Results 1 to 11 of 11

Thread: installshield or msi ?

  1. #1
    The Keeper
    Guest

    installshield or msi ?

    hello, i have a program.msi which when launched seems to be a install shield protection, but when i reach the serial part and enter
    name/comp/serial and search all HD for *.ins and *.inx nothing is found, can it be the MSI protection instead of the install shield one ? if so any hints, any hints at all is appreciated.

    thanks in advance
    The Keeper
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815

    prolly msi

    My guess is it's a real life red blooded msi package, which uses the windows installer service.

    What I have seen done in MSI installers with reg code entry is a DLL that is in the binary table in the MSI, which gets extracted into memory and run, and the reg code is passed to it to determine valid or not. So you would have to extract the DLL and then you could reverse that to determine how to get a good code.

    You can use a tool called "Orca" from the microsoft website to open MSI file databases and modify / whatever you wish to them. Theoretically, you could make it skip over the reg dialog, but this would only work if the program never checks later again.

    In numerous books and readings, this is why it is a BAD IDEA to have the installer take care of reg codes or anything like that. BAD !


    -nt20

  3. #3
    The Keeper
    Guest

    hi

    hello

    i have extracted the content of the msi file with msiexec /a file.msi
    i have the program and i can install it manually if i want but then it wouldnt be cracking, im thinking now, to be sure if its the msi protection or the install shield, i just need to see a pic of how a regbox of a install shield is, this one asks for

    Name
    Organization
    Serial number (format 1111-111111-11)

    doesnt this look like install shield ? if anyone got pics of the reg screen of both i'd like to see it =)

    there is a data.cab in the same dir as the msi too, i opened it and it has some long name files with hex digits at the end.
    btw, i tried to get orca but it is inclkuded in sdk only could u upload somewhere if u have it standalone ?

    anything that helps is welcome
    thanks in advance
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    DakienDX
    Guest
    Hello The Keeper !

    If you have a .MSI file as setup executable, it's Windows Installer for sure.

    All dialogs are completely customizable, so how it asks for the serial number is not the point here to identify it.
    (In InstallShield "normal" you can also customize all dialogs)

    InstallShield can produce two output formats, the "normal" InstallShield and the .MSI. So two installation can look the same but are still different.

    If you can read the .CAB file, it's a Windows .CAB file, so it's Windows Installer again. (InstallShield "normal" uses .CAB files too, but they have nothing in common expect the extension)

    The MSI SDK is about 7MB and Orca is about 2MB, so why should anybody download it, unpack it and upload Orca somewhere seperatly?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    The Keeper
    Guest

    hello

    Hello Dakien,

    i've clicked to download the sdk and it tells me

    Confirm Install Selections

    --------------------------------------------------------------------------------

    Download size: 43.4 MB
    Install size required: 92.4 MB

    Drive space available: 0 KB Download Time: @56.6 1 hr 46 min
    @256 23 min
    @1536 4 min

    where can i get this small one ? thanks again, so its msi, anyone ever reversed the serial scheme of a msi installer ? any hints are appreciated now, all my bp are failing but i dont think i should debug the msi virtual machine and yes the "place"(dll?) which generates the serial

    thanks in advance
    Keeper
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    DakienDX
    Guest
    Hello The Keeper !

    Here's the direct download link to the file.

    http://msdn.microsoft.com/msdn-files/027/001/457/IntelSDK.msi (8670KB)

    Maybe you found the wrong SDK with the search function.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    actually as soon as the sdk is installed orca.msi is laying around on your harddrive... unless you remove it of course... if anybody feels more like grabbing orca at 2.4MB the the full SDK at 8.6MB (atleast the one i have... you can grab it from http://nervgaz.ath.cx/Orca.msi
    Last edited by NervGaz; September 4th, 2002 at 21:53.

  8. #8
    The Keeper
    Guest

    dll

    hello,

    thanks dakien, nerz, niko

    any of u guys know how to identify where a dll ends ? i found where it starts by the MZ but not where it ends..i believe that its with 00's but if any of u know a way that i can be 100% sure that i reached the end of a dll

    regards
    keeper
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    how do you mean when does it end... is it inside something else?... in that case just grab everything after the MZ and the take a look at it in LordPE or something else to get the imagesize... and just delete everything after that... bah. too tired to give a really good explanation right now... hope you know what i mean

  10. #10
    The Keeper
    Guest

    ye i tried that

    hello nerz, yes its inside something else, yes understood what u mean, i did that before posting, but before i opened the procs.dll in lordpe dir to check if the imagesize was == dll size but it isnt

    see: size of image 00005000 (20480d)
    file attributes: size: 8,5kb, 8,704 bytes 65.536 bytes used

    am i doing something wrong ?

    Keeper
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    DakienDX
    Guest
    Hello The Keeper !

    The DLLs are stored in the .MSI file. They're extracted and loaded when they're need and unloaded and deleted after they've been used.

    You can be lucky and the DLL shows you an "invalid serial" message. If this happens, you can find the DLL file in your Windows TEMP directory.

    But this wouldn't be Win2000 compatible as defined by Microsoft. So the installer loads the DLL, gets the return value, deletes it again and shows the message according the the return value in normal Windows Installer dialogs without help of the DLL.

    So the best would be run the installation, get to the serial check, set a breakpoint on DeleteFile (both A and W depeding on OS) and enter a false serial number. You should break then. Modify the filename to be deleted so the DeleteFile function will fail. (give it a good return value so everything seems fine to the installer)

    Now you've the DLL verifying the serial.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Learning to RE installshield, am i doing it right?
    By ear plug in forum The Newbie Forum
    Replies: 2
    Last Post: October 28th, 2004, 17:20
  2. installshield 6.0 scripting trouble
    By archmage in forum Advanced Reversing and Programming
    Replies: 4
    Last Post: December 15th, 2002, 15:00
  3. installshield
    By silverstorm in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: May 22nd, 2002, 19:38
  4. passwords used in installshield
    By racasan in forum Malware Analysis and Unpacking Forum
    Replies: 12
    Last Post: November 6th, 2001, 15:09
  5. installshield 6
    By deadkid in forum Malware Analysis and Unpacking Forum
    Replies: 9
    Last Post: September 25th, 2001, 12:53

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •