Topic: TrID variants of dat-inno*.trid.xml for Inno Setup Uninstall Log (unins0??.dat)

jenderek

Hello,

when running trid on some Inno Setup Uninstall Log (unins0??.dat) all
examples are recognized.

Then I compared it with identification by the file(1) command, and I saw that
there exist 2 variants. For the log examples mentioned in file list
file-ansi.txt, strings are stored as ANSI strings (see output/file-ansi.txt).
On the other hand, the examples mentioned in file list file-utf.txt contain
strings that are stored as UTF-16 LE (see output/file-utf.txt).

When looking in the source Undo.pas, found for example at
https://github.com/jrsoftware/issrc/blob/master/Projects/ we recognize that
at offset 320 the version is stored as a ulelong value. I do not know how this
integer correlates to the setup version, but I see that for unified variant just
1000 is added. So the non-Unicode version may never become greater than or
equal to 1000. On the other hand, version 1000 or higher implies Unicode.
So mention this fact in remark line.

Then for utf examples described by dat-inno-v1k.trid.xml with version like
0x418 only the 2 upper bytes are null. This is described by XML construct:

   <Pattern>
      <Bytes>0000</Bytes>
      <Pos>322</Pos>
   </Pattern>

For ANSI examples described by dat-inno-v0k.trid.xml only 1 byte is used of
version and the other 3 upper bytes are null. This is described by XML
construct:

   <Pattern>
      <Bytes>000000</Bytes>
      <Pos>321</Pos>
   </Pattern>

Then at offset 470 host, user, install directory are stored as Pascal
strings for the ANSI variant. Mention this in remark. Furthermore, when running
tridscan on examples I got in the global section lines like:
   <String>START MENU</String>
For UTF examples I got in the global section lines like:
   <String>S'T'A'R'T' 'M'E'N'U</String>
   <String>P'R'O'G'R'A'M' 'F'I'L'E'S</String>

When installing Inno Setup without creating a start menu, then of course this
first line in the global section disappears. On modern Windows systems the
directory for installing programs is by default "C:\Program Files". On
German Windows XP the default directory is "C:\Programme". So the second line
in the global section vanishes if counting such examples.

Then at offset 475 host, user, install directory are stored as UTF-16 LE
strings. Mention this fact in remark line. So the first character of the host
name is described by XML construct:

   <Pattern>
      <Bytes>00</Bytes>
      <Pos>476</Pos>
   </Pattern>

Unfortunately utf strings are not null terminated, but are prepended by
fe??ffFFff probably coding string size. This is described by construct:
   <Pattern>
      <Bytes>FE</Bytes>
      <Pos>470</Pos>
   </Pattern>
   <Pattern>
      <Bytes>FFFFFF</Bytes>
      <Pos>472</Pos>
   </Pattern>

The original dat-inno.trid.xml looks only for the string "Inno Setup Uninstall
Log (b)" at the beginning by a construct like:
<Pattern>
   <Bytes>496E6E6F20536574757020556E696E7374616C6C204C6F6720286229</Bytes>
   <ASCII> I n n o   S e t u p   U n i n s t a l l   L o g   ( b )</ASCII>
   <Pos>0</Pos>
</Pattern>

Unfortunately then also ASCII text like unins000.txt starting with this magic
phrase is misidentified as Inno Setup log, but in a real log the first field is
padded by nulls. This is now expressed by XML construct:
<Pattern>
   <Bytes>0000000000000000000000000000000000000000000000000000000000</Bytes>
   <Pos>35</Pos>
</Pattern>


The next field is a 128-byte string App Id. Often this is similar to the
following App Name, but sometimes it is a GUID that starts with a left brace
({ = 7B) like {4BB0DCDC-BC24-49EC-8937-72956C33A470}. The next field is a
128-byte string with the App Name like "Minimal SYStem", "ClamWin Free
Antivirus", etc. So mention these facts in remark line.

According to the source, the header contains array[0..26] of Longint reserved
for future use. This is expressed by XML construct like:

<Pattern>
   <Bytes>000000000000000000000000000000000000000000000000</Bytes>
   <Pos>336</Pos>
</Pattern>


With variant definition files all inspected examples are now distinguished
(See appended trid-ansi.txt and trid-utf.txt in output directory).

TrID definition, some examples and output are stored in archive dat_trid.zip .
I hope that my 2 XML files can be used in future version of triddefs.

Maybe these 2 distinguishing ways should also be applied to the Inno Setup
installer described by exe-innosetup.trid.xml.

With best wishes
Jörg Jenderek
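
Added example, not part of the original post and not TrID or Inno Setup code: a Python sketch that applies the header checks described above (magic at 0, null padding at 35, version at 320, reserved nulls at 336, FE ?? FF FF FF prefix at 470) to tell the ANSI log, the Unicode log and a plain text file apart. The App Id/App Name offsets 64 and 192 are assumptions derived from the two 128-byte fields ending at offset 320; the function names, result labels and sample buffers are constructed for illustration.

```python
import struct

MAGIC = b"Inno Setup Uninstall Log (b)"  # 28 bytes at offset 0, as in the post

def _cstr(field: bytes) -> str:
    """Decode a fixed-size, null-padded ANSI field."""
    return field.split(b"\0", 1)[0].decode("latin-1")

def classify_unins_dat(data: bytes) -> dict:
    """Apply the header checks from the post to one buffer."""
    if len(data) < 476 or not data.startswith(MAGIC):
        return {"kind": "other"}
    # Real logs null-pad the first field; a text file that merely starts
    # with the magic phrase does not (pattern at offset 35 in the post).
    if any(data[35:64]):
        return {"kind": "text-with-magic"}
    # Reserved Longint array: the post's pattern checks 24 null bytes at 336.
    if any(data[336:360]):
        return {"kind": "other"}
    (version,) = struct.unpack_from("<I", data, 320)  # ulelong at offset 320
    info = {
        "version": version,
        # Assumed offsets: two 128-byte fields ending where the version starts.
        "app_id": _cstr(data[64:192]),
        "app_name": _cstr(data[192:320]),
    }
    if version < 1000:
        info["kind"] = "ansi"
    else:
        # Unicode variant: strings at 470 carry the FE ?? FF FF FF prefix.
        prefix_ok = data[470] == 0xFE and data[472:475] == b"\xff\xff\xff"
        info["kind"] = "unicode" if prefix_ok else "unicode-unexpected-prefix"
    return info

def make_sample(version: int, app: bytes, unicode_prefix: bool) -> bytes:
    """Constructed test input, not a real uninstall log."""
    buf = bytearray(512)
    buf[0:len(MAGIC)] = MAGIC
    buf[64:64 + len(app)] = app
    buf[192:192 + len(app)] = app
    struct.pack_into("<I", buf, 320, version)
    if unicode_prefix:
        buf[470:475] = b"\xfe\x04\xff\xff\xff"
    return bytes(buf)
```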

Mark0

Thanks Joerg!