#------------------------------------------------------------ # $File: android,v 1.4 2014/06/03 19:01:34 christos Exp $ # Various android related magic entries #------------------------------------------------------------ # Dalvik .dex format. http://retrodev.com/android/dexformat.html # From "Mike Fleming" # Fixed to avoid regexec 17 errors on some dex files # From "Tim Strazzere" 0 string dex\n >0 regex dex\n[0-9]{2}\0 Dalvik dex file >4 string >000 version %s 0 string dey\n >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) >4 string >000 version %s # http://android.stackexchange.com/questions/23357/\ # is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ # 23608#23608 0 string ANDROID\040BACKUP\n Android Backup >15 string 1\n \b, version 1 >17 string 0\n \b, uncompressed >17 string 1\n \b, compressed >19 string none\n \b, unencrypted >19 string AES-256\n \b, encrypted AES-256 # Android bootimg format # From https://android.googlesource.com/\ # platform/system/core/+/master/mkbootimg/bootimg.h 0 string ANDROID! Android bootimg >8 lelong >0 \b, kernel >>12 lelong >0 \b (0x%x) >16 lelong >0 \b, ramdisk >>20 lelong >0 \b (0x%x) >24 lelong >0 \b, second stage >>28 lelong >0 \b (0x%x) >36 lelong >0 \b, page size: %d >38 string >0 \b, name: %s >64 string >0 \b, cmdline (%s) # Dalvik .dex format. http://retrodev.com/android/dexformat.html # From "Mike Fleming" # Fixed to avoid regexec 17 errors on some dex files # From "Tim Strazzere" 0 string dex\n >0 regex dex\n[0-9]{2}\0 Dalvik dex file >4 string >000 version %s 0 string dey\n >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) >4 string >000 version %s # http://android.stackexchange.com/questions/23357/\ # is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ # 23608#23608 0 string ANDROID\040BACKUP\n Android Backup >15 string 1\n \b, version 1 >17 string 0\n \b, uncompressed >17 string 1\n \b, compressed >19 string none\n \b, unencrypted >19 string AES-256\n \b, encrypted AES-256 # Android bootimg format # From https://android.googlesource.com/\ # platform/system/core/+/master/mkbootimg/bootimg.h 0 string ANDROID! Android bootimg >8 lelong >0 \b, kernel >>12 lelong >0 \b (0x%x) >16 lelong >0 \b, ramdisk >>20 lelong >0 \b (0x%x) >24 lelong >0 \b, second stage >>28 lelong >0 \b (0x%x) >36 lelong >0 \b, page size: %d >38 string >0 \b, name: %s >64 string >0 \b, cmdline (%s) # Android Backup archive # From: Ariel Shkedi # File extension: .ab # No mime-type defined # URL: https://github.com/android/platform_frameworks_base/blob/\ # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ # android/server/BackupManagerService.java#L2367 # After the header comes a tar file # If compressed, the entire tar file is compressed with JAVA deflate # # Include the version number hardcoded with the magic string to avoid # false positives 0 string/b ANDROID\ BACKUP\n1\n Android Backup >17 string 0\n \b, Not-Compressed >17 string 1\n \b, Compressed # any string as long as it's not the word none (which is matched below) >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) >>19 string none\n \b, Not-Encrypted # Commented out because they don't seem useful to print # (but they are part of the header - the tar file comes after them): #>>>&1 regex/1l .* \b, Password salt: %s #>>>>&1 regex/1l .* \b, Master salt: %s #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s #>>>>>>&1 regex/1l .* \b, IV: %s #>>>>>>>&1 regex/1l .* \b, Key: %s