fkie-cad / fact_extractor

Standalone Utility for FACT-like extraction
GNU General Public License v3.0

add base/ascii85 unpacker #20

Closed jstucke closed 3 years ago

jstucke commented 4 years ago

ascii85 was found in samples (e.g. cafc32c77a1d7a0fc9ec939219be8d097cf84104f8382fa0425159f46f402192_37834625) and currently there is no unpacker

0xricksanchez commented 4 years ago

Decoding can be realized via the standard Python library. However, Ascii85 and Base85 use different character sets, so we would need both.

# Default ASCII85 Encoding
In [5]: base64.a85encode(b'Hello World!')
Out[5]: b'87cURD]i,"Ebo80'

# ADOBE ASCII85 Encoding
# Interesting for e.g.: .ps or .eps files especially in printer firmware
In [4]: base64.a85encode(b'Hello World!', adobe=True)
Out[4]: b'<~87cURD]i,"Ebo80~>'

# Default Base85 Encoding
In [6]: base64.b85encode(b'Hello World!')
Out[6]: b'NM&qnZy;B1a%^NF'

Additionally, there is a Z85 encoding (see: https://rfc.zeromq.org/spec:32/Z85/), which is a derivative of ASCII85. It is not yet in the base64 standard Python library (see: https://bugs.python.org/issue31116).

Except for the Adobe variant, the others do not seem to have any trivial delimiter to grep for.
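
Added example, not part of the comment above and not fact_extractor's code: a sketch of the two points raised in the thread, carving `<~ ... ~>` framed Adobe ASCII85 streams out of a binary blob and checking which standard-library decoder accepts an unframed string. The function names, `min_len` threshold and sample blob are assumptions made for illustration.

```python
import base64
import re

# Adobe framing: "<~" payload "~>"; payload is '!'..'u', the 'z' shortcut, whitespace.
ADOBE_A85 = re.compile(rb"<~[!-uz\s]*~>")

# Constructed sample: binary junk, the Adobe stream from the thread, and a framed
# but invalid stream ("uuuuu" overflows 32 bits).
SAMPLE_BLOB = b"\x7fFW\x00%!PS\n" + b'<~87cURD]i,"Ebo80~>' + b"\x00pad<~uuuuu~>\xff"


def carve_adobe_ascii85(blob, min_len=4):
    """Return (offset, decoded) for each valid Adobe ASCII85 stream in blob."""
    found = []
    for match in ADOBE_A85.finditer(blob):
        try:
            decoded = base64.a85decode(match.group(0), adobe=True)
        except ValueError:
            continue  # delimiters matched, payload is not valid ASCII85
        if len(decoded) >= min_len:  # drop empty or tiny accidental hits
            found.append((match.start(), decoded))
    return found


def accepted_by(candidate):
    """Names of the stdlib radix-85 decoders that accept an unframed candidate."""
    decoders = {"ascii85": base64.a85decode, "base85": base64.b85decode}
    accepted = []
    for name, decode in decoders.items():
        try:
            decode(candidate)
        except ValueError:
            continue  # character outside this variant's alphabet, or overflow
        accepted.append(name)
    return accepted


if __name__ == "__main__":
    for offset, data in carve_adobe_ascii85(SAMPLE_BLOB):
        print(f"offset {offset}: {data!r}")
    for sample in (b'87cURD]i,"Ebo80', b"NM&qnZy;B1a%^NF"):
        print(sample, "->", accepted_by(sample))
```

A string can be valid in both alphabets, so `accepted_by` narrows the candidates but does not identify the encoding on its own.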

jstucke commented 3 years ago

resolved in #28