1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
#------------------------------------------------------------
# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
# Various android related magic entries
#------------------------------------------------------------
# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0 string dex\n
>0 regex dex\n[0-9]{2}\0 Dalvik dex file
>4 string >000 version %s
0 string dey\n
>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
>4 string >000 version %s
# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
0 string ANDROID! Android bootimg
>1024 string LOKI \b, LOKI'd
>>1028 lelong 0 \b (boot)
>>1028 lelong 1 \b (recovery)
>8 lelong >0 \b, kernel
>>12 lelong >0 \b (%#x)
>16 lelong >0 \b, ramdisk
>>20 lelong >0 \b (%#x)
>24 lelong >0 \b, second stage
>>28 lelong >0 \b (%#x)
>36 lelong >0 \b, page size: %d
>38 string >0 \b, name: %s
>64 string >0 \b, cmdline (%s)
# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0 string/b ANDROID\ BACKUP\n Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16 string \n
# No mime-type defined officially
!:mime application/x-google-ab
!:ext ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15 string >\0 \b, version %s
# "1" on 3rd line means compressed
>17 string 0\n \b, Not-Compressed
>17 string 1\n \b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19 string none\n \b, Not-Encrypted
# look for backup content after line with encryption info
#>>19 search/7 \n
# data part after header for not encrypted Android Backup
#>>>&0 ubequad x \b, content %#16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0 indirect x \b; contains
# look for tar archive block by ./archive for package name manifest
>>288 string ustar \b; contains
>>>31 use tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079 search/1025/s PK\003\004 \b; contains
#>>>&0 indirect x
>19 string !none
>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s"
#>>>&1 regex/1l .* \b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1 regex/1l .* \b, Master salt: %s
# The 7th line is Number of PBDKF2 Rounds (10000)
#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1 regex/1l .* \b, IV: %s
#>>>>>>&1 regex/1l .* \b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1 regex/1l .* \b, Key: %s
# look for new line separator char after line number 9
#>>>0x204 ubyte 0x0a NL found
#>>>>&1 ubequad x \b, Content magic %16.16llx
# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
0 ulelong 0x12349876
# 1st pit entry marker
>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4 ulelong <128 Partition Information Table for Samsung smartphone
>>>4 ulelong x \b, %d entries
# 1. pit entry
>>>4 ulelong >0 \b; #1
>>>0x01C use PIT-entry
>>>4 ulelong >1 \b; #2
>>>0x0A0 use PIT-entry
>>>4 ulelong >2 \b; #3
>>>0x124 use PIT-entry
>>>4 ulelong >3 \b; #4
>>>0x1A8 use PIT-entry
>>>4 ulelong >4 \b; #5
>>>0x22C use PIT-entry
>>>4 ulelong >5 \b; #6
>>>0x2B0 use PIT-entry
>>>4 ulelong >6 \b; #7
>>>0x334 use PIT-entry
>>>4 ulelong >7 \b; #8
>>>0x3B8 use PIT-entry
>>>4 ulelong >8 \b; #9
>>>0x43C use PIT-entry
>>>4 ulelong >9 \b; #10
>>>0x4C0 use PIT-entry
>>>4 ulelong >10 \b; #11
>>>0x544 use PIT-entry
>>>4 ulelong >11 \b; #12
>>>0x5C8 use PIT-entry
>>>4 ulelong >12 \b; #13
>>>>0x64C use PIT-entry
# 14. pit entry
>>>4 ulelong >13 \b; #14
>>>>0x6D0 use PIT-entry
>>>4 ulelong >14 \b; #15
>>>0x754 use PIT-entry
>>>4 ulelong >15 \b; #16
>>>0x7D8 use PIT-entry
>>>4 ulelong >16 \b; #17
>>>0x85C use PIT-entry
# 18. pit entry
>>>4 ulelong >17 \b; #18
>>>0x8E0 use PIT-entry
0 name PIT-entry
# garbage value implies end of pit entries
>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# skip empty partition name
>>0x24 ubyte !0
# partition name
>>>0x24 string >\0 %-.32s
# flags
>>>0x0C ulelong&0x00000002 2 \b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08 ulelong x (%#x)
# filename
>>>0x44 string >\0 "%-.64s"
#>>>0x18 ulelong >0
# blocksize in 512 byte units ?
#>>>>0x18 ulelong x \b, %db
# partition size in blocks ?
#>>>>0x22 ulelong x \b*%d
# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0 lelong 0xed26ff3a Android sparse image
>4 leshort x \b, version: %d
>6 leshort x \b.%d
>16 lelong x \b, Total of %d
>12 lelong x \b %d-byte output blocks in
>20 lelong x \b %d input chunks.
# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# The strength is increased to avoid misidentifying as Targa image data
0 lelong 0x00080003 Android binary XML
!:strength +1
# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
0 lelong 0xd0b5b1c4 Android cryptfs footer
>4 leshort x \b, version: %d
>6 leshort x \b.%d
# Android Vdex format
# From https://android.googlesource.com/\
# platform/art/+/master/runtime/vdex_file.h
0 string vdex Android vdex file,
>4 string >000 verifier deps version: %s,
>8 string >000 dex section version: %s,
>12 lelong >0 number of dex files: %d,
>16 lelong >0 verifier deps size: %d
# Android Vdex format, dexfile is currently being updated
# by android system
# From https://android.googlesource.com/\
# platform/art/+/master/dex2oat/dex2oat.cc
0 string wdex Android vdex file, being processed by dex2oat,
>4 string >000 verifier deps version: %s,
>8 string >000 dex section version: %s,
>12 lelong >0 number of dex files: %d,
>16 lelong >0 verifier deps size: %d
# Disassembled DEX files
0 string/t .class\x20
>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali)
!:ext smali
# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileTranscoder.java
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileVersion.java
0 string pro\x00
>0 regex pro\x000[0-9][0-9]\x00 Android ART profile
!:ext prof
>>4 string 001\x00 \b, version 001 N
>>4 string 005\x00 \b, version 005 O
>>4 string 009\x00 \b, version 009 O MR1
>>4 string 010\x00 \b, version 010 P
>>4 string 015\x00 \b, version 015 S
0 string prm\x00
>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata
!:ext profm
>>4 string 001\x00 \b, version 001 N
>>4 string 002\x00 \b, version 002
# Android package resource table (ARSC): resources.arsc
# Reference: https://android.googlesource.com/platform/tools/base/\
# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
# src/main/java/com/google/devrel/gmscore/tools/apk/arsc
# 00: resource table type = 0x0002 (2) + header size = 12 (2)
# 04: chunk size (4, skipped)
# 08: #packages (4)
0 ulelong 0x000c0002 Android package resource table (ARSC)
!:ext arsc
>8 ulelong !1 \b, %d packages
# 12: string pool type = 0x0001 (2) + header size = 28 (2)
# 16: chunk size (4, skipped)
# 20: #strings (4), #styles (4), flags (4)
>12 ulelong 0x001c0001
>>20 ulelong !0 \b, %d string(s)
>>24 ulelong !0 \b, %d style(s)
>>28 ulelong &1 \b, sorted
>>28 ulelong &256 \b, utf8
# extracted APK Signing Block
-16 string APK\x20Sig\x20Block\x2042 APK Signing Block
|