REG_BINARY readable

woodle · April 18, 2011

Hello,

I need the IP-Adress from the following BINARY registry key.

I try the following script:

dim $var

$var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")

$var = BinaryToString($var, #)

msgbox(4096,"test",$var)

</script>

I replaced # with 1/2/3/4

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\SUP\PXE]

"BootServerReply"=hex:02,01,06,00,74,2d,1a,34,00,09,00,00,00,00,00,00,00,00,00,\

00,0a,0b,01,83,00,00,00,00,00,21,70,2d,1a,34,00,00,00,00,00,00,00,00,00,00,\

4e,6f,76,65,6c,6c,20,50,72,6f,78,79,20,44,48,43,50,20,53,65,72,76,65,72,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,6e,76,6c,6e,62,70,2e,73,79,73,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,63,82,53,63,35,01,05,36,\

04,0a,0b,01,83,61,11,00,44,45,4c,4c,44,00,10,46,80,42,b3,c0,4f,59,33,4a,3c,\

09,50,58,45,43,6c,69,65,6e,74,dc,04,0a,0b,01,83,2b,7e,06,01,03,08,07,a6,cc,\

01,0a,0b,01,83,09,41,a6,cc,24,4e,6f,76,65,6c,6c,20,50,72,65,62,6f,6f,74,20,\

53,65,72,76,65,72,20,2d,2d,20,31,30,2e,31,31,2e,31,2e,31,33,31,00,00,17,42,\

6f,6f,74,20,66,72,6f,6d,20,6c,6f,63,61,6c,20,64,65,76,69,63,65,73,0a,26,02,\

50,72,65,73,73,20,5b,46,38,5d,20,66,6f,72,20,61,20,6d,65,6e,75,20,6f,66,20,\

62,6f,6f,74,20,73,65,72,76,65,72,73,47,04,a6,cc,00,00,ff,ff,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

</regfile>

But I don't get a right result.

I hope someone can help me.

Thanks.

Michael

Skitty · April 18, 2011

Hello,
I need the IP-Adress from the following BINARY registry key.
I try the following script:

<script>
dim $var
$var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")
$var = BinaryToString($var, #)
msgbox(4096,"test",$var)
</script>
I replaced # with 1/2/3/4

<regfile>
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\SUP\PXE]
"BootServerReply"=hex:02,01,06,00,74,2d,1a,34,00,09,00,00,00,00,00,00,00,00,00,\
00,0a,0b,01,83,00,00,00,00,00,21,70,2d,1a,34,00,00,00,00,00,00,00,00,00,00,\
4e,6f,...............................................................

That cannot be an ip address,If it is a freaking IP then it has to be encrypted to a whole new level of extreme.

So none of the macro's work for you? eg @IPAdress1 etc, what is the IP address for or related to?

EDIT: just checked vista, xp and windows 7 and there are no such registry keys, so this must be software specific.

If so, then good luck finding their encryption's secret spice....

Edited April 18, 2011 by System238

PsaltyDS · April 18, 2011

It's the IP address being extracted from the DHCP server reply to a request for PXE boot (network boot). If you haven't attempted a PXE boot, the value doesn't exist:

; $var = RegRead("HKEY_CURRENT_USER\SOFTWARE\SUP\PXE", "BootServerReply")
$var = Binary("0x02010600742d1a340009000000000000000000" & _
"000a0b0183000000000021702d1a3400000000000000000000" & _
"4e6f76656c6c2050726f787920444843502053657276657200" & _
"00000000000000000000000000000000000000000000000000" & _
"00000000000000000000000000006e766c6e62702e73797300")

$sIP = StringFormat("%u.%u.%u.%u", BinaryMid($var, 21, 1), BinaryMid($var, 22, 1), BinaryMid($var, 23, 1), BinaryMid($var, 24, 1))
ConsoleWrite("$sIP = " & $sIP & @LF)

Assuming the offset is bytes 21 thru 24 in the message, this returns:

$sIP = 10.11.1.131

:unsure:

Edited April 18, 2011 by PsaltyDS

woodle · April 19, 2011

Hi,

you are brilliant! Work's perfekt.

To complete the information (I moved the reg-key to another location so it's easier for me to debug). The original location on a PXE bootet WinPE is "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PXE]".

Michael

Sign In

REG_BINARY readable

Recommended Posts

woodle

Skitty

PsaltyDS

woodle

Create an account or sign in to comment

Create an account

Sign in

Browse

AutoIt Resources

Release

Beta