Cerbero Blog

CRAMFS Format Package

We are happy to announce support for CRAMFS file system images. The new CRAMFS Format package lets you browse and extract files from CRAMFS images directly within the application.

CRAMFS (Compressed ROM File System) is a simple, read-only compressed file system designed for Linux ROM devices. It compresses file data one page at a time using zlib, keeping the image compact while allowing random read access. CRAMFS is commonly found in embedded systems, firmware images, set-top boxes, and devices with limited flash storage. Having native support in Cerbero Suite means analysts can inspect firmware dumps and ROM images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

VBA Beautifier Package

We are happy to announce the beta release for commercial licenses of the VBA Beautifier package. It provides automated beautification and deobfuscation for VBA (Visual Basic for Applications) and VBS (VBScript) code, the most common macro language found in malicious Office documents.

VBA macros remain one of the primary initial access vectors in the threat landscape. Malware authors routinely apply layers of obfuscation. Manually cleaning up these scripts is tedious and error-prone. The VBA Beautifier helps to automate this process, turning obfuscated macro code into clean, readable output.

YAFFS Format Package

We are happy to announce support for YAFFS and YAFFS2 file system images. The new YAFFS Format package lets you browse and extract files from YAFFS flash dumps directly within the application.

YAFFS2 (Yet Another Flash File System 2) is a log-structured file system designed for NAND flash memory. It is widely used in embedded Linux devices such as Android phones, routers, set-top boxes, IoT hardware, and industrial controllers. YAFFS stores data in fixed-size chunks (pages) interleaved with spare (out-of-band) areas that contain metadata tags. Having native support in Cerbero Suite means analysts can inspect firmware dumps and flash images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools or knowing the NAND geometry parameters.

Lua Decompiler Package

We are happy to announce the beta release of the Lua Decompiler package. It reconstructs readable Lua source code from compiled Lua bytecode (.luac) files, covering all major Lua versions from 5.0 through 5.4. This package requires the installation of the LUAC Format package.

Compiled Lua bytecode is common across game engines, embedded firmware, IoT devices, and malware payloads. Disassembly alone is often enough for a rough understanding of a function, but reading dozens of instructions per line does not scale when a script spans thousands of opcodes. A decompiler bridges that gap: it turns register-level bytecode back into control flow a human can read, making review, patch development, and malware triage dramatically faster.

This is a beta release. The core reconstruction pipeline is stable and validated against a broad sample set across all supported Lua versions, but complex control flow patterns and heavily optimized bytecode may still produce suboptimal output. Feedback is welcome.

LUAC Format Package

We are happy to announce support for Lua compiled bytecode (LUAC) files. The new LUAC Format package parses and disassembles Lua bytecode across all major Lua versions, from 5.0 through 5.4.

Lua is one of the most widely embedded scripting languages. It powers game engines, network appliances, IoT firmware, and malware payloads alike. Compiled Lua bytecode (.luac) files are frequently encountered during firmware analysis, game modding, and malware reverse engineering. Having native LUAC support in Cerbero Suite means analysts can inspect bytecode structure and disassembly without external tools.

JFFS2 Format Package

We are happy to announce support for JFFS2 file system images. The new JFFS2 Format package lets you browse and extract files from JFFS2 images directly within the application.

JFFS2 (Journalling Flash File System v2) is a log-structured file system designed for raw NOR and NAND flash memory. It is widely used in embedded Linux devices such as routers, access points, IoT hardware, industrial controllers, and consumer electronics. JFFS2 stores data as a sequential log of nodes on flash, with each node carrying file metadata, directory entries, or compressed data fragments. Having native support in Cerbero Suite means analysts can inspect firmware dumps and flash images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

DMG Format Package

We are happy to announce support for Apple Disk Image (DMG) files. The new DMG Format package lets you inspect and extract the contents of DMG images directly within the application.

DMG is Apple’s native disk image format, widely used for distributing macOS software. A DMG file packages one or more partitions, each typically containing a file system such as APFS or HFS+. The data within these partitions is often compressed using algorithms like zlib, bzip2, LZFSE, LZMA, or ADC to reduce file size. Some DMG files are also encrypted with AES-128 or AES-256, requiring a password to access.

Having native DMG support in Cerbero Suite means analysts can examine macOS disk images encountered during forensic investigations, malware analysis, or software distribution review. Combined with our existing APFS and HFS+ support, this provides a complete pipeline for going from a DMG file all the way down to individual files within an APFS and HFS+ volumes.

APFS Format Package

We are happy to announce support for the Apple File System (APFS). The new APFS Format package lets you browse and extract files from APFS containers and volumes directly within the application.

APFS is Apple’s proprietary file system, introduced in 2017 as the default for macOS, iOS, watchOS, and tvOS. It replaced HFS+ with a modern design featuring copy-on-write metadata, space sharing across volumes, snapshots, clones, and transparent file compression. An APFS container holds one or more volumes that share the same underlying storage pool. Having native support in Cerbero Suite means analysts can inspect macOS and iOS disk images encountered during forensic investigations, malware analysis, or security research without needing external tools or a Mac.

UBI Format Package

We are happy to announce support for UBI images and the UBIFS file system. The new UBI Format package lets you inspect UBI volumes and browse UBIFS file systems directly within the application.

UBI (Unsorted Block Image) is a volume management layer for raw NAND flash memory, widely used in embedded Linux devices such as routers, IoT hardware, industrial controllers, and consumer electronics. A UBI image contains one or more logical volumes that may hold kernel images, SquashFS partitions, or UBIFS file systems. UBIFS is a log-structured file system designed specifically for UBI volumes, featuring a B-tree index and transparent data compression. Having native support in Cerbero Suite means analysts can inspect firmware dumps and flash images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

PowerShell Beautifier 4.0 Package

We are happy to announce version 4.0 of the PowerShell Beautifier package. This is a major release. Previous versions relied on a custom tokenizer which, lacking knowledge of the language grammar, could not always correctly classify tokens. This required extensive workaround code and inevitably led to edge cases where deobfuscation would fail.

Version 4.0 replaces the tokenizer with a real PowerShell parser. Every token is now correctly classified from the start, resulting in more reliable deobfuscation across the board: format strings, character expressions, encoded arrays, string manipulation, alias resolution and variable replacement all benefit from this improved foundation.