Ange

Different prints!

I'm looking for a 39C3 ticket for a relative.
No scammer please ;)

To check if a file starts with MZ or GIF, just use file/libmagic.
You don't need AI or Magika for that.
TrID has a lot of heuristics, but a lot of false positives.

Magika is useful in different ways, across binary and source types, and is quite fast. But not fit for weird files.

Magika is a fast file type identifier that covers many file types, binary formats or source texts.
It's not made to detect adversarial attacks.
It's useful for different things that classic binary scanning can't do at this speed.

Magika was trained on all file types with enough available samples.

GitHub - corkami/mitra: A generator of weird files (binary polyglots, near polyglots, polymocks...) A generator of weird files (binary polyglots, near polyglots, polymocks...) - corkami/mitra

Weird files are out of scope of Magika. It just wasn't trained on them.

It's trivial to inject some data in a file and keep it functional (w/ my tool Mitra, for example).
So take a JPG, inject a lot of JavaScript data, and ...guess what ?

Check it out: github.com/corkami/mitra

Fearsome File Formats Presented at 38C3 in Hamburg on the 28th December 2024. Video recording: https://media.ccc.de/v/38c3-fearsome-file-formats With so many open-sou…

Of course, it's possible to create weird files that will fool Magika and other tools.
Polymocks, polyglots...

I made quite a few - check my CCC talk last year:
speakerdeck.com/ange/fearsom...

Magika uses the first and last kilobytes of the files.
That way, if the file is slightly corrupted, the filetype might still be properly identified.
Magika returns several file types if needed.
It's one of its advantages, but a double-edged sword.

So file contents are used to determine the file type.
To check if the file starts with '\x7FELF', 'MZ' or 'GIF', you don't need IA.

But some file formats don't start with a clear 'magic' signature at offset zero.
And what if you also want to tell apart C++, RUST and HTML ?
No magic for source files

To identify file types, the worst way are file extensions:
the extension is stored in the filesystem entry, not in the file content.
It can be lost, modified, variable...

Almost all file formats are known under several file extensions:
.JPG/.JPEG, .ZIP/.APK/.DOCX, .EXE/.DLL, .ELF/.SO ...

Overview of file type identifiers Yara, LibMagic (file, binwalk, polyfile), TrID, Yara, Magika, PeID, Pronom, FDD, ShareMime, DiE... How do they work? What are their pros and cons, th…

In the process, I also studied in depth other file type identifiers, and I've been contributing to most of them before, including LibMagic, TrID...
Check my talk: speakerdeck.com/ange/overvie...

Hi newcomers: I've been contributing to Magika since 2023 (it became public in 2024).
Some clarifications regarding the recent Magika release...

Magika is useful in its own way, and used in production.
The recent Rust release doesn't change how Magika is fundamentally working.

Is there nowadays a better content extractor from PDF than the classic ‘pdftotext’ ?
Something (maybe ML-driven) that would handle tables, rows of text and formulas ?

I love the little details:
Drop and run, piezo sound…

Announcing Magika 1.0: now faster, smarter, and rebuilt in Rust

Public blog post:
opensource.googleblog.com/2025/11/anno...

Source: github.com/google/magika

Announcing Magika 1.0: now faster, smarter, and rebuilt in Rust

Magika 1.0 is released, available in Rust, TypeScript and Python, and supporting more than 200 file types.

If you’re into malware analysis, you should really give Malcat a try.
A great all-in-one tool with hex and structure views, disasm and decomp, integrated Yara, python scripting, similarities scanning...
Definitely worth trying!

Is there a good source for non-malicious executables? categorized and with some variety, across platforms, languages...?

Identifying obfuscated code through graph-based semantic analysis of binary code - Applied Network Science Protecting sensitive program content is a critical concern in various situations, ranging from legitimate use cases to unethical contexts. Obfuscation is one of the most used techniques to ensure such a protection. Consequently, attackers must first detect and characterize obfuscation before launching any attack against it. This paper investigates the problem of function-level obfuscation detection using graph-based approaches, comparing algorithms, from classical baselines to advanced techniques like Graph Neural Networks (GNN), on different feature choices. We consider various obfuscation types and obfuscators, resulting in two complex datasets. Our findings demonstrate that GNNs need meaningful features that capture aspects of function semantics to outperform baselines. Our approach shows satisfactory results, especially in a challenging 11-class classification task and in two practical binary analysis examples. It highlights how much obfuscation and optimization are intertwined in binary code and that a better comprehension of these two principles are fundamental in order to obtain better detection results.

Brand new paper with Roxane Cohen, Robin David (both from @quarkslab.bsky.social ) and Florian Yger on obfuscation detection in binary code doi.org/10.1007/s411... We show that carefully selected features can be leveraged by graph neural networks to outperform classical solutions.

Apple Preview 11.0 (macOS 15.5) does crash while opening gist.github.com/nst/373748f2... as x.pdf (malformed ICC profile).

[com.apple.Preview] CoreGraphics assert(cs != NULL) failed in img_pixels_for_destination: colorspace missing
CoreGraphics/Images/CGSImage.c:4029: failed assertion `cs != NULL'

Color coded display of a zlib compressed version of this post's text, rendered by the flateview demo

lynn.github.io/flateview/
Impressive. Visualizer of zlib (gzip) - paste in a paragraph or two of text.

Reminds me of @angealbertini.bsky.social's binary file-format illustrations (google 'corkami').

I have been learning more about PDFs than I really wanted to for maybe the absolutely most funny reason possible - letting agency forgery: mjg59.dreamwidth.org/73317.html

Enter Sandbox 30: Static Analysis gone wrong

www.hexacorn.com/blog/2025/09...

Grab your @phrack copy (beautiful 150 page color print) at @nullcon’s registration booth!

GitHub - corkami/mitra: A generator of weird files (binary polyglots, near polyglots, polymocks...) A generator of weird files (binary polyglots, near polyglots, polymocks...) - corkami/mitra

You can do that with my Mitra tool with the `--force` parameter (for arbitrary content injection) on ~40 standard formats (which covers many more subformats).
github.com/corkami/mitra

The One-Man APT, Part I: A Picture That Can Execute Code on the Target The One-Man APT, Part I: A Picture That Can Execute Code on the Target - Hackers Arise Have you ever wondered if it’s possible to replicate the stealthy behavior of a modern cyber‑attack using artificial intelligence? As part of my research, I focused on the techniques used by a Linux-b...

Bash script injection in a JPEG file:
hackers-arise.com/the-one-man-...

Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]

OBS WebSocket to RCE | Jorian Woltjer Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an imag...

Just pushed a new frontend for my site, and a new post!
This one's about an tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring:
jorianwoltjer.com/blog/p/resea...

C'est surprenant effectivement, mais peut-être le PDF 1.7 contient de nombreuses informations supplémentaires (accessibilité, XML...) plus récentes.

I had a minor printing problem with an article where the last few letters of the longest lines of text were missing.
It was a small mental puzzle every 5-10 lines to guess the missing letters.
An interesting exercise to stay focused throughout the article.

Fun and informative, as always, thank you!