Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Tools to help reverse engineer binary file formats

What tools are available to aid in decoding unknown binary data formats?

I know Hex Workshop and 010 Editor both support structures. These are okay to a limited extent for a known fixed format but get difficult to use with anything more complicated, especially for unknown formats. I guess I'm looking at a module for a scripting language or a scriptable GUI tool.

For example, I'd like to be able to find a structure within a block of data from limited known information, perhaps a magic number. Once I've found a structure, then follow known length and offset words to find other structures. Then repeat this recursively and iteratively where it makes sense.

In my dreams, perhaps even automatically identify possible offsets and lengths based on what I've already told the system!

like image 807
Mat Avatar asked Jan 29 '09 18:01

Mat


2 Answers

Here are some tips that come to mind:

From my experience, interactive scripting languages (I use Python) can be a great help. You can write a simple framework to deal with binary streams and some simple algorithms. Then you can write scripts that will take your binary and check various things. For example:

Do some statistical analysis on various parts. Random data, for example, will tell you that this part is probably compressed/encrypted. Zeros may mean padding between parts. Scattered zeros may mean integer values or Unicode strings and so on. Try to spot various offsets. Try to convert parts of the binary into 2 or 4 byte integers or into floats, print them and see if they make sence. Write some functions that will search for repeating or very similar parts in the data, this way you can easily spot headers.

Try to find as many strings as possible, try different encodings (c strings, pascal strings, utf8/16, etc.). There are some good tools for that (I think that Hex Workshop has such a tool). Strings can tell you a lot.

Good luck!

like image 62
Untrots Avatar answered Sep 19 '22 11:09

Untrots


For Mac OS X, there's a great tool that's even better than my iBored: Synalyze It! (http://www.synalysis.net/)

Compared to iBored, it is better suited for non-blocked files, while also giving full control over structures, including scriptability (with Lua). And it visualizes structures better, too.

like image 44
Thomas Tempelmann Avatar answered Sep 21 '22 11:09

Thomas Tempelmann