Thursday, December 31, 2015

Extracting without installing: MSI installer
Windows Installer (MSI) files usually have the .msi extension, but some installers have an .exe extension and wrap the raw MSI file inside, for example Viber for Windows or Evernote.
   Even with all the Google search results on hand, we had no success in extracting a wrapped-MSI installer directly. Be it answers on StackOverflow, IT-Ninja, etc., unfortunately nothing works... :(

   We just have to log its installation in a virtual machine (VM), and then collect the files by following the before/after snapshot logs.
   Luckily most wrapped-MSI installers will extract their raw MSI file during installation. "During installation" means while the installation is running, not after it is completed. The installer usually deletes any raw MSI file after completion, with some exceptions.
   So, while the installation is still in progress, or while the "EULA/End User License Agreement" is shown, look (quickly) for the raw MSI in these possible places:
  1. the temporary folder: %TMP%, for example Evernote,
  2. the application folder in %LOCALAPPDATA%, for example Viber stores its raw MSI in %LOCALAPPDATA%\Package Cache\{D65DDA75-2C0A-46BA-807D-127BD5638490}v6.0.1.5,
  3. the %WINDIR%\Installer folder, which is usually used by applications that still keep their raw MSI after installation, or
  4. these are speculative: an application-created folder in %ALLUSERSPROFILE% (C:\ProgramData), %PROGRAMFILES% or %PROGRAMFILES(X86)%, or maybe even %COMMONPROGRAMFILES% or %COMMONPROGRAMFILES(x86)%, %USERPROFILE%, %APPDATA%.
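
One way to do the "look quickly" step without racing the installer by hand, as an added example that is not part of the original post: a PowerShell script that polls the folders listed above and copies out every new .msi it sees. The capture folder, polling interval and duration are assumptions, and it expects Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example (not from the original post): poll the candidate folders for
# raw .msi files while a wrapped installer runs, and copy each new one out
# before the installer deletes it. Start it in the VM just before the installer.
param(
    [string]$CaptureDir = 'C:\0TEST\captured',  # assumed output folder
    [int]$Seconds = 600,                        # how long to keep polling
    [int]$IntervalMs = 1000
)

# Folders named in the list above; unset or missing ones are skipped.
$roots = @($env:TMP, $env:LOCALAPPDATA, (Join-Path $env:WINDIR 'Installer'),
           $env:ALLUSERSPROFILE) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-MsiFiles {
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter *.msi -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.msi' }
    }
}
# Size and timestamp are part of the key, so a file that grows is copied again.
function Get-Key($f) { '{0}|{1}|{2}' -f $f.FullName, $f.Length, $f.LastWriteTimeUtc.Ticks }

New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

# Baseline: MSI files already present before the installer starts are ignored.
$seen = @{}
foreach ($f in (Get-MsiFiles)) { $seen[(Get-Key $f)] = $true }

$n = 0
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    foreach ($f in (Get-MsiFiles)) {
        $key = Get-Key $f
        if ($seen.ContainsKey($key)) { continue }
        $dest = Join-Path $CaptureDir ('{0:D3}_{1}' -f $n, $f.Name)
        try { Copy-Item -LiteralPath $f.FullName -Destination $dest -ErrorAction Stop }
        catch { continue }   # locked or still being written: retry next pass
        $seen[$key] = $true
        $n++
        $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        '{0}  {1}  <-  {2}' -f $hash, $dest, $f.FullName
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Each output line gives the SHA-256, the captured copy and the original location, so the copies can be matched against the before/after snapshot log afterwards.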

Identifying Wrapped MSI files

We will use the wrapped-MSI .exe installers of Evernote and Viber as samples.
  1. We can still find the "buried" MSI file in the Evernote installer. Let's open it with 7-Zip's Open archive.
    We can see here that it's packed with MSZip, which could also be a sign that we have a good probability of finding the full MSI file inside.
  2. Let's reopen it with Open archive * (asterisk).
    Here we see something that looks like Inno Setup installer content.
    If we browse into the .rsrc\1033\ folder and open the version.txt file, we can read these values: VOS_UNKNOWN | VOS__WINDOWS32 and VFT_APP, which usually means that it could be an MSI installer.
  3. Now let's try opening the installer with Open archive # (hash/fence).
    A promising sign! We see an MSI file named 1.msi inside. Judging from its size, it's not that different from the packed installer size, which is 128MB.
  4. We can actually extract that 1.msi and then extract it with msiexec.exe to get the complete Evernote binaries!
  5. Alternatively, we can also open the installer with Open archive #:e.
    And get to where the MSI file is packed.

That was a good catch, but we can't say the same thing about the Viber installer :(
  1. Let's try opening it with the usual Open archive.
    We get a lot of u? files packed with the LZX:21 method. We got nothing here.
  2. Now let's try opening it with Open archive * (asterisk).
    We see something that looks like Inno Setup content.
    If we browse into the .rsrc folder and open the version.txt file, we find something familiar: the VFT_APP file type. This could be an MSI installer.
    If we go up and try to open the biggest one [0] with Open Inside # we get 2 .cab files. But going down further still gets us no MSI file.
  3. Even if we try to open it with Open archive #:e (the most powerful mode 7-Zip can provide), we still get nothing.
  4. So the only way to get the Viber binaries and/or its raw MSI file is through a logged installation on a virtual machine/VM. Quite troublesome, right? ;)
You might think, "Hey, we don't have to find the MSI, just extract the binaries already!" But that would leave us without the proper Viber folder structure, and there are files that have identical names and we don't really know which one to use either.
   So with a wrapped MSI file, we can only hope that it is an "Evernote kind" of installer. Courtesy of Evernote publisher's kindness :)

Update (Jan 12, 2018): Viber is actually extractable, find it out in Viber's DIY/Do-It-Yourself Upgrade.

How to Extract MSI Files

The extractor comes with Windows as msiexec.exe. To see the available options, just open a command window and type:
 msiexec /?
For our example, we will use this ready-to-use command line template:
 msiexec /a "___.msi" TARGETDIR="[absolute folder path]\__" /lv*x! "___.txt" /qn

We'll use the calibre installer as an example.
  1. Replace the "__" in the command line template with the installer name, in this example calibre-3.14.0:
     msiexec /a "calibre-3.14.0.msi" TARGETDIR="[absolute folder path]\calibre-3.14.0" /lv*x! "calibre-3.14.0.txt" /qn
    then replace the [absolute folder path] with the absolute path to the current installer folder, in our example C:\0TEST:
     msiexec /a "calibre-3.14.0.msi" TARGETDIR="C:\0TEST\calibre-3.14.0" /lv*x! "calibre-3.14.0.txt" /qn
    Copy that to clipboard (Ctrl+C).
  2. Bring up a command window in the current folder: press Shift and right-click on any empty space in the folder → select "Open command window here" from the context menu → paste the copied command line into the command window → press Enter and close the command window.
  3. Switch the File Explorer view to "Details" and watch the log file size increasing. Try "Refresh" on the view if it looks stagnant.
  4. When the log file size stops increasing, open the log file with Notepad and go to the last line. If it ends with something like === Verbose logging stopped: [date] [time] ===, then the extraction is completed.
  5. We can see that a new calibre-3.14.0 folder has been created in our working folder. Browse inside to get the extracted files.
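
The steps above as one script, added here as an example and not part of the original post: it fills in the same msiexec template for a given MSI, waits for msiexec to finish, checks the log for the "Verbose logging stopped" line, and writes a SHA-256 inventory of the extracted files. The inventory file name and the script's parameter name are assumptions.

```powershell
# Added example (not from the original post): run the administrative-install
# template above for one MSI, confirm completion from the log, then inventory
# the extracted files with SHA-256 hashes.
param(
    [Parameter(Mandatory)][string]$Msi   # e.g. C:\0TEST\calibre-3.14.0.msi
)

$msiPath = (Resolve-Path -LiteralPath $Msi).Path
$name    = [IO.Path]::GetFileNameWithoutExtension($msiPath)
$workDir = Split-Path -Parent $msiPath
$target  = Join-Path $workDir $name               # absolute TARGETDIR
$log     = Join-Path $workDir "$name.txt"
$csv     = Join-Path $workDir "$name.sha256.csv"  # assumed inventory file name

# Same switches as the template: /a, TARGETDIR, /lv*x! <log>, /qn
$argLine = '/a "{0}" TARGETDIR="{1}" /lv*x! "{2}" /qn' -f $msiPath, $target, $log
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $argLine -Wait -PassThru

# -Wait replaces watching the log grow; the end of the log is still checked.
$tail = @(Get-Content -LiteralPath $log -Tail 5 -ErrorAction SilentlyContinue)
$completed = @($tail | Where-Object { $_ -match '^=== Verbose logging stopped:' }).Count -gt 0

if ($proc.ExitCode -ne 0 -or -not $completed) {
    Write-Error "Extraction failed: msiexec exit code $($proc.ExitCode), see $log"
    exit 1
}

# Inventory of what was unpacked, with paths relative to TARGETDIR.
Get-ChildItem -LiteralPath $target -File -Recurse -Force |
    ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($target.Length).TrimStart('\')
            Size         = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $csv -NoTypeInformation -Encoding UTF8

"Extracted to $target; inventory written to $csv"
```

The /a switch performs an administrative installation, which unpacks the files into TARGETDIR without registering the product; msiexec still processes the package's administrative sequence, so an MSI from an unknown source is best extracted inside the VM as well.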