Old 4th May 2006, 13:33   #1
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
7zip now allows to extract installers

Quote:
Release Name: 4.40 beta

Notes:

--------------------------------------------------------------------------------
Changes:
- 7-Zip now can unpack some installers created by NSIS
- New localization: Kurdish
- Some bugs were fixed
Is there a way to protect the source from being extracted and so on because this is really no longer safe to use.

If this happens, Afrow UK passdialog.dll will not be useful anymore since it can be extracted instead entering username and password.

Last edited by rxs2k5; 4th May 2006 at 14:12.
rxs2k5 is offline   Reply With Quote
Old 4th May 2006, 14:27   #2
kichik
M.I.A.
[NSIS Dev, Mod]
 
kichik's Avatar
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
You can mix up the EW_* values in Source\exehead\fileform.h and recompile.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
kichik is offline   Reply With Quote
Old 4th May 2006, 15:17   #3
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
where is this fileform.h and how to edit it to EW_* can u show more examples.

thanks for replying The Head Developer Of NSIS
rxs2k5 is offline   Reply With Quote
Old 4th May 2006, 18:57   #4
Koopa
16-Bit Moderator
 
Koopa's Avatar
 
Join Date: Apr 2004
Posts: 4,341
There is already a thread about the new 7-Zip feature:

Link
Koopa is offline   Reply With Quote
Old 5th May 2006, 12:51   #5
ggf31416
Junior Member
 
Join Date: May 2006
Location: Salto, Uruguay
Posts: 7
Quote:
Originally posted by rxs2k5
where is this fileform.h
Download the Source Code: NSIS Download Page . The fileform.h is located in nsis-2.16-src\Source\exehead\
ggf31416 is offline   Reply With Quote
Old 5th May 2006, 14:10   #6
guest_dude
Guest
 
Posts: n/a
Quote:
Originally posted by kichik
You can mix up the EW_* values in Source\exehead\fileform.h and recompile.
Release notes for 2.16 has an item that says:
* Changing Source/exehead/fileform.h to alter the internal structure of installers is no longer enough....

There seems to be a contradiction here, could you please clarify the issue?
  Reply With Quote
Old 5th May 2006, 16:22   #7
potska
Junior Member
 
Join Date: May 2006
Posts: 3
Installers must be possible to unpack, example i hate installers from people who bundle spyware, now i can unpack directly THATS ALL.
potska is offline   Reply With Quote
Old 5th May 2006, 16:34   #8
CraigF
Passionately Apathetic
Administrator
 
CraigF's Avatar
 
Join Date: May 2000
Location: Hell
Posts: 5,435
Agreed.

CraigF is offline   Reply With Quote
Old 5th May 2006, 16:53   #9
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
Quote:
Originally posted by potska
Installers must be possible to unpack, example i hate installers from people who bundle spyware, now i can unpack directly THATS ALL.
well that's the good thing about the unpack.... but you will have to think if this happens, the author which wants to protect his/her installer or to hide their hard copy script from some other people from leeching making it as their work.

Plus bundle spywares, you would have been able to find those later, and mostly people do not really include spywares especially those who uses username and passwordto protect the installer for private usage. If username and password is required there's no way a installer will have spyware in it because its the original work.
rxs2k5 is offline   Reply With Quote
Old 5th May 2006, 17:34   #10
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
I don't see in what way this is a threat to the PassDialog plugin. As far as I know, the unpacker only unpacks files and nothing more. How can anyone use it to access hard coded passwords in your installer? The username or passwords aren't stored in passdialog.dll... so what is the problem?

-Stu
Afrow UK is offline   Reply With Quote
Old 5th May 2006, 20:47   #11
Red Wine
Forum King
 
Red Wine's Avatar
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
Unpacking installers is useful only to those who want to steal other people work, in every possible way they can do it. That's it. Moreover, why they do not unpack InstallShield for example? Unpacking free and open source installers like NSIS, has the meaning of kicking out of the scene this software, it seems some are bothered, and they use others like the author of 7z to make the dirty work, in order to kick out nsis.

Quick AVI Creator - Quick and easy convert from DVD/MPEG/AVI/MKV to AVI/MP4/MKV
Quick AVI Creator entirely edited with NSIS and entirely upgraded to Unicode NSIS
Red Wine is offline   Reply With Quote
Old 5th May 2006, 21:55   #12
guest_dude
Guest
 
Posts: n/a
Quote:
Originally posted by potska
Installers must be possible to unpack, example i hate installers from people who bundle spyware, now i can unpack directly THATS ALL.
What a crap!

If a software bundles spyware, then avoid it.
If you definitely need the software without spyware/adware, then buy it.
Other ways serve nothing but freeloaders.
  Reply With Quote
Old 5th May 2006, 22:13   #13
potska
Junior Member
 
Join Date: May 2006
Posts: 3
What is different that i unpack or not, i do always this way thai i install program and copy program folder, uninstall and program is install free....
potska is offline   Reply With Quote
Old 5th May 2006, 22:24   #14
Koopa
16-Bit Moderator
 
Koopa's Avatar
 
Join Date: Apr 2004
Posts: 4,341
Quote:
What is different that i unpack or not
You don't need to agree to the licence file when you use the program.
Koopa is offline   Reply With Quote
Old 5th May 2006, 22:26   #15
venekirsa
Junior Member
 
Join Date: May 2006
Location: Russia
Posts: 3
All installers should be unpackable. I don't want installers to ruin my windows.
Program must work clearly.
venekirsa is offline   Reply With Quote
Old 5th May 2006, 22:27   #16
potska
Junior Member
 
Join Date: May 2006
Posts: 3
I never read licenses, i am country man and i dont care.
potska is offline   Reply With Quote
Old 5th May 2006, 22:28   #17
venekirsa
Junior Member
 
Join Date: May 2006
Location: Russia
Posts: 3
Quote:
Originally posted by Koopatrooper
You don't need to agree to the licence file when you use the program.
Why the hell do I need those licences. I never read them.
I collect the licences and send them to Business Software Alliance, so they can carefully read licences, which is their main work. I'm glad to help!
venekirsa is offline   Reply With Quote
Old 5th May 2006, 22:34   #18
Koopa
16-Bit Moderator
 
Koopa's Avatar
 
Join Date: Apr 2004
Posts: 4,341
Quote:
Originally posted by venekirsa
Why the hell do I need those licences. I never read them.
E.g one part of the licence file say, that the author isn't liable for all damages, wich maybe appear after using the program. You have to agree otherwise the intaller will abort.

Other licence files maybe contain important infos related to the program.

Quote:
I don't want installers to ruin my windows.
Yeah, but other people like installers, because an installer is much easier to handle for many users.

Btw, not all installers are bad.

Your posting makes no sense for me, you don't like installers, because you fear, they could destroy your system. Why are you posting then in the Nullsoft Scriptable Installer System forum?
Koopa is offline   Reply With Quote
Old 5th May 2006, 22:42   #19
venekirsa
Junior Member
 
Join Date: May 2006
Location: Russia
Posts: 3
I have another opinion on damages.
First I take programs that look good, but if program is bad and does any damage, I will throw computer out of window.
Few month ago, some program screwd up my Windows and I threw my computer againt the wall. Wall got damaged
Or else, if some programs screws up something, I will mail-bomb it's author.

There is only one use for licences. I don't want hot cooking-pan to burn my table cover, so I put can put some licence papers under the cooking-pan.
venekirsa is offline   Reply With Quote
Old 6th May 2006, 03:05   #20
dandaman32
Senior Member
 
dandaman32's Avatar
 
Join Date: Jan 2005
Location: Look behind you.
Posts: 209
My vote: no - this harms s/w developers

The problem here is that while the ability to (partially) decompile NSIS installers can prevent spyware installations and such, software developers are now at risk because their NSIS source code is partially available.

IMO: I say this feature gets booted from 7-zip. Why would anyone need to extract an NSIS installer? Yes, I understand that it can save you from spyware. But why download illicit software in the first place? Most spyware-infested programs (to name names, FlashGet or NetAnts, both of which I have used) aren't worth a dime, even without the ad banner or whatever. This only puts software developers at risk. For example I have a friend I'm working with who's writing an installer for a certain open source program (he prefers that I don't give the name). He's making it a webdownload so the installer EXE itself only maxes out at around 500kB. But he prefers to keep the URLs to his files secret, and yet I was able to decompile the installer using 7-zip and get the URLs.

One thing that I have noticed is that some strings, namely Registry entries, do not appear in the unpacked script files. Which means that the Registry key where my NSIS-based ClockLock trial system is still safe. But what if 7-zip learns to unpack the string table that has that key in it? people will start cracking my custom-built installers which will cost me a lot of money.

People, most of you are installer developers. For those of you who don't do open source development, you know that your code can be compromised by this new feature in 7-zip. And that's why I'm saying what I'm saying.

@Igor Pavlov: I am a long time user of 7-zip and I absolutely love it. Currently it's the only archive utility installed on any of my Windows machines, and I have never needed anything more. I've also used 7za in a package management system that I'm working on, and because of that the package files are very, VERY well compressed. Great job. But I feel that this ability can be harmful towards software developers and that things like licensing algorithms can be compromised by this. Therefore, I vote that you remove this feature from 7-zip.

-dandaman32

ExperienceUI for NSIS | Latest project: Enano CMS
Do not PM me on the Winamp forums, I hardly ever check my messages here; you are more likely to get my attention through the ExperienceUI forum.
dandaman32 is offline   Reply With Quote
Old 6th May 2006, 03:53   #21
Pharaoh Atem
Junior Member
 
Join Date: Feb 2006
Posts: 35
I think that there should be an obfusicator for the NSI script on NSIS now...
Pharaoh Atem is offline   Reply With Quote
Old 6th May 2006, 04:54   #22
ggf31416
Junior Member
 
Join Date: May 2006
Location: Salto, Uruguay
Posts: 7
Quote:
I think that there should be an obfusicator for the NSI script on NSIS now...
Quote:
Originally posted by kichik
You can mix up the EW_* values in Source\exehead\fileform.h and recompile.
7-zip is an archiver, not an hacking tool like the installshield and inno unpackers, so it's very unlikely that it will be able to overcome a good protection.
Modify the fileform.h and the fileform.c should work because 7-zip refuses to open archives with incorrect/non-standard headers.
Anyway if 7-zip can unpack an installer, any competent hacker can do the same without installing 7-zip. Depend of the NSIS format to protect your installer without taking any other step is the same than use Aspack or Upack without any additional tools to protect the program files.

Edit: the last 3 paragraphs.

Last edited by ggf31416; 6th May 2006 at 05:41.
ggf31416 is offline   Reply With Quote
Old 6th May 2006, 08:26   #23
galil
Member
 
Join Date: Jan 2003
Posts: 83
Instead of begging the author of 7z to remove such feature (which is too little too late anyway :P), the right answer to this could be incorporating his password protection (optional) to lzma compression of NSIS. Or no?
galil is offline   Reply With Quote
Old 6th May 2006, 09:33   #24
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
Quote:
Originally posted by Afrow UK
I don't see in what way this is a threat to the PassDialog plugin. As far as I know, the unpacker only unpacks files and nothing more. How can anyone use it to access hard coded passwords in your installer? The username or passwords aren't stored in passdialog.dll... so what is the problem?

-Stu
Well when I tested one of the installer I made compressed with Lzma, using 7zip to extract,

the source files, the dlls , the images and the nsi file which contains all the information, the username and password is being reveal in that .nsi script. So its like he can read all the available username and password in the .nsi script.

I not too sure why is it 7zip is able to create a .nsi during extracting.
rxs2k5 is offline   Reply With Quote
Old 6th May 2006, 10:24   #25
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Hmm sorry didn't realise that 7-Zip decompiled the installer as well. That is very very bad. Indeed, we should ask for this feature to be removed from 7-Zip.

One solution rxs2k5, would be to store the MD5 checksum for your passwords and usernames, rather than the passwords and usernames themselves. To get the MD5 checksum of strings, use the MD5 plugin on the Wiki. You can create a dummy installer to convert the strings to MD5 checksums, which you can then put into your main installer. When the user enters the username or password, you need to call the MD5 plugin to convert them to their MD5 checksum equivalents before comparing.

I'll add an example to my PassDialog plugin which does this.

-Stu
Afrow UK is offline   Reply With Quote
Old 6th May 2006, 12:20   #26
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
pass/user with md5 is mandatory!
if bzip2 is still protected there is no other way.
in any other case encrypt all files in a container
and put the accesskey hidden somewhere into program.
my solution uses that method and the installer is
about 150kb smaller than lzma (incl extractor!, total~4mb)
sure my mind m8 weird

Greets, Brummelchen
Brummelchen is offline   Reply With Quote
Old 6th May 2006, 12:28   #27
kichik
M.I.A.
[NSIS Dev, Mod]
 
kichik's Avatar
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
Quote:
Originally posted by guest_dude
Release notes for 2.16 has an item that says:
* Changing Source/exehead/fileform.h to alter the internal structure of installers is no longer enough....

There seems to be a contradiction here, could you please clarify the issue?
EW_* are defined in an enum, they're not part of a struct. Only struct changes must be reflected in Source/fileform.cpp.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
kichik is offline   Reply With Quote
Old 6th May 2006, 14:14   #28
dopey.ru
Guest
 
Posts: n/a
Quote:
Originally posted by Afrow UK
Indeed, we should ask for this feature to be removed from 7-Zip.
This is ridiculous.


Anyways, if any of you want to password protect your installer for your little weird reasons, why not pack the compilled installer into a passworded (with encrypt filenames option) WinRAR SFX (with options to silently unpack to $Temp and run the installer.exe). Haven't heard of anyone cracking a decent Rar password. Not sure if 7zip supports password encryption on SFXs, maybe it could be done too.
While this opensource plugins to incorporate psw protection into NSIS is of amateur level (no offense) and could be defeated very easy, doesn't matter md5 or no md5, by anyone who has a debugger and knows how to use it, even if there wasn't that 7z unpack feature.
  Reply With Quote
Old 6th May 2006, 14:39   #29
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Please explain in what way it is ridiculous?

I have added an example (EncryptionUserPass.nsi) to the PassDialog plugin which uses an MD5 checksum for username and password validation instead of the usernames and passwords themselves.
I also included a script called EncryptWithMD5.nsi which once compiled allows you to enter a string and get its MD5 checksum. The MD5DLL plugin is also required (as well as installation of the latest PassDialog.dll plugin).

http://nsis.sf.net/File:PassDialog.zip
http://nsis.sf.net/File:Md5dll.zip

-Stu
Afrow UK is offline   Reply With Quote
Old 6th May 2006, 15:56   #30
Red Wine
Forum King
 
Red Wine's Avatar
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
I guess the whole conversation offers to Mr Igor a very good free of charge publicity. Perhaps you know what has been said "you may say what you like about me as long as you spell my name right".
The fact is that until he gets cracked bzip2 as well, lzma is useless to everyone who wants to protect his work, therefore I think, kichik, perhaps you should think about kick out lzma from nsis.

Quick AVI Creator - Quick and easy convert from DVD/MPEG/AVI/MKV to AVI/MP4/MKV
Quick AVI Creator entirely edited with NSIS and entirely upgraded to Unicode NSIS
Red Wine is offline   Reply With Quote
Old 6th May 2006, 15:58   #31
Pharaoh Atem
Junior Member
 
Join Date: Feb 2006
Posts: 35
Umm, kicking out LZMA compression from NSIS would destroy the best compression available to NSIS!! It makes more sense to get 7-zip to remove that feature!
Pharaoh Atem is offline   Reply With Quote
Old 6th May 2006, 16:05   #32
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
7zip is based on lzma

@dopey - not exactly, but nearly

Greets, Brummelchen
Brummelchen is offline   Reply With Quote
Old 6th May 2006, 16:14   #33
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
Quote:
Originally posted by Afrow UK
Please explain in what way it is ridiculous?

I have added an example (EncryptionUserPass.nsi) to the PassDialog plugin which uses an MD5 checksum for username and password validation instead of the usernames and passwords themselves.
I also included a script called EncryptWithMD5.nsi which once compiled allows you to enter a string and get its MD5 checksum. The MD5DLL plugin is also required (as well as installation of the latest PassDialog.dll plugin).

http://nsis.sf.net/File:PassDialog.zip
http://nsis.sf.net/File:Md5dll.zip

-Stu
Thanks alot Afrow UK,

I was like shocked when I tested it, 7zip can really exact the entire raw data username and password out of it. I will try your method, do I still use Lzma or stick to bzip2 ???
rxs2k5 is offline   Reply With Quote
Old 6th May 2006, 16:19   #34
kichik
M.I.A.
[NSIS Dev, Mod]
 
kichik's Avatar
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
Nothing will get kicked out of nowhere. Being "uncrackable" is in no way a declared feature of NSIS. On the contrary, it's open-source. Everyone could easily "crack" it. Many anti-virus applications already open NSIS installers to check what's inside them. 7-zip is not the first to do it, it's just the first user-end utility to do this.

If you want to protect a password or a file in your installer, you shouldn't count on an open-sourced code that compresses it or encodes it. If you want to protect, you encrypt it, ask the user for a password which will be used to generate a key and use that key to decrypt the file.

Afrow UK, keeping an MD5 in the script is still not good enough because one can simply yank the MD5, put a breakpoint at the appropriate place and change the input to that MD5. To protect a password, you should take a known set of bytes, preferably random to prevent dictionary attacks, and encrypt it with the password. This way, one must enumerate all key options to successfully decrypt the content.

Note that this will not work for a simple page that blocks the user from continuing until the correct password is given. In this case, the password doesn't really matter and a simple code patch will do the trick. One could easily change the jump address of a failure check to a good jump address. Without the protected computing everyone has been talking about lately, you can't really protect a program. Everything can be cracked, you can only make it harder. How hard? Depends on how much you're willing to invest in it and what level of attacks you want to block.

You can, however, have the password decrypt a file crucial to the program, using the method mentioned above.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
kichik is offline   Reply With Quote
Old 6th May 2006, 16:21   #35
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
LZMA is fine. You will still be able to get the MD5 checksums out of it, but I'm taking a guess that it isn't possible to get the original string from an MD5 checksum.

-Stu
Afrow UK is offline   Reply With Quote
Old 6th May 2006, 16:26   #36
kichik
M.I.A.
[NSIS Dev, Mod]
 
kichik's Avatar
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
Afrow UK, just for the sake of a complete discussion:

http://it.slashdot.org/article.pl?si...49256&from=rss
http://it.slashdot.org/article.pl?sid=05/08/21/1946254
http://developers.slashdot.org/artic.../12/07/2019244
http://it.slashdot.org/article.pl?si...37232&from=rss

As I said, it's all just a matter of setting a threshold of time you're willing to invest in defending yourself.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
kichik is offline   Reply With Quote
Old 6th May 2006, 16:42   #37
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Thanks Kichik. Think I'll let other people take this a step futher if they need to

-Stu
Afrow UK is offline   Reply With Quote
Old 6th May 2006, 22:00   #38
dopey.ru
Guest
 
Posts: n/a
Quote:
Originally posted by Brummelchen

@dopey - not exactly, but nearly
Not exactly, what?
  Reply With Quote
Old 6th May 2006, 22:23   #39
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
i cannot tell you, just use your imagination ^^

Greets, Brummelchen
Brummelchen is offline   Reply With Quote
Old 7th May 2006, 00:33   #40
dopey.ru
Guest
 
Posts: n/a
I don't know what are you blabbering about.
  Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump