Home

TeamviewerQS unpacking/resource editing

26 July, 2013 - 08:45 — pirrup
Prerequisites: 

TeamViewerQS.exe
7zip
PE editor / explorer
resource editor

File Information clearly indicates the Nullsoft PiMP stub. This mean that the application is compressed (Packaged) with NSIS (Nullsoft Scriptable Install System) technology, a professional open source system to create Windows Installers.

From basic information, let’s now view more specific information about its PE Geometry. Here is the Section Headers entry:

Entry Point belongs to .text section and .ndata pertains to Nullsoft Installer. Additionally, you can see also the presence of a Resources Section and reloc section. You can already see that it is a SFX archive.

NSIS Files Extraction and Further File Analysis

As stated previously, the executable is delivered as Windows Installer, packaged and compressed with NSIS Technology. Now we need to study the structure of this package and carve out all its files.

It’s pretty easy to unpack an NSIS Application. All that is needed is an archive manager like 7Zip.

Let’s examine the content by opening the executable with 7Zip application:

As you can see, we have 2 Directory Entries:

NSIS also has a wide range of plugins to accomplish various installation tasks. PLUGINSDIR as the name suggests, is the Container Directory of these DLLs. In our case, we have System.dll and TvGetVersion.dll
Plugins can easily be investigated by consulting the following website:http://nsis.sourceforge.net/Category:Plugins

we are only interested in the $[35] folder :

There is a plugin dir in this folder also (used to unpack the 7z files) we don't care…

Let’s examine the content of tvqsfiles.7z :

This folder is the one you really need to do the resource editing, you can repack it to a sfx archive if you want or create an installer.

All the resources can be found in the dll files (text in the language resource and images can be found in TeamViewer_StaticRes.dll)

As an example i changed the image in the quick support module (TeamViewer_StaticRes.dll) :

You can test your changes by running the TeamViewer.exe from the folder.

After you made all your changes you can then create a SXF or installer that extracts it to temp and run TeamViewer.exe.
Or leave the directory unpacked and run the TeamViewer.exe directly.

Feel free to ask me more info on this project if needed …

Regards,

pirrup

Images: