View Full Version : Reversing & Understanding a File Format

February 17th, 2013, 10:40
I'm trying to understand the file structure which is used by a dictionary.
Now I know that there are no recipes for that, but perhaps some tutorial in reversing simple file structures in order to get me started.

How long could it take me, or is it too advanced for me? I have been able to crack simple programs, but nothing advanced.

Any advice is appreciated.

February 17th, 2013, 13:01
I'm trying to do it on my own, but I don't understand something.
When CreateFileMappingA is called, automatically the file is written to. I saw it, right before the call to CreateFileMappingA, the file was 0 Kb, and right after the call, immediately the size became 200Kb.
What does CreateFileMappingA exactly do when it is called with PAGE_READWRITE ?
And where did those bytes come from?

February 18th, 2013, 07:23
Honestly, you can read, right ?


If you don't understand what an public api is doing, read the man page. This has nothing to do with reverse engineering, it's more related to enter a search term and check the results for something useful...

Think about it when you ask stuff in future. If the people here do not see that you do the obvious stuff on your own, nobody will help you. Please keep that in mind if you really want to get something useful out of this forum


February 18th, 2013, 16:52
I've already got past this part but its hard to understand the part where the app reads from the file.
How do I know when it is reading? What is it reading?
Perhaps that would be a long subject to treat in a single reply or thread. That's why I asked that perhaps someone could point me to some good tutorial.
Thanks for the reply though

February 19th, 2013, 00:50
since you say you got past the part you should now be clear that CreateFilemapping needs a file handle either a real existing files handle or an invalid handle value to use the page file

so that means you need to check what handle is passed to CreateFileMapping if it was 0xffffffff (-1) (INVALID_HANDLE_) then it means pagefile is used
else a real file is used

now for a file handle to be retrieved there must most probably be a CreateFile() you need to find that
and CreateFile takes a Filepath or Fileaname\Directory as its argument so you got your file

its as simple as that

to conquer unrelated and unknown pieces of equation best way is to forward engineer what you are trying to reverse engineer

try coding some pieces yourself and look at them in a debugger you will understand things better than waiting for a spoonfed answer from some cranky dude
in some dark corner of wild whole web

so msdn says to CreateFileMapping you need a File

lets make a file using c stream routines the most easiest way to create a file and fill it with some random stuff


char Buffer[] = {
"The Quick brown Fox Jumped Over the Well and drowned by its own sheer stupidity "
"it thought it was superfox and can jump from anywhere to anywhere well that must "
"be true it jumped from earth to hell was the fox stupid or was it ????????????? "
FILE *fp;
fp = fopen("filemap.txt","wb"; \\ opens a new file 0 byte sized for reading and writing in binary mode in local directory
fwrite(Buffer,1,sizeof(Buffer),fp); \\ we write some crap that we have in buffer to the newly opened file
fclose(fp); \\ close it done

so lets get a handle to this file so that we can feed it to CreatFilemapping



lets feed the handle to CreateFilemapping and wait for our lucky princess to turn up riding a mule wearing dark ugly skirt and a broken sheath in hand


HANDLE hMapFile;
if (( hMapFile = CreateFileMapping( hFile, NULL, PAGE_READWRITE, 0, 0x400, "Global\\MyMappedFile" ) ) == NULL)
HANDLE hEvent;
hEvent = CreateEvent(NULL,FALSE,FALSE,"Global\\MyEvent";

upto this point you simply wont / cant see the file contents
all this has done is created a potential for viewing the contents of the file

a place has been reserved for file contents to be viewed when you need

so your premise that CreateFileMapping reads some bytes from some files need to be reviewed and corrected now (google first and read before continuing)

so now that you googled you know to read / view the file contents you may need to MapViewOfFile
and it is called ViewOf File because it may not be coherent across multiple views acrosss multiple process with several methods of FileMapping

so with CreateFilemapping all you do is create a shared object that can be manipulated by different process including remote processes running in a different physical machine somewhere over the holed wiled web a potential subway for a swift footed virus / spyware / malware / wareware to do some thing

lets see how we can manipulate this map from a different process


if (( hOpenMapFile = OpenFileMapping(FILE_MAP_ALL_ACCESS,FALSE,"Global\\MyMappedFile")==NULL)
if (( Buffer = (PCHAR) MapViewOfFile(hOpenMapFile,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL)) == NULL)
strncat_s( Buffer, ....................);
if (( hEvent = OpenEvent(EVENT_ALL_ACCESS,FALSE,"Global\\MyEvent" ) == NULL)
if (( SetEvent(hEvent)) == NULL)

thats it you open the map and map the contents and then it is plain memory manipulation of the view to persist the views to actual file
you need to obey copyonWrite / map file size rules

and flush the view

if (( FlushViewOfFile(isFileMod,strlen(isFileMod))) == NULL)

February 19th, 2013, 09:24
thank you blabberer..I really appreciate it. I also want to add something to the part of the file size growing right after the call to CreateFileMappingA.

Since the dwMaximumSizeLow parameter was about 200000 decimal, and the file was just created (0Kb) it had to extend the file so that it could fit the mapping size, so it immediately got extended to around 200Kb.

As for the "forward engineering" part, I really liked it.
I'll keep that in mind and see what I get.

February 19th, 2013, 12:29
basic intro
"Definitive Guide to Exploring File Formats"

February 20th, 2013, 03:48
yes it is documented a pagefile also needs PAGE_FILE_GROW attributes set else mapping fails
insert a getchar after fclose() in the snippet



now go to the folder and check the file size it will be about 242 decimal bytes == (sizeof(Buffer));
now press enter key
and the file size will be 1 kb as i create a map for 0x400, == 1 kb
and if you open the file in a hex editor you will see the file is extended / filled with 0x00

February 20th, 2013, 07:28
thanks, you've helped me to understand a lot. I'll see what I can do now about that file and hopefully I'll manage to understand the way it works.