Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-17-2005, 04:00
MrHalo
 
Posts: n/a
New InstallShield script format?

Hi,

I've tried to decompile an InstallShield installation script file (setup.inx) with isdcc and sid. Both attempts failed.

Is Installshield using a new script format in there latest products and are there tools to decompile those scripts?


MrHalo
Reply With Quote
  #2  
Old 01-17-2005, 15:01
Dmit
 
Posts: n/a
AFAIR "isdcc" supports scripts for IS v5.5 and below (setup.ins). "sid" and "isd" supports v6+, but starting from v8 additional mangling is applied to the setup.inx. Try de-mangle it with the following code:
Code:
#include <stdio.h>
#include <fcntl.h>
#include <io.h>
#define XOR_VAL 0xF1
void main (void) {
int i, c;
unsigned char b;
// Set "stdin" and "stdout" to have binary mode
_setmode (_fileno (stdin), _O_BINARY);
_setmode (_fileno (stdout), _O_BINARY);
// Decrypt INX
for (i = 0; (c = getchar ()) != EOF; i++) {
c ^= XOR_VAL;
b = (unsigned char)((c >> 2) | (c << 6)) - (i % 71);
putchar (b);
}
}
and feed result to sid/isd
Reply With Quote
  #3  
Old 01-17-2005, 16:21
Kerlingen
 
Posts: n/a
Thank you for the code Dmit.

But the code like you posted it here doesn't correctly work for me and perhaps for others neither. I compiled it with VC++ ("ISDHelper.exe") and tried it with some encrypted SETUP.INX files.

I tried the following commands:

"ISDHelper < SETUP.INX > NewSETUP.INX"
and
"Type SETUP.INX | ISDHelper > NewSetup.INX"

But both commands truncated the output file at different locations and didn't fully decrypt it. The same result with DMC. Then I used BC++ to compile (I had to rename "_setmode" to "setmode" and it worked fine.

What could be the reason for this?
Reply With Quote
  #4  
Old 01-25-2005, 01:22
wasq
 
Posts: n/a
XOR_VAL must be 0x0E (or not(0xF1))
Reply With Quote
  #5  
Old 01-25-2005, 16:59
Dmit
 
Posts: n/a
Quote:
Originally Posted by Kerlingen
I tried the following commands:

"ISDHelper < SETUP.INX > NewSETUP.INX"
and
"Type SETUP.INX | ISDHelper > NewSetup.INX"
Using "Type ..." may produce truncated result because "type" considered EOF if character with code 0x1A is encountered.
Quote:
Originally Posted by Kerlingen
Then I used BC++ to compile (I had to rename "_setmode" to "setmode" and it worked fine.
What could be the reason for this?
I have no idea. I've compiled code with "cl" from MS VC++ v6 and uses input/output redirection like in your first command. All works fine...
Reply With Quote
  #6  
Old 01-26-2005, 10:40
NimDa2k's Avatar
NimDa2k NimDa2k is offline
Friend
 
Join Date: Jan 2005
Posts: 124
Rept. Given: 3
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 1
Thanks Rcvd at 8 Times in 5 Posts
NimDa2k Reputation: 3
Lightbulb Installshield 6/7 script decompiler

You can Use Installshield 6/7 script decompiler for decompile InstallShield 6/7 Script
Attached Files
File Type: zip sid.zip (46.6 KB, 124 views)
Reply With Quote
  #7  
Old 01-26-2005, 12:17
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 409
Rept. Given: 10
Rept. Rcvd 16 Times in 14 Posts
Thanks Given: 41
Thanks Rcvd at 155 Times in 61 Posts
WhoCares Reputation: 17
for binary files, use feof() function, don't use EOF macro.
__________________
AKA Solomon/blowfish.
Reply With Quote
  #8  
Old 01-26-2005, 15:13
Dmit
 
Posts: n/a
Quote:
Originally Posted by WhoCares
for binary files, use feof() function, don't use EOF macro.
What the reason for such recommendation? According to MSDN
Quote:
To indicate a read error or end-of-file condition, getc and getchar return EOF
I've used EOF for more that 10 years in multiple progs, and never encountered any problem.
Reply With Quote
  #9  
Old 01-26-2005, 17:01
Kerlingen
 
Posts: n/a
@Dmit:
For me TYPE only truncates the output if it is directed to the console. As soon as it is redirected to any other file or any other program, it fully copies the filecontents. My BC++ compiled copy worked with the TYPE command just like the other way.

The VC++ and DMC copies truncated the file somewhere after 100kb or something (each one at the different position), so I guess (and tested) that there was at least one 0x1A before that file position.

@wasq:
For me it works with 0xF1 as XOR value. Using 0x0E gives me the wrong output.
Reply With Quote
  #10  
Old 01-27-2005, 03:39
sackpower sackpower is offline
Friend
 
Join Date: Jan 2003
Location: Europe
Posts: 26
Rept. Given: 5
Rept. Rcvd 3 Times in 1 Post
Thanks Given: 14
Thanks Rcvd at 13 Times in 6 Posts
sackpower Reputation: 3
@ wasq: 0xF1 is the right XOR value.

I started a small project and decrypted a setup.inx with ISDHelper,
then I worked on it with SID (Sexy InstallShield Decompiler) and
rebuild the original crypted setup.inx. All worked fine.

Here is my solution for rebuilding the crypted INX:

Code:
//Usage: ISDGoBack.exe <newsetup.inx> setup.inx

#include <stdio.h>
#include <fcntl.h>
#include <io.h>
#define XOR_VAL 0xF1

void main (void) 
{
	int i, c;
	unsigned char b;
	// Set "stdin" and "stdout" to have binary mode
	setmode (_fileno (stdin), _O_BINARY);
	setmode (_fileno (stdout), _O_BINARY);
	// Rebuild the crypted INX
	for (i = 0; (c = getchar ()) != EOF; i++)
	{
            int d, e;

            d = 0x00;

            do
            {
                e = d;
	        e ^= XOR_VAL;
		b = (unsigned char)((e >> 2) | (e << 6)) - (i % 71);
                if (b == c)
                {
		    putchar (d);
                }
                else d++;
            } while (b != c && d <= 0xFF);
	}
}
I don't know if there is a better solution, but it works.
Reply With Quote
  #11  
Old 01-27-2005, 18:09
wasq
 
Posts: n/a
@sackpower

sorry. the original IS decrypting algorithm in isscript.dll uses (not(char)) xor (not (0xF1)) and this is realy equal to char xor 0xF1. i forgot about the second not().
Reply With Quote
  #12  
Old 02-03-2005, 12:36
xtx
 
Posts: n/a
@Dmit

Worked fine when compiled with VC++ 6.0 as a W32 Console App. Thanks, I thought they had done something totally new but all it good again.

@sackpower

Couldn't get yours to work for some reason

xtx
Reply With Quote
  #13  
Old 02-03-2005, 17:43
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 409
Rept. Given: 10
Rept. Rcvd 16 Times in 14 Posts
Thanks Given: 41
Thanks Rcvd at 155 Times in 61 Posts
WhoCares Reputation: 17
Quote:
Originally Posted by Dmit
What the reason for such recommendation? According to MSDN

I've used EOF for more that 10 years in multiple progs, and never encountered any problem.
You are right. sorry
__________________
AKA Solomon/blowfish.
Reply With Quote
  #14  
Old 02-07-2005, 02:43
Janus68
 
Posts: n/a
IMHO reading crypted *.inx into memory buffer, then xor this buffer, and write back xored buffer into second file would be better.

regards.
Reply With Quote
  #15  
Old 02-07-2005, 22:06
sackpower sackpower is offline
Friend
 
Join Date: Jan 2003
Location: Europe
Posts: 26
Rept. Given: 5
Rept. Rcvd 3 Times in 1 Post
Thanks Given: 14
Thanks Rcvd at 13 Times in 6 Posts
sackpower Reputation: 3
@xtx:

I'm using VC++ 7 (VS 2003) and for me everything works fine.

Maybe the attached sample project will help you (please change the path in the .bat file or use the current directory instruction: set APP_PATH=%CD%).

Sackpower
Attached Files
File Type: rar ISDGoBack.rar (18.3 KB, 127 views)

Last edited by sackpower; 02-08-2005 at 15:09.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
InstallShield 12 Script decompiler ? DARKER General Discussion 27 02-04-2024 00:40
packing-format MaRKuS-DJM General Discussion 4 11-11-2004 03:05
If anybody know this format... qaz_qaz General Discussion 4 07-15-2002 04:51


All times are GMT +8. The time now is 19:08.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )