vv221: French installers of Heroes of Might and Magic 5 are affected (version 2.1.0.22 & TotE 2.1.0.24).
shmerl: Yep, I don't own it.
Affected installers from my library are:
_Heroes of Might and Magic 5, French version 2.1.0.22
_Heroes of Might and Magic 5: Tribes of the East, French version 2.1.0.24
_Overlord: Rising Hell, French version 2.1.0.13
_The Bard’s Tale, version 2.1.0.9
_Deponia, version 2.2.0.8
_Chaos on Deponia, version 2.2.0.6
_Goodbye Deponia, version 2.1.0.10
_Neverwinter Nights, French version 2.1.0.19

There is a common denominator here: every one of these installers uses a small .exe and a big .bin file (actually the rar archive), the last one being password-protected and containing the actual game data. All of them have been recently built, maybe in a Galaxy-compatible way.
shmerl: Yep, I don't own it.
vv221: Affected installers from my library are:
_Heroes of Might and Magic 5, French version 2.1.0.22
_Heroes of Might and Magic 5: Tribes of the East, French version 2.1.0.24
_Overlord: Rising Hell, French version 2.1.0.13
_The Bard’s Tale, version 2.1.0.9
_Deponia, version 2.2.0.8
_Chaos on Deponia, version 2.2.0.6
_Goodbye Deponia, version 2.1.0.10
_Neverwinter Nights, French version 2.1.0.19

There is a common denominator here: every one of these installers uses a small .exe and a big .bin file (actually the rar archive), the last one being password-protected and containing the actual game data. All of them have been recently built, maybe in a Galaxy-compatible way.
Ah, I have a few of them like Deponia games, The Bard's Tale and Neverwinter Nights. So I'll try playing around with unpacking, but as I suspected most probably innounp can only unpack when you provide an explicit password, so it's not any better than unrar.
Post edited December 21, 2014 by shmerl
Just found out that InnoSetup is open-source. Could that help us to find out how the password-protected archives are handled?

Here is the github repo:
https://github.com/jrsoftware/issrc
vv221: Just found out that InnoSetup is open-source. Could that help us to find out how the password-protected archives are handled?

Here is the github repo:
https://github.com/jrsoftware/issrc
Thanks for the pointer. That can probably help. I'll take a look when I have time. On a side note, who writes this in Pascal these days??

One thing is confusing however - there is no open source RAR compressor. So how can Innosetup create RAR packages? Maybe it's a confusion and that thing is not RAR at all? Their site mentions this:
Includes integrated support for "deflate", bzip2, and 7-Zip LZMA/LZMA2 file compression.
Support for digitally signed installs and uninstalls.
I'll dig into it a bit later.
Post edited December 22, 2014 by shmerl
What is wrong with Pascal?
Kristian: What is wrong with Pascal?
I'd say grim prospects of getting any modern libraries and such (especially for good cross platform UI). I haven't really developed in Pascal in recent times, so I don't know, maybe there is some modern movement in it as well.
Post edited December 22, 2014 by shmerl
Kristian: What is wrong with Pascal?
shmerl: I'd say grim prospects of getting any modern libraries and such (especially for good cross platform UI). I haven't really developed in Pascal in recent times, so I don't know, maybe there is some modern movement in it as well.
As far as I can tell Delphi and Free Pascal/Lazarus is where it is at in Pascal land:

http://www.freepascal.org/

http://www.lazarus.freepascal.org/

http://wiki.freepascal.org/Lazarus_Application_Gallery

http://wiki.freepascal.org/Projects_using_Lazarus

http://www.embarcadero.com/products/delphi

http://www.embarcadero.com/products/rad-studio/application-showcase

Anyway...... I am attempting a brute force attack on the Goodbye Deponia archive.
Post edited December 22, 2014 by Kristian
@Kristian: So far I doubt that it's RAR even. I'll take a look later today. If it is RAR I have no clue how Innosetup created it.
Post edited December 22, 2014 by shmerl
shmerl: @Kristian: So far I doubt that it's RAR even. I'll take a look later today. If it is RAR I have no clue how Innosetup created it.
More than one password cracking program I tried recognizes it as a RAR and WinRAR will open it but asks for a password. The problem was that several of the programs I tried turned out to be demo or trial versions. But cRARk is having a go at it now, it is currently trying 5 character passwords... so it could take a while even if it ultimately works!
Kristian: currently trying 5 character passwords... so it could take a while even if it ultimately works!
Yeah, but there's an easy way to destroy that progress...

32 random characters seeded from a pool: Name of Game :32 random characters seeded from another pool

Be far better to map what functions are being called during the install step and peek at their various input values, even if you can't identify their size/type. Reverse engineering and assembly language needed for that.
Kristian: currently trying 5 character passwords... so it could take a while even if it ultimately works!
rtcvb32: Yeah, but there's an easy way to destroy that progress...

32 random characters seeded from a pool: Name of Game :32 random characters seeded from another pool

Be far better to map what functions are being called during the install step and peek at their various input values, even if you can't identify their size/type. Reverse engineering and assembly language needed for that.
Sure, you are absolutely right. But someone else will have to attempt that route because it is beyond my technical abilities.
My gut feeling says that brute forcing is not going to help. The password could well be 127 bytes of random generated individually for each new version of each game.

The only way to get it would be to pull it from the installer, and doing this in an automated fashion could be challenging with variable versions of the software creating them, etc. Not to even mention that they probably obfuscate it to make it hard.
vv221: Just found out that InnoSetup is open-source. Could that help us to find out how the password-protected archives are handled?

Here is the github repo:
https://github.com/jrsoftware/issrc
shmerl: Thanks for the pointer. That can probably help. I'll take a look when I have time. On a side note, who writes this in Pascal these days??

One thing is confusing however - there is no open source RAR compressor. So how can Innosetup create RAR packages? Maybe it's a confusion and that thing is not RAR at all? Their site mentions this:
Includes integrated support for "deflate", bzip2, and 7-Zip LZMA/LZMA2 file compression.
Support for digitally signed installs and uninstalls.
shmerl: I'll dig into it a bit later.
For the benefit of people in this thread, I'll point out that dscharrer responded to you on GitHub by pointing out that it unpacks an "unrar.dll" as a temporary file.

To me, that suggests they scripted InnoSetup to unpack unrar.dll and then call it to unpack a RAR/BIN file they generated independently from InnoSetup.

(Which would make sense if Larian sent GOG that RAR and said "Here's the DLL, here's the password, here's the content. Wrap them up in your installer.")

If that's the case, I think I remember someone saying that InnoUnp.exe unpacks InnoSetup stuff so well that you can use the output to regenerate the installer. Look through the InnoUnp.exe output to see if you can find the password embedded, in the clear, in one of the install control scripts.
Post edited December 23, 2014 by ssokolow
shmerl: @Kristian: So far I doubt that it's RAR even. I'll take a look later today. If it is RAR I have no clue how Innosetup created it.
Here is the command that led me to think it should be a RAR archive:
dave@HAL9000:~/bureau$ file setup_the_bards_tale_2.1.0.9.bin
setup_the_bards_tale_2.1.0.9.bin: RAR archive data, v3e,
-----

ssokolow: To me, that suggests they scripted InnoSetup to unpack unrar.dll and then call it to unpack a RAR/BIN file they generated independently from InnoSetup.

(Which would make sense if Larian sent GOG that RAR and said "Here's the DLL, here's the password, here's the content. Wrap them up in your installer.")
Seeing that there are multiple installers using these password-encrypted RAR archives, I doubt it is done on the developer part. To me it looks more like GOG has changed its way to package InnoSetup installers.

ssokolow: If that's the case, I think I remember someone saying that InnoUnp.exe unpacks InnoSetup stuff so well that you can use the output to regenerate the installer. Look through the InnoUnp.exe output to see if you can find the password embedded, in the clear, in one of the install control scripts.
Sadly, like I said earlier, innounp failed to extract these password-encrypted installers.
Post edited December 23, 2014 by vv221
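Added example, not part of any post in this thread: the format question raised above ("is the .bin really RAR?") can be settled by reading the signature and, for the RAR 1.5-4.x layout, the main archive header flag that marks encrypted block headers. The function name `inspect_rar` and the sample byte strings are constructed for illustration; they are not taken from any GOG installer.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature
MAIN_HEAD = 0x73                        # RAR4 main archive header type
MHD_PASSWORD = 0x0080                   # RAR4 flag: block headers are encrypted


def inspect_rar(data: bytes) -> dict:
    """Classify a buffer by RAR signature; for RAR4, read the main header flags.

    headers_encrypted is True/False for a readable RAR4 main header and
    None when it cannot be determined from this simple check.
    """
    if data.startswith(RAR5_MAGIC):
        return {"format": "rar5", "headers_encrypted": None}
    if not data.startswith(RAR4_MAGIC):
        return {"format": None, "headers_encrypted": None}
    # Main header follows the marker: CRC16, type, flags, size (little-endian).
    hdr = data[len(RAR4_MAGIC):len(RAR4_MAGIC) + 7]
    if len(hdr) < 7:
        return {"format": "rar4", "headers_encrypted": None}  # truncated input
    _crc, head_type, flags, _size = struct.unpack("<HBHH", hdr)
    if head_type != MAIN_HEAD:
        return {"format": "rar4", "headers_encrypted": None}
    return {"format": "rar4", "headers_encrypted": bool(flags & MHD_PASSWORD)}


def inspect_file(path: str) -> dict:
    """Read only the first bytes of a file and classify them."""
    with open(path, "rb") as fh:
        return inspect_rar(fh.read(32))


# Constructed sample headers (CRC left as 0, which this check does not verify).
SAMPLE_ENCRYPTED = RAR4_MAGIC + struct.pack("<HBHH", 0, MAIN_HEAD, MHD_PASSWORD, 13) + b"\x00" * 6
SAMPLE_PLAIN = RAR4_MAGIC + struct.pack("<HBHH", 0, MAIN_HEAD, 0, 13) + b"\x00" * 6
SAMPLE_NOT_RAR = b"MZ\x90\x00" + b"\x00" * 28

if __name__ == "__main__":
    for name, blob in [("encrypted", SAMPLE_ENCRYPTED),
                       ("plain", SAMPLE_PLAIN),
                       ("not rar", SAMPLE_NOT_RAR)]:
        print(name, inspect_rar(blob))
```

When the header-encryption flag is set, the file list itself is unreadable without the password, not just the file contents.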
When I run Innounp on Goodbye Deponia's installer (the actual executable, not the data) I DO get some output.