ssokolow: Sorry for the delay. Here's the script I wrote which successfully unpacks the Deadly Premonition Director's Cut installer using only the output of innoextract to deduce the RAR password.

https://gist.github.com/ssokolow/7368450647df37c40830
shmerl: Thanks for pointing it out! The ini file there indeed has that id as a name. That's useful and simplifies unpacking.
It's still fragile compared to reading from the .iss script like the actual InnoSetup code does, but it's a fair stopgap until innoextract is suitably extended to dump that.

My main concern was making sure that whatever solution I came up with would retain consistent behaviour if I burned gog_unrar.py to a DVD+R alongside the installer and then GOG went belly-up. That's why, if I ever get around to implementing the web-based fallback, I'll have it print a warning and dump the ID to a cache file alongside the installer.
Post edited December 28, 2014 by ssokolow
A quick way to obtain game id (using the above assumption of the ini file):

innoextract -l "$exe_file" | pcregrep -o1 'tmp/(\d+)\.ini'

Put actual exe file instead of $exe_file or set that variable before.

UPDATE:

I also created a small script to unpack these files (nothing sophisticated, just barebones unpacking):

https://gist.github.com/shmerl/271659ca6831db943a37
Post edited December 28, 2014 by shmerl
I didn't test it on multipart rar though. I assume unrar x can handle it, but if not - let me know, I'll update the script.
shmerl: I didn't test it on multipart rar though. I assume unrar x can handle it, but if not - let me know, I'll update the script.
It'll fail on multipart RAR because you'll be replacing ".exe" with ".bin" rather than "-1.bin" and, thus, generating a nonexistent filename.

Conversely, mine will fail on non-multipart RAR because, with only one game to test against, I forgot to handle the case yours works on.

That aside, mine and yours are more or less the same thing. Mine just tries to live up to a "this is a program" standard of quality rather than "this is a script". (Working --help and --version, a lot more error checking, and a basic attempt to Just Work™ on Windows if you install the Python 2.7 runtime and drop innoextract.exe and unrar.exe into the PATH)
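
An added example, not taken from either poster's script: it covers the two cases discussed above by trying both the "-1.bin" and the ".bin" name, and pulls the game id out of an `innoextract -l` listing with the same pattern as the one-liner. The sample listing, the id and the file names are constructed, and the function names are hypothetical.

```python
import os
import re

# Pattern from the one-liner in the thread: the game id is the name of the
# .ini file that innoextract lists under tmp/.
ID_RE = re.compile(r"tmp/(\d+)\.ini")

# Constructed stand-in for `innoextract -l` output (the id is a placeholder).
SAMPLE_LISTING = ' - "app/game.exe"\n - "tmp/1234567890.ini"\n - "app/readme.txt"\n'


def game_id_from_listing(listing):
    """Return the single game id in the listing, or None if there is none."""
    ids = set(ID_RE.findall(listing))
    if len(ids) > 1:
        raise ValueError("ambiguous game id candidates: %s" % sorted(ids))
    return ids.pop() if ids else None


def first_archive_part(exe_path, exists=os.path.exists):
    """Return the first .bin data file that belongs to exe_path.

    Multipart installers name their data "<base>-1.bin", "<base>-2.bin", ...
    while single-part ones use "<base>.bin", so both names are tried.
    """
    base, ext = os.path.splitext(exe_path)
    if ext.lower() != ".exe":
        raise ValueError("expected an .exe installer: %r" % exe_path)
    for candidate in (base + "-1.bin", base + ".bin"):
        if exists(candidate):
            return candidate
    raise FileNotFoundError("no .bin data file next to %r" % exe_path)


if __name__ == "__main__":
    on_disk = {"setup_game-1.bin", "setup_game-2.bin"}  # constructed file set
    print(game_id_from_listing(SAMPLE_LISTING))
    print(first_archive_part("setup_game.exe", exists=on_disk.__contains__))
```
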
ssokolow: It'll fail on multipart RAR because you'll be replacing ".exe" with ".bin" rather than "-1.bin" and, thus, generating a nonexistent filename.
Yeah, I see. When there are many parts they are called "-<number>.bin". I'll update the script to handle those, but I'm not sure if they are detected by unrar as continuation or all require separate unrar command. I'll try testing it on the Witcher since some reported it as affected by this issue.

UPDATE:
Another thing I just discovered - the affected games are not available through lgogdownloader!

UPDATE2:
No, I take that back. Witcher is not affected but it's still missing in lgogdownloader. I suspect GOG slowly removes some games from old API and switches them to Galaxy.
Post edited December 28, 2014 by shmerl
shmerl: UPDATE2:
No, I take that back. Witcher is not affected but it's still missing in lgogdownloader. I suspect GOG slowly removes some games from old API and switches them to Galaxy.
Speaking of Galaxy, does anyone here know someone participating in the Galaxy Client closed alpha who'd be willing to complain in this thread?

http://www.gog.com/forum/general/gog_galaxy_client_closed_alpha/

Given how wary a lot of people seemed to be of anything even remotely Steam-like in a lot of the old "Steam-like game manager/downloader" wishlist threads, I suspect it might not be too difficult to rekindle that worry that "Steam-like == Steam DRM" train of thought.

We might be able to force a response and possible backpedal on the encryption if we can get a confirmed early adopter to get other confirmed early adopters to start worrying that Galaxy is really just an attempt to sneak "gog = steam.clone();" in through the back door.

(Also, for the record, I'm saving copies of every page of this thread in case GOG decides to pull a face-heel turn and delete it.)
Post edited December 29, 2014 by ssokolow
ssokolow: Also, as I just mentioned in another thread, given that two installers apparently use non-RAR compression (one FreeArc, the other unknown), I'm wondering whether they just hired a warez kiddie into their installer department.
Do the games come with a file_id.diz file now? ;-)

The GOG packing team seems to be exploring with new file formats. I'm all for it, as long as I can work with them without much trouble. However, that password thing... Why!? I see no benefit in it!

I just hope you are not going through all this trouble of figuring out how it works, and tomorrow the entire format is changed once again.

Regarding the per user encryption, if they are not heading in this route, nor some sort of digital signature system, then I am completely at a loss.
GOG could use several tricks to avoid the re-processing of the big archives, and still achieve this sort of "evil goals".

Awaiting some news on this front.

BTW, I saw some of those releases back then, and some of them were really impressive. Compressing WAVs into MP3s and then re-encoding them back into WAVs was a smart idea. :-)
I wouldn't go as far as suspecting GOG of making a Steam clone DRM-wise. Let's give them some time since many of the staff can be on the winter break now. If we won't hear anything by some early January - then it will be a reason to worry.
Gede: BTW, I saw some of those releases back then, and some of them were really impressive. Compressing WAVs into MP3s and then re-encoding them back into WAVs was a smart idea. :-)
That doesn't sound like a good idea to me. Lossless → lossy → lossless is a rather pointless sequence. Once something is compressed with a lossy codec, you can't reconstruct the lossless original anymore. But let's not go too much into off-topic.
Post edited December 29, 2014 by shmerl
Gede: BTW, I saw some of those releases back then, and some of them were really impressive. Compressing WAVs into MP3s and then re-encoding them back into WAVs was a smart idea. :-)
shmerl: That doesn't sound like a good idea to me. Lossless → lossy → lossless is a rather pointless sequence. Once something is compressed with a lossy codec, you can't reconstruct the lossless original anymore. But let's not go too much into off-topic.
They were making big downloads on small broadband connections more feasible by imitating ScummVM's "Ogg-based CD Audio emulation" support for game engines with no source and no support for compressed formats.
ssokolow: They were making big downloads on small broadband connections more feasible by imitating ScummVM's "Ogg-based CD Audio emulation" support for game engines with no source and no support for compressed formats.
Ah, in that sense. Then it's useful.
Hello,

-Rars are used for convenience, as they have some features that the old archives lack. For example when making a test build of the game, it's faster for us to update the archives than to repack them from scratch when making small changes for testers.

-Watermarking the installers with username is not planned. One, for ideological reasons, two it's not really technologically feasible.

-Yes, the archives are password-protected. Here's why:

The supported way of installing the games is by using the Installer, which apart from unpacking the files, also creates registry entries, shortcuts, compatibility fixes etc. We want to avoid having the situation, when user will see an unprotected rar file, download and unpack it, and get a "broken" installation, because he didn't use the installer.
There were situations, when users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.
In such a situation I think it's better to give immediate "it won't work that way" message, rather than allow someone to make a "partial" installation, which may or may not work, without any information.

Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.

The Installer is designed mostly for reliability and ease of use for any user. And it's intentionally designed as it is.

Mind you - if you are using the supported installation mode, you don't have to enter the password anywhere. Nor is it in any way dependent on username, or hardware, or anything else. It's more or less hardcoded into the installer (I see you guys already figured out how), as much as the decompression algorithm. You can still use the installer exactly as you could since the beginning of GOG, and install your games wherever, whenever, and however many times you want. It doesn't detect where it was downloaded from either. That hasn't changed at all.

We don't really support installing the game by manually unpacking the archives (for whatever reason you do that). On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I'm not going to say "Hey, good job hacking into our software guys!", but I'm not going to try and make the password harder either.
Gowor: -Rars are used for convenience, as they have some features that the old archives lack. For example when making a test build of the game, it's faster for us to update the archives than to repack them from scratch when making small changes for testers.
Compared to letting InnoSetup pack them, I can understand that... but why RAR rather than some other standalone compression format with a similar compression ratio and fewer licensing restrictions on the compressor (like 7-zip)?

Gowor: There were situations, when users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.

In such a situation I think it's better to give immediate "it won't work that way" message, rather than allow someone to make a "partial" installation, which may or may not work, without any information.
That makes sense... but have you considered just prepending some kind of stub to foil the header detection? That'd give you a lot more control. Heck, you could make it an EXE that just pops up a "Please use this installer properly" dialog.

(That's how self-extractors work, so tools like unrar and 7zip will try to seek past a prepended stub when you ask it to extract an EXE... or image file for that matter.)

Gowor: Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.
Malware pushers tend to be better at this kind of stuff than we are and have more of an incentive and yet we already figured out the password algorithm and realized that innounp.exe will unpack an InnoSetup installer completely enough to modify the resources and repack it into a new installer.

(Speaking of which, are you using an unmodified InnoSetup instance? If so, they could just unpack the InnoSetup EXE, rebuild it with a malware-installing component, and reuse your password-calculating unrar.dll without figuring out how it works.)

Gowor: We don't really support installing the game by manually unpacking the archives (for whatever reason you do that).
Mostly to run the games on Linux or MacOS... either because it's a DOSBox game, because these new installers crash under Wine (they do), or because the installer contains resources we want to use with a clean-room engine clone like CorsixTH for Theme Hospital.

...plus, it just generally rubs us the wrong way when we don't have the option of unpacking our installers ourselves should GOG ever go under and Wine ever drop backwards compatibility, leaving us with only open-source clean-room engine clones and archive unpackers.

Gowor: On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I'm not going to say "Hey, good job hacking into our software guys!", but I'm not going to try and make the password harder either.
Obviously, but I still think you should re-evaluate your approach. It's ineffective at preventing malware distribution, it gives a bad impression to people who don't know your intentions, there are better ways to prevent a browser from mis-identifying an archive, and I can probably think of some alternative proposals for minimizing the chance that Windows users will unpack them rather than running them.

Update: One option would be to try snipping off the magic constant at the beginning of the archive header that identifies it as that file type. ('\x52\x61\x72\x21\x1a\x07\x00' in the case of RAR) Then, even if users do rename them to whatever archive extension they actually are, WinRAR or 7zip or whatever wouldn't recognize them while your custom unrar.dll and our niche extraction tools could easily be modified to act as if offset 0 in the file is actually offset 7 and the check already passed.

After all, your old InnoSetup BIN files already get mis-identified as AIX core dumps half the time.
Post edited December 29, 2014 by ssokolow
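
An added illustration of the two ideas in the post above (a prepended stub and a stripped magic constant), not code from GOG or from either poster's script: it reports where the RAR marker sits in a file. The sample bytes are constructed, the function names are hypothetical, and the RAR 5 marker and the 1 MiB scan limit are additions not mentioned in the thread.

```python
import io

# RAR 4.x marker quoted in the post above; the RAR 5 marker is added here.
RAR4_MAGIC = b"\x52\x61\x72\x21\x1a\x07\x00"
RAR5_MAGIC = b"\x52\x61\x72\x21\x1a\x07\x01\x00"
SCAN_LIMIT = 1024 * 1024  # assumed cap on how far to look past a stub


def find_rar_marker(stream, limit=SCAN_LIMIT):
    """Return (offset, version) of the first RAR marker, or (None, None)."""
    data = stream.read(limit)
    hits = [(data.find(m), v) for m, v in ((RAR4_MAGIC, 4), (RAR5_MAGIC, 5))]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits) if hits else (None, None)


def classify(stream):
    """Describe how a signature-based tool would see the file."""
    offset, version = find_rar_marker(stream)
    if offset is None:
        return "unrecognized"
    if offset == 0:
        return "plain RAR%d archive" % version
    return "RAR%d archive behind a %d-byte stub" % (version, offset)


def restore_stripped_header(stream):
    """Re-attach the marker for a file whose first 7 bytes were removed.

    Reads everything into memory for brevity; a real tool would shift its
    read offsets by 7 instead of copying the data.
    """
    return io.BytesIO(RAR4_MAGIC + stream.read())


if __name__ == "__main__":
    body = b"\x00" * 32                      # constructed placeholder payload
    plain = RAR4_MAGIC + body
    stubbed = b"MZ" + b"\x90" * 62 + plain   # constructed 64-byte stub
    stripped = plain[len(RAR4_MAGIC):]       # marker removed, as proposed
    for name, blob in (("plain", plain), ("stubbed", stubbed),
                       ("stripped", stripped)):
        print(name, "->", classify(io.BytesIO(blob)))
    print("restored ->", classify(restore_stripped_header(io.BytesIO(stripped))))
```
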
Gowor: We don't really support installing the game by manually unpacking the archives (for whatever reason you do that).
I'll add my voice here with ssokolow - to unpack and run things in Linux, MacOS or other OS. There are many many games for sale on GOG that work great with Wine, that are only available officially for Windows (not to mention all the Dosbox games).

One way is to unpack the Win-installer as discussed in this topic - another one is to run the setup.exe in Wine. But the new GOG installers do not work in Wine properly at the moment (why I have no idea - it has changed recently, before they all worked ok).

I've bought many Win-only games and ran them myself in Wine successfully, and I do not expect support of course. Now that I can not unpack things or even use the setup.exe, there's no point in buying really. I'll just wait and see how this unfolds.
Post edited December 29, 2014 by Daliz
Another voice against this practice in here. Same reasons as above; tinkering in Linux and with cleanroom implementations along with concern with future (and even present!) compatibility.

Please discontinue this practice. It is offensive and causes grief. I come here to avoid DRM, and I expect better from you.
Malware pushers tend to be better, and any protection can be broken (as this thread shows), but AFAIK innounp doesn't unpack the compiled code, just the resources, so it's not the same thing. Plus, a repacked installer won't have the digital signature, so it can be easily distinguished (Windows shows a notification if you run unsigned downloaded exe).

The browser actually identifies the archive very well (it is a rar file after all). The problem is when the only downloaded things are the rar files, without the installer exe, or even only the first part of the multi-part archive. And if I try to add any more protection from extracting such a download, then you'll have even more work to break that :-P Current solution works well enough for that purpose.

Thanks for the input though. I listen to your feedback and try to add requested features to the Installer, so if there are any ideas that can be integrated with the current design and requirements, I'm open to try :-)

As for Wine... Well, it's not really officially supported. I added a /nogui switch some time ago for that purpose, because it was a feature requested by some users. For now it's not working due to other updates which had higher priority. I'll look into getting it working again.