1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#------------------------------------------------------------
# $File: android,v 1.3 2013/11/08 01:24:22 christos Exp $
# Various android related magic entries
#------------------------------------------------------------
# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0 string dex\n
>0 regex dex\n[0-9]{2}\0 Dalvik dex file
>4 string >000 version %s
0 string dey\n
>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
>4 string >000 version %s
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0 string ANDROID\040BACKUP\n Android Backup
>15 string 1\n \b, version 1
>17 string 0\n \b, uncompressed
>17 string 1\n \b, compressed
>19 string none\n \b, unencrypted
>19 string AES-256\n \b, encrypted AES-256
# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
0 string ANDROID! Android bootimg
>8 lelong >0 \b, kernel
>>12 lelong >0 \b (0x%x)
>16 lelong >0 \b, ramdisk
>>20 lelong >0 \b (0x%x)
>24 lelong >0 \b, second stage
>>28 lelong >0 \b (0x%x)
>36 lelong >0 \b, page size: %d
>38 string >0 \b, name: %s
>64 string >0 \b, cmdline (%s)
# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0 string dex\n
>0 regex dex\n[0-9]{2}\0 Dalvik dex file
>4 string >000 version %s
0 string dey\n
>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
>4 string >000 version %s
# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0 string ANDROID\040BACKUP\n Android Backup
>15 string 1\n \b, version 1
>17 string 0\n \b, uncompressed
>17 string 1\n \b, compressed
>19 string none\n \b, unencrypted
>19 string AES-256\n \b, encrypted AES-256
# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
0 string ANDROID! Android bootimg
>8 lelong >0 \b, kernel
>>12 lelong >0 \b (0x%x)
>16 lelong >0 \b, ramdisk
>>20 lelong >0 \b (0x%x)
>24 lelong >0 \b, second stage
>>28 lelong >0 \b (0x%x)
>36 lelong >0 \b, page size: %d
>38 string >0 \b, name: %s
>64 string >0 \b, cmdline (%s)
# Android Backup archive
# From: Ariel Shkedi
# File extension: .ab
# No mime-type defined
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0 string/b ANDROID\ BACKUP\n1\n Android Backup
>17 string 0\n \b, Not-Compressed
>17 string 1\n \b, Compressed
# any string as long as it's not the word none (which is matched below)
>>19 regex/1 \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
>>19 string none\n \b, Not-Encrypted
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
#>>>&1 regex/1 .* \b, Password salt: %s
#>>>>&1 regex/1 .* \b, Master salt: %s
#>>>>>&1 regex/1 .* \b, PBKDF2 rounds: %s
#>>>>>>&1 regex/1 .* \b, IV: %s
#>>>>>>>&1 regex/1 .* \b, Key: %s