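├── ZlibDecompress.py ├── LZMADecompress.py ├── ZlibCompress.py ├── LZMACompress.py ├── README.md ├── LICENSE └── IdentifyingCompressionAlgorithms.md
/ZlibDecompress.py:
--------------------------------------------------------------------------------
"""Decompress a zlib stream read from one file and write the result to another.

Command line: -input FILE (default file.zlib), -output FILE (default file.out),
-maxOutput BYTES (default 0 = no limit).
"""
import zlib
import sys
import argparse

print('\033[0;32m'+"Zlib file decompressor : " + '1.0' + " Updated: " + 'May 15, 2018' +'\033[0;39m')
parser = argparse.ArgumentParser(description='\033[0;31m'+'Decompress a zlib file'+'\033[0;39m')
parser.add_argument("-input", metavar='file', type=str, default="file.zlib", help='Input zlib file (default: %(default)s)')
parser.add_argument("-output", metavar='file', type=str, default="file.out", help='Output decompressed file (default: %(default)s)')
parser.add_argument("-maxOutput", metavar='bytes', type=int, default=0,
                    help='Abort if the decompressed data would exceed this many bytes, 0 = no limit (default: %(default)s)')
args = parser.parse_args()

# Both handles were previously left open; `with` closes them even when
# decompression raises.
with open(args.input, 'rb') as src:
    str_object1 = src.read()

# Firmware pulled from a device or a vendor site is untrusted input, and a small
# crafted zlib stream can inflate to many gigabytes.  Decompressing through a
# decompressobj lets -maxOutput bound the output instead of exhausting memory.
decompressor = zlib.decompressobj()
str_object2 = decompressor.decompress(str_object1, args.maxOutput)  # max_length 0 = unlimited
if decompressor.unconsumed_tail:
    # Input is left over only because the output cap was reached.
    sys.exit("Decompressed output exceeds -maxOutput (%d bytes); raise the limit to continue" % args.maxOutput)
if not decompressor.eof:  # Decompress.eof is available on Python 3.3+
    # zlib.decompress() used to raise on a truncated stream; keep failing loudly
    # rather than writing a silently short file.
    sys.exit("zlib stream ended before its end-of-stream marker: input is truncated or not a complete zlib stream")

with open(args.output, 'wb') as f:
    f.write(str_object2)
--------------------------------------------------------------------------------
/LZMADecompress.py:
--------------------------------------------------------------------------------
# Easier to run using Python 3
"""Decompress an LZMA/XZ file (container auto-detected) into another file.

Command line: -input FILE (default file.lzma), -output FILE (default file3.out),
-maxOutput BYTES (default 0 = no limit).
"""
try:
    import lzma
except ImportError:
    from backports import lzma
import sys
import argparse

print('\033[0;32m'+"LZMA file decompressor : " + '1.0' + " Updated: " + 'May 15, 2018' +'\033[0;39m')
parser = argparse.ArgumentParser(description='\033[0;31m'+'Decompress a file using LZMA'+'\033[0;39m')
parser.add_argument("-input", metavar='file', type=str, default="file.lzma", help='Input file to LZMA decompress (default: %(default)s)')
parser.add_argument("-output", metavar='file', type=str, default="file3.out", help='Output decompressed file (default: %(default)s)')
parser.add_argument("-maxOutput", metavar='bytes', type=int, default=0,
                    help='Abort if the decompressed data would exceed this many bytes, 0 = no limit (default: %(default)s)')
args = parser.parse_args()


def _decompress_bounded(data, limit):
    """Decompress every concatenated stream in *data*, mirroring lzma.decompress().

    limit: maximum number of output bytes in total, or -1 for no cap.  Exits the
    process when the cap is reached or a stream ends early, so a decompression
    bomb or a truncated image fails loudly instead of filling memory or silently
    producing a short file.  Needs LZMADecompressor.decompress(max_length=...),
    i.e. Python 3.5+.
    """
    chunks = []
    produced = 0
    while True:
        decompressor = lzma.LZMADecompressor()
        try:
            chunk = decompressor.decompress(data, max_length=-1 if limit < 0 else limit - produced)
        except lzma.LZMAError:
            if chunks:
                # Trailing bytes after a complete stream are not a stream;
                # lzma.decompress() ignores them too.
                break
            raise
        chunks.append(chunk)
        produced += len(chunk)
        if not decompressor.eof:
            sys.exit("LZMA stream did not reach its end-of-stream marker: "
                     "the -maxOutput cap was hit or the input is truncated")
        data = decompressor.unused_data
        if not data:
            break
    return b''.join(chunks)


with open(args.input, 'rb') as src:
    binary_object1 = src.read()

if sys.version_info >= (3, 5):
    binary_object2 = _decompress_bounded(binary_object1, args.maxOutput if args.maxOutput > 0 else -1)
else:
    # backports.lzma exposes the 3.3 API without max_length, so the output cap
    # cannot be enforced on that path.
    binary_object2 = lzma.decompress(binary_object1)

with open(args.output, 'wb') as f:
    f.write(binary_object2)
--------------------------------------------------------------------------------
/ZlibCompress.py:
--------------------------------------------------------------------------------
"""Compress a file with zlib and write the stream to another file.

Command line: -input FILE (default file.out), -output FILE (default file.zlib),
-compressionLevel N (default 9).
"""
import zlib
import sys
import argparse


print('\033[0;32m'+"Zlib file compressor : " + '1.0' + " Updated: " + 'May 15, 2018' +'\033[0;39m')
parser = argparse.ArgumentParser(description='\033[0;31m'+'Compress a zlib file'+'\033[0;39m')
parser.add_argument("-input", metavar='file', type=str, default="file.out", help='Input file to compress (default: %(default)s)')
parser.add_argument("-output", metavar='file', type=str, default="file.zlib", help='Output compressed zlib file (default: %(default)s)')
parser.add_argument("-compressionLevel", type=int, default=9, help='ZLib Compression level, in 0-9 or -1 (default: %(default)s)')
args = parser.parse_args()

# Both handles were previously left open; `with` closes them even on error.
with open(args.input, 'rb') as src:
    str_object1 = src.read()
# The level is passed straight through; zlib itself rejects values outside -1..9.
str_object2 = zlib.compress(str_object1, args.compressionLevel)
with open(args.output, 'wb') as f:
    f.write(str_object2)
--------------------------------------------------------------------------------
/LZMACompress.py:
--------------------------------------------------------------------------------
# Easier to run using Python 3
"""Compress a file with LZMA in one of several container/filter layouts.

Without a mode flag the data goes through lzma.compress() with
-format/-check/-preset.  A mode flag selects a fixed filter chain instead
(first match wins, in the order listed):
  -lzma1     .lzma ("alone") container around an LZMA1 filter
  -lzma2     raw LZMA2 stream, no container
  -rawlzma1  raw LZMA1 stream, no container
  -rawarm    raw stream holding only the ARM BCJ filter (see note below)
"""
try:
    import lzma
except ImportError:
    from backports import lzma
import sys
import argparse

print('\033[0;32m'+"LZMA file compressor : " + '1.0' + " Updated: " + 'May 15, 2018' +'\033[0;39m')
parser = argparse.ArgumentParser(description='\033[0;31m'+'Compress a file using LZMA'+'\033[0;39m')
parser.add_argument("-input", metavar='file', type=str, default="file.out", help='Input file to compress (default: %(default)s)')
parser.add_argument("-output", metavar='file', type=str, default="file.lzma", help='Output compressed LZMA file (default: %(default)s)')
parser.add_argument("-format", type=int, default=1, help='LZMA compression format mode: ALONE = 2, AUTO = 0, RAW = 3, XZ = 1 (default: %(default)s)')
parser.add_argument("-check", type=int, default=0, help='LZMA integrity check type NONE = 0, CRC32 = 1, CRC64 = 4, ID_MAX = 15, SHA256 = 10, UNKNOWN = 16 (default: %(default)s)')
parser.add_argument("-preset", type=int, default=None, help='LZMA compression level preset, an integer between 0 and 9. Also can be OR-ed with the constant preset EXTREME Constant 2147483648 (default: %(default)s)')
parser.add_argument("-lzma1", action='store_true', help='Use LZMA version 1 (default: XZ compression mode)')
parser.add_argument("-lzma2", action='store_true', help='Use LZMA version 2 (default: XZ compression mode)')
parser.add_argument("-rawlzma1", action='store_true', help='Use Raw LZMA version 1 (default: XZ compression mode)')
parser.add_argument("-rawarm", action='store_true', help='Use Raw LZMA ARM (default: XZ compression mode)')
args = parser.parse_args()

with open(args.input, 'rb') as src:
    binary_object1 = src.read()

# (flag, container format, filter id) in the priority order of the original
# if/elif chain.  The four branches differed only in these two constants.
# NOTE(review): liblzma expects a filter chain to end with LZMA1/LZMA2, so a
# chain holding only FILTER_ARM is likely rejected by LZMACompressor; the
# -rawarm entry is kept as the author wrote it rather than guessed at.
_MODES = (
    ('lzma1', lzma.FORMAT_ALONE, lzma.FILTER_LZMA1),
    ('lzma2', lzma.FORMAT_RAW, lzma.FILTER_LZMA2),
    ('rawlzma1', lzma.FORMAT_RAW, lzma.FILTER_LZMA1),
    ('rawarm', lzma.FORMAT_RAW, lzma.FILTER_ARM),
)

for flag, container, filter_id in _MODES:
    if not getattr(args, flag):
        continue
    filter_spec = {'id': filter_id}
    # With an explicit filter chain the compressor takes its level from the
    # filter spec, not from LZMACompressor(preset=...), which is why -preset was
    # silently ignored before.  BCJ filters such as ARM carry no preset key.
    if args.preset is not None and filter_id in (lzma.FILTER_LZMA1, lzma.FILTER_LZMA2):
        filter_spec['preset'] = args.preset
    lzma_comp = lzma.LZMACompressor(container, filters=[filter_spec])
    # flush() returns the tail of the stream; discarding it (as before) wrote a
    # truncated file.
    binary_object2 = lzma_comp.compress(binary_object1) + lzma_comp.flush()
    break
else:
    # -check was parsed but never forwarded before.  0 (CHECK_NONE) is the only
    # value valid for ALONE/RAW; for XZ, CRC64 (4) is liblzma's usual default.
    binary_object2 = lzma.compress(binary_object1, format=args.format, check=args.check, preset=args.preset)

with open(args.output, 'wb') as f:
    f.write(binary_object2)
--------------------------------------------------------------------------------
/README.md: -------------------------------------------------------------------------------- 1 | # Firmware Reverse Engineering 2 | I am by no means an expert at Firmware Reverse engineering. In fact, what I don’t know about Firmware development and reverse engineering could probably fill a library. However, things that I learn and know I try to keep here for future reference. 3 | 4 | # Firmware Analysis Steps 5 | ## Step 1 – Collect the firmware 6 | Firmware updates from a vendors website is often the easiest place to get a hold of the firmware of a device. 7 | Alternatively, you can try to pull the firmware off the device. Here is a list of some common ways to pull firmware off a device (note that capabilities on a device will vary) 8 | 1. SCP/SFTP/FTP/TFTP – If you are lucky the device will implement some kind of file transfer protocol interface which can be enabled and used to upload and download firmware and files from a device. 9 | 2. JTAG implementations typically allow you to read/write memory, and flash chips are typically "mapped" into memory at some pre-defined address (finding that address is usually a matter of Googling, experience, and trial and error); thus, you can use tools like UrJTAG and OpenOCD to read the contents of flash. 10 | 3. 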
Serial / UART - These provide you with a command line interface either to a Linux console or a limited CLI (Command Line Interface) environment. Some bootloaders (e.g., U-Boot) do allow you to read/write flash/memory, and will dump the ASCII hex to your terminal window. You then would need to parse the hexdump and convert it into actual binary values. 11 | 12 | 4. SPI – Using a tool like the BusPirate / The Shikra, you can connect to the EEPROM firmware chip and pull the image directly from the chip. 13 | 5. Snarfing - Extracting the content of a hardware chip is known as "snarf"ing. To snarf the contents of a chip, you need a ROM reader/programmer. This is a destructive method of pulling the data as often you need to desolder the chip from the board and chances are the device will no longer work after you are done with it. 14 | 15 | ## Step 2 – Identify the firmware image 16 | If you are lucky, Binwalk can provide insights into the contents of the firmware image. 17 | ``` 18 | root@kali:~# binwalk -B dd-wrt.v24-13064_VINT_mini.bin 19 | 20 | DECIMAL HEX DESCRIPTION 21 | ------------------------------------------------------------------------------------------------------------------- 22 | 0 0x0 TRX firmware header, little endian, header size: 28 bytes, image size: 2945024 bytes, CRC32: 0x4D27FDC4 flags: 0x0, version: 1 23 | 28 0x1C gzip compressed data, from Unix, NULL date: Wed Dec 31 19:00:00 1969, max compression 24 | 2472 0x9A8 LZMA compressed data, properties: 0x6E, dictionary size: 2097152 bytes, uncompressed size: 2084864 bytes 25 | 622592 0x98000 Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 2320835 bytes, 547 inodes, blocksize: 131072 bytes, created: Mon Nov 2 07:24:06 2009 26 | ``` 27 | However, if you find binwalk does not provide you with any feedback, it is time to roll up your sleeves and dig deeper. 
28 | ``` 29 | root@kali:~# binwalk firmware.bin 30 | DECIMAL HEXADECIMAL DESCRIPTION 31 | -------------------------------------------------------------------------------- 32 | ``` 33 | We can use the binwalk entropy analysis tool to check whether the binary looks to be encrypted or compressed. 34 | ``` 35 | root@kali:~/Desktop/1# binwalk -E firmware.bin 36 | 37 | DECIMAL HEXADECIMAL ENTROPY 38 | -------------------------------------------------------------------------------- 39 | 0 0x0 Rising entropy edge (0.993183) 40 | ``` 41 | The results display an entropy graph that has a line along the 1 value, which is telling us there is lots of randomness to the file and it is likely encrypted or compressed. 42 | If we are lucky the Linux file command will recognize the compression format: 43 | ``` 44 | root@kali:~/Desktop/1# file firmware.bin 45 | firmware.bin: data 46 | ``` 47 | In this case, the format is not recognized by the file command and we need to take a look at the binary contents to better understand it. 48 | ## Step 3 – Decrypt the firmware 49 | Often we find that the firmware is encrypted with a simple XOR algorithm and the XOR encryption key can usually be reverse engineered out of the boot loader. 50 | 51 | 52 | ## Step 4 – Decompress the firmware 53 | If the firmware appears to be compressed, we will need to identify the method of compression. 54 | We can do this by examining the file header: 55 | ``` 56 | root@kali:~/Desktop/1# xxd -l 64 firmware.bin 57 | 00000000: 5d00 0080 00ff ffff ffff ffff ff00 2e80 ]............... 58 | 00000010: 2c02 0065 b59b b60c 226d 652c b122 d769 ,..e...."me,.".i 59 | 00000020: 18e6 8bf4 5bac cc71 1ed1 62cd 1623 ae7c ....[..q..b..#.| 60 | 00000030: a3f3 7df1 7dd7 38e5 e1f1 7d04 3002 bdfc ..}.}.8...}.0... 61 | ``` 62 | 63 | If we compare this header to the headers listed in the Identifying Compression Algorithms document, we can see this is an LZMA stream. 
64 | If the file conforms to a standard LZMA file format, it is easy to extract the data from it: 65 | 66 | ``` 67 | root@kali:~/ # lzma -d firmware.bin 68 | root@kali:~/ # 69 | ``` 70 | Sadly, this is rarely the case. Often we will see a customized implementation of various compression algorithms. 71 | ``` 72 | root@kali:~/Desktop/1# lzma -d firmware.bin 73 | lzma: firmware.bin: File format not recognized 74 | ``` 75 | In this case we need to take a good look at the binary content of the firmware image. 76 | 77 | ## Step 5 – Reverse Engineer the firmware 78 | Getting the correct offset value for the firmware can be tricky. 79 | 80 | 81 | ## References: 82 | A collection of great reference material 83 | * https://www.pentestpartners.com/security-blog/ewon-flexy-iot-router-a-deep-dive/ 84 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 
22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /IdentifyingCompressionAlgorithms.md: -------------------------------------------------------------------------------- 1 | # Identifying Compression Algorithms 2 | 3 | The following is a collection of Compression algorithm headers. This list was compiled to make it easier to visually identify compression algorithms used in firmware. 4 | 5 | If you are having trouble identifying a particular compression algorithm, I have found 7zip to be extremely effective at identifying most of them. We do run into odd cases such as non-standard implementations which can lead to many hours of wheel spinning. 6 | 7 | 8 | ## LZMA 9 | LZMA is a commonly used compression algorithm in firmware and has a wide range of flavours. 10 | There is no real magic file number for LZMA as it is not really a file format. Rather it is a compression algorithm. 
11 | We often see the default LZMA bitflag 0x5d at the start of an LZMA file, but this can change depending on the bit options selected. 12 | 13 | The value at offset 3 indicates which of the nine compression modes (1-9) are used: 14 | 15 | 1 => 5d 00 00 **01** 00 16 | 17 | 2 => 5d 00 00 **10** 00 18 | 19 | 3 => 5d 00 00 **08** 00 20 | 21 | 4 => 5d 00 00 **10** 00 22 | 23 | 5 => 5d 00 00 **20** 00 24 | 25 | 6 => 5d 00 00 **40** 00 26 | 27 | 7 => 5d 00 00 **80** 00 28 | 29 | 8 => 5d 00 00 **00** 01 30 | 31 | 9 => 5d 00 00 **00** 02 32 | 33 | 34 | 0x5d at the beginning (it's a flag), a 32-bit field (size of the dictionary) and the lzma data. 35 | The raw lzma stream usually starts with a 0x00 (offset 0x5) 36 | Note: if you use "comptype lzma_compress" in QuickBMS to compress data, your output will start with 0x2c instead of 0x5d, I modified the dump to make everything easier for you. 37 | ``` 38 | 5d 00 00 00 08 00 44 94 a6 b1 a9 14 37 65 03 e8 ].....D.....7e.. 39 | 61 4e b5 0a 29 f7 bc f4 0a 39 10 76 ec 9c fe 41 aN..)....9.v...A 40 | 1a 6a 07 81 ce e1 e0 58 3f 2f a1 6a c9 03 2d 24 .j.....X?/.j..-$ 41 | 38 74 b0 3d 19 ab 33 0c 73 57 75 94 da 8a ac 7e 8t.=..3.sWu....~ 42 | ``` 43 | 44 | ### LZMA1 Raw vs LZMA1 Alone 45 | LZMA1 Raw format drops the bitflag at offset 0 and the other compression information flags. It appears to simply drop the 13 byte prefix entirely and jump right into the compressed data. 46 | 47 | LZMA1 Alone 48 | ``` 49 | 5d 00 00 80 00 ff ff ff ff ff ff ff ff 00 26 1b ].............&. 50 | ca 46 67 5a f2 21 e7 04 34 68 e1 8a 7a 8b dd 4d .FgZ.!..4h..z..M 51 | 87 fb c8 fa 50 c6 ff 38 b8 4c e5 4c f5 7a f4 c3 ....P..8.L.L.z.. 52 | d2 71 4b 74 db eb 04 c5 9d 35 83 3f 0a fc 78 b5 .qKt.....5.?..x. 53 | ``` 54 | 55 | LZMA1 Raw 56 | ``` 57 | 00 26 1b ca 46 67 5a f2 21 e7 04 34 68 e1 8a 7a .&..FgZ.!..4h..z 58 | 8b dd 4d 87 fb c8 fa 50 c6 ff 38 b8 4c e5 4c f5 ..M....P..8.L.L. 59 | 7a f4 c3 d2 71 4b 74 db eb 04 c5 9d 35 83 3f 0a z...qKt.....5.?. 
60 | fc 78 b5 da 20 c0 cb 87 35 42 df 8f ad ff 22 70 .x.. ...5B...."p 61 | 62 | ``` 63 | 64 | ### LZMA XZ Format 65 | xz is a lossless compression program and file format which incorporates the LZMA/LZMA2 compression algorithms. 66 | ``` 67 | fd 37 7a 58 5a 00 00 04 e6 d6 b4 46 02 00 21 01 .7zXZ......F..!. 68 | 16 00 00 00 74 2f e5 a3 e0 32 a7 0f 54 5d 00 26 ....t/...2..T].& 69 | 1b ca 46 67 5a f2 21 e7 04 34 68 e1 8a 7a 8b dd ..FgZ.!..4h..z.. 70 | 4d 87 fb c8 fa 50 c6 ff 38 b8 4c e5 4c f5 7a f4 M....P..8.L.L.z. 71 | c3 d2 71 4b 74 db eb 04 c5 9d 35 83 3f 0a fc 78 ..qKt.....5.?.. 72 | 73 | ``` 74 | 75 | 76 | ### lzma 86 head 77 | As before with a 64bit uncompressed size field before the compressed data. 78 | ``` 79 | 5d 00 00 00 08 cf 07 00 00 00 00 00 00 00 44 94 ].............D. 80 | a6 b1 a9 14 37 65 03 e8 61 4e b5 0a 29 f7 bc f4 ....7e..aN..)... 81 | 0a 39 10 76 ec 9c fe 41 1a 6a 07 81 ce e1 e0 58 .9.v...A.j.....X 82 | 3f 2f a1 6a c9 03 2d 24 38 74 b0 3d 19 ab 33 0c ?/.j..-$8t.=..3. 83 | ``` 84 | 85 | ### lzma 86 dec 86 | One byte more than lzma. 87 | ``` 88 | 5d 00 00 00 08 00 00 44 94 a6 b1 a9 14 37 65 03 ]......D.....7e. 89 | e8 61 4e b5 0a 29 f7 bc f4 0a 39 10 76 ec 9c fe .aN..)....9.v... 90 | 41 1a 6a 07 81 ce e1 e0 58 3f 2f a1 6a c9 03 2d A.j.....X?/.j..- 91 | 24 38 74 b0 3d 19 ab 33 0c 73 57 75 94 da 8a ac $8t.=..3.sWu.... 92 | ``` 93 | 94 | ### lzma 86 dec head 95 | All the fields seen before. 96 | ``` 97 | 5d 00 00 00 08 00 cf 07 00 00 00 00 00 00 00 44 ]..............D 98 | 94 a6 b1 a9 14 37 65 03 e8 61 4e b5 0a 29 f7 bc .....7e..aN..).. 99 | f4 0a 39 10 76 ec 9c fe 41 1a 6a 07 81 ce e1 e0 ..9.v...A.j..... 100 | 58 3f 2f a1 6a c9 03 2d 24 38 74 b0 3d 19 ab 33 X?/.j..-$8t.=..3 101 | ``` 102 | 103 | ### lzma efs 104 | Used by the ZIP file format. 105 | ``` 106 | 5d 00 00 00 08 00 00 05 00 00 44 94 a6 b1 a9 14 ].........D..... 
107 | 37 65 03 e8 61 4e b5 0a 29 f7 bc f4 0a 39 10 76 7e..aN..)....9.v 108 | ec 9c fe 41 1a 6a 07 81 ce e1 e0 58 3f 2f a1 6a ...A.j.....X?/.j 109 | c9 03 2d 24 38 74 b0 3d 19 ab 33 0c 73 57 75 94 ..-$8t.=..3.sWu. 110 | ``` 111 | 112 | ### lzma without prop / headerless 113 | ``` 114 | 00 44 94 a6 b1 a9 14 37 65 03 e8 61 4e b5 0a 29 .D.....7e..aN..) 115 | f7 bc f4 0a 39 10 76 ec 9c fe 41 1a 6a 07 81 ce ....9.v...A.j... 116 | e1 e0 58 3f 2f a1 6a c9 03 2d 24 38 74 b0 3d 19 ..X?/.j..-$8t.=. 117 | ab 33 0c 73 57 75 94 da 8a ac 7e 5d 55 f3 19 4d .3.sWu....~]U..M 118 | ``` 119 | 120 | ### LZMA:23 without prop / headerless 121 | ``` 122 | 00 44 94 a6 b1 a9 14 37 65 03 e8 61 4e b5 0a 29 .D.....7e..aN..) 123 | f7 bc f4 0a 39 10 76 ec 9c fe 41 1a 6a 07 81 ce ....9.v...A.j... 124 | e1 e0 58 3f 2f a1 6a c9 03 2d 24 38 74 b0 3d 19 ..X?/.j..-$8t.=. 125 | ab 33 0c 73 57 75 94 da 8a ac 7e 5d 55 f3 19 4d .3.sWu....~]U..M 126 | ``` 127 | 128 | 129 | ### LZMA2 130 | ``` 131 | 132 | 18 e0 07 ce 02 fa 5d 00 44 94 05 c4 7a 27 f6 f7 ......].D...z'.. 133 | ee 89 8e 50 90 88 b3 aa cc 1b 2e 9b 5a d1 1a 08 ...P........Z... 134 | c2 69 96 f7 ad ab 24 88 1f 78 89 db 47 9f ab 1e .i....$..x..G... 135 | d5 ee e0 c1 8b b2 c9 82 e1 c5 12 78 20 65 03 85 ...........x e.. 136 | ``` 137 | 138 | ### LZMA2 headerless 139 | ``` 140 | e0 07 ce 02 fa 5d 00 44 94 05 c4 7a 27 f6 f7 ee .....].D...z'... 141 | 89 8e 50 90 88 b3 aa cc 1b 2e 9b 5a d1 1a 08 c2 ..P........Z.... 142 | 69 96 f7 ad ab 24 88 1f 78 89 db 47 9f ab 1e d5 i....$..x..G.... 143 | ee e0 c1 8b b2 c9 82 e1 c5 12 78 20 65 03 85 04 ..........x e... 144 | ``` 145 | 146 | ## SquashFS 147 | SquashFS can be easily opened using 7zip. 
148 | ``` 149 | 00000000 73 68 73 71 7d 02 00 00 00 00 00 54 03 00 00 08 |shsq}......T....| 150 | 00000010 1c 71 b7 a0 12 71 b7 19 1f 73 00 18 03 00 00 00 |.q...q...s......| 151 | 00000020 38 72 10 00 c0 02 01 cf 54 b4 50 d4 0c 1f 10 00 |8r......T.P.....| 152 | 00000030 00 00 00 00 00 01 00 2c 00 00 00 02 00 a2 bf c2 |.......,........| 153 | 00000040 95 25 00 00 00 00 00 b6 95 25 00 00 00 00 00 be |.%.......%......| 154 | ``` 155 | 156 | ``` 157 | binwalk squashfs.bin 158 | DECIMAL HEX DESCRIPTION 159 | ------------------------------------------------------------------------------------------------------- 160 | 52 0x34 uImage header, header size: 64 bytes, header CRC: 0x1A27096C, created: Tue Nov 27 06:52:32 2012, image size: 3448768 bytes, Data Address: 0x80000000, Entry Point: 0x8023A000, data CRC: 0x584BBD98, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image" 161 | 116 0x74 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2445108 bytes 162 | 983092 0xF0034 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2463170 bytes, 637 inodes, blocksize: 65536 bytes, created: Tue Nov 27 06:51:11 2012 163 | ``` 164 | 165 | ## CPIO 166 | CPIO (Copy in/out file archives) was originally developed as a tape backup mechanism many many years ago. It still exists across almost all Linux distributions which is why it is a popular way of compressing and archiving boot loaders. 167 | 168 | The magic number for a CPIO file has traditionally been the following: 169 | 170 | 30 37 30 37 30 070707 cpio archive 171 | 172 | 0143561 byte-swapped cpio archive 173 | 174 | 175 | However, I found a different header value in the version 2.11 cpio archive program: 176 | ``` 177 | root@kali:~/Pictures# cpio --version 178 | cpio (GNU cpio) 2.11 179 | Copyright (C) 2010 Free Software Foundation, Inc. 
180 | ``` 181 | 182 | 183 | c7710108 cpio archive version 2.11 184 | 185 | 186 | ``` 187 | c7 71 01 08 65 91 a4 81 00 00 00 00 01 00 00 00 .q..e........... 188 | fc 5a 07 86 0e 00 00 00 00 00 63 70 69 6f 74 65 .Z........cpiote 189 | 73 74 2e 63 70 69 6f 00 c7 71 01 08 70 90 a4 81 st.cpio..q..p... 190 | 00 00 00 00 01 00 00 00 fc 5a 36 86 0f 00 00 00 .........Z6..... 191 | ``` 192 | 193 | 194 | ## Rar 195 | The RAR file format begins with Rar! 196 | 197 | ``` 198 | 52 61 72 21 1a 07 00 dd f2 da fd fa df 23 1d Rar!.........#. 199 | ``` 200 | These bytes break down into the following fields of the Archive Header: 201 | 202 | 0x6152 - HEAD_CRC 203 | 0x72 - HEAD_TYPE 204 | 0x1A21 - HEAD_FLAGS 205 | 0x0007 - HEAD_SIZE 206 | Older versions of the RAR file format have a magic number of: 207 | ``` 208 | 52 45 7e 5e 1a 07 00 dd f2 da fd fa df 23 1d RE~^.........#. 209 | ``` 210 | 211 | ## Tar 212 | The header of a tar file is 257 bytes and usually contains a filename; it is then padded with NUL bytes to fill a 512-byte record. There is no "magic number" in the header for file identification. 213 | 214 | 215 | |Offset | Field size | Field| 216 | | --- | --- | --- | 217 | |0 | 100 | File name| 218 | |100 | 8 | File mode| 219 | |108 | 8 | Owner's numeric user ID| 220 | |116 | 8 | Group's numeric user ID| 221 | |124 | 12 | File size in bytes (octal base)| 222 | |136 | 12 | Last modification time in numeric Unix time format (octal)| 223 | |148 | 8 | Checksum for header record| 224 | |156 | 1 | Link indicator (file type)| 225 | |157 | 100 | Name of linked file| 226 | 227 | 228 | ``` 229 | 76 65 72 69 6e 66 6f 2e 69 6e 69 00 00 00 00 00 verinfo.ini..... 230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 231 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 232 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 233 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
234 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 235 | 00 00 00 00 30 31 30 30 37 37 37 00 30 30 30 00 ....0100777.000 236 | ``` 237 | 238 | 239 | ## 7zip 240 | The 7Zip \*.7z file format starts with a 7z 241 | 242 | ``` 243 | 37 7a bc af 27 1c 00 04 f4 80 6a 5c 13 02 00 00 7z..'.....j\.... 244 | 00 00 00 00 62 00 00 00 00 00 00 00 1f aa 53 4b ....b.........SK 245 | e0 06 a7 02 0b 5d 00 2d 91 89 90 b3 b8 7e 4c d7 .....].-.....~L. 246 | 2f 3a c6 22 df 09 b3 44 99 89 bf 75 c9 d0 36 81 /:."...D...u..6. 247 | ``` 248 | 249 | 250 | ## zlib 251 | It starts with 0x78 (rarely also with 0x58). 252 | Use offzip to test if it's really zlib. 253 | ``` 254 | 78 da ed 8f 6b 48 53 61 1c c6 df 65 35 ed 32 8d x...kHSa...e5.2. 255 | 4a 49 9d 65 20 88 93 2d 13 ba a0 53 ab 85 5a b9 JI.e ..-...S..Z. 256 | 96 49 a2 76 d0 32 d7 cd a8 b9 72 a9 1d 2d fd 60 .I.v.2....r..-.` 257 | 65 84 a5 cd 4a 26 eb 2a 76 d9 64 5e 32 87 a7 bc e...J&.*v.d^2... 258 | ``` 259 | 260 | ## deflate 261 | Usually starts with 0xe*. 262 | Use "offzip -z -15" to test if it's really deflate. 263 | ``` 264 | ed 8f 6b 48 53 61 1c c6 df 65 35 ed 32 8d 4a 49 ..kHSa...e5.2.JI 265 | 9d 65 20 88 93 2d 13 ba a0 53 ab 85 5a b9 96 49 .e ..-...S..Z..I 266 | a2 76 d0 32 d7 cd a8 b9 72 a9 1d 2d fd 60 65 84 .v.2....r..-.`e. 267 | a5 cd 4a 26 eb 2a 76 d9 64 5e 32 87 a7 bc 2c 69 ..J&.*v.d^2...,i 268 | ``` 269 | 270 | ## lzo1x 271 | Parts of the original data are uncompressed. 272 | ``` 273 | 25 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 %.PNG........IHD 274 | 52 00 00 01 f4 6e 00 08 02 44 02 01 44 b4 48 dd R....n...D..D.H. 275 | 58 00 06 09 70 48 59 73 00 00 0e c4 6c 00 00 32 X...pHYs....l..2 276 | 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 78 da ed ..+......IDATx.. 277 | ``` 278 | 279 | ## lzss 280 | Parts of the original data uncompressed. 281 | ``` 282 | ff 89 50 4e 47 0d 0a 1a 0a ff 00 00 00 0d 49 48 ..PNG.........IH 283 | 44 52 6f 00 00 01 f4 fe f1 08 02 f6 f0 ef 44 b4 DRo...........D. 
284 | 48 dd f6 f0 09 70 48 bf 59 73 00 00 0e c4 17 01 H....pH.Ys...... 285 | 01 ff 95 2b 0e 1b 00 00 07 81 ff 49 44 41 54 78 ...+.......IDATx 286 | ``` 287 | 288 | ## Xmemcompress / LZX 289 | Usually it starts with 0xff. 290 | There are also some file formats created with the xbcompress tool, they start with 0x0F 0xF5 0x12 0xEE (lzx native) or 0x0F 0xF5 0x12 0xED (lzx decode). 291 | ``` 292 | ff 07 cf 03 4a 00 10 f3 7c 00 00 42 00 50 22 00 ....J...|..B.P". 293 | 00 5f 00 c1 41 0c 02 bb bd 70 b9 29 b3 1b db 8c ._..A....p.).... 294 | 38 f3 dc 0e b0 54 59 32 67 c5 9c 1b cf 8f 9c 2f 8....TY2g....../ 295 | 7b cc 73 26 2a 81 59 4f 89 2e 4a 11 da 90 31 03 {.s&*.YO..J...1. 296 | ``` 297 | 298 | ## Bzip2 299 | Fixed signature, BZh91. 300 | ``` 301 | 42 5a 68 39 31 41 59 26 53 59 c3 87 b9 ea 00 02 BZh91AY&SY...... 302 | 9e ff ff ff ff ef bf f2 5d f9 ef fe ff fd be ff ........]....... 303 | fe ff ff f8 fd 7f fb 7f bf df fb ff b5 f7 bf 9f ................ 304 | ff ff ff c0 02 9c 1a cc db 02 2a 90 d0 d0 1a 03 ..........*..... 305 | ``` 306 | 307 | ## gzip 308 | 0x1f 0x8b, note that usually it contains deflate data, rarely lzma and some rare games use also other types of compressions (quickbms automatically handles all of them). 309 | ``` 310 | 1f 8b 08 00 00 00 00 00 00 00 eb 0c f0 73 e7 e5 .............s.. 311 | 92 e2 62 60 60 e0 f5 f4 70 09 62 60 60 fc 02 c2 ..b``...p.b``... 312 | 1c 4c 40 11 97 2d 1e 77 81 14 67 81 47 64 31 03 .L@..-.w..g.Gd1. 313 | 03 df 11 10 66 9c aa cd 27 cd c0 c0 de e8 e9 e2 ....f...'....... 314 | ``` 315 | 316 | ## JCalg 317 | It starts with JC. 318 | ``` 319 | 4a 43 cf 07 00 00 84 a9 56 bb 14 6a e2 20 15 36 JC......V..j. .6 320 | 3c ea 03 45 26 1a 12 45 9a 14 1f 90 03 a4 20 42 <..E&..E...... B 321 | 09 a0 da 44 93 40 3b a0 3b 52 ac 18 b8 09 71 87 ...D.@;.;R....q. 322 | d0 dc 95 03 4a 00 81 8d 96 95 49 03 1f 24 97 6a ....J.....I..$.j 323 | ``` 324 | 325 | ## RNC 326 | "RNC" magic, version (1 and 2), uncompressed size. 
327 | ``` 328 | 52 4e 43 01 00 00 07 cf 00 00 03 06 d5 26 b5 99 RNC..........&.. 329 | 00 00 20 21 12 9a 21 06 60 45 22 32 00 a6 40 64 .. !..!.`E"2..@d 330 | 04 80 80 64 00 42 89 50 4e 47 0d 0a 1a 0a 00 00 ...d.B.PNG...... 331 | 00 0d 49 48 44 52 00 00 01 f4 5f 2d 08 02 02 01 ..IHDR...._-.... 332 | ``` 333 | 334 | ## Zpaq 335 | "zPQ" magic, currently I have never seen this compression used in games. 336 | ``` 337 | 7a 50 51 01 01 c4 00 05 09 00 00 16 01 a0 03 05 zPQ............. 338 | 08 0d 01 08 10 02 08 12 03 08 13 04 08 13 05 08 ................ 339 | 14 06 04 16 18 03 11 08 13 09 03 0d 03 0d 03 0d ................ 340 | 03 0e 07 10 00 0f 18 ff 07 08 00 10 0a ff 06 00 ................ 341 | ``` 342 | 343 | ## Snappy 344 | Uncompressed size before the data. 345 | ``` 346 | cf 0f 4c 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 ..L.PNG........I 347 | 48 44 52 00 00 01 f4 01 04 50 08 02 00 00 00 44 HDR......P.....D 348 | b4 48 dd 00 00 00 09 70 48 59 73 00 00 0e c4 01 .H.....pHYs..... 349 | 04 f0 46 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 ..F..+......IDAT 350 | ``` 351 | 352 | ## Gipfeli 353 | Small header with 32bit uncompressed size. 354 | ``` 355 | 02 cf 07 60 00 35 da 0c 80 28 06 40 13 03 75 00 ...`.5...(.@..u. 356 | 2a 01 02 38 00 d2 01 a8 04 ea 00 34 40 05 54 0d *..8.......4@.T. 357 | 6a 0b 40 73 0d 35 50 07 a0 2d a4 03 50 cc 35 48 j.@s.5P..-..P.5H 358 | 45 48 2d 00 cc ff 16 80 e6 1a b4 2d 00 07 c0 df EH-........-.... 359 | ``` 360 | 361 | ## LZG 362 | "LZG" magic and uncompressed size. 363 | ``` 364 | 4c 5a 47 00 00 07 cf 00 00 03 26 94 ed 70 6b 01 LZG.......&..pk. 365 | 12 18 23 24 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d ..#$.PNG........ 366 | 49 48 44 52 00 00 01 f4 24 62 08 02 23 0a 44 b4 IHDR....$b..#.D. 367 | 48 dd 24 c1 09 70 48 59 73 00 00 0e c4 24 62 01 H.$..pHYs....$b. 368 | ``` 369 | 370 | ## Doboz 371 | Small header with uncompressed size. 372 | ``` 373 | 08 cf 07 5a 03 00 00 90 90 89 50 4e 47 0d 0a 1a ...Z......PNG... 
374 | 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 06 01 08 .....IHDR....... 375 | 02 48 44 b4 48 dd 1c 09 70 80 00 00 80 48 59 73 .HD.H...p....HYs 376 | 00 00 0e c4 06 01 01 95 2b 0e 1b 00 00 07 81 49 ........+......I 377 | ``` 378 | 379 | ## SFL block 380 | ``` 381 | 40 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 @...PNG........I 382 | 48 44 52 09 08 00 00 01 f4 00 41 08 02 01 20 44 HDR.......A... D 383 | b4 48 dd 00 70 09 70 48 02 00 59 73 00 00 0e c4 .H..p.pH..Ys.... 384 | 00 41 01 95 2b 0e 1b 00 00 07 81 00 00 49 44 41 .A..+........IDA 385 | ``` 386 | 387 | ## SFL bits 388 | ``` 389 | 0f 89 50 4e 47 0d 0a 1a 0a 84 0c 0d 49 48 44 52 ..PNG.......IHDR 390 | 83 00 08 f4 83 00 08 f4 03 01 84 0b 44 b4 48 dd ............D.H. 391 | 84 0c 09 70 48 59 73 83 09 0e c4 83 09 0e c4 00 ...pHYs......... 392 | 0b 95 2b 0e 1b 83 15 07 81 49 44 41 54 78 da ed ..+......IDATx.. 393 | ``` 394 | 395 | ## LZF 396 | ``` 397 | 13 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 ..PNG........IHD 398 | 52 00 00 01 f4 40 03 01 08 02 20 11 03 44 b4 48 R....@.... ..D.H 399 | dd 20 06 08 09 70 48 59 73 00 00 0e c4 40 03 1f . ...pHYs....@.. 400 | 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 78 da ed ..+......IDATx.. 401 | ``` 402 | 403 | ## Brieflz 404 | ``` 405 | 89 00 00 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 ...PNG........IH 406 | 44 52 00 00 10 00 01 f4 03 08 02 00 00 00 44 b4 DR............D. 407 | 48 04 00 dd 00 00 00 09 70 48 59 73 00 00 0e c4 H.......pHYs.... 408 | 00 00 03 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 .....+......IDAT 409 | ``` 410 | 411 | ## Falcom (used in the Ys series) 412 | 32bit compressed size at the beginning. 413 | ``` 414 | 3d 03 00 00 89 50 4e 47 0d 0a 1a 0a 0a 4a 00 01 =....PNG.....J.. 415 | 0d 49 48 44 52 07 01 f4 04 24 21 08 02 12 44 b4 .IHDR....$!...D. 416 | 48 dd 07 41 89 09 70 48 59 73 07 0e c4 04 a0 00 H..A..pHYs...... 417 | 01 95 2b 0e 1b 09 07 81 49 44 41 54 78 da 00 00 ..+.....IDATx... 418 | ``` 419 | 420 | ## LZ4 421 | Usually it starts with a 0xf* byte. 
422 | ``` 423 | f0 05 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 ...PNG........IH 424 | 44 52 00 00 01 f4 04 00 f0 06 08 02 00 00 00 44 DR.............D 425 | b4 48 dd 00 00 00 09 70 48 59 73 00 00 0e c4 04 .H.....pHYs..... 426 | 00 f5 37 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 ..7..+......IDAT 427 | ``` 428 | 429 | ## Yappy 430 | ``` 431 | 1f 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 ..PNG........IHD 432 | 52 00 00 01 f4 00 00 01 f4 08 02 00 00 00 44 b4 R.............D. 433 | 48 1f dd 00 00 00 09 70 48 59 73 00 00 0e c4 00 H......pHYs..... 434 | 00 0e c4 01 95 2b 0e 1b 00 00 07 81 49 44 41 54 .....+......IDAT 435 | ``` 436 | 437 | ## NitroSDK (Nintendo) 438 | The first byte is the type of compression: 0x00, 0x10, 0x11, 0x20, 0x40. 439 | ``` 440 | 10 cf 07 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 ......PNG....... 441 | 00 0d 49 48 44 52 09 00 00 01 f4 10 03 08 02 00 ..IHDR.......... 442 | 11 08 44 b4 48 dd 00 18 09 70 48 02 59 73 00 00 ..D.H....pH.Ys.. 443 | 0e c4 10 03 01 00 95 2b 0e 1b 00 00 07 81 00 49 .......+.......I 444 | ``` 445 | 446 | ## Oodle 447 | Usually it starts with the byte 0x8c. 448 | ``` 449 | 8c 0b 43 03 61 df 01 00 12 19 83 e0 b4 78 4b e0 ..C.a........xK. 450 | ab 74 91 77 97 86 13 9d 40 07 b7 d4 0d 76 5c 7d .t.w....@....v\} 451 | 56 81 8f 7c f0 33 c0 1a 9a fc 0d ad 47 80 4b fc V..|.3......G.K. 
452 | 49 93 f9 fc 4c a6 b7 80 17 a4 bc 8c 07 f9 8d 31 I...L..........1 453 | ``` 454 | 455 | ## zstd 456 | It starts with a little-endian 32-bit magic number; when viewed in a hex editor only the first byte (the low 8 bits) differs, because it depends on the version of the algorithm: 457 | ``` 458 | 1e b5 2f fd v0.1 459 | 22 b5 2f fd v0.2 460 | 23 b5 2f fd v0.3 461 | 24 b5 2f fd v0.4 462 | 25 b5 2f fd v0.5 463 | 26 b5 2f fd v0.6 464 | 27 b5 2f fd v0.7 465 | 28 b5 2f fd v0.8, current version 466 | ``` 467 | 468 | Sources: 469 | https://www.forensicswiki.org/wiki/RAR 470 | https://en.wikipedia.org/wiki/Tar_(computing) 471 | Much of this terrific information came from the following thread on Zenhax.com: 472 | http://zenhax.com/viewtopic.php?t=27 473 | 474 | 475 | 476 | --------------------------------------------------------------------------------