<html>

<head>

<meta name="VPSiteProject" content="file:///C|/Documents%20and%20Settings/Administrator/My%20Documents/My%20Webs/fravia/Project.vpp">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>installshield express 3.01</title>
</head>

<body bgcolor="#C0C0C0" text="#001010" vlink="#405040">

<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td>&nbsp;</td>
    <td>
      <p align="center">
      <!-- Choose  a TITLE and a subtitle, choose well! --><font size="+2">Installshield
      express 3.01</font><center><br>
      <font size="+1">Damaging netquartz net based protection.</font></center></p>
    </td>
    <td>
      <!-- Choose  a PROJECT GIF, leave this if unsure --></td>
  </tr>
  <tr>
    <td bgcolor="#FFFFEA"><center><font color="890000">
      <!-- CHOOSE A DATE (will probably be changed) --></font></center><font color="890000">Sept
      2000</font></td>
    <td bgcolor="#FFFFEA"><center>by <font size="+3">
      <!-- CHOOSE A HANDLE , i.e. your pseudo (wont be changed) -->
      Tsehp</font></center></td>
    <td valign="center" bgcolor="#FFFFEA">
    </td>
  </tr>
  <tr>
    <td><center><a href="index.htm"><img src="images/bulletr.gif" align="BOTTOM" border="0" vspace="0" hspace="0" width="13" height="13"></a></center></td>
    <td bgcolor="898030"><center>Courtesy of Reverser's page of reverse
      engineering</center></td>
    <td bgcolor="898030"><center>
      <!-- Your truly+ will edit only if really necessary -->
      slightly edited<br>
      by tsehp</center></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <!-- Leonard Coehn's old song, because we are poets, not only crackers -->
    <td bgcolor="898030"><center><b>There is a crack, a crack in everything
      That's how the light gets in</b></center>
    </td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td valign="MIDDLE" bgcolor="#C6E7C6"><font color="blue"><center>Rating</font></center></td>
    <td valign="MIDDLE" bgcolor="#C6E7C6"><font color="blue"><center>
      <!-- CHOOSE A RATING (may be changed) -->
      ( )<b>Beginner</b> (x)<b>Intermediate</b> ( )<b>Advanced</b> ( )<b>Expert</b></font></center></td>
    <td>&nbsp;</td>
  </tr>
</table>
<!-- END HEAD  --><br>
<!-- CORPUS  -->
<!-- CHOOSE A COMMENT (may be changed)  -->
 Net based protections are the future. First it was a kind of password check,
easily cracked. Now part of your code is<br>
downloaded and executed on eval apps; I just hope that my small contribution
will help to finish them.<br>
<hr>
<p align="center"><center><font size="+2">
<!-- Repeat your TITLE  --></font></center><font size="+2">Installshield express
3.01</font><center><br>
<font size="+1">Damaging netquartz net based protection.</font><br>
<font color="0B7FC1">
<!-- REPEAT YOUR CHOSEN HANDLE HERE -->Written by Tsehp</font></center><br>
<br>

<!-- INTRO STARTS HERE -->
<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td bgcolor="#C6E7C6"><center><font size="+2"><font color="blue">Introduction</font></font></center></td>
  </tr>
</table>
<pre>
I will not explain in this essay what a PE structure is or how an application is dumped; both
have been explained before.
All we have to do is apply this small technique to get a fresh app, without net checks.
</pre>
<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td bgcolor="#C6E7C6"><center><font size="+2"><font color="blue">Tools
      required</font></font></center></td>
  </tr>
</table>
IceDump<br>
IDA<br>
A hex editor<br>
A packet sniffer<br>
<br>

<!-- TARGET URL STARTS HERE -->
<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td bgcolor="#C6E7C6"><center><font size="+2"><font color="blue">Target's
      URL/FTP</font></font></center></td>
  </tr>
</table>
<a href="http://www.installshield.com">
<!-- DON'T FORGET TO PASTE HERE THE URL/FTP OF YOUR TARGET(S) -->www.installshield.com</a>&nbsp;
the target is InstallShield Express 3.01<br>
<a href="http://www.netquartz.com">www.netquartz.com</a> the protection vendor<br>

<!-- REAL ESSAY  STARTS HERE -->
<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td bgcolor="#C6E7C6"><center><font color="blue" size="+2">Essay</font></center></td>
  </tr>
</table>
<pre>
Launch your packet sniffer and start iside.exe: lots of packets. Look at them:
code requests, memory registers, values, all kinds of stuff that ntqz0.exe needs in order to initialize
and start.
Tracing into iside.exe, I found a LoadLibraryA that loads the client dll, el32.dll.
While watching my modem, I saw the activity start here:

100054C2                 call    sub_10008360 &lt;- netquartz nag and inits
100054C7                 test    eax, eax
100054C9                 jz      short loc_1000553F
100054CB                 mov     dword_1007F94C, 0
100054D5                 mov     ecx, offset unk_1007F778
100054DA                 call    sub_1000C750
100054DF                 mov     dword_1007F41C, offset unk_1007F428
100054E9                 mov     edx, dword_1007F45C
100054EF                 add     edx, 3FFFCh
100054F5                 mov     dword_1007F388, edx
100054FB                 mov     eax, dword_1007F4A0
10005500                 add     eax, 3FFFCh
10005505                 mov     dword_1007F4B4, eax
1000550A                 mov     esp, dword_1007F4B4
10005510                 mov     ebp, esp
10005512                 call    sub_10006920 &lt;- the code inits starts here
10005517                 push    ebp
10005518                 mov     dword_1007F32C, esp
1000551E                 mov     esp, dword_1007F390
10005524                 mov     ebp, esp
10005526                 mov     esp, dword_1007F32C
1000552C                 pop     ebp
1000552D                 push    98765432h
10005532                 call    sub_100065C0 &lt;- puts some flags in mem (8 x FF in 47f360)
10005537                 jmp     dword_1007F378 &lt;-this jumps to ntqz0.exe</pre>
<pre>When the net exchange stops, el32 creates a process with ntqz0.exe and starts InstallShield.
All we have to do is dump ntqz0.exe and fix its section headers.

Let me help a little (all values hex):
starting point (entry point): 414da4
fix the data section size to 4000
fix the resource section: raw offset = 8000, size = 11b60

Start your dump: it does nothing.

Look at this snippet:</pre>
<pre>00414E69                 push    eax             ; lpStartupInfo
00414E6A                 call    ds:GetStartupInfoA
00414E70                 test    byte ptr [ebp-30h], 1
00414E74                 jz      short loc_414E87
00414E76                 movzx   eax, word ptr [ebp-2Ch]
00414E7A                 jmp     short loc_414E8A
</pre>
<pre>The call to GetStartupInfoA yields nothing useful here: the dump is no longer launched through the
CreateProcess in el32, so it does not get the startup info the protector passed. This is the usual C
runtime startup sequence: bit 0 of STARTUPINFO.dwFlags ([ebp-30h], STARTF_USESHOWWINDOW) selects
wShowWindow ([ebp-2Ch]) as the nCmdShow argument, otherwise loc_414E87 supplies the default.
We also have this little problem:

00414E8A                 push    eax
00414E8B                 push    esi
00414E8C                 push    ebx
00414E8D                 push    ebx             ; lpModuleName
00414E8E                 call    ds:GetModuleHandleA
00414E94                 push    eax
00414E95                 call    sub_45AF08
00414E9A                 mov     [ebp-68h], eax
00414E9D                 push    eax
00414E9E                 call    ds:exit
</pre>
<pre>The ebx pushed before GetModuleHandleA is 0 when the real eval starts; in your dump ebx holds
another value, a dll module address. ebx is pushed twice here: as lpModuleName for GetModuleHandleA
and, by the argument pattern of sub_45AF08, as hPrevInstance for WinMain. If we don't fix it, the
dump crashes later, trying to access resources through an invalid handle. We have to zero ebx just
before the call.</pre>
<pre>The patch looks like this (zero ebx, then jump over the rest of the call and the dwFlags test,
straight to the default path at loc_414E87):

00414E69                 push    eax
00414E6A                 xor     ebx, ebx
00414E6C                 jmp     short loc_414E87

The push eax at 414E69 stays in place, so the dword it pushed is never popped; the frame is
ebp-relative and this function ends in exit, so the leftover does no harm.
</pre>
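<p>The two mechanical steps above, repairing the dumped section headers and writing the four patch bytes, as an added worked example in Python. This is not code from the essay, nor from InstallShield or NetQuartz. It assumes the dump is in image layout (each section's file offset equals its RVA), reads "size" as both VirtualSize and SizeOfRawData, and uses the x86 encodings XOR EBX,EBX = 33 DB and JMP rel8 = EB disp8. The PE it builds, the section names .text/.data/.rsrc, the re-encoded startup bytes and the demo address 401E6Ah are constructed for the example, not taken from ntqz0.exe; on the real dump you would pass the essay's values instead (.data size 4000h, .rsrc raw offset 8000h and size 11B60h, patch at 414E6Ah jumping to 414E87h).</p>

```python
# Added example: repair a dumped PE's section table and apply the 4-byte
# startup patch from the essay (assumes dump layout: file offset == RVA).
import struct

DOS_MAGIC, PE_MAGIC, SECTION_HEADER_SIZE = 0x5A4D, 0x00004550, 40   # "MZ", "PE\0\0"

def nt_offset(data):
    if struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != PE_MAGIC:
        raise ValueError("missing PE signature")
    return e_lfanew

def section_table(data):
    nt = nt_offset(data)
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    first = nt + 24 + struct.unpack_from("<H", data, nt + 20)[0]  # skip optional header
    secs = []
    for i in range(nsec):
        hdr = first + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append(dict(name=name, hdr=hdr, vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr))
    return secs

def fix_section(data, name, size=None, raw_offset=None):
    """The essay's 'fix the section' step: rewrite VirtualSize/SizeOfRawData
    and PointerToRawData of one section in place."""
    for s in section_table(data):
        if s["name"] != name:
            continue
        if size is not None:
            struct.pack_into("<I", data, s["hdr"] + 8, size)    # VirtualSize
            struct.pack_into("<I", data, s["hdr"] + 16, size)   # SizeOfRawData
        if raw_offset is not None:
            struct.pack_into("<I", data, s["hdr"] + 20, raw_offset)  # PointerToRawData
        return s["hdr"]
    raise KeyError(name)

def va_to_file_offset(data, va):
    image_base = struct.unpack_from("<I", data, nt_offset(data) + 24 + 28)[0]
    rva = va - image_base
    for s in section_table(data):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("VA %#x is in no section" % va)

def short_jmp(insn_va, target_va):
    disp = target_va - (insn_va + 2)   # rel8 counts from the next instruction
    if not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range")
    return bytes([0xEB, disp & 0xFF])

def build_patch(patch_va, target_va):
    """xor ebx, ebx (33 DB) followed by jmp short target_va (EB disp8)."""
    return b"\x33\xDB" + short_jmp(patch_va + 2, target_va)

def apply_patch(data, va, patch):
    off = va_to_file_offset(data, va)
    data[off:off + len(patch)] = patch
    return off

# Essay snippet re-encoded (our assumption): push eax / call ds:GetStartupInfoA /
# test byte ptr [ebp-30h],1 / jz short +11h
STARTUP_BYTES = bytes.fromhex("50" "FF1500000000" "F645D001" "7411")

def make_demo_pe():
    """Constructed PE32 in dump layout; two header fields deliberately wrong."""
    layout = [(b".text", 0x1000, 0x3000), (b".data", 0x4000, 0x4000),
              (b".rsrc", 0x8000, 0x11B60)]          # name, RVA, size
    image_base, e_lfanew = 0x400000, 0x80
    data = bytearray(0x8000 + 0x11B60)
    struct.pack_into("<H", data, 0, DOS_MAGIC)
    struct.pack_into("<I", data, 0x3C, e_lfanew)
    struct.pack_into("<I", data, e_lfanew, PE_MAGIC)
    struct.pack_into("<HH", data, e_lfanew + 4, 0x14C, len(layout))  # i386, NumberOfSections
    struct.pack_into("<H", data, e_lfanew + 20, 0xE0)               # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", data, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", data, opt + 28, image_base)
    first = opt + 0xE0
    for i, (name, rva, size) in enumerate(layout):
        hdr = first + i * SECTION_HEADER_SIZE
        data[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", data, hdr + 8, size, rva, size, rva)
    struct.pack_into("<I", data, first + SECTION_HEADER_SIZE + 16, 0)          # .data SizeOfRawData = 0
    struct.pack_into("<I", data, first + 2 * SECTION_HEADER_SIZE + 20, 0x400)  # bogus .rsrc PointerToRawData
    data[0x1E69:0x1E69 + len(STARTUP_BYTES)] = STARTUP_BYTES   # demo copy of the snippet at VA 401E69h
    return data

def repair_demo():
    """Run both steps on the demo image; returns (image, 6 bytes at the patch site)."""
    pe = make_demo_pe()
    fix_section(pe, ".data", size=0x4000)
    fix_section(pe, ".rsrc", raw_offset=0x8000, size=0x11B60)
    off = apply_patch(pe, 0x401E6A, build_patch(0x401E6A, 0x401E87))
    return pe, bytes(pe[off - 1:off + 5])

if __name__ == "__main__":
    print("ntqz0.exe patch bytes:", build_patch(0x414E6A, 0x414E87).hex())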
<pre>And everything works fine now, without the netquartz link...Sooo easy ;-)</pre>
<pre>&nbsp;</pre>
<div align="center">
  <center>
  <pre>
Tsehp
</pre>
  </center>
</div>
<br>
<br>

<!-- FINAL NOTES STARTS HERE -->
<br>
<br>

<!-- OB DUH STARTS HERE -->
<table cellpadding="1" cellspacing="2" border="1" width="100%" height="22">
  <tr>
    <td bgcolor="#C6E7C6"><center><font size="+2"><font color="blue">Ob Duh</font></font></center></td>
  </tr>
</table>
<center><i>I won't even bother explaining to you that you should BUY this target
program if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most warez sites, complete and already regged.
Farewell, don't come back.</i></center>

<!-- WAY OUT STARTS HERE -->
<hr>
<center><i>You are deep inside reverser's page of reverse engineering, choose
your way out:<br>
<br>
</i></center><br>
<center>

 <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="index.htm">homepage</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="links.htm">links</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="searengi.htm">search_forms</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="orc.htm">+ORC</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="protec.htm">how
to protect</a> <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="academy.htm">academy
database</a><br>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="realicra.htm">reality
cracking</a> <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="howtosea.htm">how
to search</a> <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="javascri.htm">javascript
wars</a><br>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="tools.htm">tools</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="noanon.htm">anonymity
academy</a> <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="cocktail.htm">cocktails</a>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="ideale.htm">antismut
CGI-scripts</a> <img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="info.htm">mail_reverser</a><br>
<img src="images/bulletr.gif" alt="red" align="BOTTOM" width="13" height="13" border="0" vspace="0" hspace="0"><a href="legal.htm">Is
reverse engineering legal?</a></center>
<hr>
<!-- THAT'S ALL, THANKS A LOT this will allow automated retrieval -->

</body>

</html>
