Please Help Extracting SFX Stub From EXE???

[comp1]

Hi everyone,

Is there a simple way to extract an SFX stub module from an already existing EXE file?

I know using a hex editor is an option but I am not very experienced with hex editing.

Is there a software program that can extract the self-extracting stub module from the EXE?

Any help or ideas? Thanks guys!

[cade]

Read the PE structure of the exe. Appended data is the part of the exe after the image size. The python library pefile can help you, here's an example of its usage:

http://reverseengineering.stackexchange.com/a/2015
But just write out the part r[:offset], which is the exe until the end. This post wants the appended data, which is offset and onwards.

pefile library is here:
https://code.google.com/p/pefile/

[comp1]

Read the PE structure of the exe. Appended data is the part of the exe after the image size. The python library pefile can help you, here's an example of its usage:

http://reverseengineering.stackexchange.com/a/2015
But just write out the part r[ffset], which is the exe until the end. This post wants the appended data, which is offset and onwards.

pefile library is here:
https://code.google.com/p/pefile/

Wow thank you but that is way over my head...

If I upload the exe file can somebody help me extract the sfx module?

[comp1]

UPDATE:

Ok I tried using a hex editor to strip away everything but the sfx module stub and no Windows gives an error that it is not a valid Win32 application...

The file size was exactly the same what the "Archive" properties tab says it should be (WinRAR's tab in the right-click "Properties" dialog).

The compressed format is CAB according to WinRAR so I removed all hex data starting at "MSCF".

Can anyone help? The EXE file with the stub I want is the iTunesSetup.exe file (131 MB) which I downloaded from Apple's site. (https://www.apple.com/hk/en/itunes/download/)

Any help guys?

[Skymmer]

I'll look into it.

[Skymmer]

Actually there is no SFX. I mean that its not a decompression stub + archive overlay. The installator made as one big natural EXE file and the CAB file is not overlay but the resource inside the .rsrc section. Its called [I]CABINET[\/I] and located inside RCData entry with a lang ID of 1033. So when you just strip everything starting from MSCF header, you destroy PE structure.\nI made correct errrr.... rips lets say for both x86 and x64 versions. There are still CABINET files inside but they are replaced with dummy 99 bytes CAB files.
https://mega.co.nz/#!4JtA0JjI
Decryption key in PM.

[comp1]

Actually there is no SFX. I mean that its not a decompression stub + archive overlay. The installator made as one big natural EXE file and the CAB file is not overlay but the resource inside the .rsrc section. Its called [I]CABINET[\/I] and located inside RCData entry with a lang ID of 1033. So when you just strip everything starting from MSCF header, you destroy PE structure.\nI made correct errrr.... rips lets say for both x86 and x64 versions. There are still CABINET files inside but they are replaced with dummy 99 bytes CAB files.
https://mega.co.nz/#!4JtA0JjI
Decryption key in PM.

Thanks for the help and the PM.

So does this mean that the "SFX" they use is not usable? Meaning the "copy /b ..." is not an option, correct?

[surfersat]

I don't know if it helps, but you can download this little SDK, and you can make your own self-extracting cab: http://web.archive.org/web/200704032...-us/cabsdk.exe

"Makecab filename" will make a cabinet for the source file.

Then you can use: copy /b extract.exe + cabinet_file self.exe. When you run self.exe it extracts the original file (extract.exe is used as SFX stub).

Cabinet format documentation from Microsoft: http://msdn.microsoft.com/en-us/library/bb417343.aspx

Greetings!

[Skymmer]

So does this mean that the "SFX" they use is not usable? Meaning the "copy /b ..." is not an option, correct?

copy /b is surely not an option but installer is usable. It unpacks all files from CABINET and initializes installation of MSI file. The Product Code of the desired MSI is written inside RCData\PRODUCTCODE resource.
But exuse me for question, why you need this iTunes installer? Its a useless crap from my point of view, capable of extracting CAB files only, which are crap too due the bad LZX\MSZIP compression.