#1
|
|||
|
|||
Extracting file from MSI package
Hi,
I'm trying to crack (or keygen) a software where the serial is validated at setup time. I've unpacked the MSI content using the "msiexec /a /pb" command line switches or using lessmsi utility. However, the file used to validate the serial number is missing. I've looked with ORCA and I've found that it uses CustomAction (_serial_verifyCA_isx and _serial_verifyCA_isx_helper). The property SERIALNUMVALDLL is set to <ISProjectFolder>\dlls\serialnumber3\debug\ValidateSN.dll Does anyone have an idea on how to extract the "ValidateSN.dll" ? (I didn't find the file in the temp folder and I've tried to dump the msiexec memory with no luck so far). Thank you. |
#2
|
|||
|
|||
I"ve similar issue - with the same dll name!
you have to inspect carefully each dll in temp dir (with stange names like ~blabla.tmp,etc! I recommend to search by contents for validate word but do it when app is asking s/n, not after it was closed. the dll definitely must be present in temp dir! you could also use procmon to monitor when it'll be written there.... good luck |
#3
|
|||
|
|||
jsMSIx.exe worked quite okay for me. There was also MsiStudio but I didn't test newer versions. I've used an older version a few times and it worked very well, but it is commercial (and much more powerful).
|
#4
|
|||
|
|||
put break on LoadLibraryExW (take a look at stack, there is filename), then but break inside LoadLibraryExW after LdrLoadDll call, then you can try to directly forward to export name (CTRL+G in olly) or search your dll in module list (ALT+M in olly)
|
#5
|
|||
|
|||
Most the MSI unpacking tools will only unpack the *.CAB files inside the MSI, they will ignore any files outside the *.CAB, but still embedded in the MSI.
Extracting these files can be a bit tricky, one easy way is to simply prevent the files from being deleted. This can be done by breaking on DeleteFile or (if available) by telling your host intrusion prevention system to deny the file delete privilege to any application. If breaking on DeleteFile will not work, the file handle will have the "delete on close" flag set and you will have to start looking there. A HIPS will prevent this trick. LoadLibrary might be called many times before you see the call you're looking for. Is the MSI you're working with available for public download? |
#6
|
|||
|
|||
try MSI Plus plugin for Total Commander
http://www.totalcmd.net/plugring/msiplus.html |
#7
|
|||
|
|||
Last update 6 years ago, does it still crack the latest MSIs?
|
#8
|
|||
|
|||
you can try SuperOrca
|
#9
|
||||
|
||||
Universal Extractor is OK: _http://legroom.net/software/uniextract
or try the open source WIX from Microsoft.
__________________
AKA Solomon/blowfish. |
#10
|
|||
|
|||
I usually use "Wise.Installation.Studio" which can open .msi files and covert to wise format as well.
using "Wise.Installation.Studio" you can make a new setup after doing all required changes in .msi file (replacing files, ...). You can also produce a new .msi file. |
#11
|
|||
|
|||
Scriptlogic MSI Studio Professional Edition
use Scriptlogic MSI Studio Professional Edition work fine
|
#12
|
|||
|
|||
Quote:
you're right, the dll is unpacked in temporary folder but just when the serial check is made. I thought that by displaying the serial number dialog box is enough to find the required DLL but this is not the case. Thank you all for your help. By the way, the app is Wowza media server. |
#13
|
|||
|
|||
Well, that dll is not the point you should pay your time for....
why? because it does not have the full s/n validator as the java classes have..... it accepts even fake s/n, here is an example: 00000-99999-00000-00000-00000-0000z again, the real s/n validator is hidden deep deep down in a highly obfuscated java code (yes, not names, but java code!) you'll have a real fun reversing it, I guarantee it to you if you are interestd, I could post the validation code for S/N from that tricky dll..... half a screen page |
#14
|
|||
|
|||
You're right. I've found that any expired key will be accepted with no problem.
I've played a little bit with the server.jar and FileChunk class and it seems that even the JD-GUI doesn't decompile it. Back to java disassembly to see what to do with. Thank you |
#15
|
|||
|
|||
Or just use msiexec command line like :
msiexec /a youMSIfile.msi TARGETDIR="Path:\\where\You\Want\The\File" This will do an administrative install, you should then get the files with the all Folder tree from inside the msi |
The Following User Gave Reputation+1 to For This Useful Post: | ||
|roe (06-15-2012) |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
unlinker IDA - an IDA plugin for extracting functions from a PE file for later reuse | jonwil | Community Tools | 10 | 02-26-2022 04:48 |
unlinker - a program for extracting functions from a PE file for later reuse | jonwil | Community Tools | 5 | 11-25-2016 08:24 |
Self Extracting Exe | SLIM SLIM | General Discussion | 0 | 12-17-2002 04:34 |