The installation process goes like this: setup_<game>.exe starts another process, which in turn calls a method from unrar.dll which actually unpacks the data. The method that gets the password was already discovered by others using OllyDbg; it's called CryptProtectMemory, but I'm trying to reproduce that using winedbg. How exactly can I set a breakpoint if that DLL is loaded only later?
I tried doing something like this:
1. Launching the installer (it goes until the language selection dialog)
Code:
wine setup_deponia_2.2.0.8.exe
Code:
winedbg
Wine-dbg>info process
pid threads executable (all id:s are in hex)
00000021 2 'explorer.exe'
0000000e 7 'services.exe'
0000001a 3 \_ 'plugplay.exe'
00000012 4 \_ 'winedevice.exe'
00000008 1 'setup_deponia_2.2.0.8.exe'
00000024 1 \_ 'setup_deponia_2.2.0.8.tmp'
Wine-dbg>attach 0x24
0xf778fd5e: int $0x80
Wine-dbg>break CryptProtectMemory
No symbols found for CryptProtectMemory
Unable to add breakpoint, will check again when a new DLL is loaded
Wine-dbg>c
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
No symbols found for CryptProtectMemory
Original discussion on GOG: https://www.gog.com/forum/general/on_gn ... installers