
reading binary data with unknown data structure



Howdy Fellas,

I'm trying to read a binary file that has a bunch of data, though I'm only interested in two pieces, a datestamp and some data.

I've been able to read some text using:

_WinAPI_ReadFile($hFile,DllStructGetPtr($struct),$nBytes,$nBytes)

where the struct is a char[256], and $nBytes is 256

this returns to me some strings that are up to 256 characters long, when I use 1024 it is up to 1024 and self-terminates

I also have an offset I need to account for from the header data, can I just use '_WinAPI_ReadFile' or is there a better way?

I noticed that the data is separated by a '00' or 'NULL' value

Looking at the file in a hex viewer and knowing some of the expected information, I can get an idea of what kind of data is where, but I'm wondering if someone can help me understand how I can read any information that exists between the NULL values. I'm guessing that I can just read every bit of information byte-by-byte and append it to my data until I find a NULL then based on the previous info read or the length I determine what kind of information I'm dealing with.

Is there a built in function that can search for the occurrence of a NULL (or other value) and split content based on that? Like a string split with a '00' as a delimiter.


> Is there a built in function that can search for the occurrence of a NULL (or other value) and split content based on that? Like a string split with a '00' as a delimiter.

There certainly is.

StringSplit($sString, chr(0))

chr(0) represents the "00" hex you are seeing.

Replace the 0 with the ASCII value of any other character you would like to act as a delimiter.


> There certainly is.
>
> StringSplit($sString, chr(0))
>
> chr(0) represents the "00" hex you are seeing.
>
> Replace the 0 with the ASCII value of any other character you would like to act as a delimiter.

I don't think I can use stringSplit in this case. The data I'm retrieving is hexadecimal, Unless I'm reading it wrong, which I think I might be.

Can you provide a sample of the data that you are currently working on?


I've been able to make some progress on classifying the data.

I'm trying to extract timestamp data from a hexadecimal sequence and I've narrowed down the hex data where the timestamp is hidden

I've found two dates that are off by about two minutes

(20 0888 2012-12-01 06:00:55 -0700)

A4 01 1B FE 36 05 88 23 E4 40 78 03 14

(20 0888 2012-12-01 06:02:56 -0700 )

A4 01 EF F9 AF 10 88 23 E4 40 78 03 14

I've noticed that the first two items, 20 and 0888 which are unrelated to the timestamp, are the last two items, `14` being 20 and `78 03` in reverse `0378` is 0888, so the datestamp could be in reverse too

so the time data (with the offset) is somewhere in here

A4 01 EF F9 AF 10 88 23 E4 40

or in reverse:

40 E4 23 88 05 36 FE 1B 01 A4

But this is about as far as I can get. I'm using this website http://fmdiff.com/fm/timestamp.html to convert the known timestamp to some common formats, but I'm just not seeing it.

Is there any other format (probably in .net) that I can try that this info is using?

And here's a small sample of the data

000CF8 31 00 5B 50 6F 77 65 72 20 73 74 61 74 75 73 5D 1.[Power status]
000D08 20 54 68 65 20 63 6F 6D 70 75 74 65 72 20 69 73 The computer is
000D18 20 61 62 6F 75 74 20 74 6F 20 73 68 75 74 64 6F about to shutdo
000D28 77 6E 2E 01 00 05 00 45 76 65 6E 74 08 00 53 68 wn.....Event..Sh
000D38 75 74 64 6F 77 6E 67 00 A4 01 12 F0 CD AB 88 23 utdowng........#
000D48 E4 40 59 1B 14 00 11 00 53 69 74 65 52 65 6D 6F .@Y.....SiteRemo
000D58 74 65 20 43 6C 69 65 6E 74 09 00 53 68 75 74 64 te Client..Shutd
000D68 6F 77 6E 2E 00 00 2E 00 A4 01 B3 B8 13 04 A8 23 own............#
000D78 E4 40 58 1B 14 00 11 00 53 69 74 65 52 65 6D 6F .@X.....SiteRemo
000D88 74 65 20 43 6C 69 65 6E 74 08 00 53 74 61 72 74 te Client..Start
000D98 75 70 2E 00 00 2D 00 A4 01 44 44 44 04 A8 23 E4 up...-...DDD..#.
000DA8 40 E9 03 14 00 09 00 53 69 74 65 4B 69 6F 73 6B @......SiteKiosk
000DB8 07 00 73 74 61 72 74 65 64 00 00 24 00 A4 01 0D ..started..$....

Is there a way to loop the data until I read the full character string?

I know the way I'm pulling the data, using DllStructCreate('char[256]'), works fine for one line, but then the buffer pointer goes too far and messes up any further data


Are you familiar with AutoIt's binary strings? Studying of which will get you past NULs...

maybe...

$hfile = FileOpen("binary.dat",16)
$bin = FileRead($hfile)
$text = StringReplace($bin,Chr(0)," ")
MsgBox(4096,"",$text)

Ah, I see, I didn't know about the FileOpen '16' flag

The StringReplace and StringSplit are still not working for me though.

I noticed that the result starts with "0x02B002000000FA010000..." the '0x' means it's a hex value, I'm guessing that's why it's not working

I have tried adding

$binText = StringReplace($bin,"0x","")

before the stringReplace, and now the replace is working.

The data is not separated by spaces or tabs, so using a replace for '00' can remove values such as '10 0F' because it would appear as '100F'

Instead of doing a string replace, I'm trying out reading the data as a string two characters at a time, and putting them into a buffer until I find a '00',
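
An added example, not code from any poster in this thread: it walks one record with BinaryMid instead of editing the "0x..." hex text, and reads the eight bytes after A4 01 as a little-endian double holding days since 1899-12-30 (the OLE Automation / Delphi TDateTime convention), under which the bytes 1B FE 36 05 88 23 E4 40 quoted earlier come out as 2012-12-01 06:00:55. The record layout, the helper names _ReadAs, _ReadText and _OleDateToString, and the reading of the trailing uint16 as the record's own length are assumptions inferred from the hex sample above.

```autoit
#include <Date.au3>

; Added example. Layout inferred from the hex sample in this thread (an assumption):
;   A4 01 | double | uint16 | uint16 | 3 x (uint16 length + text) | uint16 record length
; $bRec is the "Shutdown." record copied from that sample, starting at its A4 01.
Global $bRec = Binary("0xA40112F0CDAB8823E440591B14001100" & _
        "5369746552656D6F746520436C69656E74" & "090053687574646F776E2E" & "00002E00")

; Copy $iLen bytes at 1-based offset $iPos into a struct and read them as $sType.
; x86 is little-endian, so "ushort" and "double" match the file's byte order.
Func _ReadAs($bData, $iPos, $iLen, $sType)
    Local $tRaw = DllStructCreate("byte[" & $iLen & "]")
    DllStructSetData($tRaw, 1, BinaryMid($bData, $iPos, $iLen))
    Local $tVal = DllStructCreate($sType, DllStructGetPtr($tRaw))
    Return DllStructGetData($tVal, 1)
EndFunc

; Read a uint16 length and that many text bytes, then advance $iPos past both.
Func _ReadText($bData, ByRef $iPos)
    Local $iLen = _ReadAs($bData, $iPos, 2, "ushort"), $sText = ""
    If $iLen > 0 Then $sText = BinaryToString(BinaryMid($bData, $iPos + 2, $iLen))
    $iPos += 2 + $iLen
    Return $sText
EndFunc

; Days since 1899/12/30, with the time of day carried in the fraction.
Func _OleDateToString($fDays)
    Local $iDays = Floor($fDays)
    Local $iSecs = Round(($fDays - $iDays) * 86400)
    Return _DateAdd("s", $iSecs, _DateAdd("D", $iDays, "1899/12/30 00:00:00"))
EndFunc

If _ReadAs($bRec, 1, 2, "ushort") <> 0x01A4 Then
    ConsoleWrite("no A4 01 marker at start of record" & @CRLF)
    Exit 1
EndIf
Global $fDays = _ReadAs($bRec, 3, 8, "double")   ; timestamp
Global $iId = _ReadAs($bRec, 11, 2, "ushort")    ; the "0888"-style field
Global $iKind = _ReadAs($bRec, 13, 2, "ushort")  ; the "20" field
Global $iPos = 15                                ; first length-prefixed text
Global $sSource = _ReadText($bRec, $iPos)
Global $sEvent = _ReadText($bRec, $iPos)
Global $sExtra = _ReadText($bRec, $iPos)         ; empty in this record
Global $iTrailer = _ReadAs($bRec, $iPos, 2, "ushort")

ConsoleWrite(StringFormat("%s  %d %d  [%s] %s\n", _OleDateToString($fDays), $iKind, $iId, $sSource, $sEvent))
ConsoleWrite("trailing length " & $iTrailer & ", bytes consumed " & ($iPos - 1) & @CRLF)
```

With a real file, read it once with FileOpen(..., 16) and FileRead, then apply the same offsets relative to each A4 01 marker.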
