Palemoon web installer

General discussion and chat (archived)
access2godzilla

Palemoon web installer

Unread post by access2godzilla » 2013-09-23, 12:17

I have some questions regarding the web installer.

1. The web installer has a pretty inefficient design. Firstly, it stores all its files (unpacked/downloaded) into the present working directory. Secondly, for determining the capabilities of the CPU, it unpacks a file called "cpucheck.exe" in the present working directory, which gets executed; which in turn creates a "cpucheck.txt" file, which is read by the installer.

Shouldn't unpacked/downloaded files be kept in %temp%? And as for determining 32/64 bit, isn't it better to simply do it programatically?

2. Why is it so heavily packed? (I'm sure that you have some good intents behind this, but I just wanted to ask.)

Code: Select all

C:\>trid palemoon-websetup.exe

TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  5114
Analyzing...

Collecting data from file: palemoon-websetup.exe
 41.1% (.EXE) UPX compressed Win32 Executable (30569/9/7)
 35.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  8.8% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)
  6.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  2.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Let's unpack!

Code: Select all

C:\>upx -d palemoon-websetup.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2116135 <-    789543   37.31%    win32/pe     palemoon-websetup.exe

Unpacked 1 file.
... but, unfortunately, on running:

Code: Select all

Unable to access resource data.
Disk read error! File may be damaged.
Also, by a cursory inspection (with 7zip), it seems that it is not a normal UPX-packed binary. All binaries packed with UPX have two segments: UPX0 and UPX1. However, this is not seen in the installer with 7zip: the extraction fails right away.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Palemoon web installer

Unread post by Moonchild » 2013-09-23, 12:41

ad 1.: I'm aware it's a little clunky. Previously, it was done programmatically BUT because WMI has so many issues with non-standard CPUs (especially on Win XP) I was forced to use a different method. If I was able to make WinAPI calls directly from the installer, I wouldn't need to do this -- but none of the available scripting languages for the web setup allow WinAPI calls. Short of spending a disproportionate amount of time on writing a custom plugin for the RAB the web installer was written in, just to check the CPU capabilities from the installer internally, there was no other option, so the current setup was chosen.

Because the downloaded browser installer, when saved, needs to be in a logical location anyway, and it needs to be run from a writeable location as a result, using the application's folder is a logical choice for the temporary files. I'd rather do that than dump everything in %TEMP% and then having to copy 20MB back to a different location...
It works, it works fast, and it hasn't failed so far (unlike the WMI setup previously which was slower in execution and faulty in results) - is there any particular reason why using the program's location for temporary&downloaded files is a problem?

ad 2.: Yes, it's packed -- it's a web installer, it should be as small a download as possible. No, external/manual unpacking is likely not going to work, because it uses overlays. Yes, the scripting inside it is protected to prevent casual script kiddies from making unwanted edits or stealing my code ;). It's freeware, not open source. Please don't try to reverse-engineer it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

access2godzilla

Re: Palemoon web installer

Unread post by access2godzilla » 2013-09-24, 03:52

Why don't you make it open source? After all, PM is open source software, and it makes sense that the web installer is open source, too. And there's nothing of much value in a web installer, after all.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Palemoon web installer

Unread post by Moonchild » 2013-09-24, 12:19

access2godzilla wrote:Why don't you make it open source?
Because I don't want to. :)
In addition, part of the runtime code is closed-source, as well as part of the graphics being my IP - I don't want to deal with writing an elaborate legal document to cover all the potential use and abuse of different components.
access2godzilla wrote:it makes sense that the web installer is open source, too
Why, pray tell, would it make sense? It's an independent tool. It's not even required to use to make use of the browser.
access2godzilla wrote:there's nothing of much value in a web installer, after all.
If there's nothing much of value in it, there's also no reason to make it open source... and there should not even be a reason to ask, unless you'd like to make verbatim copies ;)

(as an aside, I doubt the RAB code would be of much use)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Palemoon web installer

Unread post by Moonchild » 2013-10-01, 10:06

The web installer has been updated to use the windows temp folder for everything, as it does make for a cleaner run if you e.g. run the web installer from the desktop and prevents potential issues with saving temp files in system folders as a result.
It should also wait long enough for file locks to be released now when cleaning up temp files, which may have been a problem before.

While at it, I made sure to prevent some potential process hijacking attempts as well.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Tweakzy

Re: Palemoon web installer

Unread post by Tweakzy » 2013-10-07, 12:20

hmm why you need detect cpu capability there many way to detect 32|64 bit os ??

me look at web install seems you gone allot effort to hide all code info from people like you have hide something or use someones code and hide so they no see used there code maybe??
very strange can't veiw simple exe manifest or .rc data me find it odd that you do this been you so open and truthful but hide the web install very suspicious only bad people like virus or password steal do this me glad me not use it but still very strange why such reason to hide is something we should worry :problem:

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Palemoon web installer

Unread post by Moonchild » 2013-10-07, 16:18

Tweakzy wrote:hmm why you need detect cpu capability there many way to detect 32|64 bit os ??
Pale Moon doesn't run on processors that don't support SSE2. I do CPU detection not only for x64/x86, but also to let people know that their processor is incapable of running Pale Moon before they download it, saving them bandwidth and time. I may eventually drop the check, since we're really getting into the time where non-SSE2 processors really do belong in a museum and can no longer keep up.
me look at web install seems you gone allot effort to hide all code info from people like you have hide something or use someones code and hide so they no see used there code maybe??
:lol: No, it's been no effort whatsoever, as it's part of the RAB tool I use for miscellaneous utilities (a commercial product called Neobook). I don't hide the code because it would be malicious or "not mine to use". I'm not in the habit of ripping fellow developers off. Having trust issues with me specifically, or is it just general paranoia? :shifty:

In addition, if I don't use the "compress and encrypt" option for the scripting code, it is included in the .exe as plain text which makes the web installer (unnecessarily) larger.

EDIT: By the way, the "yodas crypter" part found by TrID is most likely part of the commercial protection of the RAB run-time (since it IS a commercial package and they protect their investment). I had a poke at that little program and it makes no difference if I encrypt the scripting or not ;)

EDIT2: TrID seems to be thoroughly confused, I don't think it knows what its looking at. Removing all encryption and compression I can, making it a straight up compile (resulting in 2.1 MB of a stub installer, much too large) makes it give:

Code: Select all

TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  5132
Analyzing...

Collecting data from file: palemoon-websetup.exe
 51.4% (.OCX) Windows ActiveX control (116521/4/18)
 19.0% (.EXE) InstallShield setup (43053/19/16)
 18.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  6.4% (.EXE) Win32 Executable Delphi generic (14687/80/4)
  1.9% (.EXE) Win32 Executable (generic) (4508/7/1)
Which is wrong on many accounts ;)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked