#1
Hi everybody,
I've been trying to crack this msi file. I've read the tutorials on the web and I can't seem to figure this one out. It's a fairly standard setup - it asks for name, company and password. I just wanted to get past the password bit. So this is what I have so far.

1. I've tried various installshield decompilers etc. that are available for older versions on the web and they don't work.
2. According to one tutorial I'd read, they use Wise for Windows Installer to hack the script so that you could find the "DoNext" function associated with the serial check and then set the condition to always bypass it. I installed Wise for Windows, and opened the msi file. It asked me if I wanted to convert to a Wise script. I said yes and hit next. After about 3 minutes of processing Wise would crash.
3. Instead I tried Installshield 9.5. This one works better; in fact it displays all the dialogs and methods, and I can actually see the details and conditions that the NEXT button points to.
4. As per the tutorial, I set the condition accordingly and saved the file.
5. When I run it I get an error telling me there's something wrong with the script.
6. Okay, the simple thing didn't work. Let's look a little deeper. The DoAction of the Next button has "LicenseCheck" as the Argument and Condition as "1". Changing this to "0" obviously didn't do the trick. A little more searching and I find LicenseCheck is a custom action (i.e. a user-defined function that the script can access) and the function is called from a dll. I don't want to reveal names here but let me just say that the dll name isn't a standard win system dll.
7. So now I start Filemon and see which dlls are loaded. I find nothing even remotely resembling the dll filename.
8. This is where I am right now - stuck because I can't find out where this function is loaded from. As a desperate method, in the custom actions dialog for CheckLicense, I delete the name of the function that is being called. This just causes a CKSUM error on running the installer.

So even though the custom action says it's using a function from a dll file, I'm not absolutely sure. For all I know it could be stored in the install script itself. This is my very first installshield cracking project and I really don't know too much about installshield, to tell you quite frankly, so if anybody has any pointers, hints or some more tutorials that deal with newer targets, it would be truly appreciated.

Thanks
Sailor_EDA
#2
So far I haven't seen a *.msi install file that needs a password for installation.
Most of the time InstallShield is used with a greyed OK button, and when it is ungreyed (or the correct password is entered), the msi installer starts (you can see this by looking in the \temp folder). Try with a bp like "lstrcmpA" and similar. However, have you tried some msi extractors like MsiEx 0.2 [tulipfan] (hxxp://www.wasm.ru/all.php?mode=tool)? Works fine for me (after you have the *.msi file from \temp of course).
#3
Total Commander with MSI plugin is also OK with *.msi files.
__________________
AKA Solomon/blowfish.
#4
Try the following:
- Check for a temp directory where the installation bootstrap files are located. The dll is probably there, at least if you're stopped at the error box.
- Debug the install process and set it to break on LoadLibrary or on GetProcAddress; it should occur when you press Next with an invalid serial.

In a process monitor you won't see the dll in the loaded modules list, because it normally is loaded when the function is called, executed, and then freed - hence the 2 breakpoints I have suggested. The dll isn't actually linked with the installation process, so it's only loaded when needed.
#5
I suggest to try the Windows Installer Editor from Wise Package Studio.
So far I found that it is the best tool for editing .msi installer files (delete, replace components, edit scripts, etc). Custom dlls for authorization can be found in "Project definitions\resources" - simply reverse the existing one, write your own with the necessary features, and replace the original dll (sometimes it's possible to simply delete the original security dll).
#6
An essay in Russian about them:
http://www.wasm.ru/article.php?article=msi

WBR and Happy New Year!
#7
Mkz,
Thanks for your tips. Sorry I haven't replied in a long time as I was away for Christmas - I have some questions though.

In Olly, I did a bpx on LoadLibrary and GetProcAddress but there seem to be too many places from which this is happening. Any tips for how I should go about this under Ollydbg?

Also, I can't find any temp dirs being created or accessed (although I can use winrar to look into the .msi archive - though none of the dlls there seem to be the ones with the check serial function, but I could be mistaken on this).

I have yet to look at the Russian site, I should probably do that.

Thanks
#8
Did you activate the BPX's from the start, or only in the screen immediately before the check, just before pressing Next and getting the error?