2. NSIS Discussion
  3. [ask] Password

Archive: [ask] Password


JHN
13th September 2006 14:14 UTC

[ask] Password
Hello,

I want to make installer so when everytime people wants to install it, its asking password. And if posibble every time the password was diffrent, or changed random. is it posibble?

thanks

Jay

The Glimmerman
13th September 2006 18:03 UTC

I think it's possible.
But no one will and can use your installer i think.

CrushBug
13th September 2006 18:30 UTC

Maybe the installer is a game? :)

Animaether
14th September 2006 18:24 UTC

it's certainly possible, but you'll have to be more precise as to what your goals are, really. If it's some manner of copy protection, then I'd not even bother with it.. once somebody has the product actually installed, who needs the installer? they can always re-distribute the actual files.

JHN
15th September 2006 13:46 UTC

my goal is i want to create installer for my program that only selected people that can install it, thats why i want to use password to protect it, so everyone can download it. but they need to email me asking for the password before they can install it, and the password has to changed everytime someone install it. I hope someone can give me a clue how to made it posibble with NSIS. thanks a lot.

Backland
15th September 2006 14:21 UTC

well, if you want it to work that way, you cant hardcode the password into the installer...

as Animaether said, once you give the password to a person, they dont need your installer anymore to distribute its files

JHN
15th September 2006 14:39 UTC

maybe i didn't make it clear, i want the password changed periodic or every time someone install it. I think not everyone can extract and gather all the files in installer, especially there's registry entry. So i am hoping someone can help me and give me a clue how i can build an installer with password, and the password change periodic or every time some one install it.

Backland
15th September 2006 14:47 UTC

So... everytime someone uses your installer, you want the the copy of the installer on your website to change its password somehow... ?

Comm@nder21
15th September 2006 16:11 UTC

i'd solve this problem with some kind of user-registration.

nsis could then download a file from the web to activate itself.

Animaether
15th September 2006 16:43 UTC

well if you must...
what you'll want to do is something silly like getting the current time


System::Call '*(&i2, &i2, &i2, &i2, &i2, &i2, &i2, &i2, &i2) i .r0'
System::Call 'kernel32::GetLocalTime(i) i(r0)'
System::Call '*$0(&i2, &i2, &i2, &i2, &i2, &i2, &i2, &i2, &i2)i (.r1, .r1, .r1, .r1, .r2, .r3, .r4, .r5'

$1 = date as a SystemTime object. I'd just ignore this one*
$2 = hour
$3 = minute
$4 = second
$5 = milliseconds

those are all ints. Now do something to those ints. For example:

IntOp $1 $2 + $3
IntOp $1 $1 * $4
IntOp $1 $1 - $5

$1 now contains the expected key code.

Now pop up a custom page with two labels and an input field. The first label should just tell the user to e-mail you at whatever@whatever.whatever with the text on the next tline. Set the text of the second label (the next line) to "$2 $3 $4 $5".

The user e-mails you those numbers. You know that the expected key code should just be: (($2 + $3) * $4) - $5 .
You send that key code back to them, and they enter it in the field.

Then when the user clicks Next (or you can put it on a NOTIFY event) you check that field's value and compare it to $1. If it matches, continue, if it doesn't - tell the user that they entered the wrong number.

Now, there's some obvious caveats...
1. the user will have to keep the installer open, on that page, while waiting for the key. So if you take a while to e-mail back, and they close their installer, the next time they start it - it'll ask for a different number. (just what you wanted, right?). So instead of e-mail, consider setting up a PHP/ASP/whatever page that the user can enter the 4 numbers into that returns the code. You can then easily combine this with things like secure accounts/etc. (comm@nder21's suggestion would work as well, but takes more code to handle internet access stuff). Don't use javascript - if you do, they'll just read the source and get the code themselves.

2. the key code generation I showed you is stupid-simple. It will deter 95% of the people who really want to bypass your installer, the other 5% will quickly figure out the math behind it. So you'll want to do something more fancy - look up on crypto stuff.

3. the numbers matching today's date is probably something obvious, yoo - consider scrambling the numbers. Again, see crypto.

4. as I said before - after they have installed it, they can easily redistribute the files as is. Yes, easily. I won't be a sillyhead and point to the fully legit resources available to users everywhere to find out what files are being accessed and how, what registry keys are being set, changed, etc. and how and tons more things. Suffice it to say, that anybody determined enough will find this manner of protection laughable.

I hope this at least gives you some tips, though.


* if you don't want to ignore the date (to add a few digits):

System::Call "Kernel32::GetDateFormatA(i 0, i 0, i r0, t 'y/M/d', t .r1, i ${NSIS_MAX_STRLEN})"

makes $1 a string of "y/M/d" (year/month/date) format, which you can then easily separate into the three by using StrCpy and StrCmp stuff.


alternative to getting the time (Even though that nearly guarantees a different (not random) key code every time), you can use Random:
http://nsis.sourceforge.net/Random
You'll still have to seed Random with something though.

Fork me on GitHub