(by +RoXrOb, slightly edited by fravia+)
June 1999
It's fantastic how it is possible to reverse a program's code even when no information is available, but only some feeling, some dreaming and then the ability to find the solution (Zen, probably).
When I tried to crack this program I knew nothing about InstallSHIELD, nor did I know much about how to crack an installation process. Then, thanks to Fravia's page (and to the whole +HCU), I started to find good information, which is the base that lets you solve the problems time after time.
LEVEL: I think that beginners too can understand this tutorial, because it is not necessary to attempt hard techniques that go into the operating system, nor to use tools like SoftICE which enter into the heart of the code. I explain every procedure by which I arrived at the solution of this crack:
TOOLS : 1) I5Comp -----> compression utility for InstallSHIELD ver. 5
        2) IsDcc v. 1.22 -----> InstallSHIELD decompiler, supports InstallShield up to ver. 5.5
        3) UltraEdit 32 v. 5.21 -----> hex editor (or any other one).
TARGET : MATHCAD 8, a program for mathematical projects, function studies etc.
I don't know where to find it. However, I think this tutorial is not important for cracking Mathcad 8 only; it could be useful to understand a cracking approach for other programs with similar protection, therefore also those who don't have Mathcad 8 (which could be very hard to download from the web, as it's approximately 128 MB including docs) can use this procedure for similar ones.
INFO
During the installation it asks for the serial number, and then it's possible to install only in the U.S.A. and Canada.
Therefore there are 2 protections: 1) SERIAL
                                   2) COUNTRY CODE VERIFICATION.
When I started to crack the MathCad 8 installation I immediately tried to use SoftICE, however after a short time I got weary of checking code lines and breakpoints on the nag screen looking for the right flag.
I began to inquire about InstallSHIELD and discovered some useful information. Naturally there are two fundamental files: SETUP.EXE, the executable which loads the process, but the most important is SETUP.INS, the script that manages all the installation parameters of InstallSHIELD.
LET'S START
When SETUP.EXE is launched, it creates a directory "_istmp0.dir" in the system temp directory (e.g. C:\Windows\temp), where all the files required by the setup for the installation are decompressed.
NOTE: I used the tool I5COMP only to verify in which compressed file (InstallSHIELD's own compression system) the files decompressed into this directory reside. This is the structure:
_DATA.CAB  = file containing all the files that will be installed into the system for MathCad 8 to work.
_USER1.CAB = part of the files that will be copied into the temporary directory for the installation.
_SYS1.CAB  = other files copied into the temporary directory.
1ST PART : Tricking the COUNTRY CODE
At the beginning of this crack I had a valid serial for Mathcad 8, but unfortunately when I entered it I saw the nag screen with this message: "This product version is only for sale in the U.S. and Canada. Setup will exit now." (COUNTRY CODE).
The message is not readable in any installation file (searched with Windows' find), an obvious sign that it was included in one of the compressed files _USER1.CAB or _SYS1.CAB. To verify it there are two methods:
1) Launch the installation and, when it asks for information, open the temporary directory "_istmp0.dir" mentioned before and run the Windows "find in files" over all the files (*.*) for the string shown in the nag screen: "This product version is only.....".
2) Decompress the _USER1.CAB and _SYS1.CAB files with I5COMP into a directory, then, as before, search for the nag screen string.
Both methods reveal a file containing all the messages of the MessageBoxes shown during the installation; the file is VALUE.SHL:
-[Date]
-STATUS_HBK=Copying Practical Statistics Electronic Book files...
-STATUS_IMPROC=Copying Image Processing patch files...
-MSG_DELETING_OLD=Cleaning up old Mathcad program files...
-MAX_MCAD_FOR_UPGRADE=8.0.2.0
-ZEOS=kbdru441.kbd
-MSG_INVALID_OLD_MEDIA=The media you inserted is not a valid Mathcad disk. Please enter a valid Mathcad disk or cancel the installation.
-KEYBIND_MSG=Select your initial key bindings. You can change them later in the View Preferences dialog.
-.
-. other lines
-.
-MSG_DOMESTIC_SCARE=This product version is only for sale in the U.S. and Canada.\n\nSetup will exit now.   <----- (THIS IS THE COUNTRY CODE STRING)
-.
-. other lines
-.
-MSG_INVALID_SERIAL=Invalid serial number. Please check your serial number and enter it again.   <----- (THIS MSG WILL BE USED IN THE 2ND PART)
-.
-. other lines
-.
-MSG_INFO2a=this CD. Each book can be installed on your
-MSG_INFO3b=install Acrobat Reader from there if you need it.
-MSG_INFO2b= Practical Statistics
-.
-.
-etc
-[General]
-Language=0009
-Type=STRINGTABLESPECIFIC
-Version=1.00.000
If you now open the file SETUP.INS with a hex editor, you will note that the string "This product version is only....." is not there, but it's easy to search for the label of this string, "MSG_DOMESTIC_SCARE"; thus it is the file SETUP.INS that prints a MessageBox which is really the Country Code nag screen.
Now that we know who is responsible for the nag screen, we have to find a method to understand something more about it. Right at this moment we use the tool IsDcc to decompile the file SETUP.INS. From the DOS prompt type:
isdcc setup.ins > setup.lis
(where > redirects the output of the isdcc command to the file setup.lis)
Well, now that we have the decompiled listing SETUP.LIS let's analyze it: after some labels there is:
- label130:
-   lNumber4 = number50 = 68;                            <-- lNumber4 = 0 or 1
-   if (lNumber4 = 0) then                               <----- PROT1
-     goto label132;                                     <-- if lNumber4 = 0 !!! GOOD GUY !!!
-   endif;
-   function174();                                       <-- if lNumber4 = 1
-   lNumber4 = LAST_RESULT;
-   lNumber4 = lNumber4 < 0;                             <-- lNumber4 = 0 or 1
-   if (lNumber4 = 0) then                               <----- PROT2
-     goto label132;                                     <-- if lNumber4 = 0 !!! GOOD GUY !!!
-   endif;
-   StrLoadString("", "MSG_DOMESTIC_SCARE", lString2);   <-- if lNumber4 = 1 !!! BAD GUY !!!
-   MessageBox(lString2, -65535);                        <-- "This product version is only....."
-   abort;
This is the part we are interested in for the control on the COUNTRY CODE nag screen.
You can see the routine that launches the nag screen. Unluckily I don't yet know the structure and the language of the just-decompiled SETUP.INS script well enough to trace back, with certainty, the parameters and functions used (I'd like to have more documentation about them), but I noticed something (ZEN):
let's open the files SETUP.INS and SETUP.LIS with UltraEdit 32; here follows the part of the hexadecimal listing of SETUP.INS around the string "MSG_DOMESTIC_SCARE":
Looking at the two files (SETUP.LIS in text format and SETUP.INS in hexadecimal format) you notice that the constants (both strings and numerical) appear in SETUP.INS in the same order as in SETUP.LIS; namely, going upward from the string "MSG_DOMESTIC_SCARE" you meet a DWORD 00 00 00 00 which is the first zero in the code listing of SETUP.LIS, at the line "if (lNumber4 = 0) then <----- PROT2"; then there is a DWORD 00 00 00 00 which is the zero of the line "lNumber4 = lNumber4 < 0;"; and then the DWORD 00 00 00 00 which is the zero of the line "if (lNumber4 = 0) then <----- PROT1".
We have 2 possibilities to modify the flow of the program through these flags. The most effective is the first one above, as it completely avoids the execution of the function which derives the COUNTRY CODE, "function174()", and jumps over the nag screen (PROT1).
Changing the DWORD in PROT1 from 00 00 00 00 to 01 00 00 00, I change the control on the flag which starts the nag screen.
Now we can launch SETUP.EXE, but after an instant a message appears saying the file SETUP.INS is damaged. At once I thought of a checksum on the file. To make up for the sum I tried the easiest thing: I reduced by 1 a letter of the string "MSG_DOMESTIC_SCARE" (which after the crack will never be used), changing it to "MSG_DOMESSIC_SCARE", namely "S" in place of "T" (53h in place of 54h). Well done.
Everything works correctly. (Naturally this modification works only for countries other than the U.S.A. and Canada)!!
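The checksum step above, as an added example that is not part of the original tutorial: a constructed buffer stands in for the relevant bytes of SETUP.INS, and a plain byte sum is assumed for the checksum (the tutorial does not say which algorithm InstallSHIELD used). It shows why a sum-style check cannot tell the compensated edit from the original file, while a cryptographic hash or a keyed MAC (DEMO_KEY is a hypothetical key) still detects it.

```python
import hashlib
import hmac
import struct

LABEL = b"MSG_DOMESTIC_SCARE"
# Constructed stand-in for the region of SETUP.INS discussed above (not the
# real file): a little-endian DWORD flag constant (0) followed by the label.
ORIGINAL = struct.pack("<I", 0) + LABEL + b"\x00"
# Hypothetical verification key; a real installer would keep it out of the package.
DEMO_KEY = b"constructed-demo-key"

def byte_sum(data: bytes) -> int:
    """Additive checksum assumed for illustration: sum of all bytes mod 2**32."""
    return sum(data) & 0xFFFFFFFF

def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy of data with the byte at offset replaced by value."""
    return data[:offset] + bytes([value]) + data[offset + 1:]

def compensated_patch(data: bytes) -> bytes:
    """Reproduce the tutorial's edit: the flag DWORD becomes 01 00 00 00 (+1)
    and the 'T' of MSG_DOMESTIC_SCARE becomes 'S' (-1), so the byte sum is
    unchanged."""
    t_offset = data.index(LABEL) + LABEL.index(b"T")
    patched = patch_byte(data, 0, 0x01)
    return patch_byte(patched, t_offset, ord("S"))

def sum_check_passes(original: bytes, modified: bytes) -> bool:
    """Sum-based check: accepts any edit whose byte changes cancel out."""
    return byte_sum(original) == byte_sum(modified)

def sha256_check_passes(original: bytes, modified: bytes) -> bool:
    """Hash-based check: any changed byte changes the digest."""
    return hashlib.sha256(original).digest() == hashlib.sha256(modified).digest()

def hmac_check_passes(original: bytes, modified: bytes, key: bytes) -> bool:
    """Keyed check: detects the edit and cannot be recomputed without the key."""
    expected = hmac.new(key, original, "sha256").digest()
    actual = hmac.new(key, modified, "sha256").digest()
    return hmac.compare_digest(expected, actual)

if __name__ == "__main__":
    modified = compensated_patch(ORIGINAL)
    print("byte sum check passes:", sum_check_passes(ORIGINAL, modified))            # True
    print("sha256 check passes:  ", sha256_check_passes(ORIGINAL, modified))         # False
    print("hmac check passes:    ", hmac_check_passes(ORIGINAL, modified, DEMO_KEY))  # False
```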
2ND PART : SERIAL NUMBER
I also asked myself: what if I had never had the serial number?
Since my intuition about the position of the constants in the file SETUP.INS worked, I followed the same reasoning for the serial number. There is this message: "Invalid serial number. Please check your serial number and enter it again." which appears only if you enter a wrong serial number. This string, as you can see above, exists in the file VALUE.SHL as the text of the label "MSG_INVALID_SERIAL", so let's go into the file SETUP.LIS to look for this string:
-label126:
-   lNumber4 = lNumber0 = 0;                               <-- lNumber4 = 0 or 1 (=1 if lNumber0=0) <-- PROT3
-   if (lNumber4 = 0) then                                 <--- PROT4
-     goto label131;                                       <-- if lNumber4 = 0 !!! GOOD GUY !!!
-   endif;
-   function182(lString0, lString1, string5, string6, string7, lNumber1);
-   lNumber0 = LAST_RESULT;
-   lNumber4 = lNumber0 = 12;                              <-- lNumber4 = 0 or 1
-   if (lNumber4 = 0) then                                 <--- PROT5
-     goto label128;                                       <-- if lNumber4 = 0 !!! BAD GUY !!!
-   endif;
-   return(lNumber0);                                      <-- if lNumber4 = 1 !!! GOOD GUY !!!
-
-label127:
-   function171(string7);
-   lNumber4 = LAST_RESULT;
-   lNumber4 = lNumber4 = 1;
-   if (lNumber4 = 0) then
-     goto label129;
-   endif;
-   function3("", string5, string6, string7, 0);
-   lNumber0 = LAST_RESULT;
-   lNumber1 = 0;
-   goto label130;
-
-label128:
-   StrLoadString("", "MSG_INVALID_SERIAL", lString2);     <-- !!! BAD GUY !!!
-   MessageBox(lString2, -65535);
-   lNumber1 = 1;
-   lNumber0 = 0;
-
-label129:
-   goto label127;
This is the part we are most interested in for the control on the SERIAL NUMBER.
You can see the routine that calls the function which shows the message that the serial number is not valid.
Let's open the files SETUP.INS and SETUP.LIS with UltraEdit 32; here follows the part of the hexadecimal listing of SETUP.INS near the string "MSG_INVALID_SERIAL":
45 52 49 41 4C 5F 50 52 4F 4D 50 54 52 9A FF 21  ERIAL_PROMPTR..!
00 32 9A FF 41 00 00 00 00 00 00 01 00 21 00 32  .2..A........!.2
9B FF 41 00 00 00 00 00 00 09 00 29 01 28 01 32  ..A........).(.2
97 FF 42 9B FF 41 05 00 00 00 41 00 00 00 00 22  ..B..A....A...."  <---- dword (0) PROT3
00 70 83 00 95 42 97 FF 41 00 00 00 00 B5 00 80  .p...B..A.......  <---- dword (0) PROT4
B6 00 70 41 01 62 9B FF 62 9A FF 52 1E 00 52 1F  ..pA.b..b..R..R.
00 52 20 00 42 9A FF 21 00 32 9B FF 42 00 00 28  .R .B..!.2..B..(
01 32 97 FF 42 9B FF 41 05 00 00 00 41 0C 00 00  .2..B..A....A...  <---- ref. constant
00 22 00 70 80 00 95 42 97 FF 41 00 00 00 00 2F  .".p...B..A..../  <---- dword (0) PROT5
01 B7 00 42 9B FF 00 00 08 00 B5 00 80 AB 00 70  ...B...........p
87 00 62 20 00 21 00 32 97 FF 42 00 00 28 01 32  ..b .!.2..B..(.2
97 FF 42 97 FF 41 05 00 00 00 41 01 00 00 00 22  ..B..A....A...."
00 70 81 00 95 42 97 FF 41 00 00 00 00 B5 00 80  .p...B..A.......
03 00 70 77 01 61 00 00 62 1E 00 62 1F 00 62 20  ..pw.a..b..b..b
00 41 00 00 00 00 21 00 32 9B FF 42 00 00 21 00  .A....!.2..B..!.
32 9A FF 41 00 00 00 00 2C 00 70 82 00 00 00 04  2..A....,.p.....
00 12 01 61 00 00 61 12 00 4D 53 47 5F 49 4E 56  ...a..a..MSG_INV  <-- String
41 4C 49 44 5F 53 45 52 49 41 4C 52 99 FF 2A 00  ALID_SERIALR..*.
Looking at the 2 files SETUP.LIS and SETUP.INS, as done for the Country Code, namely going toward the top of the file from the string "MSG_INVALID_SERIAL", you note that here the flags which call for the invalid serial number message are further up from the string; as reference point we will examine (12d) = (0Ch) of the line "lNumber4 = lNumber0 = 12;".
Starting from this value, toward the bottom, we find the first DWORD 00 00 00 00 which corresponds to the zero in the code listing of SETUP.LIS at the line "if (lNumber4 = 0) then <--- PROT5".
Instead, from (0Ch) going toward the top, there is a DWORD 00 00 00 00 which is the zero of the line "if (lNumber4 = 0) then <--- PROT4", and then the DWORD 00 00 00 00 which is the zero of the line "lNumber4 = lNumber0 = 0; <-- lNumber4 = 0 or 1 (=1 if lNumber0=0) <-- PROT3".
We have 3 possibilities to modify the flow of the program through these flags. Particularly:
1) AVOID THE SERIAL NUMBER REQUEST and NO COUNTRY CODE:
   modify PROT3 or PROT4 (either one), changing the DWORD 00 00 00 00 to 01 00 00 00.
2) ACCEPT WHATEVER SERIAL NUMBER and NO COUNTRY CODE:
   modify PROT5, changing the DWORD 00 00 00 00 to 01 00 00 00.
Never forget the checksum (as above). All done!!
As you can see, different types of crack are possible, with or without the serial number; the choice is yours, as are the possibilities to crack the installation of Mathcad 8 with another approach. I think this is the quickest one once the procedure is understood; on the contrary I'm amazed by the ease and the stupidity of this protection (in spite of my partial ignorance about the structure of the scripts), especially the checksum on SETUP.INS: it would be better to have no checksum at all.
But as I learned from +ORC, there really exists something that we will call "Zen cracking" for lack of a better definition; it means, among other things, to try first of all the easy solutions that could take you away, far above the code, on their wings of facility.
(Thanks to my girlfriend for translation assistance)
(by +RoXrOb)