how it's possible to recognize a 7z SFX ( self extracting EXE ) File from its Binary contents , is there any offset to start from or specific bytes to look for or Both ?.
many thanks
Asked
Active
Viewed 1,440 times
1 Answers
3
Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:
BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};
You should read the first 6 bytes of the file. If that 6 byte sequence is the same as the kSignature above, then the file should be a 7z.
EDIT: I've been trying stuff using 7z on GNU/Linux(which actually crates SFX ELF files, not PE). And i've found that on one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to the byte number 0x00057960, the signature is located here:
0x000578f0: 37 7a bc af 27 1c
0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.
I'd recommend you to download a hex editor, create a SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that i've tested this on GNU/Linux, therefore it might be different on Windows.
mfontanini
- 21,410
- 4
- 65
- 73
-
I'm talking about the 7z SFX Archives ( self extracting EXE File). so are these 6 bytes present in the 7z SFX Archives if yes at what offset ? – randydom Mar 03 '12 at 02:30
-
Sorry, didn't take that into account on the first place. I've editted my answer. – mfontanini Mar 03 '12 at 03:13