Commit 43ddf9b9 by devttys0

Fixed extraction bug; prettified magic files

parent d95e015d
......@@ -23,6 +23,7 @@ class SignatureResult(object):
self.strlen = 0
self.string = False
self.invalid = False
self.extract = True
# These are set by code internally
self.file = None
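Review bot: `self.extract = True` (apparently the line this hunk adds) has no comment saying what it controls or what may set it to False. It sits above `# These are set by code internally`, so it reads as a field supplied by the signature rather than by the scanner. Because the default opts every result in, a one-line comment would help, for example `# Presumably: result is eligible for extraction unless a signature or caller sets this to False` (wording to be confirmed against the extractor). The enclosing method starts and ends outside the hunk, so whether callers can override the default is not visible here.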
......
......@@ -4,8 +4,9 @@
#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
#
0x104 belong 0xCEED6666 Gameboy ROM,
>0x134 string >\0 name: "%.16s"
0x104 ubelong 0xCEED6666 Gameboy ROM,
>0x134 byte !0
>>0x134 string x name: "%.16s"
>0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x01 \b, [ROM+MBC1]
......@@ -56,8 +57,9 @@
# genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format
#
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump,
>0x120 string x Name: "%.16s"
>0x110 string >\0 "%.16s"
>0x120 string x Name: "%.16s",
>0x110 byte !0
>>0x110 string x "%.16s",
>0x1B0 string RA with SRAM
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
......@@ -68,7 +70,7 @@
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\ EXE Sony Playstation executable
0 string PS-X\x20EXE Sony Playstation executable
# Area:
>113 string x (%s)
......@@ -77,17 +79,11 @@
0 string XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>2 ulelong !0x0 \b, {invalid}
>>2 ulelong =0x0
>>>2 ulelong !0x0 \b, {invalid}
>>>2 ulelong =0x0 \b, not signed
>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0
>>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, {invalid} base address
>>2 ulelong >0 \b, signed
## expect base address of 0x10000
>0x0104 ulelong !0x10000 {invalid}
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007
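Review bot: In the Xbox block, `>>2 ulelong =0x0 \b, not signed` and `>>2 ulelong >0 \b, signed` read four bytes at offset 2, which overlaps the `EH` of the `XBEH` magic matched at offset 0. If these offsets are counted from the start of the match, as the other lines in this file suggest, the first test can never be true and the second is always true. `not signed` is then unreachable, and `signed` is printed whenever the dword at 0x0004 is non-zero. If offset 2 was meant relative to the previous match, give the absolute offset of the intended signature dword instead (or use `&2`, if the parser supports relative offsets).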
......
......@@ -10,7 +10,9 @@
# From: Nicolas Collignon <tsointsoin@gmail.com>
0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key,
>28 string >\0 version "%s"
>28 byte !0
>>28 string x version "%s"
>28 byte 0 {invalid}
0 string ssh-dss\x20 OpenSSH DSA public key
0 string ssh-rsa\x20 OpenSSH RSA public key
......@@ -18,12 +20,12 @@
# Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com>
0 string \x30\x82 Private key in DER format (PKCS#8),
>4 string !\x02\x01\x00 {invalid},
>>2 beshort x header length: 4, sequence length: %d
>4 string !\x02\x01\x00 {invalid}
>2 beshort x header length: 4, sequence length: %d
0 string \x30\x82 Certificate in DER format (x509 v3),
>4 string !\x30\x82 {invalid},
>>2 beshort x header length: 4, sequence length: %d
>4 string !\x30\x82 {invalid}
>2 beshort x header length: 4, sequence length: %d
# GnuPG
# The format is very similar to pgp
......@@ -66,23 +68,23 @@
>3 byte 16 algorithm: blowfish-256,
>3 byte 100 algorithm: RC6,
>3 byte 101 algorithm: IDEA,
>3 byte <0 {invalid} algorithm
>3 byte >101 {invalid} algorithm,
>3 byte <0 {invalid}
>3 byte >101 {invalid}
>3 byte >16
>>3 byte <100 {invalid} algorithm,
>>3 byte <100 {invalid}
>4 byte 0 mode: CBC,
>4 byte 1 mode: ECB,
>4 byte 2 mode: CFB,
>4 byte 3 mode: OFB,
>4 byte 4 mode: nOFB,
>4 byte <0 {invalid} mode,
>4 byte >4 {invalid} mode,
>4 byte <0 {invalid}
>4 byte >4 {invalid}
>5 byte 0 keymode: 8bit
>5 byte 1 keymode: 4bit
>5 byte 2 keymode: SHA-1 hash
>5 byte 3 keymode: MD5 hash
>5 byte <0 {invalid} keymode
>5 byte >3 {invalid} keymode
>5 byte <0 {invalid}
>5 byte >3 {invalid}
#------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy
......@@ -100,3 +102,4 @@
0 string Salted__ OpenSSL encryption, salted,
>8 belong x salt: 0x%X
>12 belong x \b%X
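Review bot: Both DER entries print the length with `>2 beshort x header length: 4, sequence length: %d`, a signed 16-bit read, so a sequence length of 0x8000 or more would be shown as a negative number. Other files in this commit move printed fields to unsigned types (`uleshort`, `ubeshort`, `ubelong`), so `>2 ubeshort x header length: 4, sequence length: %d` would be consistent here. The two entries also share the two-byte magic `\x30\x82` and differ only in the test at offset 4, so a correct length is the main thing a reader has for judging whether a hit is real.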
......@@ -35,7 +35,6 @@
>25 byte 3 colormap,
>25 byte 4 gray+alpha,
>25 byte 6 \b/color RGBA,
#>26 byte 0 deflate/32K,
>28 byte 0 non-interlaced
>28 byte 1 interlaced
......@@ -56,22 +55,22 @@
#>10 byte&0x07 =0x07 256 colors
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM
>14 leshort 12 PC bitmap, OS/2 1.x format
0 string BM PC bitmap,
>14 leshort 12 OS/2 1.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
>>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 64 PC bitmap, OS/2 2.x format
>14 leshort 64 OS/2 2.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
>>20 lelong <1 {invalid}
>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 40 PC bitmap, Windows 3.x format
>14 leshort 40 Windows 3.x format,
>>18 lelong <1 {invalid}
>>18 lelong >1000000 {invalid}
>>18 lelong x \b, %d x
......@@ -81,7 +80,7 @@
>>28 lelong <1 {invalid}
>>28 lelong >1000000 {invalid}
>>28 leshort x %d
>14 leshort 128 PC bitmap, Windows NT/2000 format
>14 leshort 128 Windows NT/2000 format,
>>18 lelong >1000000 {invalid}
>>18 lelong <1 {invalid}
>>18 lelong x \b, %d x
......@@ -239,12 +238,4 @@
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
# I've commented-out quantisation table reporting. I doubt anyone cares yet.
#>(4.S+5) byte 0xDB \b, quantisation table
#>>(4.S+6) beshort x \b length=%d
#>14 beshort x \b, %d x
#>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27 string !8888888888\n {invalid}
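Review bot: With `PC bitmap,` apparently moved onto `0 string BM`, the description no longer depends on the header-size test at offset 14. A `BM` byte pair followed by any other value there would still yield a `PC bitmap,` result, unless a check outside the visible hunks rejects it. A two-byte magic occurs often in arbitrary binary data, so a cheap first filter is worth adding next to the size tests, for example `>14 leshort <12 {invalid}` and `>14 leshort >128 {invalid}`. The BM block continues beyond the hunks shown here.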
......@@ -6,15 +6,14 @@
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image
>514 string !HdrS ({invalid})
>514 string !HdrS {invalid}
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries.
0 string Linux\ version\ Linux kernel version
0 string Linux\x20version\x20 Linux kernel version
>14 byte 0 {invalid}
>14 byte !0
>>14 string x "%s
>>45 string x \b%s"
>>14 string x "%s"
# eCos kernel exception handlers
#
......@@ -29,10 +28,10 @@
0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL,
>14 leshort !0x3C1B {invalid}
>18 leshort !0x277B {invalid}
>12 leshort x exception vector table base address: 0x%.4X
>16 leshort x \b%.4X
>12 uleshort x exception vector table base address: 0x%.4X
>16 uleshort x \b%.4X
0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS,
>12 beshort !0x3C1B {invalid}
>16 beshort !0x277B {invalid}
>14 beshort x exception vector table base address: 0x%.4X
>18 beshort x \b%.4X
>14 ubeshort x exception vector table base address: 0x%.4X
>18 ubeshort x \b%.4X
......@@ -25,15 +25,15 @@
0 string LinuxGuestRecord Xen saved domain file
0 string \x3chtml HTML document header{extract-delay:HTML document footer}
0 string \x3chtml HTML document header
>5 byte !0x20
>>5 byte !0x3e \b, {invalid}
0 string \x3cHTML HTML document header{extract-delay:HTML document footer}
>>5 byte !0x3e {invalid}
0 string \x3cHTML HTML document header
>5 byte !0x20
>>5 byte !0x3e \b, {invalid}
>>5 byte !0x3e {invalid}
0 string \x3c/html\x3e HTML document footer{offset-adjust:7}
0 string \x3c/HTML\x3e HTML document footer{offset-adjust:7}
0 string \x3c/html\x3e HTML document footer
0 string \x3c/HTML\x3e HTML document footer
0 string \x3c?xml\x20version XML document,
>15 string x version: "%.3s"
......@@ -57,13 +57,13 @@
>63 string x \b%s"
0 string begin\x20 uuencoded data,
>9 byte !0x20 {invalid} format,
>6 byte <0x30 {invalid} permissions,
>6 byte >0x39 {invalid} permissions,
>7 byte <0x30 {invalid} permissions,
>7 byte >0x39 {invalid} permissions,
>8 byte <0x30 {invalid} permissions,
>8 byte >0x39 {invalid} permissions,
>9 byte !0x20 {invalid}invalid format,
>6 byte <0x30 {invalid}invalid permissions,
>6 byte >0x39 {invalid}invalid permissions,
>7 byte <0x30 {invalid}invalid permissions,
>7 byte >0x39 {invalid}invalid permissions,
>8 byte <0x30 {invalid}invalid permissions,
>8 byte >0x39 {invalid}invalid permissions,
>10 string x file name: "%s",
>6 string x file permissions: "%.3s"
......@@ -79,8 +79,8 @@
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20 belong >163 ({invalid} link layer
>20 belong <0 ({invalid} link layer
>20 belong >163 {invalid}(invalid link layer
>20 belong <0 {invalid}(invalid link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
......@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20 lelong >163 ({invalid} link layer
>20 lelong <0 ({invalid} link layer
>20 lelong >163 {invalid}(invalid link layer
>20 lelong <0 {invalid}(invalid link layer
>16 lelong x \b, snaplen: %d)
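Review bot: The uuencode permission checks still accept the characters `8` and `9`, because `>6 byte >0x39 {invalid}invalid permissions,` and the matching tests at offsets 7 and 8 bound each digit at 0x39. A file mode is octal, so the upper bound should be 0x37, e.g. `>6 byte >0x37 {invalid}invalid permissions,`. The magic `begin\x20` is a short and common text pattern, so the tighter bound cheaply removes a class of false positives.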
......@@ -6,24 +6,24 @@
# Recognize some MySQL files.
#
0 beshort 0xfe01 MySQL table definition file
>2 string <1 {invalid}
>2 string >\11 {invalid}
>2 ubyte <1 {invalid}
>2 ubyte >11 {invalid}
>2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file
>3 string <1 {invalid}
>3 string >\11 {invalid}
>3 ubyte <1 {invalid}
>3 ubyte >11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file
>3 string <1 {invalid}
>3 string >\11 {invalid}
>3 ubyte <1 {invalid}
>3 ubyte >11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file
>3 string <1 {invalid}
>3 string >\11 {invalid}
>3 ubyte <1 {invalid}
>3 ubyte >11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file
>3 string <1 {invalid}
>3 string >\11 {invalid}
>3 ubyte <1 {invalid}
>3 ubyte >11 {invalid}
>3 byte x Version %d
#0 string \376bin MySQL replication log
......@@ -33,8 +33,9 @@
# As observed from iRivNavi.iDB and unencoded firmware
#
0 string iRivDB iRiver Database file
>11 string >\0 Version "%s"
>39 string iHP-100 [H Series]
>11 byte !0
>>11 string x Version "%s"
#>39 string iHP-100 [H Series]
#------------------------------------------------------------------------------
# SQLite database files
......@@ -49,7 +50,7 @@
# Version 3 of SQLite allows applications to embed their own "user version"
# number in the database. Detect this and distinguish those files.
0 string SQLite\x20format\x203
>60 string _MTN Monotone source repository
>60 belong !0 SQLite 3.x database, user version %u
>60 belong 0 SQLite 3.x database
0 string SQLite\x20format\x203 SQLite 3.x database,
>60 string _MTN monotone source repository
>60 ubelong !0 \b, user version %u
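Review bot: The version upper bound appears to change value as well as type. The earlier `string >\11` test used an octal escape (9), while `>2 ubyte >11 {invalid}` and the four `>3 ubyte >11 {invalid}` lines compare against decimal 11. If 9 was the intended limit, write `>9`. If 11 is intended, a comment above the first entry naming the highest known version would show that the change is deliberate. Separately, `Version %d` is still read as signed `byte` while the checks use `ubyte`, which is harmless within 1..11, but `ubyte` would be consistent.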