Read Inno Setup encryption key from Internet instead of password box

Question

I want the setup to read the password from a HTTP GET request instead of directly from the user. Is there any way to bypass the password box and do this?

Answer 1

Read the key using WinHttpRequest object, insert it to the password box and submit the Password page:

[Setup]
Password=123
Encryption=yes

[Code]
procedure ExitProcess(uExitCode: Integer);
  external 'ExitProcess@kernel32.dll stdcall';
  
const
  BN_CLICKED = 0;
  WM_COMMAND = $0111;
  CN_BASE = $BC00;
  CN_COMMAND = CN_BASE + WM_COMMAND;
  
procedure CurPageChanged(CurPageID: Integer);
var
  WinHttpReq: Variant;
  Error: string;
  Param: LongInt;
begin
  if CurPageID = wpPassword then
  begin
    WinHttpReq := CreateOleObject('WinHttp.WinHttpRequest.5.1');
    WinHttpReq.Open('GET', 'https://www.example.com/password.txt', False);
    WinHttpReq.Send('');
    if WinHttpReq.Status <> 200 then
    begin
      Error :=
        'Error checking for decryption key: ' +
        IntToStr(WinHttpReq.Status) + ' ' + WinHttpReq.StatusText;
      MsgBox(Error, mbError, MB_OK);
      ExitProcess(1);
    end
      else
    begin
      WizardForm.PasswordEdit.Text := Trim(WinHttpReq.ResponseText);
      Param := 0 or BN_CLICKED shl 16;
      // post the click notification message to the next button
      PostMessage(WizardForm.NextButton.Handle, CN_COMMAND, Param, 0);
    end;
  end;
end;

With use of code from:

• How to skip all the wizard pages and go directly to the installation process?
• Exit from Inno Setup installation from [Code]
• Inno Setup - HTTP request - Get www/web content

---

Note that it is not difficult to extract the URL from the installer and find out the password. See Disassembling strings from Inno Setup [Code].