Something about InnoSetup's passwords
The setup programs of apps which use InnoSetup set a password protection.
When installing the apps, they display a Password Dialog which needs you to input the correct password, which was set by the app's author. The setup program will create two folders named like is-*****.tmp at "%Temp%\Local Settings\Temp", in which there is an is-*****.tmp file; the CheckPassword routine is in it. InnoSetup uses the MD5 algorithm to hash the password as follows: it pads the message first with "PasswordCheckHash", then with PHP Code:
After being hashed, it compares the hash string with a const string which is the correct password's hash string. It seems that the correct password's hash string was set by InnoSetup when making the install program. So the problem is: can we get the correct password other than by brute force? Does anyone have an idea? Sorry for my poor English. Regards |
You must patch MD5 comparison, it's the only way.
|
Or you can try to calculate your own passwd and patch PasswdHashString with your values. Then just put your own passwd into the Passwd Dialog :-)
|
Thanks for your replies.
Yes, we can patch the internally set const PasswordHashString with our values. We can find that in the is-*****.tmp file and patch the tmp file; this way we can pass the install process. But can we patch the setup.exe rather than the tmp file? If we search for the const hash string in the setup.exe, the result of course is null, because the file is compressed. I have traced the setup.exe to find the decompress procedure; it seems the decompress algorithm makes somebody crazy. So another problem is how to find the const hash string in the setup.exe. In other words, how does InnoSetup compress and decompress the file? |
You can pause setup.exe JUST when CreateFileA (or others) is called (with Olly) and then patch the tmp file and continue setup.exe execution.
|
I still think that the best and easiest way is to patch cmp jmp.. you can't be password word out..
bye |
TSRh released a tool last month to catch the pwd for Inno Setup. You should check with them for an easy way :-)
|
Thanks to all of you :)
I've got an idea to defeat InnoSetup's password protection. Of course we can patch the MD5 hash string to pass the installation process, and furthermore we can make a patch just like this. Get the address of the const MD5 hash string in is-*****.tmp first. In our patch, call EnumProcess to get the process whose name is like is-*****.tmp. Then call ReadProcessMemory to get the hash string and CRC it to check if it is the target tmp file that we need. If it is, call WriteProcessMemory to patch the string with our own password's MD5 hash string. It seems to work in some of my test setup programs :) First, load is-*****.tmp into OD and search for the text "PasswordCheckHash"; you will then find code like this:
Code:
mov edx, 0046E51C ; ASCII "PasswordCheckHash"
Code:
#include <windows.h>
Thanks again to all of you. Good luck & regards. |
Asus, can you tell me where to get this tool? I was looking on their site and with Google and I can't find it..
Here is a nice unpacker: http://innounp.sourceforge.net/ bye |
to NeOXOeN:
I think the tool which Asus suggests is setup.factory.password.recovery.1.1.tool-tsrh, am I right? But that's for Setup Factory, not for InnoSetup. I've written a tool to defeat InnoSetup's password protection; the source code is just like what I've posted. I've tested several apps and it works perfectly :) Regards |
Nice work cnbragon/iPB!
[EDIT JMI: You don't need to quote a very long Post, just to say "nice work cnbragon/iPB." Just "Nice Work cnbragon/iPB" (if one is already a Junior Member) works just as well and doesn't take up as much room in the database. Just use the "Quick Reply" Button in the far Right Bottom Corner of the Post and there is no Quote repeated!] |