aitor_45.htm - Reverse Engineering MATLAB 5 - Part II: InstallShield Packages Encryption

	Reverse Engineering MATLAB 5 Part II: InstallShield Packages Encryption	Packers & Unpackers
19 January 1998	by +Aitor
	Courtesy of Fravia's page of reverse engineering	slightly edited by fravia+
fra_00xx 980119 +Aitor 0100 NA PC	InstallShield Packages Encryption... the sound of these words is so... how can I explain it... tasty? Luscious? Juicy? Well, you understand what I mean, don't you? Our friend +Aitor has already given us his first essay about Matlab: Simple dongle reversing: the 'alien dll date' trick, which was part of our "How to undongle" section. Now he 'deepens' our knowledge of Installshield protections, and therefore this essay will be catalogued inside a new "Objected Oriented Cracking" section if we ever start it... for the moment I have put this among the "packers and unpackers" essays. Enjoy this essay, a little jewel that without much ado teaches you 'on the fly', inter alia, how to code a 'little tool of the trade' to decode the xored-encrypted files that ARE on the CD-ROM you bought (or got) and that you ARE NOT supposed even to see or use...
	There is a crack, a crack in everything That's how the light gets in
Rating	( )Beginner (x)Intermediate ( )Advanced ( )Expert

"A little essay to show beginners and intermediate reversers / programmers how NOT to encrypt their own programs ..."

Reverse Engineering MATLAB 5
Part II: InstallShield Packages Encryption
Written by +Aitor

Introduction


Second part of this series about reverse engineering MATLAB 5.


Once we have MATLAB 5 running (with or without the dongle ;) we take a
look to the list of installation packages, and something bring us
suspicions about the *real* contents of our CD.  Let's take the
InstallShield (un)compressor and search inside the packages ...


"Hey!" -You'll think- "Hey, that's not possible, mate!" ... 
... because all the *.Z InstallShield packages in the MATLAB 5 CD-ROM are
encrypted ...  therefore ...


No, dear readers: Encryption is indeed one of the most powerful ways to
protect software, but if you're a lazy programmer, even the best
protection techniques will turn stale in your hands, because your mind
won't be merrily pursuing the beauty of a well programmed piece of code,
but it will instead be obsessed by the money you'll earn if you finish
quickly the job ...  You don't believe me? Read the following...

Tools required

Your favourite hex editor
Your favourite assembler / compiler (I'll use Borland Pascal v7.0)
InstallShield File Compressor

Target's URL/FTP

The program *iS NOT REQUiRED* to follow the essays. Remember, we are mainly reverse engineers, not only crackers ... this series will teach you generic protection schemes, it's not my intention to write one more how-to-crack to an specific application. Anyway, it's commercial software, but (hardly) available in the net if you do know how to search.

Program History

Not too much to say. A classic among the maths/programming applications, available for different systems. In my personal software archives (for educational purposes only :) I've got version 3.5f for DOS dated from 1989, then was a package including PC-Matlab and AT-Matlab, with only a serial number. Latest version I know is the target of this essay, a CD-ROM including version 5.0 for Win95/NT and version 4.2c.1 for Win32s, both serial number + dongle protected.
If you want to know more about this product contact with the The MathWorks Web site or connect to one of the hundreds of Matlab related sites across the net.

Essay

Aurrera with it!


As you have read in the intro, this is our situation:  we have a series of
*.Z files that cannot be decompressed with the InstallShield Compressor ...
... aren't they true InstallShield files?  are they compressed with a new
unknown version of iS?  what the hell is happening here? ... yes, you're
right, they're encrypted !


When a true +reverse engineer finds this kind of protection he thinks "hey,
and what if I try to find the encryption code to rip/reverse the process?"
or even better, taking into consideration the first thing he learnt at
+ORC's School ... "protectionists are stupid!" (OK, some of them are
pretty competent but they are the exception ...).


When you go to your 'Encryption School',  the first lesson (OK, may be the
second :) you are teached is probably the lesson about XOR encryption,
that is,


A XOR B = C
C XOR B = A
simple to understand, simple to code ... and simple to decode !


Just before install every *.Z file, our target decodes it in memory and
stores it in the iS temporal directory ...  we can change to another task
while installing and copy one of the *.Z *decrypted* files from the
temporary dir to a secure place.  Now we have two copies, coded and decoded,
of a package, let's check them ... take your hex editor and compare both
files XORing one with the other (I'll do it with NCD.Z, 'Nonlinear Control
Design Blockset'):


  Encrypted : 0e 47 7e 90 27 1b 19 1c 1d 1a 1b 1c 5f 1a 2d 3e
  Decrypted : 13 5d 65 8c 3a 01 02 00 00 00 00 00 42 00 34 22
              -----------------------------------------------
  XOR Table : 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c


you can't believe your eyes, eh?  Beginning with $1d each byte is XORed
using a single four bytes table, [$1a,$1b,$1c,$1d], until the end of the
file ...  You can try it with any other *.Z file on the CD, you'll get the
same results ...


It's time to take your favourite assembler/compiler and put in practice
your programming knowledge to code a little tool of the trade.  Here you
got ready-to-be-compiled BP7 code to decrypt all the *.Z files found in
the current directory (kontuz!, no error checking at all ...):


{------- cut here --------------- cut here --------------------}

Program Matlab_5__InstallShield_Encrypted_Files_Decoder;

Uses
  DOS;

Type
  TBufferPtr = ^TBuffer;
  TBuffer    = Array [1..32*1024] of Byte;

Var
  EncFile,DecFile        : File;
  BytesRead,BytesWritten : Word;
  Buffer                 : TBufferPtr;
  DirInfo                : SearchRec;
  i                      : Word;
  XorKey                 : Byte;

Begin
  Asm
    mov ax,3
    int 10h
  End;
  WriteLn('+--------------------------------------------------+');
  WriteLn('+  MATLAB 5 InstallShield Encrypted Files Decoder  +');
  WriteLn('+               by Aitor, +HCU 1998                +');
  WriteLn('+--------------------------------------------------+',#13#10);
  FindFirst('*.z',Archive,DirInfo);
  If DosError<>0 Then
    Begin
      WriteLn(' * ERROR: Files not found ...  agur !');
      Halt(1);
    End;
  New(Buffer);
  While DosError=0 Do
    Begin
      Assign(EncFile,DirInfo.Name);
      Assign(DecFile,'deleteme.~$$');
      Reset(EncFile,1);
      ReWrite(DecFile,1);
      XorKey:=29;
      Write(' * Decrypting ',DirInfo.Name, ' ... ');
      Repeat
        BlockRead(EncFile,Buffer^,SizeOf(Buffer^),BytesRead);
        For i:=1 to SizeOf(Buffer^) do
          Begin
            Buffer^[i]:=Buffer^[i] XOR XorKey;
            Inc(XorKey);
            If XorKey>29 Then
              Dec(XorKey,4);
          End;
        BlockWrite(DecFile,Buffer^,BytesRead,BytesWritten);
      Until (BytesRead=0);
      Close(EncFile);
      Close(DecFile);
      Erase(EncFile);
      Rename(DecFile,DirInfo.Name);
      WriteLn('OK !');
      FindNext(DirInfo);
    End;
  Dispose(Buffer);
End.

{------- cut here --------------- cut here --------------------}


With our new decryptor, we're ready to decode and install *all* (note I'm
saying iNSTALL and NOT USE) the crippled modules included in the CD:


   COMM     Z  3.267.584  Communications Toolbox
   FINANCE  Z    755.779  Financial Toolbox
   FUZZY    Z    490.750  Fuzzy Logic Toolbox
   HOSA     Z  1.398.899  Higher-Order Spectral Analysis Toolbox
   IMAGES   Z  3.058.232  Image Processing Toolbox
   LMI      Z    413.974  LMI Control Toolbox
   MUTOOLS  Z    606.983  Mu-Analysis and Synthesis Toolbox
   NNET     Z    346.529  Neural Network Toolbox
   OPTIM    Z     71.431  Optimization Toolbox
   PDE      Z    281.449  Partial Differential Equation Toolbox
   QFT      Z    743.068  QFT Control Design Toolbox
   SPLINES  Z    112.109  Splines Toolbox
   STATS    Z    284.214  Statistics Toolbox
   SYMBOLIC Z  5.636.086  Extended Symbolic Toolbox
   WAVELET  Z  1.363.772  Wavelet Toolbox


and we'll be able to check the contents of files like these:


   HARDWARE Z    207.281
   LICENSE  Z    332.036


with *very interesting material* inside them, but that goes beyond the
purpose and level of this essay ...

Final Notes


Like many other contributors to this pages English is not my mothertongue ...
... sorry for any inconvenience, be patient ;).


Greetings to all the reverse engineers from Euskal Herria (Basque Country) ...
... jotake irabazi arte !


(c) 1998 by +Aitor and the +HCU. All rights reserved.

Ob Duh

I won't even bother explaining you that you should BUY this target program if you intend to use it ... this is not shareware ;-). If you own a legal copy of the program, take into consideration your country's laws about reverse engineering. Here you got an extract from the LiCENSE.TXT file included in the CD (read it, this is valid for any other commercial software you own in the EU):
"In relation to the Programs which Licensee is entitled to use, Licensee shall not decompile, disassemble or otherwise reverse engineer the Programs except with respect to European Union Licensees whose rights are as follows:

EUROPEAN UNION: Licensee may only decompile, disassemble or otherwise reverse engineer the Programs where any such act is necessary to create an independent program which is interoperable with the Programs or with another program or to observe, study, or test the functioning of the Programs solely in order to understand the ideas and principles which underlie any element of the Programs ("the Permitted Objective") and provided that:

(a) this may only be done if the information necessary to achieve the Permitted Objective has not already been made available or has not been provided by TMW within a reasonable time of a written request to TMW to provide such information;

(b) the compilation, disassembly or reverse-engineering is confined to those parts of the Programs necessary to achieve the Permitted Objective;

(c) the information gained is not used for anything other than the Permitted Objective and is not disclosed to any other person except as may be necessary to achieve the Permitted Objective; and

(d) the information obtained is not used to create a program substantially similar in its expression to the Programs including, but not limited to, expressions of the Programs in other computer languages, or for any other act restricted by copyright in the Programs.

You are deep inside fravia's page of reverse engineering, choose your way out:

homepage

links

search_forms

+ORC

students' essays

academy database

reality cracking

how to search

javascript wars

tools

anonymity academy

cocktails

antismut CGI-scripts

mail_fravia+

Is reverse engineering legal?