Unusual setup program
john whitt
February 24th, 2002, 22:53
I have a program that uses a setup program that starts up, creates a temporary file called c:\temp\nlsxx.tmp, then loads the nlsxx.tmp file as a process. That process is the installer program, which will then prompt the user for the password. Once the Next button is pressed the program will install.
I am using W32Dasm to attach to the process space of the nlsxx.tmp process but the code is too complex for me to figure out.
The setup program presents the user with a dialog box with one entry field a cancel button and a next button. Once the password is entered into the entry field and the next button is pressed the program will install.
I own the program and know the serial number but cannot crack the algorithm.
Any suggestions?
Here is a code snippet.
* Reference To: user32.PeekMessageA, Ord:0000h
|
:0042201A E83D35FEFF Call 0040555C
:0042201F 85C0 test eax, eax
:00422021 0F8485000000 je 004220AC
:00422027 B301 mov bl, 01
:00422029 837C240812 cmp dword ptr [esp+08], 00000012
:0042202E 7478 je 004220A8
:00422030 C6042400 mov byte ptr [esp], 00
:00422034 6683BE9600000000 cmp word ptr [esi+00000096], 0000
:0042203C 7412 je 00422050
:0042203E 8BCC mov ecx, esp
:00422040 8D542404 lea edx, dword ptr [esp+04]
:00422044 8B8698000000 mov eax, dword ptr [esi+00000098]
:0042204A FF9694000000 call dword ptr [esi+00000094]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042203C(C)
|
:00422050 8D542404 lea edx, dword ptr [esp+04]
:00422054 8BC6 mov eax, esi
:00422056 E879FFFFFF call 00421FD4
:0042205B 84C0 test al, al
:0042205D 754D jne 004220AC
:0042205F 803C2400 cmp byte ptr [esp], 00
:00422063 7547 jne 004220AC
:00422065 8D542404 lea edx, dword ptr [esp+04]
:00422069 8BC6 mov eax, esi
:0042206B E8B0FEFFFF call 00421F20
:00422070 84C0 test al, al
:00422072 7538 jne 004220AC
:00422074 8D542404 lea edx, dword ptr [esp+04]
:00422078 8BC6 mov eax, esi
:0042207A E8F1FEFFFF call 00421F70
:0042207F 84C0 test al, al
:00422081 7529 jne 004220AC
:00422083 8D542404 lea edx, dword ptr [esp+04]
:00422087 8BC6 mov eax, esi
:00422089 E86EFEFFFF call 00421EFC
:0042208E 84C0 test al, al
:00422090 751A jne 004220AC
:00422092 8D442404 lea eax, dword ptr [esp+04]
:00422096 50 push eax
* Reference To: user32.TranslateMessage, Ord:0000h
|
:00422097 E8E835FEFF Call 00405684
:0042209C 8D442404 lea eax, dword ptr [esp+04]
:004220A0 50 push eax
goatass
February 25th, 2002, 08:12
Hey john whitt, the code you posted is inside a message loop and really doesn't tell us anything without what variables are coming into this routine. I suggest you run the setup program and when it asks for a password enter anything and break on GetWindowTextA or DlgItemTextA and start tracing. It's most likely that the length of the password will be checked, and then some other calculations will be done to it. If you can find that piece of code it would be a good start, locate it then in W32DAsm and start labeling the code for easier reading. Then if you still don't understand post the code snippet and we will try to help.
This line does look like it's checking the length of the password but it could be anything for all I know.
:00422029 837C240812 cmp dword ptr [esp+08], 00000012
goatass
thewd
February 25th, 2002, 10:08
it might be worth you telling us what the program is, so at least we know the target; a dump of disassembled code isn't very useful.
thewd
Magnum Johnson
February 25th, 2002, 23:58
I am having problems using SoftICE or W32Dasm on this program since the main program starts the setup program as a separate process. I cannot catch the program as it is starting up.
If I use W32Dasm and hit the pause button it stops in the middle of a PeekMessage/TranslateMessage loop and it has already run the startup code.
When the correct password is entered it is still running in the same area.
The program does not use GetWindowTextA or GetDlgItemTextA, so SoftICE does not help.
The program is using PeekMessage to look in the event stream for keyboard events, then writes * to the text field of the dialog box each time a character is entered.
I cannot find out where the valid code is being checked.
I will start labelling the code and get back in touch.
The program is a not so popular compiler program.
Magnum Johnson
February 26th, 2002, 00:09
Can W32Dasm or SoftICE be set to break on a specific event in a specific program?
For instance, if the program is doing the serial number checking after the operator hits the Next button on a dialog box, it would be useful to trap the event that pressing the Next button triggered.
DakienDX
February 26th, 2002, 12:50
Hello Magnum Johnson !
Yes, SoftICE can be set to break on specified events.
BMSG window-handle [L] [begin-msg [end-msg ]] [IF expression [DO "command1;command2;..."]]
(SoftICE command reference will help you with the parameters)
The message you need is probably WM_COMMAND, then you can trace the program until it checks for the "Next" button. (You have to use a resource editor to find the Resource-ID for the next button.) Then you should come along the routine verifying the password.
It might be useful if you could somehow make the DLL (nlsxx.tmp) available for download, so other people could take a look at it and help you further. You can (should) still keep your password private.
Magnum Johnson
February 26th, 2002, 23:45
When the main program runs it will create a file called c:\temp\insx.tmp. This file is an executable that is later loaded as a process. The program calls CreateProcessA with the following command line.
c:\temp\insx.tmp /SL3 $b60410 D:\programname.exe
I can send the insx.tmp file but it is too big to send back as an attachment.
The file is 180375 bytes.
thewd
February 27th, 2002, 03:38
now we are getting somewhere, the setup installer appears to be inno setup (hxxp://www.jrsoftware.org) - it's open source so you can look at the algorithm in its original form.
1) search for the hex string - 68 EE 02 00 00 (~Sleep function)
2) about 50 bytes before, there will be code similar to...
call AA
cmp eax, [BB]
sete bl
test bl, bl
je CC
mov [DD], 00
AA - function call to password algorithm
BB - compare correct crc value with crc value of the entered password
CC - jmp if incorrect
DD - otherwise, set password dialog flag, to ignore dialog in the future
3) solution...
- remove incorrect jump, je XX => je 00 (will accept any password), or
- alter password dialog flag before password is requested, so that the dialog is never displayed
regards
thewd
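The patch thewd describes (find the `push 2EEh` landmark, look back for the `sete bl / test bl,bl / je` that follows the CRC compare, and turn `je XX` into `je 00`) can be scripted against a raw file image. The following is an added example and is not code from the thread or from Inno Setup. It assumes the compiler emitted exactly the x86 encodings named in the comments (`0F 94 C3` for `sete bl`, `84 DB` for `test bl,bl`, `74 cb` for `je rel8`); a real build may differ, so the offsets it returns are candidates to confirm in a disassembler, not guaranteed hits. The `SAMPLE` image is constructed here for the demonstration and is not taken from any installer.

```python
"""Locate and defuse the Inno Setup style password compare from the post.

Added example, not from the thread or from Inno Setup.  Assumption: the
sequence `sete bl / test bl,bl / je rel8` is present with the encodings
below within ~50 bytes before the `push 2EEh` (Sleep) landmark.
"""

SLEEP_PUSH = bytes.fromhex("68 EE 02 00 00")        # push 2EEh: landmark from the post
CHECK_TAIL = bytes.fromhex("0F 94 C3 84 DB 74")     # sete bl / test bl,bl / je (rel8 follows)
WINDOW = 50                                         # "about 50 bytes before"


def find_password_checks(image: bytes) -> list:
    """Return the file offset of the `je` rel8 byte for every
    sete/test/je sequence found within WINDOW bytes before a push 2EEh."""
    hits = []
    start = 0
    while True:
        sleep_at = image.find(SLEEP_PUSH, start)
        if sleep_at < 0:
            break
        window_start = max(0, sleep_at - WINDOW)
        pos = image.find(CHECK_TAIL, window_start, sleep_at)
        if pos >= 0:
            hits.append(pos + len(CHECK_TAIL))      # byte holding the rel8 displacement
        start = sleep_at + 1
    return hits


def patch_je_to_fallthrough(image: bytes, je_rel8_at: int) -> bytes:
    """thewd's first fix: `je XX` -> `je 00`, so the 'incorrect password'
    branch falls through into the 'accepted' path."""
    if je_rel8_at < 1 or image[je_rel8_at - 1] != 0x74:
        raise ValueError("offset %#x is not the displacement of a je rel8" % je_rel8_at)
    return image[:je_rel8_at] + b"\x00" + image[je_rel8_at + 1:]


# Constructed sample image mirroring the snippet in the post (not a real binary).
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("E8 00 00 00 00")          # call AA   (password algorithm)
    + bytes.fromhex("3B 05 10 20 40 00")       # cmp eax, [BB]
    + bytes.fromhex("0F 94 C3")                # sete bl
    + bytes.fromhex("84 DB")                   # test bl, bl
    + bytes.fromhex("74 1A")                   # je CC     (incorrect password)
    + bytes.fromhex("C6 05 14 20 40 00 00")    # mov byte ptr [DD], 0
    + b"\x90" * 20
    + SLEEP_PUSH                               # push 2EEh (~Sleep)
    + b"\x90" * 8
)


if __name__ == "__main__":
    for off in find_password_checks(SAMPLE):
        print("candidate je at file offset %#x (rel8 = %#04x)" % (off - 1, SAMPLE[off]))
        patched = patch_je_to_fallthrough(SAMPLE, off)
        print("patched bytes:", patched[off - 1:off + 1].hex())
```

Run it against a decompressed copy of the installer image (the thread notes the original `.exe` cannot be patched directly because it is compressed); the `push 2EEh` landmark alone will produce false positives anywhere `Sleep(750)` is called, which is why the script insists on seeing the full compare tail inside the window before reporting an offset.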
DakienDX
February 27th, 2002, 13:05
Hello Magnum Johnson !
I looked at the source code and found out that the password CRC is calculated as a standard CRC32 (Poly: EDB88320h), which became famous in PKZip. There are many implementations for most (if not all) programming languages available.
You can't recover the password originally used by the author, but bruteforcing should give you many valid passwords in a very short time. Just take a number, convert it to a string, use CRC32 on it and if the CRC doesn't match with the ones used in the setup program, simply increment the number and start at the beginning.
I'm not sure about this, but you should find a valid serial in less than an hour on a Pentium-200.
You may also use a custom password, use CRC32 on it and save the value in the Setup program so your password is always valid.
Magnum Johnson
February 27th, 2002, 21:23
You're a genius! That did it.
Magnum Johnson
February 27th, 2002, 22:03
I patched the code with Wdasm and got it to install but I cannot patch the original exe. It must be compressed.
DakienDX
February 28th, 2002, 12:12
Hello Magnum Johnson !
You can decompress the program or bruteforce the password.
I wouldn't prefer the first method in this case, since we know that it would be easier to bruteforce in this way.
Source code of CRC-32 implementations is as common as sand at the sea.

And if you're not sure if you've implemented it right, simply check with any ZIP program. Just compress your string and see if the CRC-32 in the ZIP is equal to your calculated value.
Magnum Johnson
February 28th, 2002, 22:44
How on earth does one unzip a file contained within another exe?
I tried looking through the exe with a hex editor and found some Inno stuff but I am not sure what to do from there. Guess I could get the Inno source code and figure it out.
DakienDX
March 1st, 2002, 02:10
Hello Magnum Johnson !
You need to use an implementation of CRC32 in a program you write, else (with an external .EXE) there will be a big speed loss.
To test your program, think of a text string, use your CRC32 on it, keep the return value in mind, put the string with notepad and no final return key into a text file, compress it with ZIP and open the ZIP file. Then you'll see a CRC somewhere. If this one matches your calculated CRC, you're done and can start bruteforcing.
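DakienDX's two posts above describe the whole recovery: the stored value is a standard CRC-32 (polynomial EDB88320h) of the entered password, so any string with the same CRC is accepted, a counting brute force finds one quickly, and the implementation can be sanity-checked against the CRC a ZIP tool reports. The following is an added example and is not code from the thread or from Inno Setup. It assumes the installer feeds the password's raw ASCII bytes to the standard CRC-32 (init and final XOR FFFFFFFFh) with no case folding or other preprocessing, and that the stored comparand is a 32-bit little-endian dword, as the `cmp eax, [BB]` in thewd's snippet suggests. `zlib.crc32` is the same CRC-32 that ZIP files carry, so it stands in for the "compress it and read the CRC" check.

```python
"""CRC-32 password recovery for the check discussed above.

Added example, not from the thread or from Inno Setup.  Assumption: the
stored dword is the standard CRC-32 (poly EDB88320h, init/final FFFFFFFFh)
of the password's raw ASCII bytes, with no preprocessing.
"""
import struct
import zlib

CRC32_POLY = 0xEDB88320  # reflected polynomial named in the post (PKZip's)


def _make_table() -> list:
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data: bytes) -> int:
    """Table-driven standard CRC-32, spelled out so the algorithm is visible."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def matches_zip_crc(data: bytes) -> bool:
    """DakienDX's self-test: ZIP stores this same CRC-32, so the two must agree."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def check_password(entered: str, stored_crc: int) -> bool:
    """Mirror of the installer's compare: CRC of the typed password vs the stored dword."""
    return crc32(entered.encode("ascii")) == stored_crc


def brute_force(target_crc: int, max_n: int):
    """Counting search from the post: try "0", "1", "2", ... until the CRC matches.
    Returns the first matching string, or None if none is found below max_n.
    A random 32-bit target needs ~2**31 tries on average, so zlib's C
    implementation is used in the loop rather than the pure-Python crc32()."""
    for n in range(max_n):
        candidate = str(n).encode("ascii")
        if (zlib.crc32(candidate) & 0xFFFFFFFF) == target_crc:
            return candidate.decode("ascii")
    return None


def stored_dword_for(password: str) -> bytes:
    """The other fix from the thread: the little-endian dword to write into the
    setup program so that `password` becomes the accepted one (assumption: the
    check compares a 32-bit value as in `cmp eax, [BB]`)."""
    return struct.pack("<I", crc32(password.encode("ascii")))


if __name__ == "__main__":
    # Constructed demonstration: pretend the author's secret was "777".
    stored = crc32(b"777")
    print("stored CRC-32 = %08X, zlib agrees: %s" % (stored, matches_zip_crc(b"777")))
    found = brute_force(stored, 10_000)
    print("brute force found:", found, "accepted:", check_password(found, stored))
    print("dword to patch in for password 'mypass':", stored_dword_for("mypass").hex())
```

A real target will almost always be hit by a string other than the author's original password, since the check only has 32 bits of state; that is exactly what DakienDX means by "many valid passwords". For a full 2^32 search this loop is still slow in Python; move the same table algorithm to C if the run time matters.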
