startuphoogl.blogg.se

Opcode 0xed in binary





Two additional methods that haven't been mentioned yet.

Binwalk's disassembly scan (note: must have capstone installed)

Disassembly Scan Options:
    -Y, --disasm        Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>   Minimum number of consecutive instructions to be considered valid (default: 500)

When you have a hammer, all the problems look like nails. I've studied something called Normalized Compression Distance - NCD - some time ago, and I'd give it a try if I had a problem similar to yours. I would take 20 programs for each architecture you want to know, with variable sizes, and save them. When confronted with a program that I wanted to know which architecture it is, I'd compute its NCD against all my examples. I'd pick the best (smaller) NCD and would then verify whether it was a real match (let's say, trying to run it on the discovered architecture).

I've always done it by hand, when it comes to NCD. You have 20 files for SPARC and you call them A01, A02, A03, and so on. Your x86 files: B01, B02, etc.

Choose your preferred compression tool (I used Gzip, but see remarks at the end of this answer).

Z( something ) -> means that you compress the something with Gzip and get the file size after compression. For example, 8763 bytes, so Z(something) = 8763.

XX + A01 -> means that you concatenate things. You append the A01 file to the end of the XX file. In Linux, you could do a 'cat XX A01 > XXA01'.

Min() and max() -> you calculate the compressed size of XX and A01, and use the minimum and maximum that you get.

So you'll have an NCD value: it'll lie between 0 and 1, and use as many decimal places as you can, because sometimes the difference is in the 7th or 8th digit. You'll do that for every file, so you'll have 20 NCD results for SPARC, 20 for x86. Let's say that the B07 file gave you the smaller NCD.

Your unknown and your test files must have a similar size. When you compare a file with bigger or smaller ones, NCD won't do its magic. So, if you'll be testing files of 5 to 10k, I'd get test files of 2.5k, 5k, 7.5k, 10k, 12.5k.

In my Master's degree I got better results always using the smaller NCD value. The second best method was to do some voting: get the 5 smaller NCD results, and see which architecture got more votes. Ex.: smaller NCD were A03, A05, B02, B06, B07 -> B got 3 votes, so I'd say it's an x86.

Compressors based on the Zip construction have a limitation of 32kB: the way they compress things, they just consider 32kB at a time. If your XX + A01 is bigger than this, Gzip, Zip, etc., won't give you good results. So, for files that are bigger than 15 or 16kB, I'd choose another compressor: PPMD, Bzip.
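The NCD procedure described above, as an added example that is not part of the original answer: it uses the standard NCD formula, ranks reference files by smallest NCD, applies the 5-vote rule, and compares zlib with bz2 on data larger than the 32 kB window. The function names and the synthetic "binaries" are assumptions constructed for this example; with real files you would load A01.., B01.. from disk into the same dictionary.

```python
import bz2
import random
import zlib
from collections import Counter

def Z(data, compress):
    """Compressed size in bytes, the Z(...) of the answer."""
    return len(compress(data))

def ncd(x, y, compress=bz2.compress):
    """Standard NCD: (Z(x+y) - min(Z(x), Z(y))) / max(Z(x), Z(y))."""
    zx, zy = Z(x, compress), Z(y, compress)
    return (Z(x + y, compress) - min(zx, zy)) / max(zx, zy)

def classify(unknown, refs, votes=5, compress=bz2.compress):
    """Return (label of smallest NCD, majority label of the `votes` smallest, ranking)."""
    ranked = sorted((ncd(unknown, data, compress), name) for name, data in refs.items())
    tally = Counter(name[0] for _, name in ranked[:votes])
    return ranked[0][1][0], tally.most_common(1)[0][0], ranked

# --- constructed stand-ins for real binaries (assumption, not real machine code) ---
def fake_binary(idioms, rng, count=300):
    """Concatenate randomly chosen 'idioms' to imitate recurring instruction sequences."""
    return b"".join(rng.choice(idioms) for _ in range(count))

def build_demo(seed=1):
    rng = random.Random(seed)
    idioms = {arch: [bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 24)))
                     for _ in range(40)] for arch in "AB"}
    refs = {f"{arch}{i:02d}": fake_binary(idioms[arch], rng)
            for arch in "AB" for i in range(1, 7)}
    unknown = fake_binary(idioms["A"], rng)   # "XX", drawn from architecture A
    return unknown, refs

def window_effect(size=40_000, seed=2):
    """NCD(x, x) for data larger than the 32 kB DEFLATE window, zlib vs bz2."""
    rng = random.Random(seed)
    x = bytes(rng.getrandbits(8) for _ in range(size))
    return ncd(x, x, zlib.compress), ncd(x, x, bz2.compress)

if __name__ == "__main__":
    unknown, refs = build_demo()
    best, vote, ranked = classify(unknown, refs)
    for value, name in ranked[:5]:
        print(f"{name}  NCD={value:.8f}")
    print("smallest:", best, "vote:", vote)
    print("NCD(x,x) zlib=%.3f bz2=%.3f" % window_effect())
```
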





