New InstallShield script format?
 

Hi,

I've tried to decompile an InstallShield installation script file (setup.inx) with isdcc and sid. Both attempts failed.

Is Installshield using a new script format in there latest products and are there tools to decompile those scripts?


MrHalo

AFAIR "isdcc" supports scripts for IS v5.5 and below (setup.ins). "sid" and "isd" supports v6+, but starting from v8 additional mangling is applied to the setup.inx. Try de-mangle it with the following code:and feed result to sid/isd

Thank you for the code Dmit.

But the code like you posted it here doesn't correctly work for me and perhaps for others neither. I compiled it with VC++ ("ISDHelper.exe") and tried it with some encrypted SETUP.INX files.

I tried the following commands:

"ISDHelper < SETUP.INX > NewSETUP.INX"
and
"Type SETUP.INX | ISDHelper > NewSetup.INX"

But both commands truncated the output file at different locations and didn't fully decrypt it. The same result with DMC. Then I used BC++ to compile (I had to rename "_setmode" to "setmode" and it worked fine.

What could be the reason for this?

XOR_VAL must be 0x0E (or not(0xF1))

Using "Type ..." may produce truncated result because "type" considered EOF if character with code 0x1A is encountered.
I have no idea. I've compiled code with "cl" from MS VC++ v6 and uses input/output redirection like in your first command. All works fine...

Installshield 6/7 script decompiler
 

You can Use Installshield 6/7 script decompiler for decompile InstallShield 6/7 Script :)

for binary files, use feof() function, don't use EOF macro.

What the reason for such recommendation? According to MSDNI've used EOF for more that 10 years in multiple progs, and never encountered any problem.

@Dmit:
For me TYPE only truncates the output if it is directed to the console. As soon as it is redirected to any other file or any other program, it fully copies the filecontents. My BC++ compiled copy worked with the TYPE command just like the other way.

The VC++ and DMC copies truncated the file somewhere after 100kb or something (each one at the different position), so I guess (and tested) that there was at least one 0x1A before that file position.

@wasq:
For me it works with 0xF1 as XOR value. Using 0x0E gives me the wrong output.

@ wasq: 0xF1 is the right XOR value.

I started a small project and decrypted a setup.inx with ISDHelper,
then I worked on it with SID (Sexy InstallShield Decompiler) and
rebuild the original crypted setup.inx. All worked fine.

Here is my solution for rebuilding the crypted INX:

I don't know if there is a better solution, but it works.

@sackpower

sorry. the original IS decrypting algorithm in isscript.dll uses (not(char)) xor (not (0xF1)) and this is realy equal to char xor 0xF1. i forgot about the second not().

@Dmit

Worked fine when compiled with VC++ 6.0 as a W32 Console App. Thanks, I thought they had done something totally new but all it good again.

@sackpower

Couldn't get yours to work for some reason :(

xtx

You are right. sorry :D

IMHO reading crypted *.inx into memory buffer, then xor this buffer, and write back xored buffer into second file would be better.

regards.

@xtx:

I'm using VC++ 7 (VS 2003) and for me everything works fine.

Maybe the attached sample project will help you (please change the path in the .bat file or use the current directory instruction: set APP_PATH=%CD%).

Sackpower