2. Customize (but don't change the length on) the 7-byte constant header prefix in your RAR files so WinRAR won't recognize them.
If they change the rar archive to be unrecognizable by the standard unpacker, someone has to take out a hex editor, examine the file, figure out that it is just a mutated rar archive and then post these results here publicly. Then we can come up with a method/script which repairs the file to a standard rar archive, so that we can unpack it.
How is that any different from what we currently do with the password protected installers?
Imho there are two alternatives here:
Either GOG decides to stick to standard rar archives together with an installer exe which sets up registry keys, compatibility settings, etc. To unexperienced users is has to be explained that for a proper installation the installer has to be executed, just unraring the file is not enough. Users who want to fool around with the game data without using the installer can do so with standard unpack utilities.
- or -
They try to make it impossible to just unrar the archive. Then it doesn't really matter if they do it with password protection, malformed archives or any other clever tricks. Those who want to bypass the installer have to create and maintain their own tool/script to unpack these gog installers. And be prepared that the script will most likely break whenever GOG changes something.
I personally belief throwing explanations at the user is the better alternative in the long run, rather then limiting the user's options so much that they can't do anything stupid. But since this is supposed to be a "tech"-thread, I will refrain from any long philosophical ramblings :p