Can I decompile an existing installer?: Difference between revisions
(Added EW_FPUTWS) |
(Added _LANG_INVALIDCRC 2.x detection) |
||
| Line 28: | Line 28: | ||
====Detection==== | ====Detection==== | ||
* 2.0rc1 [3306] _LANG_INVALIDCRC string changed | |||
* 2.35 [5459] _LANG_INVALIDCRC string changed | |||
* 2.45 PE.OptionalHeader.MajorImageVersion == [https://sourceforge.net/p/nsis/bugs/909/ 6] | * 2.45 PE.OptionalHeader.MajorImageVersion == [https://sourceforge.net/p/nsis/bugs/909/ 6] | ||
* 2.47 [r6659] & v3.0b1 [r6506] String: InitiateShutdownA/W | * 2.47 [r6659] & v3.0b1 [r6506] String: <code>InitiateShutdownA</code>/<code>W</code> | ||
<!-- * [r5975] OptionalHeader.DllCharacteristics sets TS_AWARE --> | <!-- * [r5975] OptionalHeader.DllCharacteristics sets TS_AWARE --> | ||
* A Unicode stub imports <code>CreateFileW</code> and other wide API functions. Theses stubs support EW_FPUTWS and EW_FGETWS. | * A Unicode stub imports <code>CreateFileW</code> and other wide API functions. Theses stubs support EW_FPUTWS and EW_FGETWS. | ||
| Line 35: | Line 37: | ||
* 2.47 [r6658] & 3.0b3 [r6657] SetFileSecurityA/W | * 2.47 [r6658] & 3.0b3 [r6657] SetFileSecurityA/W | ||
* 2.51 [r6719] & 3.0b3 [r6706] String: <code>CLBCATQ</code> | * 2.51 [r6719] & 3.0b3 [r6706] String: <code>CLBCATQ</code> | ||
* 3.0rc1 [r6721] StringTable: <code>$TEMP | * 3.0rc1 [r6721] StringTable: <code>$TEMP\$1u_.exe</code> changed to <code>$TEMP\Un_$1.exe</code>. | ||
<!-- * 3.0b1 [r6537] Changed default DllCharacteristics to TS_AWARE+NO_SEH+NX_COMPAT+DYNAMIC_BASE (Do not use these for version detection). --> | <!-- * 3.0b1 [r6537] Changed default DllCharacteristics to TS_AWARE+NO_SEH+NX_COMPAT+DYNAMIC_BASE (Do not use these for version detection). --> | ||
* 3.02 [r6839] ShellExecuteA/W has been replaced by ShellExecuteExA/W. | * 3.02 [r6839] ShellExecuteA/W has been replaced by ShellExecuteExA/W. | ||
Revision as of 22:22, 12 April 2017
About
Currently NSIS installers cannot be fully decompiled. The installer itself doesn't provide any method to extract files or the script without installation. It is the developer's choice whether the source code and/or the files for the installer are available to the public or not.
Extraction Tools
There are, however, external tools that allow this:
- Since version 4.42[may 2006] 7-zip supports decompressing NSIS installers.
Since version 9.34 [Jun 2014] 7-zip is also able to extract the compiled scriptcode. - The decompression plug-in InstallExplorer InstExpl.wcx is also available for TotalCommander. Beside the files it'll create the file 'script.bin' compiled scriptcode.For use without the TotalCommander the Universal Extractor is a good option.
Well since [Feb 2014] InstExpl suffers from problems naming file names and dirs correctly that were created with NSIS 3. That's because the implementation GetNSISString() was slightly changed so names like $INSTDIR, $PROGRAMFILE ... inside strings are not expanded correctly.
Decompilers
- 7-zip Since version 9.34 [Jun 2014] it'll extract *beside the files of the setup* the compiled script code to a file named [NSIS].nsi
- NullsoftDecompiler or NSIDis
NSIDis is a open source Python script that'll help you to nearly fully recover your NSIS-installation scripts. Its state is currently alpha - and so not very user friendly and stable. - NsisDecompiler
Protection against Decompilers
As a general note to software developers, you should use a plugin like DCryptDll if you need to protect certain files in your installer.
.. or if ya in the mood for compiling the NSIS have a look into nsis-3.xx-src\Source\exehead\fileform.h. Mixing up the order of the enum with all the EW_* a little bit as recommend in the Comment. It will mess up decompilers output that expect these tokes to be in the standard order.
Or shift or enlarge the .reloc section in the PE-header by 0x400. <-I saw that trick @ some old 'conduit'-adwareinstaller. Inserting so fill bytes between the EOF-exe at the start of the script might also do the trick to stop 7-zip and maybe some Antiviruses.
Technical Details
Detection
- 2.0rc1 [3306] _LANG_INVALIDCRC string changed
- 2.35 [5459] _LANG_INVALIDCRC string changed
- 2.45 PE.OptionalHeader.MajorImageVersion == 6
- 2.47 [r6659] & v3.0b1 [r6506] String:
InitiateShutdownA/W - A Unicode stub imports
CreateFileWand other wide API functions. Theses stubs support EW_FPUTWS and EW_FGETWS. - 2.47 [r6658] & 3.0b3 [r6657] SetFileSecurityA/W
- 2.51 [r6719] & 3.0b3 [r6706] String:
CLBCATQ - 3.0rc1 [r6721] StringTable:
$TEMP\$1u_.exechanged to$TEMP\Un_$1.exe. - 3.02 [r6839] ShellExecuteA/W has been replaced by ShellExecuteExA/W.
EW_ASSIGNVAR
- 3.01 [r6810] Empty maxlen string is treated as parameter not present.
EW_CREATEDIR
- 2.51 [r6701] & 3.0b3 [r6657] parm2 = CreateRestrictedDirectory
EW_CREATESHORTCUT
- 3.0b0 [r6452] 0x8000 in parm4 will disable SetWorkingDirectory
- 3.0b3 [r6638] parm4 packing changed to support larger icon index.
EW_FPUTWS
- 3.0b3 [r6626] parm3 = TryWriteBOM
EW_SETFLAG
- 3.02 [r6841] alter_reg_view can be KEY_WOW64_32KEY in 64-bit stubs.
EW_SHELLEXEC
- 3.02 [r6839] Parameter count changed. parm4 is SHELLEXECUTEINFO.fMask and SEE_MASK_NOCLOSEPROCESS is set for ExecShellWait.
EW_WRITEREG
- 3.02 [r6829] ent.offsets[5] is REG_MULTI_SZ for WriteRegMultiStr.
