Fingerprinting .jnilib files

Landon J Fuller landonf at plausible.coop
Tue Aug 19 03:24:19 UTC 2014


On Aug 16, 2014, at 3:07 PM, Florian Weimer <fw at deneb.enyo.de> wrote:

> Maybe this is a bit off-topic here, but I'm not sure where else I
> could ask.
> 
> Apprently, for Darwin, there are tons of JNI libraries out there which
> are probably Mach-O files in disguise, but start with the 0xCAFEBABE
> magic number.  Not surprisingly, various class file parser choke on
> them.  Is there are a way, based on the file header, to tell these
> .jnilib files from genuine Java class files?

Mach-O's fat_header just happens to use same magic number :-)

A very simple heuristic would be to check the nfat_arch value:

	struct fat_header {
	        uint32_t        magic;
	        uint32_t        nfat_arch; // big endian
	};

vs:

	struct class_file {
		uint32_t magic;
		uint16_t minor_version;
		uint16_t major_version;
	}

The *smallest* possible class file version is 46.0 (Java 1.2), which, if interpreted as a big endian uint32_t nfat_arch, would simply be `46'.
The *earliest* possible class file version is 45.3 (Java 1.1) -- nfat_arch would be 196653.

So:
	- If you see a binary with an nfat_arch value of < 46, it's a Mach-O binary, not a class file.
	- If you see a binary with an nfat_arch of >= 46, you either found the most portable Mach-O executable ever produced, or it's a Java class file.

If you want a more certain answer, just parse the fat_arch and Mach-O headers; it's a pretty sure bet that, given a Java class file, you won't see the correct Mach-O header magic numbers, and that many of the fat sections will extend beyond the actual length of the file.

-landonf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.openjdk.java.net/pipermail/bsd-port-dev/attachments/20140818/4f94c01e/signature.asc>


More information about the bsd-port-dev mailing list