleA is equal to 0 when you start the real eval; in your dump ebx contains another value, a DLL module address. If we don't fix it, the dump will crash later, trying to access some resources with an invalid handle. We have to zero ebx just before the call.
The patch looks like this:

    00414E69 push eax
    00414E6A xor ebx, ebx
    00414E6C jmp short loc_414E87
And everything works fine now, without the NetQuartz link... Sooo easy ;-)
Hmm... looks familiar, doesn't it? Well, since we already know that the return value is non-zero for a valid serial, we know that we do NOT want to take any jump that would result from the call returning zero (and hence an "equal" test result). So, we will patch this location as well, again ridding ourselves of the je instruction. Don't jump over to HIEW just yet though, because we have another location to do. For now, just note the address (004A30FE) and that we need to nop two bytes.
On to the other location, 004A31CA:
    :004A31CA E8CDFDFFFF    call 004A2F9C
    :004A31CF 85C0          test eax, eax
    :004A31D1 743F          je 004A3212
Damn... this really gets repetitive. :-). We can assume exactly the same as we did at the last location. We note down the address, and that the je instruction is two bytes long.
Now go over into HIEW (or your alternate hex editor) and nop (90) out two bytes at each of the noted locations. Save, then exit. Run the program and enter any name (of at least 5 characters, because we didn't patch the length check, and I didn't deal with it here) and any serial. There is a check for a - (dash) in the serial, and I don't remember whether this was inside or out of the routine we patched, so if it doesn't take without it, just put a dash somewhere in the serial you use.
Congratulations! You just patched a program that checked the reg info in multiple places, and made it take your serial! (That wasn't so hard, now was it?)
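The defender's side of the patch just described, as an added example that is not part of either tutorial on this page: a `je` (74 xx) sitting right after `test eax, eax` (85 C0) gets overwritten with two NOPs (90 90), so a vendor-side integrity check can look for exactly that byte pattern and can also compare a hash of the code section against a known-good value. The byte sequences below are constructed from the listing at 004A31CA above; the function names are my own.

```python
"""Tamper check for a binary whose registration tests have been NOPed out.

Added example (not the tutorial's code). Two complementary checks:
  1. a pattern scan for `test eax, eax` followed by two NOPs, which is what
     the patch in the text leaves behind;
  2. a SHA-256 over the code section compared to a known-good digest, which
     catches any byte change regardless of pattern.
"""
import hashlib

TEST_EAX_EAX = b"\x85\xC0"   # test eax, eax
NOP2 = b"\x90\x90"           # the two bytes that replace a short je

# Constructed byte sequences standing in for a stretch of the code section.
# Original: call rel32; test eax, eax; je +0x3F  (mirrors the listing at 004A31CA)
ORIGINAL = bytes.fromhex("E8CDFDFFFF85C0743F")
# Patched: the two-byte je replaced with two NOPs
PATCHED = bytes.fromhex("E8CDFDFFFF85C09090")


def find_nopped_tests(code: bytes) -> list[int]:
    """Return offsets of every `test eax, eax` immediately followed by 90 90."""
    hits = []
    idx = code.find(TEST_EAX_EAX)
    while idx != -1:
        if code[idx + 2: idx + 4] == NOP2:
            hits.append(idx)
        idx = code.find(TEST_EAX_EAX, idx + 1)
    return hits


def code_section_digest(code: bytes) -> str:
    """SHA-256 of the code bytes; the known-good value is recorded at build time."""
    return hashlib.sha256(code).hexdigest()


def integrity_check(code: bytes, expected_digest: str) -> dict:
    """Combine both checks so a digest mismatch is reported with the likely cause."""
    return {
        "digest_ok": code_section_digest(code) == expected_digest,
        "nopped_tests": find_nopped_tests(code),
    }


if __name__ == "__main__":
    good = code_section_digest(ORIGINAL)
    print("original:", integrity_check(ORIGINAL, good))
    print("patched: ", integrity_check(PATCHED, good))
```

The pattern scan is a heuristic (two genuine NOPs after a `test` are legal code), so the digest comparison is the authoritative check; the scan only explains what changed.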
Find this tutorial helpful? Too long? Too little info explained? Find a mistake? Feel free to drop me a line at Rith@rith.cjb.net. Note that I will not crack requests nor will I send cracks. Only contact me about tutorials I have written.
Greetings go out to all those who have helped me along my way over the past couple of years. You know who you are, and I don't want to embarrass myself (or upset anyone) by forgetting to mention someone, so I will not try to list you all here. Thank you for taking the time to help.
mIRC is a beautiful work of art. I love it and Khaled Mardam-Bey (the author, whom I have communicated with personally about bugs/updates) has done a very good job on it, and put in a LOT of work. If you like the program you should BUY it.
July 15, 2000