#1
09-30-2007, 03:31 PM
sumerboard (Junior Member)
Join Date: Sep 2007
Posts: 2
INX file help

I have a .inx file I have decompiled and believe I have found where the security lies, but I am unsure as to what to look for and change to bypass this. Any help or guidance toward cracking inx files would be greatly appreciated.

@00015096:000E label_15096:
@00015098:001E local_number8 = local_string3[0];
@000150A7:0021 function_941(local_string2, "%d", local_number8);
@000150B8:002C StrToNum(local_number4, local_string2);
@000150C2:000F local_number4 = (local_number4 - 65);
@000150D1:0012 global_number65 = (local_number4 & 3);
@000150E0:000E local_number10 = (global_number65 != 0);
@000150EF:0004 if(local_number10) then // ref index: 2
@000150FB:0021 function_744("Invalid serial number/installation code combination.", -65534);
@0001513D:0007 local_number2 = (local_number2 + 1);
@0001514C:000C local_number10 = (local_number2 >= 3);
@0001515B:0004 if(local_number10) then // ref index: 1
@00015167:0006 local_number7 = 1;
@00015173:003A UnUseDll(global_string70);
@0001517A:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@000151F4:0001 endif;
@000151F4:0001 label_151f4:
@000151F6:0005 goto label_1520d;
@000151FF:0001 endif;
@000151FF:0001 label_151ff:
@00015201:0006 local_number7 = 1;
@0001520D:0001 label_1520d:
@0001520F:0005 goto label_14e92;
@00015218:000D endif;
@00015218:000D label_15218:
@0001521A:0029 StrSub(local_string9, global_string67, 1, 2);
@0001522E:002C StrToNum(global_number64, local_string9);
@00015238:0020 MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006 local_number10 = LASTRESULT;
@00015254:000D local_number10 = (local_number10 = 0);
@00015263:0004 if(local_number10) then // ref index: 2
@0001526F:0021 function_744("Invalid installation code.", -65534);
@00015297:0007 local_number1 = (local_number1 + 1);
@000152A6:000C local_number10 = (local_number1 >= 3);
@000152B5:0004 if(local_number10) then // ref index: 1
@000152C1:0006 local_number6 = 1;
@000152CD:003A UnUseDll(global_string70);
@000152D4:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@0001534E:0001 endif;
@0001534E:0001 label_1534e:
@00015350:0005 goto label_1547a;
@00015359:0009 endif;
@00015359:0009 label_15359:
@0001535B:000D local_number10 = (global_number64 = 6);
@0001536A:0004 if(local_number10) then // ref index: 2
@00015376:0021 function_744("Invalid installation code.", -65534);
@0001539E:0007 local_number1 = (local_number1 + 1);
@000153AD:000C local_number10 = (local_number1 >= 3);
@000153BC:0004 if(local_number10) then // ref index: 1
@000153C8:0006 local_number6 = 1;
@000153D4:003A UnUseDll(global_string70);
@000153DB:0021 function_7("You have entered an incorrect serial number/installation code combination. Please contact technical support", -65533);
@00015455:0001 endif;
@00015455:0001 label_15455:
@00015457:0005 goto label_1547a;
@00015460:0002 endif;
@00015460:0002 label_15460:
@00015462:0006 local_number6 = 1;
@0001546E:0006 global_number40 = 1;
@0001547A:0006 label_1547a:
@0001547C:000D local_number10 = (global_number59 = 1);
@0001548B:0004 if(local_number10) then // ref index: 1
@00015497:001E local_number10 = local_string6[0];
@000154A6:000D local_number10 = (local_number10 = 78);
@000154B5:0004 if(local_number10) then // ref index: 1
@000154C1:001D local_string6[0] = 88;
@000154D2:0001 endif;
@000154D2:0001 endif;
@000154D2:0001 label_154d2:
@000154D4:0005 goto label_14e59;
@000154DD:0004 endif;
@000154DD:0004 label_154dd:
@000154DF:0006 global_string66 = local_string6;
@000154E9:003A UnUseDll(global_string70);
@000154F0:0029 StrSub(local_string9, global_string67, 1, 2);
@00015504:002C StrToNum(global_number64, local_string9);
@0001550E:0002 endif;
@0001550E:0002 label_1550e:
@00015510:0024 return;
@00015514:0026 end; // checksum: 931f36d6
#2
09-30-2007, 05:53 PM
kao (Senior Member)
Join Date: Sep 2007
Posts: 184

I won't give you a complete walkthrough - that won't make you think and learn. But here is a little sample that should get you started:
Code:
@00015238:0020            MovingToMinneapolis15(local_string6, global_string67, global_number69, global_number70); // dll: ISOLS32.dll
@0001524A:0006            local_number10 = LASTRESULT;
@00015254:000D            local_number10 = (local_number10 = 0);
@00015263:0004            if(local_number10) then // ref index: 2
@0001526F:0021               function_744("Invalid installation code.", -65534);
@00015297:0007               local_number1 = (local_number1 + 1);
@000152A6:000C               local_number10 = (local_number1 >= 3);
@000152B5:0004               if(local_number10) then // ref index: 1
@000152C1:0006                  local_number6 = 1;
@000152CD:003A                  UnUseDll(global_string70);
@000152D4:0021                  function_7("You have entered an incorrect serial number/installation code combination.  Please contact technical support", -65533);
@0001534E:0001               endif;
@00015350:0005               goto label_1547a;
@00015359:0009            endif;
@0001535B:000D            local_number10 = (global_number64 = 6);
Line 15238-1524A: We call a function with 4 arguments. The function is named "MovingToMinneapolis15" and is located in ISOLS32.DLL. You can see what arguments are passed and what it does using your favorite debugger. Upon return we get a dword in LASTRESULT, and we store that in local_number10.
Line 15254: figure it out yourself. If you know C, this is a no-brainer.
Line 15263: if (badboy) {
Line 1526F-15350: make_badboy_suffer
Line 15359: }
Line 1535B: goodboy code continues...

Other checks are similar but don't use external DLL.

How to bypass these checks? Depends on what you want to achieve..
a) one time installation?
Patch DLL to always return 'good boy' value. Input values that satisfy remaining checks. Or you can try extracting all files from setup package and "install" them manually.
b) patch this setup package?
sid has a "patch changes" menu item (never tried using it, though..). If it works, I'd patch line 15254 and maybe a few more..
c) make keygen?
Analyze code, try to produce values that satisfy checks in this script and in that DLL.

Cheers,
kao.
#3
10-02-2007, 05:23 PM
foffa (Senior Member)
Join Date: Jul 2007
Location: %TEMP%
Posts: 344

@000152D4:0021 function_7("You have entered an incorrect serial number/installation code


You have to jump this one, I think.
I am a newbie in this, sorry.
#4
04-17-2015, 04:03 AM
ektwr (Member)
Join Date: Jan 2011
Location: hellas
Posts: 11
How can we find the references from inx calls in DLL?

Hi all,
Looking through this thread, I found a lot in common with my problem. How can we find which calls in the DLL refer to the inx referenced numbers?
A small example would be appreciated.
I mean, what must I do in OllyDbg to break into the DLL serial functions? Do these numbers refer to memory addresses in the DLL or what?

Thanks in advance
#5
04-17-2015, 12:48 PM
BfoX (Senior Member)
Join Date: Aug 2007
Posts: 2,251

Use orca to see inside .msi
__________________
... Either you work well or you work much ....
#6
04-18-2015, 07:04 AM
ektwr (Member)
Join Date: Jan 2011
Location: hellas
Posts: 11
Orca is good for msi files, I need another approach

Dear friend, I am looking for more. As I said, I need to know the connection between the pseudocode calls from the inx file and the real calls from the DLL files. Here is an example:

code from inx file:
Code:
NAME = \"Description\"\r\n                                         //-001-/ 0002FF65,
        NAME = \"Installation\"\r\n                                        //-001-/ 0002FC69,
        NAME = \"Locale\"\r\n                                              //-001-/ 0002FA06,
        NAME = \"Manufacturer\"\r\n                                        //-001-/ 0002F674,
        NAME = \"Product\"\r\n                                             //-001-/ 0002F7A8,
        NAME = \"Serial Number\"\r\n                                       //-001-/ 0002FB34,

................................
// : Jump Referenced(1):
// :  0000D1FB, 
label_00AF:
/* 0000D21E: 000D */	n0015 = n000C == 0xFFFFFFFE;
/* 0000D22D: 0004 */	if(! n0015) goto label_00B2;                        // normal if
/* 0000D239: 000D */	n0015 = g_number000F == 0x00000002;
/* 0000D248: 0004 */	if(! n0015) goto label_00B0;                        // normal if
/* 0000D254: 0021 */	ret_g_str008C_031D();
/* 0000D25A: 0006 */	s001C = LAST_RESULT;
/* 0000D264: 0014 */	s001C = s001C ^ g_str0063;
/* 0000D271: 0021 */	function_0229("INVALID_HACKED_SERIAL_NUMBER");
/* 0000D296: 0006 */	s001D = LAST_RESULT;
/* 0000D2A0: 0021 */	function_0268(s001C, g_str0062, "Status", s001D);
/* 0000D2B8: 0005 */	goto label_00B1;
My question is: how can I find those calls in the DLL files?
What is the reference, for example, 0000D254?
I think that all these calls happen in the ISRT.DLL file. I've put some BPs in Olly and broke on some API calls, but I can't find the connection among them.
Here is the total setup file for reference.
HTML Code:
http://ul.to/nu6pym89
TIA
#7
04-18-2015, 10:19 AM
BfoX (Senior Member)
Join Date: Aug 2007
Posts: 2,251

your requested dll files here
#8
04-18-2015, 02:29 PM
ektwr (Member)
Join Date: Jan 2011
Location: hellas
Posts: 11

Quote:
Originally Posted by BfoX
your requested dll files here
Thank you for your effort, but can you be more specific about how to use them? As I noticed, when the setup file is opened, it extracts two randomly named directories into the /userAppdata/temp path with all the DLLs included, also those you mention. How can I use them to find the serial number request and bypass it?
PM me also (if you like) to give me more details.
TIA
#9
04-19-2015, 01:13 AM
BfoX (Senior Member)
Join Date: Aug 2007
Posts: 2,251

Don't be lazy,

RLSetupValidate.dll has export RLSetupValidate,
PhysicPass.dll has export PASSGetID,
RLProtection.dll has exports RLGenKeyCode and RLValidate,
RLGenUUID.dll has exports RLGenUUID_GetUUID and RLGenUUID_EncodeTool,
ProductPassLite.dll has export PASSCheckCode.

///////////////////////////////////////////////////////////////////////////////////
///[ sexy installshield decompiler for is6/is7 ]////////
///[ (c) sn00pee 2002 ]////////
///////////////////////////////////////////////////////////////////////////////////
///[ starting decompilation ]////////
///////////////////////////////////////////////////////////////////////////////////

......
///////////////////////////////////////////////////////////////////////////////////
// prototypes (total: 880)

// dll-imports (total: 291)
.....
prototype INT ProductPassLite.PASSCheckCode(BYREF STRING, BYREF STRING, POINTER);
prototype NUMBER RLProtection.RLGenKeyCode(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLProtection.RLValidate(BYREF STRING, BYREF STRING, BYREF STRING);
prototype void PhysicPass.PASSGetID(BYREF STRING, NUMBER);
.....
prototype void RLSetupValidate.RLParameterEncode(BYREF STRING, BYREF STRING);
prototype INT RLSetupValidate.GetURLResponse(BYREF STRING, BYREF STRING, INT, INT, BOOL);
prototype void RLSetupValidate.RLSetProxyInfo(BYREF STRING, BYREF STRING);
prototype INT RLGenUUID.RLGenUUID_EncodeTool(BYREF STRING, BYREF STRING, BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetUUID(BYREF STRING);
prototype NUMBER RLGenUUID.RLGenUUID_GetIPAddress(BYREF STRING);
......

Last edited by BfoX : 04-19-2015 at 01:56 AM.
#10
04-19-2015, 05:28 AM
ektwr (Member)
Join Date: Jan 2011
Location: hellas
Posts: 11

It seems that we have different results because I have the nekosuki decompiler. I will try with the sexy installshield decomp and I will post my results later.
EDIT: I've tried to decompile it with SID ver 1.0 on 3 machines with win8, win7 and xp pro OS, but it crashes during the process.
Can you send me the decompiler you used and, if possible, the decompiled inx.txt file too?
TIA

Last edited by ektwr : 04-19-2015 at 07:24 AM.