A bad situation, avoided.


LLXX
December 23rd, 2005, 06:55
A reverser I had worked with once told me that she never once ran an automated installation program excepting the time when she was installing the Windows OS. She would unpack every automated installer and "install" the software manually.

I also unpacked manually, but only when the site said that their software would be bundled with adware/spyware. The other times I would just run the installer and clean up after it (remove superfluous keys it had set in the registry, delete autorun entries that so many like to install, ...)

Today I was searching for a specific software, and found something I wanted to try out, so I downloaded the installer. It was freeware anyway, and it did not say "ad-supported" or anything suspicious. Nonetheless, I still had a bad feeling about this one. I decided to do it manually.

It was packed with Inno, but Innounp wouldn't unpack it automatically. I took the manual approach of stripping the zlib-compressed portion out and manually decompressing the files it contained. A simple search revealed 21 separate files within the package. This was beginning to become suspicious. I was expecting one EXE and maybe a few other helpfiles and some crap. Unpacking revealed the install script, the main EXE of the program, a helpfile and some crap, and the complete set of Microsoft OLE DLLs for WinXP, French version, as well as an XP-version of KERNEL32.DLL!

Looking at the install script, it seems that the installer would just blindly copy the new DLLs to the system directory on reboot, overwriting any previous versions. Besides being completely incompatible with my system (98se) and being of the wrong language, these are vital system DLLs, so if I had run the installer my OS kernel would've gotten trashed on the next reboot, and I wouldn't have had a single idea what had happened.

Despite including XP system files, the site claims the software to be compatible with "Windows 95/98/98se/ME/2000/XP". I read the install script, installed it manually (excepting the new kernel and DLLs), inspected the (VB) code for maliciousness, and ran it. It didn't work, complaining that an import couldn't be found. This was an NT-only API, for Win 2000 and XP. Maybe that explains why they bundled the XP kernel and DLLs?

I've now reported this extreme case of ignorance and stupidity to them. It looks like a very new software company, so I doubt it was intentional. But the mere fact that they are so ignorant as to what their installer does is a major cause for concern.

From now on I'll be quite sure to unpack, inspect, and manually install every program I try.
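
As an added illustration (not code from this thread or from the installer discussed), a small Python check for the pattern described above: it parses the [Files] section of an Inno Setup script and flags entries that copy into {sys} or {win}, reporting the restartreplace/ignoreversion flags that make such a copy unconditional. The script text below is a constructed sample modelled on the behaviour described, not the real installer's script.

```python
# Constructed sample of an Inno Setup script, modelled on the installer
# described in the thread (not the actual script from that package).
SAMPLE_ISS = """
[Setup]
AppName=ExampleApp
MinVersion=4.0,4.0

[Files]
Source: "ExampleApp.exe"; DestDir: "{app}"; Flags: ignoreversion
Source: "ExampleApp.hlp"; DestDir: "{app}"
Source: "KERNEL32.DLL"; DestDir: "{sys}"; Flags: restartreplace ignoreversion uninsneveruninstall
Source: "OLE32.DLL"; DestDir: "{sys}"; Flags: restartreplace ignoreversion uninsneveruninstall
Source: "OLEAUT32.DLL"; DestDir: "{sys}"; Flags: restartreplace uninsneveruninstall
"""

# Inno Setup directory constants that resolve to OS-owned locations.
SYSTEM_DIRS = ("{sys}", "{win}")
# Flags that defeat the usual "keep the newer file" version check:
# ignoreversion overwrites regardless of version, restartreplace defers
# an in-use file replacement to the next reboot.
DANGEROUS_FLAGS = {"restartreplace", "ignoreversion"}

def parse_files_section(script):
    """Return each [Files] entry as a dict of lower-cased parameter -> value.
    Parameters are split on ';', so a quoted path containing ';' would be
    mis-parsed; that is good enough for an inspection tool."""
    entries, in_files = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_files = line.lower() == "[files]"
            continue
        if not in_files:
            continue
        params = {}
        for part in line.split(";"):
            key, _, value = part.partition(":")
            params[key.strip().lower()] = value.strip().strip('"')
        entries.append(params)
    return entries

def risky_entries(script):
    """(source, destdir, sorted overwrite flags) for entries writing into a
    system directory; an empty flag list still means the file lands there."""
    findings = []
    for e in parse_files_section(script):
        dest = e.get("destdir", "").lower()
        flags = set(e.get("flags", "").lower().split())
        if dest.startswith(SYSTEM_DIRS):
            findings.append((e.get("source"), dest, sorted(flags & DANGEROUS_FLAGS)))
    return findings

if __name__ == "__main__":
    for src, dest, flags in risky_entries(SAMPLE_ISS):
        print(f"{src} -> {dest} {' '.join(flags) or '(no overwrite flags)'}")
```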

Admiral
December 23rd, 2005, 12:22
Good save. I wish I had a sixth sense.

...It's worrying to think just how many people are now running a Franco-English Frankenstein copy of XP.

LLXX
December 23rd, 2005, 20:00
This is probably the first time I've seen an OS kernel being bundled with the software... which actually has nothing at all to do with OLE and the system files. I've seen stupid installers in the past, but this is certainly the worst in a very long time. Perhaps they wanted to "make sure that every file needed by the program is supplied".

disavowed
December 23rd, 2005, 21:02
Quote:
[Originally Posted by LLXX]This is probably the first time I've seen an OS kernel being bundled with the software

Despite its name, kernel32.dll is not part of the kernel.

dELTA
December 24th, 2005, 15:50
Not the kernel per se, but it's tightly related to core functionality of the operating system anyway, which is what I think he meant.

Anyway, using VMware (combined with monitoring tools inside the virtual machine) instead of manually unpacking every installer can probably save you a lot of time and problems, LLXX.

LLXX
December 24th, 2005, 20:43
Quote:
[Originally Posted by dELTA]... which is what I think he meant.
Actually, "she meant".

Quote:
[Originally Posted by dELTA]Anyway, using VMware (combined with monitoring tools inside the virtual machine) instead of manually unpacking every installer can probably save you a lot of time and problems, LLXX.
Do most reversers work regularly inside of a VM? I tend to use a second "sacrificial" machine for the purpose of analyzing particularly hazardous software. However, I still like to stop problems before they ever become problems.

nikolatesla20
December 26th, 2005, 11:10
Hi, I build installers all the time - one would hope that the installer itself, in the "installation logic", was checking the system version to decide what to do properly.

Oh, and another reason to get away from 98se.

-nt20