eXeLab
eXeL@B ВИДЕОКУРС !

ВИДЕОКУРС ВЗЛОМ
выпущен 12 ноября!


УЗНАТЬ БОЛЬШЕ >>
Домой | Статьи | RAR-cтатьи | FAQ | Форум | Скачать | Видеокурс
Новичку | Ссылки | Программирование | Интервью | Архив | Связь

Русский / Russian English / Английский

Сейчас на форуме: Burn_hack (+3 невидимых)
 · Начало · Статистика · Регистрация · Поиск · ПРАВИЛА ФОРУМА · Язык · RSS · SVN ·

 eXeL@B —› WorldWide —› Need help how to unpack clickteam install creator?
Посл.ответ Сообщение

Ранг: 8.5 (гость)
Статус: Участник

Создано: 30 мая 2011 05:49 New!
Цитата · Личное сообщение · #1

Can someone tell me more about unpack clickteam install creator or send me a tutorial video how to unpack it?
I read dr_golova post in --> Link <-- about unpack clickteam install creator but I don't understand what him're saying.
Hope some help me.
Regard.


Ранг: 199.6 (ветеран)
Статус: Участник
www.uinc.ru

Создано: 4 июня 2011 05:38 · Поправил: DrGolova New!
Цитата · Личное сообщение · #2

Please post a direct link to target CT installer. I think it will really help us.
And by the way, if you meant the CT installer secured by password or license key then forget about about "unpacking" - the actual package data is really encrypted by this key, and there is no quick way to get it. Unfortunately.

Ранг: 8.5 (гость)
Статус: Участник

Создано: 4 июня 2011 17:25 New!
Цитата · Личное сообщение · #3

Thank for reply. Please you make a tutorial how to extract files inside setup made by clickteam install creator.


Ранг: 199.6 (ветеран)
Статус: Участник
www.uinc.ru

Создано: 7 июня 2011 04:52 New!
Цитата · Личное сообщение · #4

I think there is no way to create a real static generic unpacker for CT (except sandbox with some AI for clicking buttons =). Authors keep whole storage format aproximately same, but heavily change file headers format in each major version, especially flags. e.g. in one version file with 0x20 flag is uninstaller data, in other version it is directory flag, in third - long file, etc.
BUT all real raw data in CT has been bundled into single compressed token (0x7f7f If I remember correctly). So if you do not need original file names, you can try blindly split this bundle into pieces by formats. But this is realy not easy task too.

If you provide me a specific example of CT file, I can try give you a small description of the format and the flags for _this_ build of CT.

Ранг: 8.5 (гость)
Статус: Участник

Создано: 7 июня 2011 05:12 New!
Цитата · Личное сообщение · #5

Please give me a small description of the format and the flags for _this_ build of CT.
--> Link example project <--


Ранг: 199.6 (ветеран)
Статус: Участник
www.uinc.ru

Создано: 9 июня 2011 05:50 · Поправил: DrGolova New!
Цитата · Личное сообщение · #6

Like most installers ClickTeam Install Creator package consists of an executable stub and compressed data.
These data usually lie in the PE overlay (just after the last section). But it's better to find a simple 6-byte data signature - {0x77, 0x77, 0x67, 0x54, 0x29, 0x48}

Right after this signature variable count of data blocks begins. Each data block has their own header:

Code:
  1. typedef struct _ct_block_header {
  2.          uint16_t block_id; // block type
  3.          uint16_t block_flags; // block flags or padding (I’m not sure)
  4.          uint32_t packed_size; // size of raw data in that block (without header)
  5. } ct_block_header;


In all cases, what I saw, after block header goes such data:

Code:
  1. typedef _ct_block_data {
  2.          uint32_t unpacked_size; // size of the uncompressed block data
  3.          uint8_t data_stream[0]; // compressed data stream (variable size)
  4. } ct_block_data;


The first byte in data_stream[] defines compression method:
0 – stored (uncompressed)
1 – deflated (zlib)
2 – bwt (bzip2)

After method byte raw compressed data stream begins.
Enough... I think that this information is more than enough for blocks enumeration

Now about block_id’s. Each block contains certain data - background wallpaper, dialogs, strings, eula, and other crap. We are only interested in these block id's (according to your sample, but id's can change from version to version):

0x143A – package files descriptors
0x143E – project descriptors
0x7F7F – files package block

I think the most significant byte of this id’s word means the installer version (0x14 == 2.0 in decimal), and low byte - real data type (for example in version 1.8 codes were 0x123A, 0x123E, 0x7F7F respectively). But I could be wrong.

NOTE: While files package block (0x7f7f) is always single, there can be several files/project blocks pairs. It means several installation types. For example you can look to click team install creator self installer - it has two descriptors pair - one for free version, second for registered (which require license for installation).

I haven't research project descriptors block (0x143E) deeply, but I think that if the second word of them is non zero, it means that this project is password/license protected (files data is encrypted).

File descriptors block (0x143A) contains all information about embedded files. First DWORD is number of file information nodes. File nodes has variable size and types (and format is changing from version to version). In your example, the file node format is approximately this:
Code:
  1. typedef _ct_file_node {
  2.          uint16_t node_size; // size of whole node
  3.          uint8_t unknown1[0x12]; // flags?
  4.          uint32_t packed_size; // size of packed data
  5.          uint32_t data_offset; // packed data offset relative to beginning of file package block
  6.          uint32_t unpacked_size; // size of unpacked file
  7. // other data (variable size)
  8. } ct_file_node;


There must be some flags in unknown1[] part of node (I don’t deal with this), they describe at least 3 types of nodes with different content/ For example some nodes contains time-data-stamp for installed file, but some not (uninstaller do not need it). This is probably the most difficult (because it changes frequently) part to reverse.

And last – file bundle block (0x7f7f). As an usual block its prefixed by 4-bytes ‘unpacked’ size (actually it’s fake – this value is same as packed size form block header). Next going a compressed streams for each file one by one. Each of them is prefixed by one byte with compression method id (see above), but the unpacked size absent (it should be taken from file descriptors block).

Sometimes there can quick hack - because zlib/bzip2 able to stop immediately after packed stream we can avoid parsing of file descriptors block, but just unpack streams one by one. Surely in that case we couldn't get real file names but only file content.

I wrote and attach a simple ‘dumper’ works following this scheme. Unfortunately, my code should fail on stored block (due to unknown size) or on first encrypted stream (due to encryption of course).

I hope this information will be useful to you. It is very boring to write such abstruse things in a foreign
language. I waste more than an hour on this post.


{ Атач доступен только для участников форума } - ct_dump_v1.0.7z

| Сообщение посчитали полезным: _ruzmaz_, skypeaful, slip


Ранг: 8.5 (гость)
Статус: Участник

Создано: 9 июня 2011 16:55 New!
Цитата · Личное сообщение · #7

Thank DrGolova
Your method is very good but how can we know exactly the name of the files after unpacked?


Ранг: 199.6 (ветеран)
Статус: Участник
www.uinc.ru

Создано: 9 июня 2011 17:28 New!
Цитата · Личное сообщение · #8

> Your method is very good but how can we know exactly the name of the files after unpacked?

Reverse files descriptors block (0x143A) and grab names from file nodes
I can't say more specifically - file nodes format changes from version to version. Now I too lazy to deal with this.

Ранг: 8.5 (гость)
Статус: Участник

Создано: 9 июня 2011 18:32 · Поправил: skypeaful New!
Цитата · Личное сообщение · #9

Thank. I can get the file name
But there are many file from file0000.bin to file0040.bin. How can we know what is the name for the file?
Example: file0000.bin change to comdlg32.ocx or ApiLoader.exe, ...
 eXeL@B —› WorldWide —› Need help how to unpack clickteam install creator?

Оригинальный DVD-ROM: eXeL@B DVD !

Вы находитесь на форуме сайта EXELAB.RU
Проект ReactOS