如何使用某种二进制签名识别 WinRAR SFX? [英] How can I identify a WinRAR SFX using a binary signature of some sort?
问题描述
我正在寻找类似于这个问题中的答案,但适用于 WinRAR 而不是 7zip.本质上,我想要一个权威签名,我至少可以说所有 WinRAR 生成的自解压可执行文件使用版本 420 中的默认 SFX 文件创建的将有字节 0x15、0xa1、0x45、0xcc、0x21、0x98 在位置 0x00027400 和其他 NONSFX 文件不太可能具有此签名".更好的是,如果可以在所有版本的 WinRAR SFX 文件中找到相同的签名,即使它们位于不同的位置.
就 SFX 的工作方式而言,它们将非常相似,除了文件的存档部分,但有些字符串的标识符很差(例如,此程序不能在 DOS 模式下运行"在每个 SFX 中,但是它恰好也存在于大多数其他 Windows 可执行文件中)
目前我确定签名的方法是查看 WinRAR SFX 的各种版本,并找到所有文件共有的 4 或 6 个字节的序列.不幸的是,其中有很多,因此很难选择一个.
来自 WinRAR 安装文件夹中的 TechNote.txt:
<块引用>- 要处理 SFX 存档,您需要跳过 SFX 模块搜索用于存档中的标记块.没有标记块序列(0x520x61 0x72 0x21 0x1a 0x07 0x00) 在 SFX 模块本身中.
你已经表明了这一点:unrar 源代码在 archive.cpp 中有它如何在文件中读取的代码.SFX 部分的最大大小永远不会大于 rardefs.hpp 中定义的数字:
#define MAXSFXSIZE 0x100000I'm looking for an answer similar to the one in this question, but for WinRAR instead of 7zip. Essentially I want an authoritative signature that I can say at least "All WinRAR generated self-extracting executables created with the Default SFX file in version 420 will have bytes 0x15, 0xa1, 0x45, 0xcc, 0x21, 0x98 at location 0x00027400, and other NON SFX files are unlikely to have this signature". Even better, if the same signature can be found in all versions of the WinRAR SFX files, even if they are in different locations.
By nature of how SFX's work, they will be very similar, except for the archive portion of the file, but some strings make poor identifiers (e.x., "This program cannot be run in DOS mode" is in every SFX, but it happens to also be in most other Windows executables)
Currently my method of determining a signature is to look at various versions of the WinRAR SFX, and finding sequences of 4 or 6 bytes that all files have in common. Unfortunately, there are a lot of these, making it difficult to pick one.
From TechNote.txt in the WinRAR installation folder:
- To process an SFX archive you need to skip the SFX module searching for the marker block in the archive. There is no marker block sequence (0x52 0x61 0x72 0x21 0x1a 0x07 0x00) in the SFX module itself.
This you already indicated yourself: the unrar source code has in archive.cpp the code how it reads in a file. The maximum size of the SFX part will never be larger than the number defined in rardefs.hpp:
#define MAXSFXSIZE 0x100000
这篇关于如何使用某种二进制签名识别 WinRAR SFX?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
