hello, i have a program.msi which when launched seems to be a install shield protection, but when i reach the serial part and enter
name/comp/serial and search all HD for *.ins and *.inx nothing is found, can it be the MSI protection instead of the install shield one ? if so any hints, any hints at all is appreciated.

thanks in advance
The Keeper

My guess is it's a real life red blooded msi package, which uses the windows installer service.

What I have seen done in MSI installers with reg code entry is a DLL that is in the binary table in the MSI, which gets extracted into memory and run, and the reg code is passed to it to determine valid or not. So you would have to extract the DLL and then you could reverse that to determine how to get a good code.

You can use a tool called "Orca" from the microsoft website to open MSI file databases and modify / whatever you wish to them. Theoretically, you could make it skip over the reg dialog, but this would only work if the program never checks later again.

In numerous books and readings, this is why it is a BAD IDEA to have the installer take care of reg codes or anything like that. BAD !


-nt20

hello

i have extracted the content of the msi file with msiexec /a file.msi
i have the program and i can install it manually if i want but then it wouldnt be cracking, im thinking now, to be sure if its the msi protection or the install shield, i just need to see a pic of how a regbox of a install shield is, this one asks for

Name
Organization
Serial number (format 1111-111111-11)

doesnt this look like install shield ? if anyone got pics of the reg screen of both i'd like to see it =)

there is a data.cab in the same dir as the msi too, i opened it and it has some long name files with hex digits at the end.
btw, i tried to get orca but it is inclkuded in sdk only could u upload somewhere if u have it standalone ?

anything that helps is welcome
thanks in advance

Hello The Keeper !

If you have a .MSI file as setup executable, it's Windows Installer for sure.

All dialogs are completely customizable, so how it asks for the serial number is not the point here to identify it.
(In InstallShield "normal" you can also customize all dialogs)

InstallShield can produce two output formats, the "normal" InstallShield and the .MSI. So two installation can look the same but are still different.

If you can read the .CAB file, it's a Windows .CAB file, so it's Windows Installer again. (InstallShield "normal" uses .CAB files too, but they have nothing in common expect the extension)

The MSI SDK is about 7MB and Orca is about 2MB, so why should anybody download it, unpack it and upload Orca somewhere seperatly?

Hello Dakien,

i've clicked to download the sdk and it tells me

Confirm Install Selections

--------------------------------------------------------------------------------

Download size: 43.4 MB
Install size required: 92.4 MB

Drive space available: 0 KB Download Time: @56.6 1 hr 46 min
@256 23 min
@1536 4 min

where can i get this small one ? thanks again, so its msi, anyone ever reversed the serial scheme of a msi installer ? any hints are appreciated now, all my bp are failing but i dont think i should debug the msi virtual machine and yes the "place"(dll?) which generates the serial

thanks in advance
Keeper

Hello The Keeper !

Here's the direct download link to the file.

http://msdn.microsoft.com/msdn-files/027/001/457/IntelSDK.msi (8670KB)

Maybe you found the wrong SDK with the search function.

actually as soon as the sdk is installed orca.msi is laying around on your harddrive... unless you remove it of course... if anybody feels more like grabbing orca at 2.4MB the the full SDK at 8.6MB (atleast the one i have... you can grab it from http://nervgaz.ath.cx/Orca.msi

hello,

thanks dakien, nerz, niko

any of u guys know how to identify where a dll ends ? i found where it starts by the MZ but not where it ends..i believe that its with 00's but if any of u know a way that i can be 100% sure that i reached the end of a dll

regards
keeper

how do you mean when does it end... is it inside something else?... in that case just grab everything after the MZ and the take a look at it in LordPE or something else to get the imagesize... and just delete everything after that... bah. too tired to give a really good explanation right now... hope you know what i mean

hello nerz, yes its inside something else, yes understood what u mean, i did that before posting, but before i opened the procs.dll in lordpe dir to check if the imagesize was == dll size but it isnt

see: size of image 00005000 (20480d)
file attributes: size: 8,5kb, 8,704 bytes 65.536 bytes used

am i doing something wrong ?

Keeper

Hello The Keeper !

The DLLs are stored in the .MSI file. They're extracted and loaded when they're need and unloaded and deleted after they've been used.

You can be lucky and the DLL shows you an "invalid serial" message. If this happens, you can find the DLL file in your Windows TEMP directory.

But this wouldn't be Win2000 compatible as defined by Microsoft. So the installer loads the DLL, gets the return value, deletes it again and shows the message according the the return value in normal Windows Installer dialogs without help of the DLL.

So the best would be run the installation, get to the serial check, set a breakpoint on DeleteFile (both A and W depeding on OS) and enter a false serial number. You should break then. Modify the filename to be deleted so the DeleteFile function will fail. (give it a good return value so everything seems fine to the installer)

Now you've the DLL verifying the serial.