Part II: InstallShield Packages Encryption |
Packers & Unpackers | |
by Fravia+ |
||
fra_00xx 980119 +Aitor 0100 NA PC | Our friend +Aitor has already given us his first essay about Matlab: Simple dongle reversing: the 'alien dll date' trick, which was part of our "How to undongle" section. Now he 'deepens' our knowledge of Installshield protections, and therefore this essay will be catalogued inside a new "Objected Oriented Cracking" section if we ever start it... for the moment I have put this among the "packers and unpackers" essays. Enjoy this essay, a little jewel that without much ado teaches you 'on the fly', inter alia, how to code a 'little tool of the trade' to decode the xored-encrypted files that ARE on the CD-ROM you bought (or got) and that you ARE NOT supposed even to see or use... |
|
That's how the light gets in | ||
Second part of this series about reverse engineering MATLAB 5.
Once we have MATLAB 5 running (with or without the dongle ;) we take a look to the list of installation packages, and something bring us suspicions about the *real* contents of our CD. Let's take the InstallShield (un)compressor and search inside the packages ...
"Hey!" -You'll think- "Hey, that's not possible, mate!" ... ... because all the *.Z InstallShield packages in the MATLAB 5 CD-ROM are encrypted ... therefore ...
No, dear readers: Encryption is indeed one of the most powerful ways to protect software, but if you're a lazy programmer, even the best protection techniques will turn stale in your hands, because your mind won't be merrily pursuing the beauty of a well programmed piece of code, but it will instead be obsessed by the money you'll earn if you finish quickly the job ... You don't believe me? Read the following...
Aurrera with it!
As you have read in the intro, this is our situation: we have a series of *.Z files that cannot be decompressed with the InstallShield Compressor ... ... aren't they true InstallShield files? are they compressed with a new unknown version of iS? what the hell is happening here? ... yes, you're right, they're encrypted !
When a true +reverse engineer finds this kind of protection he thinks "hey, and what if I try to find the encryption code to rip/reverse the process?" or even better, taking into consideration the first thing he learnt at +ORC's School ... "protectionists are stupid!" (OK, some of them are pretty competent but they are the exception ...).
When you go to your 'Encryption School', the first lesson (OK, may be the second :) you are teached is probably the lesson about XOR encryption, that is,
A XOR B = C C XOR B = A simple to understand, simple to code ... and simple to decode !
Just before install every *.Z file, our target decodes it in memory and stores it in the iS temporal directory ... we can change to another task while installing and copy one of the *.Z *decrypted* files from the temporary dir to a secure place. Now we have two copies, coded and decoded, of a package, let's check them ... take your hex editor and compare both files XORing one with the other (I'll do it with NCD.Z, 'Nonlinear Control Design Blockset'):
Encrypted : 0e 47 7e 90 27 1b 19 1c 1d 1a 1b 1c 5f 1a 2d 3e Decrypted : 13 5d 65 8c 3a 01 02 00 00 00 00 00 42 00 34 22 ----------------------------------------------- XOR Table : 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c
you can't believe your eyes, eh? Beginning with $1d each byte is XORed using a single four bytes table, [$1a,$1b,$1c,$1d], until the end of the file ... You can try it with any other *.Z file on the CD, you'll get the same results ...
It's time to take your favourite assembler/compiler and put in practice your programming knowledge to code a little tool of the trade. Here you got ready-to-be-compiled BP7 code to decrypt all the *.Z files found in the current directory (kontuz!, no error checking at all ...):
{------- cut here --------------- cut here --------------------} Program Matlab_5__InstallShield_Encrypted_Files_Decoder; Uses DOS; Type TBufferPtr = ^TBuffer; TBuffer = Array [1..32*1024] of Byte; Var EncFile,DecFile : File; BytesRead,BytesWritten : Word; Buffer : TBufferPtr; DirInfo : SearchRec; i : Word; XorKey : Byte; Begin Asm mov ax,3 int 10h End; WriteLn('+--------------------------------------------------+'); WriteLn('+ MATLAB 5 InstallShield Encrypted Files Decoder +'); WriteLn('+ by Aitor, +HCU 1998 +'); WriteLn('+--------------------------------------------------+',#13#10); FindFirst('*.z',Archive,DirInfo); If DosError<>0 Then Begin WriteLn(' * ERROR: Files not found ... agur !'); Halt(1); End; New(Buffer); While DosError=0 Do Begin Assign(EncFile,DirInfo.Name); Assign(DecFile,'deleteme.~$$'); Reset(EncFile,1); ReWrite(DecFile,1); XorKey:=29; Write(' * Decrypting ',DirInfo.Name, ' ... '); Repeat BlockRead(EncFile,Buffer^,SizeOf(Buffer^),BytesRead); For i:=1 to SizeOf(Buffer^) do Begin Buffer^[i]:=Buffer^[i] XOR XorKey; Inc(XorKey); If XorKey>29 Then Dec(XorKey,4); End; BlockWrite(DecFile,Buffer^,BytesRead,BytesWritten); Until (BytesRead=0); Close(EncFile); Close(DecFile); Erase(EncFile); Rename(DecFile,DirInfo.Name); WriteLn('OK !'); FindNext(DirInfo); End; Dispose(Buffer); End. {------- cut here --------------- cut here --------------------}
With our new decryptor, we're ready to decode and install *all* (note I'm saying iNSTALL and NOT USE) the crippled modules included in the CD:
COMM Z 3.267.584 Communications Toolbox FINANCE Z 755.779 Financial Toolbox FUZZY Z 490.750 Fuzzy Logic Toolbox HOSA Z 1.398.899 Higher-Order Spectral Analysis Toolbox IMAGES Z 3.058.232 Image Processing Toolbox LMI Z 413.974 LMI Control Toolbox MUTOOLS Z 606.983 Mu-Analysis and Synthesis Toolbox NNET Z 346.529 Neural Network Toolbox OPTIM Z 71.431 Optimization Toolbox PDE Z 281.449 Partial Differential Equation Toolbox QFT Z 743.068 QFT Control Design Toolbox SPLINES Z 112.109 Splines Toolbox STATS Z 284.214 Statistics Toolbox SYMBOLIC Z 5.636.086 Extended Symbolic Toolbox WAVELET Z 1.363.772 Wavelet Toolbox
and we'll be able to check the contents of files like these:
HARDWARE Z 207.281 LICENSE Z 332.036
with *very interesting material* inside them, but that goes beyond the purpose and level of this essay ...
Like many other contributors to this pages English is not my mothertongue ... ... sorry for any inconvenience, be patient ;).
Greetings to all the reverse engineers from Euskal Herria (Basque Country) ... ... jotake irabazi arte !
(c) 1998 by +Aitor and the +HCU. All rights reserved.