Results 1 to 11 of 11

Thread: compressed data in files?

  1. #1

    compressed data in files?

    I have a program that uses compressed data in these files. So when I open these files in a HEX editor to search for values that the program gives me I cannot find those values in the files by themselves.

    So I guess when the program loads these files it uncompresses the data and it makes sense. So, the uncompressed values displayed by the program will not be searhable in these files with just a hex editor.

    In other words when the program uses these files the uncompressed data is shown, but if you were to open one of these files on its own in a hex editor you would not be able to just search for the uncompressed values that the program displayed.

    Anyway to get around this?

  2. #2
    yup, uncompress the files

  3. #3
    Har har

    Yes, but I need to figure out how they are compressed in order to uncompress them.

    There must be some sort of 'compression algorithm' or something like that.

  4. #4
    Howdy,

    You need to tell us. Get a PE scanner.

    Woodmann

  5. #5
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Are the files executable (i.e. "self-extracting"), or are they processed by another program? In any case you have to pinpoint the uncompression routine in the code of the program, and then analyze/rip it.

    If the compressed files are executable it is often very easy to find the code for this routine, since it's then practically the only code in the entire program, and will also most likely be placed very near the entrypoint of the executable.

  6. #6
    I've a feeling he's talking about compressed datafiles however...

  7. #7
    Originally posted by squidge
    I've a feeling he's talking about compressed datafiles however...
    yes.

  8. #8
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Ok, still same approach, just a little harder to pinpoint the exact uncompress code. I would recommend breakpointing on some file read API:s though, and trace from there. That will probably land you pretty close too.

  9. #9
    Originally posted by dELTA
    Ok, still same approach, just a little harder to pinpoint the exact uncompress code. I would recommend breakpointing on some file read API:s though, and trace from there. That will probably land you pretty close too.
    Should I use Filemon for that? (instead of breakpoints).

    It shows me where the data is written to these files, but it only shows the offset and the length. What does the "length" mean in Filemon?

    Last edited by Aquatic; February 26th, 2003 at 14:40.

  10. #10
    the length of the data that was written ?

  11. #11
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    You would want to pinpoint where in the executable code that the decompression is going on, not where in the data files that things are read (ok, maybe later on you might possibly want to know that too, but this will probably be quite clear once you have read the code anyway). So no, FileMon is probably not a very good approach to start out with, it should mostly be used to see which files a program reads, not what it reads inside them.

    Hook API-commands like OpenFile, ReadFile and so on, and see where it takes you in the code.

Similar Threads

  1. ARTeam: IDA plugin to depack aplib/lzma statically compressed data into IDA by deroko
    By Shub-nigurrath in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: October 2nd, 2008, 12:52
  2. Getting address data from exe files
    By Intruder in forum The Newbie Forum
    Replies: 63
    Last Post: May 5th, 2006, 16:07
  3. SafeKey's *.FST data files format
    By forestkon in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: April 14th, 2006, 00:52
  4. cracking data files of an unspecified software
    By kramer in forum The Newbie Forum
    Replies: 8
    Last Post: August 26th, 2005, 01:45
  5. Game data files cracking
    By highfly in forum The Newbie Forum
    Replies: 3
    Last Post: February 6th, 2004, 20:17

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •