我正在尝试解压缩使用Mac 10.10的HFS +实现中的一种压缩算法进行压缩的Mach-O二进制文件。基本上,该文件具有“ com.apple.decmpfs”属性,表示该文件是压缩类型8。然后,该文件的压缩内容存储在文件的资源派生文件中。上面有任何可识别的标头。有人认识到它,或者有任何想法可能是什么吗?下面是对/bin/bash压缩版本的前0x200字节和在Mac OS下查看的同一文件的前0x200字节的转储。 )似乎在压缩版本中。
压缩(CF FA ED FE的前0x200字节):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 

00000000  E0 01 CF FA ED FE 07 00 00 01 03 00 00 80 02 00  à.Ïúíþ.......€.. 
00000010  00 00 12 00 04 E8 E8 06 00 00 85 00 20 00 08 01  .....èè...…. ... 
00000020  40 04 19 46 48 EB 5F 5F 50 41 47 45 5A 45 52 4F  @..FHë__PAGEZERO 
00000030  00 38 01 F7 9E 01 00 F0 0C 08 48 8E 28 02 E5 54  .8.÷ž..ð..HŽ(.åT 
00000040  45 58 54 00 38 01 F3 10 40 9E 60 08 F8 20 10 46  EXT.8.ó.@ž`.ø .F 
00000050  07 46 05 48 0D 06 10 88 E5 74 65 78 74 00 30 01  .F.H...ˆåtext.0. 
00000060  38 50 F6 9E EC 0B C8 10 5F 1C 07 F5 50 0A 02 20  8Pöžì.È._..õP.. 
00000070  01 E4 04 00 80 00 FA F1 E8 5F 5F 73 74 75 62 73  .ä..€.úñè__stubs 
00000080  00 F8 38 50 F6 CE 4C 28 07 F1 CE 62 04 00 F1 28  .ø8PöÎL(.ñÎb..ñ( 
00000090  10 28 01 60 50 08 6E 06 F5 E7 5F 68 65 6C 70 65  .(.`P.n.õç_helpe 
000000A0  72 FA F9 9E B0 2C 9E 5E 07 08 10 38 A0 F0 04 E7  rúùž°,ž^...8 ð.ç 
000000B0  63 73 74 72 69 6E 67 FA FD 9E 0E 34 9E 61 F8 08  cstringúýž.4žaø. 
000000C0  10 38 01 F2 38 5C F3 18 50 C9 41 6F 6E 73 F6 38  .8.ò8\ó.PÉAonsö8 
000000D0  50 F6 CE 70 2C 08 F1 9E F0 21 08 10 20 FB 38 01  PöÎp,.ñžð!.. û8. 
000000E0  FB ED 5F 5F 75 6E 77 69 6E 64 5F 69 6E 66 6F 38  ûí__unwind_info8 
000000F0  50 F9 9E 60 4E 9E 94 11 08 10 38 94 F6 38 01 F2  Pùž`Nž”...8”ö8.ò 
00000100  0A 28 56 78 E4 44 41 54 41 FA F1 58 48 60 9E 00  .(VxäDATAúñXH`ž. 
00000110  E0 32 30 5E B0 08 F6 60 08 03 08 01 E4 5F 5F 67  à20^°.ö`....ä__g 
00000120  6F 3A 27 F1 38 50 FF 9E 38 01 F4 58 0A 03 10 01  o:'ñ8Pÿž8.ôX.... 
00000130  09 D0 98 01 BB 00 F4 EF 5F 5F 6E 6C 5F 73 79 6D  .И.».ôï__nl_sym 
00000140  62 6F 6C 5F 70 74 72 38 50 F7 9E 38 61 9E 10 00  bol_ptr8P÷ž8až.. 
00000150  08 10 38 50 F6 6E E2 F5 9E 6C 61 F0 06 66 48 9E  ..8Pönâõžlað.fHž 
00000160  D8 05 6E 48 F7 08 E8 98 01 E4 00 F4 39 D8 F8 38  Ø.nH÷.è˜.ä.ô9Øø8 
00000170  50 F4 9E 20 67 9E 88 26 08 10 39 D8 F0 04 E5 64  Pôž gžˆ&..9Øð.åd 
00000180  61 74 61 00 30 01 38 50 F6 9E B0 8D 9E 04 79 08  ata.0.8Pöž°.ž.y. 
00000190  10 38 50 F0 04 E6 63 6F 6D 6D 6F 6E FA FE CE C0  .8Pð.æcommonúþÎÀ 
000001A0  06 09 F1 C8 01 68 0E 00 F5 38 50 F2 6E 01 F9 9B  ..ñÈ.h..õ8Pòn.ù› 
000001B0  B6 62 73 F4 38 50 F8 9E 30 15 9E 10 21 F0 10 3C  ¶bsô8Pøž0.ž.!ð.< 
000001C0  E8 E7 4C 49 4E 4B 45 44 49 2A C4 58 48 40 9E 00  èçLINKEDI*ÄXH@ž. 
000001D0  A0 F1 90 07 10 09 96 A0 87 11 88 38 4C F2 45 48   ñ....– ‡.ˆ8LòEH 
000001E0  22 48 09 30 00 28 41 B1 50 C8 3B 50 13 09 F5 08  "H.0.(A±PÈ;P..õ. 
000001F0  01 40 10 F0 EA 08 0C 00 00 F8 1F 09 00 F8 33 1B  .@.ðê....ø...ø3.

未压缩(__PAGEZERO的前0x200字节):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 

00000000  CF FA ED FE 07 00 00 01 03 00 00 80 02 00 00 00  Ïúíþ.......€.... 
00000010  12 00 00 00 E8 06 00 00 85 00 20 00 00 00 00 00  ....è...…. ..... 
00000020  19 00 00 00 48 00 00 00 5F 5F 50 41 47 45 5A 45  ....H...__PAGEZE 
00000030  52 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00  RO.............. 
00000040  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................ 
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
00000060  00 00 00 00 00 00 00 00 19 00 00 00 28 02 00 00  ............(... 
00000070  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT.......... 
00000080  00 00 00 00 01 00 00 00 00 60 08 00 00 00 00 00  .........`...... 
00000090  00 00 00 00 00 00 00 00 00 60 08 00 00 00 00 00  .........`...... 
000000A0  07 00 00 00 05 00 00 00 06 00 00 00 00 00 00 00  ................ 
000000B0  5F 5F 74 65 78 74 00 00 00 00 00 00 00 00 00 00  __text.......... 
000000C0  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT.......... 
000000D0  EC 0B 00 00 01 00 00 00 5F 1C 07 00 00 00 00 00  ì......._....... 
000000E0  EC 0B 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ì............... 
000000F0  00 04 00 80 00 00 00 00 00 00 00 00 00 00 00 00  ...€............ 
00000100  5F 5F 73 74 75 62 73 00 00 00 00 00 00 00 00 00  __stubs......... 
00000110  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT.......... 
00000120  4C 28 07 00 01 00 00 00 62 04 00 00 00 00 00 00  L(......b....... 
00000130  4C 28 07 00 01 00 00 00 00 00 00 00 00 00 00 00  L(.............. 
00000140  08 04 00 80 00 00 00 00 06 00 00 00 00 00 00 00  ...€............ 
00000150  5F 5F 73 74 75 62 5F 68 65 6C 70 65 72 00 00 00  __stub_helper... 
00000160  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT.......... 
00000170  B0 2C 07 00 01 00 00 00 5E 07 00 00 00 00 00 00  °,......^....... 
00000180  B0 2C 07 00 02 00 00 00 00 00 00 00 00 00 00 00  °,.............. 
00000190  00 04 00 80 00 00 00 00 00 00 00 00 00 00 00 00  ...€............ 
000001A0  5F 5F 63 73 74 72 69 6E 67 00 00 00 00 00 00 00  __cstring....... 
000001B0  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT.......... 
000001C0  0E 34 07 00 01 00 00 00 61 F8 00 00 00 00 00 00  .4......aø...... 
000001D0  0E 34 07 00 00 00 00 00 00 00 00 00 00 00 00 00  .4.............. 
000001E0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
000001F0  5F 5F 63 6F 6E 73 74 00 00 00 00 00 00 00 00 00  __const......... 
00000200  5F 5F 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT..........

提前!

评论

这闻起来像旧的LZ / LZW压缩。与使用位的现代实现不同,此实现按字节压缩。这就是为什么您可以在压缩数据中标识原始文本的片段的原因。
@Jongware也是我的想法。不过,我还没有运气将其固定到特定的算法。

#1 楼

好的...似乎是LZVN压缩。根据Igor的建议,我在Mac上运行了kextstat,但是仅列出了以下内容:


com.apple.AppleFSCompression.AppleFSCompressionTypeZlib

“无数据”压缩中的字符串竟然是类型5:AppleFSCompressionTypeDataless.kext。搜索类型8相同的字符串,我发现此日志:

com_apple_AppleFSCompression_AppleFSCompressionTypeLZVN  <class com_apple_AppleFSCompression_AppleFSCompressionTypeLZVN, id 0x10000025d, !registered, !matched, active, busy 0, retain 4>
      |   {
      |     "IOProbeScore" = 0x0
      |     "CFBundleIdentifier" = "com.apple.AppleFSCompression.AppleFSCompressionTypeLZVN"
      |     "IOMatchCategory" = "com_apple_AppleFSCompression_AppleFSCompressionTypeLZVN"
      |     "IOClass" = "com_apple_AppleFSCompression_AppleFSCompressionTypeLZVN"
      |     "IOProviderClass" = "IOResources"
      |     "com.apple.AppleFSCompression.providesType10" = Yes
      |     "com.apple.AppleFSCompression.providesType9" = Yes
      |     "com.apple.AppleFSCompression.providesType8" = Yes
      |     "IOResourceMatch" = "IOBSD"
      |     "com.apple.AppleFSCompression.providesType7" = Yes
      |   }


变色龙人似乎已经解决了这些问题:trunk / CHANGES

编辑:Apple刚刚发布了一个开源实现:https://github.com/lzfse/lzfse

评论

forge.voodooprojects.org/p/chameleon/source/tree/HEAD/trunk/…目前与UFS有关。在该CHANGES文件的其他地方,我看到“-ErmaC:将decompress_lzvn函数重命名为lzvn_decode,紧跟Apple源名称。”。

– Graham Perrin
16年1月30日在7:57
不知道这是否重要,但我刚刚了解到最新的磁盘映像格式也将lzfse用于压缩映像(请参见man hdiutil)。

–托马斯·坦佩尔曼(Thomas Tempelmann)
17年9月21日在21:24

#2 楼

根据这篇文章,您可以使用afscexpand工具解压缩此类文件。如果您更喜欢硬方法,则xnu源代码可能会有所帮助。

评论

嗨,Igor,不幸的是,这篇文章没有涉及压缩算法的细节。您可以在decompfs.c源代码中看到它们支持注册多种类型的压缩算法。类型1是无压缩的,类型4使用zlib。此数据被标记为类型8,似乎缺少我所知道的任何标头。

–路加·奎纳(Luke Quinane)
15年2月13日在8:46
然后,我想您需要找到对register_decmpfs_decompressor的所有调用,并找到注册类型8的调用。我想这将是kexts之一。

–伊戈尔·斯科钦斯基♦
15年2月13日在10:43