"Create Install v3.8"

( 'Reversing a window or 2- Theres Always a way!'  )


Win Code Reversing



by ShADë



Code Reversing For Beginners 





Program Details
Program Name: crinst.exe
Program Type: Install Creation
Program Location: Here 
Program Size: 187kb 





Tools Used:
W32Dasm - Dissassembler
UEdit32 - or another good hex editor
ExEScope - or some other resource editor
Getype- File identifier
FileMon - File access monitor




Easy (  ) Medium (X)   Hard (    )  Pro (    ) 


Create Install v3.8

( 'Removing Windows'  )

Written by ShADë


The author of  Create Install v3.8 says :
CreateInstall is a 32-bit program for Windows95/98/NT designed for the creation of setup procedures for applications.

The installer creates compact, easy to use, yet fully featured installations, with many capabilities. It also supports any language without having to re-compile the program. The ouput (setup) files are compact, easy to install with plenty of options.

About this protection system

I am not going to remove the protection from this program, you will have to do that yourself, the author deserves better. This is a really great install making utility, the programing is excellent it is very compact and simple to use, and as the author states so are the output(setup) files it produces. I am not sure wether the author has written the compression algorithm himself or used a component, but either way it is fairly unique.

If you have seen my VirtualSpy program then you will know that I like to use Create Install as the delivery system as it is so small. The only problem was that the author of Create Install does not provide a facility for a silent (ie. no visible windows) install. I needed this option so I set about removing the windows that are displayed during a normal setup.

Hence this essay.


The Essay 

There are two windows shown in a normal setup the first requires the user to press a button in order to accept it and the second is just a simple progress gauge. First we have to find the windows we want to remove in the code, easy! not quite..........

There are very few files included with Create Install. We have the ability to change the language for setups. This is done by inserting the relevant string references from the file : ****.lng at creation time. This means that we cannot do a search for a string reference in the code. So I firstly open all the included files using ExEScope to search for the windows. What the..... our windows aren't in any of the files. This is where I figure they must be compressed, so I open them in Getype and check it out, nope non of them are compressed, but they must be!!

After pondering this for sometime, I make a small install whilst monitoring with Filemon. We see that Create Install makes the setup using just our selected files and the file crinst.pat, which is prepended to the setup. So now we know where the windows are. So change the name of the file to crinstpat.exe and open her up in ExEScope, }:-( no windows, it runs ok if we double click on it so we know it is a program but the windows must be compressed yet again within this file. So what now?? Well we know that during the setup process the windows must be de-compressed, so lets run our setup and watch it in Filemon. We see the file instcrin.dll copied over to the \windows\temp directory, bingo! Quit our setup and go and get it.... its not there, the program deletes it again. No problem.... run the setup again but this time while the first window is on screen go into Explorer and make a copy of the file instcrin.dll. Quit the program and now we have a copy, open it in ExEScope, bingo we now have our uncompressed windows.

So lets disable them:

The first window:

Our first problem is that the file is a .dll not the usual .exe so how do we find out when the window is displayed, we need a dead listing from W32Dasm. Open in W32Dasm your small setup program, select 'Load Process', then on the 'Data' window make sure you have 'DLL Load Brk' selected. Now press F9 to run your program. W32Dasm breaks almost immediatly. In the 'Data' window scroll down the list of active dll's and select instcrin.dll, load it. Deselect 'DLL Load Brk' and press F9. When the window pops up select 'Pause' and then click on the setup window. The code box in W32Dasm should now show that we are in instcrin.dll. We come out somewhere in this code:

:10004E73 55 push ebp
:10004E74 8B44240C mov eax, dword ptr [esp+0C]
:10004E78 8BEC mov ebp, esp
:10004E7A 3D10010000 cmp eax, 00000110
:10004E7F 56 push esi
:10004E80 57 push edi
:10004E81 BE01000000 mov esi, 00000001
:10004E86 7410 je 10004E98
:10004E88 3D11010000 cmp eax, 00000111
:10004E8D 741C je 10004EAB
:10004E8F 3D12010000 cmp eax, 00000112
:10004E94 7436 je 10004ECC
:10004E96 EB7A jmp 10004F12

Well we have all read +ORC's tutorial 9.3 haven't we??? if not you need to read it!. So we know that a button click generates a WM_COMMAND message, which has a value of 00000111.
So offset :10004E88 checks for WM_COMMAND. What would happen if we made it think it had recieved a WM_COMMAND message, It very much depends what is in the return address which is compared later, but lets try it anyway. Exit the setup program, then load and run it again loading the .dll as before. This time before pressing F9 a second time, in the small W32Dasm window select 'goto address' type in 10004E8D then select 'patch address'. Type in 'jmp 10004EAB' and return, then click on 'apply patch' and accept. Ok now press F9 again to run our program. Bingo! it flies straight past the first window.
Now we go to the copy of the instcrin.dll we made earlier, open it in a hex editor and search the bytes: 8BEC3D100100005657. Just below this we see our bytes 741C change these to EB1C (jmp 10004EAB) and save it.

Right thats the first window now for the second:

Unfortunatly because this one has a guage on it which is going to be an integral part of the program I don't think it is going to be so easy to get rid of. So lets not get rid of it! lets hide it. Open up instcrin.dll (your copy) in ExEScope and look for the progress dialog its id 116d.
Now lets change a few things, first we need to stop it appearing in the center of the screen so select 'Dialog' then deselect 'center'. Nothing more on this tab, select 'Ex Styles' and select 'Tool Window' this should stop it from bieng shown in the taskbar. Next select 'Style' and deselect all. If you check in your dead listing you will see that the dialog is called with the API function DialogBoxParamA. Checking your API help will tell you that this function overrides the 'visible' setting and displays the dialog regardless, so just leaving this un-checked is not going to do it. What we can do is change its size and position so we can't see it. Change as follows: X=2000 Y=2000 Width=0 Height=0.
Finally delete the caption just in case it does show up.

All this will make our dialog box a little grey square hardly visible in the bottom left of your screen.

Thats all there is to it, but now we have another problem. We have edited our copy of instcrin.dll but this is not what will be included with our setups. A compressed copy gets included from the file crinst.pat if you remember. We have two problems here, firstly we need to compress it secondly we need to insert it into crinst.pat.

First the compression:

Create Install uses its own compression algorithm so how are we going to compress our file with the same format? simple, we let Create Install do it for us.
Make a new directory and put just your patched instcrin.dll into it. Now make a new Create Install project out of your instcrin.dll. Ensure that the 'General/Self Extracting Setup' is NOT selected and make your install. Now you have a compressed file called disk1.pak which contains a few headers and then your now compressed .dll.

If while you are making this install you run filemon with the filter 'process include(s)' crinst you will be able to see how the file disk1.pak is made. The file instcrin.dll is written into it at offset 1664d in my case, it will vary depending on the options you have selected for your install and your directory name lengths. If you open up the file in a Hex editor and then go to this offset you will see just prior the name instcrin.dll and then the first character of our compressed .dll 'aWAW' if we then delete everything up to your offset for the first character 'a' we will have only the compressed .dll left.

Now for the second problem, getting it into crinst.pat.

Open up crinst.pat in your hex editor and look for the bytes 'aWAW' you will find them at 8192d/2000h. Now find the exact filesize of your compressed .dll using your hex editor and delete this same number of bytes from crinst.pat. .Next cut and paste your .dll into crinst.pat. Now when CreateInstall makes a setup it appends the bytes 04 and several 00's to the file. Edit the 04 onwards to read 30 so your last bytes should read 09 68 then 30 to the end.

Finally check the file size, crinst.pat was 41492 if you have any more or less delete/add some 30's to correct.

Thats all there is to it.


In Conclusion 

I did all this for a purpose I wanted the end result. There is still the registration protection on the program, but I am not going into that here. Finding the button and removing the first window could have been much more complicated, it was just fortunate that the value in the memory location which is normally returned by clicking the button was correct. Reading the tutorial 9.1 / 9.2 /9.3 by +ORC will show you what you need.

There is virtually always a way in.


+ORC Lesson 9 (3): How to crack Windows, Hands on.
Available at 'Fravia's page of reverse engineering'.

and of course the invaluable Win32 API reference - available at the Sandmans site.


Final Notes


Cracking is a hobby, a challenge, a sport, if you use it buy it.

I would like to thank The Sandman for making The Newbies Forum available, without it I would still be lost in the dark codewoods, ALONE!

Thanks to the snake and everybody on the newbies forum.

Essay by:            ShADë
Page Created: 1st October 1999 n problem.