search

Squiblydoo / debloat

A GUI and CLI tool for removing bloat from executables
BSD 3-Clause "New" or "Revised" License
301 stars 25 forks source link

NSIS Parser DeflateReader: invalid code lengths set #25

Closed gdesmar closed 4 months ago

gdesmar commented 5 months ago

When trying to debloat this file, the NSIS Parser hits a zlib.error: Error -3 while decompressing data: invalid code lengths set in the DeflateReader class.

Squiblydoo commented 4 months ago

File now parses with version 1.5.3.3 Output will look as follows:

Installer unpacked!

The files are being written to C:\Downloads\75f6920dc32d7274b57fb14a2fe5b08ad1527d47e891c9ba7206fa86d7d52967\75f6920dc32d7274b57fb14a2fe5b08ad1527d47e891c9ba7206fa86d7d52967_patched.exe
File: $PLUGINSDIR\SpiderBanner.dll
File: $PLUGINSDIR\StdUtils.dll
File: $PLUGINSDIR\System.dll
File: $PLUGINSDIR\WinShell.dll
File: $PLUGINSDIR\app-64.7z
File: $PLUGINSDIR\nsExec.dll
File: $PLUGINSDIR\nsis7z.dll
File: $R0\Uninstall MiitalaBeta.exe
File: setup.nsis

The user will need to determine which file is malicious if any.
If a file is bloated: resubmit it through the tool to debloat it.
Consider reviewing the 'setup.nsis' from the installer to determine how the files were meant to be used.
Squiblydoo commented 4 months ago

This issue had been determined to be an issue with writing the setup.nsis file. There had been a logic error with parsing the WRITEUNINSTALLER command. The important change was adding

if arg[4] or arg[5] or arg[0] <= 1 or arg[3] <= 1:
                    continue

after the under elif cmd is Op.WRITEUNINSTALLER: instruction.