Thread: Editing a PNG file with custom header information?

  1. #1

    Editing a PNG file with custom header information?

    Hi all,

    I have been working on a little hobby to mod my car stereo so that I can re-skin the GUI.
    I've gotten into the unit and have the skin file for the shell application (this unit runs on WinCE).

    The skin file is one 18MB file that contains PNG/BMP and a bunch of various language infos etc.
    I have written a program that works through the file and extracts all the different parts into their own files, I can successfully put all of these files back together and it still works on the stereo.

    However - the images inside the file appear to be PNG (the naming from the strings present in the file suggest this), but the images themselves do not appear to have a standard PNG header.
    There is an 80 byte header on each of the image files before the image data starts - the first bytes of this are not consistent for all files (eg. it doesn't start with 42 4D like BMP to specify file type)
    The first few bytes specify the dimensions of the image, but I have no idea about the rest....

    My goal is to edit this file, but maintain (or restore) the correct header info so that it still works in the application.

    I've learnt a lot while trying to do this, but I've hit my limit of understanding and hope someone can help me figure out the header on these files.

    I have put one of the images here in case anyone wants to have a look at it - http://dl.dropbox.com/u/6618363/6.sample_out_1435.raw
    I have successfully taken the 80 byte header off, and replaced it with a self made bitmap header - and the image displays OK in MS Paint (obviously transparency doesn't work), but then this doesn't really help me getting it back into the right format

    I'd appreciate anyone's input (bear in mind this is the first time I've ever done something like this though! )

    Cheers!
    I promise that I have read the FAQ and tried to use the Search to answer my question.
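
    Added example, not part of the original post or the stereo's own code: a round trip that keeps the 80-byte header byte for byte, wraps the pixel data in a BMP for editing, and re-attaches the header afterwards. It assumes the pixel data is uncompressed and that width and height sit as adjacent little-endian integers somewhere in the header; all function names are hypothetical.

```python
import struct
HEADER_LEN = 80  # custom per-image header size reported in the thread

def split_image(blob):
    """Split a dumped image into (opaque header, raw pixel data)."""
    if len(blob) <= HEADER_LEN:
        raise ValueError("too short to hold header plus pixel data")
    return blob[:HEADER_LEN], blob[HEADER_LEN:]

def find_dimensions(header, pixel_len):
    """Return (offset, field_size, width, height, bytes_per_pixel) candidates.
    Assumption: width/height are adjacent little-endian integers and the
    pixel data is uncompressed, so width * height * bpp == pixel_len."""
    hits = []
    for fmt, size in (("<HH", 2), ("<II", 4)):
        for off in range(len(header) - 2 * size + 1):
            w, h = struct.unpack_from(fmt, header, off)
            hits += [(off, size, w, h, bpp) for bpp in (2, 3, 4)
                     if w and h and w * h * bpp == pixel_len]
    return hits

def to_bmp(pixels, w, h, bpp):
    """Wrap raw pixels in a top-down BMP (assumed row order) for editing."""
    if (w * bpp) % 4 or w * h * bpp != len(pixels):
        raise ValueError("rows need padding or size mismatch")
    info = struct.pack("<IiiHHIIiiII", 40, w, -h, 1, bpp * 8, 0,
                       len(pixels), 0, 0, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels

def from_bmp(bmp, original_header, pixel_len):
    """Re-attach the untouched header to the pixels of an edited BMP."""
    (data_off,) = struct.unpack_from("<I", bmp, 10)
    w, h = struct.unpack_from("<ii", bmp, 18)
    (bits,) = struct.unpack_from("<H", bmp, 28)
    stride = w * bits // 8
    pixels = bmp[data_off:data_off + stride * abs(h)]
    if len(pixels) != pixel_len:
        raise ValueError("edited image changed dimensions or depth")
    if h > 0:  # editor saved bottom-up: restore top-down row order
        rows = [pixels[i:i + stride] for i in range(0, len(pixels), stride)]
        pixels = b"".join(reversed(rows))
    return original_header + pixels

if __name__ == "__main__":
    # Constructed sample, not the thread's file: 6x4 image, 4 bytes per pixel.
    hdr, px = split_image(struct.pack("<HH", 6, 4) + b"\xAA" * 76 + bytes(range(96)))
    off, size, w, h, bpp = find_dimensions(hdr, len(px))[0]
    assert from_bmp(to_bmp(px, w, h, bpp), hdr, len(px)) == hdr + px
    print(f"{w}x{h}, {bpp} bytes/pixel, dimension fields at offset {off}")
```

    On a real header the search can return more than one candidate; the one matching the dimensions that already display correctly is the one to keep.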

  2. #2
    Teach, Not Flame Kayaker's Avatar
    You may already be aware of this, but 010 Editor has templates for PNG files. While it may not fully parse your custom version, you may be able to deduce something by comparing the graphical breakdown from a standard png to your structure. I notice there's also a "PNG 1.2" as well as a PNG template, you may want to look at them both. http://www.sweetscape.com/010editor/templates/

  3. #3
    <script>alert(0)</script> disavowed's Avatar
    Quote: Originally Posted by swifty
    I've gotten into the unit and have the skin file for the shell application (this unit runs on WinCE).
    Given that you were able to get the skin file, why not also grab the code that parses the skin file and reverse engineer it to see how it handles the image file headers?

  4. #4
    Thanks for the responses.

    I have taken a look using the templates in 010 editor, as expected it doesn't parse the custom images. But I loaded a normal PNG in and compared the start of the file.. but there is not really any pattern that I can find in common.

    I wouldn't really know where to start in reversing the whole program... it took me long enough to just get the right bits out of this single file :-p

    edit - @disavowed; Your post got me thinking.. so I started looking at the exports for some DLLs used by the application, and there is a DLL called UIDesigner that has a function called UIGetBitmap!
    Need to do some more digging, but maybe that could help?!
    Last edited by swifty; February 28th, 2013 at 16:17.

  5. #5
    I looked at this a little bit more this morning before going to work, I can open the executable for the 'frontend' application in winhex and searched for the name of the skin file (sample.dui) - I found it, and directly after, there is some more text which says 'OpenDUI'.

    However, I'm stuck on where to go now... I've tried to open the executable in a few disassemblers (not that I'd know what I was doing there!) but it seems they don't support ARM applications.
    Any pointers on what I can use for WinCE executables? - so far I've only found Ida Pro (the paid one) but I don't have a copy of that.

  6. #6
    Super Moderator
    as a generic way or what the seasoned industry veterans term as standard operating procedure (sop) for this kind of work is to run several monitors in the background in logging mode before loading the file in debugger that also has logging enabled to generate voluminous records that could be sedded awked and grepped

    try running processmonitor , debugview , ollydbg with log enabled for a start
    process monitor can log file events, registry events ,thread / process / creation deletion events and profiling events
    in ollydbg you can set blind conditions on code that are common like say fread in or a bit more deeper like NtReadFile with arguments
    some where someone will definitely be trapped and all it takes is one break to unravel the flow

    some blind observations on the .raw you uploaded
    the system i downloaded had an association for .raw with photoshop it seems so it had an icon and i could double click it (no work on my part )
    Code:
    C:\>reg query hkcr\.raw
    HKEY_CLASSES_ROOT\.raw
        <NO NAME>   REG_SZ  Photoshop.RAWFile
    C:\>reg query hkcr\Photoshop.rawfile /s
    HKEY_CLASSES_ROOT\Photoshop.rawfile
    HKEY_CLASSES_ROOT\Photoshop.rawfile\DefaultIcon
        <NO NAME>   REG_SZ  C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe,1
    HKEY_CLASSES_ROOT\Photoshop.rawfile\shell\open\command
        <NO NAME>   REG_SZ  C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe "%1"
    C:\>

    so before double clicking i ran procmon in default mode double clicked the .raw answered some questions by photoshop saved the result as .bmp closed photoshop and disabled capturing

    now i can filter for some clues about .raw

    total events that happened in the mean time are 266680
    and events that have .raw in path are 832 if you filter out registry
    pure file system activity that has .raw in path are 146
    those that were done by photoshop are 59
    and you have IRP_MJ_READ only 3 events

    Code:
    Path	Operation	Detail
    C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw	IRP_MJ_READ	Offset: 0, Length: 1,024
    C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw	IRP_MJ_READ	Offset: 0, Length: 32,768
    C:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw	IRP_MJ_READ	Offset: 0, Length: 1,024

    out of the three only one event has an userstack with photoshop

    Code:
    0	fltMgr.sys	FltpPerformPreCallbacks + 0x2d4	0xf74b4888	C:\WINDOWS\System32\Drivers\fltMgr.sys
    1	fltMgr.sys	FltpPassThroughInternal + 0x32	0xf74b62a0	C:\WINDOWS\System32\Drivers\fltMgr.sys
    2	fltMgr.sys	FltpPassThrough + 0x1c2	0xf74b6c48	C:\WINDOWS\System32\Drivers\fltMgr.sys
    3	fltMgr.sys	FltpDispatch + 0x10d	0xf74b7059	C:\WINDOWS\System32\Drivers\fltMgr.sys
    4	ntkrnlpa.exe	IopfCallDriver + 0x31	0x804ee129	C:\WINDOWS\system32\ntkrnlpa.exe
    5	aswMon2.SYS	aswMon2.SYS + 0xac7	0xa8f8cac7	C:\WINDOWS\System32\Drivers\aswMon2.SYS
    6	ntkrnlpa.exe	IopfCallDriver + 0x31	0x804ee129	C:\WINDOWS\system32\ntkrnlpa.exe
    7	ntkrnlpa.exe	NtReadFile + 0x580	0x80571d9c	C:\WINDOWS\system32\ntkrnlpa.exe
    8	ntkrnlpa.exe	KiFastCallEntry + 0xf8	0x8053d658	C:\WINDOWS\system32\ntkrnlpa.exe
    9	kernel32.dll	_lread + 0x19	0x7c835417	C:\WINDOWS\system32\kernel32.dll
    10	Photoshp.exe	Photoshp.exe + 0x6cd509	0xacd509	C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe

    and there you have an entrance into the fort at 0xacd509 or a sure fire decorative capital city gate welcoming any and every tourist at _lread

    next logical step is to ATTACH TO (if you want to be blind as ps may have anti debugging) photoshop equivalent of

    Code:
    C:\>f:\odbg110\OLLYDBG.EXE "c:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe" "c:\Documents and Settings\Admin\Desktop\6.sample_out_1435.raw"

    shift+f4

    Code:
    Breakpoints, item 9
     Address=7C8353FE kernel32._lread
     Module=kernel32
     Active=Log "poking the raw file"
     Disassembly=MOV     EDI, EDI

    and f9


    there you have the logs

    Code:
    Log data
    Address    Message
    7C8353FE   CALL to _lread from Photoshp.00ACD503
                 hFile = 000005BC (window)
                 Buffer = 05B12A08
                 BufSize = 8000 (32768.)
    7C8353FE   CALL to _lread from Photoshp.00ACD503
                 hFile = 000005BC (window)
                 Buffer = 05B1AA08
                 BufSize = 8000 (32768.)
    7C8353FE   CALL to _lread from Photoshp.00ACD503
                 hFile = 000005BC (window)
                 Buffer = 05B12A08
                 BufSize = 8000 (32768.)

    you can follow the call and simply add the procedure to hittrace and f9

    and in a few minutes you can deduce that this procedure is called from a thread

    Code:
    Call stack of thread 00000158, item 0
     Address=03DAFFB8
     Stack=7C80B729
     Procedure / arguments=Maybe Photoshp.00ACD480
     Called from=kernel32.BaseThreadStart+34

    and sets an event

    Code:
    Handles, item 114
     Handle=000005A0
     Type=Event
     Refs=   3.
     Access=001F0003 SYNCHRONIZE|WRITE_OWNER|WRITE_DAC|READ_CONTROL|DELETE|QUERY_STATE|MODIFY_STATE

    the saved from ps .bmp (i just saved it with save as i cant say if it is an image or some random garbage ) below

  7. #7
    Super Moderator
    did you say wince oops i didnt read it but the approach should be same anyways


    edit
    hey you learn something everyday google says windbg can do wince

    http://www.windowsfordevices.com/c/a/Windows-For-Devices-Articles/Finding-Windows-CE-bugs-with-help-from-Dr-Watson/

    http://nicolasbesson.blogspot.in/2009/10/post-mortem-debug-under-windows-mobile.html

    http://www.iwavesystems.com/blog/debugging-wince-device-applications-4-easy-steps/

    and from the horse itself

    http://support.microsoft.com/kb/264038
    Last edited by blabberer; March 1st, 2013 at 08:01.

  8. #8
    Thanks for the detailed info - it will take some time for me to digest all of that

    I think the main problem I'm going to have, is that I can't even get the application to run in a WinCE emulator (since I guess it's trying to look for the bluetooth, radio etc. modules of the stereo unit) it just crashes at startup.
    I can only run the software on the unit itself, but then I have no way of attaching any debugger while it's running

    I should have mentioned in the OP - the sample file I uploaded is just .raw extension because that's what I called it... I should probably have used .hex or something, since it was some 'unknown' custom PNG format.

    If you use something like irfanview and tell it to skip the first 80 bytes of the file (that troublesome header!) then you can see the image OK (you have to tell irfanview the dimensions of the file, which are the first few bytes)

  9. #9
    <script>alert(0)</script> disavowed's Avatar
    Quote: Originally Posted by swifty
    I've tried to open the executable in a few disassembler (not that i'd know what I was doing there!) but it seems they don't support ARM applications.
    Any pointers on what I can use for WinCE executables? - so far I've only found Ida Pro (the paid one) but I don't have a copy of that.
    http://onlinedisassembler.com/odaweb/file_upload
