[File] [PATCH] Magdir/archive for InstallShield archive setup.ibt

Jörg Jenderek joerg.jen.der.ek at gmx.net
Thu May 26 00:12:49 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

some days ago i handled some software packages made by InstallShield.
In some (uh! only 3) cases are files with name setup.ibt. When
running file command version 5.41 some such IBT examples and
related files i get an output like:

setup.ibt:          data
setup-2.ibt:        data
setup-3.ibt:        data
setup-1-181883.bin: data
setup-2-169370.bin: data
setup-3-168085.bin: data
setup-1-41.bin:     MS Compress archive data, SZDD variant,
		    original size: 331908 bytes
setup-2-37.bin:     MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes
setup-3-37.bin:     MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes


With option -i application/x-ms-compress-szdd for SZDD archives
is shown. With option --extension 3 byte sequence ??_ for these
archives is shown.

For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). It identifies the
SZDD archives as "Microsoft SZDD compressed (Haruhiko Okumura's
LZSS)" by  szdd.trid.xml. But it also  does not recognise the IBT
examples (described as "Unknown!" see appended trid-v-ibt.txt.gz).

Luckily TrID tool with option -v shows a reference URL for SZDD
archives. There also a link to SZDD and KWAJ formats description,
examples and software is listed. That information is added inside
Magdir/archive by comment lines like:
# URL:		http://fileformats.archiveteam.org/wiki/
#		MS-DOS_installation_compression
# Reference:	http://www.cabextract.org.uk/libmspack/doc/
#		szdd_kwaj_format.html
#		http://mark0.net/download/triddefs_xml.7z
#		defs/s/szdd.trid.xml

The detection of SZDD archives happens inside Magdir/archive by
lines like:
 >0	string	SZDD	MS Compress archive data, SZDD variant
 !:mime	application/x-ms-compress-szdd
 !:ext	??_

According to specification after the 4 byte ASCII magic SZDD comes
4 more unique bytes. So one could also test for these bytes or check
for these bytes by additional DEBUGGING line like:
 >>4	ubelong	0x88F02733	\b, SIGNATURE OK

If you compress window library with file name extension DLL, then
the compressed file gets here extension DL_ and the character
missing from the end of the filename is stored inside compressed
sample. This is shown by line like:
 >>9	string	>\0	\b, %-.1s is last character of original name

When looking inside IBT examples i saw SZDD string and got the
thought that these InstallShield archives are just containing SZDD
compressed files. So with the help of hexl-mode of emacs and dd
tools i split IBT examples in parts with BIN file name extension.
And not surprisingly some are identified by file command as "MS
Compress archive data, SZDD variant". But this could be happen
luckily. On mentioned site download links for tools are listed. So
verified information partly by decoding tool deark (See appended
deark-l-bin.txt.gz) and 7-zip package tool (See appended
7z-l-bin.txt.gz) by command lines like:
	deark -l -m lzss_oku -d2 setup-1-41.bin
	7z l -tMsLZ -slt *.bin
So i know the SZDD starting parts are really compressed archives.

Unfortunately i found only little pieces of information about
InstallShield setup.ibt. That information is added inside
Magdir/archive by comment lines like:
# URL:	https://community.flexera.com
#	/t5/InstallShield-Knowledge-Base
#	/InstallShield-Redistributable-Files/ta-p/5647

The detection happens by new lines like:
 1	search/48/bs	SZDD\x88\xF0\x27\x33	InstallShield archive
 !:mime	application/x-installshield-compress-szdd
 !:ext	ibt
 >&0	indirect	x
Instead of generic mime type application/octet-stream i display a
user defined one. The inspection of the compressed part is done by
indirect call at offset of SZDD magic.

Now i look at bytes before SZDD magic. This part contain 4 nil
terminated text strings. The first is apparently the name of
compressed archive member (like: setup.dl_ _setup7int.dl_
_setup2k.dl_ _igdi.dl_ cabinet.dl_). So shown this information by
line like:
 >0	string	x		%s
Afterwards apparently comes the name of uncompressed original file
(like: setup.dll _Setup.dll IGdi.dll CABINET.DLL). So shown this
information by line like:
 >>&1	string	x		(%s)
The third string is point separated digits (like 9.0.0.333
9.1.0.429 11.50.0.42618). Probably this is a kind of version. So
show this information by line like:
 >>>&1	string	x		\b, version %s
As fourth part comes a number string (like 168048 169333 181842).
When counting this number from SZDD magic you jump to next archive
text block. So apparently this is the SZDD member length. So show
this information by line like:
 >>>>&1	string	x		\b, %s bytes

After applying the above mentioned modifications by patch
file-5.41-archive-ibt.diff then all my inspected IBT examples are
now described. This now looks like:
setup.ibt:          InstallShield archive setup.dl_ (setup.dll)
		    , version 11.50.0.42618, 181842 bytes
		    MS Compress archive data, SZDD variant,
		    original size: 331908 bytes
setup-2.ibt:        InstallShield archive setup.dl_ (setup.dll)
		    , version 9.1.0.429, 169333 bytes
		    MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes
setup-3.ibt:        InstallShield archive setup.dl_ (setup.dll)
		    , version 9.0.0.333, 168048 bytes
		    MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes
setup-1-181883.bin: InstallShield archive _setup7int.dl_ (_Setup.dll)
		    , version 11.50.0.42618, 117732 bytes
		    MS Compress archive data, SZDD variant,
		    original size: 368640 bytes
setup-2-169370.bin: InstallShield archive _setup7int.dl_ (_Setup.dll)
		    , version 9.1.0.429, 117722 bytes
		    MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 368640 bytes
setup-3-168085.bin: InstallShield archive _setup2k.dl_ (_Setup.dll)
		    , version 9.0.0.333, 57337 bytes
		    MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 159744 bytes
setup-1-41.bin:     MS Compress archive data, SZDD variant,
		    original size: 331908 bytes
setup-2-37.bin:     MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes
setup-3-37.bin:     MS Compress archive data, SZDD variant,
		    l is last character of original name,
		    original size: 311428 bytes

I hope my diff file can be applied in future version of file
utility.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCYo7F9wAKCRCv8rHJQhrU
1qCQAJ0d8ilP952Nsgqn7YryYVD6SCBc/gCcCkpeqj91afdNA2Ez0gJVBHh011g=
=YyYR
-----END PGP SIGNATURE-----
-------------- next part --------------
--- file-5.41/magic/Magdir/archive.old	2021-08-30 11:10:26.000000000 +0200
+++ file-5.41/magic/Magdir/archive	2022-05-26 00:47:20.138555300 +0200
@@ -671,5 +671,13 @@
 #
 #		SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
+# URL:		http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
+# Reference:	http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html
+#		http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml
+# Note:		called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID
+#		verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ
+#		`deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura"
 >0	string	SZDD		MS Compress archive data, SZDD variant
+# 2nd part of signature
+#>>4	ubelong	0x88F02733	\b, SIGNATURE OK
 !:mime	application/x-ms-compress-szdd
 !:ext	??_
@@ -680,4 +688,22 @@
 >>8	string	!A		\b, %-.1s method
 >>10	ulelong	>0		\b, original size: %u bytes
+# Summary:	InstallShield archive with SZDD compressed
+# URL:		https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647
+# From:		Joerg Jenderek
+1	search/48/bs	SZDD\x88\xF0\x27\x33	InstallShield archive
+#!:mime	application/octet-stream
+!:mime	application/x-installshield-compress-szdd
+!:ext	ibt
+# name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_
+>0	string	x		%s
+# name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL
+>>&1	string	x		(%s)
+# probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618
+>>>&1	string	x		\b, version %s
+# SZDD member length like: 168048 169333 181842
+>>>>&1	string	x		\b, %s bytes
+# MS Compress archive data
+#>&0	string		SZDD	\b, SIGNATURE FOUND
+>&0	indirect	x
 #		QBasic SZDD variant
 3	string	\x88\xf0\x27
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.41-archive-ibt.diff.sig
Type: application/octet-stream
Size: 1163 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220526/daf61dac/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deark-l-bin.txt.gz
Type: application/x-gzip
Size: 189 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220526/daf61dac/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 7z-l-bin.txt.gz
Type: application/x-gzip
Size: 305 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220526/daf61dac/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-ibt.txt.gz
Type: application/x-gzip
Size: 503 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220526/daf61dac/attachment-0002.bin>


More information about the File mailing list