Created
August 10, 2020 10:18
-
-
Save zhangyoufu/b85496abe9d9301e2d422858330a471a to your computer and use it in GitHub Desktop.
extract password-protected InstallBuilder installer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!./tclkit | |
| ## prepare runtime environment | |
| proc init {} { | |
| ## mount optional.pak (for tcltwofish) | |
| set optionalPak installbuilder/paks/optional.pak | |
| vfs::mk4::Mount $optionalPak $optionalPak -readonly | |
| ## adjust library search path | |
| set ::auto_path [list $tcl::kitpath/lib/tcl$::tcl_version $tcl::kitpath/lib $tcl::kitpath/libraries $optionalPak/linux-x64 $tcl::kitpath] | |
| ## load packages | |
| package require maui::util | |
| package require vfs::cookfs | |
| } | |
| proc extract_metakit {src dst} { | |
| ## mount metakit | |
| set db [tclKitMkOpen $src] | |
| vfs::filesystem mount $src [list vfs::mk4::handler $db] | |
| vfs::RegisterMount $src [list vfs::mk4::Unmount $db] | |
| ## ensure destination directory | |
| file mkdir $dst | |
| ## read cookfsinfo.txt | |
| set f [open $src/cookfsinfo.txt] | |
| gets $f cookfsinfo | |
| close $f | |
| ## read manifest.txt | |
| set f [open $src/manifest.txt] | |
| set manifest [read $f] | |
| close $f | |
| ## copy project.xml | |
| file copy -- $src/project.xml $dst | |
| ## copy images/ | |
| file copy -- $src/images $dst | |
| ## unmount metakit | |
| vfs::filesystem unmount $src | |
| return [list $cookfsinfo $manifest] | |
| } | |
| proc extract {src password dst} { | |
| ## clean up destination | |
| file delete -force $dst | |
| ## copy images/ to dst, get manifest, mount cookfs | |
| lassign [extract_metakit $src $dst] cookfsinfo manifest | |
| ## mount cookfs | |
| set cookfsHandle [vfs::cookfs::Mount $src $src -readonly {*}$cookfsinfo] | |
| ## prepare decryption | |
| set payloadinfo [$cookfsHandle getmetadata "installbuilder.payloadinfo"] | |
| maui::util::m4ZQu $password $payloadinfo | |
| ## copy cookfs content to components/ | |
| set dst $dst/components | |
| ## extract directory/file/link | |
| foreach {fileName props} $manifest { | |
| puts "$fileName" | |
| # directory mode mtime 0 {0 0} | |
| # file mode mtime 0 {{0 size} {0 size}} | |
| # link target mtime {0 0} | |
| lassign $props type arg mtime | |
| switch -- $type { | |
| directory { | |
| file mkdir $dst/$fileName | |
| file attributes $dst/$fileName -permissions $arg | |
| } | |
| file { | |
| file mkdir [file dirname $dst/$fileName] | |
| file copy $src/$fileName $dst/$fileName | |
| set numParts [llength [lindex $props 4]] | |
| if {$numParts > 0} { | |
| set fdst [open $dst/$fileName {WRONLY APPEND BINARY}] | |
| for {set i 1} {$i < $numParts} {incr i} { | |
| set fsrc [open $src/${fileName}___bitrockBigFile$i {RDONLY BINARY}] | |
| fcopy $fsrc $fdst | |
| close $fsrc | |
| } | |
| close $fdst | |
| } | |
| file attributes $dst/$fileName -permissions $arg | |
| file mtime $dst/$fileName $mtime | |
| } | |
| link { | |
| file mkdir [file dirname $dst/$fileName] | |
| # file link -symbolic $dst/$fileName $arg | |
| # file mtime $dst/$fileName $mtime | |
| exec ln -s -- $arg $dst/$fileName | |
| exec touch -h -t [clock format $mtime -format %Y%m%d%H%M.%S] $dst/$fileName | |
| } | |
| default { | |
| error "not implemented" | |
| } | |
| } | |
| } | |
| ## restore directory mtime | |
| foreach {fileName props} $manifest { | |
| lassign $props type arg mtime | |
| if {$type == "directory"} { | |
| file mtime $dst/$fileName $mtime | |
| } | |
| } | |
| ## unmount cookfs | |
| vfs::filesystem unmount $src | |
| } | |
| init | |
| extract {*}$argv |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| cp installbuilder/paks/linux-x64-noupx.pak tclkit | |
| sed --in-place --null-data --expression='/^if {\[file isfile \[file join \$::tcl::kitpath main.tcl/{s/^./\x1A/}' tclkit | |
| chmod +x tclkit |
::maui::util::a64bL {password key iv times} { #hash times
set YKL8w [sha2::sha256 -bin $password]
for {set i 0} {$i < $times} {incr i} {
set YKL8w [tcltwofish::encrypt $key $YKL8w iv]
}
return [sha2::sha256 -bin $YKL8w]
}
proc maui::util::m4ZQu {password LZQjH} { #check password
set ::maui::util::H6VeX ""
set ::maui::util::EL0BW [string repeat \0 32]
package require tcltwofish
package require sha256
if {[string length $LZQjH] == 0} {
error "Unable to initialize encryption - missing essential data"
}
if {[binary scan $LZQjH Ia16a32a64a32a* times iv passwordKey encryptedKey payloadIVsHash encryptedPayloadIVs] < 6} {
error "Unable to initialize encryption - header missing or corrupt"
}
set iHcWR [a64bL $password $passwordKey $iv $times]
set BJvoG [string range [tcltwofish::decrypt $iHcWR $encryptedKey] 32 63]
for {set i 0} {$i < $times} {incr i 64} {
set encryptedPayloadIVs [tcltwofish::decrypt $BJvoG $encryptedPayloadIVs]
}
set ZQpQw [string range $encryptedPayloadIVs 32 end]
if {[sha2::sha256 -bin $ZQpQw] != $payloadIVsHash} {
maui::d_RUj "Invalid payload password"
}
set ::maui::util::H6VeX $ZQpQw
set ::maui::util::EL0BW $BJvoG
}
proc ::maui::util::MI_oJ {compressionAlgorithm data} { #decrypt and decompress
if {$compressionAlgorithm == "0"} {
set compressionAlgorithm zip
} elseif {$compressionAlgorithm == "1"} {
set compressionAlgorithm lzma
}
if {[catch {
if {[binary scan $data Ica* checksum iv data] < 3} {
error "Unable to decrypt payload header"
}
set iv [expr {$iv & 0xff}]
set iv [string range $::maui::util::H6VeX [expr {$iv * 16}] [expr {$iv * 16 + 15}]]
set data [tcltwofish::decrypt $::maui::util::EL0BW $data iv]
set hbA8n [format 0x%08x [expr {[zlib crc32 $data] & 0xffffffff}]]
set checksum [format 0x%08x [expr {$checksum & 0xffffffff}]]
if {$hbA8n != $checksum} {
error "Unable to decrypt payload - CRC mismatch"
}
set data [QZqgk [string range $data 32 end]]
if {($compressionAlgorithm == "lzma") || ($compressionAlgorithm == "lzma-ultra")} {
set YKL8w [lzmadec $data]
} elseif {($compressionAlgorithm == "lzham") || ($compressionAlgorithm == "lzham-ultra")} {
set YKL8w [tcllzham::decompress $data]
} else {
set YKL8w [vfs::zip -mode decompress -nowrap 1 $data]
}
} V77Ls]} {
set ykaki $::errorCode
set qXoNi $::errorInfo
maui::util::debug "decryptPayload: error decrypting: $V77Ls"
error $V77Ls $qXoNi $ykaki
}
return $YKL8w
}
thank you @jon1scr, today I placed a logger on TclEvalObjvInternal and found (sha256->encrypt*16000->sha256) is belong of a64bL, too.
209 binary +++++++
209 binary -------
1 a64bL +++++++
1 sha2::sha256 +++++++
::sha2::sha256 buflen: 11, buf:
00000000: 7A 31 32 33 34 35 36 37 38 39 30 | z1234567890
1 ::sha2::_sha256 +++++++
8346 array +++++++
8346 array -------
........
1183 unset +++++++
1183 unset -------
2 SHA256Final -------
2 ::sha2::_sha256 -------
sha256 hash:
00000000: 50 8A 8C 5F EE 98 49 AA 1A 9B 85 9A BA 19 4D 67 | P.._..I.......Mg
00000010: FA 4D A2 D3 58 4E 7F 4C 32 59 A4 B7 59 FC 96 04 | .M..XN.L2Y..Y...
2 sha2::sha256 -------
1 a64bL -------
1 tcltwofish::decrypt +++++++
::tcltwofish::decrypt buflen: 64, buf:
00000000: 05 8A 77 A1 15 85 96 D3 62 33 04 CC F3 2D B4 67 | ..w.....b3...-.g
00000010: C1 0E 28 6A 2C A9 EF 30 B4 BC 67 86 B2 F9 D1 2D | ..(j,..0..g....-
00000020: F6 29 C3 9F 4E EB 33 AE 7C 28 96 B6 F0 C2 4F 58 | .)..N.3.|(....OX
00000030: 02 B9 4A D7 21 30 E2 37 62 C3 60 45 65 42 46 AF | ..J.!0.7b.`EeBF.
1 tcltwofish::decrypt -------
I'll try verify your decompiled code on known password installers.
PS: how do you decompile the bytecode from maui-utils, is there any tools sugguested?
Author
Tbc is not good at protecting string literals. They can be decoded directly.
I think use installbuilder to build a empty installer with payload encrypt option enabled, then the built installer's metakit will have tcltwofish now.
Author
@banxian You can always extract pre-built tcltwofish for win/linux/mac from optional.pak under InstallBuilder installation directory.
Infact I compared metakit content between built installer and windows-noupx.pak, the installer contains all package plus tcltwofish and 8 extra project files than windows-noupx.pak.
I mean it's a better start point which does not require additional optional.pak dependency, so it's easy to use tcltksh to pack the script and runtime to a single executable.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks, this command is the exact function I am looking for. it's contains in obfuscated bytecode of maui-util.tcl.
hope it only have sha2 and twofish dependency.
I'll try to finger-out the algorithm for m4ZQu, then port them to cuda version