Exetools > General > General Discussion
#1  Sailor_EDA, 12-21-2004 13:55
Need some help with cracking an .msi install file

Hi everybody,

I've been trying to crack this msi file. I've read the tutorials on the web and I can't seem to figure this one out. It's a fairly standard setup: it asks for name, company and password. I just wanted to get past the password bit.

So this is what I have so far.

1. I've tried various InstallShield decompilers etc. that are available for older versions on the web and they don't work.
2. According to one tutorial I'd read, they use Wise for Windows Installer to hack the script so that you can find the "DoNext" function associated with the serial check and then set the condition to always bypass it. I installed Wise for Windows and opened the msi file. It asked me if I wanted to convert to a Wise script. I said yes and hit Next. After about 3 minutes of processing Wise would crash.
3. Instead I tried InstallShield 9.5. This one works better; in fact it displays all the dialogs and methods, and I can actually see the details and conditions that the NEXT button points to.
4. As per the tutorial, I set the condition accordingly and saved the file.
5. When I run it I get an error telling me there's something wrong with the script.
6. Okay, the simple thing didn't work. Let's look a little deeper. The DoAction of the Next button has "LicenseCheck" as the Argument and Condition "1". Changing this to "0" obviously didn't do the trick. A little more searching and I find LicenseCheck is a custom action (i.e. a user-defined function that the script can access) and the function is called from a dll. I don't want to reveal names here but let me just say that the dll name isn't a standard Windows system dll.
7. So now I start Filemon and see which dlls are loaded. I find nothing even remotely resembling the dll filename.
8. This is where I am right now: stuck because I can't find out where this function is loaded from. As a desperate measure, in the custom actions dialog for CheckLicense, I deleted the name of the function that is being called. This just causes a CKSUM error on running the installer.

So even though the custom action says it's using a function from a dll file, I'm not absolutely sure. For all I know it could be stored in the install script itself.
This is my very first InstallShield cracking project and, quite frankly, I really don't know too much about InstallShield, so if anybody has any pointers, hints or some more tutorials that deal with newer targets, it would be truly appreciated.

Thanks

Sailor_EDA
#2  hosiminh, 12-21-2004 17:15
So far I haven't seen an *.msi install file that needs a password for installation.
Most of the time InstallShield is used with a greyed-out OK button, and when it is ungreyed (or the correct password is entered) the msi installer starts (you can see this by looking in the \temp folder).

Try with a bp like "lstrcmpA" and similar.

However, have you tried some msi extractors like MsiEx 0.2 [tulipfan] (hxxp://www.wasm.ru/all.php?mode=tool)?
Works fine for me (after you have the *.msi file from \temp, of course).
#3  WhoCares, 12-21-2004 17:49
Total Commander with MSI plugin is also OK with *.msi files.
AKA Solomon/blowfish.
#4  Mkz, 12-21-2004 22:27
Try the following:
- Check for a temp directory where the installation bootstrap files are located. The dll is probably there, at least if you're stopped at the error box.
- Debug the install process and set a break on LoadLibrary or on GetProcAddress; it should occur when you press Next with an invalid serial.

In a process monitor you won't see the dll in the loaded modules list, because it normally is loaded when the function is called, executed, and then freed; hence the 2 breakpoints I have suggested. The dll isn't actually linked with the installation process, so it's only loaded when needed.
#5  ne_viens, 12-27-2004 21:08
I suggest trying the Windows Installer Editor from Wise Package Studio.
So far I have found that it is the best tool for editing .msi installer files (delete or replace components, edit scripts, etc).
Custom dlls for authorization can be found in "Project definitions\resources": simply reverse the existing one, write your own with the necessary features and replace the original dll (sometimes it's possible to simply delete the original security dll).
#6  FoxB, 12-27-2004 22:33
An essay in Russian about them:

http://www.wasm.ru/article.php?article=msi

WBR and Happy New Year!
#7  Sailor_EDA, 01-02-2005 14:58
Mkz,

thanks for your tips. Sorry I haven't replied in a long time as I was away for Christmas. I have some questions though.

In Olly, I did a bpx on LoadLibrary and GetProcAddress but there seem to be too many places from which this is happening. Any tips for how I should go about this under OllyDbg?

Also, I can't find any temp dirs being created or accessed (although I can use WinRAR to look into the .msi archive, though none of the dlls there seem to be the ones with the check-serial function, but I could be mistaken on this).

I have yet to look at the Russian site; I should probably do that.

Thanks

#8  Mkz, 01-03-2005 18:06
Did you activate the BPX's from the start, or only in the screen immediately before the check, just before pressing Next and getting the error?
#9  zebediah, 01-03-2005 21:43
Use ORCA instead

A debugger for .msi is overkill...
Also you would have to break in msiexec.exe (the InstallShield executable that runs the .msi). It's a mess!

A lot easier way is to use ORCA (the msi tables editor available with the MS Platform SDK).

The SDK is available for free from Microsoft but it is unfortunately a mammoth download.
So...
Get ORCA here:
/h--p://www.patchlink.com/downloads/support/orca.msi

Install it and use it to open your .msi.
Now on the left side you'll see all the installer tables.
Locate your username/password dialog and look at the conditions for the Next/OK button.

Because there are a lot of tables in an .msi, focus on the "ControlCondition", "ControlEvent", "Property" and "CustomAction" tables.
Generally look around in there and you'll soon get the meaning.

Post with more info (maybe even the program you're trying to crack) if you get in trouble and I'll try to give more details...

PS. You were on the right path with your first post.
Don't stray from that! Just look at your conditions a little better and you'll get it.
It doesn't matter that the verification is done by an external dll; the result is then evaluated by the InstallShield script. If you find where you can tell it to be happy with the result, you're OK.

Hope it helps.
#10  Sailor_EDA, 01-05-2005 13:20
Mkz,

I didn't know which bpx to activate as there were too many.
I've included a jpg of the screen which lists locations for bpx LoadLibrary.

Thanks

Sailor_EDA

Attached: intermodularcalls.JPG (195.3 KB)
#11  Sailor_EDA, 01-05-2005 13:55
Actually I downloaded Orca a couple of days ago and it seemed very similar to the InstallShield developer tool.
In any case, this is what I have so far with Orca (based on your instructions).
I've attached a jpg with the tables Control, ControlEvent, ControlCondition and CustomAction. Actually it's kind of neat that Orca isolates everything (a little annoying as well, as you don't get the visual representation that InstallShield gives you).
I've only included the relevant table entries to reduce space, so let me know if you feel you need more information.
Control - The entry in question is CustomerInformation; this is where you enter the serial number. In fact the variable name "SERIALNUMBER" is right there for everybody to see.
ControlCondition - Under CustomerInformation there are 2 entries, SerialNumberEdit and SerialNumberLabel; these don't look very interesting since I think they are just to edit the serial number. The condition LicenseOK="1" looks interesting but I'm not sure where it's set.
ControlEvent - Under CustomerInformation again, Next has a DoAction which points to LicenseCheck with condition 1. Changing the condition to "0" gives me the following error: "The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2803"
CustomAction - Here LicenseCheck is actually called _CheckLicense@4 and appears in TKCommonAct.
So this is pretty much where I was when I posted the message initially. Hopefully I've included more details that might be helpful.
I think it may be easier to just post the msi file, but I think it might invite the wrath of the admin.
Thanks for all of your help.
PS: I read the article on wasm.ru; it's pretty good, except that the tool they suggest, m_extract, to extract any function calls in the msi file didn't work for me.
Attached: orca_msi_tables.JPG (204.1 KB)
#12  ne_viens, 01-05-2005 16:50
>..."SERIALNUMBER"
>..."LicenseOK="1"
>.. .LicenseCheck is actually called _CheckLicense@4 and appears in TKCommonAct.
>

I can't download any attachments yet, but...
It seems there is a custom dll with an exported function _CheckLicense.
This function has one argument (@4), probably a pointer to the var "SERIALNUMBER".
If the function input is valid, it returns 1 (LicenseOK=1).
#13  Mkz, 01-05-2005 19:40
Activate the "kernel32.GetProcAddress" BP after you inserted the serial and before you press Next.
You'll hopefully catch it retrieving the address of that "CheckLicense" function, amongst others. Then you can BP that function, and see what it does and which module it comes from in the file system.
#14  zebediah, 01-05-2005 20:52
Orca, continuing...

I cannot download attachments yet.
Consider uploading your screenshot to some free webspace (eg. /h--p://us.imageshack.com/) or your whole .msi to something similar (eg. /h--p://www.yousendit.com or /h--p://www.ezshare.de) and posting the links so I can get the files.
In the meantime:
If you look at the "ControlEvent" table you'll see several columns.
Does Next have more than one entry?
It probably has (one with the license check and another (or more) with the next action, should the license check pass successfully).
The last column, "Ordering", specifies which Next action is executed first (smaller order first).
Also, if the DoAction you're referring to has the form "LicenseCheck=1" (I'm just guessing here as I can't see the screenshot), don't bother to change the "=1" to "=0".
Just replace the whole "LicenseCheck=1" with "1" (true) and give it a try.
I can probably help more if you post the files somewhere I can get them...
Think simple.
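An added example (not code from this thread or from any tool named in it) that models what posts #4, #12 and #14 describe from a package-audit angle: how Windows Installer walks a control's ControlEvent rows by Ordering and Condition, and how the CustomAction Type column tells you that an action such as LicenseCheck runs a DLL pulled from the Binary table on demand, which is why it never shows up in a static module list. The table rows, dialog and action names are constructed to mirror the thread, and the small condition evaluator covers only a subset of the MSI condition syntax.

```python
import re
# CustomAction.Type: low 6 bits are the base type (per MSI docs); 1 = DLL kept
# in the Binary table, 2 = EXE in Binary table, 17 = installed DLL, 51 = set property.
BASE_TYPES = {1: "DLL from Binary table", 2: "EXE from Binary table", 17: "installed DLL", 51: "set property"}
# Constructed rows mirroring the thread (assumed names, not the real package).
# ControlEvent: (Dialog, Control, Event, Argument, Condition, Ordering)
CONTROL_EVENTS = [
    ("CustomerInformation", "Next", "DoAction", "LicenseCheck", "1", 1),
    ("CustomerInformation", "Next", "NewDialog", "SetupType", 'LicenseOK="1"', 2),
    ("CustomerInformation", "Next", "SpawnDialog", "InvalidSerial", 'LicenseOK<>"1"', 3),
]
# CustomAction: (Action, Type, Source, Target); Source names a Binary-table row.
CUSTOM_ACTIONS = [("LicenseCheck", 1, "TKCommonAct", "_CheckLicense@4")]
_TOKEN = re.compile(r'\s*([A-Za-z_][\w.]*|"[^"]*"|<>|=|\d+)')

def eval_condition(cond, props):
    """Evaluate a subset of MSI condition syntax: integer literals, PROP (true if
    set), PROP="v", PROP<>"v", NOT, AND, OR; precedence NOT > AND > OR; "" is true."""
    toks, pos = _TOKEN.findall(cond) or ["1"], 0
    def atom():
        nonlocal pos
        t = toks[pos]; pos += 1
        if t.upper() == "NOT":
            return not atom()
        if t.isdigit():
            return t != "0"
        val = props.get(t, "")                          # an unset property is ""
        if pos < len(toks) and toks[pos] in ("=", "<>"):
            op, rhs = toks[pos], toks[pos + 1].strip('"'); pos += 2
            return val == rhs if op == "=" else val != rhs
        return val != ""
    def chain(level):                                   # 0: OR of ANDs, 1: AND of atoms
        nonlocal pos
        v = chain(1) if level == 0 else atom()
        while pos < len(toks) and toks[pos].upper() == ("OR", "AND")[level]:
            pos += 1; rhs = chain(1) if level == 0 else atom()
            v = (v or rhs) if level == 0 else (v and rhs)
        return v
    return chain(0)

def fire_events(dialog, control, props):
    """Rows msiexec fires for one control: ascending Ordering, each Condition checked
    against the given property state; DoAction rows carry the decoded base type."""
    by_name = {a[0]: a for a in CUSTOM_ACTIONS}
    rows = sorted((r for r in CONTROL_EVENTS if r[:2] == (dialog, control)),
                  key=lambda r: r[5])
    fired = []
    for _, _, event, arg, cond, _ in rows:
        if eval_condition(cond, props):
            ca = by_name.get(arg) if event == "DoAction" else None
            fired.append((event, arg, BASE_TYPES.get(ca[1] & 0x3F) if ca else None))
    return fired
```

Calling fire_events("CustomerInformation", "Next", {"LicenseOK": "1"}) versus the same with an empty property dict shows the two paths a Next click can take; the property state is passed in statically, standing in for whatever _CheckLicense sets.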
#15  Sailor_EDA, 01-11-2005 13:21
Here is a link to an image of the Orca msi tables:
http://img50.exs.cx/img50/7523/orcamsitables9nb.jpg
And here is a link to an image of the calls I get when I do a bpx on kernel32.GetProcAddress in Olly:
http://img5.exs.cx/img5/1949/intermodularcalls1kw.jpg

Thanks for all of your help.
Sailor_EDA

Last edited by Sailor_EDA; 01-11-2005 at 13:30.