Exetools  

#1
12-09-2011, 03:31
new_profile
Extracting file from MSI package

Hi,
I'm trying to crack (or keygen) a piece of software where the serial is validated at setup time. I've unpacked the MSI content using the "msiexec /a /pb" command line switches and using the lessmsi utility. However, the file used to validate the serial number is missing.
I've looked with ORCA and I've found that it uses CustomAction (_serial_verifyCA_isx and _serial_verifyCA_isx_helper). The property SERIALNUMVALDLL is set to <ISProjectFolder>\dlls\serialnumber3\debug\ValidateSN.dll

Does anyone have an idea how to extract the "ValidateSN.dll"?

(I didn't find the file in the temp folder and I've tried to dump the msiexec memory with no luck so far).

Thank you.
#2
12-09-2011, 04:11
sendersu
I've similar issue - with the same dll name!
you have to inspect carefully each dll in temp dir (with strange names like ~blabla.tmp, etc.)!
I recommend to search by contents for validate word
but do it when app is asking s/n, not after it was closed.
the dll definitely must be present in temp dir!
you could also use procmon to monitor when it'll be written there....
good luck
#3
12-09-2011, 04:26
mcp
jsMSIx.exe worked quite okay for me. There was also MsiStudio but I didn't test newer versions. I've used an older version a few times and it worked very well, but it is commercial (and much more powerful).
#4
12-09-2011, 17:16
Av0id
put a break on LoadLibraryExW (take a look at the stack, the filename is there), then put a break inside LoadLibraryExW after the LdrLoadDll call, then you can try to go directly to the export name (CTRL+G in olly) or search for your dll in the module list (ALT+M in olly)
#5
12-09-2011, 18:09
Kerlingen
Most of the MSI unpacking tools will only unpack the *.CAB files inside the MSI; they will ignore any files outside the *.CAB that are still embedded in the MSI.

Extracting these files can be a bit tricky; one easy way is to simply prevent the files from being deleted. This can be done by breaking on DeleteFile or (if available) by telling your host intrusion prevention system to deny the file delete privilege to any application. If breaking on DeleteFile does not work, the file handle will have the "delete on close" flag set and you will have to start looking there. A HIPS will prevent this trick.

LoadLibrary might be called many times before you see the call you're looking for.

Is the MSI you're working with available for public download?
#6
12-10-2011, 19:55
BorJa
try MSI Plus plugin for Total Commander
http://www.totalcmd.net/plugring/msiplus.html
#7
12-11-2011, 03:01
sendersu
Last update 6 years ago, does it still crack the latest MSIs?
#8
12-12-2011, 13:36
Av0id
you can try SuperOrca
#9
12-12-2011, 19:54
WhoCares
Universal Extractor is OK: _http://legroom.net/software/uniextract
or try the open source WIX from Microsoft.
#10
12-12-2011, 22:45
copyleft
I usually use "Wise.Installation.Studio", which can open .msi files and convert them to wise format as well.
Using "Wise.Installation.Studio" you can make a new setup after doing all required changes in the .msi file (replacing files, ...).
You can also produce a new .msi file.
#11
12-14-2011, 00:04
hp3
Scriptlogic MSI Studio Professional Edition

Use Scriptlogic MSI Studio Professional Edition, it works fine
#12
12-17-2011, 05:09
new_profile
Quote:
Originally Posted by sendersu
I've similar issue - with the same dll name!
you have to inspect carefully each dll in temp dir (with strange names like ~blabla.tmp, etc.)!
I recommend to search by contents for validate word
but do it when app is asking s/n, not after it was closed.
the dll definitely must be present in temp dir!
you could also use procmon to monitor when it'll be written there....
good luck
Hi,
you're right, the dll is unpacked in the temporary folder, but just when the serial check is made. I thought that displaying the serial number dialog box was enough to find the required DLL, but this is not the case.

Thank you all for your help.
By the way, the app is Wowza media server.
#13
12-17-2011, 06:45
sendersu
Well, that dll is not the point you should pay your time for....
why? because it does not have the full s/n validator as the java classes have.....

it accepts even fake s/n, here is an example:
00000-99999-00000-00000-00000-0000z

again, the real s/n validator is hidden deep deep down in a highly obfuscated java code (yes, not names, but java code!)
you'll have a real fun reversing it, I guarantee it to you

if you are interested, I could post the validation code for S/N from that tricky dll.....
half a screen page
#14
12-17-2011, 22:28
new_profile
You're right. I've found that any expired key will be accepted with no problem.
I've played a little bit with the server.jar and FileChunk class and it seems that even the JD-GUI doesn't decompile it.
Back to java disassembly to see what to do with.

Thank you
#15
06-14-2012, 01:51
uCares
Or just use the msiexec command line, like:

msiexec /a youMSIfile.msi TARGETDIR="Path:\\where\You\Want\The\File"

This will do an administrative install; you should then get the files with the whole folder tree from inside the msi