CODEWITHSUNDEEP
binaryhex
Maxence
Maxence

Reputation: 313

Decoding a hex file

I would like to use a webservice who deliver a binary file with some data, I know the result but I don't know how I can decode this binary with a script.

Here is my binary : https://pastebin.com/3vnM8CVk

0a39 0a06 3939 3831 3438 1206 4467 616d
6178 1a0b 6361 7264 6963 6f6e 5f33 3222
0d54 6865 204f 6c64 2047 7561 7264 2a02
....

Some part are in ASCII so it easy to catch, at the end of the file you got vehicle name in ASCII and some data, it should be kill/victory/battle/XP/Money data but I don't understand how I can decode these hexa value, I tried to compare 2 vehicles who got same kills but I don't see any match.

There is a way to decode these data ?

Thanks :)

Hello guys, after 1 year I started again to find a solution, so here is the structure of the packet I guessed : (the part between [ ] I still don't know what is it for)

[52 37 08 01 10] 4E [18] EA [01 25] AB AA AA 3E [28] D4 [01 30] EC [01 38] 88 01 [40] 91 05 [48] 9F CA 22 [50] F5 C2 9A 02 [5A 12]
                  |       |             |            |          |           |         |            |               |
                  Victories             Victory Ratio|          |           Air target|            Xp              Money earned
                          |                          |          |                     Ground Target
                          Battles                    Deaths     Respawns

So here is the result :

Is there a special way to calculate the result of a long hex like this ? F5 C2 9A 02 (should be arround 4.63M)

I tell you a bit more :

I know the result, but I don't know how to calculate it with these hex from the packet.

If I check a packet with a small amout of money or XP to be compatible with one hex :

[52 1E 08 01 10] 01 [18] [01 25] 00 00 80 3F [28] 01 [30] 01 [48] 24 [50] 6E [5A 09]

6E = 110 Money earned

24 = 36 XP earned

Another exemple :

[52 21 08 01 10] 02 [18] 03 [25] AB AA 2A 3F [28] 02 [30] 03 [40] 01 [48] 78 [50] C7 08 [5A 09]

XP earned = hex 78 = 120

Money earned = hex C7 08 = 705

How C7 08 can do 705 decimal ?

Here is the full content in case but I know how to isolate just these part I don't need to decode all these hex data : https://pastebin.com/vAKPynNb

Upvotes: 3

Views: 10095

Answers (3)

Tarun Lalwani
Tarun Lalwani

Reputation: 146630

What you have asked is nothing but how to reverse engineer a binary file. Lot of threads already on SO

Reverse engineer a binary dictionary file to extract strings

Tools to help reverse engineer binary file formats

https://reverseengineering.stackexchange.com/questions/3495/what-tools-exist-for-excavating-data-structures-from-flat-binary-files

http://www.iwriteiam.nl/Ha_HTCABFF.html

The final take out on all is that no single solution for you, you need to spend effort to figure it out. There are tools to help you, but don't expect a magic wand tool to give you the structure/data.

Upvotes: 2

Yılmaz Durmaz
Yılmaz Durmaz

Reputation: 3034

Any kind of file read operation is done in text or binary format with basic file handlers. And some languages offer type reading of int, float etc. or arrays of them.

The complex operations behind these reading are almost always kept hidden from normal users. And then the user has to learn more when it comes to read/write operations of data structures.

In this case, OFFSET and SEEK are the words one must find value and act accordingly. whence data read, it must be converted to suitable data type too.

The following code shows basics for these operations to write data and read blocks to get numbers back. It is written in PHP as the OP has commented in the question he uses PHP.

Offset is calculated with these byte values to be 11: char: 1 byte, short: 2 bytes, int: 4 bytes, float: 4 bytes.

<?php
$filename = "testdata.dat";
$filehandle = fopen($filename, "w+");
$data=["test string","another test string",77,777,77777,7.77];
fwrite($filehandle,$data[0]);
fwrite($filehandle,$data[1]);
$numbers=array_slice($data,2);
fwrite($filehandle,pack("c1s1i1f1",...$numbers));
fwrite($filehandle,"end"); // gives 3 to offset
fclose($filehandle);

$filename = "testdata.dat";
$filehandle = fopen($filename, "rb+");
$offset=filesize($filename)-11-3;
fseek($filehandle,$offset);
$numberblock= fread($filehandle,11);
$numbersback=unpack("c1a/s1b/i1c/f1d",$numberblock);
var_dump($numbersback);
fclose($filehandle);
?>

Once this example understood, the rest is to find the data structure in the requested file. I had written another example but it uses assumptions. I leave the rest to readers to find what assumptions I made here. Be careful though: I know nothing about real structure and values will not be correct.

 <?php
 $filename = "testfile";
 $filehandle = fopen($filename, "rb");

 $offset=17827-2*41;  //filesize minus 2 user area
 fseek($filehandle,$offset);
 print $user1 = fread($filehandle, 41);echo "<br>";
 $user1pr=unpack("s1kill/s1victory/s1battle/s1XP/s1Money/f1Life",$user1);
 var_dump($user1pr); echo "<br>";

 fseek($filehandle,$offset+41);
 print $user2 = fread($filehandle, 41);echo "<br>";
 $user2pr=unpack("s1kill/s1victory/s1battle/i1XP/i1Money/f1Life",$user2);
 var_dump($user2pr); echo "<br>";

 echo "<br><br>";
 $repackeduser2=pack("s3i2f1",$user2pr["kill"],$user2pr["victory"],
     $user2pr["battle"],$user2pr["XP"],$user2pr["Money"],
     $user2pr["Life"]
 );
 print $user2 . "<br>" .$repackeduser2;
 print "<br>3*s1=6bytes, 2*i=6bytes, 1*f=*bytes (machine dependent)<br>";

 print pack("s1",$user2pr["kill"]) ."<br>";
 print pack("s1",$user2pr["victory"]) ."<br>";
 print pack("s1",$user2pr["battle"]) ."<br>";
 print pack("i1",$user2pr["XP"]) ."<br>";
 print pack("i1",$user2pr["Money"]) ."<br>";
 print pack("f1",$user2pr["Life"]) ."<br>";


 fclose($filehandle);
 ?>

PS: pack and unpack uses machine dependent size for some data types such as int and float, so be careful with working them. Read Official PHP:pack and PHP:unpack manuals.

Upvotes: 1

Josh Bradley
Josh Bradley

Reputation: 1974

This looks more like the hexdump of a binary file. Some methods of converting hex to strings resulted in the same scrambled output. Only some lines are readable like this...

Dgamaxcardicon_32" The Old Guard

As @Tarun Lalwani said, you would have to know the structure of this data to get the in plaintext.

If you have access to the raw binary, you could try using strings https://serverfault.com/questions/51477/linux-command-to-find-strings-in-binary-or-non-ascii-file

Upvotes: 0

Related Questions