RAR文件格式-笔记

RAR

RAR 文件头 52 61 72 21 1A 07 00

RAR 文件尾 C4 3D 7B 00 40 07 00

Rar 文件主要由标记块，压缩文件头块，文件头块，结尾块组成。

其每一块大致分为以下几个字段：

名称

大小

描述

HEAD_CRC

2

全部块或块部分的CRC

HEAD_TYPE

1

块类型

HEAD_FLAGS

2

阻止标志

HEAD_SIZE

2

块大小

ADD_SIZE

4

可选字段 - 添加块大小

Rar 压缩包的文件头为 0x 52 61 72 21 1A 07 00。

紧跟着文件头（0x526172211A0700）的是标记块（MARK_HEAD），其后还有文件头（File Header）。

名称

大小

描述

HEAD_CRC

2

CRC of fields from HEAD_TYPE to FILEATTR and file name

HEAD_TYPE

1

Header Type: 0x74

HEAD_FLAGS

2

Bit Flags (Please see ‘Bit Flags for File in Archive’ table for all

HEAD_SIZE

2

File header full size including file name and comments

PACK_SIZE

4

Compressed file size

UNP_SIZE

4

Uncompressed file size

HOST_OS

1

Operating system used for archiving (See the ‘Operating System Indicators’

FILE_CRC

4

File CRC

FTIME

4

Date and time in standard MS DOS format

UNP_VER

1

RAR version needed to extract file (Version number is encoded as 10 *

METHOD

1

Packing method (Please see ‘Packing Method’ table for all possibilities

NAME_SIZE

2

File name size

ATTR

4

File attributes

HIGH_PACK_SIZ

4

High 4 bytes of 64-bit value of compressed file size. Optional

HIGH_UNP_SIZE

4

High 4 bytes of 64-bit value of uncompressed file size. Optional

FILE_NAME

NAME_SIZE bytes

File name - string of NAME_SIZE bytes size

SALT

8

present if (HEAD_FLAGS & 0x400) != 0

EXT_TIME

variable size

present if (HEAD_FLAGS & 0x1000) != 0

每个 rar 文件的结尾快（Terminator）都是固定的

Field Name

Size (bytes)

Possibilities

HEAD_CRC

2

Always 0x3DC4

HEAD_TYPE

1

Header type: 0x7b

HEAD_FLAGS

2

Always 0x4000

HEAD_SIZE

2

Block size = 0x0007

Source & Reference

CTF-MISC总结

点击关注，共同学习！

安全狗的自我修养

github haidragon

https://github.com/haidragon