
Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Sth. about InnoSetup's passwords (https://forum.exetools.com/showthread.php?t=9137)

cnbragon/iPB 02-08-2006 03:41

Sth. about InnoSetup's passwords
 
The apps' setup programs which use InnoSetup set a password protection.
When installing the apps, they will display a Password Dialog which needs you to input the correct password which was set by the apps' author.
The setup program will create two folders named just like is-*****.tmp
at "%Temp%\Local Settings\Temp", in which there is an is-*****.tmp file;
the CheckPassword routine is in it.
Innosetup will use the MD5 Algorithm to hash the password as follows:
pad the message first with "PasswordCheckHash", then with
Code:

"0x91,0xA1,0x96,0xDC,0x8C,0x56,0x98"

and last the password which we input.
After being hashed, it will compare the hash string with a const string which is the correct password's hash string.
It seems that the correct password's hash string was set by Innosetup when making the install program.
So the problem is: can we get the correct password other than by brute force?
Anyone got an idea?
Sorry for my poor English.

regards
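The check described in the post, written out as an added example (this is not code from the thread and not Inno Setup's own source): the setup embeds a salt and MD5("PasswordCheckHash" || salt || password), and the runtime gate simply recomputes and compares. The salts and passwords below are constructed; the post lists seven pad bytes while the disassembly later in the thread hashes eight, so an 8-byte constructed salt is used, and the password is encoded as single-byte characters (an assumption). The second half goes beyond the thread to show the property a defender actually wants from a password gate: when the password is key material for the payload rather than something compared against a stored hash, a wrong password produces an integrity failure and no usable data, so there is no single comparison or stored value that decides the outcome. The keystream there is an HMAC-based illustration, not Inno Setup's encryption and not a production cipher.

```python
import hashlib
import hmac
import os

PREFIX = b"PasswordCheckHash"  # 17 bytes, hashed first (ecx = 0x11 in the thread's disassembly)


def inno_password_hash(salt: bytes, password: str) -> bytes:
    """MD5(prefix || salt || password), the scheme the post describes.
    Assumption: password characters are single bytes (ANSI build)."""
    h = hashlib.md5()
    h.update(PREFIX)
    h.update(salt)              # 8 salt bytes (ecx = 8 in the disassembly)
    h.update(password.encode("latin-1"))
    return h.digest()


def build_stored_check(password: str, salt: bytes = None) -> tuple:
    """What the build step embeds in the installer: (salt, hash). Salt is constructed here."""
    if salt is None:
        salt = os.urandom(8)
    return salt, inno_password_hash(salt, password)


def check_password(stored: tuple, attempt: str) -> bool:
    """The runtime gate: recompute and compare. It yields only a boolean, so whoever
    controls the stored hash or this comparison controls the result."""
    salt, expected = stored
    return hmac.compare_digest(expected, inno_password_hash(salt, attempt))


# ---- contrast: password as key material (generic illustration, not Inno Setup) ----

def _derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 makes guessing expensive; 32 bytes split into encryption and MAC keys
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: illustrative only, use a real AEAD in production
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_payload(password: str, plaintext: bytes, salt: bytes = None) -> tuple:
    """Encrypt-then-MAC the payload under keys derived from the password."""
    if salt is None:
        salt = os.urandom(16)
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:16], key[16:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return salt, ciphertext, tag


def open_payload(password: str, sealed: tuple):
    """Return the plaintext, or None if the password is wrong. Nothing here stores a
    password hash that could be swapped: a wrong key simply fails to decrypt."""
    salt, ciphertext, tag = sealed
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:16], key[16:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ciphertext, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


if __name__ == "__main__":
    # constructed salt and passwords
    stored = build_stored_check("s3cret", salt=bytes.fromhex("0011223344556677"))
    print("correct:", check_password(stored, "s3cret"), "wrong:", check_password(stored, "guess"))
    sealed = seal_payload("s3cret", b"installer payload bytes")
    print(open_payload("s3cret", sealed), open_payload("guess", sealed))
```

The first half is exactly the gate the thread goes on to patch: both the salt and the expected digest sit in the helper process as plain data, so the check protects nothing once that data or the comparison is under the user's control. The second half is the design choice that removes that weakness.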

taos 02-08-2006 15:24

You must patch MD5 comparison, it's the only way.

DARKER 02-08-2006 16:42

Or you can try to calculate your own passwd and patch PasswdHashString with your values. Then just put your own passwd into the Passwd Dialog :-)

cnbragon/iPB 02-08-2006 19:05

Thanks for your replies.
Yes, we can patch the internal set const PasswordHashString with our values.
We can find that in the is-*****.tmp file and patch the tmp file; this way we can pass the install process.
But can we patch the setup.exe rather than the tmp file??
If one searches for the const hashstring in the setup.exe, the result of course is null, because the file is compressed.
I have traced the setup.exe to find the decompress procedure; it seems the decompress algorithm makes sb. crazy.
So another problem is how to find the const hashstring in the setup.exe? In other words, how does innosetup compress and decompress the file?

taos 02-08-2006 20:04

You can pause setup.exe JUST when CreateFileA (or others) is called (with Olly) and then patch the tmp file and continue setup.exe execution.

NeOXOeN 02-08-2006 22:33

I still think that the best and easiest way is to patch cmp jmp.. you can't be password word out..

bye

Asus 02-08-2006 23:41

TSRh released last month a tool to catch pwd for Inno Setup. You should check with them for an easy way :-)

cnbragon/iPB 02-10-2006 02:02

Thanks to all of you :)
I've got an idea to defeat the InnoSetup's password protection.
Of course we can patch the MD5 HashString to pass the installation process, and furthermore we can make a patch just like this.
Get the address of the const MD5 hashstring in is-*****.tmp first.
In our patch, call EnumProcesses to get the process whose name is just like is-*****.tmp.
Then call ReadProcessMemory to get the hashstring and CRC it to check if it is the target tmp file that we need. If it's true, call WriteProcessMemory to patch the string with our own password MD5 hashstring.
It seems that it works in some of my test setup programs :)

First, load is-*****.tmp into OD, and search for the text "PasswordCheckHash";
then you will find code which looks just like this:

Code:

mov    edx, 0046E51C    ; ASCII "PasswordCheckHash"
mov    eax, esp         ; This is MD5 Context
mov    ecx, 11          ; 0x11 = 17 = length of "PasswordCheckHash"
call   00430048
mov    edx, 004AE160    ; this is the const pad message
mov    eax, esp
mov    ecx, 8           ; 8 bytes of pad message
call   00430048
mov    eax, ebx
call   0040358C
mov    ecx, eax
mov    edx, ebx
mov    eax, esp
call   00430048
lea    edx, [esp+58]
mov    eax, esp
call   004300F8
mov    edx, 004AE150    ; this is the const hashstring's base address
lea    eax, [esp+58]    ; this is our own password hashstring
call   00430AB0

The const pad message varies between different apps.
Code:

#include <windows.h>
#include <psapi.h>
#include <tchar.h>

#pragma comment (lib,"psapi.lib")

// Looks at one process: if its main module is named "is-XXXXX.tmp" (the
// Inno Setup helper) and its image size matches the expected build,
// overwrite the 16-byte stored password hash at a fixed address.
void PrintProcessNameAndID(DWORD processID)
{
        TCHAR szProcessName[MAX_PATH]=TEXT("<unknown>");
        HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
        if(hProcess!=NULL)
        {
                HMODULE hMod=NULL;
                DWORD cbNeeded;
                if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&cbNeeded))
                {
                        GetModuleBaseName(hProcess,hMod,szProcessName,sizeof(szProcessName)/sizeof(TCHAR));
                }
                // "is-XXXXX.tmp" is 12 characters; compare the "is-" prefix with a
                // TCHAR-safe function instead of a byte-wise memcpy/lstrcmp
                if(lstrlen(szProcessName)==12 && _tcsncmp(szProcessName,TEXT("is-"),3)==0)
                {
                        CloseHandle(hProcess);
                        hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
                        if(hProcess)
                        {
                                _tprintf(TEXT("%s PID: %u\n"),szProcessName,processID);
                                MODULEINFO ModInfo;
                                if(GetModuleInformation(hProcess,hMod,&ModInfo,sizeof(MODULEINFO)))
                                {
                                        if(ModInfo.SizeOfImage==0x000C0000)
                                        {
                                                DWORD BaseAddress=0x00482143;
                                                // The replacement hash is not given in the post:
                                                // fill szBuffer with the 16-byte MD5 hashstring of your own password
                                                BYTE szBuffer[16]={0};
                                                SIZE_T cbWritten;
                                                WriteProcessMemory(hProcess,(LPVOID)BaseAddress,szBuffer,16,&cbWritten);
                                        }
                                }
                        }
                }
                if(hProcess) CloseHandle(hProcess);
        }
        else
        {
                _tprintf(TEXT("Error\n"));
        }
}

int main()
{
        DWORD aProcesses[1024], cbNeeded, cProcesses,i;
        if(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
                return 1;
        cProcesses=cbNeeded/sizeof(DWORD);
        for(i=0;i<cProcesses;i++)
        {
                PrintProcessNameAndID(aProcesses[i]);
        }
        return 0;
}

When the password dialog displays, we can use the code above to patch the tmp file, then use our own password to go on with the installation.

thx again to all of u

Good Luck & Regards.

NeOXOeN 02-10-2006 03:41

Asus, can you tell me where to get this tool? I was looking on their site and with Google I can't find it..

Here is a nice unpacker: http://innounp.sourceforge.net/


bye

cnbragon/iPB 02-10-2006 06:10

To NeOXOeN:
I think the tool which Asus suggests is setup.factory.password.recovery.1.1.tool-tsrh, am I right? But that's for Setup Factory, not for InnoSetup.

I've written a tool to defeat Innosetup's Password protection; the source code is just like that I've posted.
I've tested several apps and it works perfectly :)

regards

crackerabc 02-10-2006 08:17

Nice work cnbragon/iPB!

[EDIT JMI] You don't need to quote a very long Post, just to say "nice work cnbragon/iPB." Just "Nice Work cnbragon/iPB" (if one is already a Junior Member) works just as well and doesn't take up as much room in the database. Just use the "Quick Reply Button in the far Right Bottom Corner of the Post and there is no Quote repeated!]

