2. NSIS Discussion
  3. How to prevent files extraction from an Installer created with NSIS?

Archive: How to prevent files extraction from an Installer created with NSIS?


within
30th September 2011 15:43 UTC

How to prevent files extraction from an Installer created with NSIS?
Hi there,

I am pretty happy with NSIS, but i'd wish to avoid to extract the files directly from the Installer EXE. I've serched the Forums and the web without success.

Is it possible to prevent files extraction? if YES, then how?
If NO, then how can I simply encrypt my files inside the Installer EXE using some script lines within the *.nsi file, and WITOUT using a thrid-party software to run properly the Installer?

Thanks in advance,
within

Afrow UK
30th September 2011 16:27 UTC

It is possible, but you have to rebuild NSIS. All NSIS instructions have an opcode and all you need to do is change the opcode of the File instruction so that e.g. 7-zip does not find any.

Stu

T.Slappy
2nd October 2011 06:07 UTC

Do not put files into setup.exe but at first put them into archive with password, then extract that archive $PLUGINDIR or $TEMP and unpack files into final destination.
It may be slow to unpack huge archives but no special software/script is needed.

MSG
2nd October 2011 07:41 UTC

Originally posted by T.Slappy
Do not put files into setup.exe but at first put them into archive with password, then extract that archive $PLUGINDIR or $TEMP and unpack files into final destination.
This does NOT work. The password is stored in plaintext in the nsi script, and the nsi script can be extracted. Anything that is long enough to be a strong password will also be easy to find by someone looking through the code.

I suppose you could try to put a lot of variable manipulations here and there, and pass those variables as the password parameter, but even then it's still relatively easy to replace the plugin / unrar.exe / 7za.exe by something that simply MessageBox's the parameters it was given. Voila instant password.

Anders
2nd October 2011 20:40 UTC

...or just check the 7zip command line in process explorer...

Afrow UK
2nd October 2011 20:46 UTC

You don't even need process explorer any more. You can see it in task manager on Windows 7 if you add the column.

Stu

within
3rd October 2011 08:57 UTC

Thanks to all of you for your comments and possible solutions.

Password solution might be easy to do, but quite "useless" if I read your comments...
Rebuild NSIS? not sure if it's a good idea...

I've gathered some information from wiki, and the NSIS resources pages and it seems I can use the password way with encryption. Seems a plug-in is necessary for compress/decompress. The thing is: I'd like to avoid special requirements for the installer to be run properly. I mean, I just wish the installer can run without any third parties to be installed first. I admit the encryption docs I've read aren't clear for me...

Afrow UK
3rd October 2011 10:43 UTC

What's wrong with rebuilding NSIS?

Stu

DrO
3rd October 2011 10:46 UTC

wouldn't making the installer use bzip compression block 7zip accessing the installer without the need to rebuild NSIS itself? (i know that used to be the way to do what seems to be asked).

-daz

Afrow UK
3rd October 2011 10:49 UTC

Ah yes I forgot about that. It does work indeed. The only downside is the poorer compression.

Stu

Yathosho
3rd October 2011 12:43 UTC

Originally posted by DrO
wouldn't making the installer use bzip compression block 7zip accessing the installer without the need to rebuild NSIS itself? (i know that used to be the way to do what seems to be asked).

-daz
iirc the latest 7-zip builds also extracts bzip compressed installers

edit: it does, see screenshot

within
3rd October 2011 12:51 UTC

Originally posted by Afrow UK
What's wrong with rebuilding NSIS?

Stu
I am not aware of doing it. Furthermore, I am not sure what do do then...

DrO
3rd October 2011 12:53 UTC

Yathosho: *shrugs* wasn't aware of that having changed and from a quick try that seems to be true.

-daz

Yathosho
3rd October 2011 13:02 UTC

btw, here's the original post in which the extraction of files has been discussed

Originally posted by DrO
Yathosho: *shrugs* wasn't aware of that having changed and from a quick try that seems to be true.
happened with 9.x, presumably 9.16 ("NSIS support was improved")

within
3rd October 2011 13:19 UTC

found this post, but can't figure out a solution... dumb me

Yathosho
3rd October 2011 13:46 UTC

it seems to me there's no secure way of protecting your files, but rebuilding NSIS comes closest. i think there are some valid points why it's ultimately pointless, but maybe you can describe your situation a bit better. what exactly are you trying to protect - and why?

T.Slappy
4th October 2011 06:04 UTC

Originally posted by Afrow UK
What's wrong with rebuilding NSIS?

Stu
Regular people do not like compiling and building software before they want to use it :)
This is Linux speciality.
Also 99% NSIS users has no time/resources/knowledge to rebuild NSIS from sources!

within
4th October 2011 09:45 UTC

Originally posted by Yathosho
it seems to me there's no secure way of protecting your files, but rebuilding NSIS comes closest. i think there are some valid points why it's ultimately pointless, but maybe you can describe your situation a bit better. what exactly are you trying to protect - and why?
There are 2 reasons to limit file extracttion:
- first, we do provide a kind of license, that just says "you are aware of what you do... bla bla bla... and only you can use this software... bla bla bla". This softare is not ment to be widely spread, but only given to dedicated people according to a contract they have to sign. Thus, the license is here to remind them. If extraction is possible, it means the software can be available to everyone, even if they didn't sign the contract before and without agreement.
- we also provide the software and some sources. we don't wish this sources to be available without the above agreement and the ability to be given to third parties.


I believe compressing and encrypt the file and then package it into the installer is maybe the best solution. I just need to find out how!

Yathosho
4th October 2011 13:28 UTC

you will have to encrypt your file with a 3rd party app. nsis can deal with several encryption algorithms, but i haven't found a way to decrypt a file without relying on a 3rd party tool (which, as mentioned, can easily be intercepted). so the passing of the password is the real weak spot.

if the files don't exceed the strlen, i guess you could read the file into the buffer and let one of the plugins decrypt it there.

http://nsis.sourceforge.net/NsisCrypt_plug-in
http://nsis.sourceforge.net/Blowfish_plug-in

i'm not an expert on encryption/decryption, there might still be a weak spot. i'm sure there are commercial solutions to deal with that.

Yathosho
4th October 2011 13:32 UTC

i'm wondering... suppose the 7-zip plugin for nsis would support commandline instructions (such as passing a password), could that password be intercepted as it can be done when using 7za.exe? can this password be extracted when using that old 7-zip 4.40 beta which could extract (portions of) the .nsi file?

within
4th October 2011 14:13 UTC

Interesting comments Yathosho. I may have to rethink some things...

MSG
4th October 2011 14:46 UTC

Originally posted by Yathosho
i'm wondering... suppose the 7-zip plugin for nsis would support commandline instructions (such as passing a password), could that password be intercepted as it can be done when using 7za.exe? can this password be extracted when using that old 7-zip 4.40 beta which could extract (portions of) the .nsi file?
Any string is visible, as far as I know. But like I said before, you can simply replace the plugin dll, and still get the password that way.

within
6th October 2011 07:41 UTC

Thanks to all of you for comments and remarks. Interesting subject, but we'd deceided to drop down this idea. We'd rather seperate the Installer into 2: one for application itself, and one for sources (SDK) on the other side.

Brizz
3rd January 2012 02:11 UTC

I have searched all over--and asked on other forums.

...This thread is what shows up in Google--and I imagine there are others that also want this..

I'm willing to edit source--and compile. ...not complete newb--but def can't sit down and code stuff from scratch.

I want to prevent NSIS executables from being able to be extracted (at least prevent it from being done simply...).

If someone knows--can you please point me to where I would find this in the source..and what exactly I would need to modify. ...would be VERY much appreciated..

Afrow UK
4th January 2012 17:30 UTC

You need to modify exehead\fileform.h. Insert a dummy enum value name just before EW_EXTRACTFILE (this ensures File gets a new opcode). E.g.

EW_WHYDIDNTITHINKOFTHISDOH,
EW_EXTRACTFILE,
Stu

isawen
18th June 2012 19:15 UTC

Why NSIS is not released with opcode changed?

Originally posted by Afrow UK
You need to modify exehead\fileform.h. Insert a dummy enum value name just before EW_EXTRACTFILE (this ensures File gets a new opcode). E.g. 
EW_WHYDIDNTITHINKOFTHISDOH,
EW_EXTRACTFILE,
Stu
Hi Afrow,

If this idea is good, why NSIS is not released with the opcode changed?
Compiling it is just to an easy task for me.

Afrow UK
18th June 2012 21:08 UTC

Because then 7-zip could be modified to decompile installers using the new opcode which would defeat the purpose.

Stu

isawen
19th June 2012 00:19 UTC

Compiling NSIS

Originally posted by Afrow UK
Because then 7-zip could be modified to decompile installers using the new opcode which would defeat the purpose.

Stu
Hard stuff compiling the NSIS even with the metioned prerequisites. I give up trying to compile it.:cry:

Fork me on GitHub