从二进制内容中识别 7z SFX [英] Recognize a 7z SFX from binary contents

问题描述

如何从其二进制内容中识别 7z SFX(自解压 EXE)文件，是否有任何偏移量要开始或查找特定字节或两者?.

how it's possible to recognize a 7z SFX ( self extracting EXE ) File from its Binary contents , is there any offset to start from or specific bytes to look for or Both ?.

非常感谢

推荐答案

Google 是您的朋友.搜索 "7zip header" 后的第一个结果.文档说这是 7zip 签名:

Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:

BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};

您应该读取文件的前 6 个字节.如果该 6 字节序列与上面的 kSignature 相同，则该文件应该是 7z.

You should read the first 6 bytes of the file. If that 6 byte sequence is the same as the kSignature above, then the file should be a 7z.

编辑:我一直在尝试在 GNU/Linux 上使用 7z 的东西(它实际上是打包 SFX ELF 文件，而不是 PE).我发现在最后一组数据中，实际上存在 7z 签名.Hexdump 生成一个字节数为 0x00057960 的转储，签名位于此处:

EDIT: I've been trying stuff using 7z on GNU/Linux(which actually crates SFX ELF files, not PE). And i've found that on one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to the byte number 0x00057960, the signature is located here:

0x000578f0:  37 7a bc af 27 1c

0x37 和 0x7a 分别是 '7' 和 'z'.因此，在这种情况下，签名的偏移量为 EOF - 112 字节.

0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.

我建议您下载一个十六进制编辑器，创建一个 SFX 文件并测试这个偏移在每个创建 SFX 7z 的应用程序中是否相同.请记住，我已经在 GNU/Linux 上对此进行了测试，因此在 Windows 上可能会有所不同.

I'd recommend you to download a hex editor, create a SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that i've tested this on GNU/Linux, therefore it might be different on Windows.

这篇关于从二进制内容中识别 7z SFX的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！