Hi all,

Story;

At a certain stage during as setup (setup.exe) a window is displayed.

It says Insert CD2.

options; Ok, Cancel

I go for the Ok option.

Using Spy ++ I see the following;

IRP_MJ_CREATE

IRP_MJ_QUERY_INFORMATION

IRP_MJ_QUERY_VOLUME_INFORMATION

IRP_MJ_CLEANUP

IRP_MJ_CLOSE

so it does a check if cd2 is inserted.

Using Olly debug;

I see in the windows page

Handle 002a0503

Parent 0015056E

ID 00000001

Thread Main

cls proc 752358F1

Is it possible to put a breakpoint on the ok button, using Olly or IDA?

pressing the OK button executes a piece of code, is this easily found?

I think I need to manipulate the information struct, telling the cd2 has been inserted.

regards,

ger

You could try using the 'Execute Until Usercode' feature in the debug menu.

When you get the point where you see the screen you mention, hit pause in Olly, then choose Debug -> Execute Until Usercode. Then click the OK button and it should break afterward.

You could try using the 'Execute Until Usercode' feature in the debug menu.

When you get the point where you see the screen you mention, hit pause in Olly, then choose Debug -> Execute Until Usercode. Then click the OK button and it should break afterward.

Agree, get the messagebox up and press the pause (II) button then press ALT+F9 and click any button. Most of the times it will get you into the code...

Unless you're unlucky enough that the 'msgbox' is actually a dialog, pausing and Alt+F9 will land in the msg pump. From there you'd need to see where the WndProc is setup, most likely the call to RegisterClass/RegisterClassEx, then set breakpoint(s) in that code loop.

HR,

Ghandi

thanks guys for all the input.

It is pretty hard to find the dailog box.

@ ghandi I will try your last post.

did some digging,

the setup is the Call of Duty (the first one) installer, yes I know it is old but I like It.

the set is two CD's one called COD1 and one called CoD2. found with GetVolumeInformation.

a hex search or string search does not do the job. (try to find it in the installer).

So when the dialog insert CD2 is shown.

the program checks if CD2 is inserted (asume) I think it will use GetVolumeInformation.

so I need to find the GetVolumeInformation routine, how do I find this using Olly/IDA?

On the other hand the dialog has 3 options;

cancel, for me of no use

ok (and cd1 still in drive) results in displaying the dialog again.

ok (and cd2 inserted) results in closing the dialog and continue the install.

also, I can not find a install list.

a list with all the files the installer has to copy (put on HDD).

is this encrypted? the installer is of type Wise installer system, yep an old one.

everything in one exe file.

regards,

ger

Try scan COD.exe with ProtectionID. If it Securom it is not easy )))

I think he is still busy with that project... It's not about the protection of the end product, but of the installer. Some old tutorials (don't ask me which ones) give you api hints to break... But why not simply download an ISO of both cds???

Hi All,

Why not Use both ISOs, I Want to put all the CODs versions on in one ISO, blu ray....

and for the fun !!

So back to work;

I stated I could not find the install list, well I found it.

Every time when I start the program (in Olly) it allocates a memory block of 0x66000 bytes, and guess what is in there..

When I edit this block, I can "remove" the insert CD2 dialog.

original mem block; file-a-, file-b-, file-c-, dialog text cd2, file -d-, file -e-

edit by me mem block; file -a-, file -b-, file -c-, file -d-, file -e-, dialog text cd2.

runs fine , it does no checks until it 'sees' dialog cd2

and file -d- and file -e- are nicely installed!! (put all the files on one dvd, for testing)

so if I can remove the dialog cd2 text.

than the problem is solved.

so I think the program fills the mem block with install-data, only where does it come from......

regards,

ger

That's an epic idea! But back to topic: does this memory block contain "dialog text cd2"?? Or is it something else?

I mean: can find find some kind of table or is it the pure file data...

@ Mr. eXoDia

Yes this memory block contains the "dialog text cd2"

It is some kind of table as you said.

It it very hard to find where this table comes from, a lot of jump's and call's.........

on the other hand,

if I can (externaly using C#) allocate this block I can edit it, problem solved!!

like the "Memory Map" Tab in Olly, and edit option

I know it is 0x66000 bytes very time with a given base address at lets say 00400000.

I can edit the memory block.

regards,

ger

I would recommend breaking VirtualAlloc or GlobalAlloc, these function allocate memory (duh) and maybe you can find some loop if you trace a bit...

Hi All,

Did some digging.....

found the "insert cd2 compare statement"

If I manipulate the outcome of the CMP to 0x00 iso 0xFF it continues with the installment....(YES!!!!)

now I need to implement this in the setup.exe file.

setup creates a tmp file which is then loaded as dll, so I'm unable to write in the dll when it is loaded.

so I have to edit it before it is loaded.

found the load dll call, so I have the handle (to that file) at the DS stack.

now I need to write several bytes at certain positions to the created temp file.

does anyone has a piece of code (which I can put directly in Olly).

which does the job. Please with comment so I can see/learn what the statements are doing

Thanks in advance!!

Best Regards,

ger

You could try redirecting that call where the dll is created to a code cave... This code should load a custom dll which intercepts the handle, duplicates it and changes a few bytes in the file..

@eXoDia

Thanks for the reply,

Your suggestion is out of my league, yet...

I tried;

mov ah,3d ;Open file function

mov al,20 ;Write-Only file access

mov dx,0102 ;Points to filename

int 21 ;Do it

mov bx,ax ;Move retrieved file handle into BX

mov ax,4000 ;Write to File function

mov dx,011a ;Points to data to write

mov cx,0d ;Number of bytes to write

int 21 ;Do it

mov ax,4c00 ;Exit function

int 21 ;Do it

It does not work, I think this is old stuff.

I'm looking for something like kernel32.OpenFile or kernel32.WriteToFile.

Any clues...

Thanks,

Ger

It's uber-old

Try CreateFileA for opening file (if you already have a handle it's not needed), then use WriteFile (with an bytes write flag) see MSDN for more info..

Hi All,

Found the Buffer which is used to create the .dll.

It is a Buffer of 32K which is emptied 6 times into the file, with the dll as a result.

it is using CreateFile and WriteFile.

So I tried to find the buffer data.

And as guessed it is not a 1 to 1 copy....

It is packed, crypted or something like that.

So I think I will go for the edit the dll when finished version.

Will do some futher digging.

Regards,

ger

@ eXoDia

I use the kernel32.OpenFile call like this;

push 2 ; mode read/write

push 403170 ; pOfstruct

push 18FE5C ; name of the file

call kernel32.OpenFIle

If I run this in Olly, I get SUCCES_ERROR (asume verything went well, If I try to open de file with a hex editor it says it is open)

and at location 403170 a piece of data is created. (in this piece of data the name of the file is shown)

when I want to call the Write file function, I need a handle.

where can I find this handle.....

for the write call I use (for testing)

push 0 ; overlapping

push 0 ; bytes written

push 10 ; bytes to be written

push 403170 ; buffer of bytes (it is the buffer created in OpenFile, no issue for testing)

push xxxxxx ; the handle ...........

call kernel32.WriteFile

Later,

Ger

you`re supposed to use CreateFile() to open a file and WriteFile() to write to it.

The handle is returned by the CreateFile() function. (---> you will find it in eax).

in c++:

	HANDLE x = CreateFileA("C:\\x.txt",GENERIC_READ|GENERIC_WRITE,0,0,CREATE_NEW,0,0);
	DWORD wrtn;
	WriteFile(x, "test", 4, &wrtn, 0);

in olly:

the code creates a new file (C:\x.txt) and writes 4 bytes of data to it ("test").

/>http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
/>http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747%28v=vs.85%29.aspx

Thanks,

But why not use OpenFile, as the file is allready there.

I'm not creating a new one.

will have a go on your stuff!!

Ger

Edited May 19, 201213 yr by TBBW

OpenFile() is old and not used anymore, CreateFile() is a lot more powerful.

to open an exisitng file, replace the CREATE_NEW (0x01) paramter with OPEN_EXISTING(0x03).

IE replace the "push 1" (third push) in CreateFileA() by "push 3".

Thanks,

The PUSH C0000000

for the read write is not accepted in Olly.

Ger

Edited May 19, 201213 yr by TBBW

you cant start a constant with a letter (A-F).

Instead, type

push 0C0000000

Hi all,

Can not get the #$$^&&&!! Working....

I do

PUSH 0

PUSH 0

PUSH 3

PUSH 0

PUSH 0C

PUSH 18FE5C

Call KERNEL32.CreateFileA

After this piece of code I get ERROR_SUCCES

So I asume no errors, very thing run fine up till here

Now to write a number of bytes I do;

PUSH 0

PUSH 0

PUSH 4

PUSH 720000

PUSH EAX

Call KERNEL32.WriteFile

NOP

Put breakpoint on NOP, it does not reach the breakpoint, because I get an error accces violation writing 00000000

where do I go wrong??

ger

You should pay more attention to MSDN: http://msdn.microsof...7(v=vs.85).aspx

lpNumberOfBytesWritten [out, optional] - This parameter can be NULL only when the lpOverlapped parameter is not NULL.

IOW how should I setup the Call?

I just want to write, lets say 4 bytes, to a file which is allready there.

Is there a document which says where the outcomes are placed in ECX or EAX etc.

Ger