
I'm looking for an answer similar to the one in this question, but for WinRAR instead of 7zip. Essentially I want an authoritative signature that I can say at least "All WinRAR generated self-extracting executables created with the Default SFX file in version 420 will have bytes 0x15, 0xa1, 0x45, 0xcc, 0x21, 0x98 at location 0x00027400, and other NON SFX files are unlikely to have this signature". Even better, if the same signature can be found in all versions of the WinRAR SFX files, even if they are in different locations.

By nature of how SFX's work, they will be very similar, except for the archive portion of the file, but some strings make poor identifiers (e.x., "This program cannot be run in DOS mode" is in every SFX, but it happens to also be in most other Windows executables)

Currently my method of determining a signature is to look at various versions of the WinRAR SFX, and finding sequences of 4 or 6 bytes that all files have in common. Unfortunately, there are a lot of these, making it difficult to pick one.

Rollie
  • 1) 7-zip is open-sourced; 2) it can 'unrar' things; 3) you could guess the rest :) You could also see [UnRAR.dll source code](http://www.rarlab.com/rar_add.htm). – Aleksei Zabrodskii Nov 07 '12 at 18:20
  • Good suggestion, I will have a look at that. But in this case, I'm not looking to UnRar anything, I'm trying to determine if the file as a whole is a self-extracting executable, not a RAR file. I imagine similar logic exists somewhere in 7z source, though it's not always easy to find. – Rollie Nov 07 '12 at 18:25
  • I believe UnRAR.dll checks that the file is actually a RAR archive (SFX even) and does not try to uncompress just random 2GiB files. Anyway, I can just speculate here, so hopefully someone else could give something more specific. Good luck :) – Aleksei Zabrodskii Nov 07 '12 at 18:28
  • Looks like it just goes through the first 0x100000 bytes and tries to find the signature for a RAR file. I was hoping to avoid doing that, but it may be a more robust solution. I don't expect a better answer on this one - feel free to contribute an answer to this effect and I will accept. – Rollie Nov 07 '12 at 19:20
  • Well, what I found is `RAR.SFX` starting at byte 83131 in both of two SFX-archives created with 4.20 (x86) in Windows XP. Not sure about plain RAR-files. – Aleksei Zabrodskii Nov 08 '12 at 19:59
  • It also looks like all plain RAR archives start with `Rar!`. And I believe that the first thing after the SFX module in an SFX archive is `RAR.SFX`. (Everything in ASCII of course.) – Aleksei Zabrodskii Nov 08 '12 at 20:09

2 Answers

From TechNote.txt in the WinRAR installation folder:

  1. To process an SFX archive you need to skip the SFX module searching for the marker block in the archive. There is no marker block sequence (0x52 0x61 0x72 0x21 0x1a 0x07 0x00) in the SFX module itself.

This you already indicated yourself: the unrar source code shows in archive.cpp how it reads in a file. The maximum size of the SFX part will never be larger than the number defined in rardefs.hpp:

```c
#define  MAXSFXSIZE        0x100000
```
Gfy

If I have it right, you'd like to look a file up and see if it is a valid SFX file built with WinRAR, right?

In this case, these are the PE signatures you should be looking for (haven't tried them, but they're listed in the PE sig DB linked at the bottom):

```
WinRAR-SFX=80E9A1C1C11368E4167546C1C1055EEB019D6864863746EB028CE05FF7D0
WinRAR-SFX=EB0102EB02CD20B880
```

Just get the entry point and see if these bytes are following in the right order. An extensive list of PE signatures is available at http://tot-ltd.org/packer.db.

Bogdan Botezatu