Author Topic: identify CAB file  (Read 23799 times)

Nuker5

  • Newbie
  • *
  • Posts: 3
identify CAB file
« on: March 09, 2008, 08:56:13 PM »
Hello ladies and gentlemen,

I have a question. Could anyone identify this CAB-File.
I add the XML-File of TRiDScan:
Code: [Select]
<TrID ver="2.00">
<Info>
<FileType>Enter a useful file type description</FileType>
<Ext>CAB</Ext>
<ExtraInfo>
<Rem></Rem>
<RefURL></RefURL>
</ExtraInfo>
<User>Your name for the credits!</User>
<E-Mail>Your antispam-encoded e-mail!</E-Mail>
<Home>Your Home Page</Home>
</Info>
<General>
<FileNum>3</FileNum>
<CheckStrings>True</CheckStrings>
<Date>
<Year>2008</Year>
<Month>03</Month>
<Day>09</Day>
</Date>
<Time>
<Hour>20</Hour>
<Min>13</Min>
<Sec>24</Sec>
</Time>
<Creator>TrIDScan32 v1.56</Creator>
</General>
<FrontBlock>
<Pattern>
<Bytes>789C</Bytes>
<ASCII> x</ASCII>
<Pos>0</Pos>
</Pattern>
<Pattern>
<Bytes>3F</Bytes>
<ASCII> ?</ASCII>
<Pos>72</Pos>
</Pattern>
<Pattern>
<Bytes>17</Bytes>
<Pos>188</Pos>
</Pattern>
<Pattern>
<Bytes>72</Bytes>
<ASCII> r</ASCII>
<Pos>300</Pos>
</Pattern>
<Pattern>
<Bytes>F1</Bytes>
<Pos>377</Pos>
</Pattern>
<Pattern>
<Bytes>3E</Bytes>
<Pos>780</Pos>
</Pattern>
<Pattern>
<Bytes>AE</Bytes>
<Pos>823</Pos>
</Pattern>
<Pattern>
<Bytes>CE</Bytes>
<Pos>1082</Pos>
</Pattern>
<Pattern>
<Bytes>0A</Bytes>
<Pos>1276</Pos>
</Pattern>
<Pattern>
<Bytes>95</Bytes>
<Pos>1523</Pos>
</Pattern>
<Pattern>
<Bytes>5B</Bytes>
<ASCII> [</ASCII>
<Pos>1651</Pos>
</Pattern>
<Pattern>
<Bytes>1D</Bytes>
<Pos>1663</Pos>
</Pattern>
<Pattern>
<Bytes>2F</Bytes>
<ASCII> /</ASCII>
<Pos>1909</Pos>
</Pattern>
</FrontBlock>
<GlobalStrings>
<String>4AOZ</String>
</GlobalStrings>
</TrID>

Could anyone help me identifying this?

Greetings

Nuker5

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: identify CAB file
« Reply #1 on: March 10, 2008, 12:06:32 AM »
Uhm... I think TrIDScan isn't the best tool for this job.
Assumed that TrID wasn't able to identify it, it probably isn't a standard Microsoft CAB archive, and neither an InstallShield compressed archive.
Maybe you can post an hexdump of it, obtained with MiniDumper?

Thanks,
Bye!

Nuker5

  • Newbie
  • *
  • Posts: 3
Re: identify CAB file
« Reply #2 on: March 10, 2008, 02:27:03 PM »
No Problem here are MiniDumps of two that setup.cabs:
Code: [Select]
MiniDumper v1.05 - (C) 2004-06 By Marco Pontello

File name: setup1.cab
File size: 248KB

0000: 78 9C CD 99 F7 5F 53 67 D8 C6 A3 55 6B B5 56 6B  x...._Sg...Uk.Vk
0010: B5 8E D6 3D 51 C4 AD A8 88 0C D9 7B EF 10 32 C8  ...=Q......{..2.
0020: 1E 64 EF BD 77 42 20 40 D8 84 BD 41 86 6C 10 07  .d..wB @...A.l..
0030: 22 B8 07 8A DB 5A 77 5B B5 53 21 EF C1 F7 FD 23  "....Zw[.S!....#
0040: DE 93 0F FC 70 92 93 73 3F F7 78 AE EF 75 12 19  ....p..s?.x..u..
0050: E0 EB BB 79 23 08 14 E7 19 EB 93 8E A7 AE 5F 02  ...y#........._.
0060: 02 81 66 01 AF EF 77 82 BE FC CD 02 CD 07 C1 D3  ..f...w.........
0070: A8 69 20 E0 33 54 32 31 83 4C A3 CB 4D A6 CC AC  .i .3T21.L..M...
0080: C6 7C 34 BB 62 B0 B9 6E 7C AC 80 45 48 83 70 AC  .|4.b..n|..EH.p.
0090: 79 C4 C3 8B 67 2F 0B B4 8E DF 9F 68 84 AF 06 CD  y...g/.....h....
00A0: 06 7D EB 4E 2E 1D 1A E9 CE 41 BB 6D 5A BC 6A 77  .}.N.....A.mZ.jw
00B0: 2C B7 68 E4 0F C7 CC 31 F5 B4 85 BA 17 F4 C3 FA  ,.h....1........
00C0: 39 A0 85 6E 74 5B FD 8D A9 69 C7 8B FE EC 50 A7  9..nt[...i....P.
00D0: AD 5E 58 0E DE 75 1E 08 B4 B7 F4 1F C7 94 E3 A1  .^X..u..........
00E0: D9 77 31 68 EE 3E 6A E7 47 C7 F4 F4 44 95 0C 72  .w1h.>j.G...D..r
00F0: FC E7 D9 A0 99 E0 B6 67 F4 00 A7 1C D3 AF 46 6A  .......g......Fj
and
Code: [Select]
MiniDumper v1.05 - (C) 2004-06 By Marco Pontello

File name: C:\JENS\rapid\setup2.cab
File size: 826KB

0000: 78 9C EC 9A 7F 5C 54 65 BE C7 9F 81 01 46 1C 3D  x....\Te.....F.=
0010: 83 42 81 68 CE 09 D6 50 89 05 41 43 61 6C 44 1C  .B.h...P..ACalD.
0020: C7 04 1C 04 07 D4 04 4C 40 64 51 08 07 A3 E3 8F  .......L@dQ.....
0030: A0 61 C8 F1 38 EA EE 9A 59 ED 7A 25 8C 65 FB 71  .a..8...Y.z%.e.q
0040: 63 5B 6B CD 7A E9 20 1B 3F CA 1F 64 DE 1B AD 76  c[k.z. .?..d...v
0050: 2F 7B C5 1C A3 5A FC 11 52 96 E7 7E 9E E7 0C A0  /{...Z..R..~....
0060: AC BB B5 FD D1 7D DD D7 8B F3 7A BD CF F7 FB FC  .....}....z.....
0070: 38 DF E7 39 DF F3 3D CF 8F 33 93 BC 6C 17 F1 24  8..9..=..3..l..$
0080: 84 28 81 24 11 72 88 C8 87 9E 7C FF 51 01 46 4F  .(.$.r....|.Q.FO
0090: 3C 3C 9A 1C 1C 71 82 3F A4 48 3A C1 A7 17 AC 59  <<...q.?.H:....Y
00A0: AF 2D 29 2D 5E 5D BA 72 AD 76 D5 CA 75 EB 8A 2D  .-)-^].r.v..u..-
00B0: DA 47 F2 B4 A5 65 EB B4 6B D6 69 13 17 A5 69 D7  .G...e..k.i...i.
00C0: 16 E7 E6 45 8C 1A E5 1B EA B6 61 9A 47 48 92 42  ...E......a.GH.B
00D0: 49 BA DB 67 0D 34 D9 49 3C 42 46 2A BC 3C C8 5D  I..g.4.I<BF*.<.]
00E0: 0A 42 AE C9 79 87 FC 71 D2 00 2D F2 88 C0 33 5D  .B..y..q..-...3]
00F0: 23 F7 9B 90 41 49 22 3D 58 22 6C 81 27 F1 60 19  #...AI"=X"l.'.`.
Hope you could help - Thank you
Nuker5

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: identify CAB file
« Reply #3 on: March 10, 2008, 05:11:32 PM »
It seems to be a zlib compressed stream.
If you rename it with a ".z" extension, you should be able to decompress it with some packer/archiver that know how to deal with that format, for example gzip.

Hope this helps,
Bye!

Nuker5

  • Newbie
  • *
  • Posts: 3
Re: identify CAB file
« Reply #4 on: March 11, 2008, 08:40:16 PM »
I've uploaded some of these files.
http://www.filefactory.com/file/e42972/

They are not zlib-ed.
I've tried.

Thanks in advance

Nuker5

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: identify CAB file
« Reply #5 on: March 11, 2008, 09:23:36 PM »
I see. I also just tried with Universal Extractor without luck.
I'm not able to help more at the moment. If I'll discover something I will post here.

Bye!

TippeX

  • Newbie
  • *
  • Posts: 2
Re: identify CAB file
« Reply #6 on: May 24, 2009, 12:06:43 AM »
Microsoft Cab File Header is simple..

MSCF followed by 4 zeroes

4D 54 43 46 30 30 30 30

InstallShield files (cab and hdr) have  ISc( as a tag

49 53 63 28

if the above 4 bytes match, then check the DWORD at file offset 0x14.. if it is the actual file size, its a hdr file,
if not, its an installshield cab file

*edited* had the  ISc( the wrong way round, because i viewed it as dword view...
« Last Edit: May 24, 2009, 12:16:14 AM by TippeX »

dcormier

  • Newbie
  • *
  • Posts: 1
Re: identify CAB file
« Reply #7 on: October 14, 2009, 04:12:13 PM »
Actually, I have an InstallShield CAB file that's 512 bytes long and the DWORD at offset 0x14 is also 512. (Attached.) So this method of differentiating between InstallShield CAB and HDR files isn't completely reliable.

Looking at a few InstallShield HDR files from different sources, I notice that offset 0x10 has a DWORD value of 38584, while in the InstallShield CAB files I have in front of me this value is 0.

In HDR files, the value at 0x14 does seem to be the length of the file.