Old 02-10-2006, 02:02
cnbragon/iPB
 
thx to all of u
I've got an idea to defeat the InnoSetup's password protection.
Of course we can patch the MD5 HashString to pass the installation process, and furthermore we can make a patch just like this.
Get address of the const MD5 hashstring in is-*****.tmp first.
In our patch, call EnumProcess to get the process whose name is just like is-*****.tmp.
Then call ReadProcessMemory to get the hashstring and CRC it to check whether it is the target tmp file that we need. If it is, call WriteProcessMemory to patch the string with our own password MD5 hashstring.
It seems that it works on some of my test setup programs.

First, load is-*****.tmp into OD, and search for the text "PasswordCheckHash";
then you will find code like this:

Code:
mov     edx, 0046E51C                    ; ASCII "PasswordCheckHash"
mov     eax, esp                            // This is MD5 Context
mov     ecx, 11
call    00430048
mov     edx, 004AE160        // this is the const pad message  
mov     eax, esp
mov     ecx, 8
call    00430048
mov     eax, ebx
call    0040358C
mov     ecx, eax
mov     edx, ebx
mov     eax, esp        
call    00430048
lea     edx, [esp+58]
mov     eax, esp
call    004300F8
mov     edx, 004AE150       // this is the const hashstring's base address
lea     eax, [esp+58]  // this is our own password hashstring
call    00430AB0
The constant pad message varies between applications.
Code:
#include <windows.h>
#include "psapi.h"
#include <tchar.h>

#pragma comment (lib,"psapi.lib")

// Looks up the base name of the main module of process `processID` and, if
// that name is 12 characters long and starts with "is-" (the is-*****.tmp
// pattern named in the post), reopens the process with PROCESS_ALL_ACCESS,
// compares its image size against one hard-coded value and writes 16 bytes
// at one hard-coded address.  Everything after the name test is tied to a
// single build of the target; nothing here is generic.
//
// Defender's note: the sequence OpenProcess(PROCESS_ALL_ACCESS) on another
// process followed by WriteProcessMemory into it is exactly the behaviour
// host-based monitoring (EDR / process-access telemetry) keys on.  On the
// installer side, a password check performed on the user's machine is not a
// trust boundary; the payload stays protected only if it is encrypted with
// the password (Inno Setup's Encryption directive) rather than gated by a
// hash comparison that lives in writable process memory.
void PrintProcessNameAndID(DWORD processID)
{
	// Default shown if the module name cannot be read.
	TCHAR szProcessName[MAX_PATH]=TEXT("<unknown>");
	// First open is query/read only; the write-capable handle is taken later.
	HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
	if(hProcess!=NULL)
	{
		HMODULE hMod;
		DWORD cbNeeded;
		// Only the first module (the executable itself) is requested.
		if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&cbNeeded))
		{
			// Return value not checked: on failure szProcessName keeps
			// "<unknown>" (9 chars), so the length test below simply fails.
			GetModuleBaseName(hProcess,hMod,szProcessName,sizeof(szProcessName)/sizeof(TCHAR));
		}
		// 12 == length of "is-xxxxx.tmp".
		if(lstrlen(szProcessName)==12)
		{
			TCHAR innosetup[4];
			TCHAR szConst[]=TEXT("is-");
			// innosetup is zeroed first, so the 3-char copy is NUL-terminated.
			// NOTE(review): the 4 and 3 are byte counts, so this prefix copy
			// is only correct when TCHAR is char (non-UNICODE build) -- confirm.
			memset(innosetup,0,4);
			memcpy(innosetup,szProcessName,3);
			if(lstrcmp(innosetup,szConst)==0)
			{
				// Release the read-only handle and reopen with full rights.
				CloseHandle(hProcess);
				hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
				if(hProcess)
				{
					_tprintf(TEXT("%s PID: %u\n"),szProcessName,processID);
					MODULEINFO ModInfo;
					if(GetModuleInformation(hProcess,hMod,&ModInfo,sizeof(MODULEINFO)))
					{
						// Image size is used as a fingerprint of one specific build.
						if(ModInfo.SizeOfImage==0x000C0000) 
						{
							// Address is hard-coded for that same build.
							DWORD BaseAddress=0x00482143;
							// szBuffer is never assigned in this function; cbRead
							// receives the number of bytes written and the call's
							// return value is not checked.  Reproduced as posted,
							// including the missing ';' and the brace layout below.
							BYTE szBuffer[16];SIZE_T cbRead;
WriteProcessMemory(hProcess,LPVOID(BaseAddress),szBuffer,16,&cbRead)
	}					}
					}
				}
			}
		}
		// Closes whichever handle is current (read-only or full-access).
	    CloseHandle(hProcess);
	}
	else
	{
		// OpenProcess failed (typically access denied or a stale PID).
		_tprintf(TEXT("Error\n"));
	}
}

// Enumerates every process ID on the system and hands each one to
// PrintProcessNameAndID.  Returns silently if EnumProcesses fails.
// The PID array is a fixed 1024 entries; NOTE(review): presumably a system
// with more processes gets a truncated list here -- verify against the
// EnumProcesses documentation.
void main()
{
	DWORD pidList[1024];
	DWORD bytesReturned;
	if(!EnumProcesses(pidList,sizeof(pidList),&bytesReturned))
	{
		return;
	}
	// bytesReturned is a byte count; convert it to a number of entries.
	DWORD pidCount=bytesReturned/sizeof(DWORD);
	DWORD idx=0;
	while(idx<pidCount)
	{
		PrintProcessNameAndID(pidList[idx]);
		idx++;
	}
}
When the password dialog is displayed, we can use the code above to patch the tmp file, then use our own password to continue the installation.

thx again to all of u

Good Luck & Regards.

Last edited by cnbragon/iPB; 02-10-2006 at 09:23.