woodle

REG_BINARY readable

4 posts in this topic

Hello,

I need the IP address from the following BINARY registry key.

I tried the following script:

<script>

dim $var

$var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")

$var = BinaryToString($var, #)

msgbox(4096,"test",$var)

</script>

I replaced # with 1/2/3/4

<regfile>

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\SUP\PXE]

"BootServerReply"=hex:02,01,06,00,74,2d,1a,34,00,09,00,00,00,00,00,00,00,00,00,\

00,0a,0b,01,83,00,00,00,00,00,21,70,2d,1a,34,00,00,00,00,00,00,00,00,00,00,\

4e,6f,76,65,6c,6c,20,50,72,6f,78,79,20,44,48,43,50,20,53,65,72,76,65,72,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,6e,76,6c,6e,62,70,2e,73,79,73,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,63,82,53,63,35,01,05,36,\

04,0a,0b,01,83,61,11,00,44,45,4c,4c,44,00,10,46,80,42,b3,c0,4f,59,33,4a,3c,\

09,50,58,45,43,6c,69,65,6e,74,dc,04,0a,0b,01,83,2b,7e,06,01,03,08,07,a6,cc,\

01,0a,0b,01,83,09,41,a6,cc,24,4e,6f,76,65,6c,6c,20,50,72,65,62,6f,6f,74,20,\

53,65,72,76,65,72,20,2d,2d,20,31,30,2e,31,31,2e,31,2e,31,33,31,00,00,17,42,\

6f,6f,74,20,66,72,6f,6d,20,6c,6f,63,61,6c,20,64,65,76,69,63,65,73,0a,26,02,\

50,72,65,73,73,20,5b,46,38,5d,20,66,6f,72,20,61,20,6d,65,6e,75,20,6f,66,20,\

62,6f,6f,74,20,73,65,72,76,65,72,73,47,04,a6,cc,00,00,ff,ff,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

</regfile>

But I don't get the right result.

I hope someone can help me.

Thanks.

Michael




#2 ·  Posted (edited)

Hello,

I need the IP address from the following BINARY registry key.

I tried the following script:

<script>

dim $var

$var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")

$var = BinaryToString($var, #)

msgbox(4096,"test",$var)

</script>

I replaced # with 1/2/3/4

<regfile>

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\SUP\PXE]

"BootServerReply"=hex:02,01,06,00,74,2d,1a,34,00,09,00,00,00,00,00,00,00,00,00,\

00,0a,0b,01,83,00,00,00,00,00,21,70,2d,1a,34,00,00,00,00,00,00,00,00,00,00,\

4e,6f,...............................................................

That cannot be an IP address. If it is a freaking IP then it has to be encrypted to a whole new level of extreme.

So none of the macros work for you? E.g. @IPAddress1 etc. What is the IP address for or related to?

EDIT: just checked Vista, XP and Windows 7 and there are no such registry keys, so this must be software specific.

If so, then good luck finding their encryption's secret spice....

Edited by System238


#3 ·  Posted (edited)

It's the IP address being extracted from the DHCP server reply to a request for PXE boot (network boot). If you haven't attempted a PXE boot, the value doesn't exist:

; $var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")
$var = Binary("0x02010600742d1a340009000000000000000000" & _
"000a0b0183000000000021702d1a3400000000000000000000" & _
"4e6f76656c6c2050726f787920444843502053657276657200" & _
"00000000000000000000000000000000000000000000000000" & _
"00000000000000000000000000006e766c6e62702e73797300")

$sIP = StringFormat("%u.%u.%u.%u", BinaryMid($var, 21, 1), BinaryMid($var, 22, 1), BinaryMid($var, 23, 1), BinaryMid($var, 24, 1))
ConsoleWrite("$sIP = " & $sIP & @LF)

Assuming the offset is bytes 21 thru 24 in the message, this returns:

$sIP = 10.11.1.131

:unsure:

Edited by PsaltyDS
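
An added example, not part of the original posts: instead of trusting the fixed offset alone, it checks that the value really is a BOOTP/DHCP reply (length, op code, magic cookie) and cross-checks bytes 21 to 24 (siaddr) against DHCP option 54 (server identifier). The function names are hypothetical, and the sample reuses the header and option bytes posted in the thread with the chaddr, sname and file fields zero-filled.

```autoit
#include <String.au3> ; _StringRepeat is used only to build the sample

; Integer value of the byte at 1-based position $iPos.
Func _ByteAt($bData, $iPos)
    Return Dec(Hex(BinaryMid($bData, $iPos, 1)))
EndFunc

; Dotted-quad string for the 4 bytes starting at $iPos.
Func _IPv4At($bData, $iPos)
    Return StringFormat("%u.%u.%u.%u", _ByteAt($bData, $iPos), _ByteAt($bData, $iPos + 1), _
            _ByteAt($bData, $iPos + 2), _ByteAt($bData, $iPos + 3))
EndFunc

; Hypothetical helper: returns siaddr, or "" with @error set if the value is not a sane reply.
; @extended = 1 when option 54 is present but disagrees with siaddr.
Func _PxeReplyServerIP($bReply)
    If Not IsBinary($bReply) Or BinaryLen($bReply) < 240 Then Return SetError(1, 0, "") ; too short
    If _ByteAt($bReply, 1) <> 2 Then Return SetError(2, 0, "") ; op is not BOOTREPLY
    If Hex(BinaryMid($bReply, 237, 4)) <> "63825363" Then Return SetError(3, 0, "") ; no magic cookie
    Local $sSiaddr = _IPv4At($bReply, 21), $iPos = 241, $iLen = BinaryLen($bReply), $iCode, $iOptLen
    While $iPos <= $iLen
        $iCode = _ByteAt($bReply, $iPos)
        If $iCode = 255 Then ExitLoop ; end option
        If $iCode = 0 Then ; pad option has no length byte
            $iPos += 1
            ContinueLoop
        EndIf
        If $iPos + 1 > $iLen Then Return SetError(4, 0, "") ; truncated option header
        $iOptLen = _ByteAt($bReply, $iPos + 1)
        If $iPos + 1 + $iOptLen > $iLen Then Return SetError(4, 0, "") ; option runs past the value
        If $iCode = 54 And $iOptLen = 4 And _IPv4At($bReply, $iPos + 2) <> $sSiaddr Then
            Return SetExtended(1, $sSiaddr)
        EndIf
        $iPos += 2 + $iOptLen
    WEnd
    Return $sSiaddr
EndFunc

; Constructed sample: 28 header bytes, 208 zero bytes, cookie, options 53 and 54, end option.
Global $bSample = Binary("0x02010600742d1a3400090000" & "00000000" & "00000000" & "0a0b0183" & "00000000" & _
        _StringRepeat("00", 208) & "63825363" & "350105" & "36040a0b0183" & "ff")
Global $sIP = _PxeReplyServerIP($bSample)
ConsoleWrite("siaddr = " & $sIP & ", @error = " & @error & ", @extended = " & @extended & @LF)
```

On a live system, pass the Binary returned by RegRead for the BootServerReply value to the function in place of the sample.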


Hi,

You are brilliant! Works perfectly.

To complete the information (I moved the reg key to another location so it's easier for me to debug): the original location on a PXE-booted WinPE is "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE]".

Michael
