Reverse Engineering Team Board


sumerboard 09-30-2007 03:31 PM

INX file help
 
I have a .inx file I have decompiled and believe I have found where the security lies, but I am unsure as to what to look for and change to bypass this. Any help or guidance toward cracking inx files would be greatly appreciated.

@00015096:000E label_15096:
@00015098:001E local_number8 = local_string3[0];
@000150A7:0021 function_941(local_string2, "%d", local_number8);
@000150B8:002C StrToNum(local_number4, local_string2);
@000150C2:000F local_number4 = (local_number4 - 65);
@000150D1:0012 global_number65 = (local_number4 & 3);
@000150E0:000E local_number10 = (global_number65 != 0);
@000150EF:0004 if(local_number10) then // ref index: 2
@000150FB:0021 function_744("Invalid serial number/installation code combination.", -65534);
@0001513D:0007 local_number2 = (local_number2 + 1);
@0001514C:000C local_number10 = (local_number2 >= 3);
@0001515B:0004 if(local_number10) then // ref index: 1
@00015167:0006 local_number7 = 1;
@00015173:003A UnUseDll(global_string70);
@0001517A:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@000151F4:0001 endif;
@000151F4:0001 label_151f4:
@000151F6:0005 goto label_1520d;
@000151FF:0001 endif;
@000151FF:0001 label_151ff:
@00015201:0006 local_number7 = 1;
@0001520D:0001 label_1520d:
@0001520F:0005 goto label_14e92;
@00015218:000D endif;
@00015218:000D label_15218:
@0001521A:0029 StrSub(local_string9, global_string67, 1, 2);
@0001522E:002C StrToNum(global_number64, local_string9);
@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@0001534E:0001 label_1534e:
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@00015359:0009 label_15359:
@0001535B:000D local_number10 = (global_number64 = 6);
@0001536A:0004 if(local_number10) then // ref index: 2
@00015376:0021 function_744("Invalid installation code.", -65534);
@0001539E:0007 local_number1 = (local_number1 + 1);
@000153AD:000C local_number10 = (local_number1 >= 3);
@000153BC:0004 if(local_number10) then // ref index: 1
@000153C8:0006 local_number6 = 1;
@000153D4:003A UnUseDll(global_string70);
@000153DB:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@00015455:0001 endif;
@00015455:0001 label_15455:
@00015457:0005 goto label_1547a;
@00015460:0002 endif;
@00015460:0002 label_15460:
@00015462:0006 local_number6 = 1;
@0001546E:0006 global_number40 = 1;
@0001547A:0006 label_1547a:
@0001547C:000D local_number10 = (global_number59 = 1);
@0001548B:0004 if(local_number10) then // ref index: 1
@00015497:001E local_number10 = local_string6[0];
@000154A6:000D local_number10 = (local_number10 = 78);
@000154B5:0004 if(local_number10) then // ref index: 1
@000154C1:001D local_string6[0] = 88;
@000154D2:0001 endif;
@000154D2:0001 endif;
@000154D2:0001 label_154d2:
@000154D4:0005 goto label_14e59;
@000154DD:0004 endif;
@000154DD:0004 label_154dd:
@000154DF:0006 global_string66 = local_string6;
@000154E9:003A UnUseDll(global_string70);
@000154F0:0029 StrSub(local_string9, global_string67, 1, 2);
@00015504:002C StrToNum(global_number64, local_string9);
@0001550E:0002 endif;
@0001550E:0002 label_1550e:
@00015510:0024 return;
@00015514:0026 end; // checksum: 931f36d6

kao 09-30-2007 05:53 PM

I won't give you a complete walkthrough - that won't make you think and learn. But here is a little sample that should get you started:
Code:

@00015238:0020            MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006            local_number10 = LASTRESULT;
@00015254:000D            local_number10 = (local_number10 = 0);
@00015263:0004            if(local_number10) then // ref index: 2
@0001526F:0021              function_744("Invalid installation code.", -65534);
@00015297:0007              local_number1 = (local_number1 + 1);
@000152A6:000C              local_number10 = (local_number1 >= 3);
@000152B5:0004              if(local_number10) then // ref index: 1
@000152C1:0006                  local_number6 = 1;
@000152CD:003A                  UnUseDll(global_string70);
@000152D4:0021                  function_7("You have entered an incorrect serial number/installation code combination.  Please contact technical support", -65533);
@0001534E:0001              endif;
@00015350:0005              goto label_1547a;
@00015359:0009            endif;
@0001535B:000D            local_number10 = (global_number64 = 6);

Line 15238-1524A: We call a function with 4 arguments. The function is named "MovingToMinneapolis15" and is located in ISOLS32.DLL. You can see what arguments are passed and what it does using your favorite debugger. Upon return we get a dword in LASTRESULT, and we store that in local_number10.
Line 15254: figure it out yourself. If you know C, this is a no-brainer.
Line 15263: if (badboy) {
Line 1526F-15350: make_badboy_suffer
Line 15359: }
Line 1535B: goodboy code continues...

Other checks are similar but don't use external DLL.

How to bypass these checks? Depends on what you want to achieve..
a) one time installation?
Patch DLL to always return 'good boy' value. Input values that satisfy remaining checks. Or you can try extracting all files from setup package and "install" them manually.
b) patch this setup package?
sid has a "patch changes" menu item (never tried using it, though..). If it works, I'd patch line 15254 and maybe a few more..
c) make keygen?
Analyze code, try to produce values that satisfy checks in this script and in that DLL.

Cheers,
kao.

foffa 10-02-2007 05:23 PM

@000152D4:0021 function_7("You have entered an incorrect serial number/installation code


You have to jump this one, I think.
I am a newbie in this, sorry.

ektwr 04-17-2015 04:03 AM

How can we find the references from inx calls in the DLL?

Hi all,
Looking through this thread, I found a lot in common with my problem. How can we find which calls in the DLL the inx referenced numbers refer to?
A small example would be appreciated.
I mean, what must I do in OllyDbg to break into the DLL serial functions? Do these numbers refer to memory addresses in the DLL or what?

Thanks in advance

BfoX 04-17-2015 12:48 PM

Use orca to see inside .msi

ektwr 04-18-2015 07:04 AM

Orca is good for msi files, I need another approach

Dear friend, I am looking for more. As I said, I need to know the connection between the pseudocode calls from the inx file and the real calls from the DLL files. Here is an example:

code from inx file:
Code:

NAME = \"Description\"\r\n                                        //-001-/ 0002FF65,
        NAME = \"Installation\"\r\n                                        //-001-/ 0002FC69,
        NAME = \"Locale\"\r\n                                              //-001-/ 0002FA06,
        NAME = \"Manufacturer\"\r\n                                        //-001-/ 0002F674,
        NAME = \"Product\"\r\n                                            //-001-/ 0002F7A8,
        NAME = \"Serial Number\"\r\n                                      //-001-/ 0002FB34,

................................
// : Jump Referenced(1):
// :  0000D1FB,
label_00AF:
/* 0000D21E: 000D */        n0015 = n000C == 0xFFFFFFFE;
/* 0000D22D: 0004 */        if(! n0015) goto label_00B2;                        // normal if
/* 0000D239: 000D */        n0015 = g_number000F == 0x00000002;
/* 0000D248: 0004 */        if(! n0015) goto label_00B0;                        // normal if
/* 0000D254: 0021 */        ret_g_str008C_031D();
/* 0000D25A: 0006 */        s001C = LAST_RESULT;
/* 0000D264: 0014 */        s001C = s001C ^ g_str0063;
/* 0000D271: 0021 */        function_0229("INVALID_HACKED_SERIAL_NUMBER");
/* 0000D296: 0006 */        s001D = LAST_RESULT;
/* 0000D2A0: 0021 */        function_0268(s001C, g_str0062, "Status", s001D);
/* 0000D2B8: 0005 */        goto label_00B1;

My question is: How can I find those calls in the DLL files?
What is the reference, for example 0000D254?
I think that all these calls happen in the ISRT.DLL file. I've put some BPs in Olly and broke on some API calls, but I can't find the connection among them.
Here is the complete setup file for reference.
HTML Code:

http://ul.to/nu6pym89
TIA

BfoX 04-18-2015 10:19 AM

your requested dll files here

ektwr 04-18-2015 02:29 PM

Quote:

Originally Posted by BfoX (Post 38442)
your requested dll files here

Thank you for your effort, but can you be more specific about how to use them? As I noticed, when the setup file is opened, it extracts two randomly named directories into the /userAppdata/temp path with all the DLLs included, also those you mention. How can I use them to find the serial number request and bypass it?
PM me also (if you like) to give me more details.
TIA

BfoX 04-19-2015 01:13 AM

Don't be lazy,

RLSetupValidate.dll has export RLSetupValidate,
PhysicPass.dll has export PASSGetID,
RLProtection.dll has exports RLGenKeyCode and RLValidate,
RLGenUUID.dll has exports RLGenUUID_GetUUID and RLGenUUID_EncodeTool,
ProductPassLite.dll has export PASSCheckCode.

///////////////////////////////////////////////////////////////////////////////////
///[ sexy installshield decompiler for is6/is7 ]////////
///[ (c) sn00pee 2002 ]////////
///////////////////////////////////////////////////////////////////////////////////
///[ starting decompilation ]////////
///////////////////////////////////////////////////////////////////////////////////

......
///////////////////////////////////////////////////////////////////////////////////
// prototypes (total: 880)

// dll-imports (total: 291)
.....
prototype INT ProductPassLite.PASSCheckCode(BYREF STRING, BYREF STRING, POINTER);
prototype NUMBER RLProtection.RLGenKeyCode(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLProtection.RLValidate(BYREF STRING, BYREF STRING, BYREF STRING);
prototype void PhysicPass.PASSGetID(BYREF STRING, NUMBER);
.....
prototype void RLSetupValidate.RLParameterEncode(BYREF STRING, BYREF STRING);
prototype INT RLSetupValidate.GetURLResponse(BYREF STRING, BYREF STRING, INT, INT, BOOL);
prototype void RLSetupValidate.RLSetProxyInfo(BYREF STRING, BYREF STRING);
prototype INT RLGenUUID.RLGenUUID_EncodeTool(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetUUID(BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetIPAddress(BYREF STRING);
......

ektwr 04-19-2015 05:28 AM

It seems that we have different results because I have the nekosuki decompiler. I will try with the sexy installshield decomp and I will post my results later.
EDIT: I've tried to decompile it with SID ver 1.0 on 3 machines with win8, win7 and xp pro OS but it crashes during the process.
Can you send me the decompiler you used and if possible the decompiled inx.txt file too?
TIA

