NSIS decompiler

Question

Anyone familiar with NSIS decompiler (google wasn't :-) )

Thanks, E

Recommended answer

How to access the NSIS Installer Script?

Okay that's the big topic for that post.

http://netcologne.dl.sourceforge.net/project/nsis/NSIS%202/2.09/nsis-2.09-src.tar.bz2

nsis-2.09-src\Source\exehead\fileform.c
nsis-2.09-src\Source\exehead\fileform.h

#define FH_SIG 0xDEADBEEF

// neato surprise signature that goes in firstheader. :)
#define FH_INT1 0x6C6C754E  // 'Null'
#define FH_INT2 0x74666F73  // 'soft'
#define FH_INT3 0x74736E49  // 'Inst'

typedef struct
{
  int flags; // FH_FLAGS_*
  int siginfo;  // FH_SIG

  int nsinst[3]; // FH_INT1,FH_INT2,FH_INT3

  // these point to the header+sections+entries+stringtable in the datablock
  int length_of_header;

  // this specifies the length of all the data (including the firstheader and CRC)
  int length_of_all_following_data;
} firstheader;

Sample of data:

$ ==>  00000000  ....
$+4    DEADBEEF  
$+8    6C6C754E  Null
$+C    74666F73  soft
$+10   74736E49  Inst 
$+14   000268E2            157 922  length_of_header (inside <<Compressed Data>>)
$+18   011947CB         18 433 995  length_of_all_following_data
       <<Compressed Data>>

$+011947CB CRC32

Getting <<Compressed Data>> Uncompressed

Well this data is written to %temp% however with ShareMode=None and Attributes = DELETE_ON_CLOSE so you can't access it.

Fix:
    Inside 'NSIS Setup.exe'
Replace 
    68 00 01 00 04 with
    68 00 00 00 00
    To avoid that this tempfile gets created with DELETE_ON_CLOSE

Background:

    00402E56  |.  68 00010004   PUSH    4000100                          ; |Attributes = TEMPORARY|DELETE_ON_CLOSE
                  ^^^^^^^^^^^-Patch Target
    00402E5B  |.  6A 02         PUSH    2                                ; |Mode = CREATE_ALWAYS
    00402E5D  |.  53            PUSH    EBX                              ; |pSecurity
    00402E5E  |.  53            PUSH    EBX                              ; |ShareMode
    00402E65  |.  68 000000C0   PUSH    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
    00402E6A  |.  50            PUSH    EAX                              ; |FileName
    00402E6B  |.  FF15 90704000 CALL    [<&KERNEL32.CreateFileA>]        ; \CreateFileA

Okay that big <<Compressed Data>> Uncompressed temporary file starts like this:

00000000   E2 68 02 00 A0 00 00 00  2C 01 00 00 08 00 00 00  2C   âh      ,       ,

E2 68 02 00 -> 000268E2 157 922 length_of_header (inside <<Compressed Data>>)

Just cut out this datablock and we'll have the NSIS script as uncompressed raw data.

The rest of data are data files that 7z will extract for you.

Update: get a universal extractor

Use

cmdTotal 1.02 (c) 2006/2007 KaKeeware, http://www.kakeeware.com

with the plugin: InstExpl.wcx

to more or less successfully extract a Nullsoft Setup.exe. Be careful, don't trust the extracted files too much - some things are corrupted. (Prefer 7zip for that.) However, the main thing in that procedure is the script.bin. That was in good shape in the 3-4 examples I tested. :)

Okay, an update: here's a really early version of my NullsoftDecompiler 1.2 alpha

At the moment it's still heavily under development however here's the first raw unfinished version of it.

UPDATE (about a year later): NullsoftDecompiler 3. Finally I added decompression support.
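
Added example, not part of the original answer and not NullsoftDecompiler code: a Python parser that locates the `firstheader` described above in a suspected NSIS installer, flags samples shorter than the header announces, and cuts the header block out of the uncompressed temp file. The names `find_firstheader`, `cut_header_block` and `SAMPLE` are hypothetical, the sample bytes are constructed, and it is an assumption that the header block sits directly after the 4-byte length prefix shown in the hex dump.

```python
import struct

# `firstheader` from fileform.h: flags, siginfo, nsinst[3], then two lengths.
FIRSTHEADER = struct.Struct("<iI3Iii")  # seven little-endian 32-bit fields
MAGIC = struct.pack("<4I", 0xDEADBEEF, 0x6C6C754E, 0x74666F73, 0x74736E49)

# Constructed sample: a 512-byte stub, the header values from the data sample
# above, then 64 filler bytes (far fewer than the header announces).
SAMPLE = (b"MZ".ljust(512, b"\0")
          + FIRSTHEADER.pack(0, 0xDEADBEEF, 0x6C6C754E, 0x74666F73,
                             0x74736E49, 0x000268E2, 0x011947CB)
          + b"\0" * 64)


def find_firstheader(data: bytes):
    """Return the decoded fields of the first plausible firstheader, or None."""
    pos = data.find(MAGIC)
    while pos != -1:
        start = pos - 4  # `flags` sits four bytes before siginfo
        if start >= 0 and start + FIRSTHEADER.size <= len(data):
            fields = FIRSTHEADER.unpack_from(data, start)
            flags, hdr_len, all_len = fields[0], fields[5], fields[6]
            # Reject chance matches: both lengths must be positive, and the
            # total has to cover at least the firstheader itself.
            if hdr_len > 0 and all_len >= FIRSTHEADER.size:
                return {
                    "offset": start,
                    "flags": flags,
                    "length_of_header": hdr_len,
                    "length_of_all_following_data": all_len,
                    # True for partial downloads or carved files.
                    "truncated": all_len > len(data) - start,
                }
        pos = data.find(MAGIC, pos + 1)
    return None


def cut_header_block(temp: bytes, hdr_len: int) -> bytes:
    """Slice the header block out of the uncompressed temp file.

    Assumption: the block is the hdr_len bytes after the 4-byte length prefix.
    """
    if len(temp) < 4 + hdr_len:
        raise ValueError("temp file is shorter than length_of_header")
    (prefix,) = struct.unpack_from("<i", temp, 0)
    if prefix != hdr_len:
        raise ValueError("length prefix does not match length_of_header")
    return temp[4:4 + hdr_len]
```

A `truncated` result of `True` means the file on disk ends before `length_of_all_following_data` is reached, so any extraction from it will be incomplete.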