![\"rar\"](\"http:\/\/manatails.net\/blog\/wp-content\/uploads\/2016\/03\/rar.png\")
<\/a><\/p>\nFrom Forensics Wiki:<\/p>\n
From Forensics Wiki:<\/p>\n<\/a><\/p>\n
| Field Name<\/th>\n | Size (bytes)<\/th>\n | Description<\/th>\n<\/tr>\n |
|---|---|---|
| HEAD_CRC<\/td>\n | 2<\/td>\n | CRC of fields from HEAD_TYPE to FILEATTR and file name<\/td>\n<\/tr>\n |
| HEAD_TYPE<\/td>\n | 1<\/td>\n | Header Type: 0x74<\/td>\n<\/tr>\n |
| HEAD_FLAGS<\/td>\n | 2<\/td>\n | Bit Flags (Please see ‘Bit Flags for File in Archive’ table for all possibilities)<\/td>\n<\/tr>\n |
| HEAD_SIZE<\/td>\n | 2<\/td>\n | File header full size including file name and comments<\/td>\n<\/tr>\n |
| PACK_SIZE<\/td>\n | 4<\/td>\n | Compressed file size<\/td>\n<\/tr>\n |
| UNP_SIZE<\/td>\n | 4<\/td>\n | Uncompressed file size<\/td>\n<\/tr>\n |
| HOST_OS<\/td>\n | 1<\/td>\n | Operating system used for archiving (See the ‘Operating System Indicators’ table for the flags used)<\/td>\n<\/tr>\n |
| FILE_CRC<\/td>\n | 4<\/td>\n | File CRC<\/td>\n<\/tr>\n |
| FTIME<\/td>\n | 4<\/td>\n | Date and time in standard MS DOS format<\/td>\n<\/tr>\n |
| UNP_VER<\/td>\n | 1<\/td>\n | RAR version needed to extract file (Version number is encoded as 10 * Major version + minor version.)<\/td>\n<\/tr>\n |
| METHOD<\/td>\n | 1<\/td>\n | Packing method (Please see ‘Packing Method’ table for all possibilities<\/td>\n<\/tr>\n |
| NAME_SIZE<\/td>\n | 2<\/td>\n | File name size<\/td>\n<\/tr>\n |
| ATTR<\/td>\n | 4<\/td>\n | File attributes<\/td>\n<\/tr>\n |
| HIGH_PACK_SIZE<\/td>\n | 4<\/td>\n | High 4 bytes of 64-bit value of compressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.<\/td>\n<\/tr>\n |
| HIGH_UNP_SIZE<\/td>\n | 4<\/td>\n | High 4 bytes of 64-bit value of uncompressed file size. Optional value, presents only if bit 0x100 in HEAD_FLAGS is set.<\/td>\n<\/tr>\n |
| FILE_NAME<\/td>\n | NAME_SIZE bytes<\/td>\n | File name – string of NAME_SIZE bytes size<\/td>\n<\/tr>\n |
| SALT<\/td>\n | 8<\/td>\n | present if (HEAD_FLAGS & 0x400)\u00a0!= 0<\/td>\n<\/tr>\n |
| EXT_TIME<\/td>\n | variable size<\/td>\n | present if (HEAD_FLAGS & 0x1000)\u00a0!= 0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n But the actual implementation of HEAD_CRC is the lower bits of CRC32 of header defined as in HEAD_SIZE without HEAD_CRC part calculated with standard polynomial of 0xEDB88320. I write it up here because RAR spec documents are crap. I hope this saves a couple of hours for someone.<\/p>\n","protected":false},"excerpt":{"rendered":" From Forensics Wiki: Field Name Size (bytes) Description HEAD_CRC 2 CRC of fields from HEAD_TYPE to FILEATTR and file name HEAD_TYPE 1 Header Type: 0x74 HEAD_FLAGS 2 Bit Flags (Please see ‘Bit Flags for File in Archive’ table for all possibilities) HEAD_SIZE 2 File header full size including file name and comments PACK_SIZE 4 Compressed … Continue reading RAR header<\/span> |