检测存档类型

【问题标题】:Detect archive type检测存档类型
【发布时间】:2018-07-28 16:54:18
【问题描述】:

我有一个没有扩展名的存档,我如何检测文件格式?

文件开头(截图):

文件开头(文本): ef cd ab 19 14 00 05 00 08 00 1b 8c 2f 34 63 e3 f1 35 68 00 00 00 8c 00 00 00 09 00 00 00 49 4e 44 45 58 2e 53 59 53 90 77 a2 38 fc 2f 53 09 a9 df 40 2d 0f d5 8f 89 2e 2f a1 eb e2 2e a1 9a 02 39 5d ad 4c b1 cc ca e4 e4 ab 83 a6 ef 1d ab 1f 66 b5 fd 2b f5 81 aa 9d b4 19 34 52 f3 24 58 15 45 4a 38 4a c0 84 19 22 6b ad ef 28 e3 89 36 e7 aa e2 aa 64 dd 19 4b 5d 8b 38 7a 15 14 77 a2 7e f4 e0 be ba f9 bd a3 e5 4e 54 12 c6 47 d6 cc ef cd ab 19 14 00 05 00 08 00 f4 80 51 4c a4 35 50 85 b4 00 00 00 d9 00 00 00 08 00 00 00 49 4e 46 4f 2e 53 59 53 52 b4 68 91 65 88 05 26 da 72 0a 5f ce a3 8e 2a cc 6d a2 8f 9e 36 d6 fa f8 84 7d 43 0d 95 1b 7c 15 ee 3f ba 43 13 41 7f de 47 f1 3c a6 4f 45 e5 cc 0d 32 1b 7c 62 c2 8d d6 f1 f7 d8 f2 88 14 62 a1 ac 6e 96 e5 85 db bd 82 40 e4 83 a9 88 a8 90 26 89 fd aa b1 85 71 10 30 2a 2d c2 ce e1 3c 13 4b 3c 13 13 60 e1 76 87 df c4 9b ef 4f 2a c2 bd 74 14 de 42 d8 f2 77 a1 60 31 fb 72 ec 88 1e 41 72 3c de 2a f0 ac de a3 31 fb ee 11 30 1b f7 fb d8 3b 74 26 b2 56 46 03 a2 b3 7e 87 00 1b 6b 84 c3 ea ae be f0 0c 9c 2f 11 44 74 75 c9 2d 92 c1 ac 24 6a 31 ef cd ab 19 14 00 05 00 08 00 8d a9 47 32 08 85 79 7f f0 00 00 00 22 01 00 00 0c 00 00 00 51 4d 57 57 49 4e 4a 47 2e

【问题讨论】:

    标签: file types binary reverse-engineering archive


    【解决方案1】:

    对于初学者来说,您提供的数据中似乎存在某种模式

    C:\>grep -obUaP "\xef\xcd\xab\x19\x14\x00\x05\x00\x08\x00" bindata
0:ïI«↓¶ ♣
143:ïI«↓¶ ♣
361:ïI«↓¶ ♣

C:\>xxd -g 1 -l 10 -s 0  bindata & xxd -g 1 -l 10 -s 143 bindata & xxd -g 1 -l 10 -s 361 bindata
0000000: ef cd ab 19 14 00 05 00 08 00                    ..........
000008f: ef cd ab 19 14 00 05 00 08 00                    ..........
0000169: ef cd ab 19 14 00 05 00 08 00                    ..........

    那是 0x19abcdef 作为一些魔法签名,你可以从这里跟进

    似乎还有一个恒定偏移量的文件名

    C:\>xxd -g 1 -l 16 -s 30  bindata & xxd -g 1 -l 16 -s 173 bindata & xxd -g 1 -l 16 -s 391 bindata
000001e: 49 4e 44 45 58 2e 53 59 53 90 77 a2 38 fc 2f 53  INDEX.SYS.w.8./S
00000ad: 49 4e 46 4f 2e 53 59 53 52 b4 68 91 65 88 05 26  INFO.SYSR.h.e..&
0000187: 51 4d 57 57 49 4e 4a 47 2e                       QMWWINJG.

    假设它是某种PKZIP xxd 自卸车似乎证实了?布局

    echo off
set /a qwsize           = 8
set /a dwsize           = 4
set /a wsize            = 2
set /a bsize            = 1


set /a signature        = %1
set /a version          = %signature%           + %dwsize%
set /a flags            = %version%             + %wsize%
set /a Compression      = %flags%               + %wsize%
set /a ModTime          = %compression%         + %wsize%
set /a ModDate          = %ModTime%             + %wsize%
Set /a Crc32            = %ModDate%             + %wsize%
set /a CompressedSize   = %Crc32%               + %dwsize%
set /a UncompressedSize = %CompressedSize%      + %dwsize%
set /a FileNameLength   = %UncompressedSize%    + %dwsize%
set /a ExtraFieldLength = %FileNameLength%      + %wsize%
set /a filename         = %ExtraFieldLength%    + %wsize% 

printf "%%20s" "signature "         & xxd -g 4 -s  %signature%          -l %dwsize%     bindata &^
printf "%%20s" "version "           & xxd -g 2 -s  %version%            -l %wsize%      bindata &^
printf "%%20s" "flags "             & xxd -g 2 -s  %flags%              -l %wsize%      bindata &^
printf "%%20s" "Compression "       & xxd -g 2 -s  %Compression%        -l %wsize%      bindata &^
printf "%%20s" "ModTime "           & xxd -g 2 -s  %ModTime%            -l %wsize%      bindata &^
printf "%%20s" "ModDate "           & xxd -g 2 -s  %ModDate%            -l %wsize%      bindata &^
printf "%%20s" "Crc32 "             & xxd -g 4 -s  %Crc32%              -l %dwsize%     bindata &^
printf "%%20s" "Compressed_Size "   & xxd -g 4 -s  %CompressedSize%     -l %dwsize%     bindata &^
printf "%%20s" "UncompressedSize "  & xxd -g 4 -s  %UncompressedSize%   -l %dwsize%     bindata &^
printf "%%20s" "File Name length  " & xxd -g 2 -s  %FileNameLength%     -l %wsize%      bindata &^
printf "%%20s" "Extra Field len "   & xxd -g 2 -s  %ExtraFieldLength%   -l %wsize%      bindata &^
printf "%%20s" "filename "          & xxd -g 1 -s  %filename%           -l %qwsize%      bindata

    C:>dumpinxxd.bat 0

    C:\>echo off
          signature 0000000: efcdab19                             ....
            version 0000004: 1400                                     ..
              flags 0000006: 0500                                     ..
        Compression 0000008: 0800                                     ..
            ModTime 000000a: 1b8c                                     ..
            ModDate 000000c: 2f34                                     /4
              Crc32 000000e: 63e3f135                             c..5
    Compressed_Size 0000012: 68000000                             h...
   UncompressedSize 0000016: 8c000000                             ....
  File Name length  000001a: 0900                                     ..
    Extra Field len 000001c: 0000                                     ..
           filename 000001e: 49 4e 44 45 58 2e 53 59                          INDEX.SY

    C:>dumpinxxd.bat 143

    C:\>echo off
          signature 000008f: efcdab19                             ....
            version 0000093: 1400                                     ..
              flags 0000095: 0500                                     ..
        Compression 0000097: 0800                                     ..
            ModTime 0000099: f480                                     ..
            ModDate 000009b: 514c                                     QL
              Crc32 000009d: a4355085                             .5P.
    Compressed_Size 00000a1: b4000000                             ....
   UncompressedSize 00000a5: d9000000                             ....
  File Name length  00000a9: 0800                                     ..
    Extra Field len 00000ab: 0000                                     ..
           filename 00000ad: 49 4e 46 4f 2e 53 59 53                          INFO.SYS

    C:>dumpinxxd.bat 361

    C:\>echo off
          signature 0000169: efcdab19                             ....
            version 000016d: 1400                                     ..
              flags 000016f: 0500                                     ..
        Compression 0000171: 0800                                     ..
            ModTime 0000173: 8da9                                     ..
            ModDate 0000175: 4732                                     G2
              Crc32 0000177: 0885797f                             ..y.
    Compressed_Size 000017b: f0000000                             ....
   UncompressedSize 000017f: 22010000                             "...
  File Name length  0000183: 0c00                                     ..
    Extra Field len 0000185: 0000                                     ..
           filename 0000187: 51 4d 57 57 49 4e 4a 47                          QMWWINJG

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2012-12-03
      • 1970-01-01
      • 2023-03-07
      • 2012-12-08
      • 2013-08-24
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode