
  1. #------------------------------------------------------------
  2. # $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
  3. # Various android related magic entries
  4. #------------------------------------------------------------
  5. # Dalvik .dex format. http://retrodev.com/android/dexformat.html
  6. # From <mkf@google.com> "Mike Fleming"
  7. # Fixed to avoid regexec 17 errors on some dex files
  8. # From <diff@lookout.com> "Tim Strazzere"
  9. 0 string dex\n
  10. >0 regex dex\n[0-9]{2}\0 Dalvik dex file
  11. >4 string >000 version %s
  12. 0 string dey\n
  13. >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
  14. >4 string >000 version %s
  15. # Android bootimg format
  16. # From https://android.googlesource.com/\
  17. # platform/system/core/+/master/mkbootimg/bootimg.h
  18. # https://github.com/djrbliss/loki/blob/master/loki.h#L43
  19. 0 string ANDROID! Android bootimg
  20. >1024 string LOKI \b, LOKI'd
  21. >>1028 lelong 0 \b (boot)
  22. >>1028 lelong 1 \b (recovery)
  23. >8 lelong >0 \b, kernel
  24. >>12 lelong >0 \b (%#x)
  25. >16 lelong >0 \b, ramdisk
  26. >>20 lelong >0 \b (%#x)
  27. >24 lelong >0 \b, second stage
  28. >>28 lelong >0 \b (%#x)
  29. >36 lelong >0 \b, page size: %d
  30. >38 string >0 \b, name: %s
  31. >64 string >0 \b, cmdline (%s)
  32. # Android Backup archive
  33. # From: Ariel Shkedi
  34. # Update: Joerg Jenderek
  35. # URL: https://github.com/android/platform_frameworks_base/blob/\
  36. # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
  37. # android/server/BackupManagerService.java#L2367
  38. # Reference: https://sourceforge.net/projects/adbextractor/
  39. # android-backup-extractor/perl/backupencrypt.pl
  40. # Note: only unix line feeds "\n" found
  41. # After the header comes a tar file
  42. # If compressed, the entire tar file is compressed with JAVA deflate
  43. #
  44. # Include the version number hardcoded with the magic string to avoid
  45. # false positives
  46. 0 string/b ANDROID\ BACKUP\n Android Backup
  47. # maybe look for some more characteristics like linefeed '\n' or version
  48. #>16 string \n
  49. # No mime-type defined officially
  50. !:mime application/x-google-ab
  51. !:ext ab
  52. # the 2nd line is the version (often 1; 2 on KitKat 4.4.3+, 4 on 7.1.2)
  53. >15 string >\0 \b, version %s
  54. # "1" on 3rd line means compressed
  55. >17 string 0\n \b, Not-Compressed
  56. >17 string 1\n \b, Compressed
  57. # The 4th line is encryption "none" or "AES-256"
  58. # any string as long as it's not the word none (which is matched below)
  59. >19 string none\n \b, Not-Encrypted
  60. # look for backup content after line with encryption info
  61. #>>19 search/7 \n
  62. # data part after the header of an unencrypted Android Backup
  63. #>>>&0 ubequad x \b, content %#16.16llx...
  64. # look for zlib compressed by ./compress after message with 1 space at end
  65. #>>>&0 indirect x \b; contains
  66. # look for tar archive block by ./archive for package name manifest
  67. >>288 string ustar \b; contains
  68. >>>31 use tar-file
  69. # look for zip/jar archive by ./archive ./zip after message with 1 space at end
  70. #>>2079 search/1025/s PK\003\004 \b; contains
  71. #>>>&0 indirect x
  72. >19 string !none
  73. >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
  74. # Commented out because they don't seem useful to print
  75. # (but they are part of the header - the tar file comes after them):
  76. # The 5th line is User Password Salt (128 Hex)
  77. # string length too high with standard src configuration
  78. #>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s"
  79. #>>>&1 regex/1l .* \b, Password salt: %s
  80. # The 6th line is Master Key Checksum Salt (128 Hex)
  81. #>>>>&1 regex/1l .* \b, Master salt: %s
  82. # The 7th line is the number of PBKDF2 rounds (10000)
  83. #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
  84. # The 8th line is User key Initialization Vector (IV) (32 Hex)
  85. #>>>>>>&1 regex/1l .* \b, IV: %s
  86. #>>>>>>&1 regex/1l .* \b, IV: %s
  87. # The 9th line is Master IV+Key+Checksum (192 Hex)
  88. #>>>>>>>&1 regex/1l .* \b, Key: %s
  89. # look for new line separator char after line number 9
  90. #>>>0x204 ubyte 0x0a NL found
  91. #>>>>&1 ubequad x \b, Content magic %16.16llx
  92. # *.pit files by Joerg Jenderek
  93. # https://forum.xda-developers.com/showthread.php?p=9122369
  94. # https://forum.xda-developers.com/showthread.php?t=816449
  95. # Partition Information Table for Samsung Android smartphones
  96. # used by flash software Odin
  97. 0 ulelong 0x12349876
  98. # 1st pit entry marker
  99. >0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
  100. # a minimum of 13 and a maximum of 18 PIT entries found
  101. >>4 ulelong <128 Partition Information Table for Samsung smartphone
  102. >>>4 ulelong x \b, %d entries
  103. # 1. pit entry
  104. >>>4 ulelong >0 \b; #1
  105. >>>0x01C use PIT-entry
  106. >>>4 ulelong >1 \b; #2
  107. >>>0x0A0 use PIT-entry
  108. >>>4 ulelong >2 \b; #3
  109. >>>0x124 use PIT-entry
  110. >>>4 ulelong >3 \b; #4
  111. >>>0x1A8 use PIT-entry
  112. >>>4 ulelong >4 \b; #5
  113. >>>0x22C use PIT-entry
  114. >>>4 ulelong >5 \b; #6
  115. >>>0x2B0 use PIT-entry
  116. >>>4 ulelong >6 \b; #7
  117. >>>0x334 use PIT-entry
  118. >>>4 ulelong >7 \b; #8
  119. >>>0x3B8 use PIT-entry
  120. >>>4 ulelong >8 \b; #9
  121. >>>0x43C use PIT-entry
  122. >>>4 ulelong >9 \b; #10
  123. >>>0x4C0 use PIT-entry
  124. >>>4 ulelong >10 \b; #11
  125. >>>0x544 use PIT-entry
  126. >>>4 ulelong >11 \b; #12
  127. >>>0x5C8 use PIT-entry
  128. >>>4 ulelong >12 \b; #13
  129. >>>>0x64C use PIT-entry
  130. # 14. pit entry
  131. >>>4 ulelong >13 \b; #14
  132. >>>>0x6D0 use PIT-entry
  133. >>>4 ulelong >14 \b; #15
  134. >>>0x754 use PIT-entry
  135. >>>4 ulelong >15 \b; #16
  136. >>>0x7D8 use PIT-entry
  137. >>>4 ulelong >16 \b; #17
  138. >>>0x85C use PIT-entry
  139. # 18. pit entry
  140. >>>4 ulelong >17 \b; #18
  141. >>>0x8E0 use PIT-entry
  142. 0 name PIT-entry
  143. # a garbage value here implies the end of the PIT entries
  144. >0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
  145. # skip empty partition name
  146. >>0x24 ubyte !0
  147. # partition name
  148. >>>0x24 string >\0 %-.32s
  149. # flags
  150. >>>0x0C ulelong&0x00000002 2 \b+RW
  151. # partition ID:
  152. # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
  153. # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
  154. >>>0x08 ulelong x (%#x)
  155. # filename
  156. >>>0x44 string >\0 "%-.64s"
  157. #>>>0x18 ulelong >0
  158. # blocksize in 512 byte units ?
  159. #>>>>0x18 ulelong x \b, %db
  160. # partition size in blocks ?
  161. #>>>>0x22 ulelong x \b*%d
  162. # Android sparse img format
  163. # From https://android.googlesource.com/\
  164. # platform/system/core/+/master/libsparse/sparse_format.h
  165. 0 lelong 0xed26ff3a Android sparse image
  166. >4 leshort x \b, version: %d
  167. >6 leshort x \b.%d
  168. >16 lelong x \b, Total of %d
  169. >12 lelong x \b %d-byte output blocks in
  170. >20 lelong x \b %d input chunks.
  171. # Android binary XML magic
  172. # In include/androidfw/ResourceTypes.h:
  173. # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
  174. # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
  175. # The strength is increased to avoid misidentifying as Targa image data
  176. 0 lelong 0x00080003 Android binary XML
  177. !:strength +1
  178. # Android cryptfs footer
  179. # From https://android.googlesource.com/\
  180. # platform/system/vold/+/refs/heads/master/cryptfs.h
  181. 0 lelong 0xd0b5b1c4 Android cryptfs footer
  182. >4 leshort x \b, version: %d
  183. >6 leshort x \b.%d
  184. # Android Vdex format
  185. # From https://android.googlesource.com/\
  186. # platform/art/+/master/runtime/vdex_file.h
  187. 0 string vdex Android vdex file,
  188. >4 string >000 verifier deps version: %s,
  189. >8 string >000 dex section version: %s,
  190. >12 lelong >0 number of dex files: %d,
  191. >16 lelong >0 verifier deps size: %d
  192. # Android Vdex format while the dex file is still being updated
  193. # by the Android system
  194. # From https://android.googlesource.com/\
  195. # platform/art/+/master/dex2oat/dex2oat.cc
  196. 0 string wdex Android vdex file, being processed by dex2oat,
  197. >4 string >000 verifier deps version: %s,
  198. >8 string >000 dex section version: %s,
  199. >12 lelong >0 number of dex files: %d,
  200. >16 lelong >0 verifier deps size: %d
  201. # Disassembled DEX files
  202. 0 string/t .class\x20
  203. >&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali)
  204. !:ext smali
  205. # Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
  206. # Reference: https://android.googlesource.com/platform/frameworks/support/\
  207. # +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
  208. # src/main/java/androidx/profileinstaller/ProfileTranscoder.java
  209. # Reference: https://android.googlesource.com/platform/frameworks/support/\
  210. # +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
  211. # src/main/java/androidx/profileinstaller/ProfileVersion.java
  212. 0 string pro\x00
  213. >0 regex pro\x000[0-9][0-9]\x00 Android ART profile
  214. !:ext prof
  215. >>4 string 001\x00 \b, version 001 N
  216. >>4 string 005\x00 \b, version 005 O
  217. >>4 string 009\x00 \b, version 009 O MR1
  218. >>4 string 010\x00 \b, version 010 P
  219. >>4 string 015\x00 \b, version 015 S
  220. 0 string prm\x00
  221. >0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata
  222. !:ext profm
  223. >>4 string 001\x00 \b, version 001 N
  224. >>4 string 002\x00 \b, version 002
  225. # Android package resource table (ARSC): resources.arsc
  226. # Reference: https://android.googlesource.com/platform/tools/base/\
  227. # +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
  228. # src/main/java/com/google/devrel/gmscore/tools/apk/arsc
  229. # 00: resource table type = 0x0002 (2) + header size = 12 (2)
  230. # 04: chunk size (4, skipped)
  231. # 08: #packages (4)
  232. 0 ulelong 0x000c0002 Android package resource table (ARSC)
  233. !:ext arsc
  234. >8 ulelong !1 \b, %d packages
  235. # 12: string pool type = 0x0001 (2) + header size = 28 (2)
  236. # 16: chunk size (4, skipped)
  237. # 20: #strings (4), #styles (4), flags (4)
  238. >12 ulelong 0x001c0001
  239. >>20 ulelong !0 \b, %d string(s)
  240. >>24 ulelong !0 \b, %d style(s)
  241. >>28 ulelong &1 \b, sorted
  242. >>28 ulelong &256 \b, utf8
  243. # extracted APK Signing Block
  244. -16 string APK\x20Sig\x20Block\x2042 APK Signing Block