How does the unique "special marker" in the file header tell eCryptfs that a file is an eCryptfs file?

Time: 2022-10-19 02:04:35

I am writing a program (using Free Pascal, not C) that parses the header of eCryptfs files.

One of the values in the header starts at byte 7 and ends at 15 (an 8 byte value). It is of use to me because it's a value that uniquely identifies the files as eCryptfs files. So I am trying to code my app to recognise it when it finds such values in files.

However, the marker itself is generated by XOR'ing a randomly generated 4 byte value (X) with another 4 byte static hex value of 0x3c81b7f5 (Y). The generated value is 4 bytes, Z. X + Z together form the 8 byte special marker. Y itself is not stored in the file's header. So, seeing as the value 0x3c81b7f5 (Y) is never stored in the header, I can't code my application to look for it and seeing as the other 4 bytes are the XOR'd result of one static value with another random one, I can't work out how it's recognised.

Having asked how the eCryptfs program recognises this value as "an eCryptfs file" at the eCryptfs Launchpad site (https://answers.launchpad.net/ecryptfs/+question/152821), one of the community referred me to the relevant C source code which I have linked to below. However, I don't understand C well enough to work out how it is recognising the special markers. Can anyone help me so I can code the same kind of recognition process into my own app? I don't want source code but I just want someone to explain how the C code is working out "Ah yes, that's an eCryptfs file right there!" so I know what I need to code my app to do.

http://fxr.watson.org/fxr/source/fs/ecryptfs/crypto.c?v=linux-2.6;im=excerpts#L1029

2 answers

#1


4  

What you're really interested in is this part here:

m_1 = get_unaligned_be32(data);
m_2 = get_unaligned_be32(data + 4);
if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
    return 1;

The get_unaligned_be32 function just converts four bytes from data to an unsigned four byte integer with possible byte order adjustments. The data + 4 in the second call to get_unaligned_be32 moves the address passed to get_unaligned_be32 up by four bytes:

[0][1][2][3][4][5][6][7]
^           ^
data        data + 4
m_1         m_2          /* After adjusting byte order */

So, the first two lines just pull two unsigned integers out of the first eight bytes of data (possibly with byte order fixes).

Then we have this expression:

(m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2

The ^ is just the XOR operator and MAGIC_ECRYPTFS_MARKER is 0x3c81b7f5 so this test is just XORing m_1 and 0x3c81b7f5 and seeing if it is equal to m_2; if this comparison is true then you have the right type of file.

#2


1  

If by "X + Z together form the 8 byte special marker" you mean that they're concatenated, then you have the following:

Y = 0x3c81b7f5
X = some random value

Z = X ^ Y  (also a random value, due to X being random)

Now, you have X and Z from the file header. If you xor them together, the following relation holds:

X ^ Z = X ^ (X ^ Y) = Y

So you should end up with the value 0x3c81b7f5.
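
The check both answers describe, as an added example that is not part of the original posts or the eCryptfs source: it reads X and Z as big-endian 32-bit values and tests whether X ^ Y == Z, rejecting input too short to contain the marker. The names `read_be32`, `make_marker` and `has_ecryptfs_marker` are hypothetical, and `MARKER_OFFSET` of 8 (marker placed after an 8-byte file-size field) is an assumption to adjust for your own parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAGIC_ECRYPTFS_MARKER 0x3c81b7f5u /* Y: never stored in the file */
#define MARKER_OFFSET 8 /* assumption: marker follows an 8-byte size field */
#define MARKER_LEN 8    /* X (4 bytes) followed by Z (4 bytes) */

/* Portable stand-in for the kernel's get_unaligned_be32(). */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void write_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24);
    p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);
    p[3] = (unsigned char)v;
}

/* Build the 8-byte marker X || (X ^ Y) for a given random X. */
static void make_marker(unsigned char *out, uint32_t x)
{
    write_be32(out, x);
    write_be32(out + 4, x ^ MAGIC_ECRYPTFS_MARKER);
}

/* Returns 1 if hdr (len bytes read from the start of a file) carries a
 * valid marker, 0 otherwise. Short buffers are rejected, never over-read. */
static int has_ecryptfs_marker(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < MARKER_OFFSET + MARKER_LEN)
        return 0;
    uint32_t m_1 = read_be32(hdr + MARKER_OFFSET);     /* X */
    uint32_t m_2 = read_be32(hdr + MARKER_OFFSET + 4); /* Z */
    return (m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2;
}

int main(void)
{
    unsigned char hdr[16] = {0}; /* constructed sample header */
    make_marker(hdr + MARKER_OFFSET, 0xdeadbeefu);
    printf("valid:     %d\n", has_ecryptfs_marker(hdr, sizeof hdr));
    hdr[12] ^= 0x01; /* flip one bit of Z */
    printf("corrupted: %d\n", has_ecryptfs_marker(hdr, sizeof hdr));
    return 0;
}
```

Because X is random, about one in 2^32 arbitrary 8-byte strings also passes this test, so a file-identification tool should treat a match as a strong hint and validate the remaining header fields before concluding the file is eCryptfs.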
