获取二进制文件的格式方面的介绍性文字

http://stackoverflow.com/questions/1026066/how-to-analyze-binary-file

 

 

Reverse engineering a binary file when you have some idea of what it represents is a very time consuming process. If you have no idea what it is then it will be even harder.

It is possible though, but you have to have a pretty good reason for doing so.

The first step would be to open it up in a hex editor of your choice and see if you can find any English text to point you in the direction of what the file is even supposed to represent. From there, Google "Reverse Engineering binary files", there are much more knowledgeable people than me that have written guides about it.

 

 

The "strings" program from GNU binutils is very useful. It will print the strings of printable characters in a file, quite often giving a clue to what a file contains or a program does.

 

3

For my hobby project I had to reverse engineer some old game files. My approaches were:

• Have a good hex editor.
• Look for readable words in the binary file. Note how their distribution is. If the distance between them is constant you know it is a listing.
• Look for 2-3 consequent zeros. Might indicate an int32 value.
• Some dwords might be pointers into the file.
• Try to identify reoccurring patterns in the file.
• Seeing lots of C0-CF might indicate RLE compressed data.

 

3

If the data represents serialized Delphi objects, you should start reading about the Delphi serialization process. If that's the case, I think your best bet would be to load it using Delphi and continue your analysis from the IDE. Some informations about Delphi serialization can be found here.

EDIT: if the file does contain serialized delphi objects, then you should write a small delphi program that loads it, and "convert" the data yourself to something neutral, like xml. If you manage to do this, you should check and see if delphi supports serializing to xml. Then, you could access those objects from any language.

 

 

If you have access to the application that creates the file, you can apply changes to the application, then save the file and see the effects (Keep in mind that numbers are probably stored in little endian):

• First create the file repeatedly. If the files are not binary equal, the current date/time is probably stored in the area where hte differences occur.
• Maybe you want to repeat that with the software running under different environments, to see if OS version etc are stored, but this is rather unusual.
• Next you can try to change single variables and create several files that only differ in the value of this variable. This helps you identify where this variable is stored.
• That way you can also exclude variables that are not stored in the file: If you change them, but the files created are identical, they are not stored.

In order to test the hypotheses you worked out with the steps above, edit one of the files and have the application read it.

If you don't have access to the application itself, I suggest that you forget about it and find another way to solve your problem. There is a very high probability that it will be faster...

 

 

0

Try these:

1. Deserialize data: analyze how it's compiled your exe (try File Analyzer). Try to deserialize the binary data with the language discovered. Then serialize it in a xml format (language-indipendent) that every programming language can understand
2. Analyze the binary data: try to save various versions of the file with little variation and use a diff program to analyze the meaning of every bit with an hex editor. Use it in conjunction with binary hacking techniques (like How to crack a Binary File Format by Frans Faase)
3. Reverse Engineer the application: try getting code using reverse engineering tools for the programming language used for build the app (found with File Analyzer). Otherwise use disassembler analysis tool like IDA Pro Disassembler

 

why vote down? what it's wrong?? – Ricibald Jun 22 '09 at 14:41

maybe you should have marked an answer, instead of providing a summary of what was said. – Geo Jun 23 '09 at 9:33

I think that all are "partial" answer. So I reconstruct a summary and if there are no answer I will mark this summary as the answer – Ricibald Jun 23 '09 at 9:39

Yeah, except none of them were your own. – Geo Jun 23 '09 at 11:01

Ok, so this question will never have an answer! If you want, copy and paste this answer. I will be very happy to mark your answer! And you will be very happy too! I'm not interested about reputation, I only want to mark an answer for this question. And you? What is your real interest? – Ricibald Jun 23 '09 at 11:29

show 3 more comments