def createFields(self):
yield String(self,
"signature",
3,
"SWF format signature",
charset="ASCII")
yield UInt8(self, "version")
yield filesizeHandler(UInt32(self, "filesize"))
if self["signature"].value != "CWS":
yield RECT(self, "rect")
yield FixedFloat16(self, "frame_rate")
yield UInt16(self, "frame_count")
while not self.eof:
yield Tag(self, "tag[]")
else:
size = (self.size - self.current_size) // 8
if has_deflate:
data = Deflate(Bytes(self, "compressed_data", size), False)
def createInputStream(cis, source=None, **args):
stream = cis(source=source)
header = StringInputStream("FWS" +
self.stream.readBytes(3 * 8, 5))
args.setdefault("tags", []).append(("class", SwfFile))
return ConcatStream((header, stream),
source=stream.source,
**args)
data.setSubIStream(createInputStream)
yield data
else:
yield Bytes(self, "compressed_data", size)
def createFields(self):
yield Bytes(self, "jmp", 3, "Jump instruction (to skip over header on boot)")
yield Bytes(self, "oem_name", 8, "OEM Name (padded with spaces)")
yield UInt16(self, "sector_size", "Bytes per sector")
yield UInt8 (self, "cluster_size", "Sectors per cluster")
yield UInt16(self, "reserved_sectors", "Reserved sector count (including boot sector)")
yield UInt8 (self, "fat_nb", "Number of file allocation tables")
yield UInt16(self, "max_root", "Maximum number of root directory entries")
yield UInt16(self, "sectors1", "Total sectors (if zero, use 'sectors2')")
yield UInt8 (self, "media_desc", "Media descriptor")
yield UInt16(self, "fat_size", "Sectors per FAT")
yield UInt16(self, "track_size", "Sectors per track")
yield UInt16(self, "head_nb", "Number of heads")
yield UInt32(self, "hidden", "Hidden sectors")
yield UInt32(self, "sectors2", "Total sectors (if greater than 65535)")
if self.parent.version == 32:
yield UInt32(self, "fat32_size", "Sectors per FAT")
yield UInt16(self, "fat_flags", "FAT Flags")
yield UInt16(self, "version", "Version")
yield UInt32(self, "root_start", "Cluster number of root directory start")
yield UInt16(self, "inf_sector", "Sector number of FS Information Sector")
yield UInt16(self, "boot_copy", "Sector number of a copy of this boot sector")
yield NullBytes(self, "reserved[]", 12, "Reserved")
yield UInt8(self, "phys_drv", "Physical drive number")
yield NullBytes(self, "reserved[]", 1, 'Reserved ("current head")')
yield UInt8(self, "sign", "Signature")
yield textHandler(UInt32(self, "serial", "ID (serial number)"), hexadecimal)
yield String(self, "label", 11, "Volume Label", strip=' ', charset="ASCII")
yield String(self, "fs_type", 8, "FAT file system type", strip=' ', charset="ASCII")
yield Bytes(self, "code", 510-self.current_size/8, "Operating system boot code")
yield Bytes(self, "trail_sig", 2, "Signature (0x55 0xAA)")
def createFields(self):
yield Bytes(self, "jump", 3, "Intel x86 jump instruction")
yield String(self, "name", 8)
yield BiosParameterBlock(self, "bios", "BIOS parameters")
yield textHandler(UInt8(self, "physical_drive", "(0x80)"), hexadecimal)
yield NullBytes(self, "current_head", 1)
yield textHandler(
UInt8(self, "ext_boot_sig", "Extended boot signature (0x80)"),
hexadecimal)
yield NullBytes(self, "unused", 1)
yield UInt64(self, "nb_sectors")
yield UInt64(self, "mft_cluster", "Cluster location of MFT data")
yield UInt64(self, "mftmirr_cluster",
"Cluster location of copy of MFT")
yield UInt8(self, "cluster_per_mft", "MFT record size in clusters")
yield NullBytes(self, "reserved[]", 3)
yield UInt8(self, "cluster_per_index", "Index block size in clusters")
yield NullBytes(self, "reserved[]", 3)
yield textHandler(UInt64(self, "serial_number"), hexadecimal)
yield textHandler(UInt32(self, "checksum", "Boot sector checksum"),
hexadecimal)
yield Bytes(self, "boot_code", 426)
yield Bytes(self, "mbr_magic", 2,
r"Master boot record magic number (\x55\xAA)")
def createFields(self):
yield FIB(self, "FIB", "File Information Block")
padding = (self['FIB/fcMin'].value - self.current_size // 8)
if padding:
yield NullBytes(self, "padding[]", padding)
if self['FIB/ccpText'].value:
yield Bytes(self, "text", self['FIB/ccpText'].value)
if self['FIB/ccpFtn'].value:
yield Bytes(self, "text_footnote", self['FIB/ccpFtn'].value)
if self['FIB/ccpHdr'].value:
yield Bytes(self, "text_header", self['FIB/ccpHdr'].value)
if self['FIB/ccpMcr'].value:
yield Bytes(self, "text_macro", self['FIB/ccpMcr'].value)
if self['FIB/ccpAtn'].value:
yield Bytes(self, "text_annotation", self['FIB/ccpAtn'].value)
padding = (self['FIB/fcMax'].value - self.current_size // 8)
if padding:
yield RawBytes(self, "padding[]", padding)
sepx_size = (self['FIB/pnChpFirst'].value * 512 -
self.current_size // 8)
if sepx_size:
yield SEPXGroup(self, "sepx", sepx_size)
def createFields(self):
yield Bytes(self, "filetype", 4, "File type (INDX)")
yield Bytes(self, "fileversion", 4, "File version (0?00)")
yield UInt32(self, "offset[0]")
yield UInt32(self, "offset[1]")
self.seekByte(self['offset[0]'].value)
yield AVCHDINDX_0(self, "chunk[]")
self.seekByte(self['offset[1]'].value)
yield AVCHDChunkWithHeader(self, "chunk[]")
def createFields(self):
yield textHandler(UInt64(self, "id"), hexadecimal)
if self["id"].value == 0xe7ffdeffe7ffdeff: # indicates that secure area is decrypted
yield Bytes(self, "fixed[]", 6) # always \xff\xde\xff\xe7\xff\xde
yield Crc16(self, "header_crc16", self.stream.readBytes(self.absolute_address+(16*8), 2048-16))
yield RawBytes(self, "unknown[]", 2048-16-2)
yield Bytes(self, "fixed[]", 2) # always \0\0
else:
yield RawBytes(self, "encrypted[]", 2048-8)
def createFields(self):
yield Bytes(self, "filetype", 4, "File type (MOBJ)")
yield Bytes(self, "fileversion", 4, "File version (0?00)")
yield RawBytes(self, "unknown[]", 32)
yield UInt32(self, "size")
yield UInt32(self, "unknown[]")
yield UInt16(self, "count")
yield textHandler(UInt32(self, "unknown_id"), hexadecimal)
for i in xrange(1, self['count'].value):
yield AVCHDMOBJ_Chunk(self, "movie_object[]")
def createFields(self):
yield UInt16(self, "size")
self._size = (self['size'].value+2)*8
yield Bytes(self, "clip_id", 5)
yield Bytes(self, "clip_type", 4)
yield RawBytes(self, "unknown[]", 3)
yield UInt32(self, "clip_start_time[]", "clip start time (units unknown)")
yield UInt32(self, "clip_end_time[]", "clip end time (units unknown)")
yield RawBytes(self, "unknown[]", 10)
yield AVCHDMPLS_PlayItem(self, "playitem")
def createFields(self):
datas = {}
for entry in self._ifd:
if type(entry) != IFDEntry:
continue
for c in entry:
if c.name != "offset":
continue
self.seekByte(c.value, False)
desc = "data of ifd entry " + entry.name,
entryType = BasicIFDEntry.ENTRY_FORMAT[entry["type"].value]
count = entry["count"].value
if entryType == String:
yield String(self, entry.name, count, desc, "\0",
"ISO-8859-1")
else:
d = Data(self, entry.name, desc, entryType, count)
datas[d.name] = d
yield d
break
# image data
if "strip_ofs" in datas and "strip_byte" in datas:
for i in xrange(datas["strip_byte"]._count):
self.seekByte(
datas["strip_ofs"]["value[" + str(i) + "]"].value, False)
yield Bytes(self, "strip[]",
datas["strip_byte"]["value[" + str(i) + "]"].value)
def createFields(self):
yield Bytes(self, "magic", 8, "File magic (BOMStore)")
yield UInt32(self, "version") # ?
yield UInt32(self, "num_objects")
yield UInt32(self, "trailer_offset")
yield UInt32(self, "trailer_size")
yield UInt32(self, "header_offset")
yield UInt32(self, "header_size")
yield RawBytes(self, "object[]", 512-32, "Null object (size 0, offset 0)") # null object
self.seekByte(self['trailer_offset'].value)
yield BomTrailer(self, "trailer")
self.seekByte(self['header_offset'].value)
yield RawBytes(self, "header", self['header_size'].value)
for entry in self['trailer'].array('entry'):
if entry['size'].value == 0:
continue
self.seekByte(entry['offset'].value)
yield RawBytes(self, "object[]", entry['size'].value)
for entry in self['trailer'].array('trail'):
self.seekByte(entry['offset'].value)
yield RawBytes(self, "trail[]", entry['size'].value)
def createFields(self):
yield Bytes(self, "signature", 4, r'ELF signature ("\x7fELF")')
yield Enum(UInt8(self, "class", "Class"), self.CLASS_NAME)
if self["class"].value == 1:
ElfLongWord = UInt32
else:
ElfLongWord = UInt64
yield Enum(UInt8(self, "endian", "Endian"), self.ENDIAN_NAME)
yield UInt8(self, "file_version", "File version")
yield Enum(UInt8(self, "osabi_ident", "OS/syscall ABI identification"),
self.OSABI_NAME)
yield UInt8(self, "abi_version", "syscall ABI version")
yield String(self, "pad", 7, "Pad")
yield Enum(UInt16(self, "type", "File type"), self.TYPE_NAME)
yield Enum(UInt16(self, "machine", "Machine type"), self.MACHINE_NAME)
yield UInt32(self, "version", "ELF format version")
yield textHandler(ElfLongWord(self, "entry", "Entry point"),
hexadecimal)
yield ElfLongWord(self, "phoff", "Program header file offset")
yield ElfLongWord(self, "shoff", "Section header file offset")
yield UInt32(self, "flags", "Architecture-specific flags")
yield UInt16(self, "ehsize", "Elf header size (this header)")
yield UInt16(self, "phentsize", "Program header entry size")
yield UInt16(self, "phnum", "Program header entry count")
yield UInt16(self, "shentsize", "Section header entry size")
yield UInt16(self, "shnum", "Section header entry count")
yield UInt16(self, "shstrndx", "Section header string table index")
def createFields(self):
# Read chunk header
yield Bytes(self, "signature", 3, r"Property signature (\x8E\xAD\xE8)")
if self["signature"].value != "\x8E\xAD\xE8":
raise ParserError("Invalid property signature")
yield UInt8(self, "version", "Signature version")
yield NullBytes(self, "reserved", 4, "Reserved")
yield UInt32(self, "count", "Count")
yield UInt32(self, "size", "Size")
# Read item header
items = []
for i in range(0, self["count"].value):
item = ItemHeader(self, "item[]")
yield item
items.append(item)
# Sort items by their offset
items.sort(sortRpmItem)
# Read item content
start = self.current_size / 8
for item in items:
offset = item["offset"].value
diff = offset - (self.current_size / 8 - start)
if 0 < diff:
yield NullBytes(self, "padding[]", diff)
yield ItemContent(self, "content[]", item)
size = start + self["size"].value - self.current_size / 8
if 0 < size:
yield NullBytes(self, "padding[]", size)
def createFields(self):
yield Bytes(self, "signature", 6, "Signature Header")
yield UInt8(self, "major_ver", "Archive major version")
yield UInt8(self, "minor_ver", "Archive minor version")
yield textHandler(UInt32(self, "start_hdr_crc", "Start header CRC"),
hexadecimal)
yield StartHeader(self, "start_hdr", "Start header")
def createFields(self):
yield Bytes(self, "header", 4, r"PE header signature (PE\0\0)")
if self["header"].value != "PE\0\0":
raise ParserError("Invalid PE header signature")
yield Enum(UInt16(self, "cpu", "CPU type"), self.cpu_name)
yield UInt16(self, "nb_section", "Number of sections")
yield TimestampUnix32(self, "creation_date", "Creation date")
yield UInt32(self, "ptr_to_sym", "Pointer to symbol table")
yield UInt32(self, "nb_symbols", "Number of symbols")
yield UInt16(self, "opt_hdr_size", "Optional header size")
yield Bit(self, "reloc_stripped",
"If true, don't contain base relocations.")
yield Bit(self, "exec_image", "Executable image?")
yield Bit(self, "line_nb_stripped", "COFF line numbers stripped?")
yield Bit(self, "local_sym_stripped",
"COFF symbol table entries stripped?")
yield Bit(self, "aggr_ws", "Aggressively trim working set")
yield Bit(self, "large_addr",
"Application can handle addresses greater than 2 GB")
yield NullBits(self, "reserved", 1)
yield Bit(self, "reverse_lo",
"Little endian: LSB precedes MSB in memory")
yield Bit(self, "32bit", "Machine based on 32-bit-word architecture")
yield Bit(self, "is_stripped", "Debugging information removed?")
yield Bit(
self, "swap",
"If image is on removable media, copy and run from swap file")
yield PaddingBits(self, "reserved2", 1)
yield Bit(self, "is_system", "It's a system file")
yield Bit(self, "is_dll", "It's a dynamic-link library (DLL)")
yield Bit(self, "up", "File should be run only on a UP machine")
yield Bit(self, "reverse_hi", "Big endian: MSB precedes LSB in memory")
def createFields(self):
yield Bytes(self, "signature", 4, r"RealAudio identifier ('.ra\xFD')")
yield UInt16(self, "version", "Version")
if self["version"].value == 3:
yield UInt16(self, "header_size", "Header size")
yield RawBytes(self, "Unknown1", 10)
yield UInt32(self, "data_size", "Data size")
yield Metadata(self, "metadata")
yield UInt8(self, "Unknown2")
yield PascalString8(self, "FourCC")
audio_size = self["data_size"].value
else: # version = 4
yield UInt16(self, "reserved1", "Reserved, should be 0")
yield String(self, "ra4sig", 4, "'.ra4' signature")
yield UInt32(self, "filesize", "File size (minus 40 bytes)")
yield UInt16(self, "version2", "Version 2 (always equal to version)")
yield UInt32(self, "headersize", "Header size (minus 16)")
yield UInt16(self, "codec_flavor", "Codec flavor")
yield UInt32(self, "coded_frame_size", "Coded frame size")
yield RawBytes(self, "unknown1", 12)
yield UInt16(self, "subpacketh", "Subpacket h (?)")
yield UInt16(self, "frame_size", "Frame size")
yield UInt16(self, "sub_packet_size", "Subpacket size")
yield UInt16(self, "unknown2", "Unknown")
yield displayHandler(UInt16(self, "sample_rate", "Sample rate"), humanFrequency)
yield UInt16(self, "unknown3", "Unknown")
yield UInt16(self, "sample_size", "Sample size")
yield UInt16(self, "channels", "Channels")
yield PascalString8(self, "Interleaving ID String")
yield PascalString8(self, "FourCC")
yield RawBytes(self, "unknown4", 3)
yield Metadata(self, "metadata")
audio_size = (self["filesize"].value + 40) - (self["headersize"].value + 16)
if 0 < audio_size:
yield RawBytes(self, "audio_data", audio_size)
def createFields(self):
yield FIB(self, "FIB", "File Information Block")
table = getOLE2Parser(self.ole2,
"table" + str(self["FIB/fWhichTblStm"].value))
padding = (self['FIB/fcMin'].value - self.current_size // 8)
if padding:
yield NullBytes(self, "padding[]", padding)
# Guess whether the file uses UTF16 encoding.
is_unicode = False
if self['FIB/array2/ccpText'].value * 2 == self[
'FIB/fcMax'].value - self['FIB/fcMin'].value:
is_unicode = True
for fieldname, textname in [('Text', 'text'), ('Ftn', 'text_footnote'),
('Hdr', 'text_header'),
('Mcr', 'text_macro'),
('Atn', 'text_annotation'),
('Edn', 'text_endnote'),
('Txbx', 'text_textbox'),
('HdrTxbx', 'text_header_textbox')]:
size = self['FIB/array2/ccp' + fieldname].value
if size:
if is_unicode:
yield String(self, textname, size * 2, charset="UTF-16-LE")
else:
yield Bytes(self, textname, size)
padding = (self['FIB/fcMax'].value - self.current_size // 8)
if padding:
yield RawBytes(self, "padding[]", padding)
def createFields(self):
yield Bytes(self, "endian", 2, "Endian (0xFF 0xFE for Intel)")
yield UInt16(self, "format", "Format (0)")
yield UInt8(self, "os_version")
yield UInt8(self, "os_revision")
yield Enum(UInt16(self, "os_type"), OS_NAME)
yield GUID(self, "format_id")
yield UInt32(self, "section_count")
if MAX_SECTION_COUNT < self["section_count"].value:
raise ParserError("OLE2: Too much sections (%s)" %
self["section_count"].value)
section_indexes = []
for index in xrange(self["section_count"].value):
section_index = SummaryIndex(self, "section_index[]")
yield section_index
section_indexes.append(section_index)
for section_index in section_indexes:
self.seekByte(section_index["offset"].value)
yield SummarySection(self, "section[]")
size = (self.size - self.current_size) // 8
if 0 < size:
yield NullBytes(self, "end_padding", size)
def createFields(self):
yield Bytes(self, "sync", 3)
yield textHandler(UInt8(self, "tag"), hexadecimal)
if self.parser:
if self.parser != PackHeader:
yield UInt16(self, "length")
if not self["length"].value:
return
yield self.parser(self, "content")
def createFields(self):
# Gzip header
yield Bytes(self, "signature", 2, r"GZip file signature (\x1F\x8B)")
yield Enum(UInt8(self, "compression", "Compression method"),
self.COMPRESSION_NAME)
# Flags
yield Bit(self, "is_text", "File content is probably ASCII text")
yield Bit(self, "has_crc16", "Header CRC16")
yield Bit(self, "has_extra", "Extra informations (variable size)")
yield Bit(self, "has_filename", "Contains filename?")
yield Bit(self, "has_comment", "Contains comment?")
yield NullBits(self, "reserved[]", 3)
yield TimestampUnix32(self, "mtime", "Modification time")
# Extra flags
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "slowest",
"Compressor used maximum compression (slowest)")
yield Bit(self, "fastest", "Compressor used the fastest compression")
yield NullBits(self, "reserved[]", 5)
yield Enum(UInt8(self, "os", "Operating system"), self.os_name)
# Optional fields
if self["has_extra"].value:
yield UInt16(self, "extra_length", "Extra length")
yield RawBytes(self, "extra", self["extra_length"].value, "Extra")
if self["has_filename"].value:
yield CString(self, "filename", "Filename", charset="ISO-8859-1")
if self["has_comment"].value:
yield CString(self, "comment", "Comment")
if self["has_crc16"].value:
yield textHandler(UInt16(self, "hdr_crc16", "CRC16 of the header"),
hexadecimal)
if self._size is None: # TODO: is it possible to handle piped input?
raise NotImplementedError()
# Read file
size = (self._size - self.current_size) // 8 - 8 # -8: crc32+size
if 0 < size:
if self["has_filename"].value:
filename = self["filename"].value
else:
for tag, filename in self.stream.tags:
if tag == "filename" and filename.endswith(".gz"):
filename = filename[:-3]
break
else:
filename = None
yield Deflate(SubFile(self, "file", size, filename=filename))
# Footer
yield textHandler(
UInt32(self, "crc32", "Uncompressed data content CRC32"),
hexadecimal)
yield filesizeHandler(UInt32(self, "size", "Uncompressed size"))
def createFields(self):
yield Bytes(self, "filetype", 4, "File type (HDMV)")
yield Bytes(self, "fileversion", 4, "File version (0?00)")
yield UInt32(self, "offset[]")
yield UInt32(self, "offset[]")
yield UInt32(self, "offset[]")
yield UInt32(self, "offset[]")
yield UInt32(self, "offset[]")
self.seekByte(self['offset[0]'].value)
yield AVCHDGenericChunk(self, "chunk[]")
self.seekByte(self['offset[1]'].value)
yield AVCHDCLPI_1(self, "chunk[]")
self.seekByte(self['offset[2]'].value)
yield AVCHDGenericChunk(self, "chunk[]")
self.seekByte(self['offset[3]'].value)
yield AVCHDGenericChunk(self, "chunk[]")
self.seekByte(self['offset[4]'].value)
yield AVCHDChunkWithHeader(self, "chunk[]")
def createFields(self):
yield Bytes(self, "magic", 4, "Mach-O signature")
yield Enum(Int32(self, "cputype"), CPU_TYPE)
yield Int32(self, "cpusubtype")
yield Enum(UInt32(self, "filetype"), FILE_TYPE)
yield UInt32(self, "ncmds")
yield UInt32(self, "sizeofcmds")
yield UInt32(self, "flags")
if self.parent.is64bit:
yield UInt32(self, "reserved")
def createFields(self):
yield Bytes(self, "signature", 4, "Usually the magic is 'FILE'")
yield UInt16(self, "usa_ofs", "Update Sequence Array offset")
yield UInt16(self, "usa_count", "Update Sequence Array count")
yield UInt64(self, "lsn", "$LogFile sequence number for this record")
yield UInt16(self, "sequence_number",
"Number of times this mft record has been reused")
yield UInt16(self, "link_count", "Number of hard links")
yield UInt16(self, "attrs_offset",
"Byte offset to the first attribute")
yield MFT_Flags(self, "flags")
yield UInt32(self, "bytes_in_use",
"Number of bytes used in this record")
yield UInt32(self, "bytes_allocated",
"Number of bytes allocated for this record")
yield UInt64(self, "base_mft_record")
yield UInt16(self, "next_attr_instance")
# The below fields are specific to NTFS 3.1+ (Windows XP and above)
yield NullBytes(self, "reserved", 2)
yield UInt32(self, "mft_record_number", "Number of this mft record")
padding = self.seekByte(self["attrs_offset"].value, relative=True)
if padding:
yield padding
while not self.eof:
addr = self.absolute_address + self.current_size
if self.stream.readBytes(addr, 4) == "\xFF\xFF\xFF\xFF":
yield Bytes(self, "attr_end_marker", 8)
break
yield Attribute(self, "attr[]")
size = self["bytes_in_use"].value - self.current_size // 8
if size:
yield RawBytes(self, "end_rawdata", size)
size = (self.size - self.current_size) // 8
if size:
yield RawBytes(self, "end_padding", size,
"Unused but allocated bytes")
def createFields(self):
yield PascalString32UTF16(self, "filename")
yield Bytes(self, "property", 4)
yield Bytes(self, "type", 4)
type = self['type'].value
if type == 'long':
yield UInt32(self, "value")
elif type == 'shor':
yield NullBytes(self, "padding", 2)
yield UInt16(self, "value")
elif type == 'bool':
yield UInt8(self, "value")
elif type == 'blob':
yield UInt32(self, "size")
yield SubFile(self, "value", self['size'].value)
elif type == 'type':
yield Bytes(self, "value", 4)
elif type == 'ustr':
yield PascalString32UTF16(self, "value")
else:
raise ParserError("Unknown record type %s" % type)
def parseFontHeader(self):
yield UInt16(self, "maj_ver", "Major version")
yield UInt16(self, "min_ver", "Minor version")
yield UInt16(self, "font_maj_ver", "Font major version")
yield UInt16(self, "font_min_ver", "Font minor version")
yield textHandler(UInt32(self, "checksum"), hexadecimal)
yield Bytes(self, "magic", 4, r"Magic string (\x5F\x0F\x3C\xF5)")
if self["magic"].value != "\x5F\x0F\x3C\xF5":
raise ParserError("TTF: invalid magic of font header")
# Flags
yield Bit(self, "y0", "Baseline at y=0")
yield Bit(self, "x0", "Left sidebearing point at x=0")
yield Bit(self, "instr_point", "Instructions may depend on point size")
yield Bit(self, "ppem", "Force PPEM to integer values for all")
yield Bit(self, "instr_width", "Instructions may alter advance width")
yield Bit(self, "vertical", "e laid out vertically?")
yield PaddingBits(self, "reserved[]", 1)
yield Bit(self, "linguistic", "Requires layout for correct linguistic rendering?")
yield Bit(self, "gx", "Metamorphosis effects?")
yield Bit(self, "strong", "Contains strong right-to-left glyphs?")
yield Bit(self, "indic", "contains Indic-style rearrangement effects?")
yield Bit(self, "lossless", "Data is lossless (Agfa MicroType compression)")
yield Bit(self, "converted", "Font converted (produce compatible metrics)")
yield Bit(self, "cleartype", "Optimised for ClearType")
yield Bits(self, "adobe", 2, "(used by Adobe)")
yield UInt16(self, "unit_per_em", "Units per em")
if not(16 <= self["unit_per_em"].value <= 16384):
raise ParserError("TTF: Invalid unit/em value")
yield UInt32(self, "created_high")
yield TimestampMac32(self, "created")
yield UInt32(self, "modified_high")
yield TimestampMac32(self, "modified")
yield UInt16(self, "xmin")
yield UInt16(self, "ymin")
yield UInt16(self, "xmax")
yield UInt16(self, "ymax")
# Mac style
yield Bit(self, "bold")
yield Bit(self, "italic")
yield Bit(self, "underline")
yield Bit(self, "outline")
yield Bit(self, "shadow")
yield Bit(self, "condensed", "(narrow)")
yield Bit(self, "expanded")
yield PaddingBits(self, "reserved[]", 9)
yield UInt16(self, "lowest", "Smallest readable size in pixels")
yield Enum(UInt16(self, "font_dir", "Font direction hint"), DIRECTION_NAME)
yield Enum(UInt16(self, "ofst_format"), {0: "short offsets", 1: "long"})
yield UInt16(self, "glyph_format", "(=0)")
def createFields(self):
yield Bytes(self, "signature", 2, "New executable signature (NE)")
yield UInt8(self, "link_ver", "Linker version number")
yield UInt8(self, "link_rev", "Linker revision number")
yield UInt16(self, "entry_table_ofst", "Offset to the entry table")
yield UInt16(self, "entry_table_size", "Length (in bytes) of the entry table")
yield PaddingBytes(self, "reserved[]", 4)
yield Bit(self, "is_dll", "Is a dynamic-link library (DLL)?")
yield Bit(self, "is_win_app", "Is a Windows application?")
yield PaddingBits(self, "reserved[]", 9)
yield Bit(self, "first_seg_code", "First segment contains code that loads the application?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "link_error", "Load even if linker detects errors?")
yield NullBits(self, "reserved[]", 1)
yield Bit(self, "is_lib", "Is a library module?")
yield UInt16(self, "auto_data_seg", "Automatic data segment number")
yield filesizeHandler(UInt16(self, "local_heap_size", "Initial size (in bytes) of the local heap"))
yield filesizeHandler(UInt16(self, "stack_size", "Initial size (in bytes) of the stack"))
yield textHandler(UInt32(self, "cs_ip", "Value of CS:IP"), hexadecimal)
yield textHandler(UInt32(self, "ss_sp", "Value of SS:SP"), hexadecimal)
yield UInt16(self, "nb_entry_seg_tab", "Number of entries in the segment table")
yield UInt16(self, "nb_entry_modref_tab", "Number of entries in the module-reference table")
yield filesizeHandler(UInt16(self, "size_nonres_name_tab", "Number of bytes in the nonresident-name table"))
yield UInt16(self, "seg_tab_ofs", "Segment table offset")
yield UInt16(self, "rsrc_ofs", "Resource offset")
yield UInt16(self, "res_name_tab_ofs", "Resident-name table offset")
yield UInt16(self, "mod_ref_tab_ofs", "Module-reference table offset")
yield UInt16(self, "import_tab_ofs", "Imported-name table offset")
yield UInt32(self, "non_res_name_tab_ofs", "Nonresident-name table offset")
yield UInt16(self, "nb_mov_ent_pt", "Number of movable entry points")
yield UInt16(self, "log2_sector_size", "Log2 of the segment sector size")
yield UInt16(self, "nb_rsrc_seg", "Number of resource segments")
yield Bit(self, "unknown_os_format", "Operating system format is unknown")
yield PaddingBits(self, "reserved[]", 1)
yield Bit(self, "os_windows", "Operating system is Microsoft Windows")
yield NullBits(self, "reserved[]", 6)
yield Bit(self, "is_win20_prot", "Is Windows 2.x application running in version 3.x protected mode")
yield Bit(self, "is_win20_font", "Is Windows 2.x application supporting proportional fonts")
yield Bit(self, "fast_load", "Contains a fast-load area?")
yield NullBits(self, "reserved[]", 4)
yield UInt16(self, "fastload_ofs", "Fast-load area offset (in sector)")
yield UInt16(self, "fastload_size", "Fast-load area length (in sector)")
yield NullBytes(self, "reserved[]", 2)
yield textHandler(UInt16(self, "win_version", "Expected Windows version number"), hexadecimal)
def createFields(self):
yield UInt32(self, "size")
self._size = (self['size'].value + 4) * 8
yield UInt32(self, "unknown[]", "24")
yield UInt32(self, "unknown[]", "1")
yield UInt32(self, "unknown[]", "0x10000100")
yield UInt32(self, "unknown[]", "24")
yield UInt32(self, "size2")
assert self['size'].value == self['size2'].value + 20
yield Bytes(self, "magic", 4)
yield RawBytes(self, "unknown[]", 36)
for field in self.TYPES[self['magic'].value](self):
yield field
def createFields(self):
# Signature
yield Bytes(self, "ole_id", 8, "OLE object signature")
header = Header(self, "header")
yield header
# Configure values
self.sector_size = (8 << header["bb_shift"].value)
self.fat_count = header["bb_count"].value
self.items_per_bbfat = self.sector_size / SECT.static_size
self.ss_size = (8 << header["sb_shift"].value)
self.items_per_ssfat = self.items_per_bbfat
# Read DIFAT (one level of indirection)
yield DIFat(self, "difat", header["db_start"].value,
header["db_count"].value, "Double Indirection FAT")
# Read FAT (one level of indirection)
for field in self.readBFAT():
yield field
# Read SFAT
for field in self.readSFAT():
yield field
# Read properties
chain = self.getChain(self["header/bb_start"].value)
prop_per_sector = self.sector_size // Property.static_size
self.properties = []
for block in chain:
self.seekBlock(block)
for index in xrange(prop_per_sector):
property = Property(self, "property[]")
yield property
self.properties.append(property)
# Parse first property
for index, property in enumerate(self.properties):
if index == 0:
name, parser = 'root', RootEntry
else:
try:
name, parser = PROPERTY_NAME[property["name"].value]
except LookupError:
name = property.name + "content"
parser = RawParser
for field in self.parseProperty(property, name, parser):
yield field
def createFields(self):
# Header
yield UInt16(self, "version", "Version (=1)")
yield Bytes(self, "endian", 2, "Endian (\\xfe\\xff for little endian)")
yield UInt8(self, "os_version")
yield UInt8(self, "os_revision")
yield Enum(UInt16(self, "os"), OS_NAME)
yield Int32(self, "unused", "(=-1)")
yield GUID(self, "clsid")
# User type
yield PascalString32(self, "user_type", strip="\0")
# Clipboard format
if self["os"].value == OS_MAC:
yield Int32(self, "unused[]", "(=-2)")
yield String(self, "clipboard_format", 4)
else:
yield PascalString32(self, "clipboard_format", strip="\0")
if self._current_size // 8 == self.datasize:
return
#-- OLE 2.01 ---
# Program ID
yield PascalString32(self, "prog_id", strip="\0")
if self["os"].value != OS_MAC:
# Magic number
yield textHandler(
UInt32(self, "magic", "Magic number (0x71B239F4)"),
hexadecimal)
# Unicode version
yield PascalStringWin32(self, "user_type_unicode", strip="\0")
yield PascalStringWin32(self,
"clipboard_format_unicode",
strip="\0")
yield PascalStringWin32(self, "prog_id_unicode", strip="\0")
size = self.datasize - (
self._current_size // 8
) # _current_size because current_size returns _current_max_size
if size:
yield NullBytes(self, "end_padding", size)
if self.datasize < self.size // 8:
yield RawBytes(self, "slack_space",
(self.size // 8) - self.datasize)
def createFields(self):
yield Bytes(self, "id", 4, "Tcpdump identifier")
yield UInt16(self, "maj_ver", "Major version")
yield UInt16(self, "min_ver", "Minor version")
yield Int32(self, "this_zone", "GMT to local time zone correction")
yield Int32(self, "sigfigs", "accuracy of timestamps")
yield UInt32(self, "snap_len", "max length saved portion of each pkt")
yield Enum(UInt32(self, "link_type", "data link type"),
self.LINK_TYPE_DESC)
link = self["link_type"].value
if link not in self.LINK_TYPE:
raise ParserError("Unknown link type: %s" % link)
name, parser = self.LINK_TYPE[link]
while self.current_size < self.size:
yield Packet(self, "packet[]", parser, name)
def createFields(self):
yield Bytes(self, "magic", 4, description="Always Bud1")
yield UInt32(self, "allocator_offset")
yield UInt32(self, "allocator_size")
yield UInt32(
self,
"allocator_offset_backup",
description=
"Finder will refuse to read the file if this does not match the first copy"
)
for i in xrange(4):
yield BlockAddress(
self,
"block_address_copy[]",
description="Copies of block addresses defined in the allocator"
)
