EXETOOLS FORUM  

  #1  
Old 02-08-2006, 03:41
cnbragon/iPB
Guest
 
Posts: n/a
Answered: Sth. about InnoSetup's passwords

The setup programs of apps which use InnoSetup can set a password protection.
When you install the app, it will display a Password Dialog which needs you to input the correct password which was set by the app's author.
The setup program will create two folders named like is-*****.tmp
in "%Temp%\Local Settings\Temp", in which there is an is-*****.tmp file;
the CheckPassword routine is in there.
InnoSetup will use the MD5 algorithm to hash the password as follows:
pad the message first with "PasswordCheckHash", then with
Code:
"0x91,0xA1,0x96,0xDC,0x8C,0x56,0x98"
and last the password which we input.
After it has been hashed, it will compare the hash string with a const string which is the correct password's hash string.
It seems that the correct password's hash string was set by InnoSetup when making the install program.
So the problem is: can we get the correct password other than by brute force?
Anyone got an idea?
Sorry for my poor English.

regards

Last edited by cnbragon/iPB; 02-08-2006 at 14:39.
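Added example, not from cnbragon/iPB's post and not Inno Setup's own source: the check-hash computation exactly as the post describes it (MD5 over the literal "PasswordCheckHash", then the per-installer pad bytes, then the typed password), written in Python. The salt and password are constructed values for this example: the disassembly quoted later in the thread feeds 8 pad bytes to the MD5 update (`mov ecx, 8`) while the post lists seven, so the 8-byte salt below is an assumption, not a real installer's value. The functions are the installer-side check only; the last one shows that the same password gives a different check value under a different salt, so a check value is specific to one installer.

```python
import hashlib
import hmac

# Literal prefix named in the post. Its length, 17 (0x11), matches the
# "mov ecx, 11" in the disassembly quoted later in the thread.
PASSWORD_CHECK_PREFIX = b"PasswordCheckHash"

# Constructed 8-byte salt for this example (assumption: the disassembly
# passes 8 bytes of pad message; a real installer carries its own value).
EXAMPLE_SALT = bytes([0x91, 0xA1, 0x96, 0xDC, 0x8C, 0x56, 0x98, 0x00])


def password_check_hash(password: bytes, salt: bytes) -> bytes:
    """MD5("PasswordCheckHash" || salt || password), in the order the post gives."""
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    h = hashlib.md5()
    h.update(PASSWORD_CHECK_PREFIX)   # first update: the literal prefix
    h.update(salt)                    # second update: the per-installer pad bytes
    h.update(password)                # third update: what the user typed
    return h.digest()                 # 16 raw bytes, the size of the const hashstring


def verify_password(candidate: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Installer-side check: recompute and compare with the embedded 16-byte value."""
    return hmac.compare_digest(password_check_hash(candidate, salt), stored_hash)


def salt_changes_hash(password: bytes, salt_a: bytes, salt_b: bytes) -> bool:
    """True when two different salts give different check values for one password."""
    return password_check_hash(password, salt_a) != password_check_hash(password, salt_b)


if __name__ == "__main__":
    # What the compiler would embed for the constructed password, and the check against it.
    stored = password_check_hash(b"example-password", EXAMPLE_SALT)
    print("stored check hash:", stored.hex())
    print("correct password accepted:", verify_password(b"example-password", EXAMPLE_SALT, stored))
    print("wrong password accepted:  ", verify_password(b"wrong", EXAMPLE_SALT, stored))
    print("different salt, different hash:", salt_changes_hash(b"example-password", EXAMPLE_SALT, bytes(8)))
```

`hmac.compare_digest` is used for the comparison so the check does not leak how many leading bytes matched; the installer's own comparison routine is not shown on the page, so that choice is this example's, not Inno Setup's.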
  #2  
Old 02-08-2006, 15:24
taos
The Art Of Silence
 
Join Date: Aug 2004
Location: In front of my screen
Posts: 541
You must patch the MD5 comparison; it's the only way.
  #3  
Old 02-08-2006, 16:42
DARKER
VIP
 
Join Date: Jul 2004
Location: EU
Posts: 165
Or you can try to calculate your own passwd and patch the PasswdHashString with your values. Then just enter your own passwd in the Passwd Dialog :-)
  #4  
Old 02-08-2006, 19:05
cnbragon/iPB
Guest
 
Posts: n/a
Thanks for your replies.
Yes, we can patch the internally set const PasswordHashString with our values.
We can find that in the is-*****.tmp file and patch the tmp file; this way we can pass the install process.
But can we patch the setup.exe rather than the tmp file?
If you search for the const hashstring in the setup.exe, the result of course is null, because the file is compressed.
I have traced the setup.exe to find the decompress procedure; it seems the decompress algorithm makes sb. crazy.
So another problem is how to find the const hashstring in the setup.exe? In other words, how does InnoSetup compress and decompress the file?
  #5  
Old 02-08-2006, 20:04
taos
The Art Of Silence
 
Join Date: Aug 2004
Location: In front of my screen
Posts: 541
You can pause setup.exe JUST when CreateFileA (or others) is called (with Olly), then patch the tmp file and continue setup.exe execution.
  #6  
Old 02-08-2006, 22:33
NeOXOeN
VIP
 
Join Date: Jan 2005
Posts: 258
I still think that the best and easiest way is to patch the cmp/jmp.. you can't get the password out..

bye
  #7  
Old 02-08-2006, 23:41
Asus
VIP
 
Join Date: Feb 2005
Posts: 463
TSRh released a tool last month to catch the pwd for Inno Setup. You should check with them for the easy way :-)
  #8  
Old 02-10-2006, 02:02
cnbragon/iPB
Guest
 
Posts: n/a
thx to all of u
I've got an idea to defeat InnoSetup's password protection.
Of course we can patch the MD5 HashString to pass the installation process, and furthermore we can make a patch just like this:
Get the address of the const MD5 hashstring in is-*****.tmp first.
In our patch, call EnumProcesses to get the process whose name is like is-*****.tmp.
Then call ReadProcessMemory to get the hashstring and CRC it to check if it is the target tmp file that we need. If it is, call WriteProcessMemory to patch the string with our own password's MD5 hashstring.
It seems that it works on some of my test setup programs.

First, load is-*****.tmp into OD and search for the text "PasswordCheckHash";
then you will find code like this:

Code:
mov     edx, 0046E51C                    ; ASCII "PasswordCheckHash"
mov     eax, esp                            // This is MD5 Context
mov     ecx, 11
call    00430048
mov     edx, 004AE160        // this is the const pad message  
mov     eax, esp
mov     ecx, 8
call    00430048
mov     eax, ebx
call    0040358C
mov     ecx, eax
mov     edx, ebx
mov     eax, esp        
call    00430048
lea     edx, [esp+58]
mov     eax, esp
call    004300F8
mov     edx, 004AE150       // this is the const hashstring's base address
lea     eax, [esp+58]  // this is our own password hashstring
call    00430AB0
The const pad message varies between different apps.
Code:
#include <windows.h>
#include "psapi.h"
#include <tchar.h>
#include <string.h>

#pragma comment (lib,"psapi.lib")

void PrintProcessNameAndID(DWORD processID)
{
	TCHAR szProcessName[MAX_PATH]=TEXT("<unknown>");
	HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
	if(hProcess!=NULL)
	{
		HMODULE hMod=NULL;
		DWORD cbNeeded;
		if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&cbNeeded))
		{
			GetModuleBaseName(hProcess,hMod,szProcessName,sizeof(szProcessName)/sizeof(TCHAR));
		}
		if(lstrlen(szProcessName)==12)	// "is-XXXXX.tmp" is 12 characters long
		{
			TCHAR innosetup[4];
			TCHAR szConst[]=TEXT("is-");
			memset(innosetup,0,sizeof(innosetup));			// sizeof(), so it is right for both ANSI and UNICODE builds
			memcpy(innosetup,szProcessName,3*sizeof(TCHAR));	// copy only the first three characters
			if(lstrcmp(innosetup,szConst)==0)
			{
				CloseHandle(hProcess);
				hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
				if(hProcess)
				{
					_tprintf(TEXT("%s PID: %u\n"),szProcessName,processID);
					MODULEINFO ModInfo;
					if(GetModuleInformation(hProcess,hMod,&ModInfo,sizeof(MODULEINFO)))
					{
						if(ModInfo.SizeOfImage==0x000C0000)	// image size of the tmp file this was tested on; differs per setup
						{
							DWORD BaseAddress=0x00482143;		// address of the const hashstring in that image
							BYTE szBuffer[16]={0};				// the 16-byte MD5 hashstring of our own password goes here (left unfilled in the post)
							SIZE_T cbWritten;
							WriteProcessMemory(hProcess,(LPVOID)BaseAddress,szBuffer,sizeof(szBuffer),&cbWritten);
						}
					}
				}
			}
		}
		if(hProcess) CloseHandle(hProcess);
	}
	else
	{
		_tprintf(TEXT("Error\n"));
	}
}

int main()
{
	DWORD aProcesses[1024], cbNeeded, cProcesses,i;
	if(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
		return 1;
	cProcesses=cbNeeded/sizeof(DWORD);
	for(i=0;i<cProcesses;i++)
	{
		PrintProcessNameAndID(aProcesses[i]);
	}
	return 0;
}
When the password dialog displays, we can use the code above to patch the tmp file, then use our own password to go on with the installation.

thx again to all of u

Good Luck & Regards.

Last edited by cnbragon/iPB; 02-10-2006 at 09:23.
  #9  
Old 02-10-2006, 03:41
NeOXOeN
VIP
 
Join Date: Jan 2005
Posts: 258
Asus, can you tell me where to get this tool? I was looking on their site and with Google and I can't find it..

here is a nice unpacker: http://innounp.sourceforge.net/


bye

Last edited by NeOXOeN; 02-10-2006 at 03:49.
  #10  
Old 02-10-2006, 06:10
cnbragon/iPB
Guest
 
Posts: n/a
to NeOXOeN:
I think the tool which Asus suggests is setup.factory.password.recovery.1.1.tool-tsrh, am I right? But that's for Setup Factory, not for InnoSetup.

I've written a tool to defeat InnoSetup's password protection; the source code is just like what I've posted.
I've tested several apps and it works perfectly.

regards

Last edited by cnbragon/iPB; 02-10-2006 at 09:25.
  #11  
Old 02-10-2006, 08:17
crackerabc
Guest
 
Posts: n/a
Nice work cnbragon/iPB!

[EDIT JMI] You don't need to quote a very long Post, just to say "nice work cnbragon/iPB." Just "Nice Work cnbragon/iPB" (if one is already a Junior Member) works just as well and doesn't take up as much room in the database. Just use the "Quick Reply Button in the far Right Bottom Corner of the Post and there is no Quote repeated!]