How can I identify a WinRAR SFX using a binary signature of some sort?

I'm looking for an answer similar to the one in this question, but for WinRAR instead of 7zip. Essentially I want an authoritative signature that I can say at least "All WinRAR generated self-extracting executables created with the Default SFX file in version 420 will have bytes 0x15, 0xa1, 0x45, 0xcc, 0x21, 0x98 at location 0x00027400, and other NON SFX files are unlikely to have this signature". Even better, if the same signature can be found in all versions of the WinRAR SFX files, even if they are in different locations.

By nature of how SFX's work, they will be very similar, except for the archive portion of the file, but some strings make poor identifiers (e.x., "This program cannot be run in DOS mode" is in every SFX, but it happens to also be in most other Windows executables)

Currently my method of determining a signature is to look at various versions of the WinRAR SFX, and finding sequences of 4 or 6 bytes that all files have in common. Unfortunately, there are a lot of these, making it difficult to pick one.

Answer1:

From TechNote.txt in the WinRAR installation folder:

<ol> <li>To process an SFX archive you need to skip the SFX module searching for the marker block in the archive. There is no marker block sequence (0x52 0x61 0x72 0x21 0x1a 0x07 0x00) in the SFX module itself.</li> </ol>

This you already indicated yourself: the unrar source code has in archive.cpp the code how it reads in a file. The maximum size of the SFX part will never be larger than the number defined in rardefs.hpp:

#define MAXSFXSIZE 0x100000

Answer2:

If I have it right, you'd like to look a file up and see if it is a valid SFX file built with WinRAR, right?

In this case, these are the PE signatures you should be looking for (haven't tried them, but they're listed in the PE sig DB linked at the bottom):

WinRAR-SFX=80E9A1C1C11368E4167546C1C1055EEB019D6864863746EB028CE05FF7D0 WinRAR-SFX=EB0102EB02CD20B880

Just get the entry point and see if these bytes are following in the right order. An extensive list of PE signatures is available at http://tot-ltd.org/packer.db.

人吐槽 人点赞

Recommend

Comment

用户名: 密码:
验证码: 匿名发表

你可以使用这些语言

查看评论:How can I identify a WinRAR SFX using a binary signature of some sort?