snatch_22.htm: Cracking Installshield serials EASY or TOUGH protection
snippets
Back to the Snippets
Cracking Installshield serials EASY or TOUGH protection
by Snatch
10 February 1998

Cracking Installshield serials: EASY or TOUGH protection I know that Reverser asked for no more banal essays, but I must write this because we crackers have overlooked something with Installshield many many times. Tools: Any version of Soft Ice that supports BPX and Windows Any Installshield serial number protected program If you go back to my first essay on cracking Numega Smartcheck, you will notice that I say something among the lines of "I tried to crack the serial protection but failed, but dont worry we will still be able to crack this program." Apparently though, the serial number is used throughout the program as well as the unlock code I describe. But what mainly made me go back to this was NatzGul's essay when he said he could not crack the serial. I was begining to write my own Installshield Script decompiler, starting to look through the INSHELP setup file for the compare code for the tokens. The thing about Smartcheck is that you can get a trial if you leave the field blank, but we want to register not get a trial! This is why Natzgul found it acceptable to only crack the script. I could not find the code I was looking for and so I started looking at the imported dll functions. There I saw a lot of strange calls among a StrCmpiA. I had checked StrCmp[][A][W] a lot but never StrCmpi[][A][W]. Maybe I found something here after all. So load up your debugger and get to the serial nag screen of your installation program. Set a bpx strcmpia. Now click the next button. By the way, I looked up StrCmpi but could not find it, but it seems like a normal string comparison function. The debugger should pop up in the routine. If you press F12, to leave, and then look above the call, you will see the two addresses pushed. Dump whats there. It seems to be comparing 'BUTTON' to 'BUTTON'. Well this is weird maybe this is not what we want after all. Try again and it compares 'EDIT' to 'BUTTON'. Try again and it compares 'BUTTON' to 'BUTTON' again. This seems to be some sort of dialog ID being copied. Maybe we should give up? Dont. Now repeat the process one more time maybe more depending on what the OS is up to but you should see a '-' compared with a '-' and one of the '-'s should have part of your serial number, the one you typed following. Hmmmm. Seems like we have found some sort of general data area on the stack. We must be getting somewhere now. Try one more time now and guess what? You see two numbers being compared. The strange one couldn't happen to be your serial number without dashes could it? It is though. Who would have thought this protection would have been so easy. It is so easy, it constitutes a tough protection because we would never even think it to be this easy to try it! Note you might have trouble if you dont put the dashes in in the right place or fake the serial with one with the wrong length, but when you bypass the serial by leaving it blank, the splash screen thankfully say serial number: xxxx-xxxxxx-xx. Numega use your brains. Sorry this essay does not solve how the key maker works, but why clutter your mind with that when you can generate them so easily by just setting a breakpoint. Snatch '98
snippets
Back to the Snippets