[File] [PATCH] Magdir/archive for InstallShield archive setup.ibt
Christos Zoulas
christos at zoulas.com
Fri May 27 21:28:14 UTC 2022
Committed thanks!
christos
> On May 25, 2022, at 8:12 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> some days ago i handled some software packages made by InstallShield.
> In some (uh! only 3) cases are files with name setup.ibt. When
> running file command version 5.41 some such IBT examples and
> related files i get an output like:
>
> setup.ibt: data
> setup-2.ibt: data
> setup-3.ibt: data
> setup-1-181883.bin: data
> setup-2-169370.bin: data
> setup-3-168085.bin: data
> setup-1-41.bin: MS Compress archive data, SZDD variant,
> original size: 331908 bytes
> setup-2-37.bin: MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
> setup-3-37.bin: MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
>
>
> With option -i application/x-ms-compress-szdd for SZDD archives
> is shown. With option --extension 3 byte sequence ??_ for these
> archives is shown.
>
> For comparison reason i run the file format identification utility
> TrID ( See https://mark0.net/soft-trid-e.html). It identifies the
> SZDD archives as "Microsoft SZDD compressed (Haruhiko Okumura's
> LZSS)" by szdd.trid.xml. But it also does not recognise the IBT
> examples (described as "Unknown!" see appended trid-v-ibt.txt.gz).
>
> Luckily TrID tool with option -v shows a reference URL for SZDD
> archives. There also a link to SZDD and KWAJ formats description,
> examples and software is listed. That information is added inside
> Magdir/archive by comment lines like:
> # URL: http://fileformats.archiveteam.org/wiki/
> # MS-DOS_installation_compression
> # Reference: http://www.cabextract.org.uk/libmspack/doc/
> # szdd_kwaj_format.html
> # http://mark0.net/download/triddefs_xml.7z
> # defs/s/szdd.trid.xml
>
> The detection of SZDD archives happens inside Magdir/archive by
> lines like:
>> 0 string SZDD MS Compress archive data, SZDD variant
> !:mime application/x-ms-compress-szdd
> !:ext ??_
>
> According to specification after the 4 byte ASCII magic SZDD comes
> 4 more unique bytes. So one could also test for these bytes or check
> for these bytes by additional DEBUGGING line like:
>>> 4 ubelong 0x88F02733 \b, SIGNATURE OK
>
> If you compress window library with file name extension DLL, then
> the compressed file gets here extension DL_ and the character
> missing from the end of the filename is stored inside compressed
> sample. This is shown by line like:
>>> 9 string >\0 \b, %-.1s is last character of original name
>
> When looking inside IBT examples i saw SZDD string and got the
> thought that these InstallShield archives are just containing SZDD
> compressed files. So with the help of hexl-mode of emacs and dd
> tools i split IBT examples in parts with BIN file name extension.
> And not surprisingly some are identified by file command as "MS
> Compress archive data, SZDD variant". But this could be happen
> luckily. On mentioned site download links for tools are listed. So
> verified information partly by decoding tool deark (See appended
> deark-l-bin.txt.gz) and 7-zip package tool (See appended
> 7z-l-bin.txt.gz) by command lines like:
> deark -l -m lzss_oku -d2 setup-1-41.bin
> 7z l -tMsLZ -slt *.bin
> So i know the SZDD starting parts are really compressed archives.
>
> Unfortunately i found only little pieces of information about
> InstallShield setup.ibt. That information is added inside
> Magdir/archive by comment lines like:
> # URL: https://community.flexera.com
> # /t5/InstallShield-Knowledge-Base
> # /InstallShield-Redistributable-Files/ta-p/5647
>
> The detection happens by new lines like:
> 1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive
> !:mime application/x-installshield-compress-szdd
> !:ext ibt
>> &0 indirect x
> Instead of generic mime type application/octet-stream i display a
> user defined one. The inspection of the compressed part is done by
> indirect call at offset of SZDD magic.
>
> Now i look at bytes before SZDD magic. This part contain 4 nil
> terminated text strings. The first is apparently the name of
> compressed archive member (like: setup.dl_ _setup7int.dl_
> _setup2k.dl_ _igdi.dl_ cabinet.dl_). So shown this information by
> line like:
>> 0 string x %s
> Afterwards apparently comes the name of uncompressed original file
> (like: setup.dll _Setup.dll IGdi.dll CABINET.DLL). So shown this
> information by line like:
>>> &1 string x (%s)
> The third string is point separated digits (like 9.0.0.333
> 9.1.0.429 11.50.0.42618). Probably this is a kind of version. So
> show this information by line like:
>>>> &1 string x \b, version %s
> As fourth part comes a number string (like 168048 169333 181842).
> When counting this number from SZDD magic you jump to next archive
> text block. So apparently this is the SZDD member length. So show
> this information by line like:
>>>>> &1 string x \b, %s bytes
>
> After applying the above mentioned modifications by patch
> file-5.41-archive-ibt.diff then all my inspected IBT examples are
> now described. This now looks like:
> setup.ibt: InstallShield archive setup.dl_ (setup.dll)
> , version 11.50.0.42618, 181842 bytes
> MS Compress archive data, SZDD variant,
> original size: 331908 bytes
> setup-2.ibt: InstallShield archive setup.dl_ (setup.dll)
> , version 9.1.0.429, 169333 bytes
> MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
> setup-3.ibt: InstallShield archive setup.dl_ (setup.dll)
> , version 9.0.0.333, 168048 bytes
> MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
> setup-1-181883.bin: InstallShield archive _setup7int.dl_ (_Setup.dll)
> , version 11.50.0.42618, 117732 bytes
> MS Compress archive data, SZDD variant,
> original size: 368640 bytes
> setup-2-169370.bin: InstallShield archive _setup7int.dl_ (_Setup.dll)
> , version 9.1.0.429, 117722 bytes
> MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 368640 bytes
> setup-3-168085.bin: InstallShield archive _setup2k.dl_ (_Setup.dll)
> , version 9.0.0.333, 57337 bytes
> MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 159744 bytes
> setup-1-41.bin: MS Compress archive data, SZDD variant,
> original size: 331908 bytes
> setup-2-37.bin: MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
> setup-3-37.bin: MS Compress archive data, SZDD variant,
> l is last character of original name,
> original size: 311428 bytes
>
> I hope my diff file can be applied in future version of file
> utility.
>
> With best wishes,
> Jörg Jenderek
> - --
> Jörg Jenderek
>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCYo7F9wAKCRCv8rHJQhrU
> 1qCQAJ0d8ilP952Nsgqn7YryYVD6SCBc/gCcCkpeqj91afdNA2Ez0gJVBHh011g=
> =YyYR
> -----END PGP SIGNATURE-----
> <file-5_41-archive-ibt_diff.DEFANGED-0><file-5_41-archive-ibt_diff_sig.DEFANGED-1><deark-l-bin.txt.gz><7z-l-bin.txt.gz><trid-v-ibt.txt.gz>--
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP
URL: <https://mailman.astron.com/pipermail/file/attachments/20220527/3c7d85b7/attachment.asc>
More information about the File
mailing list