#1
Sth. about InnoSetup's passwords
Setup programs built with InnoSetup can set password protection. When you install such an app, it displays a Password dialog which requires you to input the correct password, which was set by the app's author. The setup program creates two folders named like is-*****.tmp in "%Temp%\Local Settings\Temp", and in one of them there is an is-*****.tmp file; the CheckPassword routine is in it. InnoSetup uses the MD5 algorithm to hash the password as follows: pad the message first with "PasswordCheckHash", then with PHP Code:
After it has been hashed, it compares the hash string with a constant string, which is the correct password's hash string. It seems that the correct password's hash string is set by InnoSetup when the install program is made. So the problem is: can we get the correct password other than by brute force? Anyone got an idea? Sorry for my poor English. Regards
Last edited by cnbragon/iPB; 02-08-2006 at 14:39.
#2
You must patch the MD5 comparison, it's the only way.
#3
Or you can try to calculate your own password and patch PasswdHashString with your values. Then just put your own password into the Password dialog :-)
#4
Thanks for your replies.
Yes, we can patch the internal constant PasswordHashString with our values. We can find it in the is-*****.tmp file and patch the tmp file; this way we can pass the install process. But can we patch the setup.exe rather than the tmp file? If we search for the constant hash string in setup.exe, the result is of course null, because the file is compressed. I have traced setup.exe to find the decompress procedure; it seems the decompress algorithm makes somebody crazy. So another problem is how to find the constant hash string in setup.exe? In other words, how does InnoSetup compress and decompress the file?
#5
You can pause setup.exe just when CreateFileA (or others) is called (with Olly), then patch the tmp file and continue setup.exe execution.
#6
I still think that the best and easiest way is to patch the cmp/jmp.. you can't get the password out..
bye
#7
TSRh released a tool last month to catch the password for Inno Setup. You should check with them for the easy way :-)
#8
Thanks to all of you.
I've got an idea to defeat InnoSetup's password protection. Of course we can patch the MD5 hash string to pass the installation process, and furthermore we can make a patch like this. Get the address of the constant MD5 hash string in is-*****.tmp first. In our patch, call EnumProcesses to get the process whose name is like is-*****.tmp. Then call ReadProcessMemory to get the hash string and CRC it to check whether it is the target tmp file that we need. If it is, call WriteProcessMemory to patch the string with our own password's MD5 hash string. It seems that it works in some of my test setup programs. First, load is-*****.tmp into OD and search for the text "PasswordCheckHash"; then you will find code like this:
Code:
mov edx, 0046E51C ; ASCII "PasswordCheckHash"
mov eax, esp // This is MD5 Context
mov ecx, 11
call 00430048
mov edx, 004AE160 // this is the const pad message
mov eax, esp
mov ecx, 8
call 00430048
mov eax, ebx
call 0040358C
mov ecx, eax
mov edx, ebx
mov eax, esp
call 00430048
lea edx, [esp+58]
mov eax, esp
call 004300F8
mov edx, 004AE150 // this is the const hashstring's base address
lea eax, [esp+58] // this is our own password hashstring
call 00430AB0
Code:
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
#pragma comment (lib,"psapi.lib")

void PrintProcessNameAndID(DWORD processID)
{
    TCHAR szProcessName[MAX_PATH]=TEXT("<unknown>");
    HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
    if(hProcess!=NULL)
    {
        HMODULE hMod;
        DWORD cbNeeded;
        if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&cbNeeded))
        {
            GetModuleBaseName(hProcess,hMod,szProcessName,sizeof(szProcessName)/sizeof(TCHAR));
        }
        // "is-XXXXX.tmp" is exactly 12 characters long
        if(lstrlen(szProcessName)==12)
        {
            TCHAR innosetup[4];
            TCHAR szConst[]=TEXT("is-");
            memset(innosetup,0,sizeof(innosetup));
            memcpy(innosetup,szProcessName,3*sizeof(TCHAR));
            if(lstrcmp(innosetup,szConst)==0)
            {
                CloseHandle(hProcess);
                hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
                if(hProcess)
                {
                    _tprintf(TEXT("%s PID: %u\n"),szProcessName,processID);
                    MODULEINFO ModInfo;
                    if(GetModuleInformation(hProcess,hMod,&ModInfo,sizeof(MODULEINFO)))
                    {
                        // the image size identifies the particular is-*****.tmp build
                        if(ModInfo.SizeOfImage==0x000C0000)
                        {
                            DWORD BaseAddress=0x00482143; // address of the const hash string in that build
                            BYTE szBuffer[16];            // replacement hash string; left unset in the posted code
                            SIZE_T cbWritten;
                            WriteProcessMemory(hProcess,(LPVOID)BaseAddress,szBuffer,16,&cbWritten);
                        }
                    }
                }
            }
        }
        CloseHandle(hProcess);
    }
    else
    {
        _tprintf(TEXT("Error\n"));
    }
}

int main(void)
{
    DWORD aProcesses[1024], cbNeeded, cProcesses, i;
    if(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded))
        return 1;
    cProcesses=cbNeeded/sizeof(DWORD);
    for(i=0;i<cProcesses;i++)
    {
        PrintProcessNameAndID(aProcesses[i]);
    }
    return 0;
}
Thanks again to all of you. Good Luck & Regards.
Last edited by cnbragon/iPB; 02-10-2006 at 09:23.
#9
Asus, can you tell me where to get this tool? I was looking on their site and with Google, and I can't find it..
Here is a nice unpacker: http://innounp.sourceforge.net/ bye
Last edited by NeOXOeN; 02-10-2006 at 03:49.
#10
To NeOXOeN:
I think the tool which Asus suggests is setup.factory.password.recovery.1.1.tool-tsrh, am I right? But that's for Setup Factory, not for InnoSetup. I've written a tool to defeat InnoSetup's password protection; the source code is just like what I've posted. I've tested several apps and it works perfectly. Regards
Last edited by cnbragon/iPB; 02-10-2006 at 09:25.
#11
Nice work cnbragon/iPB!
[EDIT JMI] You don't need to quote a very long post just to say "nice work cnbragon/iPB." Just "Nice Work cnbragon/iPB" (if one is already a Junior Member) works just as well and doesn't take up as much room in the database. Just use the "Quick Reply" button in the far right bottom corner of the post and there is no quote repeated!]