如何使用某种二进制签名识别WinRAR SFX? [英] How can I identify a WinRAR SFX using a binary signature of some sort?
问题描述
我正在寻找与此问题中的答案类似的答案,但用于WinRAR而不是7zip.本质上,我想要一个权威的签名,至少可以说使用版本420中的默认SFX文件创建的所有WinRAR生成的自解压缩可执行文件在位置0x00027400处将具有字节0x15、0xa1、0x45、0xcc,0x21、0x98,以及其他NON SFX文件不太可能具有此签名".更好的是,即使在所有版本的WinRAR SFX文件中都可以找到相同的签名,即使它们位于不同的位置.
I'm looking for an answer similar to the one in this question, but for WinRAR instead of 7zip. Essentially I want an authoritative signature that I can say at least "All WinRAR generated self-extracting executables created with the Default SFX file in version 420 will have bytes 0x15, 0xa1, 0x45, 0xcc, 0x21, 0x98 at location 0x00027400, and other NON SFX files are unlikely to have this signature". Even better, if the same signature can be found in all versions of the WinRAR SFX files, even if they are in different locations.
根据SFX的工作方式,它们将非常相似,除了文件的存档部分,但是某些字符串的标识符很差(例如,每个SFX中都有此程序无法在DOS模式下运行",但是碰巧也出现在大多数其他Windows可执行文件中)
By nature of how SFX's work, they will be very similar, except for the archive portion of the file, but some strings make poor identifiers (e.x., "This program cannot be run in DOS mode" is in every SFX, but it happens to also be in most other Windows executables)
当前,我确定签名的方法是查看WinRAR SFX的各种版本,并查找所有文件共有的4或6字节序列.不幸的是,有很多这样的东西,很难选一个.
Currently my method of determining a signature is to look at various versions of the WinRAR SFX, and finding sequences of 4 or 6 bytes that all files have in common. Unfortunately, there are a lot of these, making it difficult to pick one.
推荐答案
来自WinRAR安装文件夹中的 TechNote.txt :
From TechNote.txt in the WinRAR installation folder:
- 要处理SFX存档,您需要跳过SFX模块搜索 用于存档中的标记块.没有标记块序列(0x52 SFX模块本身中的0x61 0x72 0x21 0x1a 0x07 0x00).
- To process an SFX archive you need to skip the SFX module searching for the marker block in the archive. There is no marker block sequence (0x52 0x61 0x72 0x21 0x1a 0x07 0x00) in the SFX module itself.
您已经表明了自己的意思:unrar源代码在 archive.cpp 中包含了代码在文件中的读取方式. SFX部分的最大大小将永远不会大于 rardefs.hpp 中定义的数字:
This you already indicated yourself: the unrar source code has in archive.cpp the code how it reads in a file. The maximum size of the SFX part will never be larger than the number defined in rardefs.hpp:
#define MAXSFXSIZE 0x100000
这篇关于如何使用某种二进制签名识别WinRAR SFX?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
