Reverse Engineering MATLAB 5
Part II: InstallShield Packages Encryption
Packers & Unpackers
19 January 1998
by +Aitor
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
InstallShield Packages Encryption... the sound of these words is so... how can I explain it... tasty? Luscious? Juicy? Well, you understand what I mean, don't you?
Our friend +Aitor has already given us his first essay about Matlab: Simple dongle reversing: the 'alien dll date' trick, which was part of our "How to undongle" section. Now he 'deepens' our knowledge of Installshield protections, and therefore this essay will be catalogued inside a new "Objected Oriented Cracking" section if we ever start it... for the moment I have put this among the "packers and unpackers" essays.
Enjoy this essay, a little jewel that without much ado teaches you 'on the fly', inter alia, how to code a 'little tool of the trade' to decode the xored-encrypted files that ARE on the CD-ROM you bought (or got) and that you ARE NOT supposed even to see or use...
There is a crack, a crack in everything
That's how the light gets in
( )Beginner (x)Intermediate ( )Advanced ( )Expert

"A little essay to show beginners and intermediate reversers / programmers how NOT to encrypt their own programs ..."
Reverse Engineering MATLAB 5
Part II: InstallShield Packages Encryption
Written by +Aitor


Second part of this series about reverse engineering MATLAB 5.

Once we have MATLAB 5 running (with or without the dongle ;) we take a look to the list of installation packages, and something bring us suspicions about the *real* contents of our CD. Let's take the InstallShield (un)compressor and search inside the packages ...
"Hey!" -You'll think- "Hey, that's not possible, mate!" ... ... because all the *.Z InstallShield packages in the MATLAB 5 CD-ROM are encrypted ... therefore ...
No, dear readers: Encryption is indeed one of the most powerful ways to protect software, but if you're a lazy programmer, even the best protection techniques will turn stale in your hands, because your mind won't be merrily pursuing the beauty of a well programmed piece of code, but it will instead be obsessed by the money you'll earn if you finish quickly the job ... You don't believe me? Read the following...

Tools required

Your favourite hex editor
Your favourite assembler / compiler (I'll use Borland Pascal v7.0)
InstallShield File Compressor

Target's URL/FTP

The program *iS NOT REQUiRED* to follow the essays. Remember, we are mainly reverse engineers, not only crackers ... this series will teach you generic protection schemes, it's not my intention to write one more how-to-crack to an specific application. Anyway, it's commercial software, but (hardly) available in the net if you do know how to search.

Program History

Not too much to say. A classic among the maths/programming applications, available for different systems. In my personal software archives (for educational purposes only :) I've got version 3.5f for DOS dated from 1989, then was a package including PC-Matlab and AT-Matlab, with only a serial number. Latest version I know is the target of this essay, a CD-ROM including version 5.0 for Win95/NT and version 4.2c.1 for Win32s, both serial number + dongle protected.
If you want to know more about this product contact with the The MathWorks Web site or connect to one of the hundreds of Matlab related sites across the net.

Aurrera with it!

As you have read in the intro, this is our situation: we have a series of *.Z files that cannot be decompressed with the InstallShield Compressor ... ... aren't they true InstallShield files? are they compressed with a new unknown version of iS? what the hell is happening here? ... yes, you're right, they're encrypted !
When a true +reverse engineer finds this kind of protection he thinks "hey, and what if I try to find the encryption code to rip/reverse the process?" or even better, taking into consideration the first thing he learnt at +ORC's School ... "protectionists are stupid!" (OK, some of them are pretty competent but they are the exception ...).
When you go to your 'Encryption School', the first lesson (OK, may be the second :) you are teached is probably the lesson about XOR encryption, that is,
simple to understand, simple to code ... and simple to decode !
Just before install every *.Z file, our target decodes it in memory and stores it in the iS temporal directory ... we can change to another task while installing and copy one of the *.Z *decrypted* files from the temporary dir to a secure place. Now we have two copies, coded and decoded, of a package, let's check them ... take your hex editor and compare both files XORing one with the other (I'll do it with NCD.Z, 'Nonlinear Control Design Blockset'):
Encrypted : 0e 47 7e 90 27 1b 19 1c 1d 1a 1b 1c 5f 1a 2d 3e Decrypted : 13 5d 65 8c 3a 01 02 00 00 00 00 00 42 00 34 22 ----------------------------------------------- XOR Table : 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c 1d 1a 1b 1c
you can't believe your eyes, eh? Beginning with $1d each byte is XORed using a single four bytes table, [$1a,$1b,$1c,$1d], until the end of the file ... You can try it with any other *.Z file on the CD, you'll get the same results ...
It's time to take your favourite assembler/compiler and put in practice your programming knowledge to code a little tool of the trade. Here you got ready-to-be-compiled BP7 code to decrypt all the *.Z files found in the current directory (kontuz!, no error checking at all ...):
{------- cut here --------------- cut here --------------------} Program Matlab_5__InstallShield_Encrypted_Files_Decoder; Uses DOS; Type TBufferPtr = ^TBuffer; TBuffer = Array [1..32*1024] of Byte; Var EncFile,DecFile : File; BytesRead,BytesWritten : Word; Buffer : TBufferPtr; DirInfo : SearchRec; i : Word; XorKey : Byte; Begin Asm mov ax,3 int 10h End; WriteLn('+--------------------------------------------------+'); WriteLn('+ MATLAB 5 InstallShield Encrypted Files Decoder +'); WriteLn('+ by Aitor, +HCU 1998 +'); WriteLn('+--------------------------------------------------+',#13#10); FindFirst('*.z',Archive,DirInfo); If DosError<>0 Then Begin WriteLn(' * ERROR: Files not found ... agur !'); Halt(1); End; New(Buffer); While DosError=0 Do Begin Assign(EncFile,DirInfo.Name); Assign(DecFile,'deleteme.~$$'); Reset(EncFile,1); ReWrite(DecFile,1); XorKey:=29; Write(' * Decrypting ',DirInfo.Name, ' ... '); Repeat BlockRead(EncFile,Buffer^,SizeOf(Buffer^),BytesRead); For i:=1 to SizeOf(Buffer^) do Begin Buffer^[i]:=Buffer^[i] XOR XorKey; Inc(XorKey); If XorKey>29 Then Dec(XorKey,4); End; BlockWrite(DecFile,Buffer^,BytesRead,BytesWritten); Until (BytesRead=0); Close(EncFile); Close(DecFile); Erase(EncFile); Rename(DecFile,DirInfo.Name); WriteLn('OK !'); FindNext(DirInfo); End; Dispose(Buffer); End. {------- cut here --------------- cut here --------------------}
With our new decryptor, we're ready to decode and install *all* (note I'm saying iNSTALL and NOT USE) the crippled modules included in the CD:
COMM Z 3.267.584 Communications Toolbox FINANCE Z 755.779 Financial Toolbox FUZZY Z 490.750 Fuzzy Logic Toolbox HOSA Z 1.398.899 Higher-Order Spectral Analysis Toolbox IMAGES Z 3.058.232 Image Processing Toolbox LMI Z 413.974 LMI Control Toolbox MUTOOLS Z 606.983 Mu-Analysis and Synthesis Toolbox NNET Z 346.529 Neural Network Toolbox OPTIM Z 71.431 Optimization Toolbox PDE Z 281.449 Partial Differential Equation Toolbox QFT Z 743.068 QFT Control Design Toolbox SPLINES Z 112.109 Splines Toolbox STATS Z 284.214 Statistics Toolbox SYMBOLIC Z 5.636.086 Extended Symbolic Toolbox WAVELET Z 1.363.772 Wavelet Toolbox
and we'll be able to check the contents of files like these:
HARDWARE Z 207.281 LICENSE Z 332.036
with *very interesting material* inside them, but that goes beyond the purpose and level of this essay ...

Final Notes

Like many other contributors to this pages English is not my mothertongue ... ... sorry for any inconvenience, be patient ;).
Greetings to all the reverse engineers from Euskal Herria (Basque Country) ... ... jotake irabazi arte !

(c) 1998 by +Aitor and the +HCU. All rights reserved.

Ob Duh

I won't even bother explaining you that you should BUY this target program if you intend to use it ... this is not shareware ;-). If you own a legal copy of the program, take into consideration your country's laws about reverse engineering. Here you got an extract from the LiCENSE.TXT file included in the CD (read it, this is valid for any other commercial software you own in the EU):

"In relation to the Programs which Licensee is entitled to use, Licensee shall not decompile, disassemble or otherwise reverse engineer the Programs except with respect to European Union Licensees whose rights are as follows:

EUROPEAN UNION: Licensee may only decompile, disassemble or otherwise reverse engineer the Programs where any such act is necessary to create an independent program which is interoperable with the Programs or with another program or to observe, study, or test the functioning of the Programs solely in order to understand the ideas and principles which underlie any element of the Programs ("the Permitted Objective") and provided that:

(a) this may only be done if the information necessary to achieve the Permitted Objective has not already been made available or has not been provided by TMW within a reasonable time of a written request to TMW to provide such information;

(b) the compilation, disassembly or reverse-engineering is confined to those parts of the Programs necessary to achieve the Permitted Objective;

(c) the information gained is not used for anything other than the Permitted Objective and is not disclosed to any other person except as may be necessary to achieve the Permitted Objective; and

(d) the information obtained is not used to create a program substantially similar in its expression to the Programs including, but not limited to, expressions of the Programs in other computer languages, or for any other act restricted by copyright in the Programs.

You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?