Target : Denali Memory Modeler v2.9.21
URL : ftp://ftp.denalisoft.com/releases/WinNT/
This little essay deals with various ways of extracting and decrypting the passwords from WISE installers. I have been asked several times how to do this simple task, so I decided to write this text. It is pretty basic, but I have not seen any texts on this subject yet... So... let's dive right in...
1. The SoftICE way.
Run the installer "Denali_2.900-0021.EXE" and continue until you reach the dialog which asks for a password to continue. As this installer is 16-bit and does not use any API calls for the password check routine, we won't have much luck breaking on the standard things; instead press CTRL+D to enter SoftICE, then page through the window list with space until you reach something which looks like this:
Window Handle hQueue SZ QOwner Class Name Window Procedure
0FFC(1) 3D77 16 GLBSSTUB #32770 (Dialog) 55E7:0000144A
Note down the Window Handle (0FFC in this case) and press F5 to leave. Now enter some text into the password field (anything will do, as long as you give it some input), press CTRL+D to enter SoftICE again, and type:
: BMSG 0FFC wm_destroy
Press F5 to return to the installer, press the OK button, and SoftICE will break.
: BD *
Now press F12 (7 times for me) until you reach some code in WISE0001(03) which looks like this :
548F:645E CALL 096F:4D52
>548F:6463 CMP AX, 0002
548F:6466 JZ 646B (NO JUMP)
548F:6468 JMP 63AA (JUMP)
Now trace a little with F8, take the jump at 6468, and you will end up here:
548F:63A8 MOV SP, BP
>548F:63AA PUSH WORD PTR [0B72]
548F:63AE PUSH WORD PTR [0B70]
548F:63B2 CALL 548F:6498
Inside this call at 548F:6498 is where the fun stuff happens, so trace into it with F8 and keep stepping with F10 until you reach some code which looks like this:
>548F:6597 MOV ES, [BP+08]
548F:659A MOV BX, DI
548F:659C ADD BX, SI
548F:659E CMP BYTE PTR ES:[BX], 0
548F:65A2 JZ 660C (NO JUMP)
548F:65A4 LES BX, [04DE]
548F:65A8 MOV BL, ES:[BX+SI]
At 65A8, type :
: DB ES:BX+SI
Look in your data window, you will see :
92 92 CB 9B 9A 91 9E 93 96 00
This is the encrypted password; note it down, then turn your attention to the next instruction in the debug window:
548F:65AB NOT BL
This instruction performs a bitwise negation (NOT) on the BL register. If you are not familiar with the NOT instruction, you can think of it as "ENCRYPTED_CHARS[si] XOR 255", which flips every bit and so produces the same result. All that is left is to decrypt this data, which we can do easily on a piece of paper, with Windows Calculator, or with a little program of your own.
NOT 0x96 == 0x69 == Char: i
NOT 0x92 == 0x6D == Char: m
NOT 0xCB == 0x34 == Char: 4
NOT 0x9B == 0x64 == Char: d
NOT 0x9A == 0x65 == Char: e
NOT 0x91 == 0x6E == Char: n
NOT 0x9E == 0x61 == Char: a
NOT 0x93 == 0x6C == Char: l
NOT 0x96 == 0x69 == Char: i
So the installer password is: im4denali
2. The Other Way
Well, now we know how to get and decrypt the password with SoftICE, but where is this encrypted data stored in the installer files? Searching the main installer exe for the encrypted password string gives no hits, so let's see what kind of tools exist for working with WISE installers. A quick search of the web returns two interesting results:
exwise v0.5 by Andrew de Quincey & E_WISE by Veit Kannegieser.
Both tools include source code and are fairly complete, so let's try running exwise on "Denali_2.900-0021.EXE". You had better run this in a temporary directory, as it creates a lot of files.
Extracting file script.bin, startPos 0, CRC e88a50a1,
Extracting file wise0001.dll, startPos 239e, CRC 94d71b99, endPos 12a36
Extracting file file2.bin, startPos 12a36, CRC 5fa34a2c, endPos 15935
Extracting file file3.bin, startPos 15935, CRC 2d0cba84, endPos 167ec .....
We turn our interest immediately to script.bin. Open this file in a hex editor and, lo and behold, at offset 0x25 we find our encrypted password string. Now you already know what to do; use whichever way you like best.
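The "little program" mentioned in section 1, written out as an added example (it is not part of the original essay, and not code from either WISE tool). It reproduces the NOT-per-byte table, confirms that NOT and XOR 255 agree for every byte value, and reads a NUL-terminated string at a given offset the way section 2 locates it in script.bin. The nine byte values are the ones the text decodes; the script.bin stand-in below is constructed (filler bytes followed by the string), not the real file. The lesson for anyone protecting an installer is the same one the essay teaches: a single-byte NOT or XOR is an encoding, not encryption, and offers no real protection.

```python
"""Decode a NOT-obfuscated, NUL-terminated string, mirroring the
installer's per-byte NOT BL loop.  Added example; the password bytes are
the ones the essay decodes, the script.bin blob is constructed."""

# The nine encrypted password bytes from the decode table, plus the NUL terminator.
ENCRYPTED = bytes([0x96, 0x92, 0xCB, 0x9B, 0x9A, 0x91, 0x9E, 0x93, 0x96, 0x00])

# Constructed stand-in for script.bin: 0x25 bytes of filler, the string, some padding.
SCRIPT_BIN = bytes(0x25) + ENCRYPTED + b"\x00" * 8


def not_byte(b: int) -> int:
    """Bitwise NOT of one byte, masked back to 8 bits (same as b XOR 255)."""
    return (~b) & 0xFF


def not_equals_xor255() -> bool:
    """Check the essay's claim that NOT and XOR 255 agree for every byte."""
    return all(not_byte(b) == (b ^ 255) for b in range(256))


def decode_table(data: bytes) -> list:
    """Rebuild the per-byte table: (encrypted, decoded, character)."""
    return [(b, not_byte(b), chr(not_byte(b))) for b in data if b != 0]


def decode_not_string(data: bytes, offset: int = 0) -> str:
    """Apply NOT to each byte from `offset` until the NUL terminator."""
    out = bytearray()
    for b in data[offset:]:
        if b == 0:          # the installer loop stops at the terminator too
            break
        out.append(not_byte(b))
    return out.decode("latin-1")


def main() -> None:
    for enc, dec, ch in decode_table(ENCRYPTED):
        print(f"NOT 0x{enc:02X} == 0x{dec:02X} == Char: {ch}")
    print("NOT == XOR 255 for all bytes:", not_equals_xor255())
    # Section 2: the same string read straight out of the (constructed) script.bin.
    print("From script.bin offset 0x25:", decode_not_string(SCRIPT_BIN, 0x25))


if __name__ == "__main__":
    main()
```

Running it prints the same nine-line table as the essay and then the decoded string from the constructed blob; point `decode_not_string` at real file contents and the page's offset to reproduce section 2.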