It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
avatar
shmerl: Oh, this is very nasty. Can anything be done about it? Can GOG provide the password? May be it can be debugged in Wine to see what password it passes?
From what I hear it's not GoG who set this password but it's automatically generated by Inno Setup.
avatar
Kristian: I didn't know they used RAR files. Are there any tools to find passwords on RAR archives?
Except from using brute force, there are not any tools that would allow you to find the password; IMHO it would probably be easier to try to find the password in the EXE or using a debugger rather than trying to brute force it.
Post edited December 20, 2014 by Gersen
Post edited December 20, 2014 by ssokolow
By the way, which games exactly are affected by this? I just extracted Indiana Jones and the Fate of Atlantis with innoextract just fine.

I'll take a look at innoup source and see how it unpacks the data. May be password is stored somewhere in the file.

avatar
shmerl: May be it can be debugged in Wine to see what password it passes?
avatar
vv221: Any idea about how this could be done? (the debugging part)
In theory you'd have to run the whole thing through the debugger and go through the assembly calls until you get to the point of it reading and passing the password somewhere. You'll examine that memory and it can contain the password string. All that is rather theoretical, I didn't do such exercises before. It's not very easy and requires assembly knowledge.

In general I'd say it's stupid to use any proprietary formats like RAR, when there are better free alternatives available.
Post edited December 21, 2014 by shmerl
From the first glance at the source it appears that innoup would need that password to be provided explicitly, so I'm not sure how it can work otherwise. So far I don't know what to test it on. What installers are actually affected by this junk?
Post edited December 21, 2014 by shmerl
avatar
vv221: Any idea about how this could be done? (the debugging part)
avatar
shmerl: In theory you'd have to run the whole thing through the debugger and go through the assembly calls until you get to the point of it reading and passing the password somewhere. You'll examine that memory and it can contain the password string. All that is rather theoretical, I didn't do such exercises before. It's not very easy and requires assembly knowledge.
While examining innounp or the InnoSetup source is likely to be the more fruitful route, I get the impression you're overselling the amount of assembly knowledge needed. The most obvious approach would require it, certainly, but I don't think that's the only one.

(Disclaimer: I'm not an expert in this sort of thing)

Both InnoSetup and UnRAR have source available, which opens up a lot of avenues for making a custom build specifically designed to aid in drawing inferences about the layout of the code in another build. (Maybe even generating debugging symbols for the GOG installer, if you can find the right compilers and settings to produce identical code, but with a symbols file alongside.)

Heck, I don't remember how InnoSetup handles things but, if it's using the InstallShield "stub unpacks the installer to temp folder" approach and unrar is handled via unrar.dll, then you should be able to use whatever mechanism is employed by LD_PRELOAD and its Windows equivalent to find the "set extraction password" function.

Once you've got that, GDB supports reverse debugging, which might allow you to follow the password back in time to its source.
Post edited December 21, 2014 by ssokolow
I see from the innoextract bug that Divinity Original Sin is affected. Did anyone try to unpack it using innoup? I didn't buy it yet (waiting for the Linux version) and it's too expensive to buy it just for debugging purposes. What other games are affected?
avatar
ssokolow: While examining innounp or the InnoSetup source is likely to be the more fruitful route, I get the impression you're overselling the amount of assembly knowledge needed. The most obvious approach would require it, certainly, but I don't think that's the only one.
So far I'm not entirely convinced that innoup can do that for archives with a password without knowing it. I want to test it first. From the code it appears to ask for that password explicitly.
Post edited December 21, 2014 by shmerl
avatar
shmerl: I see from the innoextract bug that Divinity Original Sin is affected. Did anyone try to unpack it using innoup? I didn't buy it yet (waiting for the Linux version) and it's too expensive to buy it just for debugging purposes. What other games are affected?
If the game wasn't such a huge download I'd download it to test it out but I can't spare that much bandwidth atm. If there's a smaller game just name it :D
avatar
shmerl: I see from the innoextract bug that Divinity Original Sin is affected. Did anyone try to unpack it using innoup? I didn't buy it yet (waiting for the Linux version) and it's too expensive to buy it just for debugging purposes. What other games are affected?
avatar
Ganni1987: If the game wasn't such a huge download I'd download it to test it out but I can't spare that much bandwidth atm. If there's a smaller game just name it :D
Ditto. I don't own Original Sin for similar reasons (price and lack of Linux version) but I do own over 60% of GOG's catalog and I download and make a DVD+R backup of every update that gets posted, so I should have something.
I wonder if it's just new games that are affected? So something released recently can be the case. And I doubt Larian asked GOG to include that password in the installer. It must be GOG's oversight. Probably innosetup allows disabling all those passwords during archive creation.

We should get GOG to comment on this somehow.
Post edited December 21, 2014 by shmerl
avatar
shmerl: I wonder if it's just new games that are affected?
Yep.
French installers of Heroes of Might and Magic 5 are affected (version 2.1.0.22 & TotE 2.1.0.24).
If you don’t own it, I can look further for other games using this.
We should get GOG to comment on this somehow.
That would be great indeed.
Asked the question here. Feel free to add your details.
avatar
shmerl: Asked the question here. Feel free to add your details.
Thanks, I’m going to report there ;)
avatar
vv221: French installers of Heroes of Might and Magic 5 are affected (version 2.1.0.22 & TotE 2.1.0.24).
Yep, I don't own it. Can you please test unpacking it with innounp? Just run it in Wine. If it works without asking that password it means innounp can somehow deduce it from the package itself.
Post edited December 21, 2014 by shmerl
avatar
vv221: French installers of Heroes of Might and Magic 5 are affected (version 2.1.0.22 & TotE 2.1.0.24).
avatar
shmerl: Yep, I don't own it. Can you please test unpacking it with innounp? Just run it in Wine. If it works without asking that password it means innounp can somehow deduce it from the package itself.
Done.
innounp fails silently to extract the game data, the same way innoextract do.
avatar
shmerl: Yep, I don't own it. Can you please test unpacking it with innounp? Just run it in Wine. If it works without asking that password it means innounp can somehow deduce it from the package itself.
avatar
vv221: Done.
innounp fails silently to extract the game data, the same way innoextract do.
OK, so it proves that it's not a solution and password is not deduced. There is something fishy going on in innosetup step.