PDA

View Full Version : Editing a PNG file with custom header information?


swifty
February 28th, 2013, 08:55
Hi all,

I have been working on a little hobby to mod my car stereo so that I can re-skin the GUI.
I've gotten into the unit and have the skin file for the shell application (this unit runs on WinCE).

The skin file is one 18MB file that contains PNG/BMP and a bunch of various language infos etc.
I have written a program that works through the file and extracts all the different parts into their own files, I can successfully put all of these files back together and it still works on the stereo.

However - the images inside the file appear to be PNG (the naming from the strings present in the file suggest this), but the images themselves do not appear to have a standard PNG header.
There is an 80 byte header on each of the image files before the image data starts - the first bytes of this are not consistent for all files (eg. it doesn't start with 42 4D like BMP to specify file type)
The first few bytes specify the dimensions of the image, but I have no idea about the rest....

My goal is to edit this file, but maintain (or restore) the correct header info so that it still works in the application.

I've learnt a lot while trying to do this, but I've hit my limit of understanding and hope someone can help me figure out the header on these files.

I have put one of the images here in-case anyone wants to have a look at it - http://dl.dropbox.com/u/6618363/6.sample_out_1435.raw
I can successfully taken the 80 byte header off, and replaced it with a self made bitmap header - and the image displays OK in MS Paint (obviously transparency doesn't work), but then this doesn't really help me getting it back into the right format

I'd appreciate anyones input (bear in mind this is the first time I've ever done something like this though! )

Cheers!

Kayaker
February 28th, 2013, 11:08
You may already be aware of this, but 010 Editor has templates for PNG files. While it may not fully parse your custom version, you may be able to deduce something by comparing the graphical breakdown from a standard png to your structure. I notice there's also a "PNG 1.2" as well as a PNG template, you may want to look at them both.http://www.sweetscape.com/010editor/templates/

disavowed
February 28th, 2013, 15:18
Quote:
[Originally Posted by swifty;94326]I've gotten into the unit and have the skin file for the shell application (this unit runs on WinCE).

Given that you were able to get the skin file, why not also grab the code that parses the skin file and see reverse engineer it to see how it handles the image file headers?

swifty
February 28th, 2013, 16:04
Thanks for the responses.

I have taken a look using the templates in 010 editor, as expected it doesn't parse the custom images. But I loaded a normal PNG in and compared the start of the file.. but there is not really any pattern that I can find in common.

I wouldn't really know where to start in reversing the whole program... it took me long enough to just get the right bits of out this single file :-p

edit - @disavowed; Your post got me thinking.. so I started looking at the exports for some DLL's used by the application, and there is a DLL called UIDesigner that has a function called UIGetBitmap!
Need to do some more digging, but maybe that could help?!

swifty
March 1st, 2013, 05:52
I looked at this a little bit more this morning before going to work, I can open the executable for the 'frontend' application in winhex and searched for the name of the skin file (sample.dui) - I found it, and directly after, there is some more text which says 'OpenDUI'.

However, I'm stuck on where to go now... I've tried to open the executable in a few disassembler (not that i'd know what I was doing there!) but it seems they don't support ARM applications.
Any pointers on what I can use for WinCE executables? - so far I've only found Ida Pro (the paid one) but I don't have a copy of that.

blabberer
March 1st, 2013, 07:35
as a generic way or what the seasoned industry veterans term as standard operating procedure (sop) for this kind of work is to run several monitors in the background in logging mode before loading the file in debugger that also has logging enabled to generate voluminous records that could be sedded awked and grepped

try running processmonitor , debugview , ollydbg with log enabled for a start
process monitor can log file events, registry events ,thread / process / creation deletion events and profiling events
in ollydbg you can set blind conditions on code that are common like say fread in or a bit more deeper like NtReadFile with arguments
some where someone will definitely be trapped and all it takes is one break to unravel the flow

some blind observations on the .raw you uploaded
the system i downloaded had an association for .raw with photoshop it seems so it had an icon and i could double click it (no work on my part )
Code:

C:\>reg query hkcr\.raw
HKEY_CLASSES_ROOT\.raw
<NO NAME> REG_SZ Photoshop.RAWFile
C:\>reg query hkcr\Photoshop.rawfile /s
HKEY_CLASSES_ROOT\Photoshop.rawfile
HKEY_CLASSES_ROOT\Photoshop.rawfile\DefaultIcon
<NO NAME> REG_SZ C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe,1
HKEY_CLASSES_ROOT\Photoshop.rawfile\shell\open\command
<NO NAME> REG_SZ C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe "%1"
C:\>


so before double clicking i ran procmon in default mode double clicked the .raw answered some questions by photoshop saved the result as .bmp closed photoshop and disabled capturing

now i can filter for some clues about .raw

total events that happened in the mean time are 266680
and events that have .raw in path are 832 if you filter out registry
pure file system activity that has .raw in path are 146
those that were done by photoshop are 59
and you have IRP_MJ_READ only 3 events

Code:

Path Operation Detail
C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw IRP_MJ_READ Offset: 0, Length: 1,024
C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw IRP_MJ_READ Offset: 0, Length: 32,768
C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw IRP_MJ_READ Offset: 0, Length: 1,024



out of the the three only one event has an userstack with photoshop

Code:

0 fltMgr.sys FltpPerformPreCallbacks + 0x2d4 0xf74b4888 C:\WINDOWS\System32\Drivers\fltMgr.sys
1 fltMgr.sys FltpPassThroughInternal + 0x32 0xf74b62a0 C:\WINDOWS\System32\Drivers\fltMgr.sys
2 fltMgr.sys FltpPassThrough + 0x1c2 0xf74b6c48 C:\WINDOWS\System32\Drivers\fltMgr.sys
3 fltMgr.sys FltpDispatch + 0x10d 0xf74b7059 C:\WINDOWS\System32\Drivers\fltMgr.sys
4 ntkrnlpa.exe IopfCallDriver + 0x31 0x804ee129 C:\WINDOWS\system32\ntkrnlpa.exe
5 aswMon2.SYS aswMon2.SYS + 0xac7 0xa8f8cac7 C:\WINDOWS\System32\Drivers\aswMon2.SYS
6 ntkrnlpa.exe IopfCallDriver + 0x31 0x804ee129 C:\WINDOWS\system32\ntkrnlpa.exe
7 ntkrnlpa.exe NtReadFile + 0x580 0x80571d9c C:\WINDOWS\system32\ntkrnlpa.exe
8 ntkrnlpa.exe KiFastCallEntry + 0xf8 0x8053d658 C:\WINDOWS\system32\ntkrnlpa.exe
9 kernel32.dll _lread + 0x19 0x7c835417 C:\WINDOWS\system32\kernel32.dll
10 Photoshp.exe Photoshp.exe + 0x6cd509 0xacd509 C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe


and there you have an entrance into the fort at 0xacd509 or a sure fire decorative capital city gate welcoming any and every tourist at _lread

next logical step is to ATTACH TO (if you want to be blind as ps may have anti debugging) photoshop equivalent of

Code:

C:\>f:\odbg110\OLLYDBG.EXE "c:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe" "
c:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw"


shift+f4
Code:

Breakpoints, item 9
Address=7C8353FE kernel32._lread
Module=kernel32
Active=Log "poking the raw file"
Disassembly=MOV EDI, EDI

and f9


there you have the logs

Code:


Log data
Address Message
7C8353FE CALL to _lread from Photoshp.00ACD503
hFile = 000005BC (window)
Buffer = 05B12A08
BufSize = 8000 (32768.)
7C8353FE CALL to _lread from Photoshp.00ACD503
hFile = 000005BC (window)
Buffer = 05B1AA08
BufSize = 8000 (32768.)
7C8353FE CALL to _lread from Photoshp.00ACD503
hFile = 000005BC (window)
Buffer = 05B12A08
BufSize = 8000 (32768.)


you can follow the call and simply add the procedure to hittrace and f9

and in a few minutes you can deduce that thsi procedure is called from a thread

Code:

Call stack of thread 00000158, item 0
Address=03DAFFB8
Stack=7C80B729
Procedure / arguments=Maybe Photoshp.00ACD480
Called from=kernel32.BaseThreadStart+34


and sets an event

Code:

Handles, item 114
Handle=000005A0
Type=Event
Refs= 3.
Access=001F0003 SYNCHRONIZE|WRITE_OWNER|WRITE_DAC|READ_CONTROL|DELETE|QUERY_STATE|MODIFY_STATE


the saved from ps .bmp (i just saved it with save as i cant say if it is an image or some random garbage ) below

blabberer
March 1st, 2013, 07:38
did you say wince oops i didnt read it but the approach should be same anyways


edit
hey you learn something everyday google says windbg can do wince

http://www.windowsfordevices.com/c/a/Windows-For-Devices-Articles/Finding-Windows-CE-bugs-with-help-from-Dr-Watson/

http://nicolasbesson.blogspot.in/2009/10/post-mortem-debug-under-windows-mobile.html

http://www.iwavesystems.com/blog/debugging-wince-device-applications-4-easy-steps/

and from the horse itself

http://support.microsoft.com/kb/264038

swifty
March 1st, 2013, 07:57
Thanks for the detailed info - it will take some time for me to digest all of that

I think the main problem I'm going to have, is that I can't even get the application to run in a WinCE emulator (since I guess its trying to look for the bluetooth, radio etc. modules of the stereo unit) it just crashes at startup.
I can only run the software on the unit itself, but then I have no way of attaching any debugger while its running

I should have mentioned in the OP - the sample file I uploaded is just .raw extension because that's what I called it... I should probably have used .hex or something, since it was some 'unknown' custom PNG format.

If you use something like irfanview and tell it to skip the first 80 bytes of the file (that troublesome header!) then you can see the image OK (you have to tell irfanview the dimensions of the file, which are the first few bytes)

disavowed
March 3rd, 2013, 10:48
Quote:
[Originally Posted by swifty;94335]I've tried to open the executable in a few disassembler (not that i'd know what I was doing there!) but it seems they don't support ARM applications.
Any pointers on what I can use for WinCE executables? - so far I've only found Ida Pro (the paid one) but I don't have a copy of that.

http://onlinedisassembler.com/odaweb/file_upload