Installshield Express 3.01
Damaging NetQuartz net-based protection.

Sept 2000
by Tsehp

Courtesy of Fravia's page of reverse engineering
slightly edited by tsehp

There is a crack, a crack in everything
That's how the light gets in

Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert
Net-based protections are the future. At first they were a kind of password check, easily crackable. Now part of the program's code is downloaded over the net and executed inside the evaluation copy; I just hope that my small contribution will help to finish them off.
I will not explain in this essay what a PE structure is or how an application is dumped; both have already been explained elsewhere. All we have to do is apply this small technique to get a fresh app, free of the net checks.

Tools:
IceDump
IDA
a hex editor
a packet sniffer

Target: InstallShield Express 3.01, www.installshield.com
Protector: NetQuartz, www.netquartz.com
Launch your packet sniffer and start iside.exe: lots of packets. Look at them: code requests, memory registers, values, all kinds of stuff necessary for ntqz0.exe to initialize and start.
Tracing into iside.exe, I found a LoadLibraryA that loads the client DLL, el32.dll. Watching my modem, I saw the activity start here:
100054c2 call sub_10008360 <-netquartz nag and inits
100054C7 test eax, eax
100054C9 jz short loc_1000553F
100054CB mov dword_1007F94C, 0
100054D5 mov ecx, offset unk_1007F778
100054DA call sub_1000C750
100054DF mov dword_1007F41C, offset unk_1007F428
100054E9 mov edx, dword_1007F45C
100054EF add edx, 3FFFCh
100054F5 mov dword_1007F388, edx
100054FB mov eax, dword_1007F4A0
10005500 add eax, 3FFFCh
10005505 mov dword_1007F4B4, eax
1000550A mov esp, dword_1007F4B4
10005510 mov ebp, esp
10005512 call sub_10006920 <- the code init starts here
10005517 push ebp
10005518 mov dword_1007F32C, esp
1000551E mov esp, dword_1007F390
10005524 mov ebp, esp
10005526 mov esp, dword_1007F32C
1000552C pop ebp
1000552D push 98765432h
10005532 call sub_100065C0 <- puts some flags in mem (8 x FF in 47f360)
10005537 jmp dword_1007F378 <-this jumps to ntqz0.exe
When the net exchange stops, el32.dll creates a process from ntqz0.exe (the CreateProcess referred to below) and InstallShield starts. All we have to do is dump ntqz0.exe and fix its sections.
Let me help a little:
starting point (entry point): 414da4
fix the data section size to 4000
fix the resource section: raw offset = 8000, size = 11b60
Run your dump: it does nothing. Look at this snippet:
00414E69 push eax ; lpStartupInfo
00414E6A call ds:GetStartupInfoA
00414E70 test byte ptr [ebp-30h], 1
00414E74 jz short loc_414E87
00414E76 movzx eax, word ptr [ebp-2Ch]
00414E7A jmp short loc_414E8A
The call to GetStartupInfoA does nothing useful here, because the CreateProcess from el32.dll was never executed: the dump is started directly, so it does not receive the startup info the original launch supplied.
We also have this little problem:
00414E8A push eax
00414E8B push esi
00414E8C push ebx
00414E8D push ebx ; lpModuleName
00414E8E call ds:GetModuleHandleA
00414E94 push eax
00414E95 call sub_45AF08
00414E9A mov [ebp-68h], eax
00414E9D push eax
00414E9E call ds:exit
The ebx pushed as lpModuleName before GetModuleHandleA is 0 when you start the real eval (GetModuleHandleA(NULL) returns the handle of the executable itself); in your dump ebx holds another value, a DLL module address. If we don't fix it, the dump will crash later, trying to access resources through an invalid handle. We have to zero ebx just before the call.
The patch looks like this:
00414E69 push eax
00414E6A xor ebx, ebx
00414E6C jmp short loc_414E87
Check that the patch fits: xor ebx, ebx and jmp short are 2 bytes each, so the 4 bytes sit inside the 6-byte call ds:GetStartupInfoA they replace (414E6A to 414E70 in the listing above), and the two leftover bytes are never executed because the jump lands on loc_414E87, the branch the original code took when the flag at [ebp-30h] was clear. Neither GetStartupInfoA nor the flag test runs, and ebx is zero when GetModuleHandleA is reached.
And everything works fine now, without the NetQuartz link... Sooo easy ;-)
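The two mechanical steps above, fixing the dumped image's header and writing the patch, are done by hand with a hex editor in the essay. As an added example that is not part of Tsehp's essay nor of any NetQuartz or InstallShield code, the following Python script does them generically on a PE32 image held in a bytearray: it rewrites AddressOfEntryPoint from a virtual address, rewrites the raw offset and raw size of named sections, translates a virtual address to a file offset through the repaired section table, and writes a byte patch there. The image it works on is a constructed toy (three sections, base 0x400000, a truncated .data raw size and a zeroed .rsrc raw pointer), not ntqz0.exe, and the 0x401xxx addresses and section values are toy values; only jmp_short() is checked against the essay's real patch (from 414E6C to loc_414E87 the displacement is 0x19). For the real dump you would read the file into a bytearray and call set_entry_point(img, 0x414DA4), fix_section(img, ".data", rawsize=0x4000) and fix_section(img, ".rsrc", rawptr=0x8000, rawsize=0x11B60), assuming the dumped sections carry the standard .data and .rsrc names, which the essay does not state.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def _headers(img):
    """Return (optional_header_off, section_table_off, num_sections, image_base) of a PE32."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]               # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", img, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]      # COFF SizeOfOptionalHeader
    opt = pe + 24
    return opt, opt + opt_size, nsect, struct.unpack_from("<I", img, opt + 28)[0]


def entry_point_va(img):
    opt, _, _, base = _headers(img)
    return base + struct.unpack_from("<I", img, opt + 16)[0]  # AddressOfEntryPoint


def set_entry_point(img, va):
    """Point AddressOfEntryPoint at the real start found while tracing (given as a VA)."""
    opt, _, _, base = _headers(img)
    struct.pack_into("<I", img, opt + 16, va - base)


def sections(img):
    _, soff, n, _ = _headers(img)
    out = []
    for off in range(soff, soff + n * SECTION_HDR.size, SECTION_HDR.size):
        name, vsize, va, rawsize, rawptr = SECTION_HDR.unpack_from(img, off)[:5]
        out.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                    "va": va, "rawsize": rawsize, "rawptr": rawptr, "hdr": off})
    return out


def fix_section(img, name, rawsize=None, rawptr=None):
    """Rewrite SizeOfRawData and/or PointerToRawData of the named section header."""
    s = next((s for s in sections(img) if s["name"] == name), None)
    if s is None:
        raise KeyError(name)
    if rawsize is not None:
        struct.pack_into("<I", img, s["hdr"] + 16, rawsize)
    if rawptr is not None:
        struct.pack_into("<I", img, s["hdr"] + 20, rawptr)


def va_to_offset(img, va):
    """Translate a VA to a file offset through the (repaired) section table."""
    rva = va - _headers(img)[3]
    for s in sections(img):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("VA %#x is not inside any section" % va)


def jmp_short(src_va, dst_va):
    """Encode 'jmp short dst' located at src_va: EB rel8, rel8 counted from the next instruction."""
    rel = dst_va - (src_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of short-jump range")
    return b"\xeb" + struct.pack("<b", rel)


def patch(img, va, data):
    """Write data at the file offset that backs va; return that offset."""
    off = va_to_offset(img, va)
    img[off:off + len(data)] = data
    return off


def build_toy_dump():
    """Constructed sample, not ntqz0.exe: a PE32 as a naive dumper leaves it, with the
    .data raw size truncated and the .rsrc raw pointer and size zeroed."""
    img = bytearray(0x3200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)   # COFF header
    struct.pack_into("<HBB" + "I" * 9, img, 0x98, 0x10B, 6, 0, 0x1800, 0x1600, 0,
                     0x1000, 0x1000, 0x3000, 0x400000, 0x1000, 0x200)         # optional header
    hdrs = [(b".text", 0x1800, 0x1000, 0x1800, 0x400, 0x60000020),
            (b".data", 0x1000, 0x3000, 0x400, 0x1C00, 0xC0000040),   # raw size too small
            (b".rsrc", 0x600, 0x4000, 0, 0, 0x40000040)]             # raw ptr/size zeroed
    for i, (nm, vs, va, rs, rp, ch) in enumerate(hdrs):
        SECTION_HDR.pack_into(img, 0x178 + i * SECTION_HDR.size, nm, vs, va, rs, rp, 0, 0, 0, 0, ch)
    img[0x2BFC:0x2C00] = b"DATA"    # tail of .data on disk, beyond the wrong raw size
    img[0x2C00:0x2C04] = b"RSRC"    # where the resource section really starts on disk
    return img


def fix_toy_dump():
    """The essay's three steps on the toy: entry point, section table, startup patch."""
    img = build_toy_dump()
    set_entry_point(img, 0x401234)                             # toy VA; the essay's is 414da4
    fix_section(img, ".data", rawsize=0x1000)                  # essay: 4000
    fix_section(img, ".rsrc", rawptr=0x2C00, rawsize=0x600)    # essay: 8000 / 11b60
    # xor ebx, ebx ; jmp short +0x19 : the encoding of the essay's patch, written at a toy VA
    off = patch(img, 0x401100, b"\x33\xdb" + jmp_short(0x401102, 0x40111D))
    return img, off


if __name__ == "__main__":
    img, off = fix_toy_dump()
    for s in sections(img):
        print("%-6s va=%#07x raw=%#07x size=%#07x" % (s["name"], s["va"], s["rawptr"], s["rawsize"]))
    print("entry point %#x, patch at file offset %#x" % (entry_point_va(img), off))
```

va_to_offset() deliberately trusts the VirtualAddress and VirtualSize columns the dumper copied from memory and only the on-disk columns are repaired, which is exactly the state of a fresh memory dump: before fix_section() runs, the zeroed .rsrc pointer maps the resource VA onto the MZ header, so any byte patch computed from the unrepaired table lands in the wrong place. Fix the section table first, then translate addresses.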
I won't even bother explaining that you should BUY this target program if you intend to use it for longer than the allowed period. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most warez sites, complete and already regged. Farewell, don't come back.