File Signature

Also known as Magic Bytes/Header

Most file formats can be recognized by a magic value (a fixed byte sequence) at the start of the file, or in some cases at its end.

  • Manipulating the header can cause a file to be detected as the wrong type and possibly processed incorrectly.

  • Some operating systems determine the file type from the magic header rather than from the file extension.

  • Also known as File Signatures.

Some magic values:

  • Office Documents (OLE2 compound file): D0 CF 11 E0

  • ELF: 7F 45 4C 46 (7F followed by ASCII "ELF")

  • JPG: FF D8

  • PNG: 89 50 4E 47 0D 0A 1A 0A (89 followed by ASCII "PNG", then 0D 0A 1A 0A)

  • Java class: CA FE BA BE

Sometimes magic headers are shared by more than one format:

  • PK.. (50 4B 03 04) is the magic for ZIP files.

pptx files are actually ZIP archives, so they carry the ZIP signature rather than one of their own.
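The following added example (not code from the original page) turns the signature list above into a small checker: it identifies a file from its leading bytes and reports when the extension disagrees with the signature, which is the symptom of a manipulated or mislabeled header. The ZIP entry covers pptx, since a pptx is a ZIP archive. The table, the extension sets and the sample inputs are constructed for the example and are deliberately not an exhaustive signature database.

```python
"""Identify files from their magic bytes and flag extension/signature mismatches.

Added example. The signature table is built from the values listed on the page;
the extension sets are assumptions about which extensions legitimately carry each
signature, and the sample files are constructed in-memory inputs.
"""
import os

# (magic bytes, description, extensions that are expected to carry this signature)
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0", "OLE2 compound document (legacy Office)", {".doc", ".xls", ".ppt"}),
    (b"\x7FELF", "ELF executable", {"", ".so", ".elf"}),  # Linux binaries often have no extension
    (b"\xFF\xD8", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"\xCA\xFE\xBA\xBE", "Java class file", {".class"}),
    # pptx reuses the ZIP signature: the document is a ZIP container.
    (b"PK\x03\x04", "ZIP archive (also used by pptx)", {".zip", ".pptx", ".jar"}),
]


def identify(data: bytes):
    """Return (description, expected_extensions) for the longest matching signature, or None.

    The longest match wins so that a short signature (e.g. FF D8) never shadows
    a longer, more specific one that starts with the same bytes.
    """
    best = None
    for magic, desc, exts in SIGNATURES:
        if data.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, desc, exts)
    return None if best is None else (best[1], best[2])


def check_file(name: str, data: bytes) -> dict:
    """Compare the signature-derived type with the file's extension.

    Returns {"detected": str|None, "extension": str, "status": "match"|"mismatch"|"unknown"}.
    A "mismatch" means the bytes say one thing and the name says another and the
    file deserves a closer look before any type-specific processing.
    """
    ext = os.path.splitext(name)[1].lower()
    hit = identify(data)
    if hit is None:
        return {"detected": None, "extension": ext, "status": "unknown"}
    desc, exts = hit
    return {"detected": desc, "extension": ext, "status": "match" if ext in exts else "mismatch"}


# Constructed sample files (only the first bytes matter for the signature check).
SAMPLES = {
    "slides.pptx": b"PK\x03\x04\x14\x00" + b"\x00" * 26,          # a pptx is really a ZIP
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "notes.txt": b"\x7FELF\x02\x01\x01" + b"\x00" * 9,             # ELF binary named like text
    "report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    "readme.md": b"# hello\n",                                      # no known signature
}


def scan_samples() -> dict:
    """Run the check over every constructed sample and return name -> result."""
    return {name: check_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:12} {result['status']:9} {result['detected']}")
```

Note that a matching signature only tells you what the file claims to be; the mismatch case (an ELF body under a `.txt` name in the samples) is the one worth alerting on, and an unknown signature is not evidence that a file is harmless.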

Magic headers can be repaired or replaced when the format of the content is known.

  • PyInstaller converts a Python application into an executable.

    • It packs the application's pyc files into a container. At runtime the container is extracted and the compiled Python code is executed.

    • The pyc files inside the container are stored without their header. If a correct header is added back, the extracted file runs as a standard pyc file.

  • Direct visualization may help when the type is not obvious.

    • Direct byte visualization, mapping bytes to an image, entropy analysis, tuples.
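Two added examples follow, neither taken from the page or from PyInstaller's own code. The first shows the header step described above: given a header-less marshalled code object (the page says this is how the packed pyc bodies are stored), it prepends a standard CPython 3.7+ pyc header (magic number, flags, timestamp, source size; PEP 552 layout) so the result can be inspected with ordinary tooling. It assumes the body is a plain `marshal` dump of a code object produced by the same interpreter version, and constructs such a body itself; the exact on-disk layout PyInstaller uses is not taken from the page and is not modelled here.

```python
"""Rebuild a pyc header in front of a header-less marshalled code object.

Added example. Assumes the CPython 3.7+ pyc header layout (PEP 552):
4-byte magic, 4-byte flags, 4-byte source mtime, 4-byte source size,
followed by the marshalled code object. The sample body is constructed here.
"""
import importlib.util
import marshal
import struct

PYC_HEADER_LEN = 16


def build_pyc_header(source_mtime: int = 0, source_size: int = 0) -> bytes:
    """Header for the running interpreter's version; flags=0 selects timestamp-based invalidation."""
    return importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, source_mtime & 0xFFFFFFFF, source_size & 0xFFFFFFFF
    )


def add_pyc_header(body: bytes) -> bytes:
    """Prepend a standard header to a header-less body so it is a normal pyc file."""
    return build_pyc_header() + body


def inspect_pyc(data: bytes) -> dict:
    """Validate the header and summarise the code object without executing it.

    Raises ValueError if the magic number does not match this interpreter, which
    is the usual reason a repaired pyc will not load.
    """
    if len(data) < PYC_HEADER_LEN:
        raise ValueError("too short to hold a pyc header")
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"magic mismatch: {data[:4].hex()} vs {importlib.util.MAGIC_NUMBER.hex()}")
    flags, mtime, size = struct.unpack("<III", data[4:PYC_HEADER_LEN])
    code = marshal.loads(data[PYC_HEADER_LEN:])
    return {
        "flags": flags,
        "source_mtime": mtime,
        "source_size": size,
        "filename": code.co_filename,
        "names": list(code.co_names),  # globals/attributes referenced, useful for triage
    }


# Constructed sample: compile a tiny script and keep only the marshalled code
# object, i.e. what a header-less pyc body looks like.
SAMPLE_SRC = "greeting = 'hello'\nprint(greeting)\n"
HEADERLESS_BODY = marshal.dumps(compile(SAMPLE_SRC, "sample.py", "exec"))


def repair_and_inspect(body: bytes = HEADERLESS_BODY) -> dict:
    """Add the header, then parse the result back to confirm it is a valid pyc."""
    return inspect_pyc(add_pyc_header(body))


if __name__ == "__main__":
    info = repair_and_inspect()
    print(f"repaired pyc references names: {info['names']}")
```

The magic number is version-specific, so the header must be built by (or for) the same CPython version that produced the body; `inspect_pyc` reports that mismatch rather than attempting to load the code.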
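The second added example (again not from the page) covers the entropy-analysis item: it computes Shannon entropy in bits per byte over sliding windows and renders a simple text bar per window, which is a minimal form of the direct visualization the page mentions. Uniform or repetitive regions score near 0, while compressed or encrypted regions score near 8, so the profile helps locate packed payloads or appended data even when the header gives no hint. The sample buffer is constructed from a repetitive region, a text region and a seeded pseudo-random region.

```python
"""Sliding-window Shannon entropy as a first-pass visualization of unknown bytes.

Added example. All inputs are constructed; the window size and the bar width
are arbitrary presentation choices.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256) -> list:
    """Return [(offset, entropy)] for consecutive non-overlapping windows."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def render_profile(profile: list, width: int = 32) -> str:
    """One text line per window: offset, entropy value and a proportional bar."""
    lines = []
    for off, h in profile:
        bar = "#" * round(h / 8.0 * width)
        lines.append(f"{off:08x} {h:4.2f} |{bar:<{width}}|")
    return "\n".join(lines)


def high_entropy_regions(profile: list, threshold: float = 7.0) -> list:
    """Offsets of windows whose entropy is at or above the threshold (likely packed/encrypted)."""
    return [off for off, h in profile if h >= threshold]


# Constructed sample buffer: 512 bytes of padding, 512 bytes of text-like data,
# then 1024 bytes from a seeded PRNG standing in for a compressed/encrypted blob.
_rng = random.Random(1)
SAMPLE = (
    b"\x00" * 512
    + (b"The quick brown fox jumps over the lazy dog. " * 12)[:512]
    + bytes(_rng.getrandbits(8) for _ in range(1024))
)


if __name__ == "__main__":
    profile = entropy_profile(SAMPLE)
    print(render_profile(profile))
    print("high-entropy windows at:", [hex(o) for o in high_entropy_regions(profile)])
```

The threshold of 7.0 bits is a rule of thumb, not a classifier: compressed images, TLS records and encrypted payloads all score similarly high, so the profile tells you where to look, and the header or structure check tells you what you found.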
