从二进制内容识别的7z SFX [英] Recognize a 7z SFX from binary contents
问题描述
如何有可能认识到一个7Z SFX(自解压EXE)从它的二进制内容的文件,有没有偏移,从开始或特定字节来寻找或两者兼而有之?
how it's possible to recognize a 7z SFX ( self extracting EXE ) File from its Binary contents , is there any offset to start from or specific bytes to look for or Both ?.
非常感谢
推荐答案
谷歌是你的朋友。搜索7zip的头后的第一个结果。文档说,这是7zip的签名:
Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:
BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};
您应该阅读第6个字节的文件。如果这6字节序列是一样的上述 kSignature
,则该文件应该是一个7Z。
You should read the first 6 bytes of the file. If that 6 byte sequence is the same as the kSignature
above, then the file should be a 7z.
修改:我一直在使用的GNU / Linux操作系统(这实际上包装箱SFX ELF文件,而不是PE)7Z尝试的东西。而且我发现,数据的最后一个大块之一,7Z签名实际上是present。 hexdump都产生转储到字节数0x00057960,签名位于:
EDIT: I've been trying stuff using 7z on GNU/Linux(which actually crates SFX ELF files, not PE). And i've found that on one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to the byte number 0x00057960, the signature is located here:
0x000578f0: 37 7a bc af 27 1c
0x37符号和0x7a是'7'和'Z'。因此,在这种情况下,签名的偏移量是在EOF - 。112字节
0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.
我建议你下载一个十六进制编辑器,创建一个文件SFX和测试该偏移是否在每个创建自解压7z格式的应用程序一样。请记住,我已经在GNU / Linux测试过这一点,因此它可能是在Windows上的不同。
I'd recommend you to download a hex editor, create a SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that i've tested this on GNU/Linux, therefore it might be different on Windows.
这篇关于从二进制内容识别的7z SFX的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!