InstallShield Pro 5 Build 221 for Win95
Crack InstallShield International East build 224

1. Execute the package (about 20MB) downloaded from InstallShield ftp:
        ftp://ftp.installshield.com/is5/intl/east/pftw/is5east.exe
2. At password-input screen, launch soft-ice. Clear all the other
    breakpoints and then bpx USER32!GetWindowTextA
3. Quit soft-ice. Press a key in the password editbox.
4. Soft-ice will be triggered at GetWindowTextA
5. Issue "p ret" to get out of this procedure. You should then stop at

        00403719        mov    edx, [0040ef90] ; edx->input buffer
                        push    edx            ; PARAMETER_1
                        call    00401090        ; checksum procedure
                        mov    edx, [0040ea88] ; ideal value of return
                        add    esp, 4          ; stack fixup ... late
                        xor    ecx, ecx        ; zero ecx
                        cmp    eax, edx        ; eax = edx?
                        setz    cl              ; yes, cl = 1; no, cl = 0
                        mov    eax, ecx
                        pop    ebp            ; stack frame
                        ret                    ; return in eax

    while the previous instruction is to call GetWindowTextA

6. As you can see in the above, the procedure at 00401090 is the one we
    are looking for. It takes one parameter: the address of the password
    string. After some processing, it will return a value in eax
    calculated from the string. In order to ease the reading, following
    shows a psuedo-code of the procedure rather than assembly.

        accumulation = 0xf143ac
        do
            ch = *lpPassword++;
            if (ch == '\0') break;
            accumulation += 2 * ch;
        loop
        accumulation xor 0x51993;
        return accumulation;

7. After the accumulation value is returned, the program than compares
    with the ideal value, which is 0xF44F75 stored in address 0040ea88 in
    this case.
8. So that we can calculate the accumulation before xor, which is F156E6.
    Subtract this value by the initial value F143AC will get whatever is
    added in loop. From the psuedo-code, the value added is two times the
    checksum of the password string, which is 0x133a.
9. Since each character is added up by two times of value, therefore the
    actual checksum of the password is 0x133a / 2 = 0x99d.
10. By using a basic program to count up a checksum, I decided to use
    "asdfasdfasdfasdfasdfasdO" (5 times 'asdf' plus 'asd' and 'O', case
    sensitive) as the password. The final 'O' is just a fixup. Nothing
    special. You may use any similar method to add-up to your own favorite
    password for InstallShield International East 5 build 224.

*. The above cracking technique can be applied on PackageForTheWeb
    2.00.200 packages.

66、InstallShield Pro 5 Build 221 for Win95 =======================================================

  How to find the password of IS5P221.exe(InstallShield PrfessionalEdition 5.0, build 221)
    ========================================================================================

Tools that I used:
      1. SoftIce for NT.
      2. Windows NT Workstation 4.0 (english version, build 1381 with service pack 3)

Let's go:
        Run the Is5P221.exe, after the about screen, it will ask you to type
  the password to continue, below the Password dialog, you will not get a enabled
  'Finish' button until you have entered the correct password.

        So, Let us think how to find the correct pasword. After we type a character
  the package must compare the characters we  have entered with the correct password.

        So let's begin:
  First, just type anay number of characters, for example, '121212', to the pasword
  field, press Ctrl-D to switch to softice, type

  :bpx getwindowtexta
  :Ctrl-D

        Now we are back to the password dialog, enter another '1' to password field,
  softice will pop up at User32!GetWindowTextA, hit F12 to return to is5p221,
  now we try to serach the stack to find the password we have entered,

  :s ss:0 lffffffff '121212'
  Pattern find at xxxx:01800820
 
  We have to set the breakpoints to any code they read this area, so type
  :bpm 018000820 r
 
  Press F5 to continue running, SoftIce will pop up at KERNEL!CompareStringA
  :77f2b318    mov al, [esi]
  :77f2b31a    cmp [ebx], al  <--- softice pop up at here,
                                    ebx equal to '01800820'
  :77f2b31c    jnz 77f2b325    <--- if not equal, incorrect password, jump away
  :77f2b31e    inc esi        <--- if equal, increment index
  :77f2b31f    inc ebx
  :77f2b320    cmp byte ptr[esi], 00  <--- test if this is the last character of
                                            stored password
  :77f2b323    jnz 77f2b318    <--- compare with next character
 
  OK, take a rest, light a cigarette, we have found the stored password, is it so easy ?

  dump the data at [ebx], [esi]
  :d ebx  <--- you will see the password you have entered.
  :d esi  <--- you will see the stored password(I will give you a clue, the stored password is
              "dol???????", just try to find out by yourself) 
 
  Write down the stored password you have found to a paper, then disable any breakpoints,
  :bd *
  :Ctrl-D
 
  We are back to the password dialog again, erase the incorrect password, type the sotred
  password you have found to the password field, you will get a enabled 'Finish' button.



  Now let's think how could we crack this type of application quickly ?
  The answer is :
    1. run this type of program.
    2. type any number of characters to the password field.
    3. switch to the SoftIce.
    4. set a breakpoint to KERNEL32!CompareStringA by
      :bpx CompareStringA
    5. run the program again and type one more character to the password field
    6. softice will pop up at KERNEL32!CompareStringA
    7. step the code until you stop at "jnz 77f2b325"

        :77f2b318      mov al, [esi]
        :77f2b31a      cmp [ebx], al  <--- softice pop up at here,
                                            ebx equal to '01800820'
        :77f2b31c      jnz 77f2b325    <--- if not equal, incorrect password, jump away
        :77f2b31e      inc esi        <--- if equal, increment index
        :77f2b31f      inc ebx
        :77f2b320      cmp byte ptr[esi], 00  <--- test if this is the last character of
                                                    stored password
        :77f2b323      jnz 77f2b318    <--- compare with next character
 
    8. dump the data pointed by [esi], you will get the stored password.

这是很有深度的思考，不过既然要能对所有的密码保护都能所向无敌，应该从密码保护程式设计的角度去
观察。当然在做更深入的探讨之前，我赶忙去下载了一份InstallShield Pro 5 Build 221。我以後的软
体会用得到。

那麽，这类的边输入边查核的密码保护到底还可以用什麽方式作出来呢？有没有办法不透过 GetWindowText
就可以取得使用者在编辑窗的输入呢？答案是肯定的，事实上，有许多方法可以达成。其一，可以以
SendMessage EM_GETLINE拷贝缓冲区。其二，直接利用 SendMessage EM_SETHANDLE 指定缓冲区给编辑
窗，直接从自己的缓冲区读输入。甚或是直接 Subclass 或 Hook编辑窗，直接一个字一个字自己组合起
来。前两种范例，都可以利用 soft-ice search 的功能，再设定 BPR (Breakpoint on Range，中断於一
记忆体范围) 的 breakpoint 达成拦截，唯最後一者比较棘手，可能要找出 subclass 或 hook 的程序才
加以breakpoint，并要过滤出 WM_CHAR 或相关可以取得使用者输入字元的讯息。头皮发麻了吧？

好吧，来谈谈处理输入、判定密码的问题。一个程式，其实要做密码的判断并不难。可是不知道怎麽搞的，
许多程式一窝蜂的使用系统呼叫。其实下列不出32 bytes 的组合语言片段即可做字串比较。

; 假设 ds=es
    mov esi, offset 字串1
    mov edi, offset 字串2
    mov ecx, 字串长度
    repe cmpsb
    jne 字串不相同
; 字串相同

也可以搞得复杂一点，如下所示，既有简易密码保护，也有简易流程保护：

; 假设 ds=es
    xor ecx, ecx    ; ecx=0
    xor ebx, ebx    ; ebx=0
    mov ebp, offset 字串1 ; 密码值
    mov esi, offset 字串2 ; 输入值
fetch_one_dword:
    ; 如果索性跳过这一行，会造成堆叠损毁
    push dword ptr ds:[ebp + cx]    ; 可能也可以用 byte ptr 吧？我不确定。
    pop eax
    xor eax, 55aa55aah    ; 简易编码过的密码值，再 xor 一次以还原
    cmp eax, dword ptr [esi + cx]
    jnz password_error
    add ebx, eax    ; ebx += eax
    add ecx, 4
    cmp ecx, 字串长度
    jnb done
    jmp short fetch_one_dword
done:
    ; 先把使用者的输入字串和计算好，在此略
    call calc_checksum    ; esi = 字串2, 传回: eax = checksum
    cmp eax, ebx            ; 如果你试着要跳过前面的 cmp 的话
    jne password_error    ; ebx 得到的 checksum 在此会不同
    ; 密码答对了，有奖！

流程保护是指，不论如何，一定要完全检查过密码就是了。不然有得瞧！

当然，也有更高段的保护的。这里示范的只是一个概念，并无意要出题考各位破解
的功力。这里我还想得到的保护，还有利用 soft-ice的死角。概念是，因为 soft-ice
只能为单一执行绪除错，其他的不是被终止，就是在你执行系统呼叫时才偷偷执行，
你无法一次除错或确实终止多重执行绪，所以我就想到利用建立另一个执行绪来帮
我比较密码的概念。

嗯，能跟我跟到这里，也要谢谢您的耐心，我希望诸君都一个字一个字地看过一遍，
因为我有些句子浓缩了不少（打完字後才发现）。不过我衷心的希望这多多少少对
您有帮助。

--

Robin Hood
ICQ UIN: 1311717

mailto:robin.hood@ibm.net
-----------------------------------