InstallShield Pro 5 Build 221 for Win95
Crack InstallShield International East build 224
1. Execute the package (about 20MB) downloaded from InstallShield ftp:
ftp://ftp.installshield.com/is5/intl/east/pftw/is5east.exe
2. At the password-input screen, launch soft-ice. Clear all the other
breakpoints and then set one with bpx USER32!GetWindowTextA
3. Quit soft-ice. Press a key in the password editbox.
4. Soft-ice will be triggered at GetWindowTextA
5. Issue "p ret" to get out of this procedure. You should then stop at
00403719 mov  edx, [0040ef90]   ; edx->input buffer
         push edx               ; PARAMETER_1
         call 00401090          ; checksum procedure
         mov  edx, [0040ea88]   ; ideal value of return
         add  esp, 4            ; stack fixup
         ...                    ; later
         xor  ecx, ecx          ; zero ecx
         cmp  eax, edx          ; eax = edx?
         setz cl                ; yes, cl = 1; no, cl = 0
         mov  eax, ecx
         pop  ebp               ; stack frame
         ret                    ; return in eax
while the instruction just before 00403719 is the call to GetWindowTextA
6. As you can see above, the procedure at 00401090 is the one we are
looking for. It takes one parameter: the address of the password
string. After some processing, it returns a value in eax calculated
from the string. To ease reading, the following shows pseudo-code for
the procedure (written as a C function) rather than assembly.
unsigned long checksum(const char *lpPassword)
{
    unsigned long accumulation = 0xf143ac;   /* initial value */
    unsigned char ch;
    for (;;) {
        ch = *lpPassword++;
        if (ch == '\0') break;               /* end of password string */
        accumulation += 2 * ch;              /* each character is added twice */
    }
    accumulation ^= 0x51993;
    return accumulation;                     /* returned in eax */
}
7. After the accumulation value is returned, the program then compares it
with the ideal value, which is 0xF44F75, stored at address 0040ea88 in
this case.
8. So we can calculate the accumulation before the xor: 0xF44F75 xor
0x51993 = 0xF156E6. Subtracting the initial value 0xF143AC from it gives
whatever was added in the loop, which is 0x133a. From the pseudo-code,
that value is two times the checksum of the password string.
9. Since each character is added twice, the actual checksum of the
password is 0x133a / 2 = 0x99d.
10. By using a basic program to count up a checksum, I decided to use
"asdfasdfasdfasdfasdfasdO" (5 times 'asdf' plus 'asd' and 'O', case
sensitive) as the password. The final 'O' is just a fixup. Nothing
special. You may use any similar method to add up to your own favorite
password for InstallShield International East 5 build 224.
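To check the arithmetic in steps 8 and 9, the routine from the pseudo-code is reimplemented below as an added example (it is not code from this write-up or from InstallShield; the constants are the ones the write-up lists for this build). It also shows why a sum-based check gives no real protection: any reordering of an accepted string is accepted too.

```c
#include <stdio.h>

/* Constants as listed in the write-up for this build (assumed correct). */
#define INITIAL_VALUE 0xF143ACUL
#define XOR_MASK      0x051993UL
#define TARGET_VALUE  0xF44F75UL

/* The accumulation routine reconstructed from the write-up's pseudo-code. */
unsigned long is5_checksum(const char *password)
{
    unsigned long acc = INITIAL_VALUE;
    const unsigned char *p = (const unsigned char *)password;
    while (*p != '\0')
        acc += 2UL * *p++;            /* every byte is added twice */
    return acc ^ XOR_MASK;
}

/* Inverts the routine: the byte sum any accepted string must have.
   This is steps 8 and 9 of the write-up (0x133a / 2 = 0x99d). */
unsigned long required_byte_sum(unsigned long target)
{
    return ((target ^ XOR_MASK) - INITIAL_VALUE) / 2;
}

/* Plain byte sum of a string, to compare against required_byte_sum(). */
unsigned long byte_sum(const char *s)
{
    unsigned long sum = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        sum += *p;
    return sum;
}

/* A check that depends only on a byte sum is order-insensitive, so it
   cannot distinguish the intended password from its permutations. */
int accepts(const char *password)
{
    return is5_checksum(password) == TARGET_VALUE;
}

int main(void)
{
    const char *pw = "asdfasdfasdfasdfasdfasdO";    /* the write-up's password */
    printf("required byte sum: 0x%lx\n", required_byte_sum(TARGET_VALUE));
    printf("%s -> 0x%lx accepted=%d\n", pw, is5_checksum(pw), accepts(pw));
    printf("reversed string   -> accepted=%d\n", accepts("Odsafdsafdsafdsafdsafdsa"));
    return 0;
}
```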
*. The above cracking technique can also be applied to PackageForTheWeb
2.00.200 packages.