Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3CE2E479.2030900@student.gc.maricopa.edu>
Date: Wed, 15 May 2002 15:43:05 -0700
From: Mark Edgar <medgar AT student DOT gc DOT maricopa DOT edu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/20020510
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Randall R Schulz <rrschulz AT cris DOT com>
CC: cygwin AT cygwin DOT com
Subject: Re: UPX & The "file" Command
References: <5 DOT 1 DOT 0 DOT 14 DOT 2 DOT 20020503220339 DOT 00b03f30 AT pop3 DOT cris DOT com>
Content-Type: multipart/mixed;
 boundary="------------020903040804080608030903"

--------------020903040804080608030903
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

> Anyway, I was wondering if someone who knows what the proper magic file 
> entries should be for detecting a UPX-compressed binary could supply 
> them (assuming there is a discernable signature for these files)?
> 
> Likewise, if the magic file entry (-ies) could be added or submitted to 
> the appropriate maintainer for inclusion in the Cygwin or the primary 
> "file" distribution, that would great.

Just by messing around with od, I was able to add a line to 
/usr/share/magic that detects UPX compressed PE-format executables.
Since this is the cygwin list, I assume you care only about PE-format 
executables.

My patch assumes (possibly incorrectly) that the UPX header always 
begins at offset 0640 (416 decimal)  in the file.  This is not so bad as 
the magic file that comes with the file package itself assumes 
incorrectly that the PE header always begins at offset 128.

The patch is attached.  The patch adds a single line to 
/usr/share/magic.  To apply it, execute EITHER

cd /; patch -p0 <magic-upx.patch
-OR-
cd /usr/share; patch -p2 <magic-upx.patch

Also note that for the change to take effect, you will also have to 
disable or rebuild the pre-compiled version of the magic file at 
/usr/share/magic.mgc.  You can disable it by renaming it.  Discovering 
how to rebuild this file is left as an exercise to the reader.

					-Mark

--------------020903040804080608030903
Content-Type: text/plain;
 name="magic-upx.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="magic-upx.patch"

--- usr/share/magic.orig	2002-05-15 15:30:05.000000000 -0700
+++ usr/share/magic	2002-05-15 15:30:34.000000000 -0700
@@ -4485,6 +4485,7 @@
 #>>>198	leshort		x	\b.%d,
 #>>>200	leshort		x	subsystem version %d
 #>>>202	leshort		x	\b.%d,
+>416	string		UPX1\0	UPX-compressed
 0	leshort		0x14c	MS Windows COFF Intel 80386 object file
 #>4	ledate		x	stamp %s
 0	leshort		0x166	MS Windows COFF MIPS R4000 object file


--------------020903040804080608030903
Content-Type: text/plain; charset=us-ascii

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
--------------020903040804080608030903--