从二进制内容识别的7z SFX [英] Recognize a 7z SFX from binary contents

问题描述

如何有可能认识到一个7Z SFX（自解压EXE）从它的二进制内容的文件，有没有偏移，从开始或特定字节来寻找或两者兼而有之？

how it's possible to recognize a 7z SFX ( self extracting EXE ) File from its Binary contents , is there any offset to start from or specific bytes to look for or Both ?.

非常感谢

推荐答案

谷歌是你的朋友。搜索7zip的头后的第一个结果。文档说，这是7zip的签名：

Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:

BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};

您应该阅读第6个字节的文件。如果这6字节序列是一样的上述 kSignature ，则该文件应该是一个7Z。

You should read the first 6 bytes of the file. If that 6 byte sequence is the same as the kSignature above, then the file should be a 7z.

修改：我一直在使用的GNU / Linux操作系统（这实际上包装箱SFX ELF文件，而不是PE）7Z尝试的东西。而且我发现，数据的最后一个大块之一，7Z签名实际上是present。 hexdump都产生转储到字节数0x00057960，签名位于：

EDIT: I've been trying stuff using 7z on GNU/Linux(which actually crates SFX ELF files, not PE). And i've found that on one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to the byte number 0x00057960, the signature is located here:

0x000578f0:  37 7a bc af 27 1c

0x37符号和0x7a是'7'和'Z'。因此，在这种情况下，签名的偏移量是在EOF - 。112字节

0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.

我建议你下载一个十六进制编辑器，创建一个文件SFX和测试该偏移是否在每个创建自解压7z格式的应用程序一样。请记住，我已经在GNU / Linux测试过这一点，因此它可能是在Windows上的不同。

I'd recommend you to download a hex editor, create a SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that i've tested this on GNU/Linux, therefore it might be different on Windows.

这篇关于从二进制内容识别的7z SFX的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！