> Anyway, I was wondering if someone who knows what the proper magic file
> entries should be for detecting a UPX-compressed binary could supply
> them (assuming there is a discernable signature for these files)?
>
> Likewise, if the magic file entry (-ies) could be added or submitted to
> the appropriate maintainer for inclusion in the Cygwin or the primary
> "file" distribution, that would be great.

Just by messing around with od, I was able to add a line to
/usr/share/magic that detects UPX compressed PE-format executables.
Since this is the cygwin list, I assume you care only about PE-format
executables.

My patch assumes (possibly incorrectly) that the UPX header always
begins at offset 0640 (416 decimal) in the file. This is not so bad as
the magic file that comes with the file package itself assumes
incorrectly that the PE header always begins at offset 128.

The patch is attached. The patch adds a single line to
/usr/share/magic. To apply it, execute EITHER

    cd /; patch -p0 <magic-upx.patch

-OR-

    cd /usr/share; patch -p2 <magic-upx.patch

Also note that for the change to take effect, you will also have to
disable or rebuild the pre-compiled version of the magic file at
/usr/share/magic.mgc. You can disable it by renaming it. Discovering
how to rebuild this file is left as an exercise to the reader.

-Mark

--- usr/share/magic.orig 2002-05-15 15:30:05.000000000 -0700 +++ usr/share/magic 2002-05-15 15:30:34.000000000 -0700 @@ -4485,6 +4485,7 @@ #>>>198 leshort x \b.%d, #>>>200 leshort x subsystem version %d #>>>202 leshort x \b.%d, +>416 string UPX1\0 UPX-compressed 0 leshort 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s 0 leshort 0x166 MS Windows COFF MIPS R4000 object file
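
Review bot: the added `>416 string UPX1\0` test uses an absolute file offset, and 416 equals 128 + 248 + 40, which is the name field of the second section header only when the PE header sits at offset 128 with a 224-byte optional header, so the new line carries the same offset-128 assumption the message points out in the stock entry. Suggest deriving the offset indirectly from the PE header pointer stored at 0x3c instead of hard-coding it, and adding a comment line above the entry that says what the string is and how the offset was obtained. It is also worth confirming which level-0 entry this continuation attaches to, since the visible context before it consists only of commented-out continuation lines.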
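
The offset assumption discussed in the message, as an added example that is not part of the original post or of the file package: it compares the patch's fixed-offset test with a check that follows the PE header pointer at 0x3c to the section table, which goes beyond what the patch does. The function names and the `build_pe` sample builder are hypothetical, and the sample files are constructed header skeletons, not real binaries.

```python
import struct

def build_pe(e_lfanew, names):
    """Constructed sample: a bare PE32 header skeleton with the given section names."""
    buf = bytearray(e_lfanew)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", e_lfanew)      # pointer to the PE header
    # COFF header: machine 0x14c, section count, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x10F)
    buf += b"PE\0\0" + coff + bytes(224)
    for name in names:
        buf += name.ljust(8, b"\0") + bytes(32)       # 40-byte section header
    return bytes(buf)

def section_names(data):
    """Follow the pointer at 0x3c to the section table and return the names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size
    names = []
    for i in range(nsect):
        start = table + 40 * i
        if start + 8 > len(data):                     # truncated file
            break
        names.append(data[start:start + 8].rstrip(b"\0"))
    return names

def is_upx_by_sections(data):
    """Header-relative check: any section named UPX*."""
    return any(n.startswith(b"UPX") for n in section_names(data))

def is_upx_fixed_416(data):
    """The test from the patch: the string UPX1\\0 at absolute offset 416."""
    return data[416:421] == b"UPX1\0"
```

With the PE header at 128 both checks agree; moving it to 256 makes the fixed-offset test miss the same section names.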