Installshield pro 6.2 Eval
Pace's interlok defeated, commercial stupidity again...
student
Not Assigned
Oct 2000
by Tsehp
Courtesy of Fravia's page of reverse engineering
slightly edited
by tsehp+
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Installshield pro 6.2 Eval
Pace's interlok defeated, commercial stupidity again...

Written by Tsehp


Introduction
Commercial software protections are getting worse this time, today we'll talk about interlok's very complicated 
anti softice routines and how easy it is to remove them. Here's what you find on the net concerning their work : ****
Subject: REQ: Installshield 6.2 Date: 07/15/2000 Author: veal chops << previous · next in search >> Application : Installshield Professional 2000 - Installshield 6.2 Website URL : http://www.installshield.com/ispro/ Description : InstallShield Professional 6.2 allows developers to create Windows setups and distribute them over the Web with a new standard for Internet installations. Allow users to experience a seamless download and installation with One-Click Install functionality - all with the familiar, industry-standard InstallShield look and feel. OS Info : Win98/NT Language : English Protection : To install they send you a password to complete/start the process. After installation, you have 15 days to register before the program expires. I attempted to use other Installshield (5.5+) serials with no success. Comments : I tried to unscramble this one as well and quickly found myself over my head. They did a damm good job covering their tracks on this installation package as I could not even get a hint as to the serial validation process. Thanks a bunch for your help. If I can help you, or you have a crack please send me a note-gsr@wolfenet.com Password: 14TheVine **** Sure, let's take the door they open in front of us, trying to find the test to reg it, or to build a keygen while spying
the registration routine and you'll get lost and spend a lot of time, with poor results. There's an much easier way to crack it: just remove the tpkd ! Advanced and moderate Fravias should stop here, the interlok internals are not covered here ;-)
Tools required
Softice 4.05
Procdump
Hexeditor

Target's URL/FTP

www.installshield.com


Essay
First, read the macillaci's excellent essay concerning tpkd.vxd (win 9x) or tpkd.sys (win2000 or nt4), you'll learn about 
cracking the interlok protection , but just for a small part. If you attempt to use sice on the program, it will randomly reboot; just because the driver detects its presence in memory
and mess with the pentium's debug registers. I have to admit that I tried to unprotect tpkd.sys on my win2000 system, and found a lot of interesting stuff but they will
not be covered here, the main purpose is to have a working app, and fast. Installshield pro 6.2 is a 15 day eval, if you go past the date, you can reset the trial easily. Using filemon and regmon, I found that ide.exe looks at the following files (on win 2000) : \\redir.sys \\winnt\page files\maxmem.sys (don't remember the name)
\\winnt\interlok\ and reg entries : hklm\software\pace hklm\software\installshield (never touch this one) hklm\software\microsoft\windows\currentversion\explorer\userassist You just have to delete everything (not the installshield reg), and if you're still under 15 days past the install date,
installshield 6.2 pro starts again to count the days. How to remove this protection : On winnt, it's easy, you just have to start ide.exe (without ntice loaded), wait for the nag to appear and then start ntice. NEVER do a bpmb on this, the tpkd.sys running in mem will detect that you put this debug register on ide.exe address context and reboot your pc. Just do a simple getstartupinfoA, a very well known bpx that is used to freeze apps while they start. wait for the second bpx to occur and then remove this bpx. We just have to put a bpmb on the app's entry point, located at 4bb56c (win2000). I found this address, tracing the program with another debugger, not known by the tpkd.sys ... The tracing was easy, after the second bpx, the program land back on c2xxxx addresses, those addresses are created at runtime in mem and are used to decrypt and decompress installshield, just before starting it. And just like every packer, it MUST reconstruct partially or globally the app in mem to be able to execute it, and we just have to steal this app away when it finishes its work. This is a global method, but successful on asprotect, all vboxed apps , even the net based protection of installshield express 3.0 is defeated by this technique, so... Do a bpmb 1b:4bb56c x return to the app, it could reboot if you forget to do that from the second trigger of the first bpx I told. It freezes at 4bb56c, enter this to freeze the app while you go out of softice : a eip jmp eip remember that the bytes at 4bb56c were 55 8b , you'll have to put them back later. the app is freezed, just at its entry point, launch procdump , remove the procdump option (optimize pe size), make a full dump inside the \\program files\installshield\programs , be patient, this takes some times as your processor is caught on an infinite loop inside ide.exe and that takes a lot of resources. get your hexeditor, open your dumped ide.exe and go to file offset bb56c, the raw offset of the entry point. change the two bytes back to 55 8b and save it. Launch your dumped app, it's working, now you can remove this stupid tpkd.sys (or vxd) from your system and delete all the protection regs and files we saw above. Interlok's protection : days to create it, minutes to remove it... later, tsehp
Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?