Results 1 to 14 of 14

Thread: Installshield 7 exe fun

  1. #1

    Installshield 7 exe fun


    Having a bit of fun with this one...

    When running the <App>.exe a single messagebox pops up asking for the password. OK & Cancel buttons but OK is greyed out.

    So, typed in random password. All chars appear as ||||| in the window and OK button stays greyed out so no Softice bpx option.

    Had a look at the .exe with PiED, says its Installshield 2003 stub [overlay]

    Decided to look for strings with WDASM32 which revealed a string "PASSWORD", hmmm promising.

    Opened OllyDbg and put a break on the PASSWORD string which broke a few times before loading the password enter messagebox.

    Saw that in memory a .tmp file was being written.
    Temp file contents:-

    DiskSpace=8000 ;DiskSpace requirement in KB

    Product=<appz name removed for board>
    PackageName=<appz name removed for board>.msi







    [<appz name removed for board>.msi]
    Location=<appz name removed for board>.msi

    So there it was!!! Under [Key], Password=1954169968 !!!!!!!

    But... entering this password does not enable the OK button so I'm still in the dark..

    Tried a few Installshield unpackers but nothing worked.

    Any suggestions greately appreciated.

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    One suggestion would be that you really didn't need to post all that code just to show that there was s listing for "password" in the strings.

    Next, you have not indicated what, if anything you have done to try to solve yourown problem, for example searching here and on the net for information on defeating the protector and/or how such serial protection systems might function. So far, all you've told us you have done is look at the exe in a dissassembler and try the "password" listed in the exe, which didn't work. Were you actually suprised when it didn't?

    Did you even try to set a breakpoint when that "password" might be sitting in memory and/or actually examing and try to trace the code where the "password" might be called???


  3. #3


    Sorry for posting the whole tmp file, thought it might contain info that would help understand the problem.

    Yes, searched this forum (and others) for serial protection tuts and tips but all the serial methods rely on entering dud serials and then bpxs on the OK button which is greyed out in this instance.

    Yes, put bpm on memory access to the exe and tmp file read/write of the password but nothing doing, and yes am using the addr context correctley.

    Yes, searched for Installsheild decrypters, unpackers tips, found a few isextr, isftw, sid Some of these are for isx, ins files which i dont have, just the exe so far.

    Will continue to research but just thought that with the vast knowleadge of the forum you could give me some tips to save time.


    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    My point was that the Rules suggest that you make the statement about the extent of your attempt to help yourself in your "first" post, then I don't have to ask if you did.

    You have stated that you have done some searching, but you didn't indicate that you that you have studied the dissassebled "deadlisting" in the procedure which calls the "password" string to see if it contins any information which may be useful or a place which will permit you to place a breakpoint. And I was suggesting that you try breakpoints when one or the other of the registers may actually contain the "password" from the file, not necessarily on "memory access."

    I don't know if you can read Russian or have access to a translation program, such as Systran, but there has been some good work done on the regarding Installshield (although the analysis was of version 6) by Volodya and others. There is an article titled "Study InstallShield 6+ - the survey of the procedures." It's in the Articles section and is number 19 of the top 50. They Systran translator, available in the wild, make it fairly understandable and might give you some insight.


  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth
    Hi Medic.

    Run the app under filemon. You may see other temp files being created in weird places. They usually vanish when you close the app, but you can save copies for your self in safe folders.
    Pay special attention to files with .dll extentions, or files that despite the name, have PE structure. In my short experience with instshield, that is where the action is. . .

    Do not give up with the serial box yet. you can use BMSG <box handle> WM_KEY. . .
    to try to catch the program analizing your serial on on the fly, or at least see the mod that does the analisis

  6. #6

    Red face

    Hi JMI and Naides,

    Thanks again for your help,

    Have been going at this for several days now, learning more but finding it difficult in deciding on the approach as there are clearly several routes and I'm spending time going down dead ends, but learning as well!!

    Attempted to unpack the Installshield, so far no tools found help.

    Deadlisting studied but the password string relates to the creation of the tmp file which is not what I need.

    Used InCrtl5 to find that the installshield generates a RNG key, so am now looking for brute force approach as I think the PASSWORD created in the tmp file might be the seed for the RNG. Will look at the Filemon route next.

    The memory address where the password is stored is for the Installsheild password which is different to the real password. Have set breaks on access to this but no joy. Will look at WM_KEY to see if I can discover how the installer is monitoring the entered password, guess it might be using PEEKMESSAGE but that breaks allot so will have to try another route.

    Thanks for your thoughts and patience,

    Not had any sleep jet so will have to continue tomorrow

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth
    Quote Originally Posted by Medic
    Hi JMI and Naides,

    The memory address where the password is stored is for the Installsheild password which is different to the real password. Have set breaks on access to this but no joy.
    Consider the fact that the OK button is grayed while you key in the serial, and will turn active when you hit gold. . . The serial is not stored in one place, and then analized, it is analized every time you enter a digit.

    The Bmsg would break inside the system, when the program gets notified someone entered something. You need to learn a bit about message handling, but it will at least tell you the general area where password validation is taking place. PM the app, I will take a look, but I WILL NOT CRACK IT FOR YOU

  8. #8
    I had the same problem with installing another program 'coz there is "Installshield password protection" ; greyed OK button)

    Well , I used Ollydbg and M$ Xp Pro

    snippet from Ollydbg

    Text strings referenced in L***trac:.text, item 64
    Disassembly=PUSH Logitrac.004234E4
    Text string=ASCII "Software\InstallShield\ISWI\7.0\SetupExeLog" ( i guess it is "InstallShield v7" setup used too )

    Solution (?)
    You can use "breakpoint on lstrcmpA" ("bp lstrcmpA") and enter some bogus character , Ollydbg should break , some F8 work untill user code and then just patch some bytes like this:

    0040BF78 FF15 CCF14100 CALL NEAR DWORD PTR DS:[<&KERNEL32.lstrcmpA>]
    0040BF7E 85C0 TEST EAX,EAX ; patch here 85C0 -> 33C0 XOR EAX,Eax
    0040BF80 74 02 JE SHORT LOGITRAC.0040BF84 ; or patch here to JNE

    and then it installs OK

    The "Password" that i could see in EAX register is 1952762995 (on bp) but suprise it's not working. (on my target)
    Last edited by hosiminh; October 22nd, 2004 at 06:08.

  9. #9

    Will explore over the weekend and get back to you
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    InstallShield Password bruteforcing

    tools: ollydbg,radasm+masm for bruter

    reference: CRC and how to Reverse it by Anarchriz/DREAD

    target: <not published here>

    level: bruteforcing/advanced


    1. Password bruteforcing


    first the install package asks for a Pass, well we don't have one!
    lets see how to get around. bp GetWindowTextA works, and we land into the simple checking

    0040BFC8 push 64 ; /Count = 64 (100.)
    0040BFCA push eax ; |Buffer = 00000009
    0040BFCB push 3E8 ; |ControlID = 3E8 (1000.)
    0040BFD0 push [arg.1] ; |hWnd = 002300EA ('Please enter the password',class='#32770')
    0040BFD3 call [<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA
    0040BFD9 test eax,eax
    0040BFDB je short 0040C02B
    0040BFDD push 1 ; /ControlID = 1
    0040BFDF push [arg.1] ; |hWnd = 002300EA ('Please enter the password',class='#32770')
    0040BFE2 call [<&USER32.GetDlgItem>] ; \GetDlgItem
    0040BFE8 mov ecx,[428EF0]
    0040BFEE mov esi,eax
    0040BFF0 lea eax,[local.25]
    0040BFF3 push eax ; /Arg1 = 00000009
    0040BFF4 call 0040BF49 ; \LOGITR~1.0040BF49
    0040BFF9 test esi,esi ; LOGITR~1.0040BF8C
    0040BFFB je short 0040C02B
    0040BFFD movzx eax,al
    0040C000 push eax ; /Enable = TRUE
    0040C001 push esi ; |hWnd = 0040BF8C
    0040C002 call [<&USER32.EnableWindow>] ; \EnableWindow
    0040C008 jmp short 0040C02B

    0040BFFB je short 0040C02B ;;;;;;--- PassGood?

    but we are not interested in patching if we can reverse it..

    0040BFF3 push eax ; /Arg1 = 0012E8E8 ASCII "dummy"
    0040BFF4 call 0040BF49 ; \LOGITR~1.0040BF49

    investigating the CheckPass routine leads to

    0040BF78 call [<&KERNEL32.lstrcmpA>] ; \lstrcmpA

    comparing with hardcoded pass 1952629872

    -------------------- [FOR CURIOUS]
    bp GetTempFileNameA

    INI file:

    -------------------- [/FOR CURIOUS]

    blah, but how to get a working pass?

    0040C16F push esi
    0040C170 push edi
    0040C171 mov edi,ecx
    0040C173 call 0040C057
    0040C178 push -1 ; /Arg3 = FFFFFFFF
    0040C17A push dword ptr [esp+10] ; |/String = "..@"
    0040C17E call [<&KERNEL32.lstrlenA>] ; |\lstrlenA
    0040C184 push eax ; |Arg2 = 0012E8E8 ASCII "dummy"
    0040C185 mov ecx,edi ; |
    0040C187 push dword ptr [esp+14] ; |Arg1 = 77D48065
    0040C18B call 0040C0B0 ; \LOGITR~1.0040C0B0
    0040C190 mov ecx,edi
    0040C192 mov esi,eax
    0040C194 call 0040C099
    0040C199 not esi
    0040C19B push esi
    0040C19C mov ecx,edi
    0040C19E call 0040C0F1
    0040C1A3 pop edi ; LOGITR~1.0040BF5D
    0040C1A4 pop esi ; LOGITR~1.0040BF5D
    0040C1A5 retn 4

    (if can't recognize it yourself peid->kanal can)
    thats a CRC32 routine + this:

    0040C111 movzx eax,byte ptr [ebp-4]
    0040C115 push 3
    0040C117 push eax
    0040C118 call 00415846
    0040C11D xor al,74
    0040C11F push 5
    0040C121 mov [ebp-4],al
    0040C124 movzx eax,byte ptr [ebp-3]
    0040C128 push eax
    0040C129 call 0041581D
    0040C12E xor al,74
    0040C130 push 7
    0040C132 mov [ebp-3],al
    0040C135 movzx eax,byte ptr [ebp-2]
    0040C139 push eax
    0040C13A call 00415846
    0040C13F xor al,74
    0040C141 push 3
    0040C143 mov [ebp-2],al
    0040C146 movzx eax,byte ptr [ebp-1]
    0040C14A push eax
    0040C14B call 0041581D

    which turn out to be rol&ror routines

    - switching to code -

    based on the FACT that crc32 is *reversible*

    edi points to pass string

    invoke StrLen,edi ; length of pass
    invoke CRC32,0,edi,eax ; crc32(pass) ; 0=init, edi=pass, eax=len
    movzx ebx,al
    movzx ecx,ah
    shr eax,16
    movzx edx,al
    movzx eax,ah
    and eax,0FFh
    and ebx,0FFh
    and ecx,0FFh
    and edx,0FFh
    rol ebx,3 ; rol and mix bytes
    ror ecx,5
    rol edx,7
    ror eax,3
    xor bl,74h
    xor cl,74h
    xor dl,74h
    xor al,74h
    mov ch,bl
    mov ah,dl
    and ecx,0FFFFh
    shl eax,16
    or eax,ecx
    cmp eax,1952629872 ; Check if install pass matches


    reverse the obvious:
    mov eax,1952629872
    mov ecx,eax
    shr eax,16
    and ecx,0FFFFh
    mov bl,ch
    mov dl,ah
    and eax,0FFh
    and ebx,0FFh
    and ecx,0FFh
    and edx,0FFh
    xor bl,74h ; first mix & rol
    xor cl,74h
    xor dl,74h
    xor al,74h
    rol al,3
    ror dl,7
    rol cl,5
    ror bl,3
    shl eax,8
    mov al,dl
    shl eax,16
    mov ah,cl
    mov al,bl
    mov esi,eax
    lea edi,tbuf ; then brute

    ; bruteforce something nice :

    invoke StrCpy,edi,T('OneofZero!0000 ')
    leng equ 18
    mov ebx,1000
    inc ebx
    cmp ebx,9999
    jz @F
    invoke DwToStr,ebx,addr [edi+10]

    ; esi=wantedCrc, edi=newPass, leng=length, leng-4= offset where to put RCRC32
    invoke RCRC32,esi,edi,leng,leng-4 ; Calculate Reverse CRC32
    ; coded with the help of Anarchriz's tut.
    ; just take some implementation of crc32
    ; and code it yourself!

    movzx eax,byte ptr [edi+leng-4]
    invoke ChrIsPrint,eax ; Is char printable?
    dec eax
    js @B
    movzx eax,byte ptr [edi+leng-3] ; Is char printable?
    invoke ChrIsPrint,eax
    dec eax
    js @B
    movzx eax,byte ptr [edi+leng-2] ; Is char printable?
    invoke ChrIsPrint,eax
    dec eax
    js @B
    movzx eax,byte ptr [edi+leng-1] ; Is char printable?
    invoke ChrIsPrint,eax
    dec eax
    js @B

    the routine goes trough (its very fast)
    OneofZero!1001Đ.p if printable then break else continue

    edi has a valid pass!

    some passwords:

  11. #11
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Ring -1
    Blog Entries
    Nice work. Are you sure that the passwords will really work though? Normally, passwords are initially checked with an intentionally weak hash algo, but the whole password is then used for the actual decryption. This way, you get very many passwords that match the a bruteforce hash-check, but only the single real password will work in the end anyway for the decryption.

    But then again, of course these guys aren't necessarily that clever, I'm just asking...

  12. #12
    I have tested both passwords with my target, and worked with both versions

  13. #13

    Red face


    Thanks for the tips. Hosiminhs idea about breaking on lstrcmpA took me striaght into the right code.

    Turns out that OK button can be activated by a simple patch which then starts the Install prog proper. It writes isscript.msi and <progname>.msi to the windows temp dir but then must do the serial check again as it fails. It checks for a valid serial (which we've bipassed, then offers a network lic option before exiting...

    msi can not be unpacked and if run on it's own pops up a window to say it must be run from setup.exe

    Went back to the password bit and the encryption lots strong. HDdrive serial number is combined with a RNG to give a 10 digit key (the one given in my first post). Entered a dummy serial to find what number is produced and tried entering that into the tmp file during run time which allows me to enter "my" password and activate the prog correctely but I still get chucked out after the msi starts working so I guess there is a duplicate check in the msi.

    Long night, dont see how the msi route will work so will take another look at bruting the encryption in the morning


    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    If you've got an MSI you can too "unpack it". An MSI is just a database. There is a tool called ORCA which can open an MSI and allow you to browse, edit, and whatever, to the database.

    Of course you have to understand the structure of an MSI to find the stuff you want, so grab a copy of Installshield for Windows Installer or InstallShield 8.0 or X , and practice making some MSI's you'll get familiar with them that way. The Installshield product allows you to edit the MSI tables directly when building an Installer, if you have to. Installshield works with project files only (ISM).

    ORCA opens already compiled MSI files, but the tables you will see will be the same tables as when you design the installer.

    Look thru the actions table, and the binary table, etc. If the installer has its own custom action that is not allowing you to run, you can just edit it with ORCA. Sometimes installers unpack a DLL from the binary table, and this DLL does the password check.

    But, for example, the not allowing to run other than from setup.exe, you should be able to work around that my editing the MSI with ORCA.


Similar Threads

  1. Installshield v6.31 problem
    By Mr.Red in forum The Newbie Forum
    Replies: 9
    Last Post: January 16th, 2005, 03:15
  2. Installshield 9 - S/N Protection
    By lordbyte in forum The Newbie Forum
    Replies: 3
    Last Post: June 12th, 2004, 16:39
  3. Installshield script help!!!
    By boxx in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: October 26th, 2001, 13:00
  4. Installshield 6 -Need help
    By draX in forum Malware Analysis and Unpacking Forum
    Replies: 8
    Last Post: June 29th, 2001, 08:05
  5. Installshield V5
    By TR in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: April 24th, 2001, 03:29


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts