Fingerprinting .jnilib files
Landon J Fuller
landonf at plausible.coop
Tue Aug 19 03:24:19 UTC 2014
On Aug 16, 2014, at 3:07 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> Maybe this is a bit off-topic here, but I'm not sure where else I
> could ask.
>
> Apprently, for Darwin, there are tons of JNI libraries out there which
> are probably Mach-O files in disguise, but start with the 0xCAFEBABE
> magic number. Not surprisingly, various class file parser choke on
> them. Is there are a way, based on the file header, to tell these
> .jnilib files from genuine Java class files?
Mach-O's fat_header just happens to use same magic number :-)
A very simple heuristic would be to check the nfat_arch value:
struct fat_header {
uint32_t magic;
uint32_t nfat_arch; // big endian
};
vs:
struct class_file {
uint32_t magic;
uint16_t minor_version;
uint16_t major_version;
}
The *smallest* possible class file version is 46.0 (Java 1.2), which, if interpreted as a big endian uint32_t nfat_arch, would simply be `46'.
The *earliest* possible class file version is 45.3 (Java 1.1) -- nfat_arch would be 196653.
So:
- If you see a binary with an nfat_arch value of < 46, it's a Mach-O binary, not a class file.
- If you see a binary with an nfat_arch of >= 46, you either found the most portable Mach-O executable ever produced, or it's a Java class file.
If you want a more certain answer, just parse the fat_arch and Mach-O headers; it's a pretty sure bet that, given a Java class file, you won't see the correct Mach-O header magic numbers, and that many of the fat sections will extend beyond the actual length of the file.
-landonf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.openjdk.java.net/pipermail/bsd-port-dev/attachments/20140818/4f94c01e/signature.asc>
More information about the bsd-port-dev
mailing list