|
Message-ID: <462ef488ad7dda9036f0b7d45941f7fb@smtp.hushmail.com>
Date: Fri, 1 Feb 2013 02:09:07 +0100
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: DMG (was: dmg2john)
On 1 Feb, 2013, at 1:59 , magnum <john.magnum@...hmail.com> wrote:
>
>> On 31 Jan, 2013, at 8:43 , Milen Rangelov <gat3way@...il.com> wrote:
>> > I would rather avoid the "zero" test BTW. This is what my initial version did and it did work for some of the images, it also gave out a lot of false negatives for others. This saves a lot of CPU work, but it does not work reliably unfortunately :(
>
> In addition to nulls, I added checks for "</plist>" and "jrnlhfs+", also 8 bytes each. 64 bits is a pretty low risk of false positive (especially at this speed). The koly is 8 bytes too as it reads an int after it (BTW it does an unaligned read of that int). The only really problematic check I see is "Apple". That's just 40 bits. And that one is not needed with the NULL test. Actually no other check is, from what I've seen so far.
>
> I will bump the nulls test to 16, and disable the rest for now. There is no way in hell you'll get 128 consecutive bits of 0 in random data. I'll also remove the FMT_NOT_EXACT unless -DDMG_DEBUG.
>
> How many nulls did you look for when you got false positives? It must have been fewer than 8, no?
Oh, you said false negatives. So I re-enabled the other tests again :-) But not the Apple one.
magnum
Content of type "text/html" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.