![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/01\/tc_signal1.png\")
<\/a><\/figure>\n\n\n\nI was specifically interested in the To my surprise, the sigcheck reported that this binary was compiled for… ARM processors!<\/p>\n\n\n\n Huh?<\/p>\n\n\n\n I was puzzled. <\/p>\n\n\n\n I literally downloaded what I believed to be an installer of Signal that was meant for Intel-based Windows, but now I am seeing the ARM binary inside it!<\/p>\n\n\n\n <Anxiety level intensifies><\/p>\n\n\n\n I then tried the very same approach with the installer of the older version of Signal (7.38), but the result was the same….<\/p>\n\n\n\n What’s going on here? I wondered…<\/p>\n\n\n\n I must make a note here that the Signal setup program is using the Nullsoft installer to deliver the software to users. And in the reverse engineering world, once you recognize the installer type, the natural step in analysis is to decompile the script used by the installer. <\/p>\n\n\n\n Using the older version of 7z (7z_1505) that extracts the [NSIS].nsi script file I got the following output listing all the embedded files inside the most recent Signal installer:<\/p>\n\n\n\n Huh…<\/p>\n\n\n\n As you can see, there are two embedded 7z files listed above:<\/p>\n\n\n\n The first one is Intel-based, and the second one is ARM-based.<\/p>\n\n\n\n The [NSIS].nsi script references them here (using the respective 7z file depending on the architecture):<\/p>\n\n\n\n Kinda surprisingly, we can actually locate these 2 7z files inside the main installer file at the following offsets:<\/p>\n\n\n\n and after carving\/extraction, browsing them with Total Commander we can reveal their content as shown below:<\/p>\n\n\n\n ARM (app-arm64.7z):<\/strong><\/p>\n\n\n\n INTEL (app-64.7z):<\/strong><\/p>\n\n\n\n Do you see where it is going?<\/p>\n\n\n\n With files\/installers using many embedded files, the Total Commander’s (+its plugins’) visibility seems to be limited only to the first embedded archive, in this case it is the app-arm64.7z<\/em> file! (in fact, it’s a bit more complicated in case TC or its plugins can parse PE file\/their sections of the sample, adding an additional layer in a game of nested dolls).<\/p>\n\n\n\n When I look at that original Signal installer again now I can see the Total Commander (+its plug-ins) only see the first embedded archive. As a result, I see the Intel-targeting setup file embedding the ARM-targeting file shown in TC. The proper handling would include full file analysis of the installer and recognition of all embedded archives as virtual subfolders… at least. <\/p>\n\n\n\n The bottom line is this:<\/p>\n\n\n\n This case is kinda DFIR-fascinating. There is an unwritten rule in the DFIR world that says – always check the results provided by one tool, with another tool, or manually… Well… it all sounds nice in theory, until we come … Continue reading Signal.exe<\/code> binary so I used TC to copy Signal.exe<\/code> to my temporary work folder.<\/p>\n\n\n\nVerified: Signed\nSigning date: 01:00 2025-01-23\nPublisher: Signal Messenger, LLC\nCompany: Signal Messenger, LLC\nDescription: Signal\nProduct: Signal\nProd version: 7.39.0.0\nFile version: 7.39.0\nMachineType: 64-bit ARM<\/pre>\n\n\n\n
$PLUGINSDIR\\app-64.7z\n$PLUGINSDIR\\app-arm64.7z\n$PLUGINSDIR\\nsExec.dll\n$PLUGINSDIR\\nsis7z.dll\n$PLUGINSDIR\\SpiderBanner.dll\n$PLUGINSDIR\\StdUtils.dll\n$PLUGINSDIR\\System.dll\n$PLUGINSDIR\\WinShell.dll\n$R0\\Uninstall Signal.exe\n$PLUGINSDIR\\installerHeaderico.ico\n[NSIS].nsi<\/pre>\n\n\n\n
\n
label_796:\n StrCmp $_40_ ARM64 0 label_799\n SetOverwrite on\n AllowSkipFiles on\n File $PLUGINSDIR\\app-arm64.7z<\/strong>\n Goto label_802\nlabel_799:\n StrCmp $_40_ 64 0 label_802\n File $PLUGINSDIR\\app-64.7z<\/strong>\n Goto label_802<\/pre>\n\n\n\n
\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n\n