Mark0's Forum
Software => TrID File Identifier => Topic started by: Nuker5 on March 09, 2008, 08:56:13 PM
-
Hello ladies and gentlemen,
I have a question. Could anyone identify this CAB file?
I'm adding the XML file from TrIDScan:
<TrID ver="2.00">
<Info>
<FileType>Enter a useful file type description</FileType>
<Ext>CAB</Ext>
<ExtraInfo>
<Rem></Rem>
<RefURL></RefURL>
</ExtraInfo>
<User>Your name for the credits!</User>
<E-Mail>Your antispam-encoded e-mail!</E-Mail>
<Home>Your Home Page</Home>
</Info>
<General>
<FileNum>3</FileNum>
<CheckStrings>True</CheckStrings>
<Date>
<Year>2008</Year>
<Month>03</Month>
<Day>09</Day>
</Date>
<Time>
<Hour>20</Hour>
<Min>13</Min>
<Sec>24</Sec>
</Time>
<Creator>TrIDScan32 v1.56</Creator>
</General>
<FrontBlock>
<Pattern>
<Bytes>789C</Bytes>
<ASCII> x</ASCII>
<Pos>0</Pos>
</Pattern>
<Pattern>
<Bytes>3F</Bytes>
<ASCII> ?</ASCII>
<Pos>72</Pos>
</Pattern>
<Pattern>
<Bytes>17</Bytes>
<Pos>188</Pos>
</Pattern>
<Pattern>
<Bytes>72</Bytes>
<ASCII> r</ASCII>
<Pos>300</Pos>
</Pattern>
<Pattern>
<Bytes>F1</Bytes>
<Pos>377</Pos>
</Pattern>
<Pattern>
<Bytes>3E</Bytes>
<Pos>780</Pos>
</Pattern>
<Pattern>
<Bytes>AE</Bytes>
<Pos>823</Pos>
</Pattern>
<Pattern>
<Bytes>CE</Bytes>
<Pos>1082</Pos>
</Pattern>
<Pattern>
<Bytes>0A</Bytes>
<Pos>1276</Pos>
</Pattern>
<Pattern>
<Bytes>95</Bytes>
<Pos>1523</Pos>
</Pattern>
<Pattern>
<Bytes>5B</Bytes>
<ASCII> [</ASCII>
<Pos>1651</Pos>
</Pattern>
<Pattern>
<Bytes>1D</Bytes>
<Pos>1663</Pos>
</Pattern>
<Pattern>
<Bytes>2F</Bytes>
<ASCII> /</ASCII>
<Pos>1909</Pos>
</Pattern>
</FrontBlock>
<GlobalStrings>
<String>4AOZ</String>
</GlobalStrings>
</TrID>
Could anyone help me identify this?
Greetings
Nuker5
-
Uhm... I think TrIDScan isn't the best tool for this job.
Assuming that TrID wasn't able to identify it, it probably isn't a standard Microsoft CAB archive, nor an InstallShield compressed archive.
Maybe you can post a hexdump of it, obtained with MiniDumper (http://mark0.net/soft-minidumper-e.html)?
Thanks,
Bye!
-
No problem, here are MiniDumps of two of those setup.cab files:
MiniDumper v1.05 - (C) 2004-06 By Marco Pontello
File name: setup1.cab
File size: 248KB
0000: 78 9C CD 99 F7 5F 53 67 D8 C6 A3 55 6B B5 56 6B x...._Sg...Uk.Vk
0010: B5 8E D6 3D 51 C4 AD A8 88 0C D9 7B EF 10 32 C8 ...=Q......{..2.
0020: 1E 64 EF BD 77 42 20 40 D8 84 BD 41 86 6C 10 07 .d..wB @...A.l..
0030: 22 B8 07 8A DB 5A 77 5B B5 53 21 EF C1 F7 FD 23 "....Zw[.S!....#
0040: DE 93 0F FC 70 92 93 73 3F F7 78 AE EF 75 12 19 ....p..s?.x..u..
0050: E0 EB BB 79 23 08 14 E7 19 EB 93 8E A7 AE 5F 02 ...y#........._.
0060: 02 81 66 01 AF EF 77 82 BE FC CD 02 CD 07 C1 D3 ..f...w.........
0070: A8 69 20 E0 33 54 32 31 83 4C A3 CB 4D A6 CC AC .i .3T21.L..M...
0080: C6 7C 34 BB 62 B0 B9 6E 7C AC 80 45 48 83 70 AC .|4.b..n|..EH.p.
0090: 79 C4 C3 8B 67 2F 0B B4 8E DF 9F 68 84 AF 06 CD y...g/.....h....
00A0: 06 7D EB 4E 2E 1D 1A E9 CE 41 BB 6D 5A BC 6A 77 .}.N.....A.mZ.jw
00B0: 2C B7 68 E4 0F C7 CC 31 F5 B4 85 BA 17 F4 C3 FA ,.h....1........
00C0: 39 A0 85 6E 74 5B FD 8D A9 69 C7 8B FE EC 50 A7 9..nt[...i....P.
00D0: AD 5E 58 0E DE 75 1E 08 B4 B7 F4 1F C7 94 E3 A1 .^X..u..........
00E0: D9 77 31 68 EE 3E 6A E7 47 C7 F4 F4 44 95 0C 72 .w1h.>j.G...D..r
00F0: FC E7 D9 A0 99 E0 B6 67 F4 00 A7 1C D3 AF 46 6A .......g......Fj
and
MiniDumper v1.05 - (C) 2004-06 By Marco Pontello
File name: C:\JENS\rapid\setup2.cab
File size: 826KB
0000: 78 9C EC 9A 7F 5C 54 65 BE C7 9F 81 01 46 1C 3D x....\Te.....F.=
0010: 83 42 81 68 CE 09 D6 50 89 05 41 43 61 6C 44 1C .B.h...P..ACalD.
0020: C7 04 1C 04 07 D4 04 4C 40 64 51 08 07 A3 E3 8F .......L@dQ.....
0030: A0 61 C8 F1 38 EA EE 9A 59 ED 7A 25 8C 65 FB 71 .a..8...Y.z%.e.q
0040: 63 5B 6B CD 7A E9 20 1B 3F CA 1F 64 DE 1B AD 76 c[k.z. .?..d...v
0050: 2F 7B C5 1C A3 5A FC 11 52 96 E7 7E 9E E7 0C A0 /{...Z..R..~....
0060: AC BB B5 FD D1 7D DD D7 8B F3 7A BD CF F7 FB FC .....}....z.....
0070: 38 DF E7 39 DF F3 3D CF 8F 33 93 BC 6C 17 F1 24 8..9..=..3..l..$
0080: 84 28 81 24 11 72 88 C8 87 9E 7C FF 51 01 46 4F .(.$.r....|.Q.FO
0090: 3C 3C 9A 1C 1C 71 82 3F A4 48 3A C1 A7 17 AC 59 <<...q.?.H:....Y
00A0: AF 2D 29 2D 5E 5D BA 72 AD 76 D5 CA 75 EB 8A 2D .-)-^].r.v..u..-
00B0: DA 47 F2 B4 A5 65 EB B4 6B D6 69 13 17 A5 69 D7 .G...e..k.i...i.
00C0: 16 E7 E6 45 8C 1A E5 1B EA B6 61 9A 47 48 92 42 ...E......a.GH.B
00D0: 49 BA DB 67 0D 34 D9 49 3C 42 46 2A BC 3C C8 5D I..g.4.I<BF*.<.]
00E0: 0A 42 AE C9 79 87 FC 71 D2 00 2D F2 88 C0 33 5D .B..y..q..-...3]
00F0: 23 F7 9B 90 41 49 22 3D 58 22 6C 81 27 F1 60 19 #...AI"=X"l.'.`.
Hope you could help - Thank you
Nuker5
-
It seems to be a zlib (http://en.wikipedia.org/wiki/Zlib) compressed stream.
If you rename it with a ".z" extension, you should be able to decompress it with some packer/archiver that knows how to deal with that format, for example gzip.
Hope this helps,
Bye!
-
I've uploaded some of these files.
http://www.filefactory.com/file/e42972/
They are not zlib-ed.
I've tried.
Thanks in advance
Nuker5
-
I see. I also just tried with Universal Extractor (http://legroom.net/software/uniextract) without luck.
I'm not able to help more at the moment. If I discover something, I will post here.
Bye!
-
Microsoft Cab File Header is simple..
MSCF followed by 4 zeroes
4D 54 43 46 30 30 30 30
InstallShield files (cab and hdr) have ISc( as a tag
49 53 63 28
If the above 4 bytes match, then check the DWORD at file offset 0x14.. if it is the actual file size, it's a hdr file,
if not, it's an InstallShield cab file
*edited* had the ISc( the wrong way round, because I viewed it in dword view...
-
Actually, I have an InstallShield CAB file that's 512 bytes long and the DWORD at offset 0x14 is also 512. (Attached.) So this method of differentiating between InstallShield CAB and HDR files isn't completely reliable.
Looking at a few InstallShield HDR files from different sources, I notice that offset 0x10 has a DWORD value of 38584, while in the InstallShield CAB files I have in front of me this value is 0.
In HDR files, the value at 0x14 does seem to be the length of the file.
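-
Added example, not code from any poster in this thread: a header triage in Python that combines the checks discussed above, namely the zlib stream header seen in the dumps (78 9C) confirmed by a trial inflate, the MSCF signature, and the InstallShield `ISc(` tag with the DWORDs at 0x10 and 0x14. The function names, the result labels and the little-endian DWORD reading are assumptions; the MSCF bytes used are the ASCII encoding of "MSCF" followed by four zero bytes, and all sample inputs are constructed.

```python
import struct
import zlib

MSCF_MAGIC = b"MSCF" + b"\x00" * 4  # ASCII "MSCF" (4D 53 43 46) plus four zero bytes
ISC_MAGIC = b"ISc("                 # 49 53 63 28
HDR_DWORD_0X10 = 38584              # value reported in the thread for HDR files


def zlib_header_ok(head: bytes) -> bool:
    """RFC 1950 header: deflate method, window <= 32K, 16-bit header divisible by 31."""
    if len(head) < 2:
        return False
    cmf, flg = head[0], head[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def inflates(head: bytes) -> bool:
    """A truncated prefix still inflates partially; a non-deflate body raises."""
    try:
        zlib.decompressobj().decompress(head)
        return True
    except zlib.error:
        return False


def classify(data: bytes) -> str:
    if data.startswith(MSCF_MAGIC):
        return "ms-cab"
    if data.startswith(ISC_MAGIC) and len(data) >= 0x18:
        # Assumption: both DWORDs are little-endian.
        d10, d14 = struct.unpack_from("<II", data, 0x10)
        if d10 == HDR_DWORD_0X10 and d14 == len(data):
            return "installshield-hdr"
        if d10 == 0:  # holds even when 0x14 happens to equal the file size
            return "installshield-cab"
        return "installshield-unknown"
    if zlib_header_ok(data):
        # The two magic bytes alone are weak evidence, so confirm by inflating.
        return "zlib-stream" if inflates(data) else "zlib-magic-only"
    return "unknown"


def make_ishield_sample(d10: int, d14: int, size: int) -> bytes:
    """Constructed sample: ISc( tag, padding, DWORDs at 0x10/0x14, zero fill."""
    head = ISC_MAGIC + b"\x00" * 12 + struct.pack("<II", d10, d14)
    return head.ljust(size, b"\x00")


if __name__ == "__main__":
    print(classify(zlib.compress(b"constructed sample " * 20)))
    print(classify(b"\x78\x9c" + b"\xff" * 32))
    print(classify(make_ishield_sample(0, 512, 512)))
```

A file that reports `zlib-magic-only` starts with a valid zlib header but its body is not a deflate stream, which is the situation to suspect when a "78 9C" file refuses to decompress.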