This is a bunch of astrological programs in one executable – setup.exe (47 MB). It’s called Win*Writer 2.04 by Matrix Software Inc., 2001. When setup.exe runs, it creates a separate directory with different .exe and other files. But before the installation is complete, it asks for the name and password for each astrological program (there are dozen of them in the installation file). If the password is right, it creates a license file, and that particular program can be used.
Now, I couldn’t unpack setup.exe by any unpackers, some of which say it’s not a valid PE file.
Under File Monitor it shows that only one process working when start setup.exe – that is ntvdm.exe. Through this process (ntvdm.exe) all other files are created or accessed. Some of the files created or accessed are .tmp files in WINNT directory, or in the newly created directory for Win*Writer. They, .tmp, are not removed after the installation is complete.
Setup.exe doesn’t work under debugger. If to attach Olly to ntvdm.exe process after it starts, it shows, that up to 4 threads are created, and different modules, like kernel32 are accessed.
If to get to the stage where the password is asked, there is not return to the debugger, not any movements, or EIP changes – the dialog window just accepts password if it’s right, or does not accept if it’s wrong.
Could you help, please?

| Сообщение посчитали полезным:

setup.exe - it looks like this executable is a DOS-exe file actually

| Сообщение посчитали полезным: