@Ange

3.3K Followers
196 Following
789 Posts
Reverse engineer, file formats expert.
Corkami, CPS2Shock, PoC||GTFO, Sha1tered, Magika...
Security engineer @ Google. He/him.
Githubhttps://github.com/angea
Githubhttps://github.com/corkami
Pronounshe/him
Ange1d ago
#Digital ⚓️ #Vagabond 🦈1d ago
Anyone have a copy of the NDSA levels of preservation that isn't a JPEG or PDF? (Markdown, HTML, or ASCII Table would be 👌) #digipre #LoP
AngeMar 26

An AI told me today that we’re in 2024, for no obvious reason: I had just asked to look for past occurrences of specific events.

I didn’t expect it to hallucinate on such a small and yet obvious fact.

Did you ever encounter such a trivially wrong hallucination?

AngeDec 26
On my way #39c3 #ICE612
AngeDec 10
Damien GuardDec 10

Oh dear the entire https://www.lyonlabs.org site is offline *and* excluded from archive.org.

It's a massive archive of vintage and modern GEOS and C64 material a lot of it seemingly not found elsewhere.

AngeNov 18
My relative is looking for a 39C3 ticket.
No scammers please ;)
Show threadAngeNov 14

To check if a file starts with MZ or GIF, just use file/libmagic.
You don't need AI or Magika for that.
TrID has a lot of heuristics, but a lot of false positives.

Magika is useful in different ways, across binary and source types, and is quite fast. But not useful against weird or adversary files.

Show threadAngeNov 14

Magika is a fast file type identifier that covers many file types, binary formats or source texts.
It's not made to detect adversarial attacks.
It's useful for different things that classic binary scanning can't do at this speed.

Magika was trained on all the file types with enough available samples.

Show threadAngeNov 14

Weird files are out of scope of Magika. It just wasn't trained on them.

It's trivial to inject some data in a file and keep it functional (w/ my tool Mitra, for example).
So take a JPG, inject a lot of JavaScript data, and ...guess what ?

Check it out: https://github.com/corkami/mitra

GitHub - corkami/mitra: A generator of weird files (binary polyglots, near polyglots, polymocks...)

A generator of weird files (binary polyglots, near polyglots, polymocks...) - corkami/mitra

GitHub
Show threadAngeNov 14

Of course, it's possible to create weird files that will fool Magika and other tools.
Polymocks, polyglots...

I made quite a few - check my CCC talk last year:
https://speakerdeck.com/ange/fearsome-file-formats-18374bc4-b3f2-429f-862e-2177ab4d7aae

Fearsome File Formats

Presented at 38C3 in Hamburg on the 28th December 2024. Video recording: https://media.ccc.de/v/38c3-fearsome-file-formats With so many open-sou…

Speaker Deck
Show threadAngeNov 14
Magika uses the first and last kilobytes of the files.
That way, if the file is slightly corrupted, the filetype might still be properly identified.
Magika returns several file types if needed.
It's one of its advantages, but a double-edged sword.