Squiblydoo / debloat

A GUI and CLI tool for removing bloat from executables
BSD 3-Clause "New" or "Revised" License

NSIS NSArchive header unpacking fails with "Invalid data stream" #26

Closed gdesmar closed 4 months ago

gdesmar commented 5 months ago

When trying to debloat this file, the NSIS Parser calls the NSArchive class and hits an OSError: Invalid data stream error trying to read the header entries.

Squiblydoo commented 4 months ago

File now extracts in version 1.5.3.3. Output displays as the following.

Installer unpacked!

The files are being written to C:\Downloads\334af40ee6d2b1ce196a201fc4a326e2a9d03b8e88cdbaecedceed180068bbb7\334af40ee6d2b1ce196a201fc4a326e2a9d03b8e88cdbaecedceed180068bbb7_patched.exe
File: $INSTDIR\AutoFill.dll
File: $INSTDIR\DesEncrypt.dll
File: $INSTDIR\Dzfp_Auto.dll
File: $INSTDIR\Dzfp_Phone.dll
File: $INSTDIR\GxptDZFP.dll
File: $INSTDIR\JSDiskDLL.dll
File: $INSTDIR\KpInfo.dll
File: $INSTDIR\Lib\AddedRealTax.dll
File: $INSTDIR\Lib\DiskInfon.dll
File: $INSTDIR\Lib\MakeHashCode.dll
File: $INSTDIR\Lib\ReadAreaCode.dll
File: $INSTDIR\Microsoft.VC90.ATL.manifest
File: $INSTDIR\Microsoft.VC90.CRT.manifest
File: $INSTDIR\Microsoft.VC90.MFC.manifest
File: $INSTDIR\MysqlPollingSvc.dll
File: $INSTDIR\NuoNuoCryp.dll
File: $INSTDIR\ReadAreaCode.dll
File: $INSTDIR\ReadJspDll.dll
File: $INSTDIR\ResDll.dll
File: $INSTDIR\Sqlite3X.dll
File: $INSTDIR\TaxCancelCom.dll
File: $INSTDIR\TaxCancelCom.tlb
File: $INSTDIR\TaxCancelCom32.reg
File: $INSTDIR\TaxCancelCom64.reg
File: $INSTDIR\agreement.dll
File: $INSTDIR\ca\NNuoCA.cer
File: $INSTDIR\ca\server.key
File: $INSTDIR\ca\server.pem
File: $INSTDIR\dzfp_nnpush.exe
File: $INSTDIR\e_invoice_dll.dll
File: $INSTDIR\e_invoice_net.dll
File: $INSTDIR\electro_invoice.exe
File: $INSTDIR\electro_invoice.ico
File: $INSTDIR\elin_crash_report.exe
File: $INSTDIR\elin_ui.dll
File: $INSTDIR\fp_synchronous.exe
File: $INSTDIR\invoice_nnservice.exe
File: $INSTDIR\jxgx\Cryp_Ctl.ocx
File: $INSTDIR\jxgx\DevCa.exe
File: $INSTDIR\jxgx\Gxpt.dll
File: $INSTDIR\jxgx\GxptLogic.exe
File: $INSTDIR\jxgx\Microsoft.VC90.CRT.manifest
File: $INSTDIR\jxgx\cryp_api.dll
File: $INSTDIR\jxgx\debug.ini
File: $INSTDIR\jxgx\decodecert.dll
File: $INSTDIR\jxgx\msvcm90.dll
File: $INSTDIR\jxgx\msvcp100.dll
File: $INSTDIR\jxgx\msvcp90.dll
File: $INSTDIR\jxgx\msvcr100.dll
File: $INSTDIR\jxgx\python34.dll
File: $INSTDIR\kpsoft.dll
File: $INSTDIR\kpsoft_service.exe
File: $INSTDIR\liblog.dll
File: $INSTDIR\libmysql.dll
File: $INSTDIR\local.kp
File: $INSTDIR\log.ini
File: $INSTDIR\mc_talk.dll
File: $INSTDIR\mfc90u.dll
File: $INSTDIR\mfcm90u.dll
File: $INSTDIR\msvcm90.dll
File: $INSTDIR\msvcp90.dll
File: $INSTDIR\msvcr90.dll
File: $INSTDIR\nn_csharpcore.dll
File: $INSTDIR\nn_errorhandler.exe
File: $INSTDIR\nn_fpbrowser\DuiLib.dll
File: $INSTDIR\nn_fpbrowser\NNBrower.exe
File: $INSTDIR\nn_fpbrowser\NNBrower.ini
File: $INSTDIR\nn_fpbrowser\cef.ini
File: $INSTDIR\nn_fpbrowser\cef.pak
File: $INSTDIR\nn_fpbrowser\cef_extensions.pak
File: $INSTDIR\nn_fpbrowser\icudtl.dat
File: $INSTDIR\nn_fpbrowser\libcef.dll
File: $INSTDIR\nn_fpbrowser\locales\en-US.pak
File: $INSTDIR\nn_fpbrowser\locales\zh-CN.pak
File: $INSTDIR\nn_fpbrowser\msvcp120.dll
File: $INSTDIR\nn_fpbrowser\msvcr120.dll
File: $INSTDIR\nn_fpbrowser\natives_blob.bin
File: $INSTDIR\nn_fpbrowser\uicef.dll
File: $INSTDIR\soft_sqlite.dll
File: $INSTDIR\soft_sqlite.slcg
File: $INSTDIR\sqlite3.dll
File: $INSTDIR\stop.exe
File: $INSTDIR\tools\sync_tool\ConsoleCard.exe
File: $INSTDIR\tools\sync_tool\DuiLib.dll
File: $INSTDIR\tools\sync_tool\GoodsUsersSYN.exe
File: $INSTDIR\tools\sync_tool\Microsoft.VC90.ATL.manifest
File: $INSTDIR\tools\sync_tool\Microsoft.VC90.CRT.manifest
File: $INSTDIR\tools\sync_tool\Microsoft.VC90.MFC.manifest
File: $INSTDIR\tools\sync_tool\Nisec.ini
File: $INSTDIR\tools\sync_tool\Nisec\KeyHelper.dll
File: $INSTDIR\tools\sync_tool\NkpHelper.dll
File: $INSTDIR\tools\sync_tool\NuoNuoCryp.dll
File: $INSTDIR\tools\sync_tool\ReadData.dll
File: $INSTDIR\tools\sync_tool\ReadInterface.dll
File: $INSTDIR\tools\sync_tool\Skp\AQJR.ini
File: $INSTDIR\tools\sync_tool\Skp\AuthBwZjjkDll.dll
File: $INSTDIR\tools\sync_tool\Skp\AuthBwZjjkDll_old.dll
File: $INSTDIR\tools\sync_tool\Skp\Crypt_key.dll
File: $INSTDIR\tools\sync_tool\Skp\Crypt_skp.dll
File: $INSTDIR\tools\sync_tool\Skp\TaxDiskc.dll
File: $INSTDIR\tools\sync_tool\Skp\TaxSkpc.dll
File: $INSTDIR\tools\sync_tool\Sqlite3X.dll
File: $INSTDIR\tools\sync_tool\Sqlite3X.slcg
File: $INSTDIR\tools\sync_tool\TaxCardBW.dll
File: $INSTDIR\tools\sync_tool\TaxCardIdentify.dll
File: $INSTDIR\tools\sync_tool\Ukey\AQJR.ini
File: $INSTDIR\tools\sync_tool\Ukey\DTplkcs.dll
File: $INSTDIR\tools\sync_tool\Ukey\KeyHelper.dll
File: $INSTDIR\tools\sync_tool\Ukey\NISEC_UKEYC.dll
File: $INSTDIR\tools\sync_tool\Ukey\Net_Util.dll
File: $INSTDIR\tools\sync_tool\Ukey\SWUKey_SKF.dll
File: $INSTDIR\tools\sync_tool\Ukey\SWUKey_SafeHelper.dll
File: $INSTDIR\tools\sync_tool\Ukey\Sm2Clt.dll
File: $INSTDIR\tools\sync_tool\Ukey\TaxCardUkeyc.dll
File: $INSTDIR\tools\sync_tool\Ukey\TaxUKeyBase.dll
File: $INSTDIR\tools\sync_tool\Ukey\TaxUkeyc.dll
File: $INSTDIR\tools\sync_tool\Ukey\Utility.dll
File: $INSTDIR\tools\sync_tool\Ukey\decodecert.dll
File: $INSTDIR\tools\sync_tool\Ukey\libeay32.dll
File: $INSTDIR\tools\sync_tool\Ukey\sangfor.dll
File: $INSTDIR\tools\sync_tool\Ukey\x64\DTplkcs.dll
File: $INSTDIR\tools\sync_tool\Ukey\x64\SWUKey_SKF.dll
File: $INSTDIR\tools\sync_tool\Ukey\x86\DTplkcs.dll
File: $INSTDIR\tools\sync_tool\Ukey\x86\SWUKey_SKF.dll
File: $INSTDIR\tools\sync_tool\XwUkeyInterface.dll
File: $INSTDIR\tools\sync_tool\ca\NNuoCA.cer
File: $INSTDIR\tools\sync_tool\ca\server.key
File: $INSTDIR\tools\sync_tool\ca\server.pem
File: $INSTDIR\tools\sync_tool\libeay32.dll
File: $INSTDIR\tools\sync_tool\liblog.dll.manifest
File: $INSTDIR\tools\sync_tool\libxl.dll
File: $INSTDIR\tools\sync_tool\log.ini
File: $INSTDIR\tools\sync_tool\mfc90u.dll
File: $INSTDIR\tools\sync_tool\skin
File: $INSTDIR\tools\sync_tool\soft_sqlite.dll
File: $INSTDIR\tools\sync_tool\soft_sqlite.slcg
File: $INSTDIR\tools\sync_tool\sqlite3.dll
File: $INSTDIR\tools\sync_tool\sqlite3_tools.dll
File: $INSTDIR\tools\sync_tool\ssleay32.dll
File: $INSTDIR\tools\sync_tool\syntools
File: $INSTDIR\tools\sync_tool\ukey_utility.dll
File: $INSTDIR\tools\sync_tool\utility.dll
File: $INSTDIR\uninst.exe
File: $INSTDIR\update_bak.exe
File: $INSTDIR\utility.dll
File: $INSTDIR\ver.config
File: $INSTDIR\wininject.dll
File: $INSTDIR\ŵŵ·¢Æ±.exe
File: $PLUGINSDIR\CustomLicense.dll
File: $PLUGINSDIR\Licence.rtf
File: $PLUGINSDIR\System.dll
File: $PLUGINSDIR\WizModernImage-Is.bmp
File: $PLUGINSDIR\modern-wizard.bmp
File: $PLUGINSDIR\nsDialogs.dll
File: setup.nsis

The user will need to determine which file is malicious if any.
If a file is bloated: resubmit it through the tool to debloat it.
Consider reviewing the 'setup.nsis' from the installer to determine how the files were meant to be used.

Squiblydoo commented 4 months ago

The issue was determined to be some logic errors with the general parser. Initially, it threw an error stating that something had not been implemented yet, but we found that it should not be triggering that error. Huettenhain (https://github.com/huettenhain) re-wrote parts of the parser for the Binary-Refinery and then I re-implemented the changes into Debloat.