Exetools


new_profile 12-09-2011 03:31

Extracting file from MSI package
 
Hi,
I'm trying to crack (or keygen) a piece of software where the serial is validated at setup time. I've unpacked the MSI content using the "msiexec /a /pb" command line switches or using the lessmsi utility. However, the file used to validate the serial number is missing.
I've looked with ORCA and I've found that it uses CustomAction (_serial_verifyCA_isx and _serial_verifyCA_isx_helper). The property SERIALNUMVALDLL is set to <ISProjectFolder>\dlls\serialnumber3\debug\ValidateSN.dll

Does anyone have an idea on how to extract the "ValidateSN.dll" ?

(I didn't find the file in the temp folder and I've tried to dump the msiexec memory with no luck so far).

Thank you.

sendersu 12-09-2011 04:11

I've a similar issue - with the same dll name!
You have to carefully inspect each dll in the temp dir (with strange names like ~blabla.tmp, etc.)!
I recommend searching by contents for the word "validate",
but do it when the app is asking for the s/n, not after it was closed.
The dll definitely must be present in the temp dir!
You could also use procmon to monitor when it'll be written there....
Good luck

mcp 12-09-2011 04:26

jsMSIx.exe worked quite okay for me. There was also MsiStudio but I didn't test newer versions. I've used an older version a few times and it worked very well, but it is commercial (and much more powerful).

Av0id 12-09-2011 17:16

Put a break on LoadLibraryExW (take a look at the stack, the filename is there), then put a break inside LoadLibraryExW after the LdrLoadDll call, then you can try to go directly to the export name (CTRL+G in Olly) or search for your dll in the module list (ALT+M in Olly).

Kerlingen 12-09-2011 18:09

Most of the MSI unpacking tools will only unpack the *.CAB files inside the MSI; they will ignore any files outside the *.CAB that are still embedded in the MSI.

Extracting these files can be a bit tricky. One easy way is to simply prevent the files from being deleted. This can be done by breaking on DeleteFile or (if available) by telling your host intrusion prevention system to deny the file delete privilege to any application. If breaking on DeleteFile will not work, the file handle will have the "delete on close" flag set and you will have to start looking there. A HIPS will prevent this trick.

LoadLibrary might be called many times before you see the call you're looking for.

Is the MSI you're working with available for public download?

BorJa 12-10-2011 19:55

Try the MSI Plus plugin for Total Commander
http://www.totalcmd.net/plugring/msiplus.html

sendersu 12-11-2011 03:01

Last update 6 years ago, does it still crack the latest MSIs?

Av0id 12-12-2011 13:36

You can try SuperOrca.

WhoCares 12-12-2011 19:54

Universal Extractor is OK: _http://legroom.net/software/uniextract
or try the open source WIX from Microsoft.

copyleft 12-12-2011 22:45

I usually use "Wise.Installation.Studio", which can open .msi files and convert them to Wise format as well.
Using "Wise.Installation.Studio" you can make a new setup after doing all required changes in the .msi file (replacing files, ...).
You can also produce a new .msi file.

hp3 12-14-2011 00:04

Scriptlogic MSI Studio Professional Edition
 
Use Scriptlogic MSI Studio Professional Edition, it works fine.

new_profile 12-17-2011 05:09

Quote:

Originally Posted by sendersu (Post 76248)
I've a similar issue - with the same dll name!
You have to carefully inspect each dll in the temp dir (with strange names like ~blabla.tmp, etc.)!
I recommend searching by contents for the word "validate",
but do it when the app is asking for the s/n, not after it was closed.
The dll definitely must be present in the temp dir!
You could also use procmon to monitor when it'll be written there....
Good luck

Hi,
You're right, the dll is unpacked in the temporary folder, but only when the serial check is made. I thought that displaying the serial number dialog box was enough to find the required DLL, but this is not the case.

Thank you all for your help.
By the way, the app is Wowza media server.

sendersu 12-17-2011 06:45

Well, that dll is not what you should spend your time on....
Why? Because it does not have the full s/n validator that the java classes have.....

It accepts even a fake s/n, here is an example:
00000-99999-00000-00000-00000-0000z

Again, the real s/n validator is hidden deep deep down in highly obfuscated java code (yes, not names, but java code!)
You'll have real fun reversing it, I guarantee you.

If you are interested, I could post the validation code for the S/N from that tricky dll.....
Half a screen page.

new_profile 12-17-2011 22:28

You're right. I've found that any expired key will be accepted with no problem.
I've played a little bit with the server.jar and FileChunk class and it seems that even the JD-GUI doesn't decompile it.
Back to java disassembly to see what to do with.

Thank you

uCares 06-14-2012 01:51

Or just use the msiexec command line, like:

msiexec /a youMSIfile.msi TARGETDIR="Path:\\where\You\Want\The\File"

This will do an administrative install; you should then get the files with the whole folder tree from inside the msi.

