[2009 CodeEngn Conference 03] externalist - Reversing Undocumented File Formats using a Hex Editor and your Brain
Page 1
Reversing Undocumented File Formats using a Hex Editor and your Brain
3rd CodeEngn ReverseEngineering Seminar, 2009.07.04
Page 2
Page 3
- When the program that reads the file is not accessible (i.e. firmware)
- When the program is in your possession, but is too hard to reverse (packed, protected etc.)
- When you don't know how to reverse executable files, but still want to reverse a file format
- Sometimes reversing the file itself is faster than reversing the executable file (game archives)
Page 4
- Search Wotsit.org
- Study the general structures of file formats
- Using a hex editor, try to match the structure of the data with the structures you already know
- "Look" at the hex bytes and try to find patterns
- Make assumptions and verify
- If the theory proves to be correct, make more assumptions based on the new facts until the whole (or part) of the file format is revealed
Page 5
- Case I: cannot write, but readable
- Case II: readable/writable
- Case III: only 1 sample, cannot read/write
("can read/write" means the program that reads/writes the file is accessible)
Page 6
Page 7
- GRAIS (Game Resource Archive Identity Strings)
- Offsets
- Size fields
- Number of files
- Filenames
Page 8
- The file that contains the resources is bigger than the other files
- Most values are stored in a 4-byte field
- There is usually at least 1 meaningful field at the beginning of the file
- Strings can be null-terminated, or fixed-length, in which case the string is padded with nulls
Page 9
OK… So I'm looking at a bunch of hex bytes… Now what???
Page 10
- File size = 1299033
- File size fits in 3 bytes (0~16777216)
- Most fields are stored as 4 bytes
- All offset and size fields will therefore end with a NULL byte (little-endian: the high byte of any value that fits in 3 bytes is 0x00)
Page 11
GRAIF
Possibly an offset???
Page 12
Is indeed an offset :) Looks like a directory…
Page 13
Page 14
Possibly the number of directory entries in the directory?
Page 15
0x85E / 0x15 = 0x66. Verified! :)
Page 16
- The first field increases in each successive entry → possibly a file offset?
- If the first theory is correct, the second field has a high chance of being the file size
Page 17
Confirmed! :)
Page 18
Page 19
Files extracted! :) Moving on…
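The assume-and-verify loop of pages 10 to 17, scripted: an added example (not code from the talk) that scans a constructed archive for 4-byte fields that could be offsets, then tests the "count followed by (offset, size) entries" directory theory against each candidate. The DEMO magic, the field order and the 8-byte entry layout are assumptions made for the demo, not the format reversed in the slides.

```python
import struct


def build_sample_archive() -> bytes:
    """Constructed sample archive (assumed layout): 4-byte magic, 4-byte LE directory
    offset, the file data back to back, then a directory of count + (offset, size) pairs."""
    files = [b"first file payload", b"second", b"third payload, a bit longer than the rest"]
    header_len = 8
    entries, cursor = [], header_len
    for f in files:
        entries.append((cursor, len(f)))
        cursor += len(f)
    dir_off = cursor
    directory = struct.pack("<I", len(files))
    directory += b"".join(struct.pack("<II", off, size) for off, size in entries)
    return b"DEMO" + struct.pack("<I", dir_off) + b"".join(files) + directory


def candidate_fields(blob: bytes, limit: int = 64):
    """Page 10 reasoning: the file fits in 3 bytes, so any 4-byte little-endian offset or
    size field is smaller than the file and ends in a 0x00 byte. Scan the start of the file
    on 4-byte boundaries and report every field that passes this filter."""
    hits = []
    for pos in range(0, min(limit, len(blob) - 3), 4):
        value = struct.unpack_from("<I", blob, pos)[0]
        if 0 < value < len(blob) and blob[pos + 3] == 0:
            hits.append((pos, value))
    return hits


def verify_directory(blob: bytes, dir_off: int):
    """Pages 14 to 17: assume an entry count at dir_off followed by (offset, size) entries.
    Keep the theory only if the entries fit in the file, offsets increase, and every
    range lies inside the file in front of the directory. Returns the entries or None."""
    if dir_off + 4 > len(blob):
        return None
    count = struct.unpack_from("<I", blob, dir_off)[0]
    entry_size = 8
    if count == 0 or dir_off + 4 + count * entry_size > len(blob):
        return None
    entries = [struct.unpack_from("<II", blob, dir_off + 4 + i * entry_size) for i in range(count)]
    prev_end = 0
    for off, size in entries:
        if off < prev_end or off + size > dir_off:
            return None
        prev_end = off + size
    return entries


def extract_files(blob: bytes):
    """Try every candidate header field as the directory offset; the first one whose
    directory verifies wins, and its entries are sliced out of the archive."""
    for _, value in candidate_fields(blob):
        entries = verify_directory(blob, value)
        if entries:
            return [blob[off:off + size] for off, size in entries]
    return []
```

A candidate that survives `verify_directory` on one sample is still only a theory; as the slides say, check it against other samples before trusting it.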
Page 20
- First file offset
- Archive name
- Filename offset
- Filename directory offset
- Total file data size
- Total directory size
- Archive size
- Number of directories
- Directory offset
- File extension / type
- File ID
- Archive version
- Filename length
- Decompressed file size
- Checksum
- Timestamp
Pages 21-24
Page 25
- Max 40 chars
Page 26
- 11/1
- 12/6
Page 27
Page 28
- Possibly some kind of unique identifier
Page 29
Chunk structure

| Size | Meaning    |
|------|------------|
| 2    | Date       |
| 40   | Message    |
| 2    | Year       |
| 4    | Identifier |
Page 30
You know what to do next! :)
Page 31
Fields marked in the screenshot: FileType, Unknown, Data Size, Checksum
Page 32
Page 33
- All strings are absolutely incomprehensible
- → Possibly compressed or encrypted
- What to do next? → Frequency analysis! :)
Page 34
What can we understand from this?
Pages 35-36
Page 37
Highly symmetric → pattern → sign of a weak cipher!!!
Page 38
- Monoalphabetic (frequency doesn't change)
- Polyalphabetic
- Transposition (frequency doesn't change)
Page 39
- Why? Because it is the simplest encryption algorithm with a key to implement! :)
- It also matches our theory of a polyalphabetic cipher, or more precisely, a Vigenère cipher

```c
/* repeating-key XOR: the key byte used for position i is key[i % keylen];
   data, encrypted_data and filesize are supplied by the surrounding code */
const char *key = "1234567890";
for (size_t i = 0; i < filesize; i++)
    encrypted_data[i] = data[i] ^ key[i % strlen(key)];
```
Page 40
Key length: 32 bytes
Page 41
- Key is XORed
- Key is added
- Key is subtracted
- Key is RORed
- Key is ROLed
- …
Key found! :) RIMIDALV1AIDEMITLUMXOBEKUJSOHCRA
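The frequency-analysis route of pages 33 to 41 worked through on a constructed blob: an added example, not code from the talk. It finds the key length from the periodic pattern in the ciphertext and then recovers each key byte from the most common byte of its column, trying only the XOR variant from the slide's list of candidate operations. The plaintext mix (mostly 0x00 padding, as in a typical firmware image) and the 32-byte key are assumptions of the demo.

```python
import random
from collections import Counter

KEY = b"CONSTRUCTED-SAMPLE-KEY-32-BYTES!"   # constructed 32-byte key, not the talk's


def make_sample(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed 'firmware-like' plaintext: about 60% 0x00 padding, the rest
    pseudo-random, with a few ASCII strings dropped in. Real binaries are far from
    uniformly distributed, which is what the analysis below relies on."""
    rng = random.Random(seed)
    buf = bytearray(0 if rng.random() < 0.6 else rng.randrange(1, 256) for _ in range(n))
    for i, s in enumerate((b"Firmware Version", b"Create Folder", b"DISCONNECTED")):
        buf[i * 1000:i * 1000 + len(s)] = s
    return bytes(buf)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    # The slide's loop: out[i] = data[i] ^ key[i % len(key)]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions whose byte equals the byte `shift` places earlier. Under a
    repeating key this peaks at multiples of the key length, because those two positions
    were combined with the same key byte and the plaintext repeats itself a lot."""
    n = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(n)) / n


def guess_key_length(cipher: bytes, max_len: int = 64) -> int:
    rates = {p: coincidence_rate(cipher, p) for p in range(1, max_len + 1)}
    best = max(rates.values())
    # multiples of the true period peak too, so take the smallest period near the maximum
    return min(p for p, r in rates.items() if r >= 0.8 * best)


def recover_xor_key(cipher: bytes, key_len: int, common_plain: int = 0x00) -> bytes:
    """Column i holds every ciphertext byte that met key[i]. Its most frequent value is
    most likely common_plain ^ key[i]; for padded binaries common_plain is 0x00."""
    key = bytearray()
    for i in range(key_len):
        top = Counter(cipher[i::key_len]).most_common(1)[0][0]
        key.append(top ^ common_plain)
    return bytes(key)


def demo() -> dict:
    plain = make_sample()
    cipher = xor_repeating(plain, KEY)
    key_len = guess_key_length(cipher)
    key = recover_xor_key(cipher, key_len)
    return {"key_len": key_len, "key": key, "decrypted": xor_repeating(cipher, key)}
```

If the most common plaintext byte is not 0x00 (a text file, say), the recovered key is off by a constant per column; re-run `recover_xor_key` with `common_plain` set to the byte you expect, or check the candidate key by looking for readable strings in the output.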
Page 42
Page 43
- Strings are weirdly distorted
- 1 byte of trash in the middle of strings
- What could this mean???
- What to do next? → Calculate the entropy
Page 44
→ File is possibly compressed
Page 45
Fields marked in the screenshot: FileType, Uncompressed Size, Compressed Size, Checksum
- Compression ratio: 1.8
Page 46
- Run Length Encoding (repeating bytes exist)
- Arithmetic coding (no text remains)
- Huffman (no text remains)
- LZ77
- LZ78
Page 47
- the_rain_<3,3>Sp<9,4>falls
  <3,3>: go 3 bytes back, copy 3 bytes from there and paste at the current location.
- The_rain_in_Sp<9,4>falls
  <9,4>: go 9 bytes back, copy 4 bytes from there and paste at the current location.
- The_rain_in_Spain_falls
Compressed bytes info data (CBID) contains <last occurred matching sequence position, length>
Page 48
- Every n bytes there exists a header byte
- The HeaderByte probably tells the number of bytes until the next HeaderByte, and the position of the CBID(s)
- HeaderByte 0xFF means the next 8 bytes are uncompressed
Page 49
- We know that the header byte contains the following information:
  1. The number of bytes until the next header
  2. The position of the CBID(s)
- Start attacking theory no. 1 by collecting samples.
Samples (header byte : bytes until the next header):
FB : 9,  EF : 9,  BE : 10, DF : 9
FF : 8,  EA : 11, AB : 11, AF : 10
CF : 10, EB : 10, 0F : 12, F9 : 10
FE : 9,  EE : 10, BF : 9,  FD : 9
Page 50
- Compile the header bytes with the same length (9)
- Use your brain and think: "Why do all those different bytes end up with the same length?"
- Make assumptions (the length info is contained in the high nibble | low nibble | bitfields | etc…)
- Verify your theory by testing it on other samples.
FB : 9, EF : 9, DF : 9, FE : 9, BF : 9
Page 51
- Bit 0 means length = 2; bit 1 means length = 1
  ex) 0xBF = 10111111 = 7*1 + 1*2 = 9
      0xAC = 10101100 = 4*1 + 4*2 = 12
- Moreover, 0 is a CBID, while 1 is a normal uncompressed byte. Read from right to left.
- 0xDF = 11011111 = 5 uncompressed, CBID, 2 uncompressed = "media", \xD4\xA0, "OW"
Page 52
- Offsets found! :)
- Verify for 5 or more header bytes just to make sure.
- The theory is correct.
- Something new learned: a CBID is 2 bytes
Page 53
- What we already know about the CBID:
  1. Contains the size of the compressed bytes
  2. Contains the position of the compressed bytes
- Start attacking theory no. 1 by collecting samples.
Page 54
- "Firmw.are V..io." ≃ "Firmware Version" ∴ C8B0 → 3 bytes
- "H{.igkei" = "Helligkei" ∴ 7B80 → 3 bytes
- "Cre.a..Folder" = "Create Folder" ∴ B3A0 → 3 bytes
Page 55
∴ C8B0 → 3 bytes, ∴ 7B80 → 3 bytes, ∴ B3A0 → 3 bytes
- The last nibble is 0 for all CBIDs.
- (Compressed bytes length = last nibble + 3)?
- Verify by parsing the file using that assumption.
- Matches! :) The theory is correct.
Field marked in the screenshot: Uncompressed File Size
Page 56
- The compressed bytes are still unknown and are filled with zeroes
Page 57
- We know that it represents the position of the last occurred matching bytes
- We know from the length field that the minimum length of the matching bytes is 3
- Collect samples where you can guess the compressed bytes, and where bytes identical to the resulting bytes are located somewhere before the compressed bytes, where you can see them.
Page 58
- "a…save" = "and save"
- Compressed bytes = "nd "
- Last occurred at 0x3826A, 0x48 bytes before the compressed bytes
- CBID position field = 0x258
Page 59
- "DIS…NECTED" = "DISCONNECTED"
- Compressed bytes = "CON"
- Last occurred at 0x53B1, 0xB bytes before the compressed bytes
- CBID position field = 0x39F
Page 60
- "al…dy exists" = "already exists"
- Compressed bytes = "rea"
- Last occurred at 0x13769, 0x6B9 bytes before the compressed bytes
- CBID position field = 0x757
Page 61
- 0x258 ≠ 0x3826A, 0x48
- But 0x258 is very close to 0x26A!
- In fact, 0x757 is also very close to 0x769, and so is 0x39F to 0x3B1
- Carefully observing the difference between the 2 numbers, we realize that the difference is constant!
- The difference between the two numbers is 0x12, therefore the format of the CBID is
- <Offset of the last occurred identical byte sequence - 0x12 (low 3 nibbles), Length - 3>
Page 62
- Using the above facts, uncompress the entire file and dump it into a new file.
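A decoder for the LZ77 variant reversed on pages 47 to 62, plus the two arithmetic checks the talk does by hand (header-byte span on page 51, CBID position field on page 61): an added example, not code from the talk. Two details the slides leave open are assumed here: the 12 position bits are packed with the low 8 bits in the first CBID byte and the high 4 bits in the high nibble of the second (the slides fix the values, not the bit packing), and the 4 KiB history buffer starts zero-filled. The test stream is constructed from page 47's "the_rain_in_Spain_falls" example.

```python
WINDOW = 0x1000            # a 12-bit position field addresses a 4096-byte history buffer
START = (-0x12) & 0xFFF    # output position 0 sits at buffer index 0xFEE: that is the "-0x12"


def flag_span(flag: int) -> int:
    """Page 51: each 1 bit is one literal byte, each 0 bit a 2-byte CBID, so the span
    of input covered by a header byte is ones*1 + zeros*2."""
    ones = bin(flag).count("1")
    return ones + 2 * (8 - ones)


def cbid_position(abs_offset: int) -> int:
    """Page 61: position field = low 3 nibbles of (source offset in the output - 0x12)."""
    return (abs_offset - 0x12) & 0xFFF


def decompress(src: bytes) -> bytes:
    out = bytearray()
    ring = bytearray(WINDOW)   # assumption: history buffer starts as zeroes
    r = START
    i = 0
    while i < len(src):
        flag = src[i]
        i += 1
        for bit in range(8):               # "read from right to left": bit 0 first
            if i >= len(src):              # stream ends mid-flag-byte: remaining bits are padding
                break
            if (flag >> bit) & 1:          # 1 = literal byte
                c = src[i]
                i += 1
                out.append(c)
                ring[r] = c
                r = (r + 1) & 0xFFF
            else:                          # 0 = 2-byte CBID <position, length - 3>
                b0, b1 = src[i], src[i + 1]
                i += 2
                pos = b0 | ((b1 & 0xF0) << 4)   # assumed packing of the 12 position bits
                length = (b1 & 0x0F) + 3        # page 55: last nibble + 3
                for k in range(length):
                    c = ring[(pos + k) & 0xFFF]
                    out.append(c)
                    ring[r] = c
                    r = (r + 1) & 0xFFF
    return bytes(out)


# Constructed stream encoding page 47's example: 8 literals (flag 0xFF), then
# "_", <3,3>, "Sp", <9,4>, "fal" (flag 0xED = 11101101), then "ls" (flag 0x03).
# <3,3> copies from output position 6: field (6 - 0x12) & 0xFFF = 0xFF4 -> bytes F4 F0.
# <9,4> copies from output position 5: field 0xFF3, length 4 -> bytes F3 F1.
SAMPLE = (bytes([0xFF]) + b"the_rain"
          + bytes([0xED]) + b"_" + bytes([0xF4, 0xF0]) + b"Sp" + bytes([0xF3, 0xF1]) + b"fal"
          + bytes([0x03]) + b"ls")
```

Running `decompress` over a real archive entry and checking that the output length equals the "Uncompressed Size" field from page 45 is the same verification step the slides perform before dumping the whole file.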
Page 63
- All strings are neatly displayed! Which means the whole file is uncompressed. :)
Page 64