#1
I have a .inx file I have decompiled and believe I have found where the security lies, but I am unsure as to what to look for and change to bypass this. Any help or guidance toward cracking inx files would be greatly appreciated.

```
@00015096:000E label_15096:
@00015098:001E local_number8 = local_string3[0];
@000150A7:0021 function_941(local_string2, "%d", local_number8);
@000150B8:002C StrToNum(local_number4, local_string2);
@000150C2:000F local_number4 = (local_number4 - 65);
@000150D1:0012 global_number65 = (local_number4 & 3);
@000150E0:000E local_number10 = (global_number65 != 0);
@000150EF:0004 if(local_number10) then // ref index: 2
@000150FB:0021 function_744("Invalid serial number/installation code combination.", -65534);
@0001513D:0007 local_number2 = (local_number2 + 1);
@0001514C:000C local_number10 = (local_number2 >= 3);
@0001515B:0004 if(local_number10) then // ref index: 1
@00015167:0006 local_number7 = 1;
@00015173:003A UnUseDll(global_string70);
@0001517A:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@000151F4:0001 endif;
@000151F4:0001 label_151f4:
@000151F6:0005 goto label_1520d;
@000151FF:0001 endif;
@000151FF:0001 label_151ff:
@00015201:0006 local_number7 = 1;
@0001520D:0001 label_1520d:
@0001520F:0005 goto label_14e92;
@00015218:000D endif;
@00015218:000D label_15218:
@0001521A:0029 StrSub(local_string9, global_string67, 1, 2);
@0001522E:002C StrToNum(global_number64, local_string9);
@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@0001534E:0001 label_1534e:
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@00015359:0009 label_15359:
@0001535B:000D local_number10 = (global_number64 = 6);
@0001536A:0004 if(local_number10) then // ref index: 2
@00015376:0021 function_744("Invalid installation code.", -65534);
@0001539E:0007 local_number1 = (local_number1 + 1);
@000153AD:000C local_number10 = (local_number1 >= 3);
@000153BC:0004 if(local_number10) then // ref index: 1
@000153C8:0006 local_number6 = 1;
@000153D4:003A UnUseDll(global_string70);
@000153DB:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@00015455:0001 endif;
@00015455:0001 label_15455:
@00015457:0005 goto label_1547a;
@00015460:0002 endif;
@00015460:0002 label_15460:
@00015462:0006 local_number6 = 1;
@0001546E:0006 global_number40 = 1;
@0001547A:0006 label_1547a:
@0001547C:000D local_number10 = (global_number59 = 1);
@0001548B:0004 if(local_number10) then // ref index: 1
@00015497:001E local_number10 = local_string6[0];
@000154A6:000D local_number10 = (local_number10 = 78);
@000154B5:0004 if(local_number10) then // ref index: 1
@000154C1:001D local_string6[0] = 88;
@000154D2:0001 endif;
@000154D2:0001 endif;
@000154D2:0001 label_154d2:
@000154D4:0005 goto label_14e59;
@000154DD:0004 endif;
@000154DD:0004 label_154dd:
@000154DF:0006 global_string66 = local_string6;
@000154E9:003A UnUseDll(global_string70);
@000154F0:0029 StrSub(local_string9, global_string67, 1, 2);
@00015504:002C StrToNum(global_number64, local_string9);
@0001550E:0002 endif;
@0001550E:0002 label_1550e:
@00015510:0024 return;
@00015514:0026 end; // checksum: 931f36d6
```
#2
I won't give you a complete walkthrough - that won't make you think and learn. But here is a little sample that should get you started:

Code:

```
@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@0001535B:000D local_number10 = (global_number64 = 6);
```

- Line 15254: figure it out yourself. If you know C, this is a no-brainer.
- Line 15263: if (badboy) {
- Line 1526F-15350: make_badboy_suffer
- Line 15359: }
- Line 1535B: goodboy code continues...

Other checks are similar but don't use an external DLL.

How to bypass these checks? Depends on what you want to achieve..

a) One-time installation? Patch the DLL to always return the 'good boy' value. Input values that satisfy the remaining checks. Or you can try extracting all files from the setup package and "install" them manually.

b) Patch this setup package? sid has a "patch changes" menu item (never tried using it, though..). If it works, I'd patch line 15254 and maybe a few more..

c) Make a keygen? Analyze the code, try to produce values that satisfy the checks in this script and in that DLL.

Cheers,
kao.
#3
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code

You have to jump this one, I think. I am a newbie in this, sorry.
#4
Hi all,

Looking forward to this thread, I found a lot in common with my problem. How can we find which calls in the DLL are referred to by the inx referenced numbers? A small example would be appreciated. I mean, what must I do in OllyDbg to break into the DLL serial functions? Do these numbers refer to memory addresses in the DLL or what? Thanks in advance.
#5
Use Orca to see inside the .msi
__________________
... Either you work well or you work much ....
#6
Dear friend, I am looking for more. As I said, I need to know the connection between the pseudocode calls from the inx file and the real calls from the DLL files. Here is an example:

Code from the inx file:

Code:

```
NAME = \"Description\"\r\n //-001-/ 0002FF65,
NAME = \"Installation\"\r\n //-001-/ 0002FC69,
NAME = \"Locale\"\r\n //-001-/ 0002FA06,
NAME = \"Manufacturer\"\r\n //-001-/ 0002F674,
NAME = \"Product\"\r\n //-001-/ 0002F7A8,
NAME = \"Serial Number\"\r\n //-001-/ 0002FB34,
................................
// : Jump Referenced(1):
// : 0000D1FB,
label_00AF:
/* 0000D21E: 000D */ n0015 = n000C == 0xFFFFFFFE;
/* 0000D22D: 0004 */ if(! n0015) goto label_00B2; // normal if
/* 0000D239: 000D */ n0015 = g_number000F == 0x00000002;
/* 0000D248: 0004 */ if(! n0015) goto label_00B0; // normal if
/* 0000D254: 0021 */ ret_g_str008C_031D();
/* 0000D25A: 0006 */ s001C = LAST_RESULT;
/* 0000D264: 0014 */ s001C = s001C ^ g_str0063;
/* 0000D271: 0021 */ function_0229("INVALID_HACKED_SERIAL_NUMBER");
/* 0000D296: 0006 */ s001D = LAST_RESULT;
/* 0000D2A0: 0021 */ function_0268(s001C, g_str0062, "Status", s001D);
/* 0000D2B8: 0005 */ goto label_00B1;
```

What is the reference, for example, 0000D254? I think that all these calls happen in the ISRT.DLL file. I've put some BPs in Olly and broke on some API calls, but I can't find the connection among them. Here is the full setup file for reference.

http://ul.to/nu6pym89
#8
Quote:

PM me also (if you like) to give me more details. TIA
#9
Don't be lazy,

RLSetupValidate.dll has export RLSetupValidate, PhysicPass.dll has export PASSGetID, RLProtection.dll has exports RLGenKeyCode and RLValidate, RLGenUUID.dll has exports RLGenUUID_GetUUID and RLGenUUID_EncodeTool, ProductPassLite.dll has export PASSCheckCode.

```
///////////////////////////////////////////////////////////////////////////////////
///[ sexy installshield decompiler for is6/is7 ]////////
///[ (c) sn00pee 2002 ]////////
///////////////////////////////////////////////////////////////////////////////////
///[ starting decompilation ]////////
///////////////////////////////////////////////////////////////////////////////////
......
///////////////////////////////////////////////////////////////////////////////////
// prototypes (total: 880)
// dll-imports (total: 291)
.....
prototype INT ProductPassLite.PASSCheckCode(BYREF STRING, BYREF STRING, POINTER);
prototype NUMBER RLProtection.RLGenKeyCode(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLProtection.RLValidate(BYREF STRING, BYREF STRING, BYREF STRING);
prototype void PhysicPass.PASSGetID(BYREF STRING, NUMBER);
.....
prototype void RLSetupValidate.RLParameterEncode(BYREF STRING, BYREF STRING);
prototype INT RLSetupValidate.GetURLResponse(BYREF STRING, BYREF STRING, INT, INT, BOOL);
prototype void RLSetupValidate.RLSetProxyInfo(BYREF STRING, BYREF STRING);
prototype INT RLGenUUID.RLGenUUID_EncodeTool(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetUUID(BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetIPAddress(BYREF STRING);
......
```

Last edited by BfoX : 04-19-2015 at 01:56 AM.
#10
It seems that we have different results because I have the nekosuki decompiler. I will try with the sexy installshield decomp and I will post my results later.

EDIT: I've tried to decompile it with SID ver 1.0 on 3 machines with Win8, Win7 and XP Pro OS, but it crashes during the process. Can you send me the decompiler you used and, if possible, the decompiled inx.txt file too? TIA

Last edited by ektwr : 04-19-2015 at 07:24 AM.