Creating customized .dmg files upon download - linux

I want to distribute a cross-platform application for which the executable file is slightly different, depending on the user who downloaded it. This is done by having a placeholder string somewhere in the executable that is replaced with something user-specific upon download.
The webserver that has to do these string replacements is a Linux machine. For Windows, the executable is not compressed in the installer .exe, so the string replacement is easy.
For uncompressed Mac OS X .dmg files, this is also easy. However, .dmg files that are compressed with either gzip or bzip2 are not so easy. For example, in the latter case, the compressed .dmg is not one big bzip2-compressed disk image, but instead consists of a few different bzip2-compressed parts (with different block sizes) and a plist suffix. Also, decompressing and recompressing the different parts with bzip2 does not result in the original data, so I'm guessing Apple uses some different parameters to bzip2 than the command-line tool.
Is there a way to generate a compressed .dmg from an uncompressed one on Linux (which does not have hdiutil)? Or maybe another suggestion for creating customized applications without pregenerating them? It should work without any input by the user.

I realize that I'm a bit too late here, but we wanted to do exactly the same thing and got it to work using libdmg. https://github.com/planetbeing/libdmg-hfsplus
Basically, you can use libdmg to unpack a dmg file to an uncompressed file containing a hfs+ file system, play around with the files inside the hfs+ file system, and them put it back together again as a dmg file with the correct checksums.
If you use any fancy dmg features, like showing an EULA before the image is mounted, then these will not survive the process. Background images and so on work, though.

If your web server and client support the gzip encoding, then you can deal with uncompressed files on the server, but have them compressed / decompressed on the fly by the web server / web client respectively.
e.g. apache's mod_gzip.
Otherwise maybe you can split your dmg into 3 parts:
the stuff before what you want to replace
the string you want to replace
the stuff after what you want to replace
If the gzip stream is splittable at those points, you could just concatenate the front and back onto the gzipped string you want to replace. That would let you generate it on the fly.

Release a normal, read-only, compressed dmg. Then bundle your app in a package installer with a pre-flight script that sets the variables you need.

Related

How to block the executable file upload in web server

I am working on a web app project to block all the file executable from file upload.
Example: user can upload, txt, png, image and video files and not any executable scripts like, Perl, Python, exe, PHP, .so, .sh files.
If it is a PHP file, then I strstr for "<?php" tag, If this tag is present, then it is PHP file. How can we find the same for other script/executable files?
Edit: Some time hackers will upload the malicious files using .png or .jpg extn, so what is the pattern to check inside the files?
Rather than making your own checks you make use of an existing library and you block everything that does not register as a desired format.
Most such libraries guess the content type and encoding of a file by looking for certain signatures or magic byte sequences at specific positions within the file.
Other libraries may be more specialised and will for example only identify image or video formats.
https://www.php.net/manual/en/intro.fileinfo.php
https://github.com/ahupp/python-magic
https://docs.python.org/3/library/imghdr.html
The file programme is a command line tool for identification of file types.
After the first pass where you identify and accept only the desired file formats you should then make all files that are not rejected go through an antivirus scanner.
Depending on you use cases you may decide to strip the original file name extension and/or even the complete file name that was provided during the upload and assign the mime-type that was detected rather than rely on user provided properties.

Compress Decompressed Exe File

So, I decompressed an exe file and modified it, and I want to recompress it back to exe form, not an SFX archive.
I can't find an internet solution for my problem, all of the posts I look at talk about recompressing to an SFX file, which I do not want to do, I want to convert it to a fully working exe.
I think you are looking for IExpress.exe: https://www.maketecheasier.com/create-self-extracting-archives-without-installing-software/
Modifying a binary file without breaking it requires a knowledge of hex or assembly. You can't just decompress and compress it back.
How ever there are tools that has ability to make some minor changes to an exe file. This one is an example. Those tools can only alter exe file's resources like icons, some of the texts, images etc.
Hope this helped.

Is it possible to write hidden information in plain text file?

I have a piece of metadata that I would like to hide in a plain text file, won't be shown by generic text editor, is there a way to do that?
Not within the file itself. For storing metadata I suggest using alternative data streams in the filesystem. In OS X (with HFS) they're called Forks and in Windows (with NTFS) they're called Alternate Data Streams. You're probably already familiar with the "Resource fork" on OS X.
...basically it's a hidden file with the same name as the original file (and moves with it), except it's accessed with special (normally illegal) characters in the file path.
Note that ADS files are not moved/copied between incompatible filesystems (e.g. from NTFS to FAT), when compressed into a zip or archived into a tarball, nor when uploaded, so never assume that your ADS file will be persistent (making it useful for storing local-machine-only metadata, such as editor preferences, etc)
On Windows, you can learn more here: http://support.microsoft.com/kb/105763
On Mac OS X, you can learn more here: https://developer.apple.com/library/mac/documentation/Carbon/Reference/File_Manager/DeprecationAppendix/AppendixADeprecatedAPI.html#//apple_ref/c/func/FSAllocateFork
On Linux, the main filesystems (extfs: ext3, ext4, etc) do not support forks in the filesystem. When reading a HFS volume on Linux you access forks by appending the fork name to the filename (e.g. "/foo/bar/rsrc" to access the resource fork of the file "/foo/bar").

How can I specify the version of zip to use in bash?

Background (not necessary to read)
I'm tinkering with MS office files for work (trying to figure out the quickest, easiest way to automate generation of arbitrary-length excel and powerpoint files). Since actual excel files are just zipped archives with .xlsx appended to the filename, I've been unzipping them, editing the xml, rezipping them, and seeing whether OpenOffice can still load them.
However, I've realized (after not too much such testing, thankfully) that, by default, the 'zip' command in bash (or, at least, on my mac) is zipping the files in a format that only requires unzip v1.0 to extract, but normal excel files are zipped in such a way that they require v2.0 to extract. I checked this is a problem by zipping and unzipping an excel file that I knew loaded normally, and then trying to load it. OpenOffice was displeased.
So, I know I need to make the file zip exactly the way excel does, but how to make that happen I'm not sure. I have zip version 3 on my computer, so hopefully if the zip/unzip release cycles are synchronized it should be possible, but I didn't see anything on the man page that immediately seemed to be the solution.
edit:
And zip -9 (which zip -h helpfully says instructs zip to 'zip better') still only requires v1.0 to extract.
Question:
How can I specify in bash that I want zip to zip a file in such a way that it would require unzip v2.0 to unzip?
Often, the reason for an incompatibility between compressed files produced by different versions is the compression algorithm used. If the files were compressed with an algorithm that didn't exist in zip 1.0, that would cause the incompatibility you're seeing.
Look at the man page for your zip utility, see if there's an option to specify the type of compression to use. If there is, look at the existing files created from Excel, and find out what type of compression algorithm they're compressed with, and use that.
On my Linux system, zip reports "This is Zip 2.31 (March 8th 2005), by Info-ZIP.", and it does not have an option for specifying the compression algorithm. On my Windows system, 7-zip does have the option, and it looks like they do have a Mac version available, so you could try that if your zip utility doesn't support that option.

Can a Self Extracting Zip File read a registry entry?

I'm trying to get my website to talk to a friend's program. Think ITunes - one main program with hundreds of thousands of little things installed into it. We don't want to have to create an InstallShield install program for each of those hundreds of thousands of little things.
We have the files grouped into the folder sub-structure.
We have a .REG file for what registry entry needs to be added to see the new folder group.
But is there a way to do a self extracting zip file that reads a registry entry so we know where they installed the original program to be able to dump the new files there as well? I want them to double-click the EXE and click Finish and for everything to work.
(I've been looking into INF and CAB files through IExpress.exe, but haven't found the answer. I remember Package for the Web didn't have an option to read a registry entry, but did let you modify the suggested install path.)
Thanks so much.
Best wishes,
Andrea
But is there a way to do a self extracting zip file that reads a registry entry so we know where they installed the original program to be able to dump the new files there as well? I want them to double-click the EXE and click Finish and for everything to work
Well, yes and no. There are self-extractors that can run a program after extracting all files. DotNetZip, for example, can produce an SFX which can do this.
Just an aside: a normal SFX is just a zip file, with a "stub" executable merged with it. The stub exe can do anything it wants to do, but the most basic thing it does is extract the files in the zip. When you use DotNetZip to produce an SFX, it embeds its particular stub into the zip. That stub knows how to extract files, and also knows how to invoke a program after extracting. You can also produce your own stub that can do other more exotic things.
So you could use an SFX for your purpose. When run, it would extract, then invoke it's extra program. The program could look in the registry, then move or relocate the extracted files to the appropriate place. Then terminate.
For a different twist, the SFX might have just two files: the program-to-run (the one that reads the registry, and another embedded zip. Then when the SFX runs it generates 2 files. Then it invokes the program-to-run, which reads the registry, then unpacks the contained zip and puts the files into the desired place.
Ok, so you could do it.
Should you?
mmm, maybe. This really is an installer, so, you should decide whether you want to use a zip as an installer. Don't forget, if you use an SFX as an installer, there's no good way to uninstall.
Have you tried Inno Setup toolchain? It's a bit better than a bare Self-Extracting ZIP file, it's a setup creation utility. I'm convinced it has got something to put some entry in the Registry, look also at the plugins.
Basically, a self-extracting executable that alters the registry, it's a setup program. So why don't you go for a proper one?
Website: http://www.jrsoftware.org/isinfo.php

Resources