passwords used in installshield
racasan
November 2nd, 2001, 08:20
has anyone any advice on the password system used in installshield
Aimless
November 2nd, 2001, 08:58
Are you asking for information on the conversion of evaluation version of Installshield to full passwords?...or...
.... the passwords asked ~during~ installations of software by Installshield, like NuMega softwares...??
Specify the same please.
...Have Phun
racasan
November 2nd, 2001, 13:07
sorry my question is in regard to the password
racasan
November 2nd, 2001, 13:13
sorry try again
sorry my question is in regard to the password asked for during installation
Aimless
November 3rd, 2001, 00:39
Understand that the passwords asked ~during~ installations of the scripts can be done in any way that you program natural applications.
For example, the passwords asked during NuMega installations are actually numega validation routines that they themselves have built.
Perhaps a more detailed explanation is in order...
(1)
Installshield is actually an executable file installer. This installer can be PROGRAMMED using VC++ (try using the Enterprise version of VC++)
(OR)
it can be used to run an application.
(2)
Alternatively, as a part of its installation procedure, it can run an executable.
Now, if I were NuMega, what I would do is, use my own algorithms to create and validate the password. Use this source code (probably written in VC++) and incorporate it as part of the Installshield script, so that when Installshield begins setup, it asks for this password.
Or, as NuMega, I could ALSO write an exe, pack it as a part of the setup, uncompress it temporarily and run it to ask me the password; if OK then proceed or else exit setup (a very rare method, but.)
Therefore, to crack passwords asked DURING an installshield setup:
Step 1: Need an installshield decompresser. www.programmerstools.org -> Utilities section
Step 2: Need to run the program, to break the CAB files into its individual files.
Step 3: Figure out where the protection is, using the usual sniffing techniques...
Step 4: Do what is necessary.
...Have Phun
racasan
November 3rd, 2001, 07:26
ok well I looked at some de-compactors, but none would work on the exe I wish to look at (the packer used is "PackageForTheWeb 4")

so I have now downloaded this packer program and I am packing my own files to see what I can find?
DakienDX
November 4th, 2001, 14:52
Hello racasan !
The password system in PackageForTheWeb is not very difficult to crack. There are many password crackers for PFTW before 2.03, but after that the password is not used any more to protect the installer, but to protect the data.
The cipher used is a very simple xor stream-cipher. If you can't find it out, I could post the cipher and how to reverse it in the RCE Cryptographics.
Unregistered
November 5th, 2001, 08:48
Hi DakienDX
Thanks for the information; any help would be appreciated, as I am very stuck with this project at the moment
DakienDX
November 5th, 2001, 12:55
Hello everybody !
I decided to post how to reverse the PFTW cipher here. Let's start.
1. Take the password-protected .EXE
2. Seek to the end of the .rdata section
3. Take the DWord there as the length of the following block
4. We don't need the block so go to its end
5. Copy the data from there until the end of the file to a file (be sure to strip any VeriSign signatures if present)
Now you've the encrypted file. It's an encrypted Windows .CAB file.
The decryption goes the following way:
1. Exchange the higher four bits of each byte with the lower four bits
2. Do a "NOT" on each byte
3. Xor each DWord with 13358607h
Now you've unprotected the password-independent part.
You need to Xor the whole file with the password now. Read LengthOfPassword bytes, Xor them with the Password and save them again.
The problem: We don't have the password !
The solution: We know the structure of .CAB files
"MSCF", 00h, 00h, 00h, 00h, DWord_LenOfCAB, 00h, 00h, 00h, 00h, xxh, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 03h, 01h, yyh, 00h
xxh = I don't know
yyh = 01h, 02h, 03h (I don't know)
So we can recover 30 characters from passwords up to 32 characters.
Now you should have the password (or can guess it very easily or bruteforce it).
Enter it in the PFTW archive and PFTW will do the rest.
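The weakness DakienDX exploits is a general one: a repeating-key XOR layered under a fixed, password-independent transform leaks the key wherever the plaintext is known, and a CAB file begins with a mostly fixed header. The following Python model is an added example, not DakienDX's deprotector and not PackageForTheWeb code, and it runs only on data it constructs itself. It assumes the DWord constant is applied little-endian from offset 0, that a trailing 1-3 bytes receive only the nibble-swap and NOT steps, that the password repeats cyclically across the file, and it fills the post's unknown xx and yy bytes with made-up sample values.

```python
"""
Model of the layered XOR scheme described in the post and of the
known-plaintext key recovery it allows. Added example with constructed
data only; not DakienDX's tool and not PackageForTheWeb code.
Assumptions: little-endian DWord XOR from offset 0, trailing bytes get
only nibble-swap and NOT, and the password repeats cyclically.
"""
import struct

XOR_CONST = 0x13358607  # DWord constant given in the post


def swap_nibbles(b: int) -> int:
    """Exchange the high and low four bits of one byte (self-inverse)."""
    return ((b & 0x0F) << 4) | (b >> 4)


def _xor_dwords(buf: bytearray) -> None:
    """XOR every complete little-endian DWord in place with XOR_CONST."""
    for i in range(0, len(buf) - 3, 4):
        (dw,) = struct.unpack_from("<I", buf, i)
        struct.pack_into("<I", buf, i, dw ^ XOR_CONST)


def fixed_layer_decrypt(data: bytes) -> bytes:
    """Password-independent steps 1-3: swap nibbles, NOT, XOR DWords."""
    out = bytearray(swap_nibbles(b) ^ 0xFF for b in data)
    _xor_dwords(out)
    return bytes(out)


def fixed_layer_encrypt(data: bytes) -> bytes:
    """Exact inverse of fixed_layer_decrypt (the packer's outermost step)."""
    out = bytearray(data)
    _xor_dwords(out)
    return bytes(swap_nibbles(b ^ 0xFF) for b in out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the password-dependent layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pftw_encrypt(plain: bytes, password: bytes) -> bytes:
    return fixed_layer_encrypt(xor_with_key(plain, password))


def pftw_decrypt(cipher: bytes, password: bytes) -> bytes:
    return xor_with_key(fixed_layer_decrypt(cipher), password)


def cab_known_prefix(cab_len: int) -> list:
    """The 28 CAB header bytes listed in the post; None marks xx and yy."""
    known = list(b"MSCF" + b"\0" * 4 + struct.pack("<I", cab_len) + b"\0" * 4)
    known += [None] + [0] * 7 + [0x03, 0x01, None, 0x00]
    return known


def recover_key(cipher: bytes, known_prefix: list, key_len: int) -> list:
    """
    Known-plaintext recovery: peel the fixed layer, then each known plaintext
    byte XORed with the peeled ciphertext byte yields one key byte.
    Returns key_len entries; None where no known byte covers that position.
    """
    n = len(known_prefix) - len(known_prefix) % 4  # keep DWord alignment
    peeled = fixed_layer_decrypt(cipher[:n])
    key = [None] * key_len
    for off in range(min(n, len(peeled))):
        p = known_prefix[off]
        k = off % key_len
        if p is not None and key[k] is None:
            key[k] = peeled[off] ^ p
    return key


def build_constructed_cab(body: bytes) -> bytes:
    """A CAB-shaped header plus body; xx and yy are constructed sample values."""
    header = cab_known_prefix(28 + len(body))
    header[16] = 0x24  # constructed stand-in for the post's xx
    header[26] = 0x01  # one of the values the post lists for yy
    return bytes(header) + body


def recover_from_constructed_sample(password: bytes) -> list:
    """Encrypt a constructed archive, then recover the key without using it."""
    cab = build_constructed_cab(b"<constructed payload>" * 4)
    cipher = pftw_encrypt(cab, password)
    return recover_key(cipher, cab_known_prefix(len(cab)), len(password))


if __name__ == "__main__":
    for pw in (b"s3cret-key!!", b"twenty-byte-passwd!!"):
        got = recover_from_constructed_sample(pw)
        print(pw, "->", [chr(b) if b is not None else "?" for b in got])
```

With a 12-byte password every key byte lines up with a known header byte and the whole key falls out; with a 20-byte password one position (key index 16) is covered only by the unknown xx byte and stays unresolved, which is the "recover most of it, then guess or bruteforce the rest" situation the post describes. The design lesson is that neither the nibble swap, the NOT nor the constant DWord XOR adds any secrecy, since all three are fixed and invertible; the only secret is the short repeating key, and a predictable file header is enough to strip it.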
decx
November 5th, 2001, 14:55
If you mean the *OLD* InstallShield passwords, and not PFTW, it's kinda simple: just disassemble the setup file (even if 60MB+ it will only disassemble the exe wrapper (in W32Dasm); didn't try in IDA). Looking around you will notice a string compare; being lazy, inverting it will make it unpack and install as the password is not actually used to decrypt anything. At least not on the InstallShield passwords common before PFTW and still used in some packaged installs (ie one file only setups).
Unregistered
November 5th, 2001, 15:31
Hi DakienDX
Well your information did the trick. I feel very pleased to have finally solved this problem (although the password was that obvious I could have cried)
Anyway thanks
Unregistered
November 6th, 2001, 14:00
Hi DakienDX.
Let me begin by saying I am impressed by your post. Quick, simple and robust.
I only have one question, and you may opt not to answer (Magicians never reveal their secrets?)
Did you deduce the stream crypto out of the disassembled program or did you dig some documentation somewhere in the net? Thanks
DakienDX
November 6th, 2001, 15:09
Hello Unregistered (racasan?) !
I found out the crypto algorithm some years ago myself. I had no internet access at that moment, but had to do some work at a company with a fast (2GBit) internet connection. I downloaded some programs protected by PFTW. When I saw the password dialog, I searched for a deprotector, found one and tested it on one archive. Because it worked I did not do more research.
Some days later I decided to use the programs I had downloaded, but I also noticed that only two of them were protected by PFTW 2.02 and the other five by PFTW 2.04.
Because versions starting with 2.03 encrypt the data in the archive, I got a "disc full, 4096MB free disc space, free some more space" after using the deprotector I had downloaded on a 100MB PFTW file.
This made me use Turbo Debugger on the PFTW archive, and four hours later...
Generic PFTW password deprotector working with all versions of PFTW (especially >=2.03)