Cracking all nag-screen and time-trial protections (Aerial32 as example)

Cracking Installshield serials:
EASY or TOUGH protection

I know that Fravia asked for no more banal essays, but
I must write this because we crackers have overlooked
something with Installshield many many times.
Tools:
Any version of Soft Ice that supports BPX and Windows
Any Installshield serial number protected program

If you go back to my first essay on cracking Numega
Smartcheck, you will notice that I say something among
the lines of "I tried to crack the serial protection
but failed, but dont worry we will still be able to
crack this program."  Apparently though, the serial
number is used throughout the program as well as the
unlock code I describe.  But what mainly made me go
back to this was NatzGul’s essay when he said he could
not crack the serial.  I was begining to write my own
Installshield Script decompiler, starting to look
through the INSHELP setup file for the compare code for
the tokens.  The thing about Smartcheck is that you can
get a trial if you leave the field blank, but we want
to register not get a trial!  This is why Natzgul found
it acceptable to only crack the script.
I could not find the code I was looking for and so I
started looking at the imported dll functions.  There I
saw a lot of strange calls among a StrCmpiA.  I had
checked StrCmp[][A][W] a lot but never StrCmpi[][A][W].
Maybe I found something here after all.  So load up
your debugger and get to the serial nag screen of your
installation program.  Set a bpx strcmpia.  Now click
the next button.
By the way, I looked up StrCmpi but could not find it,
but it seems like a normal string comparison function.
The debugger should pop up in the routine.  If you
press F12, to leave, and then look above the call, you
will see the two addresses pushed.  Dump whats there.
It seems to be comparing ‘BUTTON’ to ‘BUTTON’.  Well
this is weird maybe this is not what we want after all.
Try again and it compares ‘EDIT’ to ‘BUTTON’.  Try
again and it compares ‘BUTTON’ to ‘BUTTON’ again.  This
seems to be some sort of dialog ID being copied.  Maybe
we should give up?  Dont.
Now repeat the process one more time maybe more
depending on what the OS is up to but you should see a
‘-‘ compared with a ‘-‘ and one of the ‘-‘s should have
part of your serial number, the one you typed
following.  Hmmmm.  Seems like we have found some sort
of general data area on the stack.  We must be getting
somewhere now.  Try one more time now and guess what?
You see two numbers being compared.  The strange one
couldn’t happen to be your serial number without dashes
could it?  It is though.
Who would have thought this protection would have been
so easy.  It is so easy, it constitutes a tough
protection because we would never even think it to be
this easy to try it!  Note you might have trouble if
you dont put the dashes in in the right place or fake
the serial with one with the wrong length, but when you
bypass the serial by leaving it blank, the splash
screen thankfully say serial number: xxxx-xxxxxx-xx.
Numega use your brains.
Sorry this essay does not solve how the key maker
works, but why clutter your mind with that when you can
generate them so easily by just setting a breakpoint.

Snatch ’98

Kaynak: www.woodmann.com/fravia
belgesi-1092

Belgeci , 2422 belge yazmış

Cevap Gönderin