0

In NSIS installers, there is a compiled bytecode blob representing the NSIS script located in the overlay of the executable. The overlay start with flags 0xdeadbeef then "NullsoftInst". The next two DWORDs are sizes in bytes. What is the offset of the NSIS script? How can I extract it using Python?

I am aware of 7zip, but it returns the decompiled representation of the NSIS script. I want the compiled bytecode.

Improve this question

1 Answer 1

Reset to default
2

It seems the NSIS decompression process is quite complicate because even the headers can be compressed with deflate or LZMA. I suggest you to study NsisIn.cpp from 7-zip source code, in particular CInArchive::Open and CInArchive::Open2.

/*
NsisExe = 
{
  ExeStub
  Archive  // must start from 512 * N
  #ifndef NSIS_CONFIG_CRC_ANAL
  {
    Some additional data
  }
}


Archive
{
  FirstHeader
  Data
  #ifdef NSIS_CONFIG_CRC_SUPPORT && FirstHeader.ThereIsCrc()
  {
    CRC
  }
}

FirstHeader
{
  UInt32 Flags;
  Byte Signature[16];
  // points to the header+sections+entries+stringtable in the datablock
  UInt32 HeaderLength;
  UInt32 ArchiveSize;
}
*/

HRESULT CInArchive::Open(IInStream *inStream, const UInt64 *maxCheckStartPosition

See also loadHeaders in NSIS's fileform.c

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.