Im attempting to bypass a password check on an installer. This one seems to be doing some strange things, namely:
a) creating two .tmp files, namely GLC***.tmp and GLK***.tmp, which are actually Dlls, which then get imported by the installer and used for the actual install
b) hiding the strings somehow. I can see the 'incorrect password' string when it is added to the stack, but im unable to locate it in the actual exe or the temp files. ive tried using both w32dasm and Ollydbg with no luck.


As far as I can tell one of the .tmp files contains the routine which checks the serial number for validity, but Ive not been able to localise it further. Using Puntos Magicos in Olly (h-point), ive been able to spot where the Serial i have typed in is captured, but ive got difficulties determining what is occuring afterwards.

Does anybody have any suggestions or prior experience with an installer that behaves in the manner I have described?
I'll name the type of installer if someone posts to let me know if i'm allowed (everyone seems concerned about not naming the targets).


Stephen

I had faced similare serial checking routine some years ago in a software, installer creates a temp dll and loads it, then it passes serial to an exported function and gets the test results; at that time I used SIce to break on the serial checking routine, I think it will work for you too;

...
I'll name the type of installer if someone posts to let me know if i'm allowed (everyone seems concerned about not naming the targets).


Stephen

you better read the FAQ ;)