How to secure/encrypt Inno Setup from decompiling

3
votes

I am using an Inno Setup Tool to pack/setup all my files (dll, exe, jpg, etc). But I found that there is a software called InnoExtractor which can really open my setup and read all the scripts and also extract all the files, since I need to hide/protect my files in setup I spent a lot of time/efforts to secure my setup.exe which was generated from Inno Setup, but I found some people saying add a password to Inno Setup Script, but this is also a wrong because the client knows that password and he can simply use InnoExtractor and extract everything even it was protected by Password! is not it!?

Now, I just ask if there someone can suggest me to solve this problem. In fact I embed XML files and DLL which is used to install specific files at client side according to the client machine, but if the client extract all DLLs to his machine then it will be a catastrophe! I need a way to prevent the client from seeing/extracting my setup.exe!

2
installationinno-setup

2 Answers

3
votes

There's no way to protect code from an user, if you need to be able to run the same code on the user's machine. Once you deliver files to client's machine, no matter what method you used to pack them, the client can extract the files.

You can only make it harder, but there's no absolute solution.

More standard tools you use, more easy it is to decompile the code. If you want to make decompiling hard, make your custom installer, instead of relying on a standard installer tool (like Inno Setup).

Probably the only safe way is to use some online service.

  • You can encrypt the files with some very strong cipher (each file/DLL with a different encryption key). The installer will ask the user for some password, and will send the password to some online service. The online service, after verifying the password, will send back a decryption key for the DLL that you allow the client to install. This will allow the installer to decrypt only the DLL for that client.

  • Another alternative is that the installer will actually download the DLL from a server, only after you verify the client.

2
votes

There's no way to 100% protect your installer from an attacker. If someone want to crack it then it can do it.

What you can do:

1) Encrypt the files with some custom (3rd party) system or use [Setup] Encryption directive

2) Modify Inno Setup - download sources, change them and compile again

3) Place sensitive files and data on server and download them during setup (+ encrypt)

4) [Code] section cannot be entirely unpacked, place some calculations or file operations there