thx to all of u
I've got an idea to defeat the InnoSetup's password protection.
Of course we can patch the MD5 hash string to pass the installation process, and furthermore we can make a patch like this.
Get address of the const MD5 hashstring in is-*****.tmp first.
In our patch, call EnumProcess to get the process whose name is just like is-*****.tmp.
Then call ReadProcessMemory to read the hash string and CRC it to check whether this is the target tmp file we need. If it is, call WriteProcessMemory to overwrite the string with the MD5 hash string of our own password.
It seems to work on some of the setup programs I tested.
First, load is-*****.tmp into OD and search for the text "PasswordCheckHash";
you will then find code like this:
Code:
; Excerpt from one specific is-*****.tmp build. The absolute addresses
; (00430048, 004300F8, 00430AB0, 0046E51C, 004AE150, 004AE160) and the pad
; constant belong to that build only; they cannot be reused across setups
; (see the author's remark below the listing).
; The ';' and '//' annotations on the instructions are the author's own.
mov edx, 0046E51C ; ASCII "PasswordCheckHash"
mov eax, esp // This is MD5 Context
mov ecx, 11
call 00430048
mov edx, 004AE160 // this is the const pad message
mov eax, esp
mov ecx, 8
call 00430048
mov eax, ebx
call 0040358C
mov ecx, eax
mov edx, ebx
mov eax, esp
call 00430048
lea edx, [esp+58]
mov eax, esp
call 004300F8
mov edx, 004AE150 // this is the const hashstring's base address
lea eax, [esp+58] // this is our own password hashstring
call 00430AB0
The constant pad message varies between applications.
Code:
#include <windows.h>
#include "psapi.h"
#include <tchar.h>
#pragma comment (lib,"psapi.lib")
/*
 * Reading of the listing: for one process id, fetch the base name of its first
 * module, fingerprint it as an Inno Setup bootstrap (`is-` prefix, 12-character
 * name, one specific SizeOfImage) and, on a match, write 16 bytes into that
 * process at a hard-coded address. The address and the image size are tied to
 * a single build, so the routine is not general.
 *
 * Detection: the sequence below -- OpenProcess(PROCESS_ALL_ACCESS) on a foreign
 * process followed by WriteProcessMemory -- is the behaviour host-based
 * monitoring commonly flags; the `is-` name filter and the fixed image-size
 * compare make it easy to recognise.
 * NOTE(review): this only targets the password gate. Where the setup was built
 * with Inno Setup's Encryption option the file data are keyed from the real
 * password, so patching the compare alone does not recover them -- verify
 * against the Inno Setup documentation.
 *
 * @param processID  process id taken from EnumProcesses.
 * No return value; prints the matched name and PID, or "Error" when the first
 * OpenProcess returns NULL.
 */
void PrintProcessNameAndID(DWORD processID)
{
/* Default name used when the module query below fails. */
TCHAR szProcessName[MAX_PATH]=TEXT("<unknown>");
/* Read-only handle first: sufficient for module enumeration. */
HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
if(hProcess!=NULL)
{
HMODULE hMod;
DWORD cbNeeded;
/* Only the first module (the main executable) is requested. */
if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&cbNeeded))
{
GetModuleBaseName(hProcess,hMod,szProcessName,sizeof(szProcessName)/sizeof(TCHAR));
}
/* "is-XXXXX.tmp" is exactly 12 characters long. */
if(lstrlen(szProcessName)==12)
{
TCHAR innosetup[4];
TCHAR szConst[]=TEXT("is-");
/* Copy the 3-character prefix into a zeroed scratch buffer (sizes are byte counts). */
memset(innosetup,0,4);
memcpy(innosetup,szProcessName,3);
if(lstrcmp(innosetup,szConst)==0)
{
/* Drop the read-only handle and re-open with full access -- the conspicuous step. */
CloseHandle(hProcess);
hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
if(hProcess)
{
_tprintf(TEXT("%s PID: %u\n"),szProcessName,processID);
MODULEINFO ModInfo;
if(GetModuleInformation(hProcess,hMod,&ModInfo,sizeof(MODULEINFO)))
{
/* Fingerprint one specific build by its image size; any other build is skipped. */
if(ModInfo.SizeOfImage==0x000C0000)
{
/* Build-specific target address. szBuffer is never populated in this listing,
   so whatever it happens to hold is what gets written. */
DWORD BaseAddress=0x00482143;
BYTE szBuffer[16];SIZE_T cbRead;
/* The result of the write is not checked. */
WriteProcessMemory(hProcess,LPVOID(BaseAddress),szBuffer,16,&cbRead)
} }
}
}
}
}
CloseHandle(hProcess);
}
else
{
/* Reached when the first OpenProcess returned NULL. */
_tprintf(TEXT("Error\n"));
}
}
/*
 * Entry point: enumerate every process id on the system and hand each one to
 * PrintProcessNameAndID. The 1024-entry array is a fixed upper bound; per the
 * API contract EnumProcesses does not indicate whether more ids existed than
 * fit, so any beyond the bound are silently skipped.
 * Returns nothing (`void main` is non-standard; kept as in the listing).
 */
void main()
{
DWORD aProcesses[1024], cbNeeded, cProcesses,i;
/* cbNeeded receives the number of bytes stored into aProcesses. */
if(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
return;
/* Convert the byte count into a count of process ids. */
cProcesses=cbNeeded/sizeof(DWORD);
for(i=0;i<cProcesses;i++)
{
PrintProcessNameAndID(aProcesses[i]);
}
}
When the password dialog is displayed, we can use the code above to patch the tmp file, then continue the installation with our own password.
thx again to all of u
Good Luck & Regards.