问题
how it's possible to recognize a 7z SFX ( self extracting EXE ) File from its Binary contents , is there any offset to start from or specific bytes to look for or Both ?.
many thanks
回答1:
Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:
BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};
You should read the first 6 bytes of the file. If that 6 byte sequence is the same as the kSignature above, then the file should be a 7z.
EDIT: I've been trying stuff using 7z on GNU/Linux(which actually crates SFX ELF files, not PE). And i've found that on one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to the byte number 0x00057960, the signature is located here:
0x000578f0: 37 7a bc af 27 1c
0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.
I'd recommend you to download a hex editor, create a SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that i've tested this on GNU/Linux, therefore it might be different on Windows.
来源:https://stackoverflow.com/questions/9542538/recognize-a-7z-sfx-from-binary-contents