binwalk-1.0/0000755000175000017500000000000012104542363011121 5ustar eveevebinwalk-1.0/src/0000755000175000017500000000000012104542363011710 5ustar eveevebinwalk-1.0/src/bin/0000755000175000017500000000000012104542363012460 5ustar eveevebinwalk-1.0/src/bin/binwalk0000755000175000017500000002345612104542363014047 0ustar eveeve#!/usr/bin/env python import sys import os.path import binwalk from threading import Thread from binwalk.common import str2int from getopt import GetoptError, getopt as GetOpt def display_status(bwalk): while True: # Display the current scan progress when the enter key is pressed. raw_input() print "Progress: %.2f%% (%d / %d)\n" % (((float(bwalk.total_scanned) / float(bwalk.scan_length)) * 100), bwalk.total_scanned, bwalk.scan_length) def usage(fd): fd.write("\n") fd.write("Binwalk v%s\n" % binwalk.Config.VERSION) fd.write("Craig Heffner, http://www.devttys0.com\n") fd.write("\n") fd.write("Usage: %s [OPTIONS] [FILE1] [FILE2] [FILE3] ...\n" % os.path.basename(sys.argv[0])) fd.write("\n") fd.write("\t-o, --offset= Start scan at this file offset\n") fd.write("\t-l, --length= Number of bytes to scan\n") fd.write("\t-b, --align= Set byte alignment [default: 1]\n") fd.write("\t-m, --magic= Specify an alternate magic file to use\n") fd.write("\t-i, --include= Include matches that are normally excluded and that have in their description\n") fd.write("\t-x, --exclude= Exclude matches that have in their description\n") fd.write("\t-y, --search= Only search for matches that have in their description\n") fd.write("\t-g, --grep= Grep results for the specified text\n") fd.write("\t-R, --raw-bytes= Search for a sequence of raw bytes instead of using the default magic signatures\n") fd.write("\t-f, --file= Log results to file\n") fd.write("\t-D, --dd= Extract entries whose descriptions match , give them file extension , and execute \n") fd.write("\t-e, --extract=[file] Automatically extract known file types. Load rules from file, if specified.\n") fd.write("\t-r, --rm Cleanup extracted files and zero-size files\n") fd.write("\t-d, --delay Delay file extraction for files with known footers\n") fd.write("\t-a, --all Include all short signatures\n") fd.write("\t-I, --show-invalid Show results marked as invalid\n") fd.write("\t-A, --opcodes Scan for executable code\n") fd.write("\t-C, --cast Cast file contents as various data types\n") fd.write("\t-k, --keep-going Show all matching results at a given offset, not just the first one\n") fd.write("\t-q, --quiet Supress output to stdout\n") fd.write("\t-v, --verbose Be verbose (specify twice for very verbose)\n") fd.write("\t-u, --update Update magic signature files\n") fd.write("\t-h, --help Show help output\n") fd.write("\n") if fd == sys.stderr: sys.exit(1) else: sys.exit(0) def main(): MIN_ARGC = 2 align = 1 offset = 0 length = 0 quiet = False pre_filter = True verbose = 0 log_file = None show_invalid = False short_sig = True custom_signature = None delay_extraction = False extract_rules_file = None extract_from_config = False cleanup_after_extract = False magic_flags = binwalk.magic.MAGIC_NONE options = [] magic_files = [] target_files = [] greps = [] includes = [] excludes = [] searches = [] extracts = [] config = binwalk.Config() short_options = "aACdhkeqruvPIf:o:l:b:i:x:y:D:m:R:g:" long_options = [ "rm", "all", "help", "quiet", "verbose", "opcodes", "cast", "update", "keep-going", "show-invalid", "profile", "delay", "file=", "offset=", "length=", "align=", "include=", "exclude=", "extract=", "search=", "dd=", "grep=", "magic=", "raw-bytes=", ] # Require at least one argument (the target file) if len(sys.argv) < MIN_ARGC: usage(sys.stderr) try: opts, args = GetOpt(sys.argv[1:], short_options, long_options) except GetoptError, e: sys.stderr.write("%s\n" % str(e)) usage(sys.stderr) for opt, arg in opts: if opt in ("-h", "--help"): usage(sys.stdout) elif opt in ("-d", "--delay"): delay_extraction = True elif opt in ("-f", "--file"): log_file = arg elif opt in ("-q", "--quiet"): quiet = True elif opt in ("-v", "--verbose"): verbose += 1 elif opt in ("-o", "--offset"): offset = str2int(arg) elif opt in ("-l", "--length"): length = str2int(arg) elif opt in ("-b", "--align"): align = str2int(arg) elif opt in ("-i", "--include"): includes.append(arg) elif opt in ("-y", "--search"): searches.append(arg) elif opt in ("-x", "--exclude"): excludes.append(arg) elif opt in ("-D", "--dd"): extracts.append(arg) elif opt in ("-g", "--grep"): greps.append(arg) elif opt in ("-e", "--extract"): if arg: extract_rules_file = arg else: extract_from_config = True elif opt in ("-r", "--rm"): cleanup_after_extract = True elif opt in ("-m", "--magic"): magic_files.append(arg) elif opt in ("-a", "--all"): short_sig = False elif opt in ("-k", "--keep-going"): magic_flags |= binwalk.magic.MAGIC_CONTINUE elif opt in ("-I", "--show-invalid"): show_invalid = True elif opt in ("-A", "--opcodes"): # Check every single offset align = 1 # Don't filter out short signatures as some opcode sigs are only 2 bytes short_sig = False # Load user file first so its signatures take precedence magic_files.append(config.paths['user'][config.BINARCH_MAGIC_FILE]) magic_files.append(config.paths['system'][config.BINARCH_MAGIC_FILE]) elif opt in ("-C", "--cast"): # Check every single offset align = 1 # Don't stop at the first match (everything matches everything in this scan) magic_flags |= binwalk.magic.MAGIC_CONTINUE # Disable all pre filtering; we want to check everything for this scan pre_filter = False # Don't filter shot signatures, or else some casts won't be displayed short_sig = False # Load user file first so its signatures take precedence magic_files.append(config.paths['user'][config.BINCAST_MAGIC_FILE]) magic_files.append(config.paths['system'][config.BINCAST_MAGIC_FILE]) elif opt in ("-R", "--raw-bytes"): # Disable short signature filtering, as the supplied string may be short short_sig = False custom_signature = arg elif opt in ("-u", "--update"): try: sys.stdout.write("Updating signatures...") sys.stdout.flush() binwalk.Update().update() sys.stdout.write("done.\n") sys.exit(0) except Exception, e: if 'Permission denied' in str(e): sys.stderr.write("failed (permission denied). Check your user permissions, or run the update as root.\n") else: sys.stderr.write('\n' + str(e) + '\n') sys.exit(1) # The --profile option is handled prior to calling main() elif opt not in ('-P', '--profile'): usage(sys.stderr) # Append the option and argument to the list of processed options # This is used later to determine which argv entries are file names options.append(opt) options.append(arg) options.append("%s%s" % (opt, arg)) options.append("%s=%s" % (opt, arg)) # Treat any command line options not processed by getopt as target file paths for opt in sys.argv[1:]: #TODO: Do we really want to not process valid files that start with a '-'? # This is probably OK, and ensures that no options are treated as target files. if opt not in options and not opt.startswith('-'): target_files.append(opt) # If more than one target file was specified, enable verbose mode; else, there is # nothing in the output to indicate which scan corresponds to which file. if len(target_files) > 1: verbose = True # Instantiate the Binwalk class bwalk = binwalk.Binwalk(flags=magic_flags, verbose=verbose, log=log_file, quiet=quiet) # If a custom signature was specified, create a temporary magic file containing the custom signature # and ensure that it is the only magic file that will be loaded when Binwalk.scan() is called. if custom_signature is not None: magic_files = bwalk.parser.file_from_string(custom_signature) # Set any specified filters bwalk.filter.include(includes, exclusive=False) bwalk.filter.exclude(excludes) bwalk.filter.include(searches) bwalk.filter.grep(filters=greps) # Add any specified extract rules bwalk.extractor.add_rule(extracts) # If -e was specified, load the default extract rules if extract_from_config: bwalk.extractor.load_defaults() # If --extract was specified, load the specified extraction rules file if extract_rules_file is not None: bwalk.extractor.load_from_file(extract_rules_file) # Set the extractor cleanup value (True to clean up files, False to leave them on disk) bwalk.extractor.cleanup_extracted_files(cleanup_after_extract) # Enable delayed extraction, which will prevent supported file types from having trailing data when extracted bwalk.extractor.enable_delayed_extract(delay_extraction) # Load the magic file(s) bwalk.load_signatures(magic_files=magic_files, pre_filter_signatures=pre_filter, filter_short_signatures=short_sig) # Scan each target file for target_file in target_files: bwalk.display.header(target_file) # Start the display_status function as a daemon thread t = Thread(target=display_status, args=(bwalk,)) t.setDaemon(True) t.start() # Catch keyboard interrupts so that we can properly clean up after the scan try: bwalk.scan(target_file, offset=offset, length=length, align=align, show_invalid_results=show_invalid, callback=bwalk.display.results) except KeyboardInterrupt: pass bwalk.display.footer() # Be sure to drink your ovaltine. # And also to clean up any temporary magic files. bwalk.cleanup() try: # Special options for profiling the code. For debug use only. if '--profile' in sys.argv or '-P' in sys.argv: import cProfile cProfile.run('main()') else: main() except KeyboardInterrupt: pass binwalk-1.0/src/magic/0000755000175000017500000000000012104542363012770 5ustar eveevebinwalk-1.0/src/magic/executables0000644000175000017500000005746312104542363015236 0ustar eveeve #------------------Standard file formats------------------------------------ #------------------------------------------------------------------------------ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string \177ELF ELF >4 byte 0 invalid class >4 byte 1 32-bit # only for MIPS - in the future, the ABI field of e_flags should be used. >>18 leshort 8 >>>36 lelong &0x20 N32 >>18 leshort 10 >>>36 lelong &0x20 N32 >>18 beshort 8 >>>36 belong &0x20 N32 >>18 beshort 10 >>>36 belong &0x20 N32 >4 byte 2 64-bit >5 byte 0 invalid byte order >5 byte 1 LSB # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. >>18 leshort 8 # only for 32-bit >>>4 byte 1 >>>>36 lelong&0xf0000000 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 0x60000000 MIPS32 >>>>36 lelong&0xf0000000 0x70000000 MIPS64 >>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 lelong&0xf0000000 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 0x60000000 MIPS32 >>>>48 lelong&0xf0000000 0x70000000 MIPS64 >>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2 >>16 leshort 0 no file type, >>16 leshort 1 relocatable, >>16 leshort 2 executable, >>16 leshort 3 shared object, # Core handling from Peter Tobias # corrections by Christian 'Dr. Disk' Hechelmann >>16 leshort 4 core file # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola >>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong 0 68020 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, >>18 leshort 8 MIPS, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS (deprecated), >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>>50 leshort 0x0214 2.0 >>>48 leshort &0x0008 (LP64), >>18 leshort 16 nCUBE, >>18 leshort 17 Fujitsu VPP500, >>18 leshort 18 SPARC32PLUS, >>18 leshort 20 PowerPC, >>18 leshort 22 IBM S/390, >>18 leshort 36 NEC V800, >>18 leshort 37 Fujitsu FR20, >>18 leshort 38 TRW RH-32, >>18 leshort 39 Motorola RCE, >>18 leshort 40 ARM, >>18 leshort 41 Alpha, >>18 leshort 0xa390 IBM S/390 (obsolete), >>18 leshort 42 Hitachi SH, >>18 leshort 43 SPARC V9 - invalid byte order, >>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 46 Hitachi H8/300, >>18 leshort 47 Hitachi H8/300H, >>18 leshort 48 Hitachi H8S, >>18 leshort 49 Hitachi H8/500, >>18 leshort 50 IA-64 (Intel 64 bit architecture) >>18 leshort 51 Stanford MIPS-X, >>18 leshort 52 Motorola Coldfire, >>18 leshort 53 Motorola M68HC12, >>18 leshort 62 AMD x86-64, >>18 leshort 75 Digital VAX, >>18 leshort 97 NatSemi 32k, >>18 leshort 0x9026 Alpha (unofficial), >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >5 byte 2 MSB # only for MIPS - see comment in little-endian section above. >>18 beshort 8 # only for 32-bit >>>4 byte 1 >>>>36 belong&0xf0000000 0x00000000 MIPS-I >>>>36 belong&0xf0000000 0x10000000 MIPS-II >>>>36 belong&0xf0000000 0x20000000 MIPS-III >>>>36 belong&0xf0000000 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 0x40000000 MIPS-V >>>>36 belong&0xf0000000 0x60000000 MIPS32 >>>>36 belong&0xf0000000 0x70000000 MIPS64 >>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 belong&0xf0000000 0x00000000 MIPS-I >>>>48 belong&0xf0000000 0x10000000 MIPS-II >>>>48 belong&0xf0000000 0x20000000 MIPS-III >>>>48 belong&0xf0000000 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 0x40000000 MIPS-V >>>>48 belong&0xf0000000 0x60000000 MIPS32 >>>>48 belong&0xf0000000 0x70000000 MIPS64 >>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2 >>16 beshort 0 no file type, >>16 beshort 1 relocatable, >>16 beshort 2 executable, >>16 beshort 3 shared object, >>16 beshort 4 core file, #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola >>>36 belong &0x01000000 68000, >>>36 belong &0x00810000 CPU32, >>>36 belong 0 68020, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, >>18 beshort 8 MIPS, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS (deprecated), >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC >>>50 beshort 0x0214 2.0 >>>48 beshort &0x0008 (LP64) >>18 beshort 16 nCUBE, >>18 beshort 17 Fujitsu VPP500, >>18 beshort 18 SPARC32PLUS, >>>36 belong&0xffff00 &0x000100 V8+ Required, >>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 cisco 7500, >>18 beshort 22 IBM S/390, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 NEC V800 or cisco 12000, >>18 beshort 37 Fujitsu FR20, >>18 beshort 38 TRW RH-32, >>18 beshort 39 Motorola RCE, >>18 beshort 40 ARM, >>18 beshort 41 Alpha, >>18 beshort 42 Hitachi SH, >>18 beshort 43 SPARC V9, >>18 beshort 44 Siemens Tricore Embedded Processor, >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort 46 Hitachi H8/300, >>18 beshort 47 Hitachi H8/300H, >>18 beshort 48 Hitachi H8S, >>18 beshort 49 Hitachi H8/500, >>18 beshort 50 Intel Merced Processor, >>18 beshort 51 Stanford MIPS-X, >>18 beshort 52 Motorola Coldfire, >>18 beshort 53 Motorola M68HC12, >>18 beshort 73 Cray NV1, >>18 beshort 75 Digital VAX, >>18 beshort 97 NatSemi 32k, >>18 beshort 0x9026 Alpha (unofficial), >>18 beshort 0xa390 IBM S/390 (obsolete), >>18 beshort 0xde3d Ubicom32, >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. >4 byte <0x80 >>8 string >\0 ("%s") >8 string \0 >>7 byte 0 (SYSV) >>7 byte 1 (HP-UX) >>7 byte 2 (NetBSD) >>7 byte 3 (GNU/Linux) >>7 byte 4 (GNU/Hurd) >>7 byte 5 (86Open) >>7 byte 6 (Solaris) >>7 byte 7 (Monterey) >>7 byte 8 (IRIX) >>7 byte 9 (FreeBSD) >>7 byte 10 (Tru64) >>7 byte 11 (Novell Modesto) >>7 byte 12 (OpenBSD) >>7 byte 97 (ARM) >>7 byte 255 (embedded) # XXX - according to Microsoft's spec, at an offset of 0x3c in a # PE-format executable is the offset in the file of the PE header; # unfortunately, that's a little-endian offset, and there's no way # to specify an indirect offset with a specified byte order. # So, for now, we assume the standard MS-DOS stub, which puts the # PE header at 0x80 = 128. # # Required OS version and subsystem version were 4.0 on some NT 3.51 # executables built with Visual C++ 4.0, so it's not clear that # they're interesting. The user version was 0.0, but there's # probably some linker directive to set it. The linker version was # 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). # # many of the compressed formats were extraced from IDARC 1.23 source code # 0 string MZ Microsoft >0x18 leshort <0x40 MS-DOS executable >0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows >>&18 leshort&0x2000 >0 (DLL) >>&88 leshort 0 (unknown subsystem) >>&88 leshort 1 (native) >>&88 leshort 2 (GUI) >>&88 leshort 3 (console) >>&88 leshort 7 (POSIX) >>&0 leshort 0x0 unknown processor >>&0 leshort 0x14c Intel 80386 >>&0 leshort 0x166 MIPS R4000 >>&0 leshort 0x184 Alpha >>&0 leshort 0x268 Motorola 68000 >>&0 leshort 0x1f0 PowerPC >>&0 leshort 0x290 PA-RISC >>&18 leshort&0x0100 >0 32-bit >>&18 leshort&0x1000 >0 system file >>&228 lelong >0 \b, Mono/.Net assembly >>&0xf4 search/0x140 \x0\x40\x1\x0 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive >30 string Copyright\x201989-1990\x20PKWARE\x20Inc. Self-extracting PKZIP archive # Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect. >30 string PKLITE\x20Copr. Self-extracting PKZIP archive >0x18 leshort >0x3f >>(0x3c.l) string PE\0\0 PE >>>(0x3c.l+25) byte 1 \b32 executable >>>(0x3c.l+25) byte 2 \b32+ executable # hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) >>>(0x3c.l+92) leshort <10 >>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender >>>>(8.s*16) string !32STUB for MS Windows >>>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) >>>>>(0x3c.l+92) leshort 0 (unknown subsystem) >>>>>(0x3c.l+92) leshort 1 (native) >>>>>(0x3c.l+92) leshort 2 (GUI) >>>>>(0x3c.l+92) leshort 3 (console) >>>>>(0x3c.l+92) leshort 7 (POSIX) >>>(0x3c.l+92) leshort 10 (EFI application) >>>(0x3c.l+92) leshort 11 (EFI boot service driver) >>>(0x3c.l+92) leshort 12 (EFI runtime driver) >>>(0x3c.l+92) leshort 13 (XBOX) >>>(0x3c.l+4) leshort 0x0 unknown processor >>>(0x3c.l+4) leshort 0x14c Intel 80386 >>>(0x3c.l+4) leshort 0x166 MIPS R4000 >>>(0x3c.l+4) leshort 0x184 Alpha >>>(0x3c.l+4) leshort 0x268 Motorola 68000 >>>(0x3c.l+4) leshort 0x1f0 PowerPC >>>(0x3c.l+4) leshort 0x290 PA-RISC >>>(0x3c.l+4) leshort 0x200 Intel Itanium >>>(0x3c.l+22) leshort&0x0100 >0 32-bit >>>(0x3c.l+22) leshort&0x1000 >0 system file >>>(0x3c.l+232) lelong >0 Mono/.Net assembly >>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed >>>>(0x3c.l+0xf8) search/0x140 UPX2 >>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>(0x3c.l+0xf8) search/0x140 .idata >>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive >>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .rsrc >>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive >>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive >>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive >>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .data >>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed >>>>>(0x3c.l+0xf7) byte x >>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .reloc >>>>>(&0xe.l+(-4)) search/0x180 PK\3\4 \b, ZIP self-extracting archive (WinZip) >>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>>>0x30 string Inno \b, InnoSetup self-extracting archive >>(0x3c.l) string !PE\0\0 MS-DOS executable >>(0x3c.l) string NE \b, NE >>>(0x3c.l+0x36) byte 0 (unknown OS) >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte >3 (unknown OS) >>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender >>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) >>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive >>>(0x3c.l+0x70) search/0x80 WinZip(R)\x20Self-Extractor \b, ZIP self-extracting archive (WinZip) >>(0x3c.l) string LX\0\0 \b, LX >>>(0x3c.l+0x0a) leshort <1 (unknown OS) >>>(0x3c.l+0x0a) leshort 1 for OS/2 >>>(0x3c.l+0x0a) leshort 2 for MS Windows >>>(0x3c.l+0x0a) leshort 3 for DOS >>>(0x3c.l+0x0a) leshort >3 (unknown OS) >>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) >>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) >>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) >>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) >>>(0x3c.l+0x08) leshort 1 i80286 >>>(0x3c.l+0x08) leshort 2 i80386 >>>(0x3c.l+0x08) leshort 3 i80486 >>>(8.s*16) string emx \b, emx >>>>&1 string x "%s" >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive #------------------------------------------------------------------------------ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # # Additional fields added by Craig Heffner # 0 string bFLT BFLT executable >4 belong x version %ld, >4 belong 4 >8 belong x code offset: 0x%.8X, >12 belong x data segment starts at: 0x%.8X, >16 belong x bss segment starts at: 0x%.8X, >20 belong x bss segment ends at: 0x%.8X, >24 belong x stack size: %d bytes, >28 belong x relocation records start at: 0x%.8X, >32 belong x number of reolcation records: %d, >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata #----------------------------------------------------------------- # MIPS COFF file formats # 0 beshort 0x0160 MIPSEB ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0162 MIPSEL-BE ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6001 MIPSEB-LE ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6201 MIPSEL ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # MIPS 2 additions # 0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # MIPS 3 additions # 0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode # Windows CE package files 0 string MSCE\0\0\0\0 Microsoft WinCE installer >20 lelong 0 \b, architecture-independent >20 lelong 103 \b, Hitachi SH3 >20 lelong 104 \b, Hitachi SH4 >20 lelong 0xA11 \b, StrongARM >20 lelong 4000 \b, MIPS R4000 >20 lelong 10003 \b, Hitachi SH3 >20 lelong 10004 \b, Hitachi SH3E >20 lelong 10005 \b, Hitachi SH4 >20 lelong 70001 \b, ARM 7TDMI >52 leshort 1 \b, 1 file >52 leshort >1 \b, %u files >56 leshort 1 \b, 1 registry entry >56 leshort >1 \b, %u registry entries #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytiä ) 0 string XBEH XBE, Microsoft Xbox executable # probabilistic checks whether signed or not >0x0004 ulelong =0x0 >>&2 ulelong =0x0 >>>&2 ulelong =0x0 \b, not signed >0x0004 ulelong >0 >>&2 ulelong >0 >>>&2 ulelong >0 \b, signed # expect base address of 0x10000 >0x0104 ulelong =0x10000 >>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007 >>>(0x0118-0x0FF60) ulelong >0 (regions: >>>>(0x0118-0x0FF60) ulelong &0x00000001 NA >>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan >>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World >>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer >>>(0x0118-0x0FF60) ulelong >0 \b) #------------------------------------------------------------------------------ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K # 0 beshort 0x0208 mc68k COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >168 string .lowmem Apple toolbox >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0421 (standalone) 0 beshort 0x0209 mc68k executable (shared) >12 belong >0 not stripped 0 beshort 0x020A mc68k executable (shared demand paged) >12 belong >0 not stripped # # Motorola/UniSoft 68K Binary Compatibility Standard (BCS) # 0 beshort 0x022A 68K BCS executable # # 88K # # Motorola/88Open BCS # 0 beshort 0x022B 88K BCS executable #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : 0 string PS-X\x20EXE Sony Playstation executable # Area: >113 string x ("%s") #------------------------------------------------------------------------------ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 beshort 0x8501 cisco IOS >0 belong&0xffffff00 0x85011400 microcode >0 belong&0xffffff00 0x8501cb00 experimental microcode >7 string >\0 for "%s" # EST flat binary format (which isn't, but anyway) # From: Mark Brown 0 string ESTFBINR EST flat binary # These are not the binaries themselves, but string references to them # are a strong indication that they exist elsewhere... #0 string /bin/busybox Busybox string reference: "%s"{one-of-many} #0 string /bin/sh Shell string reference: "%s"{one-of-many} binwalk-1.0/src/magic/compressed0000644000175000017500000001521312104542363015061 0ustar eveeve #------------------Compression Formats----------------------------- # AFX compressed files (Wolfram Kleff) 0 string -afx- AFX compressed file data{offset-adjust:-2} # bzip2 0 string BZh91AY&SY bzip2 compressed data, block size = 900k 0 string BZh81AY&SY bzip2 compressed data, block size = 800k 0 string BZh71AY&SY bzip2 compressed data, block size = 700k 0 string BZh61AY&SY bzip2 compressed data, block size = 600k 0 string BZh51AY&SY bzip2 compressed data, block size = 500k 0 string BZh41AY&SY bzip2 compressed data, block size = 400k 0 string BZh31AY&SY bzip2 compressed data, block size = 300k 0 string BZh21AY&SY bzip2 compressed data, block size = 200k 0 string BZh11AY&SY bzip2 compressed data, block size = 100k # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # lzip 0 string LZIP lzip compressed data >4 byte x \b, version: %d # LZO 0 string \211LZO\000\015\012\032\012 LZO compressed data # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte x version %d >7 byte x \b.%d # standard unix compress 0 beshort 0x1f9d compress'd data >2 byte&0x80 >0 block compressed >2 byte&0x1f !16 invalid >2 byte&0x1f x %d bits # http://tukaani.org/xz/xz-file-format.txt 0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213\x08 gzip compressed data >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, has CRC >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b{file-name:%s} >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS >9 byte >0x0D \b, invalid source >9 byte <0 \b, invalid source >3 byte &0x20 \b, encrypted (invalid) # Dates before 1992 are invalid, unless of course you're DD-WRT in which # case you don't know how to set a date in your gzip files. Brilliant. >4 lelong =0 \b, NULL date: >4 lelong <0 \b, invalid date: >4 lelong >0 >>4 lelong <694224000 \b, invalid date: >>4 lelong =694224000 \b, invalid date: >>4 lelong >694224000 \b, last modified: >4 ledate x %s >8 byte 2 \b, max compression >8 byte 4 \b, max speed # Zlib signatures 0 beshort 0x789C zlib compressed data 0 beshort 0x78DA zlib compressed data 0 beshort 0x7801 zlib compressed data # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) # ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\003\004 Zip archive data, >4 byte 0x00 v0.0 >4 byte 0x09 at least v0.9 to extract, >4 byte 0x0a at least v1.0 to extract, >4 byte 0x0b at least v1.1 to extract, >0x161 string WINZIP WinZIP self-extracting, >4 byte 0x14 >>30 ubelong !0x6d696d65 at least v2.0 to extract, >18 lelong !0 >>18 lelong <0 invalid >>18 lelong x compressed size: %d, >22 lelong !0 >>22 lelong <0 invalid >>22 lelong x uncompressed size: %d,{extract-delay:end of zip archive} >30 string x {file-name:{raw-replace}}name: {raw-replace} >26 leshort x {raw-string-length:%d} >30 string x {raw-string:%s >61 string x \b%s >92 string x \b%s >123 string x \b%s >154 string x \b%s} # ZIP footer 0 string PK\x05\x06 End of Zip archive >20 leshort x {offset-adjust:22+%d} >20 leshort >0 >>20 leshort x \b, comment: {raw-replace} >>20 leshort x {raw-string-length:%d} >>22 string x {raw-string:%s} # New LZMA format signature 0 string \xFFLZMA\x00 LZMA compressed data (new), >6 byte&0x10 0 single-block stream >6 byte&0x10 0x10 multi-block stream # See lzma file for LZMA signatures binwalk-1.0/src/magic/crypto0000644000175000017500000000700012104542363014230 0ustar eveeve# Type: OpenSSL certificates/key files # From: Nicolas Collignon 0 string -----BEGIN\x20CERTIFICATE----- PEM certificate 0 string -----BEGIN\x20CERTIFICATE\x20REQ PEM certificate request 0 string -----BEGIN\x20RSA\x20PRIVATE PEM RSA private key 0 string -----BEGIN\x20DSA\x20PRIVATE PEM DSA private key # Type: OpenSSH key files # From: Nicolas Collignon 0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key, >28 string >\0 version "%s" 0 string ssh-dss\x20 OpenSSH DSA public key 0 string ssh-rsa\x20 OpenSSH RSA public key # Type: Certificates/key files in DER format # From: Gert Hulselmans 0 string \x30\x82 Private key in DER format (PKCS#8), >4 string !\x02\x01\x00 invalid, >>2 beshort x header length: 4, sequence length: %d 0 string \x30\x82 Certificate in DER format (x509 v3), >4 string !\x30\x82 invalid, >>2 beshort x header length: 4, sequence length: %d # GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database >4 byte x version %d 0 beshort 0x9901 GPG key public ring # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. #------------------------------------------------------------------------------ # Mavroyanopoulos Nikos # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string \0m\3 mcrypt 2.5 encrypted data, >4 byte 0 invalid >4 string >\0 algorithm: "%s", >>&1 leshort <1 invalid >>&1 leshort >0 keysize: %d bytes, >>>&0 byte 0 invalid >>>&0 string >\0 mode: "%s", 0 string \0m\2 mcrypt 2.2 encrypted data, >3 byte 0 algorithm: blowfish-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, >3 byte 3 algorithm: 3-WAY, >3 byte 4 algorithm: GOST, >3 byte 6 algorithm: SAFER-SK64, >3 byte 7 algorithm: SAFER-SK128, >3 byte 8 algorithm: CAST-128, >3 byte 9 algorithm: xTEA, >3 byte 10 algorithm: TWOFISH-128, >3 byte 11 algorithm: RC2, >3 byte 12 algorithm: TWOFISH-192, >3 byte 13 algorithm: TWOFISH-256, >3 byte 14 algorithm: blowfish-128, >3 byte 15 algorithm: blowfish-192, >3 byte 16 algorithm: blowfish-256, >3 byte 100 algorithm: RC6, >3 byte 101 algorithm: IDEA, >3 byte <0 invalid algorithm >3 byte >101 invalid algorithm, >3 byte >16 >>3 byte <100 invalid algorithm, >4 byte 0 mode: CBC, >4 byte 1 mode: ECB, >4 byte 2 mode: CFB, >4 byte 3 mode: OFB, >4 byte 4 mode: nOFB, >4 byte <0 invalid mode, >4 byte >4 invalid mode, >5 byte 0 keymode: 8bit >5 byte 1 keymode: 4bit >5 byte 2 keymode: SHA-1 hash >5 byte 3 keymode: MD5 hash >5 byte <0 invalid keymode >5 byte >3 invalid keymode #------------------------------------------------------------------------------ # pgp: file(1) magic for Pretty Good Privacy # #0 beshort 0x9900 PGP key public ring #0 beshort 0x9501 PGP key security ring #0 beshort 0x9500 PGP key security ring #0 beshort 0xa600 PGP encrypted data 0 string -----BEGIN\040PGP PGP armored data >15 string PUBLIC\040KEY\040BLOCK- public key block >15 string MESSAGE- message >15 string SIGNED\040MESSAGE- signed message >15 string PGP\040SIGNATURE- signature binwalk-1.0/src/magic/lzma0000644000175000017500000035661012104542363013671 0ustar eveeve # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5D # ------------------------------------------------------------------ 0 string \x5D\x00\x00 LZMA compressed data, properties: 0x5D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x01 # ------------------------------------------------------------------ 0 string \x01\x00\x00 LZMA compressed data, properties: 0x01, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x02 # ------------------------------------------------------------------ 0 string \x02\x00\x00 LZMA compressed data, properties: 0x02, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x03 # ------------------------------------------------------------------ 0 string \x03\x00\x00 LZMA compressed data, properties: 0x03, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x04 # ------------------------------------------------------------------ 0 string \x04\x00\x00 LZMA compressed data, properties: 0x04, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x09 # ------------------------------------------------------------------ 0 string \x09\x00\x00 LZMA compressed data, properties: 0x09, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0A # ------------------------------------------------------------------ 0 string \x0A\x00\x00 LZMA compressed data, properties: 0x0A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0B # ------------------------------------------------------------------ 0 string \x0B\x00\x00 LZMA compressed data, properties: 0x0B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0C # ------------------------------------------------------------------ 0 string \x0C\x00\x00 LZMA compressed data, properties: 0x0C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x12 # ------------------------------------------------------------------ 0 string \x12\x00\x00 LZMA compressed data, properties: 0x12, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x13 # ------------------------------------------------------------------ 0 string \x13\x00\x00 LZMA compressed data, properties: 0x13, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x14 # ------------------------------------------------------------------ 0 string \x14\x00\x00 LZMA compressed data, properties: 0x14, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x1B # ------------------------------------------------------------------ 0 string \x1B\x00\x00 LZMA compressed data, properties: 0x1B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x1C # ------------------------------------------------------------------ 0 string \x1C\x00\x00 LZMA compressed data, properties: 0x1C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x24 # ------------------------------------------------------------------ 0 string \x24\x00\x00 LZMA compressed data, properties: 0x24, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2D # ------------------------------------------------------------------ 0 string \x2D\x00\x00 LZMA compressed data, properties: 0x2D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2E # ------------------------------------------------------------------ 0 string \x2E\x00\x00 LZMA compressed data, properties: 0x2E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2F # ------------------------------------------------------------------ 0 string \x2F\x00\x00 LZMA compressed data, properties: 0x2F, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x30 # ------------------------------------------------------------------ 0 string \x30\x00\x00 LZMA compressed data, properties: 0x30, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x31 # ------------------------------------------------------------------ 0 string \x31\x00\x00 LZMA compressed data, properties: 0x31, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x36 # ------------------------------------------------------------------ 0 string \x36\x00\x00 LZMA compressed data, properties: 0x36, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x37 # ------------------------------------------------------------------ 0 string \x37\x00\x00 LZMA compressed data, properties: 0x37, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x38 # ------------------------------------------------------------------ 0 string \x38\x00\x00 LZMA compressed data, properties: 0x38, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x39 # ------------------------------------------------------------------ 0 string \x39\x00\x00 LZMA compressed data, properties: 0x39, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x3F # ------------------------------------------------------------------ 0 string \x3F\x00\x00 LZMA compressed data, properties: 0x3F, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x40 # ------------------------------------------------------------------ 0 string \x40\x00\x00 LZMA compressed data, properties: 0x40, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x41 # ------------------------------------------------------------------ 0 string \x41\x00\x00 LZMA compressed data, properties: 0x41, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x48 # ------------------------------------------------------------------ 0 string \x48\x00\x00 LZMA compressed data, properties: 0x48, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x49 # ------------------------------------------------------------------ 0 string \x49\x00\x00 LZMA compressed data, properties: 0x49, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x51 # ------------------------------------------------------------------ 0 string \x51\x00\x00 LZMA compressed data, properties: 0x51, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5A # ------------------------------------------------------------------ 0 string \x5A\x00\x00 LZMA compressed data, properties: 0x5A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5B # ------------------------------------------------------------------ 0 string \x5B\x00\x00 LZMA compressed data, properties: 0x5B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5C # ------------------------------------------------------------------ 0 string \x5C\x00\x00 LZMA compressed data, properties: 0x5C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5E # ------------------------------------------------------------------ 0 string \x5E\x00\x00 LZMA compressed data, properties: 0x5E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x63 # ------------------------------------------------------------------ 0 string \x63\x00\x00 LZMA compressed data, properties: 0x63, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x64 # ------------------------------------------------------------------ 0 string \x64\x00\x00 LZMA compressed data, properties: 0x64, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x65 # ------------------------------------------------------------------ 0 string \x65\x00\x00 LZMA compressed data, properties: 0x65, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x66 # ------------------------------------------------------------------ 0 string \x66\x00\x00 LZMA compressed data, properties: 0x66, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6C # ------------------------------------------------------------------ 0 string \x6C\x00\x00 LZMA compressed data, properties: 0x6C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6D # ------------------------------------------------------------------ 0 string \x6D\x00\x00 LZMA compressed data, properties: 0x6D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6E # ------------------------------------------------------------------ 0 string \x6E\x00\x00 LZMA compressed data, properties: 0x6E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x75 # ------------------------------------------------------------------ 0 string \x75\x00\x00 LZMA compressed data, properties: 0x75, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x76 # ------------------------------------------------------------------ 0 string \x76\x00\x00 LZMA compressed data, properties: 0x76, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x7E # ------------------------------------------------------------------ 0 string \x7E\x00\x00 LZMA compressed data, properties: 0x7E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x87 # ------------------------------------------------------------------ 0 string \x87\x00\x00 LZMA compressed data, properties: 0x87, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x88 # ------------------------------------------------------------------ 0 string \x88\x00\x00 LZMA compressed data, properties: 0x88, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x89 # ------------------------------------------------------------------ 0 string \x89\x00\x00 LZMA compressed data, properties: 0x89, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x8A # ------------------------------------------------------------------ 0 string \x8A\x00\x00 LZMA compressed data, properties: 0x8A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x8B # ------------------------------------------------------------------ 0 string \x8B\x00\x00 LZMA compressed data, properties: 0x8B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x90 # ------------------------------------------------------------------ 0 string \x90\x00\x00 LZMA compressed data, properties: 0x90, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x91 # ------------------------------------------------------------------ 0 string \x91\x00\x00 LZMA compressed data, properties: 0x91, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x92 # ------------------------------------------------------------------ 0 string \x92\x00\x00 LZMA compressed data, properties: 0x92, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x93 # ------------------------------------------------------------------ 0 string \x93\x00\x00 LZMA compressed data, properties: 0x93, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x99 # ------------------------------------------------------------------ 0 string \x99\x00\x00 LZMA compressed data, properties: 0x99, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x9A # ------------------------------------------------------------------ 0 string \x9A\x00\x00 LZMA compressed data, properties: 0x9A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x9B # ------------------------------------------------------------------ 0 string \x9B\x00\x00 LZMA compressed data, properties: 0x9B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xA2 # ------------------------------------------------------------------ 0 string \xA2\x00\x00 LZMA compressed data, properties: 0xA2, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xA3 # ------------------------------------------------------------------ 0 string \xA3\x00\x00 LZMA compressed data, properties: 0xA3, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xAB # ------------------------------------------------------------------ 0 string \xAB\x00\x00 LZMA compressed data, properties: 0xAB, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB4 # ------------------------------------------------------------------ 0 string \xB4\x00\x00 LZMA compressed data, properties: 0xB4, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB5 # ------------------------------------------------------------------ 0 string \xB5\x00\x00 LZMA compressed data, properties: 0xB5, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB6 # ------------------------------------------------------------------ 0 string \xB6\x00\x00 LZMA compressed data, properties: 0xB6, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB7 # ------------------------------------------------------------------ 0 string \xB7\x00\x00 LZMA compressed data, properties: 0xB7, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB8 # ------------------------------------------------------------------ 0 string \xB8\x00\x00 LZMA compressed data, properties: 0xB8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBD # ------------------------------------------------------------------ 0 string \xBD\x00\x00 LZMA compressed data, properties: 0xBD, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBE # ------------------------------------------------------------------ 0 string \xBE\x00\x00 LZMA compressed data, properties: 0xBE, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBF # ------------------------------------------------------------------ 0 string \xBF\x00\x00 LZMA compressed data, properties: 0xBF, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC0 # ------------------------------------------------------------------ 0 string \xC0\x00\x00 LZMA compressed data, properties: 0xC0, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC6 # ------------------------------------------------------------------ 0 string \xC6\x00\x00 LZMA compressed data, properties: 0xC6, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC7 # ------------------------------------------------------------------ 0 string \xC7\x00\x00 LZMA compressed data, properties: 0xC7, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC8 # ------------------------------------------------------------------ 0 string \xC8\x00\x00 LZMA compressed data, properties: 0xC8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xCF # ------------------------------------------------------------------ 0 string \xCF\x00\x00 LZMA compressed data, properties: 0xCF, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xD0 # ------------------------------------------------------------------ 0 string \xD0\x00\x00 LZMA compressed data, properties: 0xD0, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xD8 # ------------------------------------------------------------------ 0 string \xD8\x00\x00 LZMA compressed data, properties: 0xD8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes binwalk-1.0/src/magic/bootloaders0000644000175000017500000000027312104542363015232 0ustar eveeve #---------------------------Bootloaders-------------------------------- # CFE bootloader 0 string CFE1CFE1 CFE boot loader, little endian 0 string 1EFC1EFC CFE boot loader, big endian binwalk-1.0/src/magic/archives0000644000175000017500000001016412104542363014521 0ustar eveeve# ----------------------------Archive Formats-------------------------------------- # POSIX tar archives 0 string ustar\000 POSIX tar archive{offset-adjust:-257} 0 string ustar\040\040\000 POSIX tar archive (GNU){offset-adjust:-257} # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14} 0 string JARCS JAR (ARJ Software, Inc.) archive data # ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort 0xea60 ARJ archive data >5 byte x \b, v%d, >8 byte &0x04 multi-volume, >8 byte &0x10 slash-switched, >8 byte &0x20 backup, >34 string x original name: "%s", >7 byte 0 os: MS-DOS >7 byte 1 os: PRIMOS >7 byte 2 os: Unix >7 byte 3 os: Amiga >7 byte 4 os: Macintosh >7 byte 5 os: OS/2 >7 byte 6 os: Apple ][ GS >7 byte 7 os: Atari ST >7 byte 8 os: NeXT >7 byte 9 os: VAX/VMS >3 byte >0 %d] # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string Rar! RAR archive data # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM JAM archive # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 0 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2} 0 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2} # cpio archives # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. #0 string 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string 070701 ASCII cpio archive (SVR4 with no CRC), >110 byte 0 invalid >110 string x file name: "%s" >54 string x {jump-to-offset:0x%.8s+112} 0 string 070702 ASCII cpio archive (SVR4 with CRC) >110 byte 0 invalid >110 string x file name: "%s" >54 string x {jump-to-offset:0x%.8s+112} # HP Printer Job Language # The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes # 0 string \033%-12345X@PJL HP Printer Job Language data >&0 string >\0 "%s" >>&0 string >\0 "%s" >>>&0 string >\0 "%s" >>>>&0 string >\0 "%s" #------------------------------------------------------------------------------ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # 0 belong 0xedabeedb RPM >4 byte x v%d >6 beshort 0 bin >6 beshort 1 src >8 beshort 1 i386 >8 beshort 2 Alpha >8 beshort 3 Sparc >8 beshort 4 MIPS >8 beshort 5 PowerPC >8 beshort 6 68000 >8 beshort 7 SGI >8 beshort 8 RS6000 >8 beshort 9 IA64 >8 beshort 10 Sparc64 >8 beshort 11 MIPSel >8 beshort 12 ARM >10 string x "%s" binwalk-1.0/src/magic/filesystems0000644000175000017500000004034312104542363015266 0ustar eveeve#--------------------File Systems--------------------- # Minix filesystems - Juan Cespedes 0x410 leshort 0x137f Minix filesystem >0x402 beshort !0 \b, %d zones >0x1e string minix \b, bootable 0x410 leshort 0x138f Minix filesystem, 30 char names 0x410 leshort 0x2468 Minix filesystem, version 2 0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names 0x410 leshort 0x4d5a Minix filesystem, version 3 0x410 leshort 0x4d6a Minix filesystem, version 3, 30 char names 0x410 beshort 0x137f Minix filesystem (big endian) >0x402 beshort !0 \b, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x138f Minix filesystem (big endian), 30 char names 0x410 beshort 0x2468 Minix filesystem (big endian), version 2 0x410 beshort 0x2478 Minix filesystem (big endian), version 2, 30 char names 0x410 beshort 0x4d5a Minix filesystem (big endian), version 3 0x410 beshort 0x4d6a Minix filesystem (big endian), version 3, 30 char names # YAFFS 0 string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF YAFFS filesystem # EFS2 file system - jojo@utulsa.edu 0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian, >8 string !EFSSuper invalid, >4 leshort &1 NAND >4 leshort ^1 NOR >4 leshort x version 0x%x, >24 lelong x %d blocks, >16 lelong x 0x%x pages per block, >20 lelong x 0x%x bytes per page 0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian, >8 string !SSFErepu invalid, >4 beshort &1 NAND >4 beshort ^1 NOR >4 beshort x version 0x%x, >24 belong x %d blocks, >16 belong x 0x%x pages per block, >20 belong x 0x%x bytes per page # TROC file system 0 string TROC TROC filesystem, >4 lelong x %d file entries # PFS file system 0 string PFS/ PFS filesystem, >4 string x version "%s", >14 leshort x %d files # MPFS file system 0 string MPFS MPFS (Microchip) filesystem, >4 byte x version %d. >5 byte x \b%d, >6 leshort x %d file entries # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 CramFS filesystem, little endian >4 lelong <0 invalid >4 lelong x size %lu >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, >36 lelong x edition %lu, >40 lelong <0 invalid >40 lelong x %lu blocks, >44 lelong <0 invalid >44 lelong x %lu files >4 lelong x {jump-to-offset:%lu} >4 lelong x {file-size:%lu} 0 belong 0x28cd3d45 CramFS filesystem, big endian >4 belong <0 invalid >4 belong x size %lu >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, >36 belong x edition %lu, >40 belong <0 invalid >40 belong x %lu blocks, >44 belong <0 invalid >44 belong x %lu files >4 belong x {jump-to-offset:%lu} >4 belong x {file-size:%lu} # JFFS2 file system # If used with binwalk's smart signature feature (on by default, -S to disable) # this signature can potentially lead to missing some JFFS2 file systems if there # are multiple JFFS2 file systems in a target file and there are no other identified # files in between the JFFS2 file systems. This is an unlikely scenario however, and # the below signatures are much improved in terms of readability and accuracy in the # vast majority of real world scenarios. 0 leshort 0x1985 JFFS2 filesystem, little endian{filter-include} >2 leshort !0xE001 >>2 leshort !0xE002 >>>2 leshort !0x2003 >>>>2 leshort !0x2004 >>>>>2 leshort !0x2006 >>>>>>2 leshort !0xE008 >>>>>>>2 leshort !0xE009 \b, invalid >(4.l) leshort !0x1985 >>(4.l+1) leshort !0x1985 >>>(4.l+2) leshort !0x1985 >>>>(4.l+3) leshort !0x1985 >>>>>(4.l) leshort !0xFFFF >>>>>>(4.l+1) leshort !0xFFFF >>>>>>>(4.l+2) leshort !0xFFFF >>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid >4 lelong x {one-of-many}{jump-to-offset:%d} 0 beshort 0x1985 JFFS2 filesystem, big endian{filter-include} >2 beshort !0xE001 >>2 beshort !0xE002 >>>2 beshort !0x2003 >>>>2 beshort !0x2004 >>>>>2 beshort !0x2006 >>>>>>2 beshort !0xE008 >>>>>>>2 beshort !0xE009 \b, invalid >(4.L) beshort !0x1985 >>(4.L+1) beshort !0x1985 >>>(4.L+2) beshort !0x1985 >>>>(4.L+3) beshort !0x1985 >>>>>(4.L) beshort !0xFFFF >>>>>>(4.L+1) beshort !0xFFFF >>>>>>>(4.L+2) beshort !0xFFFF >>>>>>>>(4.L+3) beshort !0xFFFF \b, invalid >4 belong x {one-of-many}{jump-to-offset:%d} # Squashfs, big endian 0 string sqsh Squashfs filesystem, big endian, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >28 beshort 3 >>63 bequad x size: %lld bytes, >28 beshort >3 >>40 bequad x size: %lld bytes, >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs, little endian 0 string hsqs Squashfs filesystem, little endian, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # Squashfs with LZMA compression 0 string sqlz Squashfs filesystem, big endian, lzma compression, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs 3.3 LZMA signature 0 string qshs Squashfs filesystem, big endian, lzma signature, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs for DD-WRT 0 string tqsh Squashfs filesystem, big endian, DD-WRT signature, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs for DD-WRT 0 string hsqt Squashfs filesystem, little endian, DD-WRT signature, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # Non-standard Squashfs signature found on some D-Link routers 0 string shsq Squashfs filesystem, little endian, non-standard signature, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # ext2/ext3 filesystems - Andreas Dilger # ext4 filesystem - Eric Sandeen # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 0 leshort 0xEF53 Linux EXT filesystem,{filter-include}{offset-adjust:-0x438} >2 leshort >4 invalid state >2 leshort 3 invalid state >2 leshort <0 invalid state >4 leshort >3 invalid error behavior >4 leshort <0 invalid error behavior >4 lelong >1 invalid major revision >4 lelong <0 invalid major revision >4 lelong x rev %d >6 leshort x \b.%d # No journal? ext2 >36 lelong ^0x0000004 ext2 filesystem data >>2 leshort ^0x0000001 (mounted or unclean) # Has a journal? ext3 or ext4 >36 lelong &0x0000004 # and small INCOMPAT? >>40 lelong <0x0000040 # and small RO_COMPAT? >>>44 lelong <0x0000008 ext3 filesystem data # else large RO_COMPAT? >>>44 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>40 lelong >0x000003f ext4 filesystem data >48 belong x \b, UUID=%08x >52 beshort x \b-%04x >54 beshort x \b-%04x >56 beshort x \b-%04x >58 belong x \b-%08x >60 beshort x \b%04x >64 string >0 \b, volume name "%s" #romfs filesystems - Juan Cespedes 0 string -rom1fs-\0 romfs filesystem, version 1 >8 belong >10000000 invalid >8 belong x size: %d bytes, >16 string x {file-name:%s} >16 string x named "%s" >8 belong x {file-size:%d} >8 belong x {jump-to-offset:%d} # Wind River MemFS file system, found in some VxWorks devices 0 string owowowowowowowowowowowowowowow Wind River management filesystem, >30 string !ow invalid, >32 belong 1 compressed, >32 belong 2 plain text, >36 belong x %d files # netboot image - Juan Cespedes 0 lelong 0x1b031336L Netboot image, >4 lelong&0xFFFFFF00 0 >>4 lelong&0x100 0x000 mode 2 >>4 lelong&0x100 0x100 mode 3 >4 lelong&0xFFFFFF00 !0 unknown mode (invalid) binwalk-1.0/src/magic/images0000644000175000017500000002216612104542363014167 0ustar eveeve# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian 0 string II\x2a\x00 TIFF image data, little-endian # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image >16 belong x \b, %ld x >20 belong x %ld, >24 byte x %d-bit >25 byte 0 grayscale, >25 byte 2 \b/color RGB, >25 byte 3 colormap, >25 byte 4 gray+alpha, >25 byte 6 \b/color RGBA, #>26 byte 0 deflate/32K, >28 byte 0 non-interlaced >28 byte 1 interlaced # GIF 0 string GIF8 GIF image data >4 string 7a \b, version 8"%s", >4 string 9a \b, version 8"%s", >6 leshort >0 %hd x >8 leshort >0 %hd #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors #>10 byte&0x07 =0x02 8 colors #>10 byte&0x07 =0x03 16 colors #>10 byte&0x07 =0x04 32 colors #>10 byte&0x07 =0x05 64 colors #>10 byte&0x07 =0x06 128 colors #>10 byte&0x07 =0x07 256 colors # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) 0 string BM >14 leshort 12 PC bitmap, OS/2 1.x format >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 64 PC bitmap, OS/2 2.x format >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 40 PC bitmap, Windows 3.x format >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 128 PC bitmap, Windows NT/2000 format >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d #------------------------------------------------------------------------------ # JPEG images # SunOS 5.5.1 had # # 0 string \377\330\377\340 JPEG file # 0 string \377\330\377\356 JPG file # # both of which turn into "JPEG image data" here. # 0 beshort 0xffd8 JPEG image data >6 string JFIF \b, JFIF standard # The following added by Erik Rossen 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these # tests are not fool-proof since some perfectly valid JPEGs are currently # impossible to specify in magic(4) format. # First, a little JFIF version info: >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: #>>13 byte 0 \b, aspect ratio #>>13 byte 1 \b, resolution (DPI) #>>13 byte 2 \b, resolution (DPCM) #>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d # EXIF moved down here to avoid reporting a bogus version number, # and EXIF version number printing added. # - Patrik R=E5dman >6 string Exif \b, EXIF standard # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # All possible combinations of entries have to be enumerated, since no looping # is possible. And both endians are possible... # The combinations included below are from real-world JPEGs. # Little-endian >>12 string II # IFD 0 Entry #5: >>>70 leshort 0x8769 # EXIF IFD Entry #1: >>>>(78.l+14) leshort 0x9000 >>>>>(78.l+23) byte x %c >>>>>(78.l+24) byte x \b.%c >>>>>(78.l+25) byte !0x30 \b%c # IFD 0 Entry #9: >>>118 leshort 0x8769 # EXIF IFD Entry #3: >>>>(126.l+38) leshort 0x9000 >>>>>(126.l+47) byte x %c >>>>>(126.l+48) byte x \b.%c >>>>>(126.l+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 leshort 0x8769 # EXIF IFD Entry #3: >>>>(138.l+38) leshort 0x9000 >>>>>(138.l+47) byte x %c >>>>>(138.l+48) byte x \b.%c >>>>>(138.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(138.l+50) leshort 0x9000 >>>>>(138.l+59) byte x %c >>>>>(138.l+60) byte x \b.%c >>>>>(138.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.l+62) leshort 0x9000 >>>>>(138.l+71) byte x %c >>>>>(138.l+72) byte x \b.%c >>>>>(138.l+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 leshort 0x8769 # EXIF IFD Entry #3: >>>>(150.l+38) leshort 0x9000 >>>>>(150.l+47) byte x %c >>>>>(150.l+48) byte x \b.%c >>>>>(150.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(150.l+50) leshort 0x9000 >>>>>(150.l+59) byte x %c >>>>>(150.l+60) byte x \b.%c >>>>>(150.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(150.l+62) leshort 0x9000 >>>>>(150.l+71) byte x %c >>>>>(150.l+72) byte x \b.%c >>>>>(150.l+73) byte !0x30 \b%c # Big-endian >>12 string MM # IFD 0 Entry #9: >>>118 beshort 0x8769 # EXIF IFD Entry #1: >>>>(126.L+14) beshort 0x9000 >>>>>(126.L+23) byte x %c >>>>>(126.L+24) byte x \b.%c >>>>>(126.L+25) byte !0x30 \b%c # EXIF IFD Entry #3: >>>>(126.L+38) beshort 0x9000 >>>>>(126.L+47) byte x %c >>>>>(126.L+48) byte x \b.%c >>>>>(126.L+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 beshort 0x8769 # EXIF IFD Entry #3: >>>>(138.L+38) beshort 0x9000 >>>>>(138.L+47) byte x %c >>>>>(138.L+48) byte x \b.%c >>>>>(138.L+49) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.L+62) beshort 0x9000 >>>>>(138.L+71) byte x %c >>>>>(138.L+72) byte x \b.%c >>>>>(138.L+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 beshort 0x8769 # EXIF IFD Entry #4: >>>>(150.L+50) beshort 0x9000 >>>>>(150.L+59) byte x %c >>>>>(150.L+60) byte x \b.%c >>>>>(150.L+61) byte !0x30 \b%c # Here things get sticky. We can do ONE MORE marker segment with # indirect addressing, and that's all. It would be great if we could # do pointer arithemetic like in an assembler language. Christos? # And if there was some sort of looping construct to do searches, plus a few # named accumulators, it would be even more effective... # At least we can show a comment if no other segments got inserted before: >(4.S+5) byte 0xFE >>(4.S+8) string >\0 \b, comment: "%s" # FIXME: When we can do non-byte counted strings, we can use that to get # the string's count, and fix Debian bug #283760 #>(4.S+5) byte 0xFE \b, comment #>>(4.S+6) beshort x \b length=%d #>>(4.S+8) string >\0 \b, "%s" # Or, we can show the encoding type (I've included only the three most common) # and image dimensions if we are lucky and the SOFn (image segment) is here: >(4.S+5) byte 0xC0 \b, baseline >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC1 \b, extended sequential >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC2 \b, progressive >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d # I've commented-out quantisation table reporting. I doubt anyone cares yet. #>(4.S+5) byte 0xDB \b, quantisation table #>>(4.S+6) beshort x \b length=%d #>14 beshort x \b, %d x #>16 beshort x \b %d binwalk-1.0/src/magic/kernels0000644000175000017500000000144512104542363014362 0ustar eveeve #-------------------------Kernels------------------------------------- # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer # and Nicolás Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image >514 string !HdrS (invalid) # Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a). # Commonly found in decompressed embedded kernel binaries. 0 string Linux\ version\ Linux kernel version >14 byte 0 invalid >14 byte !0 >>14 string x "%s >>45 string x \b%s >>76 string x \b%s >>107 string x \b%s" binwalk-1.0/src/magic/sql0000644000175000017500000000437612104542363013524 0ustar eveeve#------------------------------------------------------------------------------ # $File: sql,v 1.6 2009/09/19 16:28:12 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" # Recognize some MySQL files. # 0 beshort 0xfe01 MySQL table definition file >2 string <1 invalid >2 string >\11 invalid >2 byte x Version %d 0 string \xfe\xfe\x03 MySQL MISAM index file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x07 MySQL MISAM compressed data file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x05 MySQL ISAM index file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x06 MySQL ISAM compressed data file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \376bin MySQL replication log #------------------------------------------------------------------------------ # iRiver H Series database file # From Ken Guest # As observed from iRivNavi.iDB and unencoded firmware # 0 string iRivDB iRiver Database file >11 string >\0 Version "%s" >39 string iHP-100 [H Series] #------------------------------------------------------------------------------ # SQLite database files # Ken Guest , Ty Sarna, Zack Weinberg # # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # # Version 2 used this format: 0 string **\x20This\x20file\x20contains\x20an\x20SQLite SQLite 2.x database # Version 3 of SQLite allows applications to embed their own "user version" # number in the database. Detect this and distinguish those files. 0 string SQLite\x20format\x203 >60 string _MTN Monotone source repository >60 belong !0 SQLite 3.x database, user version %u >60 belong 0 SQLite 3.x database binwalk-1.0/src/magic/firmware0000644000175000017500000002522212104542363014532 0ustar eveeve #--------------------------Firmware Formats--------------------------- # uImage file # From: Craig Heffner, U-Boot image.h header definitions file 0 belong 0x27051956 uImage header, header size: 64 bytes, >4 belong x header CRC: 0x%X, >8 bedate x created: %s, >12 belong x image size: %d bytes, >16 belong x Data Address: 0x%X, >20 belong x Entry Point: 0x%X, >24 belong x data CRC: 0x%X, #>28 byte x OS type: %d, >28 byte 0 OS: invalid OS, >28 byte 1 OS: OpenBSD, >28 byte 2 OS: NetBSD, >28 byte 3 OS: FreeBSD, >28 byte 4 OS: 4.4BSD, >28 byte 5 OS: Linux, >28 byte 6 OS: SVR4, >28 byte 7 OS: Esix, >28 byte 8 OS: Solaris, >28 byte 9 OS: Irix, >28 byte 10 OS: SCO, >28 byte 11 OS: Dell, >28 byte 12 OS: NCR, >28 byte 13 OS: LynxOS, >28 byte 14 OS: VxWorks, >28 byte 15 OS: pSOS, >28 byte 16 OS: QNX, >28 byte 17 OS: Firmware, >28 byte 18 OS: RTEMS, >28 byte 19 OS: ARTOS, >28 byte 20 OS: Unity OS, #>29 byte x CPU arch: %d, >29 byte 0 CPU: invalid OS, >29 byte 1 CPU: Alpha, >29 byte 2 CPU: ARM, >29 byte 3 CPU: Intel x86, >29 byte 4 CPU: IA64, >29 byte 5 CPU: MIPS, >29 byte 6 CPU: MIPS 64 bit, >29 byte 7 CPU: PowerPC, >29 byte 8 CPU: IBM S390, >29 byte 9 CPU: SuperH, >29 byte 10 CPU: Sparc, >29 byte 11 CPU: Sparc 64 bit, >29 byte 12 CPU: M68K, >29 byte 13 CPU: Nios-32, >29 byte 14 CPU: MicroBlaze, >29 byte 15 CPU: Nios-II, >29 byte 16 CPU: Blackfin, >29 byte 17 CPU: AVR, >29 byte 18 CPU: STMicroelectronics ST200, #>30 byte x image type: %d, >30 byte 0 image type: invalid Image, >30 byte 1 image type: Standalone Program, >30 byte 2 image type: OS Kernel Image, >30 byte 3 image type: RAMDisk Image, >30 byte 4 image type: Multi-File Image, >30 byte 5 image type: Firmware Image, >30 byte 6 image type: Script file, >30 byte 7 image type: Filesystem Image, >30 byte 8 image type: Binary Flat Device Tree Blob #>31 byte x compression type: %d, >31 byte 0 compression type: none, >31 byte 1 compression type: gzip, >31 byte 2 compression type: bzip2, >31 byte 3 compression type: lzma, >32 string x image name: "%s" #IMG0 header, found in VxWorks-based Mercury router firmware 0 string IMG0 IMG0 (VxWorks) header, >4 belong x size: %d #Mediatek bootloader signature #From xp-dev.com 0 string BOOTLOADER! Mediatek bootloader #CSYS header formats 0 string CSYS\x00 CSYS header, little endian, >8 lelong x size: %d 0 string CSYS\x80 CSYS header, big endian, >8 belong x size: %d # wrgg firmware image 0 string wrgg02 WRGG firmware header, >6 string x name: "%s", >48 string x root device: "%s" # trx image file 0 string HDR0 TRX firmware header, little endian, header size: 28 bytes, >4 lelong x image size: %d bytes, >8 lelong x CRC32: 0x%X >12 lelong x flags/version: 0x%X 0 string 0RDH TRX firmware header, big endian, header size: 28 bytes, >4 belong x image size: %d bytes, >8 belong x CRC32: 0x%X >12 belong x flags/version: 0x%X # Ubicom firmware image 0 belong 0xFA320080 Ubicom firmware header, >12 belong x checksum: 0x%X, >24 belong x image size: %d # The ROME bootloader is used by several RealTek-based products. # Unfortunately, the magic bytes are specific to each product, so # separate signatures must be created for each one. # Netgear KWGR614 ROME image 0 string G614 Realtek firmware header (ROME bootloader), >4 beshort 0xd92f image type: KFS, >4 beshort 0xb162 image type: RDIR, >4 beshort 0xea43 image type: BOOT, >4 beshort 0x8dc9 image type: RUN, >4 beshort 0x2a05 image type: CCFG, >4 beshort 0x6ce8 image type: DCFG, >4 beshort 0xc371 image type: LOG, >6 byte x header version: %d, #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 byte x body checksum: 0x%X, >23 byte x header checksum: 0x%X # Linksys WRT54GX ROME image 0 belong 0x59a0e842 Realtek firmware header (ROME bootloader) >4 beshort 0xd92f image type: KFS, >4 beshort 0xb162 image type: RDIR, >4 beshort 0xea43 image type: BOOT, >4 beshort 0x8dc9 image type: RUN, >4 beshort 0x2a05 image type: CCFG, >4 beshort 0x6ce8 image type: DCFG, >4 beshort 0xc371 image type: LOG, >6 byte x header version: %d, #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 byte x body checksum: 0x%X, >23 byte x header checksum: 0x%X # PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images. 0 string --PaCkImGs-- PackImg section delimiter tag, >16 lelong x little endian size: %d bytes; >16 belong x big endian size: %d bytes #------------------------------------------------------------------------------ # Broadcom header format # 0 string BCRM Broadcom header, >4 lelong x number of sections: %d, >>8 lelong 18 first section type: flash >>8 lelong 19 first section type: disk >>8 lelong 21 first section type: tag # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # http://ftg.lbl.gov/checkpoint 0 string Ck0\0\0R\0\0\0 BLCR >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) 0 string \0\0\0C\0\0\0R BLCR >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Aculab VoIP firmware # From: Mark Brown 0 string VoIP\x20Startup\x20and Aculab VoIP firmware >35 string x format "%s" #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From Albert Cahalan # really le32 operation,destination,payloadsize (but quite predictable) # 01 00 00 00 00 00 00 c0 00 02 00 00 0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom >38 string x V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system) # # Motorola S-Records, from Gerd Truschinski 0 string S0 Motorola S-Record; binary data in text format # -------------------------------- # Microsoft Xbox data file formats 0 string XIP0 XIP, Microsoft Xbox data 0 string XTF0 XTF, Microsoft Xbox data #Windows CE 0 string CECE Windows CE RTOS{offset-adjust:-64} # -------------------------------- # ZynOS ROM header format # From openwrt zynos.h. 0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6} #>0 belong x load address 0x%X, >3 byte <0x7F rom image type: >>3 byte <1 invalid, >>3 byte >7 invalid, >>3 byte 1 ROMIMG, >>3 byte 2 ROMBOOT, >>3 byte 3 BOOTEXT, >>3 byte 4 ROMBIN, >>3 byte 5 ROMDIR, >>3 byte 6 6, >>3 byte 7 ROMMAP, >3 byte >0x7F ram image type: >>3 byte >0x82 invalid, >>3 byte 0x80 RAM, >>3 byte 0x81 RAMCODE, >>3 byte 0x82 RAMBOOT, >4 belong >0x40000000 invalid >4 belong <0 invalid >4 belong 0 invalid >4 belong x uncompressed size: %d, >8 belong >0x40000000 invalid >8 belong <0 invalid >8 belong 0 invalid >8 belong x compressed size: %d, >14 beshort x uncompressed checksum: 0x%X, >16 beshort x compressed checksum: 0x%X, >12 byte x flags: 0x%X, >12 byte &0x40 uncompressed checksum is valid, >12 byte &0x80 the binary is compressed, >>12 byte &0x20 compressed checksum is valid, >35 belong x memory map table address: 0x%X # Firmware header used by some VxWorks-based Cisco products 0 string CI032.00 Cisco VxWorks firmware header, >8 lelong >1024 invalid >8 lelong <0 invalid >8 lelong x header size: %d bytes, >32 lelong >1024 invalid >32 lelong <0 invalid >32 lelong x number of files: %d, >48 lelong <0 invalid >48 lelong x image size: %d, >64 string x firmware version: "%s" # Firmware header used by some TV's 0 string FNIB ZBOOT firmware header, header size: 32 bytes, >8 lelong x load address: 0x%.8X, >12 lelong x start address: 0x%.8X, >16 lelong x checksum: 0x%.8X, >20 lelong x version: 0x%.8X, >24 lelong <1 invalid >24 lelong x image size: %d bytes # Firmware header used by several D-Link routers (and probably others) 0 string \x5e\xa3\xa4\x17 DLOB firmware header, >(7.b+12) string !\x5e\xa3\xa4\x17 invalid, #>>12 string x %s, >(7.b+40) string x boot partition: "%s" # TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format 0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4} #>-4 lelong x header version: %d, >0x94 beshort x firmware version: %d. >0x96 beshort x \b%d. >0x98 beshort x \b%d, >0x18 string x image version: "%s", #>0x74 belong x image size: %d bytes, >0x3C belong x product ID: 0x%X, >0x40 belong x product version: %d, >0x70 belong x kernel load address: 0x%X, >0x74 belong x kernel entry point: 0x%X, >0x7C belong x kernel offset: %d, >0x80 belong x kernel length: %d, >0x84 belong x rootfs offset: %d, >0x88 belong x rootfs length: %d, >0x8C belong x bootloader offset: %d, >0x90 belong x bootloader length: %d binwalk-1.0/src/setup.py0000755000175000017500000000147112104542363013430 0ustar eveeve#!/usr/bin/env python from os import listdir, path from distutils.core import setup # Generate a new magic file from the files in the magic directory print "generating binwalk magic file" magic_files = listdir("magic") magic_files.sort() fd = open("binwalk/magic/binwalk", "wb") for magic in magic_files: fpath = path.join("magic", magic) if path.isfile(fpath): fd.write(open(fpath).read()) fd.close() # The data files to install along with the binwalk module install_data_files = ["magic/*", "config/*"] # Install the binwalk module, script and support files setup( name = "binwalk", version = "1.0", description = "Firmware analysis tool", author = "Craig Heffner", url = "http://binwalk.googlecode.com", packages = ["binwalk"], package_data = {"binwalk" : install_data_files}, scripts = ["bin/binwalk"], ) binwalk-1.0/src/binwalk/0000755000175000017500000000000012104542363013337 5ustar eveevebinwalk-1.0/src/binwalk/parser.py0000644000175000017500000002570612104542363015217 0ustar eveeveimport os.path import tempfile from common import str2int class MagicParser: ''' Class for loading, parsing and creating libmagic-compatible magic files. This class is primarily used internally by the Binwalk class, and a class instance of it is available via the Binwalk.parser object. One useful method however, is file_from_string(), which will generate a temporary magic file from a given signature string: import binwalk bw = binwalk.Binwalk() # Create a temporary magic file that contains a single entry with a signature of '\\x00FOOBAR\\xFF', and append the resulting # temporary file name to the list of magic files in the Binwalk class instance. bw.magic_files.append(bw.parser.file_from_string('\\x00FOOBAR\\xFF', display_name='My custom signature')) bw.scan('firmware.bin') All magic files generated by this class will be deleted when the class deconstructor is called. ''' SHORT_SIZE = 2 SHORTS = ['beshort', 'leshort', 'byte'] BIG_ENDIAN = 'big' LITTLE_ENDIAN = 'little' MAGIC_STRING_FORMAT = "%d\tstring\t%s\t%s\n" DEFAULT_DISPLAY_NAME = "Raw string signature" WILDCARD = 'x' # If libmagic returns multiple results, they are delimited with this string. RESULT_SEPERATOR = "\\012- " # Size of the keys used in the matches set. Limited to 2 # as the key is the magic signature of a given magic file entry. # Entries can have variable length signatures, but the lowest # common demonitor is 2, so the first two bytes of the signature # is used as the key. Does this result in collisions and false # positives? Yes. But false positives are filtered out by the # MagicFilter class. The main purpose of MagicParser.match is to # limit the number of calls to libmagic without itself incurring # large computational overhead. And for that purpose, this is # quite effective. MATCH_INDEX_SIZE = 2 def __init__(self, filter=None, smart=None): ''' Class constructor. @filter - Instance of the MagicFilter class. May be None if the parse/parse_file methods are not used. @smart - Instance of the SmartSignature class. May be None if the parse/parse_file methods are not used. Returns None. ''' self.matches = set([]) self.signatures = {} self.sigset = {} self.filter = filter self.smart = smart self.raw_fd = None self.signature_count = 0 self.fd = tempfile.NamedTemporaryFile() def __del__(self): ''' Class deconstructor. ''' self.cleanup() def cleanup(self): ''' Cleans up any tempfiles created by the class instance. Returns None. ''' # Clean up the tempfiles try: self.fd.close() except: pass try: self.raw_fd.close() except: pass def file_from_string(self, signature_string, offset=0, display_name=DEFAULT_DISPLAY_NAME): ''' Generates a magic file from a signature string. @signature_string - The string signature to search for. @offset - The offset at which the signature should occur. @display_name - The text to display when the signature is found. Returns the name of the generated temporary magic file. ''' self.raw_fd = tempfile.NamedTemporaryFile() self.raw_fd.write(self.MAGIC_STRING_FORMAT % (offset, signature_string, display_name)) self.raw_fd.seek(0) return self.raw_fd.name def parse(self, file_name, filter_short_signatures=True, pre_filter_signatures=True): ''' Parses magic file(s) and contatenates them into a single temporary magic file while simultaneously removing filtered signatures. @file_name - Magic file, or list of magic files, to parse. @filter_short_signatures - Set to False to include entries with short (2 byte) magic signatures. @pre_filter_signatures - Set to False to disable smart signature keywords. Returns the name of the generated temporary magic file, which will be automatically deleted when the class deconstructor is called. ''' if type(file_name) == type([]): files = file_name else: files = [file_name] for fname in files: if os.path.exists(fname): self.parse_file(fname, filter_short_signatures, pre_filter_signatures) self.fd.seek(0) return self.fd.name def parse_file(self, file_name, filter_short_signatures=True, pre_filter_signatures=True): ''' Parses a magic file and appends valid signatures to the temporary magic file, as allowed by the existing filter rules. @file_name - Magic file to parse. @filter_short_signatures - Set to False to include entries with short (2 byte) magic signatures. @pre_filter_signatures - Set to False to disable smart signature keywords. Returns None. ''' # Default to not including signature entries until we've # found what looks like a valid entry. include = False line_count = 0 try: for line in open(file_name).readlines(): line_count += 1 # Check if this is the first line of a signature entry entry = self._parse_line(line) if entry is not None: # Once an entry is identified, default to excluding the entry include = False if pre_filter_signatures: # If the smart signature include keyword is specified for this entry, # add an include filter for this signature description. if self.smart.include(entry['description']): self.filter.include(entry['description'], exclusive=False) include = True # If we haven't already explicitly included this entry, and we are # filtering out short signatures and this is a short signature, then # add an exclude filter for this signature description if not include and filter_short_signatures and self._is_short(entry): self.filter.exclude(entry['description']) # If this signature is marked for inclusion, include it. if self.filter.filter(entry['description']) == self.filter.FILTER_INCLUDE: include = True if include: self.signature_count += 1 if not self.signatures.has_key(entry['offset']): self.signatures[entry['offset']] = [] if entry['condition'][:self.MATCH_INDEX_SIZE] not in self.signatures[entry['offset']]: self.signatures[entry['offset']].append(entry['condition'][:self.MATCH_INDEX_SIZE]) # Keep writing lines of the signature to the temporary magic file until # we detect a signature that should not be included. if include: self.fd.write(line) except Exception, e: raise Exception("Error parsing magic file '%s' on line %d: %s" % (file_name, line_count, str(e))) # Generate a dictionary of offsets with a set of signatures for (offset, siglist) in self.signatures.iteritems(): self.sigset[offset] = set(siglist) def _is_short(self, entry): ''' Determines if a signature entry has a short (2 byte) signature or not. @entry - Entry dictionary, as returned by self._parse_line(). Returns True if the signature is short, False if not short. ''' if entry['type'] in self.SHORTS: return True elif 'string' in entry['type']: if len(entry['condition'].decode('string_escape')) <= self.SHORT_SIZE: return True return False def _parse_line(self, line): ''' Parses a signature line into its four parts (offset, type, condition and description), looking for the first line of a given signature. @line - The signature line to parse. Returns a dictionary with the respective line parts populated if the line is the first of a signature. Returns a dictionary with all parts set to None if the line is not the first of a signature. ''' entry = { 'offset' : '', 'type' : '', 'condition' : '', 'description' : '', 'length' : 0 } # Quick and dirty pre-filter. We are only concerned with the first line of a # signature, which will always start with a number. Make sure the first byte of # the line is a number; if not, don't process. if line[:1] < '0' or line[:1] > '9': return None try: # Split the line into white-space separated parts. # For this to work properly, replace escaped spaces ('\ ') with '\x20'. # This means the same thing, but doesn't confuse split(). line_parts = line.replace('\\ ', '\\x20').split() entry['offset'] = line_parts[0] entry['type'] = line_parts[1] # The condition line may contain escaped sequences, so be sure to decode it properly. entry['condition'] = line_parts[2].decode('string_escape') entry['description'] = ' '.join(line_parts[3:]) except Exception, e: raise Exception("%s :: %s", (str(e), line)) # We've already verified that the first character in this line is a number, so this *shouldn't* # throw an exception, but let's catch it just in case... try: entry['offset'] = str2int(entry['offset']) except Exception, e: raise Exception("%s :: %s", (str(e), line)) # If this is a string, get the length of the string if 'string' in entry['type']: entry['length'] = len(entry['condition']) # Else, we need to jump through a few more hoops... else: # Default to little endian, unless the type field starts with 'be'. # This assumes that we're running on a little endian system... if entry['type'].startswith('be'): endianess = self.BIG_ENDIAN else: endianess = self.LITTLE_ENDIAN # Try to convert the condition to an integer. This does not allow # for more advanced conditions for the first line of a signature, # but needing that is rare. if entry['condition'] != self.WILDCARD: try: intval = str2int(entry['condition'].strip('L')) except Exception, e: raise Exception("Failed to evaluate condition for '%s' type: '%s', condition: '%s', error: %s" % (entry['description'], entry['type'], entry['condition'], str(e))) else: intval = 0 entry['length'] = 1 # How long is the field type? if entry['type'] == 'byte': entry['length'] = 1 elif 'short' in entry['type']: entry['length'] = 2 elif 'long' in entry['type']: entry['length'] = 4 elif 'quad' in entry['type']: entry['length'] = 8 # Convert the integer value to a string of the appropriate endianess entry['condition'] = self._to_string(intval, entry['length'], endianess) return entry def build_signature_set(self): ''' Builds a list of signature tuples. Returns a list of tuples in the format: [(, [set of 2-byte signatures])]. ''' signatures = [] for (offset, sigset) in self.sigset.iteritems(): signatures.append((offset, sigset)) signatures.sort() return signatures def _to_string(self, value, size, endianess): ''' Converts an integer value into a raw string. @value - The integer value to convert. @size - Size, in bytes, of the integer value. @endianess - One of self.LITTLE_ENDIAN | self.BIG_ENDIAN. Returns a raw string containing value. ''' data = "" for i in range(0, size): data += chr((value >> (8*i)) & 0xFF) if endianess != self.LITTLE_ENDIAN: data = data[::-1] return data def split(self, data): ''' Splits multiple libmagic results in the data string into a list of separate results. @data - Data string returned from libmagic. Returns a list of result strings. ''' try: return data.split(self.RESULT_SEPERATOR) except: return [] binwalk-1.0/src/binwalk/__init__.py0000644000175000017500000003547412104542363015465 0ustar eveeveimport os import magic from config import * from update import * from filter import * from parser import * from smartsig import * from extractor import * from prettyprint import * from common import file_size class Binwalk: ''' Primary Binwalk class. Interesting class objects: self.filter - An instance of the MagicFilter class. self.extractor - An instance of the Extractor class. self.parser - An instance of the MagicParser class. self.display - An instance of the PrettyPrint class. self.magic_files - A list of magic file path strings to use whenever the scan() method is invoked. self.scan_length - The total number of bytes to be scanned. self.total_scanned - The number of bytes that have already been scanned. ''' # Default libmagic flags. Basically disable anything we don't need in the name of speed. DEFAULT_FLAGS = magic.MAGIC_NO_CHECK_TEXT | magic.MAGIC_NO_CHECK_ENCODING | magic.MAGIC_NO_CHECK_APPTYPE | magic.MAGIC_NO_CHECK_TOKENS # The MAX_SIGNATURE_SIZE limits the amount of data available to a signature. # While most headers/signatures are far less than this value, some may reference # pointers in the header structure which may point well beyond the header itself. # Passing the entire remaining buffer to libmagic is resource intensive and will # significantly slow the scan; this value represents a reasonable buffer size to # pass to libmagic which will not drastically affect scan time. MAX_SIGNATURE_SIZE = 8092 # Max number of bytes to process at one time. Everyone should have 50MB of memory, right? READ_BLOCK_SIZE = 50 * 1024 * 1024 # Minimum verbosity level at which to enable extractor verbosity. VERY_VERBOSE = 2 # Scan every byte by default. DEFAULT_BYTE_ALIGNMENT = 1 def __init__(self, magic_files=[], flags=magic.MAGIC_NONE, log=None, quiet=False, verbose=0): ''' Class constructor. @magic_files - A list of magic files to use. @flags - Flags to pass to magic_open. [TODO: Might this be more appropriate as an argument to load_signaures?] @log - Output PrettyPrint data to log file as well as to stdout. @quiet - If set to True, supress PrettyPrint output to stdout. @verbose - Verbosity level. Returns None. ''' self.flags = self.DEFAULT_FLAGS | flags self.magic_files = magic_files self.verbose = verbose self.total_scanned = 0 self.scan_length = 0 self.total_read = 0 self.magic = None self.mfile = None # Instantiate the config class so we can access file/directory paths self.config = Config() # Use the system default magic file if no other was specified if not self.magic_files or self.magic_files is None: # Append the user's magic file first so that those signatures take precedence self.magic_files = [ self.config.paths['user'][self.config.BINWALK_MAGIC_FILE], self.config.paths['system'][self.config.BINWALK_MAGIC_FILE], ] # Only set the extractor verbosity if told to be very verbose if self.verbose >= self.VERY_VERBOSE: extractor_verbose = True else: extractor_verbose = False # Create an instance of the PrettyPrint class, which can be used to print results to screen/file. self.display = PrettyPrint(log=log, quiet=quiet, verbose=verbose, bwalk=self) # Create MagicFilter and Extractor class instances. These can be used to: # # o Create include/exclude filters # o Specify file extraction rules to be applied during a scan # self.filter = MagicFilter() self.extractor = Extractor(verbose=extractor_verbose) # Create SmartSignature and MagicParser class instances. These are mostly for internal use. self.smart = SmartSignature(self.filter) self.parser = MagicParser(self.filter, self.smart) def __del__(self): ''' Class deconstructor. ''' self.cleanup() def cleanup(self): ''' Cleanup any temporary files generated by the internal instance of MagicParser. Returns None. ''' try: self.parser.cleanup() except: pass def load_signatures(self, magic_files=[], pre_filter_signatures=True, filter_short_signatures=True): ''' Load signatures from magic file(s). Called automatically by Binwalk.scan() with all defaults, if not already called manually. @magic_files - A list of magic files to use (default: self.magic_files). @pre_filter_signatures - Set to False to disable pre-filtering of signatures before invoking libmagic. @filter_short_signatures - Set to True to include signatures with short (<= 2 byte) magic strings. Returns None. ''' # Disable pre filtering in the smart signature class instance. # This is also checked by Binwalk.scan() before performing pre-filtering. self.smart.pre_filter = pre_filter_signatures # The magic files specified here override any already set if magic_files and magic_files is not None: self.magic_files = magic_files # Parse the magic file(s) and initialize libmagic self.mfile = self.parser.parse(self.magic_files, filter_short_signatures=filter_short_signatures, pre_filter_signatures=pre_filter_signatures) self.magic = magic.open(self.flags) self.magic.load(self.mfile) def scan(self, target_file, offset=0, length=0, align=DEFAULT_BYTE_ALIGNMENT, show_invalid_results=False, callback=None): ''' Performs a Binwalk scan on the target file. @target_file - File to scan. @offset - Starting offset at which to start the scan. @length - Number of bytes to scan. @align - Look for signatures every align bytes. @show_invalid_results - Set to True to display invalid results. @callback - Callback function to be invoked when matches are found. The callback function is passed two arguments: a list of result dictionaries containing the scan results (one result per dict), and the offset at which those results were identified. Example callback function: def my_callback(offset, results): print "Found %d results at offset %d:" % (len(results), offset) for result in results: print "\t%s" % result['description'] binwalk.Binwalk(callback=my_callback).scan("firmware.bin") Upon completion, the scan method returns a sorted list of tuples containing a list of results dictionaries and the offsets at which those results were identified: scan_items = [ (0, [{description : "LZMA compressed data..."}]), (112, [{description : "gzip compressed data..."}]) ] See SmartSignature.parse for a more detailed description of the results dictionary structure. ''' scan_results = {} self.total_read = 0 self.total_scanned = 0 self.scan_length = length self.filter.show_invalid_results = show_invalid_results # Load the default signatures if self.load_signatures has not already been invoked if self.magic is None: self.load_signatures() # Get a local copy of the signature sets generated by self.parser.build_signature_set. # This is accessed heavily throughout the scan, and there is less overhead for accessing local variables in Python. signature_set = self.parser.build_signature_set() # Need the total size of the target file, even if we aren't scanning the whole thing fsize = file_size(target_file) # Open the target file and seek to the specified start offset fd = open(target_file) fd.seek(offset) # If no length was specified, make the length the size of the target file minus the starting offset if self.scan_length == 0: self.scan_length = fsize - offset # Sanity check on the byte alignment; default to 1 if align <= 0: align = 1 # Main loop, scan through all the data while True: i = 0 # Read in the next block of data from the target file and make sure it's valid (data, dlen) = self._read_block(fd) if data is None or dlen == 0: break # The total number of bytes scanned could be bigger than the total number # of bytes read from the file under the following circumstances: # # o The previous dlen was not a multiple of align # o A previous result specified a jump offset that was beyond the end of the # then current data block # # If this is the case, we need to index into this data block appropriately in order to # resume the scan from the appropriate offset, and adjust dlen accordingly. bufindex = self.total_scanned - self.total_read if bufindex > 0: # If the total_scanned > total_read, then the total_scanned offset is in a subsequent block. # Set i to bufindex, which will cause i to be greater than dlen and this block will be skipped. i = bufindex elif bufindex < 0: # If the total_scanned offset is less than total_read, then the total_scanned offset is # somewhere inside this block. Set i to index into the block appropriately. i = dlen + bufindex else: # If the total_scanned offset ends at the end of this block, don't scan any of this block i = dlen # Scan through each block of data looking for signatures while i < dlen: smart = {} results = [] results_offset = -1 pre_filter_ok = False smart_jump_done = False # Pre-filter data by checking to see if the parser thinks this might be a valid match. # This eliminates unnecessary calls into libmagic, which are very expensive. # # Ideally, this should be done in the MagicParser class, but function calls are expensive. # Doing it here greatly decreases the scan time. if self.smart.pre_filter: for (sig_offset, sigset) in signature_set: if data[i+sig_offset:i+sig_offset+self.parser.MATCH_INDEX_SIZE] in sigset: pre_filter_ok = True break else: pre_filter_ok = True if pre_filter_ok: # Pass the data to libmagic, and split out multiple results into a list for magic_result in self.parser.split(self.magic.buffer(data[i:i+self.MAX_SIGNATURE_SIZE])): # Some file names are not NULL byte terminated, but rather their length is # specified in a size field. To ensure these are not marked as invalid due to # non-printable characters existing in the file name, parse the filename(s) and # trim them to the specified filename length, if one was specified. magic_result = self.smart._parse_raw_strings(magic_result) # Make sure this is a valid result before further processing if not self.filter.invalid(magic_result): # The smart filter parser returns a dictionary of keyword values and the signature description. smart = self.smart.parse(magic_result) # Validate the jump value and check if the response description should be displayed if smart['jump'] > -1 and self._should_display(smart['description']): # If multiple results are returned and one of them has smart['jump'] set to a non-zero value, # the calculated results offset will be wrong since i will have been incremented. Only set the # results_offset value when the first match is encountered. if results_offset < 0: results_offset = offset + smart['adjust'] + self.total_scanned # Double check to make sure the smart['adjust'] value is sane. # If it makes results_offset negative, then it is not sane. if results_offset >= 0: # Extract the result, if it matches one of the extract rules and is not a delayed extract. if self.extractor.enabled and not (self.extractor.delayed and smart['delay']): # If the signature did not specify a size, extract to the end of the file. if smart['size'] == 0: smart['size'] = fsize-results_offset smart['extract'] = self.extractor.extract( results_offset, smart['description'], target_file, smart['size'], name=smart['name']) # This appears to be a valid result, so append it to the results list. results.append(smart) # Jump to the offset specified by jump. Only do this once, so that if multiple results # are returned each of which specify a jump offset, only the first will be honored. if smart['jump'] > 0 and not smart_jump_done: # Once a jump offset has been honored, we need to start scanning every byte since the # jump offset may have thrown off the original alignment. In terms of speed this is fine, # since the jump offset usually saves more time anyway. If this is not what the user # wanted/intended, disabling pre filtering will disable jump offset processing completely. align = self.DEFAULT_BYTE_ALIGNMENT smart_jump_done = True i += (smart['jump'] - align) self.total_scanned += (smart['jump'] - align) # Did we find any valid results? if results_offset >= 0: scan_results[results_offset] = results if callback is not None: callback(results_offset, results) # Track the number of bytes scanned in this block, and the total number of bytes scanned. i += align self.total_scanned += align # Sort the results before returning them scan_items = scan_results.items() scan_items.sort() # Do delayed extraction, if specified. if self.extractor.enabled and self.extractor.delayed: scan_items = self.extractor.delayed_extract(scan_items, target_file, fsize) return scan_items def _should_display(self, data): ''' Determines if a result string should be displayed to the user or not. @data - Display string. Returns True if the string should be displayed. Returns False if the string should not be displayed. ''' return (data and data is not None and not self.filter.invalid(data) and self.filter.filter(data) != self.filter.FILTER_EXCLUDE) def _read_block(self, fd): ''' Reads in a block of data from the target file. @fd - File object for the target file. Returns a tuple of (file block data, block data length). ''' dlen = 0 data = None # Read in READ_BLOCK_SIZE plus MAX_SIGNATURE_SIZE bytes, but return a max dlen value # of READ_BLOCK_SIZE. This ensures that there is a MAX_SIGNATURE_SIZE buffer at the # end of the returned data in case a signature is found at or near data[dlen]. rlen = self.READ_BLOCK_SIZE + self.MAX_SIGNATURE_SIZE if self.total_read < self.scan_length: data = fd.read(rlen) if data and data is not None: # Get the actual length of the read in data dlen = len(data) # If we've read in more data than the scan length, truncate the dlen value if (self.total_read + dlen) >= self.scan_length: dlen = self.scan_length - self.total_read # If dlen is the expected rlen size, it should be set to READ_BLOCK_SIZE elif dlen == rlen: dlen = self.READ_BLOCK_SIZE # Increment self.total_read to reflect the amount of data that has been read # for processing (actual read size is larger of course, due to the MAX_SIGNATURE_SIZE # buffer of data at the end of each block). self.total_read += dlen # Seek to the self.total_read offset so the next read can pick up where this one left off fd.seek(self.total_read) return (data, dlen) binwalk-1.0/src/binwalk/filter.py0000644000175000017500000001463012104542363015202 0ustar eveeveimport common from smartsig import SmartSignature class MagicFilter: ''' Class to filter libmagic results based on include/exclude rules and false positive detection. An instance of this class is available via the Binwalk.filter object. Example code which creates include, exclude, and grep filters before running a Binwalk scan: import binwalk bw = binwalk.Binwalk() # Include all signatures whose descriptions contain the string 'filesystem' in the first line of the signature, even if those signatures are normally excluded. # Note that if exclusive=False was specified, this would merely add these signatures to the default signatures. # Since exclusive=True (the default) has been specified, ONLY those matching signatures will be loaded; all others will be ignored. bw.filter.include('filesystem') # Exclude all signatures whose descriptions contain the string 'jffs2', even if those signatures are normally included. # In this case, we are now searching for all filesystem signatures, except JFFS2. bw.filter.exclude('jffs2') # Add a grep filter. Unlike the include and exclude filters, it does not affect which results are returned by Binwalk.scan(), but it does affect which results # are printed by Binwalk.display.results(). This is particularly useful for cases like the bincast scan, where multiple lines of results are returned per offset, # but you only want certian ones displayed. In this case, only file systems whose description contain the string '2012' will be displayed. bw.filter.grep(filters=['2012']) bw.scan('firmware.bin') ''' # If the result returned by libmagic is "data" or contains the text # 'invalid' or a backslash are known to be invalid/false positives. DATA_RESULT = "data" INVALID_RESULTS = ["invalid", "\\"] INVALID_RESULT = "invalid" NON_PRINTABLE_RESULT = "\\" FILTER_INCLUDE = 0 FILTER_EXCLUDE = 1 def __init__(self, show_invalid_results=False): ''' Class constructor. @show_invalid_results - Set to True to display results marked as invalid. Returns None. ''' self.filters = [] self.grep_filters = [] self.show_invalid_results = show_invalid_results self.exclusive_filter = False self.smart = SmartSignature(self) def include(self, match, exclusive=True): ''' Adds a new filter which explicitly includes results that contain the specified matching text. @match - Case insensitive text, or list of texts, to match. @exclusive - If True, then results that do not explicitly contain a FILTER_INCLUDE match will be excluded. If False, signatures that contain the FILTER_INCLUDE match will be included in the scan, but will not cause non-matching results to be excluded. Returns None. ''' include_filter = { 'type' : self.FILTER_INCLUDE, 'filter' : '' } if type(match) != type([]): matches = [match] else: matches = match for m in matches: if m: if exclusive and not self.exclusive_filter: self.exclusive_filter = True include_filter['filter'] = m.lower() self.filters.append(include_filter) def exclude(self, match): ''' Adds a new filter which explicitly excludes results that contain the specified matching text. @match - Case insensitive text, or list of texts, to match. Returns None. ''' exclude_filter = { 'type' : self.FILTER_EXCLUDE, 'filter' : '' } if type(match) != type([]): matches = [match] else: matches = match for m in matches: if m: exclude_filter['filter'] = m.lower() self.filters.append(exclude_filter) def filter(self, data): ''' Checks to see if a given string should be excluded from or included in the results. Called internally by Binwalk.scan(). @data - String to check. Returns FILTER_INCLUDE if the string should be included. Returns FILTER_EXCLUDE if the string should be excluded. ''' data = data.lower() # Loop through the filters to see if any of them are a match. # If so, return the registered type for the matching filter (FILTER_INCLUDE | FILTER_EXCLUDE). for f in self.filters: if f['filter'] in data: return f['type'] # If there was not explicit match and exclusive filtering is enabled, return FILTER_EXCLUDE. if self.exclusive_filter: return self.FILTER_EXCLUDE return self.FILTER_INCLUDE def invalid(self, data): ''' Checks if the given string contains invalid data. Called internally by Binwalk.scan(). @data - String to validate. Returns True if data is invalid, False if valid. ''' # A result of 'data' is never ever valid. if data == self.DATA_RESULT: return True # If showing invalid results, just return False. if self.show_invalid_results: return False # Don't include quoted strings or keyword arguments in this search, as # strings from the target file may legitimately contain the INVALID_RESULT text. if self.INVALID_RESULT in common.strip_quoted_strings(self.smart._strip_tags(data)): return True # There should be no non-printable data in any of the data if self.NON_PRINTABLE_RESULT in data: return True return False def grep(self, data=None, filters=[]): ''' Add or check case-insensitive grep filters against the supplied data string. @data - Data string to check grep filters against. Not required if filters is specified. @filters - Filter, or list of filters, to add to the grep filters list. Not required if data is specified. Returns None if data is not specified. If data is specified, returns True if the data contains a grep filter, or if no grep filters exist. If data is specified, returns False if the data does not contain any grep filters. ''' # Add any specified filters to self.grep_filters if filters: if type(filters) != type([]): gfilters = [filters] else: gfilters = filters for gfilter in gfilters: # Filters are case insensitive self.grep_filters.append(gfilter.lower()) # Check the data against all grep filters until one is found if data is not None: # If no grep filters have been created, always return True if not self.grep_filters: return True # Filters are case insensitive data = data.lower() # If a filter exists in data, return True for gfilter in self.grep_filters: if gfilter in data: return True # Else, return False return False return None def clear(self): ''' Clears all include, exclude and grep filters. Retruns None. ''' self.filters = [] self.grep_filters = [] binwalk-1.0/src/binwalk/smartsig.py0000644000175000017500000002112612104542363015544 0ustar eveeveimport re from common import str2int, get_quoted_strings class SmartSignature: ''' Class for parsing smart signature tags in libmagic result strings. This class is intended for internal use only, but a list of supported 'smart keywords' that may be used in magic files is available via the SmartSignature.KEYWORDS dictionary: from binwalk import SmartSignature for (i, keyword) in SmartSignature().KEYWORDS.iteritems(): print keyword ''' KEYWORD_DELIM_START = "{" KEYWORD_DELIM_END = "}" KEYWORDS = { 'jump' : '%sjump-to-offset:' % KEYWORD_DELIM_START, 'filename' : '%sfile-name:' % KEYWORD_DELIM_START, 'filesize' : '%sfile-size:' % KEYWORD_DELIM_START, 'raw-string' : '%sraw-string:' % KEYWORD_DELIM_START, # This one is special and must come last in a signature block 'raw-size' : '%sraw-string-length:' % KEYWORD_DELIM_START, 'adjust' : '%soffset-adjust:' % KEYWORD_DELIM_START, 'delay' : '%sextract-delay:' % KEYWORD_DELIM_START, 'raw-replace' : '%sraw-replace%s' % (KEYWORD_DELIM_START, KEYWORD_DELIM_END), 'one-of-many' : '%sone-of-many%s' % (KEYWORD_DELIM_START, KEYWORD_DELIM_END), 'include' : '%sfilter-include%s' % (KEYWORD_DELIM_START, KEYWORD_DELIM_END), 'exclude' : '%sfilter-exclude%s' % (KEYWORD_DELIM_START, KEYWORD_DELIM_END), } def __init__(self, filter, pre_filter_signatures=True): ''' Class constructor. @filter - Instance of the MagicFilter class. @pre_filter_signatures - Set to False to disable the pre-filtering of magic signatures. Returns None. ''' self.filter = filter self.last_one_of_many = None self.pre_filter_signatures = pre_filter_signatures def parse(self, data): ''' Parse a given data string for smart signature keywords. If any are found, interpret them and strip them. @data - String to parse, as returned by libmagic. Returns a dictionary of parsed values. ''' results = { 'description' : '', # The libmagic data string, stripped of all keywords 'name' : '', # The original name of the file, if known 'delay' : '', # Extract delay description 'extract' : '', # Name of the extracted file, filled in by Binwalk.Scan. 'jump' : 0, # The relative offset to resume the scan from 'size' : 0, # The size of the file, if known 'adjust' : 0, # The relative offset to add to the reported offset } # If pre-filtering is disabled, or the result data is not valid (i.e., potentially malicious), # don't parse anything, just return the raw data as the description. if not self.pre_filter_signatures or not self._is_valid(data): results['description'] = data else: # Parse the offset-adjust value. This is used to adjust the reported offset at which # a signature was located due to the fact that MagicParser.match expects all signatures # to be located at offset 0, which some wil not be. results['adjust'] = self._get_math_arg(data, 'adjust') # Parse the file-size value. This is used to determine how many bytes should be extracted # when extraction is enabled. If not specified, everything to the end of the file will be # extracted (see Binwalk.scan). try: results['size'] = str2int(self._get_keyword_arg(data, 'filesize')) except: pass results['delay'] = self._get_keyword_arg(data, 'delay') # Parse the string for the jump-to-offset keyword. # This keyword is honored, even if this string result is one of many. results['jump'] = self._get_math_arg(data, 'jump') # If this is one of many, don't do anything and leave description as a blank string. # Else, strip all keyword tags from the string and process additional keywords as necessary. if not self._one_of_many(data): results['name'] = self._get_keyword_arg(data, 'filename').strip('"') results['description'] = self._strip_tags(data) return results def _is_valid(self, data): ''' Validates that result data does not contain smart keywords in file-supplied strings. @data - Data string to validate. Returns True if data is OK. Returns False if data is not OK. ''' # All strings printed from the target file should be placed in strings, else there is # no way to distinguish between intended keywords and unintended keywords. Get all the # quoted strings. quoted_data = get_quoted_strings(data) # Check to see if there was any quoted data, and if so, if it contained the keyword starting delimiter if quoted_data and self.KEYWORD_DELIM_START in quoted_data: # If so, check to see if the quoted data contains any of our keywords. # If any keywords are found inside of quoted data, consider the keywords invalid. for (name, keyword) in self.KEYWORDS.iteritems(): if keyword in quoted_data: return False return True def _one_of_many(self, data): ''' Determines if a given data string is one result of many. @data - String result data. Returns True if the string result is one of many. Returns False if the string result is not one of many. ''' if not self.filter.invalid(data): if self.last_one_of_many is not None and data.startswith(self.last_one_of_many): return True if self.KEYWORDS['one-of-many'] in data: # Only match on the data before the first comma, as that is typically unique and static self.last_one_of_many = data.split(',')[0] else: self.last_one_of_many = None return False def _get_keyword_arg(self, data, keyword): ''' Retrieves the argument for keywords that specify arguments. @data - String result data, as returned by libmagic. @keyword - Keyword index in KEYWORDS. Returns the argument string value on success. Returns a blank string on failure. ''' arg = '' if self.KEYWORDS.has_key(keyword) and self.KEYWORDS[keyword] in data: arg = data.split(self.KEYWORDS[keyword])[1].split(self.KEYWORD_DELIM_END)[0] return arg def _get_math_arg(self, data, keyword): ''' Retrieves the argument for keywords that specifiy mathematical expressions as arguments. @data - String result data, as returned by libmagic. @keyword - Keyword index in KEYWORDS. Returns the resulting calculated value. ''' value = 0 arg = self._get_keyword_arg(data, keyword) if arg: for string_int in arg.split('+'): try: value += str2int(string_int) except: pass return value def _jump(self, data): ''' Obtains the jump-to-offset value of a signature, if any. @data - String result data. Returns the offset to jump to. ''' offset = 0 offset_str = self._get_keyword_arg(data, 'jump') if offset_str: try: offset = str2int(offset_str) except: pass return offset def _parse_raw_strings(self, data): ''' Process strings that aren't NULL byte terminated, but for which we know the string length. This should be called prior to any other smart parsing functions. @data - String to parse. Returns a parsed string. ''' if self.pre_filter_signatures and self._is_valid(data): # Get the raw string keyword arg raw_string = self._get_keyword_arg(data, 'raw-string') # Was a raw string keyword specified? if raw_string: # Get the raw string length arg raw_size = self._get_keyword_arg(data, 'raw-size') # Is the raw string length arg is a numeric value? if re.match('^-?[0-9]+$', raw_size): # Replace all instances of raw-replace in data with raw_string[:raw_size] # Also strip out everything after the raw-string keyword, including the keyword itself. # Failure to do so may (will) result in non-printable characters and this string will be # marked as invalid when it shouldn't be. data = data[:data.find(self.KEYWORDS['raw-string'])].replace(self.KEYWORDS['raw-replace'], '"' + raw_string[:str2int(raw_size)] + '"') return data def include(self, data): ''' Determines if a result should be included or excluded. @data - String result data. Returns True if the include smart tag is present. Returns False if the exclude smart tag is present. Returns None if neither smart tags are present. ''' # Validate keywords before checking for the include/exclude keywords. if self.pre_filter_signatures and self._is_valid(data): if self.KEYWORDS['exclude'] in data: return False elif self.KEYWORDS['include'] in data: return True return None def _strip_tags(self, data): ''' Strips the smart tags from a result string. @data - String result data. Returns a sanitized string. ''' if self.pre_filter_signatures: for (name, keyword) in self.KEYWORDS.iteritems(): start = data.find(keyword) if start != -1: end = data[start:].find(self.KEYWORD_DELIM_END) if end != -1: data = data.replace(data[start:start+end+1], "") return data binwalk-1.0/src/binwalk/common.py0000644000175000017500000000415412104542363015205 0ustar eveeve# Common functions. import os import re def file_size(filename): ''' Obtains the size of a given file. @filename - Path to the file. Returns the size of the file. ''' # Using open/lseek works on both regular files and block devices fd = os.open(filename, os.O_RDONLY) try: return os.lseek(fd, 0, os.SEEK_END) except Exception, e: raise Exception("file_size failed to obtain the size of '%s': %s" % (filename, str(e))) finally: os.close(fd) def str2int(string): ''' Attempts to convert string to a base 10 integer; if that fails, then base 16. @string - String to convert to an integer. Returns the integer value on success. Throws an exception if the string cannot be converted into either a base 10 or base 16 integer value. ''' try: return int(string) except: return int(string, 16) def strip_quoted_strings(string): ''' Strips out data in between double quotes. @string - String to strip. Returns a sanitized string. ''' # This regex removes all quoted data from string. # Note that this removes everything in between the first and last double quote. # This is intentional, as printed (and quoted) strings from a target file may contain # double quotes, and this function should ignore those. However, it also means that any # data between two quoted strings (ex: '"quote 1" you won't see me "quote 2"') will also be stripped. return re.sub(r'\"(.*)\"', "", string) def get_quoted_strings(string): ''' Returns a string comprised of all data in between double quotes. @string - String to get quoted data from. Returns a string of quoted data on success. Returns a blank string if no quoted data is present. ''' try: # This regex grabs all quoted data from string. # Note that this gets everything in between the first and last double quote. # This is intentional, as printed (and quoted) strings from a target file may contain # double quotes, and this function should ignore those. However, it also means that any # data between two quoted strings (ex: '"quote 1" non-quoted data "quote 2"') will also be included. return re.findall(r'\"(.*)\"', string)[0] except: return '' binwalk-1.0/src/binwalk/config/0000755000175000017500000000000012104542363014604 5ustar eveevebinwalk-1.0/src/binwalk/config/extract.conf0000644000175000017500000000231712104542363017130 0ustar eveeve################################################################################################################# # Default extract rules loaded when --extract is specified. # # :: # # Note that %e is a place holder for the extracted file name. ################################################################################################################# # Assumes these utilities are installed in $PATH. gzip compressed data:gz:gzip -d -f '%e' lzma compressed data:7z:7zr e -y '%e' bzip2 compressed data:bz2:bzip2 -d -f '%e' zip archive data:zip:jar xf '%e' # jar does a better job of unzipping than unzip does... posix tar archive:tar:tar xvf '%e' # These assume the firmware-mod-kit is installed to /opt/firmware-mod-kit. # If not, change the file paths appropriately. squashfs filesystem:squashfs:/opt/firmware-mod-kit/trunk/unsquashfs_all.sh '%e' jffs2 filesystem:jffs2:/opt/firmware-mod-kit/trunk/src/jffs2/unjffs2 '%e' # requires root cpio archive:cpio:/opt/firmware-mod-kit/trunk/uncpio.sh '%e' # Extract, but don't run anything ext2 filesystem:ext2 romfs filesystem:romfs cramfs filesystem:cramfs private key:key binwalk-1.0/src/binwalk/config.py0000644000175000017500000001125512104542363015162 0ustar eveeveimport os class Config: ''' Binwalk configuration class, used for accessing user and system file paths. After instatiating the class, file paths can be accessed via the self.paths dictionary. System file paths are listed under the 'system' key, user file paths under the 'user' key. For example, to get the path to both the user and system binwalk magic files: from binwalk import Config conf = Config() user_binwalk_file = conf.paths['user'][conf.BINWALK_MAGIC_FILE] system_binwalk_file = conf.paths['system'][conf.BINWALK_MAGIC_FILE] There is also an instance of this class available via the Binwalk.config object: import binwalk bw = binwalk.Binwalk() user_binwalk_file = bw.config.paths['user'][conf.BINWALK_MAGIC_FILE] system_binwalk_file = bw.config.paths['system'][conf.BINWALK_MAGIC_FILE] Valid file names under both the 'user' and 'system' keys are as follows: o BINWALK_MAGIC_FILE - Path to the default binwalk magic file. o BINCAST_MAGIC_FILE - Path to the bincast magic file (used when -C is specified with the command line binwalk script) o BINARCH_MAGIC_FILE - Path to the binarch magic file (used when -A is specified with the command line binwalk script) o EXTRACT_FILE - Path to the extract configuration file (used when -e is specified with the command line binwalk script) ''' # Release version VERSION = "1.0" # Sub directories BINWALK_USER_DIR = ".binwalk" BINWALK_MAGIC_DIR = "magic" BINWALK_CONFIG_DIR = "config" # File names EXTRACT_FILE = "extract.conf" BINWALK_MAGIC_FILE = "binwalk" BINCAST_MAGIC_FILE = "bincast" BINARCH_MAGIC_FILE = "binarch" def __init__(self): ''' Class constructor. Enumerates file paths and populates self.paths. ''' # Path to the user binwalk directory self.user_dir = self._get_user_dir() # Path to the system wide binwalk directory self.system_dir = self._get_system_dir() # Dictionary of all absolute user/system file paths self.paths = { 'user' : {}, 'system' : {}, } # Build the paths to all user-specific files self.paths['user'][self.BINWALK_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE) self.paths['user'][self.BINCAST_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINCAST_MAGIC_FILE) self.paths['user'][self.BINARCH_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINARCH_MAGIC_FILE) self.paths['user'][self.EXTRACT_FILE] = self._user_file(self.BINWALK_CONFIG_DIR, self.EXTRACT_FILE) # Build the paths to all system-wide files self.paths['system'][self.BINWALK_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE) self.paths['system'][self.BINCAST_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINCAST_MAGIC_FILE) self.paths['system'][self.BINARCH_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINARCH_MAGIC_FILE) self.paths['system'][self.EXTRACT_FILE] = self._system_file(self.BINWALK_CONFIG_DIR, self.EXTRACT_FILE) def _get_system_dir(self): ''' Find the directory where the binwalk module is installed on the system. ''' try: root = __file__ if os.path.islink(root): root = os.path.realpath(root) return os.path.dirname(os.path.abspath(root)) except: return '' def _get_user_dir(self): ''' Get the user's home directory. ''' try: # This should work in both Windows and Unix environments return os.getenv('USERPROFILE') or os.getenv('HOME') except: return '' def _file_path(self, dirname, filename): ''' Builds an absolute path and creates the directory and file if they don't already exist. @dirname - Directory path. @filename - File name. Returns a full path of 'dirname/filename'. ''' if not os.path.exists(dirname): try: os.makedirs(dirname) except: pass fpath = os.path.join(dirname, filename) if not os.path.exists(fpath): try: open(fpath, "w").close() except: pass return fpath def _user_file(self, subdir, basename): ''' Gets the full path to the 'subdir/basename' file in the user binwalk directory. @subdir - Subdirectory inside the user binwalk directory. @basename - File name inside the subdirectory. Returns the full path to the 'subdir/basename' file. ''' return self._file_path(os.path.join(self.user_dir, self.BINWALK_USER_DIR, subdir), basename) def _system_file(self, subdir, basename): ''' Gets the full path to the 'subdir/basename' file in the system binwalk directory. @subdir - Subdirectory inside the system binwalk directory. @basename - File name inside the subdirectory. Returns the full path to the 'subdir/basename' file. ''' return self._file_path(os.path.join(self.system_dir, subdir), basename) binwalk-1.0/src/binwalk/magic/0000755000175000017500000000000012104542363014417 5ustar eveevebinwalk-1.0/src/binwalk/magic/binarch0000644000175000017500000000132612104542363015752 0ustar eveeve# MIPS prologue # addiu $sp, -XX # 27 BD FF XX 1 string \377\275\47 MIPSEL function prologue 0 string \47\275\377 MIPS function prologue # MIPS epilogue # jr $ra 0 belong 0x03e00008 MIPS function epilogue 0 lelong 0x03e00008 MIPSEL function epilogue # PowerPC epilogue # blr 0 belong 0x4E800020 PowerPC big endian function epilogue 0 lelong 0x4E800020 PowerPC little endian function epilogue # ARM prologue # STMFD SP!, {XX} 0 beshort 0xE92D ARMEB function prologue 2 leshort 0xE92D ARM function prologue # ARM epilogue # LDMFD SP!, {XX} 0 beshort 0xE8BD ARMEB function epilogue 2 leshort 0xE8BD ARM function epilogue # x86 epilogue # push ebp # move ebp, esp 0 string \x55\x89\xE5 Intel x86 function epilogue binwalk-1.0/src/binwalk/magic/bincast0000644000175000017500000000043712104542363015771 0ustar eveeve0 belong x Hex: 0x%.8X #0 string x String: %s 0 lelong x Little Endian Long: %d 0 belong x Big Endian Long: %d 0 leshort x Little Endian Short: %d 0 beshort x Big Endian Short: %d 0 ledate x Little Endian Date: %s 0 bedate x Big Endian Date: %s binwalk-1.0/src/binwalk/magic/binwalk0000644000175000017500000061120312104542363015774 0ustar eveeve# ----------------------------Archive Formats-------------------------------------- # POSIX tar archives 0 string ustar\000 POSIX tar archive{offset-adjust:-257} 0 string ustar\040\040\000 POSIX tar archive (GNU){offset-adjust:-257} # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0 string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14} 0 string JARCS JAR (ARJ Software, Inc.) archive data # ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort 0xea60 ARJ archive data >5 byte x \b, v%d, >8 byte &0x04 multi-volume, >8 byte &0x10 slash-switched, >8 byte &0x20 backup, >34 string x original name: "%s", >7 byte 0 os: MS-DOS >7 byte 1 os: PRIMOS >7 byte 2 os: Unix >7 byte 3 os: Amiga >7 byte 4 os: Macintosh >7 byte 5 os: OS/2 >7 byte 6 os: Apple ][ GS >7 byte 7 os: Atari ST >7 byte 8 os: NeXT >7 byte 9 os: VAX/VMS >3 byte >0 %d] # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string Rar! RAR archive data # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM JAM archive # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 0 string -lzs- LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh\40- LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2} 0 string -lhd- LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh2- LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh3- LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh4- LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh5- LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh6- LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2} 0 string -lh7- LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2} # cpio archives # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. #0 string 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string 070701 ASCII cpio archive (SVR4 with no CRC), >110 byte 0 invalid >110 string x file name: "%s" >54 string x {jump-to-offset:0x%.8s+112} 0 string 070702 ASCII cpio archive (SVR4 with CRC) >110 byte 0 invalid >110 string x file name: "%s" >54 string x {jump-to-offset:0x%.8s+112} # HP Printer Job Language # The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes # 0 string \033%-12345X@PJL HP Printer Job Language data >&0 string >\0 "%s" >>&0 string >\0 "%s" >>>&0 string >\0 "%s" >>>>&0 string >\0 "%s" #------------------------------------------------------------------------------ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # 0 belong 0xedabeedb RPM >4 byte x v%d >6 beshort 0 bin >6 beshort 1 src >8 beshort 1 i386 >8 beshort 2 Alpha >8 beshort 3 Sparc >8 beshort 4 MIPS >8 beshort 5 PowerPC >8 beshort 6 68000 >8 beshort 7 SGI >8 beshort 8 RS6000 >8 beshort 9 IA64 >8 beshort 10 Sparc64 >8 beshort 11 MIPSel >8 beshort 12 ARM >10 string x "%s" #---------------------------Bootloaders-------------------------------- # CFE bootloader 0 string CFE1CFE1 CFE boot loader, little endian 0 string 1EFC1EFC CFE boot loader, big endian #------------------Compression Formats----------------------------- # AFX compressed files (Wolfram Kleff) 0 string -afx- AFX compressed file data{offset-adjust:-2} # bzip2 0 string BZh91AY&SY bzip2 compressed data, block size = 900k 0 string BZh81AY&SY bzip2 compressed data, block size = 800k 0 string BZh71AY&SY bzip2 compressed data, block size = 700k 0 string BZh61AY&SY bzip2 compressed data, block size = 600k 0 string BZh51AY&SY bzip2 compressed data, block size = 500k 0 string BZh41AY&SY bzip2 compressed data, block size = 400k 0 string BZh31AY&SY bzip2 compressed data, block size = 300k 0 string BZh21AY&SY bzip2 compressed data, block size = 200k 0 string BZh11AY&SY bzip2 compressed data, block size = 100k # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # lzip 0 string LZIP lzip compressed data >4 byte x \b, version: %d # LZO 0 string \211LZO\000\015\012\032\012 LZO compressed data # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte x version %d >7 byte x \b.%d # standard unix compress 0 beshort 0x1f9d compress'd data >2 byte&0x80 >0 block compressed >2 byte&0x1f !16 invalid >2 byte&0x1f x %d bits # http://tukaani.org/xz/xz-file-format.txt 0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213\x08 gzip compressed data >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, has CRC >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b{file-name:%s} >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS >9 byte >0x0D \b, invalid source >9 byte <0 \b, invalid source >3 byte &0x20 \b, encrypted (invalid) # Dates before 1992 are invalid, unless of course you're DD-WRT in which # case you don't know how to set a date in your gzip files. Brilliant. >4 lelong =0 \b, NULL date: >4 lelong <0 \b, invalid date: >4 lelong >0 >>4 lelong <694224000 \b, invalid date: >>4 lelong =694224000 \b, invalid date: >>4 lelong >694224000 \b, last modified: >4 ledate x %s >8 byte 2 \b, max compression >8 byte 4 \b, max speed # Zlib signatures 0 beshort 0x789C zlib compressed data 0 beshort 0x78DA zlib compressed data 0 beshort 0x7801 zlib compressed data # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) # ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\003\004 Zip archive data, >4 byte 0x00 v0.0 >4 byte 0x09 at least v0.9 to extract, >4 byte 0x0a at least v1.0 to extract, >4 byte 0x0b at least v1.1 to extract, >0x161 string WINZIP WinZIP self-extracting, >4 byte 0x14 >>30 ubelong !0x6d696d65 at least v2.0 to extract, >18 lelong !0 >>18 lelong <0 invalid >>18 lelong x compressed size: %d, >22 lelong !0 >>22 lelong <0 invalid >>22 lelong x uncompressed size: %d,{extract-delay:end of zip archive} >30 string x {file-name:{raw-replace}}name: {raw-replace} >26 leshort x {raw-string-length:%d} >30 string x {raw-string:%s >61 string x \b%s >92 string x \b%s >123 string x \b%s >154 string x \b%s} # ZIP footer 0 string PK\x05\x06 End of Zip archive >20 leshort x {offset-adjust:22+%d} >20 leshort >0 >>20 leshort x \b, comment: {raw-replace} >>20 leshort x {raw-string-length:%d} >>22 string x {raw-string:%s} # New LZMA format signature 0 string \xFFLZMA\x00 LZMA compressed data (new), >6 byte&0x10 0 single-block stream >6 byte&0x10 0x10 multi-block stream # See lzma file for LZMA signatures # Type: OpenSSL certificates/key files # From: Nicolas Collignon 0 string -----BEGIN\x20CERTIFICATE----- PEM certificate 0 string -----BEGIN\x20CERTIFICATE\x20REQ PEM certificate request 0 string -----BEGIN\x20RSA\x20PRIVATE PEM RSA private key 0 string -----BEGIN\x20DSA\x20PRIVATE PEM DSA private key # Type: OpenSSH key files # From: Nicolas Collignon 0 string SSH\x20PRIVATE\x20KEY OpenSSH RSA1 private key, >28 string >\0 version "%s" 0 string ssh-dss\x20 OpenSSH DSA public key 0 string ssh-rsa\x20 OpenSSH RSA public key # Type: Certificates/key files in DER format # From: Gert Hulselmans 0 string \x30\x82 Private key in DER format (PKCS#8), >4 string !\x02\x01\x00 invalid, >>2 beshort x header length: 4, sequence length: %d 0 string \x30\x82 Certificate in DER format (x509 v3), >4 string !\x30\x82 invalid, >>2 beshort x header length: 4, sequence length: %d # GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database >4 byte x version %d 0 beshort 0x9901 GPG key public ring # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. #------------------------------------------------------------------------------ # Mavroyanopoulos Nikos # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string \0m\3 mcrypt 2.5 encrypted data, >4 byte 0 invalid >4 string >\0 algorithm: "%s", >>&1 leshort <1 invalid >>&1 leshort >0 keysize: %d bytes, >>>&0 byte 0 invalid >>>&0 string >\0 mode: "%s", 0 string \0m\2 mcrypt 2.2 encrypted data, >3 byte 0 algorithm: blowfish-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, >3 byte 3 algorithm: 3-WAY, >3 byte 4 algorithm: GOST, >3 byte 6 algorithm: SAFER-SK64, >3 byte 7 algorithm: SAFER-SK128, >3 byte 8 algorithm: CAST-128, >3 byte 9 algorithm: xTEA, >3 byte 10 algorithm: TWOFISH-128, >3 byte 11 algorithm: RC2, >3 byte 12 algorithm: TWOFISH-192, >3 byte 13 algorithm: TWOFISH-256, >3 byte 14 algorithm: blowfish-128, >3 byte 15 algorithm: blowfish-192, >3 byte 16 algorithm: blowfish-256, >3 byte 100 algorithm: RC6, >3 byte 101 algorithm: IDEA, >3 byte <0 invalid algorithm >3 byte >101 invalid algorithm, >3 byte >16 >>3 byte <100 invalid algorithm, >4 byte 0 mode: CBC, >4 byte 1 mode: ECB, >4 byte 2 mode: CFB, >4 byte 3 mode: OFB, >4 byte 4 mode: nOFB, >4 byte <0 invalid mode, >4 byte >4 invalid mode, >5 byte 0 keymode: 8bit >5 byte 1 keymode: 4bit >5 byte 2 keymode: SHA-1 hash >5 byte 3 keymode: MD5 hash >5 byte <0 invalid keymode >5 byte >3 invalid keymode #------------------------------------------------------------------------------ # pgp: file(1) magic for Pretty Good Privacy # #0 beshort 0x9900 PGP key public ring #0 beshort 0x9501 PGP key security ring #0 beshort 0x9500 PGP key security ring #0 beshort 0xa600 PGP encrypted data 0 string -----BEGIN\040PGP PGP armored data >15 string PUBLIC\040KEY\040BLOCK- public key block >15 string MESSAGE- message >15 string SIGNED\040MESSAGE- signed message >15 string PGP\040SIGNATURE- signature #------------------Standard file formats------------------------------------ #------------------------------------------------------------------------------ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string \177ELF ELF >4 byte 0 invalid class >4 byte 1 32-bit # only for MIPS - in the future, the ABI field of e_flags should be used. >>18 leshort 8 >>>36 lelong &0x20 N32 >>18 leshort 10 >>>36 lelong &0x20 N32 >>18 beshort 8 >>>36 belong &0x20 N32 >>18 beshort 10 >>>36 belong &0x20 N32 >4 byte 2 64-bit >5 byte 0 invalid byte order >5 byte 1 LSB # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. >>18 leshort 8 # only for 32-bit >>>4 byte 1 >>>>36 lelong&0xf0000000 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 0x60000000 MIPS32 >>>>36 lelong&0xf0000000 0x70000000 MIPS64 >>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 lelong&0xf0000000 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 0x60000000 MIPS32 >>>>48 lelong&0xf0000000 0x70000000 MIPS64 >>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2 >>16 leshort 0 no file type, >>16 leshort 1 relocatable, >>16 leshort 2 executable, >>16 leshort 3 shared object, # Core handling from Peter Tobias # corrections by Christian 'Dr. Disk' Hechelmann >>16 leshort 4 core file # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola >>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong 0 68020 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, >>18 leshort 8 MIPS, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS (deprecated), >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>>50 leshort 0x0214 2.0 >>>48 leshort &0x0008 (LP64), >>18 leshort 16 nCUBE, >>18 leshort 17 Fujitsu VPP500, >>18 leshort 18 SPARC32PLUS, >>18 leshort 20 PowerPC, >>18 leshort 22 IBM S/390, >>18 leshort 36 NEC V800, >>18 leshort 37 Fujitsu FR20, >>18 leshort 38 TRW RH-32, >>18 leshort 39 Motorola RCE, >>18 leshort 40 ARM, >>18 leshort 41 Alpha, >>18 leshort 0xa390 IBM S/390 (obsolete), >>18 leshort 42 Hitachi SH, >>18 leshort 43 SPARC V9 - invalid byte order, >>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 46 Hitachi H8/300, >>18 leshort 47 Hitachi H8/300H, >>18 leshort 48 Hitachi H8S, >>18 leshort 49 Hitachi H8/500, >>18 leshort 50 IA-64 (Intel 64 bit architecture) >>18 leshort 51 Stanford MIPS-X, >>18 leshort 52 Motorola Coldfire, >>18 leshort 53 Motorola M68HC12, >>18 leshort 62 AMD x86-64, >>18 leshort 75 Digital VAX, >>18 leshort 97 NatSemi 32k, >>18 leshort 0x9026 Alpha (unofficial), >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >5 byte 2 MSB # only for MIPS - see comment in little-endian section above. >>18 beshort 8 # only for 32-bit >>>4 byte 1 >>>>36 belong&0xf0000000 0x00000000 MIPS-I >>>>36 belong&0xf0000000 0x10000000 MIPS-II >>>>36 belong&0xf0000000 0x20000000 MIPS-III >>>>36 belong&0xf0000000 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 0x40000000 MIPS-V >>>>36 belong&0xf0000000 0x60000000 MIPS32 >>>>36 belong&0xf0000000 0x70000000 MIPS64 >>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 belong&0xf0000000 0x00000000 MIPS-I >>>>48 belong&0xf0000000 0x10000000 MIPS-II >>>>48 belong&0xf0000000 0x20000000 MIPS-III >>>>48 belong&0xf0000000 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 0x40000000 MIPS-V >>>>48 belong&0xf0000000 0x60000000 MIPS32 >>>>48 belong&0xf0000000 0x70000000 MIPS64 >>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2 >>16 beshort 0 no file type, >>16 beshort 1 relocatable, >>16 beshort 2 executable, >>16 beshort 3 shared object, >>16 beshort 4 core file, #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola >>>36 belong &0x01000000 68000, >>>36 belong &0x00810000 CPU32, >>>36 belong 0 68020, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, >>18 beshort 8 MIPS, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS (deprecated), >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC >>>50 beshort 0x0214 2.0 >>>48 beshort &0x0008 (LP64) >>18 beshort 16 nCUBE, >>18 beshort 17 Fujitsu VPP500, >>18 beshort 18 SPARC32PLUS, >>>36 belong&0xffff00 &0x000100 V8+ Required, >>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 cisco 7500, >>18 beshort 22 IBM S/390, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 NEC V800 or cisco 12000, >>18 beshort 37 Fujitsu FR20, >>18 beshort 38 TRW RH-32, >>18 beshort 39 Motorola RCE, >>18 beshort 40 ARM, >>18 beshort 41 Alpha, >>18 beshort 42 Hitachi SH, >>18 beshort 43 SPARC V9, >>18 beshort 44 Siemens Tricore Embedded Processor, >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort 46 Hitachi H8/300, >>18 beshort 47 Hitachi H8/300H, >>18 beshort 48 Hitachi H8S, >>18 beshort 49 Hitachi H8/500, >>18 beshort 50 Intel Merced Processor, >>18 beshort 51 Stanford MIPS-X, >>18 beshort 52 Motorola Coldfire, >>18 beshort 53 Motorola M68HC12, >>18 beshort 73 Cray NV1, >>18 beshort 75 Digital VAX, >>18 beshort 97 NatSemi 32k, >>18 beshort 0x9026 Alpha (unofficial), >>18 beshort 0xa390 IBM S/390 (obsolete), >>18 beshort 0xde3d Ubicom32, >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. >4 byte <0x80 >>8 string >\0 ("%s") >8 string \0 >>7 byte 0 (SYSV) >>7 byte 1 (HP-UX) >>7 byte 2 (NetBSD) >>7 byte 3 (GNU/Linux) >>7 byte 4 (GNU/Hurd) >>7 byte 5 (86Open) >>7 byte 6 (Solaris) >>7 byte 7 (Monterey) >>7 byte 8 (IRIX) >>7 byte 9 (FreeBSD) >>7 byte 10 (Tru64) >>7 byte 11 (Novell Modesto) >>7 byte 12 (OpenBSD) >>7 byte 97 (ARM) >>7 byte 255 (embedded) # XXX - according to Microsoft's spec, at an offset of 0x3c in a # PE-format executable is the offset in the file of the PE header; # unfortunately, that's a little-endian offset, and there's no way # to specify an indirect offset with a specified byte order. # So, for now, we assume the standard MS-DOS stub, which puts the # PE header at 0x80 = 128. # # Required OS version and subsystem version were 4.0 on some NT 3.51 # executables built with Visual C++ 4.0, so it's not clear that # they're interesting. The user version was 0.0, but there's # probably some linker directive to set it. The linker version was # 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). # # many of the compressed formats were extraced from IDARC 1.23 source code # 0 string MZ Microsoft >0x18 leshort <0x40 MS-DOS executable >0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows >>&18 leshort&0x2000 >0 (DLL) >>&88 leshort 0 (unknown subsystem) >>&88 leshort 1 (native) >>&88 leshort 2 (GUI) >>&88 leshort 3 (console) >>&88 leshort 7 (POSIX) >>&0 leshort 0x0 unknown processor >>&0 leshort 0x14c Intel 80386 >>&0 leshort 0x166 MIPS R4000 >>&0 leshort 0x184 Alpha >>&0 leshort 0x268 Motorola 68000 >>&0 leshort 0x1f0 PowerPC >>&0 leshort 0x290 PA-RISC >>&18 leshort&0x0100 >0 32-bit >>&18 leshort&0x1000 >0 system file >>&228 lelong >0 \b, Mono/.Net assembly >>&0xf4 search/0x140 \x0\x40\x1\x0 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive >30 string Copyright\x201989-1990\x20PKWARE\x20Inc. Self-extracting PKZIP archive # Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect. >30 string PKLITE\x20Copr. Self-extracting PKZIP archive >0x18 leshort >0x3f >>(0x3c.l) string PE\0\0 PE >>>(0x3c.l+25) byte 1 \b32 executable >>>(0x3c.l+25) byte 2 \b32+ executable # hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) >>>(0x3c.l+92) leshort <10 >>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender >>>>(8.s*16) string !32STUB for MS Windows >>>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) >>>>>(0x3c.l+92) leshort 0 (unknown subsystem) >>>>>(0x3c.l+92) leshort 1 (native) >>>>>(0x3c.l+92) leshort 2 (GUI) >>>>>(0x3c.l+92) leshort 3 (console) >>>>>(0x3c.l+92) leshort 7 (POSIX) >>>(0x3c.l+92) leshort 10 (EFI application) >>>(0x3c.l+92) leshort 11 (EFI boot service driver) >>>(0x3c.l+92) leshort 12 (EFI runtime driver) >>>(0x3c.l+92) leshort 13 (XBOX) >>>(0x3c.l+4) leshort 0x0 unknown processor >>>(0x3c.l+4) leshort 0x14c Intel 80386 >>>(0x3c.l+4) leshort 0x166 MIPS R4000 >>>(0x3c.l+4) leshort 0x184 Alpha >>>(0x3c.l+4) leshort 0x268 Motorola 68000 >>>(0x3c.l+4) leshort 0x1f0 PowerPC >>>(0x3c.l+4) leshort 0x290 PA-RISC >>>(0x3c.l+4) leshort 0x200 Intel Itanium >>>(0x3c.l+22) leshort&0x0100 >0 32-bit >>>(0x3c.l+22) leshort&0x1000 >0 system file >>>(0x3c.l+232) lelong >0 Mono/.Net assembly >>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed >>>>(0x3c.l+0xf8) search/0x140 UPX2 >>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>(0x3c.l+0xf8) search/0x140 .idata >>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive >>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .rsrc >>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive >>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive >>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive >>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .data >>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed >>>>>(0x3c.l+0xf7) byte x >>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive >>>>(0x3c.l+0xf8) search/0x140 .reloc >>>>>(&0xe.l+(-4)) search/0x180 PK\3\4 \b, ZIP self-extracting archive (WinZip) >>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>>>0x30 string Inno \b, InnoSetup self-extracting archive >>(0x3c.l) string !PE\0\0 MS-DOS executable >>(0x3c.l) string NE \b, NE >>>(0x3c.l+0x36) byte 0 (unknown OS) >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte >3 (unknown OS) >>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender >>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) >>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive >>>(0x3c.l+0x70) search/0x80 WinZip(R)\x20Self-Extractor \b, ZIP self-extracting archive (WinZip) >>(0x3c.l) string LX\0\0 \b, LX >>>(0x3c.l+0x0a) leshort <1 (unknown OS) >>>(0x3c.l+0x0a) leshort 1 for OS/2 >>>(0x3c.l+0x0a) leshort 2 for MS Windows >>>(0x3c.l+0x0a) leshort 3 for DOS >>>(0x3c.l+0x0a) leshort >3 (unknown OS) >>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) >>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) >>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) >>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) >>>(0x3c.l+0x08) leshort 1 i80286 >>>(0x3c.l+0x08) leshort 2 i80386 >>>(0x3c.l+0x08) leshort 3 i80486 >>>(8.s*16) string emx \b, emx >>>>&1 string x "%s" >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive #------------------------------------------------------------------------------ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # # Additional fields added by Craig Heffner # 0 string bFLT BFLT executable >4 belong x version %ld, >4 belong 4 >8 belong x code offset: 0x%.8X, >12 belong x data segment starts at: 0x%.8X, >16 belong x bss segment starts at: 0x%.8X, >20 belong x bss segment ends at: 0x%.8X, >24 belong x stack size: %d bytes, >28 belong x relocation records start at: 0x%.8X, >32 belong x number of reolcation records: %d, >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata #----------------------------------------------------------------- # MIPS COFF file formats # 0 beshort 0x0160 MIPSEB ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0162 MIPSEL-BE ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6001 MIPSEB-LE ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6201 MIPSEL ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # MIPS 2 additions # 0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # MIPS 3 additions # 0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode # Windows CE package files 0 string MSCE\0\0\0\0 Microsoft WinCE installer >20 lelong 0 \b, architecture-independent >20 lelong 103 \b, Hitachi SH3 >20 lelong 104 \b, Hitachi SH4 >20 lelong 0xA11 \b, StrongARM >20 lelong 4000 \b, MIPS R4000 >20 lelong 10003 \b, Hitachi SH3 >20 lelong 10004 \b, Hitachi SH3E >20 lelong 10005 \b, Hitachi SH4 >20 lelong 70001 \b, ARM 7TDMI >52 leshort 1 \b, 1 file >52 leshort >1 \b, %u files >56 leshort 1 \b, 1 registry entry >56 leshort >1 \b, %u registry entries #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytiä ) 0 string XBEH XBE, Microsoft Xbox executable # probabilistic checks whether signed or not >0x0004 ulelong =0x0 >>&2 ulelong =0x0 >>>&2 ulelong =0x0 \b, not signed >0x0004 ulelong >0 >>&2 ulelong >0 >>>&2 ulelong >0 \b, signed # expect base address of 0x10000 >0x0104 ulelong =0x10000 >>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007 >>>(0x0118-0x0FF60) ulelong >0 (regions: >>>>(0x0118-0x0FF60) ulelong &0x00000001 NA >>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan >>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World >>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer >>>(0x0118-0x0FF60) ulelong >0 \b) #------------------------------------------------------------------------------ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K # 0 beshort 0x0208 mc68k COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >168 string .lowmem Apple toolbox >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0421 (standalone) 0 beshort 0x0209 mc68k executable (shared) >12 belong >0 not stripped 0 beshort 0x020A mc68k executable (shared demand paged) >12 belong >0 not stripped # # Motorola/UniSoft 68K Binary Compatibility Standard (BCS) # 0 beshort 0x022A 68K BCS executable # # 88K # # Motorola/88Open BCS # 0 beshort 0x022B 88K BCS executable #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : 0 string PS-X\x20EXE Sony Playstation executable # Area: >113 string x ("%s") #------------------------------------------------------------------------------ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 beshort 0x8501 cisco IOS >0 belong&0xffffff00 0x85011400 microcode >0 belong&0xffffff00 0x8501cb00 experimental microcode >7 string >\0 for "%s" # EST flat binary format (which isn't, but anyway) # From: Mark Brown 0 string ESTFBINR EST flat binary # These are not the binaries themselves, but string references to them # are a strong indication that they exist elsewhere... #0 string /bin/busybox Busybox string reference: "%s"{one-of-many} #0 string /bin/sh Shell string reference: "%s"{one-of-many} #--------------------File Systems--------------------- # Minix filesystems - Juan Cespedes 0x410 leshort 0x137f Minix filesystem >0x402 beshort !0 \b, %d zones >0x1e string minix \b, bootable 0x410 leshort 0x138f Minix filesystem, 30 char names 0x410 leshort 0x2468 Minix filesystem, version 2 0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names 0x410 leshort 0x4d5a Minix filesystem, version 3 0x410 leshort 0x4d6a Minix filesystem, version 3, 30 char names 0x410 beshort 0x137f Minix filesystem (big endian) >0x402 beshort !0 \b, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x138f Minix filesystem (big endian), 30 char names 0x410 beshort 0x2468 Minix filesystem (big endian), version 2 0x410 beshort 0x2478 Minix filesystem (big endian), version 2, 30 char names 0x410 beshort 0x4d5a Minix filesystem (big endian), version 3 0x410 beshort 0x4d6a Minix filesystem (big endian), version 3, 30 char names # YAFFS 0 string \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF YAFFS filesystem # EFS2 file system - jojo@utulsa.edu 0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian, >8 string !EFSSuper invalid, >4 leshort &1 NAND >4 leshort ^1 NOR >4 leshort x version 0x%x, >24 lelong x %d blocks, >16 lelong x 0x%x pages per block, >20 lelong x 0x%x bytes per page 0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian, >8 string !SSFErepu invalid, >4 beshort &1 NAND >4 beshort ^1 NOR >4 beshort x version 0x%x, >24 belong x %d blocks, >16 belong x 0x%x pages per block, >20 belong x 0x%x bytes per page # TROC file system 0 string TROC TROC filesystem, >4 lelong x %d file entries # PFS file system 0 string PFS/ PFS filesystem, >4 string x version "%s", >14 leshort x %d files # MPFS file system 0 string MPFS MPFS (Microchip) filesystem, >4 byte x version %d. >5 byte x \b%d, >6 leshort x %d file entries # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 CramFS filesystem, little endian >4 lelong <0 invalid >4 lelong x size %lu >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, >36 lelong x edition %lu, >40 lelong <0 invalid >40 lelong x %lu blocks, >44 lelong <0 invalid >44 lelong x %lu files >4 lelong x {jump-to-offset:%lu} >4 lelong x {file-size:%lu} 0 belong 0x28cd3d45 CramFS filesystem, big endian >4 belong <0 invalid >4 belong x size %lu >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, >36 belong x edition %lu, >40 belong <0 invalid >40 belong x %lu blocks, >44 belong <0 invalid >44 belong x %lu files >4 belong x {jump-to-offset:%lu} >4 belong x {file-size:%lu} # JFFS2 file system # If used with binwalk's smart signature feature (on by default, -S to disable) # this signature can potentially lead to missing some JFFS2 file systems if there # are multiple JFFS2 file systems in a target file and there are no other identified # files in between the JFFS2 file systems. This is an unlikely scenario however, and # the below signatures are much improved in terms of readability and accuracy in the # vast majority of real world scenarios. 0 leshort 0x1985 JFFS2 filesystem, little endian{filter-include} >2 leshort !0xE001 >>2 leshort !0xE002 >>>2 leshort !0x2003 >>>>2 leshort !0x2004 >>>>>2 leshort !0x2006 >>>>>>2 leshort !0xE008 >>>>>>>2 leshort !0xE009 \b, invalid >(4.l) leshort !0x1985 >>(4.l+1) leshort !0x1985 >>>(4.l+2) leshort !0x1985 >>>>(4.l+3) leshort !0x1985 >>>>>(4.l) leshort !0xFFFF >>>>>>(4.l+1) leshort !0xFFFF >>>>>>>(4.l+2) leshort !0xFFFF >>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid >4 lelong x {one-of-many}{jump-to-offset:%d} 0 beshort 0x1985 JFFS2 filesystem, big endian{filter-include} >2 beshort !0xE001 >>2 beshort !0xE002 >>>2 beshort !0x2003 >>>>2 beshort !0x2004 >>>>>2 beshort !0x2006 >>>>>>2 beshort !0xE008 >>>>>>>2 beshort !0xE009 \b, invalid >(4.L) beshort !0x1985 >>(4.L+1) beshort !0x1985 >>>(4.L+2) beshort !0x1985 >>>>(4.L+3) beshort !0x1985 >>>>>(4.L) beshort !0xFFFF >>>>>>(4.L+1) beshort !0xFFFF >>>>>>>(4.L+2) beshort !0xFFFF >>>>>>>>(4.L+3) beshort !0xFFFF \b, invalid >4 belong x {one-of-many}{jump-to-offset:%d} # Squashfs, big endian 0 string sqsh Squashfs filesystem, big endian, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >28 beshort 3 >>63 bequad x size: %lld bytes, >28 beshort >3 >>40 bequad x size: %lld bytes, >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs, little endian 0 string hsqs Squashfs filesystem, little endian, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # Squashfs with LZMA compression 0 string sqlz Squashfs filesystem, big endian, lzma compression, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs 3.3 LZMA signature 0 string qshs Squashfs filesystem, big endian, lzma signature, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs for DD-WRT 0 string tqsh Squashfs filesystem, big endian, DD-WRT signature, >28 beshort >10 invalid >28 beshort <1 invalid >30 beshort >10 invalid >28 beshort x version %d. >30 beshort x \b%d, >28 beshort >3 compression: >>20 beshort 1 \bgzip, >>20 beshort 2 \blzma, >>20 beshort 0 \binvalid, >>20 beshort >4 \binvalid, >28 beshort <3 >>8 belong x size: %d bytes, >>8 belong x {file-size:%d} >28 beshort 3 >>63 bequad x size: %lld bytes, >>63 bequad x {file-size:%lld} >28 beshort >3 >>40 bequad x size: %lld bytes, >>40 bequad x {file-size:%lld} >4 belong x %d inodes, >28 beshort >3 >>12 belong blocksize: %d bytes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort 2 >>51 belong x blocksize: %d bytes, >28 beshort 3 >>51 belong x blocksize: %d bytes, >28 beshort >3 >>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s >28 beshort <3 >>8 belong x {jump-to-offset:%d} >28 beshort 3 >>63 bequad x {jump-to-offset:%lld} >28 beshort >3 >>40 bequad x {jump-to-offset:%lld} # Squashfs for DD-WRT 0 string hsqt Squashfs filesystem, little endian, DD-WRT signature, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # Non-standard Squashfs signature found on some D-Link routers 0 string shsq Squashfs filesystem, little endian, non-standard signature, >28 leshort >10 invalid >28 leshort <1 invalid >30 leshort >10 invalid >28 leshort x version %d. >30 leshort x \b%d, >28 leshort >3 compression: >>20 leshort 1 \bgzip, >>20 leshort 2 \blzma, >>20 leshort 0 \binvalid, >>20 leshort >4 \binvalid, >28 leshort <3 >>8 lelong x size: %d bytes, >>8 lelong x {file-size:%d} >28 leshort 3 >>63 lequad x size: %lld bytes, >>63 lequad x {file-size:%lld} >28 leshort >3 >>40 lequad x size: %lld bytes, >>40 lequad x {file-size:%lld} >4 lelong x %d inodes, >28 leshort >3 >>12 lelong blocksize: %d bytes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort 2 >>51 lelong x blocksize: %d bytes, >28 leshort 3 >>51 lelong x blocksize: %d bytes, >28 leshort >3 >>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s >28 leshort <3 >>8 lelong x {jump-to-offset:%d} >28 leshort 3 >>63 lequad x {jump-to-offset:%lld} >28 leshort >3 >>40 lequad x {jump-to-offset:%lld} # ext2/ext3 filesystems - Andreas Dilger # ext4 filesystem - Eric Sandeen # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 0 leshort 0xEF53 Linux EXT filesystem,{filter-include}{offset-adjust:-0x438} >2 leshort >4 invalid state >2 leshort 3 invalid state >2 leshort <0 invalid state >4 leshort >3 invalid error behavior >4 leshort <0 invalid error behavior >4 lelong >1 invalid major revision >4 lelong <0 invalid major revision >4 lelong x rev %d >6 leshort x \b.%d # No journal? ext2 >36 lelong ^0x0000004 ext2 filesystem data >>2 leshort ^0x0000001 (mounted or unclean) # Has a journal? ext3 or ext4 >36 lelong &0x0000004 # and small INCOMPAT? >>40 lelong <0x0000040 # and small RO_COMPAT? >>>44 lelong <0x0000008 ext3 filesystem data # else large RO_COMPAT? >>>44 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>40 lelong >0x000003f ext4 filesystem data >48 belong x \b, UUID=%08x >52 beshort x \b-%04x >54 beshort x \b-%04x >56 beshort x \b-%04x >58 belong x \b-%08x >60 beshort x \b%04x >64 string >0 \b, volume name "%s" #romfs filesystems - Juan Cespedes 0 string -rom1fs-\0 romfs filesystem, version 1 >8 belong >10000000 invalid >8 belong x size: %d bytes, >16 string x {file-name:%s} >16 string x named "%s" >8 belong x {file-size:%d} >8 belong x {jump-to-offset:%d} # Wind River MemFS file system, found in some VxWorks devices 0 string owowowowowowowowowowowowowowow Wind River management filesystem, >30 string !ow invalid, >32 belong 1 compressed, >32 belong 2 plain text, >36 belong x %d files # netboot image - Juan Cespedes 0 lelong 0x1b031336L Netboot image, >4 lelong&0xFFFFFF00 0 >>4 lelong&0x100 0x000 mode 2 >>4 lelong&0x100 0x100 mode 3 >4 lelong&0xFFFFFF00 !0 unknown mode (invalid) #--------------------------Firmware Formats--------------------------- # uImage file # From: Craig Heffner, U-Boot image.h header definitions file 0 belong 0x27051956 uImage header, header size: 64 bytes, >4 belong x header CRC: 0x%X, >8 bedate x created: %s, >12 belong x image size: %d bytes, >16 belong x Data Address: 0x%X, >20 belong x Entry Point: 0x%X, >24 belong x data CRC: 0x%X, #>28 byte x OS type: %d, >28 byte 0 OS: invalid OS, >28 byte 1 OS: OpenBSD, >28 byte 2 OS: NetBSD, >28 byte 3 OS: FreeBSD, >28 byte 4 OS: 4.4BSD, >28 byte 5 OS: Linux, >28 byte 6 OS: SVR4, >28 byte 7 OS: Esix, >28 byte 8 OS: Solaris, >28 byte 9 OS: Irix, >28 byte 10 OS: SCO, >28 byte 11 OS: Dell, >28 byte 12 OS: NCR, >28 byte 13 OS: LynxOS, >28 byte 14 OS: VxWorks, >28 byte 15 OS: pSOS, >28 byte 16 OS: QNX, >28 byte 17 OS: Firmware, >28 byte 18 OS: RTEMS, >28 byte 19 OS: ARTOS, >28 byte 20 OS: Unity OS, #>29 byte x CPU arch: %d, >29 byte 0 CPU: invalid OS, >29 byte 1 CPU: Alpha, >29 byte 2 CPU: ARM, >29 byte 3 CPU: Intel x86, >29 byte 4 CPU: IA64, >29 byte 5 CPU: MIPS, >29 byte 6 CPU: MIPS 64 bit, >29 byte 7 CPU: PowerPC, >29 byte 8 CPU: IBM S390, >29 byte 9 CPU: SuperH, >29 byte 10 CPU: Sparc, >29 byte 11 CPU: Sparc 64 bit, >29 byte 12 CPU: M68K, >29 byte 13 CPU: Nios-32, >29 byte 14 CPU: MicroBlaze, >29 byte 15 CPU: Nios-II, >29 byte 16 CPU: Blackfin, >29 byte 17 CPU: AVR, >29 byte 18 CPU: STMicroelectronics ST200, #>30 byte x image type: %d, >30 byte 0 image type: invalid Image, >30 byte 1 image type: Standalone Program, >30 byte 2 image type: OS Kernel Image, >30 byte 3 image type: RAMDisk Image, >30 byte 4 image type: Multi-File Image, >30 byte 5 image type: Firmware Image, >30 byte 6 image type: Script file, >30 byte 7 image type: Filesystem Image, >30 byte 8 image type: Binary Flat Device Tree Blob #>31 byte x compression type: %d, >31 byte 0 compression type: none, >31 byte 1 compression type: gzip, >31 byte 2 compression type: bzip2, >31 byte 3 compression type: lzma, >32 string x image name: "%s" #IMG0 header, found in VxWorks-based Mercury router firmware 0 string IMG0 IMG0 (VxWorks) header, >4 belong x size: %d #Mediatek bootloader signature #From xp-dev.com 0 string BOOTLOADER! Mediatek bootloader #CSYS header formats 0 string CSYS\x00 CSYS header, little endian, >8 lelong x size: %d 0 string CSYS\x80 CSYS header, big endian, >8 belong x size: %d # wrgg firmware image 0 string wrgg02 WRGG firmware header, >6 string x name: "%s", >48 string x root device: "%s" # trx image file 0 string HDR0 TRX firmware header, little endian, header size: 28 bytes, >4 lelong x image size: %d bytes, >8 lelong x CRC32: 0x%X >12 lelong x flags/version: 0x%X 0 string 0RDH TRX firmware header, big endian, header size: 28 bytes, >4 belong x image size: %d bytes, >8 belong x CRC32: 0x%X >12 belong x flags/version: 0x%X # Ubicom firmware image 0 belong 0xFA320080 Ubicom firmware header, >12 belong x checksum: 0x%X, >24 belong x image size: %d # The ROME bootloader is used by several RealTek-based products. # Unfortunately, the magic bytes are specific to each product, so # separate signatures must be created for each one. # Netgear KWGR614 ROME image 0 string G614 Realtek firmware header (ROME bootloader), >4 beshort 0xd92f image type: KFS, >4 beshort 0xb162 image type: RDIR, >4 beshort 0xea43 image type: BOOT, >4 beshort 0x8dc9 image type: RUN, >4 beshort 0x2a05 image type: CCFG, >4 beshort 0x6ce8 image type: DCFG, >4 beshort 0xc371 image type: LOG, >6 byte x header version: %d, #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 byte x body checksum: 0x%X, >23 byte x header checksum: 0x%X # Linksys WRT54GX ROME image 0 belong 0x59a0e842 Realtek firmware header (ROME bootloader) >4 beshort 0xd92f image type: KFS, >4 beshort 0xb162 image type: RDIR, >4 beshort 0xea43 image type: BOOT, >4 beshort 0x8dc9 image type: RUN, >4 beshort 0x2a05 image type: CCFG, >4 beshort 0x6ce8 image type: DCFG, >4 beshort 0xc371 image type: LOG, >6 byte x header version: %d, #month >10 byte x created: %d/ #day >12 byte x \b%d/ #year >8 beshort x \b%d, >16 belong x image size: %d bytes, >22 byte x body checksum: 0x%X, >23 byte x header checksum: 0x%X # PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images. 0 string --PaCkImGs-- PackImg section delimiter tag, >16 lelong x little endian size: %d bytes; >16 belong x big endian size: %d bytes #------------------------------------------------------------------------------ # Broadcom header format # 0 string BCRM Broadcom header, >4 lelong x number of sections: %d, >>8 lelong 18 first section type: flash >>8 lelong 19 first section type: disk >>8 lelong 21 first section type: tag # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # http://ftg.lbl.gov/checkpoint 0 string Ck0\0\0R\0\0\0 BLCR >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) 0 string \0\0\0C\0\0\0R BLCR >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Aculab VoIP firmware # From: Mark Brown 0 string VoIP\x20Startup\x20and Aculab VoIP firmware >35 string x format "%s" #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From Albert Cahalan # really le32 operation,destination,payloadsize (but quite predictable) # 01 00 00 00 00 00 00 c0 00 02 00 00 0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\x20Networks\x20Inc.\nFirmware\x20v Paged COBALT boot rom >38 string x V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system) # # Motorola S-Records, from Gerd Truschinski 0 string S0 Motorola S-Record; binary data in text format # -------------------------------- # Microsoft Xbox data file formats 0 string XIP0 XIP, Microsoft Xbox data 0 string XTF0 XTF, Microsoft Xbox data #Windows CE 0 string CECE Windows CE RTOS{offset-adjust:-64} # -------------------------------- # ZynOS ROM header format # From openwrt zynos.h. 0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6} #>0 belong x load address 0x%X, >3 byte <0x7F rom image type: >>3 byte <1 invalid, >>3 byte >7 invalid, >>3 byte 1 ROMIMG, >>3 byte 2 ROMBOOT, >>3 byte 3 BOOTEXT, >>3 byte 4 ROMBIN, >>3 byte 5 ROMDIR, >>3 byte 6 6, >>3 byte 7 ROMMAP, >3 byte >0x7F ram image type: >>3 byte >0x82 invalid, >>3 byte 0x80 RAM, >>3 byte 0x81 RAMCODE, >>3 byte 0x82 RAMBOOT, >4 belong >0x40000000 invalid >4 belong <0 invalid >4 belong 0 invalid >4 belong x uncompressed size: %d, >8 belong >0x40000000 invalid >8 belong <0 invalid >8 belong 0 invalid >8 belong x compressed size: %d, >14 beshort x uncompressed checksum: 0x%X, >16 beshort x compressed checksum: 0x%X, >12 byte x flags: 0x%X, >12 byte &0x40 uncompressed checksum is valid, >12 byte &0x80 the binary is compressed, >>12 byte &0x20 compressed checksum is valid, >35 belong x memory map table address: 0x%X # Firmware header used by some VxWorks-based Cisco products 0 string CI032.00 Cisco VxWorks firmware header, >8 lelong >1024 invalid >8 lelong <0 invalid >8 lelong x header size: %d bytes, >32 lelong >1024 invalid >32 lelong <0 invalid >32 lelong x number of files: %d, >48 lelong <0 invalid >48 lelong x image size: %d, >64 string x firmware version: "%s" # Firmware header used by some TV's 0 string FNIB ZBOOT firmware header, header size: 32 bytes, >8 lelong x load address: 0x%.8X, >12 lelong x start address: 0x%.8X, >16 lelong x checksum: 0x%.8X, >20 lelong x version: 0x%.8X, >24 lelong <1 invalid >24 lelong x image size: %d bytes # Firmware header used by several D-Link routers (and probably others) 0 string \x5e\xa3\xa4\x17 DLOB firmware header, >(7.b+12) string !\x5e\xa3\xa4\x17 invalid, #>>12 string x %s, >(7.b+40) string x boot partition: "%s" # TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format 0 string TP-LINK\x20Technologies TP-Link firmware header,{offset-adjust:-4} #>-4 lelong x header version: %d, >0x94 beshort x firmware version: %d. >0x96 beshort x \b%d. >0x98 beshort x \b%d, >0x18 string x image version: "%s", #>0x74 belong x image size: %d bytes, >0x3C belong x product ID: 0x%X, >0x40 belong x product version: %d, >0x70 belong x kernel load address: 0x%X, >0x74 belong x kernel entry point: 0x%X, >0x7C belong x kernel offset: %d, >0x80 belong x kernel length: %d, >0x84 belong x rootfs offset: %d, >0x88 belong x rootfs length: %d, >0x8C belong x bootloader offset: %d, >0x90 belong x bootloader length: %d # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian 0 string II\x2a\x00 TIFF image data, little-endian # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image >16 belong x \b, %ld x >20 belong x %ld, >24 byte x %d-bit >25 byte 0 grayscale, >25 byte 2 \b/color RGB, >25 byte 3 colormap, >25 byte 4 gray+alpha, >25 byte 6 \b/color RGBA, #>26 byte 0 deflate/32K, >28 byte 0 non-interlaced >28 byte 1 interlaced # GIF 0 string GIF8 GIF image data >4 string 7a \b, version 8"%s", >4 string 9a \b, version 8"%s", >6 leshort >0 %hd x >8 leshort >0 %hd #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors #>10 byte&0x07 =0x02 8 colors #>10 byte&0x07 =0x03 16 colors #>10 byte&0x07 =0x04 32 colors #>10 byte&0x07 =0x05 64 colors #>10 byte&0x07 =0x06 128 colors #>10 byte&0x07 =0x07 256 colors # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) 0 string BM >14 leshort 12 PC bitmap, OS/2 1.x format >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 64 PC bitmap, OS/2 2.x format >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 40 PC bitmap, Windows 3.x format >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 128 PC bitmap, Windows NT/2000 format >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d #------------------------------------------------------------------------------ # JPEG images # SunOS 5.5.1 had # # 0 string \377\330\377\340 JPEG file # 0 string \377\330\377\356 JPG file # # both of which turn into "JPEG image data" here. # 0 beshort 0xffd8 JPEG image data >6 string JFIF \b, JFIF standard # The following added by Erik Rossen 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these # tests are not fool-proof since some perfectly valid JPEGs are currently # impossible to specify in magic(4) format. # First, a little JFIF version info: >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: #>>13 byte 0 \b, aspect ratio #>>13 byte 1 \b, resolution (DPI) #>>13 byte 2 \b, resolution (DPCM) #>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d # EXIF moved down here to avoid reporting a bogus version number, # and EXIF version number printing added. # - Patrik R=E5dman >6 string Exif \b, EXIF standard # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # All possible combinations of entries have to be enumerated, since no looping # is possible. And both endians are possible... # The combinations included below are from real-world JPEGs. # Little-endian >>12 string II # IFD 0 Entry #5: >>>70 leshort 0x8769 # EXIF IFD Entry #1: >>>>(78.l+14) leshort 0x9000 >>>>>(78.l+23) byte x %c >>>>>(78.l+24) byte x \b.%c >>>>>(78.l+25) byte !0x30 \b%c # IFD 0 Entry #9: >>>118 leshort 0x8769 # EXIF IFD Entry #3: >>>>(126.l+38) leshort 0x9000 >>>>>(126.l+47) byte x %c >>>>>(126.l+48) byte x \b.%c >>>>>(126.l+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 leshort 0x8769 # EXIF IFD Entry #3: >>>>(138.l+38) leshort 0x9000 >>>>>(138.l+47) byte x %c >>>>>(138.l+48) byte x \b.%c >>>>>(138.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(138.l+50) leshort 0x9000 >>>>>(138.l+59) byte x %c >>>>>(138.l+60) byte x \b.%c >>>>>(138.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.l+62) leshort 0x9000 >>>>>(138.l+71) byte x %c >>>>>(138.l+72) byte x \b.%c >>>>>(138.l+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 leshort 0x8769 # EXIF IFD Entry #3: >>>>(150.l+38) leshort 0x9000 >>>>>(150.l+47) byte x %c >>>>>(150.l+48) byte x \b.%c >>>>>(150.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(150.l+50) leshort 0x9000 >>>>>(150.l+59) byte x %c >>>>>(150.l+60) byte x \b.%c >>>>>(150.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(150.l+62) leshort 0x9000 >>>>>(150.l+71) byte x %c >>>>>(150.l+72) byte x \b.%c >>>>>(150.l+73) byte !0x30 \b%c # Big-endian >>12 string MM # IFD 0 Entry #9: >>>118 beshort 0x8769 # EXIF IFD Entry #1: >>>>(126.L+14) beshort 0x9000 >>>>>(126.L+23) byte x %c >>>>>(126.L+24) byte x \b.%c >>>>>(126.L+25) byte !0x30 \b%c # EXIF IFD Entry #3: >>>>(126.L+38) beshort 0x9000 >>>>>(126.L+47) byte x %c >>>>>(126.L+48) byte x \b.%c >>>>>(126.L+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 beshort 0x8769 # EXIF IFD Entry #3: >>>>(138.L+38) beshort 0x9000 >>>>>(138.L+47) byte x %c >>>>>(138.L+48) byte x \b.%c >>>>>(138.L+49) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.L+62) beshort 0x9000 >>>>>(138.L+71) byte x %c >>>>>(138.L+72) byte x \b.%c >>>>>(138.L+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 beshort 0x8769 # EXIF IFD Entry #4: >>>>(150.L+50) beshort 0x9000 >>>>>(150.L+59) byte x %c >>>>>(150.L+60) byte x \b.%c >>>>>(150.L+61) byte !0x30 \b%c # Here things get sticky. We can do ONE MORE marker segment with # indirect addressing, and that's all. It would be great if we could # do pointer arithemetic like in an assembler language. Christos? # And if there was some sort of looping construct to do searches, plus a few # named accumulators, it would be even more effective... # At least we can show a comment if no other segments got inserted before: >(4.S+5) byte 0xFE >>(4.S+8) string >\0 \b, comment: "%s" # FIXME: When we can do non-byte counted strings, we can use that to get # the string's count, and fix Debian bug #283760 #>(4.S+5) byte 0xFE \b, comment #>>(4.S+6) beshort x \b length=%d #>>(4.S+8) string >\0 \b, "%s" # Or, we can show the encoding type (I've included only the three most common) # and image dimensions if we are lucky and the SOFn (image segment) is here: >(4.S+5) byte 0xC0 \b, baseline >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC1 \b, extended sequential >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC2 \b, progressive >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d # I've commented-out quantisation table reporting. I doubt anyone cares yet. #>(4.S+5) byte 0xDB \b, quantisation table #>>(4.S+6) beshort x \b length=%d #>14 beshort x \b, %d x #>16 beshort x \b %d #-------------------------Kernels------------------------------------- # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer # and Nicolás Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image >514 string !HdrS (invalid) # Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a). # Commonly found in decompressed embedded kernel binaries. 0 string Linux\ version\ Linux kernel version >14 byte 0 invalid >14 byte !0 >>14 string x "%s >>45 string x \b%s >>76 string x \b%s >>107 string x \b%s" # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5D # ------------------------------------------------------------------ 0 string \x5D\x00\x00 LZMA compressed data, properties: 0x5D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x01 # ------------------------------------------------------------------ 0 string \x01\x00\x00 LZMA compressed data, properties: 0x01, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x02 # ------------------------------------------------------------------ 0 string \x02\x00\x00 LZMA compressed data, properties: 0x02, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x03 # ------------------------------------------------------------------ 0 string \x03\x00\x00 LZMA compressed data, properties: 0x03, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x04 # ------------------------------------------------------------------ 0 string \x04\x00\x00 LZMA compressed data, properties: 0x04, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x09 # ------------------------------------------------------------------ 0 string \x09\x00\x00 LZMA compressed data, properties: 0x09, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0A # ------------------------------------------------------------------ 0 string \x0A\x00\x00 LZMA compressed data, properties: 0x0A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0B # ------------------------------------------------------------------ 0 string \x0B\x00\x00 LZMA compressed data, properties: 0x0B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x0C # ------------------------------------------------------------------ 0 string \x0C\x00\x00 LZMA compressed data, properties: 0x0C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x12 # ------------------------------------------------------------------ 0 string \x12\x00\x00 LZMA compressed data, properties: 0x12, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x13 # ------------------------------------------------------------------ 0 string \x13\x00\x00 LZMA compressed data, properties: 0x13, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x14 # ------------------------------------------------------------------ 0 string \x14\x00\x00 LZMA compressed data, properties: 0x14, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x1B # ------------------------------------------------------------------ 0 string \x1B\x00\x00 LZMA compressed data, properties: 0x1B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x1C # ------------------------------------------------------------------ 0 string \x1C\x00\x00 LZMA compressed data, properties: 0x1C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x24 # ------------------------------------------------------------------ 0 string \x24\x00\x00 LZMA compressed data, properties: 0x24, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2D # ------------------------------------------------------------------ 0 string \x2D\x00\x00 LZMA compressed data, properties: 0x2D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2E # ------------------------------------------------------------------ 0 string \x2E\x00\x00 LZMA compressed data, properties: 0x2E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x2F # ------------------------------------------------------------------ 0 string \x2F\x00\x00 LZMA compressed data, properties: 0x2F, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x30 # ------------------------------------------------------------------ 0 string \x30\x00\x00 LZMA compressed data, properties: 0x30, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x31 # ------------------------------------------------------------------ 0 string \x31\x00\x00 LZMA compressed data, properties: 0x31, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x36 # ------------------------------------------------------------------ 0 string \x36\x00\x00 LZMA compressed data, properties: 0x36, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x37 # ------------------------------------------------------------------ 0 string \x37\x00\x00 LZMA compressed data, properties: 0x37, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x38 # ------------------------------------------------------------------ 0 string \x38\x00\x00 LZMA compressed data, properties: 0x38, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x39 # ------------------------------------------------------------------ 0 string \x39\x00\x00 LZMA compressed data, properties: 0x39, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x3F # ------------------------------------------------------------------ 0 string \x3F\x00\x00 LZMA compressed data, properties: 0x3F, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x40 # ------------------------------------------------------------------ 0 string \x40\x00\x00 LZMA compressed data, properties: 0x40, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x41 # ------------------------------------------------------------------ 0 string \x41\x00\x00 LZMA compressed data, properties: 0x41, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x48 # ------------------------------------------------------------------ 0 string \x48\x00\x00 LZMA compressed data, properties: 0x48, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x49 # ------------------------------------------------------------------ 0 string \x49\x00\x00 LZMA compressed data, properties: 0x49, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x51 # ------------------------------------------------------------------ 0 string \x51\x00\x00 LZMA compressed data, properties: 0x51, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5A # ------------------------------------------------------------------ 0 string \x5A\x00\x00 LZMA compressed data, properties: 0x5A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5B # ------------------------------------------------------------------ 0 string \x5B\x00\x00 LZMA compressed data, properties: 0x5B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5C # ------------------------------------------------------------------ 0 string \x5C\x00\x00 LZMA compressed data, properties: 0x5C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x5E # ------------------------------------------------------------------ 0 string \x5E\x00\x00 LZMA compressed data, properties: 0x5E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x63 # ------------------------------------------------------------------ 0 string \x63\x00\x00 LZMA compressed data, properties: 0x63, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x64 # ------------------------------------------------------------------ 0 string \x64\x00\x00 LZMA compressed data, properties: 0x64, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x65 # ------------------------------------------------------------------ 0 string \x65\x00\x00 LZMA compressed data, properties: 0x65, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x66 # ------------------------------------------------------------------ 0 string \x66\x00\x00 LZMA compressed data, properties: 0x66, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6C # ------------------------------------------------------------------ 0 string \x6C\x00\x00 LZMA compressed data, properties: 0x6C, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6D # ------------------------------------------------------------------ 0 string \x6D\x00\x00 LZMA compressed data, properties: 0x6D, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x6E # ------------------------------------------------------------------ 0 string \x6E\x00\x00 LZMA compressed data, properties: 0x6E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x75 # ------------------------------------------------------------------ 0 string \x75\x00\x00 LZMA compressed data, properties: 0x75, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x76 # ------------------------------------------------------------------ 0 string \x76\x00\x00 LZMA compressed data, properties: 0x76, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x7E # ------------------------------------------------------------------ 0 string \x7E\x00\x00 LZMA compressed data, properties: 0x7E, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x87 # ------------------------------------------------------------------ 0 string \x87\x00\x00 LZMA compressed data, properties: 0x87, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x88 # ------------------------------------------------------------------ 0 string \x88\x00\x00 LZMA compressed data, properties: 0x88, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x89 # ------------------------------------------------------------------ 0 string \x89\x00\x00 LZMA compressed data, properties: 0x89, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x8A # ------------------------------------------------------------------ 0 string \x8A\x00\x00 LZMA compressed data, properties: 0x8A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x8B # ------------------------------------------------------------------ 0 string \x8B\x00\x00 LZMA compressed data, properties: 0x8B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x90 # ------------------------------------------------------------------ 0 string \x90\x00\x00 LZMA compressed data, properties: 0x90, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x91 # ------------------------------------------------------------------ 0 string \x91\x00\x00 LZMA compressed data, properties: 0x91, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x92 # ------------------------------------------------------------------ 0 string \x92\x00\x00 LZMA compressed data, properties: 0x92, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x93 # ------------------------------------------------------------------ 0 string \x93\x00\x00 LZMA compressed data, properties: 0x93, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x99 # ------------------------------------------------------------------ 0 string \x99\x00\x00 LZMA compressed data, properties: 0x99, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x9A # ------------------------------------------------------------------ 0 string \x9A\x00\x00 LZMA compressed data, properties: 0x9A, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0x9B # ------------------------------------------------------------------ 0 string \x9B\x00\x00 LZMA compressed data, properties: 0x9B, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xA2 # ------------------------------------------------------------------ 0 string \xA2\x00\x00 LZMA compressed data, properties: 0xA2, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xA3 # ------------------------------------------------------------------ 0 string \xA3\x00\x00 LZMA compressed data, properties: 0xA3, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xAB # ------------------------------------------------------------------ 0 string \xAB\x00\x00 LZMA compressed data, properties: 0xAB, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB4 # ------------------------------------------------------------------ 0 string \xB4\x00\x00 LZMA compressed data, properties: 0xB4, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB5 # ------------------------------------------------------------------ 0 string \xB5\x00\x00 LZMA compressed data, properties: 0xB5, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB6 # ------------------------------------------------------------------ 0 string \xB6\x00\x00 LZMA compressed data, properties: 0xB6, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB7 # ------------------------------------------------------------------ 0 string \xB7\x00\x00 LZMA compressed data, properties: 0xB7, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xB8 # ------------------------------------------------------------------ 0 string \xB8\x00\x00 LZMA compressed data, properties: 0xB8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBD # ------------------------------------------------------------------ 0 string \xBD\x00\x00 LZMA compressed data, properties: 0xBD, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBE # ------------------------------------------------------------------ 0 string \xBE\x00\x00 LZMA compressed data, properties: 0xBE, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xBF # ------------------------------------------------------------------ 0 string \xBF\x00\x00 LZMA compressed data, properties: 0xBF, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC0 # ------------------------------------------------------------------ 0 string \xC0\x00\x00 LZMA compressed data, properties: 0xC0, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC6 # ------------------------------------------------------------------ 0 string \xC6\x00\x00 LZMA compressed data, properties: 0xC6, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC7 # ------------------------------------------------------------------ 0 string \xC7\x00\x00 LZMA compressed data, properties: 0xC7, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xC8 # ------------------------------------------------------------------ 0 string \xC8\x00\x00 LZMA compressed data, properties: 0xC8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xCF # ------------------------------------------------------------------ 0 string \xCF\x00\x00 LZMA compressed data, properties: 0xCF, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xD0 # ------------------------------------------------------------------ 0 string \xD0\x00\x00 LZMA compressed data, properties: 0xD0, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes # ------------------------------------------------------------------ # Signature for LZMA compressed data with valid properties byte 0xD8 # ------------------------------------------------------------------ 0 string \xD8\x00\x00 LZMA compressed data, properties: 0xD8, # These are all the valid dictionary sizes supported by LZMA utils. >1 lelong !65536 >>1 lelong !131072 >>>1 lelong !262144 >>>>1 lelong !524288 >>>>>1 lelong !1048576 >>>>>>1 lelong !2097152 >>>>>>>1 lelong !4194304 >>>>>>>>1 lelong !8388608 >>>>>>>>>1 lelong !16777216 >>>>>>>>>>1 lelong !33554432 invalid >1 lelong x dictionary size: %d bytes, # Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely. >5 lequad <1 invalid >5 lequad >0x40000000 invalid # These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely. # Since most false positives are the result of repeating sequences of bytes (such as executable instructions), # marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives. >1 lelong 65536 >>5 lequad 65536 invalid >1 lelong 131072 >>5 lequad 131072 invalid >1 lelong 262144 >>5 lequad 262144 invalid >1 lelong 524288 >>5 lequad 524288 invalid >1 lelong 1048576 >>5 lequad 1048576 invalid >1 lelong 2097152 >>5 lequad 2097152 invalid >1 lelong 4194304 >>5 lequad 4194304 invalid >1 lelong 8388608 >>5 lequad 8388608 invalid >1 lelong 16777216 >>5 lequad 16777216 invalid >1 lelong 33554432 >>5 lequad 33554432 invalid >5 lequad x uncompressed size: %lld bytes #------------------------------------------------------------------------------ # $File: sql,v 1.6 2009/09/19 16:28:12 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" # Recognize some MySQL files. # 0 beshort 0xfe01 MySQL table definition file >2 string <1 invalid >2 string >\11 invalid >2 byte x Version %d 0 string \xfe\xfe\x03 MySQL MISAM index file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x07 MySQL MISAM compressed data file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x05 MySQL ISAM index file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \xfe\xfe\x06 MySQL ISAM compressed data file >3 string <1 invalid >3 string >\11 invalid >3 byte x Version %d 0 string \376bin MySQL replication log #------------------------------------------------------------------------------ # iRiver H Series database file # From Ken Guest # As observed from iRivNavi.iDB and unencoded firmware # 0 string iRivDB iRiver Database file >11 string >\0 Version "%s" >39 string iHP-100 [H Series] #------------------------------------------------------------------------------ # SQLite database files # Ken Guest , Ty Sarna, Zack Weinberg # # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # # Version 2 used this format: 0 string **\x20This\x20file\x20contains\x20an\x20SQLite SQLite 2.x database # Version 3 of SQLite allows applications to embed their own "user version" # number in the database. Detect this and distinguish those files. 0 string SQLite\x20format\x203 >60 string _MTN Monotone source repository >60 belong !0 SQLite 3.x database, user version %u >60 belong 0 SQLite 3.x database binwalk-1.0/src/binwalk/prettyprint.py0000644000175000017500000001066112104542363016321 0ustar eveeveimport sys import hashlib from datetime import datetime class PrettyPrint: ''' Class for printing Binwalk results to screen/log files. An instance of PrettyPrint is available via the Binwalk.display object. The PrettyPrint.results() method is of particular interest, as it is suitable for use as a Binwalk.scan() callback function, and can be used to print Binwalk.scan() results to stdout, a log file, or both. Example usage: import binwalk bw = binwalk.Binwalk() bw.display.header() bw.scan('firmware.bin', callback=bw.display.results) bw.display.footer() ''' def __init__(self, log=None, quiet=False, bwalk=None, verbose=0): ''' Class constructor. @log - Output log file. @quiet - If True, results will not be displayed to screen. @bwalk - The Binwalk class instance. @verbose - If set to True, target file information will be displayed when file_info() is called. Returns None. ''' self.fp = None self.log =log self.quiet = quiet self.binwalk = bwalk self.verbose = verbose if self.log is not None: self.fp = open(log, "w") def __del__(self): ''' Class deconstructor. ''' # Close the log file. try: self.fp.close() except: pass def _log(self, data): ''' Log data to the log file. ''' if self.fp is not None: self.fp.write(data) def _pprint(self, data): ''' Print data to stdout and the log file. ''' if not self.quiet: sys.stdout.write(data) self._log(data) def _file_md5(self, file_name): ''' Generate an MD5 hash of the specified file. ''' md5 = hashlib.md5() with open(file_name, 'rb') as f: for chunk in iter(lambda: f.read(128*md5.block_size), b''): md5.update(chunk) return md5.hexdigest() def file_info(self, file_name): ''' Prints detailed info about the specified file, including file name, scan time and the file's MD5 sum. Called internally by self.header if self.verbose is not 0. @file_name - The path to the target file. Returns None. ''' self._pprint("\n") self._pprint("Scan Time: %s\n" % datetime.now().strftime("%Y-%m-%d %H:%M:%S")) self._pprint("Signatures: %d\n" % self.binwalk.parser.signature_count) self._pprint("Target File: %s\n" % file_name) self._pprint("MD5 Checksum: %s\n" % self._file_md5(file_name)) def header(self, file_name=None): ''' Prints the Binwalk header, typically used just before starting a scan. @file_name - If specified, and if self.verbose > 0, then detailed file info will be included in the header. Returns None. ''' if self.verbose and file_name is not None: self.file_info(file_name) self._pprint("\nDECIMAL \tHEX \tDESCRIPTION\n") self._pprint("-------------------------------------------------------------------------------------------------------\n") def footer(self): ''' Prints the Binwalk footer, typically used just after completing a scan. Returns None. ''' self._pprint("\n") def results(self, offset, results): ''' Prints the results of a scan. Suitable for use as a callback function for Binwalk.scan(). @offset - The offset at which the results were found. @results - A list of libmagic result strings. Returns None. ''' offset_printed = False for info in results: # Check for any grep filters before printing if self.binwalk is not None and self.binwalk.filter.grep(info['description']): # Only display the offset once per list of results if not offset_printed: self._pprint("%-10d\t0x%-8X\t%s\n" % (offset, offset, info['description'])) offset_printed = True else: self._pprint("%s\t %s\t%s\n" % (' '*10, ' '*8, info['description'])) binwalk-1.0/src/binwalk/update.py0000644000175000017500000000344312104542363015177 0ustar eveeveimport urllib2 from config import * class Update: ''' Class for updating Binwalk configuration and signatures files from the subversion trunk. Example usage: from binwalk import Update Update().update() ''' BASE_URL = "http://binwalk.googlecode.com/svn/trunk/src/binwalk/" MAGIC_PREFIX = "magic/" CONFIG_PREFIX = "config/" def __init__(self): ''' Class constructor. ''' self.config = Config() def update(self): ''' Updates all system wide signatures and config files. Returns None. ''' self.update_binwalk() self.update_bincast() self.update_binarch() self.update_extract() def _do_update_from_svn(self, prefix, fname): ''' Updates the specified file to the latest version of that file in SVN. @prefix - The URL subdirectory where the file is located. @fname - The name of the file to update. Returns None. ''' url = self.BASE_URL + prefix + fname try: data = urllib2.urlopen(url).read() open(self.config.paths['system'][fname], "wb").write(data) except Exception, e: raise Exception("Update._do_update_from_svn failed to update file '%s': %s" % (url, str(e))) def update_binwalk(self): ''' Updates the binwalk signature file. Returns None. ''' self._do_update_from_svn(self.MAGIC_PREFIX, self.config.BINWALK_MAGIC_FILE) def update_bincast(self): ''' Updates the bincast signature file. Returns None. ''' self._do_update_from_svn(self.MAGIC_PREFIX, self.config.BINCAST_MAGIC_FILE) def update_binarch(self): ''' Updates the binarch signature file. Returns None. ''' self._do_update_from_svn(self.MAGIC_PREFIX, self.config.BINARCH_MAGIC_FILE) def update_extract(self): ''' Updates the extract.conf file. Returns None. ''' self._do_update_from_svn(self.CONFIG_PREFIX, self.config.EXTRACT_FILE) binwalk-1.0/src/binwalk/extractor.py0000644000175000017500000002565212104542363015736 0ustar eveeveimport os import sys import shlex import tempfile import subprocess from config import * from common import file_size class Extractor: ''' Extractor class, responsible for extracting files from the target file and executing external applications, if requested. An instance of this class is accessible via the Binwalk.extractor object. Example usage: import binwalk bw = binwalk.Binwalk() # Create extraction rules for scan results containing the string 'gzip compressed data' and 'filesystem'. # The former will be saved to disk with a file extension of 'gz' and the command 'gunzip ' will be executed (note the %e placeholder). # The latter will be saved to disk with a file extension of 'fs' and no command will be executed. # These rules will take precedence over subsequent rules with the same match string. bw.extractor.add_rule(['gzip compressed data:gz:gunzip %e', 'filesystem:fs']) # Load the extraction rules from the default extract.conf file(s). bw.extractor.load_defaults() # Run the binwalk scan. bw.scan('firmware.bin') ''' # Extract rules are delimited with a colon. # :[:] RULE_DELIM = ':' # Comments in the extract.conf files start with a pound COMMENT_DELIM ='#' # Place holder for the extracted file name in the command FILE_NAME_PLACEHOLDER = '%e' def __init__(self, verbose=False): ''' Class constructor. @verbose - Set to True to display the output from any executed external applications. Returns None. ''' self.config = Config() self.enabled = False self.delayed = False self.verbose = verbose self.extract_rules = {} self.remove_after_execute = False def add_rule(self, rule): ''' Adds a set of rules to the extraction rule list. @rule - Rule string, or list of rule strings, in the format :[:] Returns None. ''' r = { 'extension' : '', 'cmd' : '' } if type(rule) != type([]): rules = [rule] else: rules = rule for rule in rules: r['cmd'] = '' r['extension'] = '' try: values = self._parse_rule(rule) match = values[0].lower() r['extension'] = values[1] r['cmd'] = values[2] except: pass # Verify that the match string and file extension were retrieved. # Only add the rule if it is a new one (first come, first served). if match and r['extension'] and not self.extract_rules.has_key(match): self.extract_rules[match] = {} self.extract_rules[match]['cmd'] = r['cmd'] self.extract_rules[match]['extension'] = r['extension'] # Once any rule is added, set self.enabled to True self.enabled = True def enable_delayed_extract(self, tf=None): ''' Enables / disables the delayed extraction feature. This feature ensures that certian supported file types will not contain extra data at the end of the file when they are extracted, but also means that these files will not be extracted until the end of the scan. @tf - Set to True to enable, False to disable. Returns the current delayed extraction setting. ''' if tf is not None: self.delayed = tf return self.delayed def load_from_file(self, fname): ''' Loads extraction rules from the specified file. @fname - Path to the extraction rule file. Returns None. ''' try: # Process each line from the extract file, ignoring comments for rule in open(fname).readlines(): self.add_rule(rule.split(self.COMMENT_DELIM, 1)[0]) except Exception, e: raise Exception("Extractor.load_from_file failed to load file '%s': %s" % (fname, str(e))) def load_defaults(self): ''' Loads default extraction rules from the user and system extract.conf files. Returns None. ''' # Load the user extract file first to ensure its rules take precedence. extract_files = [ self.config.paths['user'][self.config.EXTRACT_FILE], self.config.paths['system'][self.config.EXTRACT_FILE], ] for extract_file in extract_files: try: self.load_from_file(extract_file) except Exception, e: if self.verbose: raise Exception("Extractor.load_defaults failed to load file '%s': %s" % (extract_file, str(e))) def cleanup_extracted_files(self, tf=None): ''' Set the action to take after a file is extracted. @tf - If set to True, extracted files will be cleaned up after running a command against them. If set to False, extracted files will not be cleaned up after running a command against them. If set to None or not specified, the current setting will not be changed. Returns the current cleanup status (True/False). ''' if tf is not None: self.remove_after_execute = tf return self.remove_after_execute def extract(self, offset, description, file_name, size, name=None): ''' Extract an embedded file from the target file, if it matches an extract rule. Called automatically by Binwalk.scan(). @offset - Offset inside the target file to begin the extraction. @description - Description of the embedded file to extract, as returned by libmagic. @file_name - Path to the target file. @size - Number of bytes to extract. @name - Name to save the file as. Returns the name of the extracted file (blank string if nothing was extracted). ''' cleanup_extracted_fname = True rule = self._match(description) if rule is not None: fname = self._dd(file_name, offset, size, rule['extension'], output_file_name=name) if rule['cmd']: # Many extraction utilities will extract the file to a new file, just without # the file extension (i.e., myfile.7z => myfile). If the presumed resulting # file name already exists before executing the extract command, do not attempt # to clean it up even if its resulting file size is 0. if self.remove_after_execute: extracted_fname = os.path.splitext(fname)[0] if os.path.exists(extracted_fname): cleanup_extracted_fname = False # Execute the specified command against the extracted file self._execute(rule['cmd'], fname) # Only clean up files if remove_after_execute was specified if self.remove_after_execute: # Remove the original file that we extracted try: os.unlink(fname) except: pass # If the command worked, assume it removed the file extension from the extracted file # If the extracted file name file exists and is empty, remove it if cleanup_extracted_fname and os.path.exists(extracted_fname) and file_size(extracted_fname) == 0: try: os.unlink(extracted_fname) except: pass else: fname = '' return fname def delayed_extract(self, results, file_name, size): ''' Performs a delayed extraction (see self.enable_delayed_extract). Called internally by Binwalk.Scan(). @results - A list of dictionaries of all the scan results. @file_name - The path to the scanned file. @size - The size of the scanned file. Returns an updated results list containing the names of the newly extracted files. ''' index = 0 info_count = 0 nresults = results for (offset, infos) in results: info_count = 0 for info in infos: ninfos = infos if info['delay']: end_offset = self._entry_offset(index, results, info['delay']) if end_offset == -1: extract_size = size else: extract_size = (end_offset - offset) ninfos[info_count]['extract'] = self.extract(offset, info['description'], file_name, extract_size, info['name']) nresults[index] = (offset, ninfos) info_count += 1 index += 1 return nresults def _entry_offset(self, index, entries, description): ''' Gets the offset of the first entry that matches the description. @index - Index into the entries list to begin searching. @entries - Dictionary of result entries. @description - Case insensitive description. Returns the offset, if a matching description is found. Returns -1 if a matching description is not found. ''' description = description.lower() for (offset, infos) in entries[index:]: for info in infos: if info['description'].lower().startswith(description): return offset return -1 def _match(self, description): ''' Check to see if the provided description string matches an extract rule. Called internally by self.extract(). @description - Description string to check. Returns the associated rule dictionary if a match is found. Returns None if no match is found. ''' description = description.lower() for (m, rule) in self.extract_rules.iteritems(): if m in description: return rule return None def _parse_rule(self, rule): ''' Parses an extraction rule. @rule - Rule string. Returns an array of ['', '', '']. ''' return rule.strip().split(self.RULE_DELIM, 2) def _dd(self, file_name, offset, size, extension, output_file_name=None): ''' Extracts a file embedded inside the target file. @file_name - Path to the target file. @offset - Offset inside the target file where the embedded file begins. @size - Number of bytes to extract. @extension - The file exension to assign to the extracted file on disk. @output_file_name - The requested name of the output file. Returns the extracted file name. ''' # Default extracted file name is . altname = "%X.%s" % (offset, extension) if not output_file_name or output_file_name is None: fname = altname else: fname = "%s.%s" % (output_file_name, extension) # Sanitize output file name of invalid/dangerous characters (like file paths) fname = os.path.basename(fname) try: # Open the target file and seek to the offset fdin = open(file_name, "rb") fdin.seek(offset) # Open the extracted file try: fdout = open(fname, "wb") except: # Fall back to the alternate name if the requested name fails fname = altname fdout = open(fname, "wb") # Read size bytes from target file and write it to the extracted file fdout.write(fdin.read(size)) # Cleanup fdout.close() fdin.close() except Exception, e: raise Exception("Extractor.dd failed to extract data from '%s' to '%s': %s" % (file_name, fname, str(e))) return fname def _execute(self, cmd, fname): ''' Execute a command against the specified file. @cmd - Command to execute. @fname - File to run command against. Returns None. ''' tmp = None # If not in verbose mode, create a temporary file to redirect stdout and stderr to if not self.verbose: tmp = tempfile.TemporaryFile() try: # Replace all instances of FILE_NAME_PLACEHOLDER in the command with fname cmd = cmd.replace(self.FILE_NAME_PLACEHOLDER, fname) # Execute. subprocess.call(shlex.split(cmd), stdout=tmp, stderr=tmp) except Exception, e: sys.stderr.write("WARNING: Extractor.execute failed to run '%s': %s\n" % (cmd, str(e))) if tmp is not None: tmp.close() binwalk-1.0/src/support/0000755000175000017500000000000012104542363013424 5ustar eveevebinwalk-1.0/src/support/lzma_gen.py0000755000175000017500000000501112104542363015572 0ustar eveeve#!/usr/bin/env python # Generates LZMA signatures for each valid LZMA property in the properties list. properties = [ 0x5D, 0x01, 0x02, 0x03, 0x04, 0x09, 0x0A, 0x0B, 0x0C, 0x12, 0x13, 0x14, 0x1B, 0x1C, 0x24, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x36, 0x37, 0x38, 0x39, 0x3F, 0x40, 0x41, 0x48, 0x49, 0x51, 0x5A, 0x5B, 0x5C, 0x5E, 0x63, 0x64, 0x65, 0x66, 0x6C, 0x6D, 0x6E, 0x75, 0x76, 0x7E, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x90, 0x91, 0x92, 0x93, 0x99, 0x9A, 0x9B, 0xA2, 0xA3, 0xAB, 0xB4, 0xB5, 0xB6, 0xB7, 0xB8, 0xBD, 0xBE, 0xBF, 0xC0, 0xC6, 0xC7, 0xC8, 0xCF, 0xD0, 0xD8, ] common_properties = [0x5D, 0x6D] dictionary_sizes = [ 65536, 131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608, 16777216, 33554432, ] for fbyte in properties: # if fbyte not in common_properties: # fexclude = '{filter-exclude}' # else: # fexclude = '' fexclude = '' sig = '\n# ------------------------------------------------------------------\n' sig += '# Signature for LZMA compressed data with valid properties byte 0x%.2X\n' % fbyte sig += '# ------------------------------------------------------------------\n' sig += '0\t\tstring\t\\x%.2X\\x00\\x00\tLZMA compressed data, properties: 0x%.2X,%s\n' % (fbyte, fbyte, fexclude) sig += '\n# These are all the valid dictionary sizes supported by LZMA utils.\n' for i in range(0, len(dictionary_sizes)): if i < 6: indent = '\t\t' else: indent = '\t' if i == len(dictionary_sizes)-1: invalid = 'invalid' else: invalid = '' sig += '%s1%slelong\t!%d\t%s\n' % ('>'*(i+1), indent, dictionary_sizes[i], invalid) sig += '>1\t\tlelong\tx\t\tdictionary size: %d bytes,\n' sig += '\n# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.\n' sig += '>5\t\tlequad\t<1\t\tinvalid\n' sig += '>5\t\tlequad\t>0x40000000\tinvalid\n' sig += '\n# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.\n' sig += '# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),\n' sig += '# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.\n' for dsize in dictionary_sizes: if dsize < 16777216: indent = '\t\t' else: indent = '\t' sig += '>1\t\tlelong\t%d\n' % dsize sig += '>>5\t\tlequad\t%d%sinvalid\n' % (dsize, indent) sig += '>5\t\tlequad\tx\t\tuncompressed size: %lld bytes\n' print sig binwalk-1.0/docs/0000755000175000017500000000000012104542363012051 5ustar eveevebinwalk-1.0/docs/README0000644000175000017500000002307012104542363012733 0ustar eveeveDESCRIPTION Binwalk is a tool for searching a given binary image for embedded file types. Specifically, it was designed for identifying files embedded inside of firmware images. Binwalk file signatures are compatible with the magic signatures used by the Unix file utility. Binwalk includes customized/improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc. Binwalk can scan for executable code by searching for opcodes associated with the function prologues/epiloges of various architectures. Binwalk can display the value of each file offset in various data types (long, short, date, etc). This is useful for identifying unknown firmware header fields such as date and length values. Binwalk can extract embedded files from firmware images and invoke external applications for further analysis, decompression or extraction. INSTALLATION To install binwalk, run the following command from the src directory: # python setup.py install DEPENDENCIES Binwalk is currently supported on the Linux and Mac OSX platforms. Binwalk depends on the libmagic library (version 5.05 or newer) and its corresponding magic Python module. Debian users can install these dependencies via apt-get: $ sudo apt-get install libmagic1 python-magic Note that some distributions/platforms may not have libmagic readily available, or may use an older version of libmagic that is incompatible with binwalk. In this case, you may download the source code for the file utility at: ftp://ftp.astron.com/pub/file/ Follow the file utility's documentation to build and install both libmagic and the Python magic module. BASIC USAGE The only required options to binwalk are the file(s) that you want to search: $ binwalk firmware1.bin firmware2.bin firmware3.bin Binwalk signatures and system-wide configuration files can be updated to the latest from the SVN trunk with the --update option (this likely will need to be run as root): # binwalk --update To see more verbose information about the file being scanned, specify the --verbose option. This option is automatically enabled if more than one target file is specified on the command line: $ binwalk --verbose firmware.bin Output can be logged to a file with the --file option: $ binwalk --file=binwalk.log firmware.bin Output to stdout can be suppressed with the --quiet option: $ binwalk --file=binwalk.log --quiet firmware.bin By default, scans start at the first byte of the specified file (offset 0) and end at the end of the specified file. These settings can be controlled with the --offset and --length options, respectively. For example, the following command will scan 128 bytes starting at offset 64: $ binwalk --offset=64 --length=128 firmware.bin By default, binwalk will scan every byte for possible signatures. To scan every 2 bytes, 4 bytes, 8 bytes, etc, use the --align option: $ binwalk --align=4 firmware.bin By default binwalk will use the signatures from the magic.binwalk file, but you may specify an alternate signature file with the --magic option: $ binwalk --magic=/usr/share/misc/magic firmware.bin To search for a sequence of bytes without creating a signature file, use the --raw-bytes option: $ binwalk --raw-bytes="\x00\x01\x02\x03" firmware.bin TYPES OF SCANS By default binwalk will scan for file signatures inside the specified target file(s), however, other types of scans are also supported. To scan for known x86/MIPS/ARM/PPC opcodes, use the --opcodes option: $ binwalk --opcodes firmware.bin To cast each offset in the file as various data types (big/little endian shorts/longs, date fields, etc), use the --cast option (best used with the --length / --offset options): $ binwalk --cast --length=64 firmware.bin CONTROLLING SCAN BEHAVIOR Some signatures - notably those whose magic signatures are less than 3 bytes - are excluded by default from binwalk scans. These can be individually included with the --include option, or globally with --all (multiple --include options may be specified): $ binwalk --include=minix firmware.bin $ binwalk --all firmware.bin By default results marked as invalid are not displayed. They can be displayed by specifying the --show-invalid option: $ binwalk --show-invalid firmware.bin By default binwalk will stop scanning for signatures at any given offset once a valid signature has been found at that offset. To display all signatures that match at all offsets, use the --keep-going option: $ binwalk --keep-going firmware.bin FILTERING SCAN RESULTS It may at times be desirable to exclude certian signatures from the scan results. This can be done with the --exclude option (multiple --exclude options may be specified): $ binwalk --exclude='lzma compressed data' firmware.bin It may at times be desirable to only search for a certian signature or group of signatures. This can be done with the --search option (multiple --search options may be specified): $ binwalk --search=filesystem firmware.bin The --grep option is useful for filtering output that contains multiple results per line, such as occurs with the --cast option: $ binwalk --cast --grep=2012 firmware.bin EXTRACTING FILES Binwalk can extract matches found inside the target file(s), and optionally execute an external command each time a file is extracted using the --dd option. At a minimum, a string to search for in the output description and a file extension must be specified. A command to execute may also be specified. These three fields are colon delimited. To extract all matches that contain the text 'gzip compressed data' and save them with a file extension of 'gz': $ binwalk --dd='gzip compressed data:gz' firmware.bin To extract all matches that contain the text 'gzip compressed data', save them with a file extension of 'gz' and execute the 'gunzip' command against the extracted file (note the use of the %e place holder for the path to the extracted file): $ binwalk --dd='gzip compressed data:gz:gunzip %e' firmware.bin There are some file types that are commonly extracted, and specifying a --dd option for each one is tiresome. The -e option will load extract rules from the system/user extract.conf file (see the CONFIGURATION FILES section below): $ binwalk -e firmware.bin To specify a different extraction rule file, use --extract: $ binwalk --extract=./my_extract.conf firmware.bin Extracting files with --dd or --extract can leave a lot of uneccessary files laying around. These can be automatically cleaned up with the --rm option. If specified, any extracted file that had a command run against it will be deleted after the command has finished execution. Additionally, if files created by the executed command are 0 bytes in size, they will also be removed: $ binwalk --rm firmware.bin Some file types do not specify their file size in their header, but rather rely on a footer or delimiter to signify the end of the file. When extracted these files will by default be copied from the start of the header to the end of the target file. If there are many of these files, this can take up unecessary disk space. For those files which are supported, specifying the --delay option will delay the extraction of these files until the end of the file can be found: $ binwalk --delay firmware.bin DISPLAYING SCAN PROGRESS Some scans can take some time to complete and may not display many results during this time. You can press the enter key at any time to force binwalk to display its current scan progress: $ binwalk -v firmware.bin DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------ Progress: 1595 / 12074736 (0.01%) Progress: 8015 / 12074736 (0.07%) Progress: 12424 / 12074736 (0.10%) SIGNATURE FILES There are three signature files used by binwalk: o magic/binwalk - The default signature file. o magic/binarch - The signature file used with --opcodes. o magic/bincast - The signature file used with --cast. Users may create their own signatures that will be added to the respective system-wide files when performing a scan. This is as easy as editing the following files in the user home directory: o .binwalk/magic/binwalk o .binwalk/magic/binarch o .binwalk/magic/bincast Although the system-wide signature files can also be altered, the system-wide signature files will be overwritten when upgrading binwalk, or using the --update option. The user files will not be touched however, and will survive these updates. CONFIGURATION FILES There is one configuration file used by binwalk only when the --extract option is specified: o config/extract.conf This file contains a list of extract rules, identical to the arguments that would be passed to the --dd option. Users can override and add to this list of extract rules by adding their own rules to the following file in the user home directory: o .binwalk/config/extract.conf Note that when overriding a system-wide extract rule, the 'type' field in the user extract rule must exactly match the 'type' field in the system-wide extract rule. Although the system-wide extract.conf file can also be altered, this file will be overwritten when upgrading binwalk or using the --update option. The user extract.conf file will not be touched however, and will survive these updates. MORE INFORMATION For more detailed and up to date information, visit the binwalk wiki page at: http://code.google.com/p/binwalk/wiki/TableOfContents binwalk-1.0/docs/API0000644000175000017500000000722212104542363012410 0ustar eveeveDESCRIPTION The binwalk python module can be used by any python script to programatically perform binwalk scans and obtain the results of those scans. The classes, methods and objects in the binwalk modules are documented via pydoc, including examples, so those interested in using the binwalk module are encouraged to look there. However, several common usage examples are provided here to help jump-start development efforts. BASIC SCAN This is the simplest scan, and is equivalent to running binwalk on the command line with no additional arguments. Note the use of the cleanup() method, which will ensure all temporary files generated by binwalk are cleaned up: from binwalk import Binwalk binwalk = Binwalk() results = binwalk.scan('firmware.bin') binwalk.cleanup() The scan() method will return a list of tuples, one tuple for each offset in the target file where a matching signature was found. The first element of each tuple is the offset into the file at which the match was found. The second tuple is a list of dictionaries (depending on the binwalk options, there may be more than one match for a given offset); each dictionary describes a matching signature: results = [ (0, [{description : "LZMA compressed data..."}]), (112, [{description : "gzip compressed data..."}]), ] A callback function may also be specified. The callback function is called as soon as a match is identified. It is passed two arguments: the offset at which the match was found, and a list of dictionaries as described above: from binwalk import Binwalk def my_callback(offset, results): print "Found %d results at offset %d:" % (len(results), offset) for result in results: print " %s" % result['description'] binwalk = Binwalk(callback=my_callback) binwalk.scan('firmware.bin') binwalk.cleanup() ADDING FILTERS Include and exclude filters may be specified which operate identically to the --include, --exclude and --search binwalk command line options: from binwalk import Binwalk binwalk = Binwalk() # Adds a normally excluded signature to the existing list of signatures (same as --include) binwalk.filter.include('minix', exclusive=False) # Exclusively filters out all signatures except those containing the string 'filesystem' (same as --search) binwalk.filter.include('filesystem') # Excludes all results that contain the string 'jffs2' (same as --exclude) binwalk.filter.exclude('jffs2') binwalk.scan('firmware') EXTRACTING FILES Extract rules may be specified which operate identically to the --dd and --extract binwalk command line options. To add a custom extract rule, or a list of extract rules (such as with the --dd option): from binwalk import Binwalk binwalk = Binwalk() # Extract results containing the string 'gzip' with a file extension of 'gz' and run the gunzip command binwalk.extractor.add_rule('gzip:gz:gunzip %e') # Extract 'gzip' and 'filesystem' results binwalk.extractor.add_rule(['gzip:gz', 'filesystem:fs']) binwalk.scan('firmware') To load the default extraction rules from the extract.conf file (such as with the --extract option): from binwalk import Binwalk binwalk = Binwalk() binwalk.extractor.load_defaults() binwalk.Scan('firmware.bin') To enabled delayed file extraction (such as with the --delay option): from binwalk import Binwalk binwalk = Binwalk() binwalk.extractor.enable_delayed_extract(True) binwalk.Scan('firmware.bin') To enable file cleanup after extraction (such as with the --rm option): from binwalk import Binwalk binwalk = Binwalk() binwalk.extractor.cleanup_extracted_files(True) binwalk.Scan('firmware.bin') binwalk-1.0/docs/COPYING0000644000175000017500000000206312104542363013105 0ustar eveeveThe MIT License Copyright (c) 2010 Craig Heffner Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.