XXD/HEXDUMP 分析TTF字体文件

之前呢，常常困惑于16bit这个概念，今天我们通过分析字体文件，来看看一些有意思的知识点。比如吧：

hexdump -C /Library/Fonts/Skia.ttf | less

1. hexdump 是一个将文件以16进制显示的命令
2. /Library/Fonts/Skia.ttf 是系统安装的一个字体

00000000  00 01 00 00 00 1c 01 00  00 04 01 b0 4f 53 2f 32  |............OS/2|
00000010  95 66 4f a4 00 00 03 0c  00 00 00 56 62 73 6c 6e  |.fO........Vbsln|
00000020  01 fb 06 fd 00 00 02 c4  00 00 00 48 63 6c 61 73  |...........Hclas|
00000030  ae 9b 63 45 00 00 40 a8  00 00 19 4a 63 6d 61 70  |..cE..@....Jcmap|
00000040  39 75 f3 08 00 00 10 58  00 00 04 fe 63 76 61 72  |9u.....X....cvar|
00000050  23 f3 73 b2 00 00 15 58  00 00 05 74 63 76 74 20  |#.s....X...tcvt |
00000060  59 2f 57 cd 00 00 05 1c  00 00 00 f2 66 64 73 63  |Y/W.........fdsc|
00000070  40 19 2b 35 00 00 02 5c  00 00 00 30 66 65 61 74  |@.+5...\...0feat|
00000080  00 7e 1e 9f 00 00 03 c4  00 00 00 a8 66 6d 74 78  |.~..........fmtx|
00000090  04 08 0c 40 00 00 01 cc  00 00 00 10 66 6f 6e 64  |...@........fond|
000000a0  1b 26 8e cd 00 00 1a cc  00 00 08 ec 66 70 67 6d  |.&..........fpgm|
000000b0  1f a6 7a 0e 00 00 02 14  00 00 00 24 66 76 61 72  |..z........$fvar|
000000c0  fa a6 2e 59 00 00 04 6c  00 00 00 b0 67 6c 79 66  |...Y...l....glyf|
000000d0  f7 f9 36 39 00 01 bf f0  00 01 39 3c 67 76 61 72  |..69......9<gvar|
000000e0  e0 6d 41 58 00 02 f9 2c  00 04 80 d2 68 65 61 64  |.mAX...,....head|
000000f0  a4 89 a8 99 00 00 02 8c  00 00 00 36 68 68 65 61  |...........6hhea|
00000100  0d 07 07 a7 00 00 02 38  00 00 00 24 68 6d 74 78  |.......8...$hmtx|
00000110  36 18 ec 63 00 00 23 b8  00 00 09 20 6b 65 72 6e  |6..c..#.... kern|
00000120  f1 a1 bc 4b 00 01 34 48  00 00 8b a6 6c 6f 63 61  |...K..4H....loca|
00000130  b6 46 08 43 00 00 0b b8  00 00 04 a0 6c 74 61 67  |.F.C........ltag|
00000140  51 2d 78 7a 00 00 01 dc  00 00 00 17 6d 61 78 70  |Q-xz........maxp|
00000150  03 45 02 e2 00 00 01 f4  00 00 00 20 6d 65 74 61  |.E......... meta|
00000160  db 09 cd 63 00 00 07 3c  00 00 02 1c 6d 6f 72 78  |...c...<....morx|
00000170  40 66 67 12 00 00 c1 08  00 00 73 40 6e 61 6d 65  |@fg.......s@name|

通过观察可以知道：

image.png

' 以下内容等于：OS/2
echo '\x4f\x53\x2f\x32' 
' ----------------------------------------------------------------'
OS/2

我们通过 xxd 命令来截取 TTF 前面的12字节：

xxd -l 14 /Library/Fonts/Skia.ttf | less
' ----------------------------------------------------------------'
00000000: 0001 0000 001c 0100 0004 01b0 4f53       ............OS

参考

1. https://www.hackingarticles.in/linux-for-pentester-xxd-privilege-escalation/
2. https://en.wikipedia.org/wiki/Hex_dump
3. https://www.suse.com/c/making-sense-hexdump/