How is it possible to recognize a 7z SFX (self-extracting EXE) file from its binary contents? Is there any offset to start from, or specific bytes to look for, or both?
Many thanks
Google is your friend. First result after searching "7zip header". The documentation says this is the 7zip signature:
BYTE kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};
You should read the first 6 bytes of the file. If that 6-byte sequence is the same as the kSignature above, then the file should be a 7z.
EDIT: I've been trying stuff using 7z on GNU/Linux (which actually creates SFX ELF files, not PE). And I've found that in one of the last chunks of data, the 7z signature is actually present. Hexdump generates a dump up to byte number 0x00057960, and the signature is located here:
0x000578f0: 37 7a bc af 27 1c
0x37 and 0x7a are '7' and 'z' respectively. Therefore, in this case, the offset of the signature is at EOF - 112 bytes.
I'd recommend you download a hex editor, create an SFX file and test whether this offset is the same in every application that creates SFX 7z. Remember that I've tested this on GNU/Linux, therefore it might be different on Windows.
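A scan that does not depend on a fixed offset, added here as an example and not part of the original answer: it checks for an executable magic ("MZ" or ELF) at offset 0, then searches the rest of the buffer for kSignature and keeps only a hit whose header is consistent with the file size. The function names are hypothetical, and the 32-byte header layout and major version 0 are assumptions taken from the 7z format documentation, not from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature quoted in the answer above. */
static const unsigned char kSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};

/* Read a little-endian 64-bit value. */
static uint64_t le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* 1 if buf starts like a PE ("MZ") or ELF (0x7F "ELF") executable. */
static int is_executable(const unsigned char *buf, size_t len) {
    if (len >= 2 && buf[0] == 'M' && buf[1] == 'Z') return 1;
    return len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0;
}

/* Offset of the first 7z signature header that fits inside buf, or -1.
   Assumed layout (32 bytes): signature[6], version[2], StartHeaderCRC[4],
   NextHeaderOffset[8], NextHeaderSize[8], NextHeaderCRC[4]. */
long find_7z_header(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 32 <= len; i++) {
        if (memcmp(buf + i, kSignature, 6) != 0) continue;
        uint64_t rest = len - i - 32;          /* bytes after the header */
        uint64_t off = le64(buf + i + 12), size = le64(buf + i + 20);
        /* Major version is 0; the next header must lie inside the file. */
        if (buf[i + 6] == 0 && off <= rest && size <= rest - off) return (long)i;
    }
    return -1;
}

/* 1 if buf is an executable with a 7z archive embedded after offset 0. */
int is_7z_sfx(const unsigned char *buf, size_t len) {
    return is_executable(buf, len) && find_7z_header(buf, len) > 0;
}

int main(void) {
    /* Constructed sample: 64-byte fake ELF stub + empty 7z header. */
    unsigned char sample[96] = {0x7f, 'E', 'L', 'F'};
    memcpy(sample + 64, kSignature, 6);
    sample[71] = 4;                            /* minor version */
    printf("sfx=%d offset=%ld\n", is_7z_sfx(sample, sizeof sample),
           find_7z_header(sample, sizeof sample));
    return 0;
}
```

The bounds check rejects stray occurrences of the six signature bytes inside the stub; it does not verify the header CRCs, so a match is a strong hint rather than proof of a valid archive.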