{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 叼着烟拽天下 的问题《How can I identify a WinRAR SFX using a binary sig》','https://www.manongdao.com/q-861872.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm looking for an answer similar to the one in this question, but for WinRAR instead of 7zip. Essentially I want an authoritative signature that I can say at least "All WinRAR generated self-extracting executables created with the Default SFX file in version 420 will have bytes 0x15, 0xa1, 0x45, 0xcc, 0x21, 0x98 at location 0x00027400, and other NON SFX files are unlikely to have this signature". Even better, if the same signature can be found in all versions of the WinRAR SFX files, even if they are in different locations.
By nature of how SFX's work, they will be very similar, except for the archive portion of the file, but some strings make poor identifiers (e.x., "This program cannot be run in DOS mode" is in every SFX, but it happens to also be in most other Windows executables)
Currently my method of determining a signature is to look at various versions of the WinRAR SFX, and finding sequences of 4 or 6 bytes that all files have in common. Unfortunately, there are a lot of these, making it difficult to pick one.
If I have it right, you'd like to look a file up and see if it is a valid SFX file built with WinRAR, right?
In this case, these are the PE signatures you should be looking for (haven't tried them, but they're listed in the PE sig DB linked at the bottom):
WinRAR-SFX=80E9A1C1C11368E4167546C1C1055EEB019D6864863746EB028CE05FF7D0 WinRAR-SFX=EB0102EB02CD20B880
Just get the entry point and see if these bytes are following in the right order. An extensive list of PE signatures is available at http://tot-ltd.org/packer.db.
From TechNote.txt in the WinRAR installation folder:
This you already indicated yourself: the unrar source code has in archive.cpp the code how it reads in a file. The maximum size of the SFX part will never be larger than the number defined in rardefs.hpp: