Removing Integrity Check from a Setup.exe

We had an executable installer that had a forced reboot and no option to remove it via command line. We wanted to run it through a task sequence and allow the task sequence to handle the reboot.

Following the process below the reboot was removed easily https://chentiangemalc.wordpress.com/2015/06/09/removing-forced-reboot-from-an-exe/

However this resulted in error message

NSIS Error

Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer’s author to obtain a new copy.

More information at:
http://nsis.sf.net/NSIS_Error

image

To remove the integrity check we opened EXE in IDA Pro and used Search Text function to find the error message

image

Selecting this an hitting ‘X’ we find the code using this reference:

image

Jumping to this code we can see the program jumps to this error message via loc_403889 label, so we select it and hit ‘X’ to reveal all the conditional jumps that result in an integrity check failure.

image

We select each one replacing them with bytes of value 90 (nop) which will ensure the integrity check failure code will never be reached. This is performed using IDA’s Edit –> Patch Program –> Change Byte command

The jg and jz instructions are replaced with 6 nop instructions, while the jnz short instructions are replaced with 2 nop instructions.

image

Resultant code changes will look something like this:

From:

image

to:

image

From:

image

To:

image

This process is continued until there are no more jumps to the integrity check.

Installer now launches fine:

image

Of course being a NSIS installer we could have just added /NCRC to the command line…

Next time we will look at how to retain the integrity check, but modify the checksum in installer to match our patches.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Hack, Hacking, IDA. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s