I deal with a large number of files every day (guess which kind of files), and a major part of them are different kinds of installers (Wise, Inno Setup, NSIS...).
Some of them can be unpacked by using specialized tools. The problem is that none of those tools have been updated recently, or they do not support all the versions of the installer they claim to unpack.
Over time, a collection of installers that I could not unpack was growing on my HDD.

Yesterday I got an idea :)
Someone here may remember the old DOS days. There was a program named Ripper (latest version I have had was 2.91), that could rip multimedia files from the games.
Why not make such a tool for installers?
Scan through the files, and search for known signatures of BZip2, zlib, GZip, ZIP, CAB... as most of the installers are using one of those for internal storage.

Yup, I did it, and it works, but...

The first problem is that my ripper does not know where the end of the internal storage archive is, so it will copy the stream beginning at the signature until the end of the file, or until it finds another signature of the same kind.
The signatures are based on magic numbers.

The second problem is file names in the cases where those are not stored inside the internal storage (e.g. bzip2). The Ripper will not process the installer's header to search for file names (that's why I categorize it as a ripper, not as an unpacker).

To download the Ripper, look here in Links section for a link to MC AV-Test, and go to Download section.

btw. I can compile this app for Linux if needed (GTK1).

Excellent, this will be a

Excellent, this will be a very useful tool. This is sort of similar to a paper by Miroslav Vnuk and Pavol Navrat entitled "Decompression of run-time compressed PE-files". You can find a copy of the paper here.

They apply a general approach which is to try decompressing various session headers with common compression algorithms. Their argument is that most malware writers don't want to reimplement compression, and will use common methods already available.
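The signature scan from the first post and the "just try decompressing" idea from this comment can be combined so that the decompressor itself reports where each stream ends. This is an added example, not the Ripper's code or the paper's method; it covers only gzip, bzip2 and zlib (ZIP and CAB are left out), and the function names and the sample input are constructed for illustration.

```python
import bz2
import zlib

def _inflate(buf, wbits):
    d = zlib.decompressobj(wbits)      # wbits 31 = gzip wrapper, 15 = zlib wrapper
    out = d.decompress(buf)
    # eof is set only once the stream's end marker and checksum were reached;
    # unused_data is everything after it, which gives the exact stream length
    return (out, len(buf) - len(d.unused_data)) if d.eof else None

def _bunzip(buf):
    d = bz2.BZ2Decompressor()
    out = d.decompress(buf)
    return (out, len(buf) - len(d.unused_data)) if d.eof else None

def _zlib_header_ok(buf):
    # RFC 1950: method 8 (deflate), and CMF*256 + FLG must be divisible by 31
    return len(buf) >= 2 and (buf[0] & 0x0F) == 8 and ((buf[0] << 8) | buf[1]) % 31 == 0

PROBES = [  # (kind, magic number, probe returning (payload, consumed) or None)
    ("gzip", b"\x1f\x8b\x08", lambda b: _inflate(b, 31)),
    ("bzip2", b"BZh", _bunzip),
    ("zlib", b"\x78", lambda b: _inflate(b, 15) if _zlib_header_ok(b) else None),
]

def carve(data):
    """Return [(kind, start, end, payload)] for streams that decompress cleanly."""
    found, pos = [], 0
    while pos < len(data):
        hit = None
        for kind, magic, probe in PROBES:
            if not data.startswith(magic, pos):
                continue
            try:
                res = probe(data[pos:])
            except (zlib.error, OSError, ValueError):
                res = None             # magic matched by chance, not a real stream
            if res:
                hit = (kind, pos, pos + res[1], res[0])
                break
        found += [hit] if hit else []
        pos = hit[2] if hit else pos + 1   # skip past a carved stream
    return found

def build_sample():
    """Constructed input: fake stub bytes around three embedded streams."""
    gz = zlib.compressobj(wbits=31)
    return b"".join([b"MZ" + b"\x00" * 30, gz.compress(b"readme text") + gz.flush(),
                     b"PAD!", bz2.compress(b"payload.dll bytes"),
                     zlib.compress(b"setup script"), b"TRAILER"])
```

A truncated or damaged stream never reaches `eof`, so it is skipped rather than copied out to the end of the file.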


Try this one