Friday, September 17, 2004

Reverse Engineering a Structure?

Can't sleep (yet), and suddenly an old itch resurfaced: I need a tool to analyze file formats (maybe even better if it can analyze a snippet of a stream; it doesn't have to be a file at all). Imagine that you have a new toy, a USB webcam. It works in Windows, but you really want to make it work on Linux too. What do you do?

You can fire up SnoopyPro and sniff the talk between Windows and that webcam. Then what? You have a nice, big, but very unknown piece of data. And you also have an AVI file. How do you correlate them?

I dream of a tool that can be commanded to display, say, offset 0x2134 to 0x2159 as bytes. Then the next up-to-256 bytes are an asciiz, followed by dup(32) dw (in other words: a 32-element array of 16-bit values). So we have a side window which contains:

what-the-hell-is-this {
    byte junk[0x2133]
    byte header[0x2134..0x2195]
    asciiz comments[<=256]
    word foo[32]
}

But wait, that header field has the wrong size. Okay, just edit it again, replace 0x2195 with 0x2159, and watch the display window on the right dump the data using the new structure definition. Piece of cake.
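
A minimal sketch of such a template-driven dumper, as an added example (not the author's tool, which the post only wishes for). It assumes that `[A..B]` means inclusive absolute offsets, that `[N]` is an element count from the current position, and that words are little-endian; the sample bytes and the `demo` template are constructed.

```python
import re
import struct

# Field line in the post's notation: "<type> <name>[<spec>]", where <spec> is
# a count (N), an inclusive absolute offset range (A..B), or a limit (<=N).
FIELD_RE = re.compile(r"^(byte|word|asciiz)\s+(\w+)\[(.+)\]$")

def parse_template(text):
    """Turn a structure definition into a list of (type, name, spec) tuples."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse field: {line!r}")
        fields.append(m.groups())
    return fields

def apply_template(fields, data):
    """Walk data with the template; return a list of (name, offset, value)."""
    pos, out = 0, []
    for ftype, name, spec in fields:
        if ".." in spec:                      # absolute range, both ends inclusive
            start, end = (int(x, 0) for x in spec.split(".."))
            pos, size = start, end - start + 1
        elif ftype == "asciiz":               # NUL-terminated, bounded by <=N
            limit = int(spec.lstrip("<="), 0)
            nul = data.find(b"\x00", pos, pos + limit)
            size = (nul - pos + 1) if nul != -1 else min(limit, len(data) - pos)
        else:                                 # plain element count
            size = int(spec, 0) * (2 if ftype == "word" else 1)
        if size < 0 or pos + size > len(data):
            raise ValueError(f"{name}: field runs past end of data")
        raw = data[pos:pos + size]
        if ftype == "word":                   # assumed little-endian 16-bit
            value = list(struct.unpack(f"<{len(raw) // 2}H", raw[:len(raw) // 2 * 2]))
        elif ftype == "asciiz":
            value = raw.split(b"\x00")[0].decode("ascii", "replace")
        else:
            value = raw.hex(" ")
        out.append((name, pos, value))
        pos += size
    return out

# Constructed sample: 4 junk bytes, 6 header bytes, a string, three words.
SAMPLE = bytes(4) + bytes.fromhex("a1a2a3a4a5a6") + b"hi\x00" + struct.pack("<3H", 1, 2, 513)
TEMPLATE = "demo {\nbyte junk[4]\nbyte header[0x04..0x09]\nasciiz comments[<=256]\nword foo[3]\n}"
```

Changing one offset in `TEMPLATE` and calling `apply_template` again re-decodes the same bytes, which is the edit-and-redump loop described above.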

Thud!

I suddenly wake up: where is that beautiful tool? :(( It seems that this rusty brain of mine can't be persuaded to touch the new, slick Delphi, nor the old, trusted BC3.1. Or should I try Python? Mixed with a little Gtk?

Heeeeelp!
