2. NSIS Discussion
  3. De-compile NSIS-Uninstaller

Archive: De-compile NSIS-Uninstaller


Mosestycoon
19th February 2003 11:47 UTC

De-compile NSIS-Uninstaller
Dear folks,

is there a way to decompile an unistaller package built with NSIS?

This question has a special background:
Yesterday I called the uninstaller of "myDevStudio" which IS a pretty nice tool for building *.nsi, BUT this f***ing little tool killed several systemfiles (e.g. NTDETECT.COM, NTLDR and all the funky *.sys stuff in the root-directory). It told that it did that after pressing the "details" button of the uninstaller...(and voilĂ , it did)

That's not very nice of course, because this took me about 15 minutes to re-establish my system.

No, seriously:
If this is build in the uninstaller to look, search and delete these files, this tool should be banned (AND I WILL DO THIS, E.G. POSTS IN PUBLIC FORUMS...)
and I would like to verify this, or is the uninstaller spread wide open to infect itself by a virus, and showing this under Uninstall "details".


So is there a way to check this?

Thx
Mo

Sunjammer
19th February 2003 12:54 UTC

Not really. There are now many posts in this forum about decompiling NSIS installers (this applies to uninstallers too).

NSIS itself won't do what you've reported, those actions will have been performed by NSIS because the script writer asked it to.

As for a virus, well I've never heard of anything that targets NSIS installers, and to be honest I'd be suprised if NSIS is high profile enough to attract that kind of attention.

As has been said *many* times before on this forum you cannot decompile an NSIS installer unless you have a tool to do so, and that tool does not exist because it would need to be able to understand the binary generated by many different versions of NSIS (which has changed considerably over time) and also would need to be psychic because it would need to potentially also understand NSIS installers that were built from modified NSIS source (it is open source remember).

Joost Verburg
19th February 2003 13:08 UTC

Where did you download myDevStudio? From the website of the author?

Looks like a serious issue, you should contact the author.

Mosestycoon
19th February 2003 13:15 UTC

So we can point out, that this "feature" MUST be programmed and can't be manipulated elsewhere (e.g. virus, etc.).

That's fine because I don't know if anybody ever had this too.

I had it and I am not very pleased about a uninstaller trying to kill my system. (WinXP Pro on NTFS). Maybe somebody has had the same effect? Otherwise be warned! Think we should post this in archive too.

"Running myDevStudio-uninstaller can kill your system! (Perhaps this is M$'s fault :-)"

Is there anybody who wants to verify this? (I think nobody does)

Thx Sunjammer

The dam**d URL [http://mydevstudio.cjb.net/]


------[edited]

JOST:

I downloaded via NSIS.ARCHIVE, I took the link...

You think this is a "Versehen" (don't know the english word for that).

Really I don't like to contact him...
I would like to post it in several forums... :-)
(e.g. heise.de, securitytracker.com, etc. think this would be very nice

------

Sunjammer
19th February 2003 13:18 UTC

Well like any other program if someone were to hexedit it they might be able to make it do other things, but that can be checked by doing a crc check with a download that the author considers to be virus free. Any random hex editing would likely cause the installer to crash rather than change it's behaviour anyway.

I think you should contact the authors before posting something somewhere else. The official site is at http://www.vvvsoft.com/ds/index.html. It might not be their fault, or it might be an unknown bug, either way the authors should be given a chance to rectify the problem before you flame them (IMO).

Mosestycoon
19th February 2003 13:21 UTC

OK, this way you like it....
Think I'm a bit upset now! So now in my way I knew what to do, my little sister wouldn't :-)

Mosestycoon
19th February 2003 13:22 UTC

What about: http://mydevstudio.cjb.net/
that's the link from NSIS.ARCHIVE?

Sunjammer
19th February 2003 13:27 UTC

I presume that's a mirror or something, it has vvvsoft links on it and looks the same as the vvvsoft site. In fact I think it forwards to vvvsoft.com so it's exactly the same page.

Mosestycoon
19th February 2003 13:43 UTC

I wrote a mail to vvvsoft. Let's sit and wait for response. If they ever will respond.

rainwater
19th February 2003 22:42 UTC

Have you verified that this occurs on other systems as well? I tend not to blame the author before I'm sure its not a problem on my own system.

Mosestycoon
20th February 2003 09:21 UTC

I think if the installer tells me that it killed these files it's not my systems fault, hmm?

By the way, the author hasn't written back right now... (I'm still waiting!)

;-)
Mo

Fork me on GitHub