使用 hexdump 进行文件分析 - 未知容器

逆向工程 二元分析 文件格式 十六进制
2021-06-17 03:17:35

我有一个由安卓手机生成的备份文件。但是,如果没有原始软件,我不知道文件类型或如何提取内容。我曾尝试使用 hexdump 搜索常见文件头,但由于我是这个主题的新手,我不知道如何继续。

我知道以下几点: - 文件必须是某种容器或压缩档案 - 文件被分成多个部分(userdata_xxxx.backup、userdata_xxxx.backup1、...) - 文件以以下内容开头:

00000000 53 3a 79 0e 63 9a 67 f3 a2 22 ff 40 64 51 5d 5a |S:ycg.".@dQ]Z|
00000010 61 18 d0 b8 7b 5b 6c 13 c7 72 17 60 00 ee ed e1 |a...{[l..r.`....|
00000020 51 d0 97 59 a6 40 aa d9 b6 c3 09 cf aa 8a 79 ff |Q..Y.@........y.|
00000030 5f 7c dc d0 09 7e 11 56 e3 58 38 c7 03 a0 67 ea |_|...~.V.X8...g.|
00000040 f5 b3 04 fa 65 fc 85 ae c0 db eb 38 00 58 53 af |....e......8.XS.|
00000050 8a 8d 1d c9 65 eb 1e 1a 2c 19 c7 62 62 71 8b c9 |....e...,..bbq..|
00000060 ac cc 0e c5 6f bd 92 5d 69 9e 88 28 ef af d9 54 |....o..]i..(...T|
00000070 21 33 59 60 5f 77 e7 0e 8b 70 03 f1 b3 e3 5b ce |!3Y`_w...p....[.|
00000080 57 ff b5 13 cb 3c f1 84 4a 5f 25 e7 80 c0 b9 a5 |W....;.-.._....p&.|
00000100 1e 7e 7d 41 37 df a0 55 0e 7a f3 64 74 e2 6b ca |.~}A7..Uzdt.k.|
00000110 4f 4f 9f 32 11 cb d3 3d 6c 29 72 55 72 08 66 a5 |OO.2...=l)rUr.f.|
00000120 2c 67 33 74 6a 82 88 01 90 ce 63 54 83 f3 63 5e |,g3tj.....cT..c^|
00000130 8e 4e 53 4e 8e bd ec 57 4f ed 69 4f f0 92 9e ef |.NSN...WO.iO....|
00000140 9d 60 24 57 a0 32 ed 0a 2e f5 00 cb 4e e3 7a 69 |.`$W.2......N.zi|
00000150 7a cc b7 54 51 24 00 6b 94 df 86 78 cd a0 50 db |z..TQ$.k...x..P.|
00000160 bf 9d fa 9e 91 91 64 f8 9c 89 ed 28 0b 65 fd d1 |......d....(.e..|
00000170 ef f3 dc f8 24 61 c6 08 70 d9 31 04 6f 56 cc 81 |....$a..p.1.oV..|
00000180 2b 8b da 4a c2 86 98 70 c0 12 3d d5 8a 64 f6 45 |+..J...p..=..dE|
00000190 17 14 2c 20 9f 4c 96 4e 56 8c 19 5e fa c4 af 19 |.., .L.NV..^....|
000001a0 22 20 48 4c e4 9d 7f d3 e2 63 ec 12 2b a1 7a 76 |" HL.....c..+.zv|
000001b0 cb 97 28 c1 49 62 d8 84 34 33 90 2e 34 35 e5 0c |..(.Ib..43..45..|
000001c0 84 6b 56 95 46 6d c2 77 12 d4 c5 58 19 e9 ce 26 |.kV.Fm.w...X...&|
000001d0 6b e5 88 1c b7 d0 40 f8 dd 50 ab c6 00 b5 c5 12 |k.....@..P......|
000001e0 fe d2 8d 62 d6 06 4e e2 50 21 94 1c c2 44 b6 fa |...b..NP!...D..|
000001f0 b9 51 91 5b 00 fa 2d 78 10 40 f4 66 c5 a2 85 3d |.Q.[..-x.@.f...=|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
00000600 90 d2 1a 00 80 3f 6b 00 00 10 00 00 12 68 09 00 |.....?k......h..|
00000610 f9 72 19 00 00 00 00 00 02 00 00 00 02 00 00 00 |.r.........|
00000620 00 80 00 00 00 80 00 00 f0 1f 00 00 54 52 7b 59 |................TR{Y|
00000630 55 52 7b 59 4a 00 ff ff 53 ef 01 00 02 00 00 00 |UR{YJ...S.......|
00000640 71 a8 41 59 00 00 00 00 00 00 00 00 01 00 00 00 |q.AY............|
00000650 1a 27 00 00 0b 00 00 00 00 01 00 00 1c 00 00 00 |..................|
00000660 46 00 00 00 13 00 00 00 57 f8 f4 bc ab f4 65 5f |F.......W.....e_|
00000670 bf 67 94 6f c0 f9 f2 5b 00 00 00 00 00 00 00 00 |.go..[........|
00000680 00 00 00 00 00 00 00 00 2f 64 61 74 61 00 00 00 |......../数据...| //data是文件必须包含的目录
00000690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
000006c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 |................|
000006d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
000006e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
000006f0 00 00 00 00 00 00 00 00 00 00 00 00 02 01 20 00 |................ .|
00000700 00 00 00 00 00 00 00 00 00 00 00 00 0a f3 02 00 |................|
00000710 03 00 00 00 00 00 00 00 00 00 00 00 fe 7d 00 00 |................}..|
00000720 01 02 01 00 fe 7d 00 00 02 02 00 00 01 02 6b 00 |.....}........k.|
00000730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
00000750 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 1c 00 ||
...
  • 文件中必须有图像,jpeg 图像如下所示:
...
0060a7e0 25 39 37 2b 46 ca e9 ce 56 4e 6e 31 b2 b5 94 db |%97+F...VNn1....|
0060a7f0 77 4d b8 ca a3 ff d9 00 00 00 00 00 00 00 00 00 |wM ...............| //JPEG页脚,第一张图片到此结束
0060a800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
0060b000 c8 d7 79 0a 69 c7 60 00 23 10 00 00 07 80 00 06 |..yi`.#.......|
0060b010 05 07 03 40 1f 40 1f 00 04 80 00 ff ff ff 00 00 |...@.@.........|
0060b020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
0060c000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 |......JFIF......| //JPEG头,下一张图片开始
0060c010 00 01 00 00 ff db 00 43 00 01 01 01 01 01 01 01 |.......C......|
0060c020 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ||
*
0060c050 01 01 01 01 01 01 01 01 01 ff db 00 43 01 01 01 |................C...|
0060c060 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ||
*
0060c090 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ff c0 |................|
0060c0a0 00 11 08 00 60 00 60 03 01 22 00 02 11 01 03 11 |....`.`....."......|
0060c0b0 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 ||
0060c0c0 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 |................|
0060c0d0 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 ||
0060c0e0 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 |......}......!|
0060c0f0 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 |1A..Qa."q.2....#|
0060c100 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 |B...R..$3br....|
0060c110 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a |...%&'()*456789:|
0060c120 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a |CDEFGHIJSTUVWXYZ|
0060c130 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a |cdefghijstuvwxyz|
...
  • 文本文件似乎未压缩存储,内容可以读取
...
00677230 69 63 2c 20 49 6e 63 2e 2c 20 53 6f 6e 79 2f 41 |ic, Inc., Sony/A|
00677240 54 56 20 4d 75 73 69 63 20 50 75 62 6c 69 73 68 |电视音乐出版|
00677250 69 6e 67 20 4c 4c 43 22 7d 2c 22 68 69 64 65 68 |ing LLC"},"hideh|
00677260 65 61 64 65 72 22 3a 66 61 6c 73 65 7d 2c 22 62 |eader":false},"b|
00677270 65 61 63 6f 6e 64 61 74 61 22 3a 7b 22 70 72 6f |eacondata":{"pro|
00677280 76 69 64 65 72 6e 61 6d 65 22 3a 22 4c 79 72 69 |vidername":"Lyri|
00677290 63 73 22 7d 7d 2c 7b 22 69 64 22 3a 22 66 61 63 |cs"}},{"id":"fac|
006772a0 65 62 6f 6f 6b 22 2c 22 74 79 70 65 22 3a 22 73 |ebook","type":"s|
006772b0 70 6f 6e 73 6f 72 65 64 22 2c 22 70 72 6f 76 69 |赞助","provi|
006772c0 64 65 72 6e 61 6d 65 22 3a 22 66 61 63 65 62 6f |dername":"facebo|
006772d0 6f 6b 22 2c 22 73 69 74 65 6b 65 79 22 3a 22 74 |ok","sitekey":"t|
...
  • 所有文件都以类似的方式开始,至少前几个字符是相同的
//文件2
00000000 53 3a 79 0e 63 9a 67 f3 a2 22 ff 40 3a 53 5f 0b |S:ycg.".@:S_.|
00000010 a0 3c e4 5b b9 38 e2 70 97 7d 7b 6b 99 2f 93 eb |.'.0T.......|
00000090 bc 0f 24 1d 3d d7 42 91 56 17 c6 c5 09 ad 6a 2f |..$.=.BV....j/|
000000a0 3f cd 0d ae ab cc 89 2f 7d 92 de 91 7b dc 8c 60 |?....../}...{..`|
000000b0 48 f5 74 17 3a c5 57 8d dc c8 d0 83 71 5a c5 8b |Ht:.W.....qZ..|
000000c0 b8 ea ae b5 49 16 77 2a d0 6b 97 ca 8f 3f 28 77 |....Iw*.k...?(w|
000000d0 e3 5a ef 8c 71 df 0e 9e 6b 77 d6 1c 79 6d e9 22 |.Z..q...kw..ym."|
000000e0 16 62 f5 2e 05 21 16 e3 1b 39 a1 1f f5 55 59 72 |.b...!...9...UYr|
000000f0 a4 e5 87 50 d5 b2 f4 0c 9b 4b 19 7a c4 b9 b6 70 |...P.....Kz..p|
00000100 f7 44 54 f2 27 03 25 e1 95 80 b2 e3 ff dd 3e 13 |.DT.'.%......>.|
00000110 54 de 14 fa bb f3 07 b7 db 99 0c 7b 0e 56 7e 72 |T..........{.V~r|
00000120 02 ef de fd b2 48 b3 72 39 e5 39 08 01 74 85 37 |.....H.r9.9..t.7|
00000130 9c 6e 56 62 0d 15 8c 22 c3 ad 61 a5 ba 87 f7 0d |.nVb..."..a.....|
00000140 5c 8e 54 84 0f b9 9e 9c 36 ea 41 db e8 c3 cb e7 |\.T.....6.A....|
00000150 72 1d 94 75 e9 d8 13 48 fa eb fd 61 cb 2f d3 64 |r..u...H...a./.d|
00000160 55 d0 23 d7 c0 64 5d 1c a2 55 e7 31 be 2b f3 76 |U.#..d]..U.1.+.v|
00000170 9a e2 c1 db b4 22 ce 40 52 12 00 21 8b c4 9e cb |.....".@R..!....|
00000180 e2 26 82 fd b2 a0 b6 3b 19 1f 37 d0 25 8a 62 1a |.&.....;..7.%.b.|
00000190 b2 ab 95 12 e7 f9 4b 49 a6 45 07 b0 09 c0 7b 9b |......KI.E....{.|
000001a0 25 1e 56 de 2b 94 2e eb e3 04 47 09 c7 18 06 10 |%.V.+.....G.....|
000001b0 50 30 4c e2 40 a8 0d ae 1a 6e a6 33 e8 d3 f6 e4 |P0L.@....n.3....|
000001c0 63 e5 8d bd 0a 2f de ce 93 1c 0a a5 85 a9 6d 2c |c..../........m,|
000001d0 16 d9 38 f0 86 cf 08 b9 56 a6 4a 6c b6 dd d4 24 |..8.....V.Jl...$|
000001e0 03 c6 dc 61 3c 7f df 6c b9 6d ce 59 35 16 5d 8d |...afB|
00000320 25 7b 61 71 92 26 b8 88 de 47 12 5a b6 25 aa 52 |%{aq.&...GZ%.R|
00000330 94 77 bf 96 7f 37 f7 ef e5 31 7b 7c 7e ea f8 dc |.w...7...1{|~...|
00000340 df 6d 8b d1 c6 11 b0 30 a2 00 ae ea 4a 0a 0f 38 |.m.....0....J..8|
00000350 e6 eb f9 e9 a5 00 8e 43 65 1a fc b5 a0 2f 53 89 |.......Ce..../S.|
00000360 2a e0 51 10 75 5a 0b 39 14 11 d9 00 b8 30 92 96 |*.Q.uZ.9.....0..|

[更新] - 有时,文件名可以在文件数据之前读取

...
0060ea30 d7 34 52 94 39 a5 cc a4 9f ff d9 00 00 00 00 00 |.4R.9.........| //JPEG页脚
0060ea40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
0060f200 2f 65 74 63 2f 2e 74 70 2f 74 68 65 72 6d 61 6c |/etc/.tp/thermal| //文件路径
0060f210 2e 63 6f 6e 66 0a 30 00 00 00 00 00 00 00 00 00 |.conf.0.........|
0060f220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ||
*
00610200 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 |......JFIF......| //下一个JPEG开始
00610210 00 01 00 00 ff db 00 43 00 01 01 01 01 01 01 01 |.......C......|
00610220 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ||
*
00610250 01 01 01 01 01 01 01 01 01 ff db 00 43 01 01 01 |................C...|
00610260 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ||
*
00610290 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ff c0 |................|
006102a0 00 11 08 00 60 00 60 03 01 22 00 02 11 01 03 11 |....`.`.."......|
006102b0 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 ||
006102c0 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 |................|
006102d0 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 ||
006102e0 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 |......}......!|
006102f0 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 |1A..Qa."q.2....#|
00610300 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 |B...R..$3br....|
00610310 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a |...%&'()*456789:|
00610320 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a |CDEFGHIJSTUVWXYZ|
00610330 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a |cdefghijstuvwxyz|
...

如果您需要更多信息或更多片段,请告诉我。出于隐私原因,我不想发布整个文件,因为它也太大了,无法上传。我对您关于如何继续分析文件或解压缩文件的想法很感兴趣。

更新 2:到目前为止我尝试过的:

  • 将所有文件附加在一起,首先从第一个文件中删除 512 个字节,然后从所有文件中删除 512 个字节。两次尝试的结果:

    mount -t ext4 combine.img /mnt/ext4_image/
    有效(命令无输出,文件已挂载),但目录为空。使用支持 ext4 的应用程序在 windows 上尝试了相同的操作,显示一个名为“data”的空目录。

  • 使用 simg2img:

simg2img组合.img组合.raw

输出:

标题 magi 中的稀疏文件格式无效
无法读取稀疏文件
  • 用 tar/gunzip 解包:文件似乎不是 tar/zip 文件,尝试使用和不使用 512 字节的偏移量。
1个回答

根据Android.SE上的这篇文章,库存备份是 .tar.gz 或simg(稀疏 ext4 图像)。因此,以下应该有效:

  1. 将多个.backupN文件合并为一个
  2. 截断前 512 个字节(它可能包含一些非关键元数据)
  3. 尝试用 tar/gzip 解压。如果不起作用,请转到下一步。
  4. 运行simg2img
  5. 挂载为 ext4fs 映像或使用提取程序。
其它你可能感兴趣的问题
上一篇如何使用radare2调试挂起应用程序? 下一篇DLL 注入两次不起作用