NSIS反编译器

发布于 2024-09-13 11:11:48 字数 46 浏览 4 评论 0原文

任何熟悉 NSIS 反编译器的人(谷歌不是:-))

谢谢, 乙

Anyone familiar with NSIS decompiler (google wasn't :-) )

Thanks,
E

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

弃爱 2024-09-20 11:11:48

如何访问 NSIS 安装程序脚本?

好吧,这就是这篇文章的大主题。

http://netcologne。 dl.sourceforge.net/project/nsis/NSIS%202/2.09/nsis-2.09-src.tar.bz2

nsis-2.09-src\Source\exehead\fileform.c
nsis-2.09-src\Source\exehead\fileform.h

#define FH_SIG 0xDEADBEEF

// neato surprise signature that goes in firstheader. :)
#define FH_INT1 0x6C6C754E  // 'Null'
#define FH_INT2 0x74666F73  // 'soft'
#define FH_INT3 0x74736E49  // 'Inst'

typedef struct
{
  int flags; // FH_FLAGS_*
  int siginfo;  // FH_SIG

  int nsinst[3]; // FH_INT1,FH_INT2,FH_INT3

  // these point to the header+sections+entries+stringtable in the datablock
  int length_of_header;

  // this specifies the length of all the data (including the firstheader and CRC)
  int length_of_all_following_data;
} firstheader;

数据示例:

$ ==>  00000000  ....
$+4    DEADBEEF  
$+8    6C6C754E  Null
$+C    74666F73  soft
$+10   74736E49  Inst 
$+14   000268E2            157 922  length_of_header (inside <<Compressed Data>>)
$+18   011947CB         18 433 995  length_of_all_following_data
       <<Compressed Data>>

$+011947CB CRC32

获取<<压缩数据>>未压缩

,该数据被写入 %temp%
但是,如果 ShareMode=None 且 Attributes = DELETE_ON_CLOSE,则您无法访问它。

Fix:
    Inside 'NSIS Setup.exe'
Replace 
    68 00 01 00 04 with
    68 00 00 00 00
    To avoid that this tempfile get's create with DELETE_ON_CLOSE

Background:

    00402E56  |.  68 00010004   PUSH    4000100                          ; |Attributes = TEMPORARY|DELETE_ON_CLOSE
                  ^^^^^^^^^^^-Patch Target
    00402E5B  |.  6A 02         PUSH    2                                ; |Mode = CREATE_ALWAYS
    00402E5D  |.  53            PUSH    EBX                              ; |pSecurity
    00402E5E  |.  53            PUSH    EBX                              ; |ShareMode
    00402E65  |.  68 000000C0   PUSH    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
    00402E6A  |.  50            PUSH    EAX                              ; |FileName
    00402E6B  |.  FF15 90704000 CALL    [<&KERNEL32.CreateFileA>]        ; \CreateFileA

好吧,那么大<>未压缩的临时文件的开头如下:

00000000   E2 68 02 00 A0 00 00 00  2C 01 00 00 08 00 00 00  2C   âh      ,       ,

E2 68 02 00 -> 000268E2 157 922 length_of_header (在<>内)

只需剪下这个数据块,我们就可以将NSIS脚本作为未压缩的Raw

其余数据是7z将为您提取的数据文件。

更新:获取 Universal Extractor

cmdTotal 1.02 (c) 2006/2007 KaKeeware, http://www.kakeeware.com

与插件一起使用:InstExpl.wcx

或多或少成功地提取了 Nullsoft Setup.exe。
小心不要太相信提取的文件 - 有些东西已损坏。
(为此更喜欢 7zip。)
然而该程序的主要内容是
脚本.bin
这是我在 3-4 示例中测试的,状态良好。 :)

好的更新
这是我的一个非常早期的版本
NullsoftDecompiler 1.2 alpha

目前仍在大力开发中然而这是它的第一个未完成的原始版本。

更新(大约一年后):
NullsoftDecompiler 3
Notepad++ 中 nsiDecomp 的反编译输出
最后我添加了解压支持。

How to access the NSIS Installer Script?

Okay that's the big topic for that post.

http://netcologne.dl.sourceforge.net/project/nsis/NSIS%202/2.09/nsis-2.09-src.tar.bz2

nsis-2.09-src\Source\exehead\fileform.c
nsis-2.09-src\Source\exehead\fileform.h

#define FH_SIG 0xDEADBEEF

// neato surprise signature that goes in firstheader. :)
#define FH_INT1 0x6C6C754E  // 'Null'
#define FH_INT2 0x74666F73  // 'soft'
#define FH_INT3 0x74736E49  // 'Inst'

typedef struct
{
  int flags; // FH_FLAGS_*
  int siginfo;  // FH_SIG

  int nsinst[3]; // FH_INT1,FH_INT2,FH_INT3

  // these point to the header+sections+entries+stringtable in the datablock
  int length_of_header;

  // this specifies the length of all the data (including the firstheader and CRC)
  int length_of_all_following_data;
} firstheader;

Data Sample:

$ ==>  00000000  ....
$+4    DEADBEEF  
$+8    6C6C754E  Null
$+C    74666F73  soft
$+10   74736E49  Inst 
$+14   000268E2            157 922  length_of_header (inside <<Compressed Data>>)
$+18   011947CB         18 433 995  length_of_all_following_data
       <<Compressed Data>>

$+011947CB CRC32

Getting <<Compressed Data>> Uncompressed

Well this data is written to %temp%
however with ShareMode=None and Attributes = DELETE_ON_CLOSE so you can't access it.

Fix:
    Inside 'NSIS Setup.exe'
Replace 
    68 00 01 00 04 with
    68 00 00 00 00
    To avoid that this tempfile get's create with DELETE_ON_CLOSE

Background:

    00402E56  |.  68 00010004   PUSH    4000100                          ; |Attributes = TEMPORARY|DELETE_ON_CLOSE
                  ^^^^^^^^^^^-Patch Target
    00402E5B  |.  6A 02         PUSH    2                                ; |Mode = CREATE_ALWAYS
    00402E5D  |.  53            PUSH    EBX                              ; |pSecurity
    00402E5E  |.  53            PUSH    EBX                              ; |ShareMode
    00402E65  |.  68 000000C0   PUSH    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
    00402E6A  |.  50            PUSH    EAX                              ; |FileName
    00402E6B  |.  FF15 90704000 CALL    [<&KERNEL32.CreateFileA>]        ; \CreateFileA

Okay that big <> Uncompressed temporary file starts like this:

00000000   E2 68 02 00 A0 00 00 00  2C 01 00 00 08 00 00 00  2C   âh      ,       ,

E2 68 02 00 -> 000268E2 157 922 length_of_header (inside <>)

Just cut out this datablock and well have the NSIS script as uncompressed Raw

The rest of data are data files that 7z will extract for you.

Update: Get Universal Extractor

It uses

cmdTotal 1.02 (c) 2006/2007 KaKeeware, http://www.kakeeware.com

with plugin: InstExpl.wcx

to more or less successfully extract a Nullsoft Setup.exe.
Be careful don't trust much on the extracted files - there are somethings corrupted.
(Prefer 7zip for that.)
However the main thing of that procedure is the
script.bin
That was on the 3-4 example I test in good shape. :)

Okay an update:
Here's an really early version of my
NullsoftDecompiler 1.2 alpha

At the moment it's still heavily under development however here's the first raw unfinished version of it.

UPDATE(About a year later):
NullsoftDecompiler 3
Decompiled output from nsiDecomp in Notepad++
Finally I added decompression support.

韬韬不绝 2024-09-20 11:11:48

再谷歌一下。

NSIS“我可以反编译现有的安装程序吗”

简短的回答:不。

长答案:可能可以使用 7Zip 或其他解压缩器,但不能保证,并且可能需要大量工作来重建原始脚本。

Google it again.

NSIS "Can I decompile an existing installer"

Short answer: no.

Long answer: it might be possible using 7Zip or other decompresser but there are no guarantees and would likely take a lot of work to reconstruct the original script.

夏末染殇 2024-09-20 11:11:48

根据您的问题,我假设您想要将 NSIS 安装程序逆向工程到 Windows Installer 数据库中。有一些称为“Repackagers”的商业程序,它们基本上捕获给定进程或安装程序所做的状态更改,并将其转换为 MSI 项目。请注意,这些程序仅从 NSIS 包中捕获 1 个业务规则实例。有时需要多次运行该过程,分析行为差异并手动将它们编写到您的安装中。

大约六年前,我写了一篇关于此的博客:

http:// /blog.deploymentengineering.com/2004/12/chriss-rant-about-repackaging.html

I assume from your question that you want to reverse engineer a NSIS installer into a Windows Installer database. There are commerical programs called "Repackagers" that basically capture the state changes made by a given process or installer and transform them into an MSI project. Note that these programs only capture 1 instance of the business rules from the NSIS package. Sometimes it is needed to run the process more then once, anaylize the behavior differences and manually author them into your install.

I wrote a blog about this almost six years ago:

http://blog.deploymentengineering.com/2004/12/chriss-rant-about-repackaging.html

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文