Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Reply
Thread Tools Search this Thread Display Modes
Old 30th September 2011, 14:43   #1
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
How to prevent files extraction from an Installer created with NSIS?

Hi there,

I am pretty happy with NSIS, but i'd wish to avoid to extract the files directly from the Installer EXE. I've serched the Forums and the web without success.

Is it possible to prevent files extraction? if YES, then how?
If NO, then how can I simply encrypt my files inside the Installer EXE using some script lines within the *.nsi file, and WITOUT using a thrid-party software to run properly the Installer?

Thanks in advance,
within
within is offline   Reply With Quote
Old 30th September 2011, 15:27   #2
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
It is possible, but you have to rebuild NSIS. All NSIS instructions have an opcode and all you need to do is change the opcode of the File instruction so that e.g. 7-zip does not find any.

Stu
Afrow UK is offline   Reply With Quote
Old 2nd October 2011, 05:07   #3
T.Slappy
Major Dude
 
T.Slappy's Avatar
 
Join Date: Jan 2006
Location: Slovakia
Posts: 531
Send a message via ICQ to T.Slappy
Do not put files into setup.exe but at first put them into archive with password, then extract that archive $PLUGINDIR or $TEMP and unpack files into final destination.
It may be slow to unpack huge archives but no special software/script is needed.

Cool looking installer with custom design: www.graphical-installer.com
I offer NSIS scripting, C/C++/C#/Delphi programming: www.unsigned.sk
Develop NSIS projects in Visual Studio 2005-2019: www.visual-installer.com
or RAD Studio 2009, 2010, XE-10.3 Rio: www.rad-installer.com
T.Slappy is offline   Reply With Quote
Old 2nd October 2011, 06:41   #4
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
Quote:
Originally Posted by T.Slappy View Post
Do not put files into setup.exe but at first put them into archive with password, then extract that archive $PLUGINDIR or $TEMP and unpack files into final destination.
This does NOT work. The password is stored in plaintext in the nsi script, and the nsi script can be extracted. Anything that is long enough to be a strong password will also be easy to find by someone looking through the code.

I suppose you could try to put a lot of variable manipulations here and there, and pass those variables as the password parameter, but even then it's still relatively easy to replace the plugin / unrar.exe / 7za.exe by something that simply MessageBox's the parameters it was given. Voila instant password.
MSG is offline   Reply With Quote
Old 2nd October 2011, 19:40   #5
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,153
...or just check the 7zip command line in process explorer...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 2nd October 2011, 19:46   #6
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
You don't even need process explorer any more. You can see it in task manager on Windows 7 if you add the column.

Stu
Afrow UK is offline   Reply With Quote
Old 3rd October 2011, 07:57   #7
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
Thanks to all of you for your comments and possible solutions.

Password solution might be easy to do, but quite "useless" if I read your comments...
Rebuild NSIS? not sure if it's a good idea...

I've gathered some information from wiki, and the NSIS resources pages and it seems I can use the password way with encryption. Seems a plug-in is necessary for compress/decompress. The thing is: I'd like to avoid special requirements for the installer to be run properly. I mean, I just wish the installer can run without any third parties to be installed first. I admit the encryption docs I've read aren't clear for me...
within is offline   Reply With Quote
Old 3rd October 2011, 09:43   #8
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
What's wrong with rebuilding NSIS?

Stu
Afrow UK is offline   Reply With Quote
Old 3rd October 2011, 09:46   #9
DrO
 
Join Date: Sep 2003
Posts: 27,873
wouldn't making the installer use bzip compression block 7zip accessing the installer without the need to rebuild NSIS itself? (i know that used to be the way to do what seems to be asked).

-daz
DrO is offline   Reply With Quote
Old 3rd October 2011, 09:49   #10
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Ah yes I forgot about that. It does work indeed. The only downside is the poorer compression.

Stu
Afrow UK is offline   Reply With Quote
Old 3rd October 2011, 11:43   #11
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
Quote:
Originally Posted by DrO View Post
wouldn't making the installer use bzip compression block 7zip accessing the installer without the need to rebuild NSIS itself? (i know that used to be the way to do what seems to be asked).

-daz
iirc the latest 7-zip builds also extracts bzip compressed installers

edit: it does, see screenshot
Attached Thumbnails
Click image for larger version

Name:	Bildschirmfoto.png
Views:	502
Size:	12.5 KB
ID:	49191  
Yathosho is offline   Reply With Quote
Old 3rd October 2011, 11:51   #12
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
Quote:
Originally Posted by Afrow UK View Post
What's wrong with rebuilding NSIS?

Stu
I am not aware of doing it. Furthermore, I am not sure what do do then...
within is offline   Reply With Quote
Old 3rd October 2011, 11:53   #13
DrO
 
Join Date: Sep 2003
Posts: 27,873
Yathosho: *shrugs* wasn't aware of that having changed and from a quick try that seems to be true.

-daz
DrO is offline   Reply With Quote
Old 3rd October 2011, 12:02   #14
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
btw, here's the original post in which the extraction of files has been discussed

Quote:
Originally Posted by DrO View Post
Yathosho: *shrugs* wasn't aware of that having changed and from a quick try that seems to be true.
happened with 9.x, presumably 9.16 ("NSIS support was improved")
Yathosho is offline   Reply With Quote
Old 3rd October 2011, 12:19   #15
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
found this post, but can't figure out a solution... dumb me
within is offline   Reply With Quote
Old 3rd October 2011, 12:46   #16
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
it seems to me there's no secure way of protecting your files, but rebuilding NSIS comes closest. i think there are some valid points why it's ultimately pointless, but maybe you can describe your situation a bit better. what exactly are you trying to protect - and why?
Yathosho is offline   Reply With Quote
Old 4th October 2011, 05:04   #17
T.Slappy
Major Dude
 
T.Slappy's Avatar
 
Join Date: Jan 2006
Location: Slovakia
Posts: 531
Send a message via ICQ to T.Slappy
Quote:
Originally Posted by Afrow UK View Post
What's wrong with rebuilding NSIS?

Stu
Regular people do not like compiling and building software before they want to use it
This is Linux speciality.
Also 99% NSIS users has no time/resources/knowledge to rebuild NSIS from sources!

Cool looking installer with custom design: www.graphical-installer.com
I offer NSIS scripting, C/C++/C#/Delphi programming: www.unsigned.sk
Develop NSIS projects in Visual Studio 2005-2019: www.visual-installer.com
or RAD Studio 2009, 2010, XE-10.3 Rio: www.rad-installer.com
T.Slappy is offline   Reply With Quote
Old 4th October 2011, 08:45   #18
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
Quote:
Originally Posted by Yathosho View Post
it seems to me there's no secure way of protecting your files, but rebuilding NSIS comes closest. i think there are some valid points why it's ultimately pointless, but maybe you can describe your situation a bit better. what exactly are you trying to protect - and why?
There are 2 reasons to limit file extracttion:
- first, we do provide a kind of license, that just says "you are aware of what you do... bla bla bla... and only you can use this software... bla bla bla". This softare is not ment to be widely spread, but only given to dedicated people according to a contract they have to sign. Thus, the license is here to remind them. If extraction is possible, it means the software can be available to everyone, even if they didn't sign the contract before and without agreement.
- we also provide the software and some sources. we don't wish this sources to be available without the above agreement and the ability to be given to third parties.


I believe compressing and encrypt the file and then package it into the installer is maybe the best solution. I just need to find out how!
within is offline   Reply With Quote
Old 4th October 2011, 12:28   #19
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
you will have to encrypt your file with a 3rd party app. nsis can deal with several encryption algorithms, but i haven't found a way to decrypt a file without relying on a 3rd party tool (which, as mentioned, can easily be intercepted). so the passing of the password is the real weak spot.

if the files don't exceed the strlen, i guess you could read the file into the buffer and let one of the plugins decrypt it there.

http://nsis.sourceforge.net/NsisCrypt_plug-in
http://nsis.sourceforge.net/Blowfish_plug-in

i'm not an expert on encryption/decryption, there might still be a weak spot. i'm sure there are commercial solutions to deal with that.
Yathosho is offline   Reply With Quote
Old 4th October 2011, 12:32   #20
Yathosho
Forum King
 
Yathosho's Avatar
 
Join Date: Jan 2002
Location: AT-DE
Posts: 3,363
i'm wondering... suppose the 7-zip plugin for nsis would support commandline instructions (such as passing a password), could that password be intercepted as it can be done when using 7za.exe? can this password be extracted when using that old 7-zip 4.40 beta which could extract (portions of) the .nsi file?
Yathosho is offline   Reply With Quote
Old 4th October 2011, 13:13   #21
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
Interesting comments Yathosho. I may have to rethink some things...
within is offline   Reply With Quote
Old 4th October 2011, 13:46   #22
MSG
Major Dude
 
Join Date: Oct 2006
Posts: 1,892
Quote:
Originally Posted by Yathosho View Post
i'm wondering... suppose the 7-zip plugin for nsis would support commandline instructions (such as passing a password), could that password be intercepted as it can be done when using 7za.exe? can this password be extracted when using that old 7-zip 4.40 beta which could extract (portions of) the .nsi file?
Any string is visible, as far as I know. But like I said before, you can simply replace the plugin dll, and still get the password that way.
MSG is offline   Reply With Quote
Old 6th October 2011, 06:41   #23
within
Junior Member
 
Join Date: Aug 2008
Posts: 19
Thanks to all of you for comments and remarks. Interesting subject, but we'd deceided to drop down this idea. We'd rather seperate the Installer into 2: one for application itself, and one for sources (SDK) on the other side.
within is offline   Reply With Quote
Old 3rd January 2012, 01:11   #24
Brizz
Junior Member
 
Join Date: Dec 2011
Posts: 1
I have searched all over--and asked on other forums.

...This thread is what shows up in Google--and I imagine there are others that also want this..

I'm willing to edit source--and compile. ...not complete newb--but def can't sit down and code stuff from scratch.

I want to prevent NSIS executables from being able to be extracted (at least prevent it from being done simply...).

If someone knows--can you please point me to where I would find this in the source..and what exactly I would need to modify. ...would be VERY much appreciated..
Brizz is offline   Reply With Quote
Old 4th January 2012, 16:30   #25
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
You need to modify exehead\fileform.h. Insert a dummy enum value name just before EW_EXTRACTFILE (this ensures File gets a new opcode). E.g.
code:
EW_WHYDIDNTITHINKOFTHISDOH,
EW_EXTRACTFILE,

Stu
Afrow UK is offline   Reply With Quote
Old 18th June 2012, 18:15   #26
isawen
Junior Member
 
Join Date: Jan 2010
Posts: 39
Why NSIS is not released with opcode changed?

Quote:
Originally Posted by Afrow UK View Post
You need to modify exehead\fileform.h. Insert a dummy enum value name just before EW_EXTRACTFILE (this ensures File gets a new opcode). E.g.
code:
EW_WHYDIDNTITHINKOFTHISDOH,
EW_EXTRACTFILE,

Stu
Hi Afrow,

If this idea is good, why NSIS is not released with the opcode changed?
Compiling it is just to an easy task for me.

isawen is offline   Reply With Quote
Old 18th June 2012, 20:08   #27
Afrow UK
Moderator
 
Afrow UK's Avatar
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
Because then 7-zip could be modified to decompile installers using the new opcode which would defeat the purpose.

Stu
Afrow UK is offline   Reply With Quote
Old 18th June 2012, 23:19   #28
isawen
Junior Member
 
Join Date: Jan 2010
Posts: 39
Compiling NSIS

Quote:
Originally Posted by Afrow UK View Post
Because then 7-zip could be modified to decompile installers using the new opcode which would defeat the purpose.

Stu
Hard stuff compiling the NSIS even with the metioned prerequisites. I give up trying to compile it.

isawen is offline   Reply With Quote
Old 21st August 2015, 07:49   #29
T.Slappy
Major Dude
 
T.Slappy's Avatar
 
Join Date: Jan 2006
Location: Slovakia
Posts: 531
Send a message via ICQ to T.Slappy
Quote:
Originally Posted by isawen View Post
Hi Afrow,

If this idea is good, why NSIS is not released with the opcode changed?
Compiling it is just to an easy task for me.
What about releasing NSIS with some binary module? My idea:

code:
The EW_ enum values will not be defined at NSIScompile time (compile_machine) but in some binary file at make_machine.
When someone installs NSIS on his machine (make_machine) the binary file will be created with random order of EW_ enum.
When makensis.exe is run it reads the binary file and builds the resulting installer.
SO every NSIS installation can have different EW_ enum so it is be complicated for 7zip to unpack such generated installer.


Cool looking installer with custom design: www.graphical-installer.com
I offer NSIS scripting, C/C++/C#/Delphi programming: www.unsigned.sk
Develop NSIS projects in Visual Studio 2005-2019: www.visual-installer.com
or RAD Studio 2009, 2010, XE-10.3 Rio: www.rad-installer.com
T.Slappy is offline   Reply With Quote
Old 21st August 2015, 09:49   #30
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,153
Quote:
Originally Posted by T.Slappy View Post
What about releasing NSIS with some binary module? My idea:

code:
The EW_ enum values will not be defined at NSIScompile time (compile_machine) but in some binary file at make_machine.
When someone installs NSIS on his machine (make_machine) the binary file will be created with random order of EW_ enum.
When makensis.exe is run it reads the binary file and builds the resulting installer.
SO every NSIS installation can have different EW_ enum so it is be complicated for 7zip to unpack such generated installer.

The difficult part would be patching the exehead when compiling, after all, if we embed the EW_ file as a resource it can just be extracted...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 21st August 2015, 17:29   #31
T.Slappy
Major Dude
 
T.Slappy's Avatar
 
Join Date: Jan 2006
Location: Slovakia
Posts: 531
Send a message via ICQ to T.Slappy
Quote:
Originally Posted by Anders View Post
The difficult part would be patching the exehead when compiling, after all, if we embed the EW_ file as a resource it can just be extracted...
Embedding the EW_ file in makensis.exe or directly in generated installer?
I think if it is embedded in makensis then it will become invisible in generated .exes (but 7zip author still can download the makensis and look at it - this is why I prefer random values).

I started to play with makensis and disassembler and I got another idea:
Enums in C++ are translated as integers => every enum occurrence in source files is (during compilation) replaced by some int value.

What if I find that integer value (e.g. EW_EXTRACTFILE it is 20) and replace it with different?
In disasm that is only instruction like mov reg, 0x0000value.

So I could find e.g. EW_CHDETAILSVIEW and replace it with EW_EXTRACTFILE values.

This should, work, shouldn't it? Is single change enough?

Cool looking installer with custom design: www.graphical-installer.com
I offer NSIS scripting, C/C++/C#/Delphi programming: www.unsigned.sk
Develop NSIS projects in Visual Studio 2005-2019: www.visual-installer.com
or RAD Studio 2009, 2010, XE-10.3 Rio: www.rad-installer.com
T.Slappy is offline   Reply With Quote
Old 21st August 2015, 18:04   #32
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,153
Thumbs down

No matter how you look at it you need to replace the values used in the generated installer, in both the exehead instruction decoder which is just a big switch statement and also in the instructions generated by makensis. The last part is easy of course, the tricky part is changing the exehead, you cannot just use a simple search and replace. MakeNSIS would have to know the offset of the switch statement inside the exehead stub and even then it is tricky. The C compiler is free to generate a jump table for the switch or just a bunch of "if" branches. When you also take into account that we have multiple exeheads (12 in NSIS v3, even more if you count the special builds and 64-bit) and these exeheads can be compiled with all the different compilers we support: VC6, VC2003...2015 + GCC on Windows and cross compiling on POSIX plus the unofficial support for Borland C++ etc. you can see that supporting this if it is not automated would be impossible.

I'll finish with a personal statement (which may not represent the views of the NSIS project nor its other contributors): I personally like the fact that 7zip is able to decompress our installers. Sometimes it is handy to just grab the single file you need instead of having a installer spew stuff all over the place without knowing if it will clean up everything again when you uninstall. It would be sad if we lost the freedom to open NSIS, Inno and MSI installers to inspect their contents...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 22nd August 2015, 01:21   #33
JasonFriday13
Major Dude
 
JasonFriday13's Avatar
 
Join Date: May 2005
Location: New Zealand
Posts: 879
This is a cool idea from a programmers perspective, but I share the view with Anders. I like being able to open up an nsis installer and extract a file or two that I need.

Adding some sort of randomizing algorithm would appeal to crack writers as it would hide all the code and files from the user. This kind of goes against the philosophy of open source software, where everyone should be able to view and use the software and its source code with a fair amount of freedom.

There is nothing stopping you from forking the codebase and writing in this functionality yourself.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
JasonFriday13 is offline   Reply With Quote
Old 22nd August 2015, 07:21   #34
T.Slappy
Major Dude
 
T.Slappy's Avatar
 
Join Date: Jan 2006
Location: Slovakia
Posts: 531
Send a message via ICQ to T.Slappy
Quote:
Originally Posted by JasonFriday13 View Post
This is a cool idea from a programmers perspective, but I share the view with Anders. I like being able to open up an nsis installer and extract a file or two that I need.

Adding some sort of randomizing algorithm would appeal to crack writers as it would hide all the code and files from the user. This kind of goes against the philosophy of open source software, where everyone should be able to view and use the software and its source code with a fair amount of freedom.

There is nothing stopping you from forking the codebase and writing in this functionality yourself.
My first idea was to provide all users an option to make an NSIS installer safer.

OK, at the beginning it can be in standard order of EW_s and it can be randomized later when user chose to -let's have an option for this.

This was intended as new feature (discussion) for all users which could help many commercial projects to choose NSIS.

For me it suits recompiling NSIS with changing EW_ in the .h file.

Cool looking installer with custom design: www.graphical-installer.com
I offer NSIS scripting, C/C++/C#/Delphi programming: www.unsigned.sk
Develop NSIS projects in Visual Studio 2005-2019: www.visual-installer.com
or RAD Studio 2009, 2010, XE-10.3 Rio: www.rad-installer.com
T.Slappy is offline   Reply With Quote
Old 23rd August 2015, 02:18   #35
JasonFriday13
Major Dude
 
JasonFriday13's Avatar
 
Join Date: May 2005
Location: New Zealand
Posts: 879
Quote:
Originally Posted by T.Slappy View Post
My first idea was to provide all users an option to make an NSIS installer safer.

OK, at the beginning it can be in standard order of EW_s and it can be randomized later when user chose to -let's have an option for this.
I think that making this option script configurable is a bad idea for end users, as Joe Bloggs can add security to their installer even though it's only 200kb in size. Then if they lose all their data and the installer is the only part left, they can't do anything with it because the codes aren't in the default order. For companies see below.

Quote:
Originally Posted by T.Slappy View Post
This was intended as new feature (discussion) for all users which could help many commercial projects to choose NSIS.

For me it suits recompiling NSIS with changing EW_ in the .h file.
If a company really wants some security in their nsis installer, there is nothing stopping them from randomizing the values and compiling the source themselves. This lends itself well to automation, as the .h file can be automatically generated with random values, compiled, and then the resulting makensis.exe is used to build the installer.

For the standard user, I don't think security is a big enough problem. When you start getting into companies that use NSIS, it's not really a big deal to compile the source with a random set of values. I can change the values around in the .h file myself if I wanted to, but I don't see the need (I like to compile the 64 bit version as well during my coding experiments).

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
JasonFriday13 is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump