
Installshield 7 exe fun


Medic
October 16th, 2004, 17:21
Hi,

Having a bit of fun with this one...

When running the <App>.exe a single messagebox pops up asking for the password. OK & Cancel buttons but OK is greyed out.

So, typed in random password. All chars appear as ||||| in the window and OK button stays greyed out so no Softice bpx option.

Had a look at the .exe with PEiD, says it's Installshield 2003 stub [overlay]

Decided to look for strings with WDASM32 which revealed a string "PASSWORD", hmmm promising.

Opened OllyDbg and put a break on the PASSWORD string which broke a few times before loading the password enter messagebox.

Saw that in memory a .tmp file was being written.
Temp file contents:-

[Info]
Name=INTL
Version=1.00.000
DiskSpace=8000 ;DiskSpace requirement in KB

[Startup]
CmdLine=
SuppressWrongOS=N
ScriptDriven=1
ScriptVer=7.4.0.377
DotNetOptionalInstallIfSilent=N
Product=<appz name removed for board>
PackageName=<appz name removed for board>.msi
MsiVersion=2.0.2600.2
EnableLangDlg=N
OnUpgrade=1
DoMaintenance=Y
ProductCode={4CF91139-0FA6-4DC3-B118-6D6F58C0BCDC}
PackageCode={38B5B404-FC8B-4DFC-98AD-1E4DFAA7751E}
SuppressReboot=N

[SupportOS]
Win95=1
Win98=1
WinME=1
WinNT4=1
Win2K=1

[Win95]
MajorVer=4
MinorVer=0
MinorVerMax=1
BuildNo=950
PlatformId=1

[Win98]
MajorVer=4
MinorVer=10
MinorVerMax=11
BuildNo=1998
PlatformId=1

[WinME]
MajorVer=4
MinorVer=90
MinorVerMax=91
BuildNo=3000
PlatformId=1

[WinNT4]
MajorVer=4
MinorVer=0
MinorVerMax=1
BuildNo=1381
PlatformId=2
ServicePack=1536

[Win2K]
MajorVer=5
MinorVer=0
MinorVerMax=1
BuildNo=2195
PlatformId=2

[KEY]
Password=1954169968
[Languages]
count=1
default=409
key0=409
[<appz name removed for board>.msi]
Type=1
Location=<appz name removed for board>.msi
[Setup.bmp]
0=setup.bmp
Type=1
[instmsiw.exe]
Type=1
Location=instmsiw.exe
[instmsia.exe]
Type=1
Location=instmsia.exe
[ISScript.msi]
Type=1
Location=isscript.msi


So there it was!!! Under [Key], Password=1954169968 !!!!!!!

But... entering this password does not enable the OK button so I'm still in the dark..

Tried a few Installshield unpackers but nothing worked.

Any suggestions greatly appreciated.

Medic

JMI
October 16th, 2004, 22:19
One suggestion would be that you really didn't need to post all that code just to show that there was a listing for "password" in the strings.

Next, you have not indicated what, if anything, you have done to try to solve your own problem, for example searching here and on the net for information on defeating the protector and/or how such serial protection systems might function. So far, all you've told us you have done is look at the exe in a disassembler and try the "password" listed in the exe, which didn't work. Were you actually surprised when it didn't?

Did you even try to set a breakpoint when that "password" might be sitting in memory and/or actually examine and try to trace the code where the "password" might be called???

Regards,

Medic
October 17th, 2004, 02:16
Sorry for posting the whole tmp file, thought it might contain info that would help understand the problem.

Yes, searched this forum (and others) for serial protection tuts and tips but all the serial methods rely on entering dud serials and then bpxs on the OK button which is greyed out in this instance.

Yes, put bpm on memory access to the exe and tmp file read/write of the password but nothing doing, and yes am using the addr context correctly.

Yes, searched for InstallShield decrypters, unpackers, tips; found a few: isextr, isftw, sid. Some of these are for isx, ins files which I don't have, just the exe so far.

Will continue to research but just thought that with the vast knowledge of the forum you could give me some tips to save time.

Thanks,

Medic

JMI
October 17th, 2004, 07:04
My point was that the Rules suggest that you make the statement about the extent of your attempt to help yourself in your "first" post, then I don't have to ask if you did.

You have stated that you have done some searching, but you didn't indicate that you have studied the disassembled "deadlisting" in the procedure which calls the "password" string to see if it contains any information which may be useful or a place which will permit you to place a breakpoint. And I was suggesting that you try breakpoints when one or the other of the registers may actually contain the "password" from the file, not necessarily on "memory access."

I don't know if you can read Russian or have access to a translation program, such as Systran, but there has been some good work done on Wasm.ru regarding Installshield (although the analysis was of version 6) by Volodya and others. There is an article titled "Study InstallShield 6+ - the survey of the procedures." It's in the Articles section and is number 19 of the top 50. The Systran translator, available in the wild, makes it fairly understandable and might give you some insight.

Regards,

naides
October 17th, 2004, 07:11
Hi Medic.

Run the app under Filemon. You may see other temp files being created in weird places. They usually vanish when you close the app, but you can save copies for yourself in safe folders.
Pay special attention to files with .dll extensions, or files that, despite the name, have PE structure. In my short experience with InstallShield, that is where the action is. . .

Do not give up with the serial box yet. You can use BMSG <box handle> WM_KEY. . .
to try to catch the program analyzing your serial on the fly, or at least see the mod that does the analysis

Medic
October 17th, 2004, 08:48
Hi JMI and Naides,

Thanks again for your help,

Have been going at this for several days now, learning more but finding it difficult in deciding on the approach as there are clearly several routes and I'm spending time going down dead ends, but learning as well!!

Attempted to unpack the Installshield, so far no tools found help.

Deadlisting studied but the password string relates to the creation of the tmp file which is not what I need.

Used InCtrl5 to find that the installshield generates a RNG key, so am now looking for brute force approach as I think the PASSWORD created in the tmp file might be the seed for the RNG. Will look at the Filemon route next.

The memory address where the password is stored is for the InstallShield password which is different to the real password. Have set breaks on access to this but no joy. Will look at WM_KEY to see if I can discover how the installer is monitoring the entered password, guess it might be using PEEKMESSAGE but that breaks a lot so will have to try another route.

Thanks for your thoughts and patience,

Not had any sleep yet so will have to continue tomorrow.

Medic

naides
October 17th, 2004, 09:33
Quote:
[Originally Posted by Medic]Hi JMI and Naides,

The memory address where the password is stored is for the Installsheild password which is different to the real password. Have set breaks on access to this but no joy.
Medic


Consider the fact that the OK button is grayed while you key in the serial, and will turn active when you hit gold. . . The serial is not stored in one place and then analyzed, it is analyzed every time you enter a digit.

The Bmsg would break inside the system, when the program gets notified someone entered something. You need to learn a bit about message handling, but it will at least tell you the general area where password validation is taking place. PM the app, I will take a look, but I WILL NOT CRACK IT FOR YOU

hosiminh
October 22nd, 2004, 05:22
I had the same problem with installing another program 'coz there is "Installshield password protection" (greyed OK button).

Well , I used Ollydbg and M$ Xp Pro

snippet from Ollydbg

Text strings referenced in L***trac:.text, item 64
Address=00405897
Disassembly=PUSH Logitrac.004234E4
Text string=ASCII "Software\InstallShield\ISWI\7.0\SetupExeLog" ( i guess it is "InstallShield v7" setup used too )


Solution (?)
You can use "breakpoint on lstrcmpA" ("bp lstrcmpA") and enter some bogus character; Ollydbg should break, some F8 work until user code and then just patch some bytes like this:

0040BF78 FF15 CCF14100 CALL NEAR DWORD PTR DS:[<&KERNEL32.lstrcmpA>]
0040BF7E 85C0 TEST EAX,EAX ; patch here 85C0 -> 33C0 XOR EAX,Eax
0040BF80 74 02 JE SHORT LOGITRAC.0040BF84 ; or patch here to JNE

and then it installs OK



The "Password" that I could see in EAX register is 1952762995 (on bp) but surprise, it's not working (on my target).

Medic
October 22nd, 2004, 07:11
Thanks!!!

Will explore over the weekend and get back to you

hosiminh
October 25th, 2004, 06:11
InstallShield Password bruteforcing


tools: ollydbg,radasm+masm for bruter


reference: CRC and how to Reverse it by Anarchriz/DREAD


target: <not published here>

level: bruteforcing/advanced


~~~~~~~~~~~~~~~~~~~~~~~~

1. Password bruteforcing

~~~~~~~~~~~~~~~~~~~~~~~~

first the install package asks for a Pass, well we don't have one!
let's see how to get around. bp GetWindowTextA works, and we land into the simple checking
routine:


0040BFC8 push 64 ; /Count = 64 (100.)
0040BFCA push eax ; |Buffer = 00000009
0040BFCB push 3E8 ; |ControlID = 3E8 (1000.)
0040BFD0 push [arg.1] ; |hWnd = 002300EA ('Please enter the password',class='#32770')
0040BFD3 call [<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA
0040BFD9 test eax,eax
0040BFDB je short 0040C02B
0040BFDD push 1 ; /ControlID = 1
0040BFDF push [arg.1] ; |hWnd = 002300EA ('Please enter the password',class='#32770')
0040BFE2 call [<&USER32.GetDlgItem>] ; \GetDlgItem
0040BFE8 mov ecx,[428EF0]
0040BFEE mov esi,eax
0040BFF0 lea eax,[local.25]
0040BFF3 push eax ; /Arg1 = 00000009
0040BFF4 call 0040BF49 ; \LOGITR~1.0040BF49
0040BFF9 test esi,esi ; LOGITR~1.0040BF8C
0040BFFB je short 0040C02B
0040BFFD movzx eax,al
0040C000 push eax ; /Enable = TRUE
0040C001 push esi ; |hWnd = 0040BF8C
0040C002 call [<&USER32.EnableWindow>] ; \EnableWindow
0040C008 jmp short 0040C02B



0040BFFB je short 0040C02B ;;;;;;--- PassGood?

but we are not interested in patching if we can reverse it..

0040BFF3 push eax ; /Arg1 = 0012E8E8 ASCII "dummy"
0040BFF4 call 0040BF49 ; \LOGITR~1.0040BF49

investigating the CheckPass routine leads to


0040BF78 call [<&KERNEL32.lstrcmpA>] ; \lstrcmpA

comparing with hardcoded pass 1952629872

-------------------- [FOR CURIOUS]
bp GetTempFileNameA

INI file:

[KEY]
Password=1952629872
-------------------- [/FOR CURIOUS]

blah, but how to get a working pass?

0040C16F push esi
0040C170 push edi
0040C171 mov edi,ecx
0040C173 call 0040C057
0040C178 push -1 ; /Arg3 = FFFFFFFF
0040C17A push dword ptr [esp+10] ; |/String = "..@"
0040C17E call [<&KERNEL32.lstrlenA>] ; |\lstrlenA
0040C184 push eax ; |Arg2 = 0012E8E8 ASCII "dummy"
0040C185 mov ecx,edi ; |
0040C187 push dword ptr [esp+14] ; |Arg1 = 77D48065
0040C18B call 0040C0B0 ; \LOGITR~1.0040C0B0
0040C190 mov ecx,edi
0040C192 mov esi,eax
0040C194 call 0040C099
0040C199 not esi
0040C19B push esi
0040C19C mov ecx,edi
0040C19E call 0040C0F1
0040C1A3 pop edi ; LOGITR~1.0040BF5D
0040C1A4 pop esi ; LOGITR~1.0040BF5D
0040C1A5 retn 4

(if you can't recognize it yourself, PEiD's KANAL plugin can)
that's a CRC32 routine + this:

0040C111 movzx eax,byte ptr [ebp-4]
0040C115 push 3
0040C117 push eax
0040C118 call 00415846
0040C11D xor al,74
0040C11F push 5
0040C121 mov [ebp-4],al
0040C124 movzx eax,byte ptr [ebp-3]
0040C128 push eax
0040C129 call 0041581D
0040C12E xor al,74
0040C130 push 7
0040C132 mov [ebp-3],al
0040C135 movzx eax,byte ptr [ebp-2]
0040C139 push eax
0040C13A call 00415846
0040C13F xor al,74
0040C141 push 3
0040C143 mov [ebp-2],al
0040C146 movzx eax,byte ptr [ebp-1]
0040C14A push eax
0040C14B call 0041581D

which turn out to be rol&ror routines

- switching to code -

based on the FACT that crc32 is *reversible*


; THE CHECK ROUTINE OPTIMIZED:
edi points to pass string

invoke StrLen,edi ; length of pass
invoke CRC32,0,edi,eax ; crc32(pass) ; 0=init, edi=pass, eax=len
movzx ebx,al
movzx ecx,ah
shr eax,16
movzx edx,al
movzx eax,ah
and eax,0FFh
and ebx,0FFh
and ecx,0FFh
and edx,0FFh
rol ebx,3 ; rol and mix bytes
ror ecx,5
rol edx,7
ror eax,3
xor bl,74h
xor cl,74h
xor dl,74h
xor al,74h
mov ch,bl
mov ah,dl
and ecx,0FFFFh
shl eax,16
or eax,ecx
cmp eax,1952629872 ; Check if install pass matches

; THE REVERSE :

reverse the obvious:
mov eax,1952629872
mov ecx,eax
shr eax,16
and ecx,0FFFFh
mov bl,ch
mov dl,ah
and eax,0FFh
and ebx,0FFh
and ecx,0FFh
and edx,0FFh
xor bl,74h ; first mix & rol
xor cl,74h
xor dl,74h
xor al,74h
rol al,3
ror dl,7
rol cl,5
ror bl,3
shl eax,8
mov al,dl
shl eax,16
mov ah,cl
mov al,bl
mov esi,eax
lea edi,tbuf ; then brute

; bruteforce something nice :

invoke StrCpy,edi,T('OneofZero!0000 ')
leng equ 18
mov ebx,1000
@@:
inc ebx
cmp ebx,9999
jz @F
invoke DwToStr,ebx,addr [edi+10]

; esi=wantedCrc, edi=newPass, leng=length, leng-4= offset where to put RCRC32
invoke RCRC32,esi,edi,leng,leng-4 ; Calculate Reverse CRC32
; coded with the help of Anarchriz's tut.
; just take some implementation of crc32
; and code it yourself!

movzx eax,byte ptr [edi+leng-4]
invoke ChrIsPrint,eax ; Is char printable?
dec eax
js @B
movzx eax,byte ptr [edi+leng-3] ; Is char printable?
invoke ChrIsPrint,eax
dec eax
js @B
movzx eax,byte ptr [edi+leng-2] ; Is char printable?
invoke ChrIsPrint,eax
dec eax
js @B
movzx eax,byte ptr [edi+leng-1] ; Is char printable?
invoke ChrIsPrint,eax
dec eax
js @B
@@:

the routine goes through (it's very fast)
OneofZero!0000xxxx
OneofZero!1001Đ.†p if printable then break else continue
OneofZero!1002aź†.
:::
OneofZero!9999źźźź

edi has a valid pass!

some passwords:
drizz!1007N0<y
OneofZero!1149BwyS

dELTA
October 25th, 2004, 07:50
Nice work. Are you sure that the passwords will really work though? Normally, passwords are initially checked with an intentionally weak hash algo, but the whole password is then used for the actual decryption. This way, you get very many passwords that match a brute-force hash check, but only the single real password will work in the end anyway for the decryption.

But then again, of course these guys aren't necessarily that clever, I'm just asking...

hosiminh
October 25th, 2004, 12:08
I have tested both passwords with my target, and worked with both versions
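
The check hosiminh traced boils down to comparing a 32-bit CRC of the typed string with a constant, and dELTA's question is why such a gate is weak. As an added example, not code from this thread, from Anarchriz's tutorial or from InstallShield, the Python below implements a zlib-compatible CRC32, the four-byte construction that lands on any chosen CRC value without searching, the printable-tail loop the post describes, and, for contrast, a salted iterated check. Every function name, the target values, the salt and the passwords are constructed for this example; the byte-mixing step in the post (rol/ror/xor) is left out, so the example treats the stored constant as the wanted CRC directly.

```python
"""Why a CRC32 comparison is not a password check (added example).

Constructed for this thread; not InstallShield's code. Shows that a
32-bit checksum gate admits a matching string on demand, while a salted,
iterated derivation compared in constant time does not.
"""
import hashlib
import hmac

POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib / PKZIP)


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The top byte of TABLE[i] is distinct for every i, which is what lets
# the register be walked backwards one table index at a time.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def _register(data: bytes, reg: int = 0xFFFFFFFF) -> int:
    """Run the CRC register over data, without the final inversion."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data: bytes) -> int:
    """Standard CRC-32 (same value as zlib.crc32)."""
    return _register(data) ^ 0xFFFFFFFF


def forge_tail(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes t such that crc32(prefix + t) == target.

    Walking the register backwards from the wanted end state fixes the
    four table indices (each step only depends on the top byte); the
    register contents after `prefix` then decide which byte selects each
    index. No search is involved.
    """
    want = target ^ 0xFFFFFFFF          # register state we want at the end
    idx = []
    cur = want
    for _ in range(4):
        i = REV[cur >> 24]
        idx.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    reg = _register(prefix)
    tail = bytearray()
    for i in idx:
        b = (reg ^ i) & 0xFF            # byte that selects table index i
        tail.append(b)
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(tail)


def forge_printable(prefix: bytes, target: int, limit: int = 100000) -> bytes:
    """The loop from the post: bump a counter until the forged tail is printable ASCII."""
    for n in range(limit):
        body = prefix + str(n).encode()
        tail = forge_tail(body, target)
        if all(0x20 <= c < 0x7F for c in tail):
            return body + tail
    raise ValueError("no printable tail within limit")


def check_weak(password: bytes, expected: int) -> bool:
    """A 32-bit checksum gate: at most 2**32 distinct outcomes, collisions on demand."""
    return crc32(password) == expected


def derive(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated derivation (constructed parameters for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def check_strong(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the derived value; a colliding guess buys nothing."""
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    target = 0x12345678                     # constructed stand-in for a stored constant
    for prefix in (b"constructed-", b"another-", b"third-"):
        pw = forge_printable(prefix, target)
        print(pw, hex(crc32(pw)), check_weak(pw, target))
    salt = b"constructed-salt"
    stored = derive(b"constructed real password", salt)
    print(check_strong(b"constructed real password", salt, stored),
          check_strong(b"constructed wrong password", salt, stored))
```

Run as a script, it prints three different strings that all pass check_weak for the same constant, then True/False for the strong check. When the same derivation is also what unlocks the payload, a string that merely matches the gate unlocks nothing, which is the point dELTA raises above.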

Medic
October 26th, 2004, 03:15
Hi,

Thanks for the tips. Hosiminh's idea about breaking on lstrcmpA took me straight into the right code.

Turns out that the OK button can be activated by a simple patch which then starts the Install prog proper. It writes isscript.msi and <progname>.msi to the windows temp dir but then must do the serial check again as it fails. It checks for a valid serial (which we've bypassed), then offers a network lic option before exiting...

msi can not be unpacked and if run on its own pops up a window to say it must be run from setup.exe

Went back to the password bit and the encryption looks strong. HD drive serial number is combined with a RNG to give a 10 digit key (the one given in my first post). Entered a dummy serial to find what number is produced and tried entering that into the tmp file during run time which allows me to enter "my" password and activate the prog correctly but I still get chucked out after the msi starts working so I guess there is a duplicate check in the msi.

Long night, don't see how the msi route will work so will take another look at bruting the encryption in the morning

Laters,

medic

nikolatesla20
October 26th, 2004, 09:03
If you've got an MSI you can too "unpack it". An MSI is just a database. There is a tool called ORCA which can open an MSI and allow you to browse, edit, and whatever, to the database.

Of course you have to understand the structure of an MSI to find the stuff you want, so grab a copy of Installshield for Windows Installer or InstallShield 8.0 or X , and practice making some MSI's you'll get familiar with them that way. The Installshield product allows you to edit the MSI tables directly when building an Installer, if you have to. Installshield works with project files only (ISM).

ORCA opens already compiled MSI files, but the tables you will see will be the same tables as when you design the installer.

Look thru the actions table, and the binary table, etc. If the installer has its own custom action that is not allowing you to run, you can just edit it with ORCA. Sometimes installers unpack a DLL from the binary table, and this DLL does the password check.

But, for example, the not allowing to run other than from setup.exe, you should be able to work around that by editing the MSI with ORCA.

-nt20