I have a binary file. I don't know how it's formatted, I only know it comes from a delphi code.
Does it exist any way to analyze a binary file?
Does it exist any "pattern" to analyze and deserialize the binary content of a file with unknown format?
+2
A:
Do you know the program that uses it? If so you can hook that programs write to file function and get an idea of what data its writing, the size of the data and where.
More Info: http://www.codeproject.com/KB/DLL/Win32APIHooking_Trouble.aspx
Lodle
2009-06-22 08:29:16
+2
A:
The unix "file" command is really useful - I don't know if there is anything like it in windows. You run it like this:
file myfile.ext
And it spits out a text description based on the magic numbers and data contained therein.
Probably it is contained within cygwin.
1800 INFORMATION
2009-06-22 08:29:32
He will probably get "octet-stream" which will confuse him more. ".bin" files (I guess it is) aren't "standardized" and as colithium said, he probably needs to RE.
LiraNuna
2009-06-22 08:36:07
That's what "file" does - it doesn't look at the extension at all
1800 INFORMATION
2009-06-22 08:42:22
I tried it, but it say only "DATA"
Ricibald
2009-06-22 08:51:50
"file" looks for magic numbers as you said, but only magic numbers of knows filetypes. So it most likely will find .jpg, .tar.gz, .avi etc. etc., but a custom binary file-structure is not a known filetype (if it was, he wouldn't have this problem in the first place :) )
cwap
2009-06-22 14:15:31
+6
A:
Reverse engineering a binary file when you have some idea of what it represents is a very time consuming process. If you have no idea what it is then it will be even harder.
It is possible though, but you have to have a pretty good reason for doing so.
The first step would be to open it up in a hex editor of your choice and see if you can find any English text to point you in the direction of what the file is even supposed to represent. From there, Google "Reverse Engineering binary files", there are much more knowledgeable people than me that have written guides about it.
colithium
2009-06-22 08:31:02
+3
A:
The "strings" program from GNU binutils is very useful. It will print the strings of printable characters in a file, quite often giving a clue to what a file contains or a program does.
Andreas Fugl
2009-06-22 08:41:21
+3
A:
If the data represents serialized Delphi objects, you should start reading about the Delphi serialization process. If that's the case, I think your best bet would be to load it using Delphi and continue your analysis from the IDE. Some informations about Delphi serialization can be found here.
EDIT: if the file does contain serialized delphi objects, then you should write a small delphi program that loads it, and "convert" the data yourself to something neutral, like xml. If you manage to do this, you should check and see if delphi supports serializing to xml. Then, you could access those objects from any language.
Geo
2009-06-22 08:49:38
If it's a serialized delphi data, how can I use it in a c# or objective-c program?
Ricibald
2009-06-22 09:53:33
but it needs a delphi interpreter. If I have my single application that open this file I can't. I have to execute two distinct applications.
Ricibald
2009-06-22 10:46:25
Yes. You need to convert the object to something usable from anywhere. You can execute the converter from your main application's code, and work on the resulted files. It's how I would do it.
Geo
2009-06-22 10:55:55
+2
A:
If you have access to the application that creates the file, you can apply changes to the application, then save the file and see the effects (Keep in mind that numbers are probably stored in little endian):
- First create the file repeatedly. If the files are not binary equal, the current date/time is probably stored in the area where hte differences occur.
- Maybe you want to repeat that with the software running under different environments, to see if OS version etc are stored, but this is rather unusual.
- Next you can try to change single variables and create several files that only differ in the value of this variable. This helps you identify where this variable is stored.
- That way you can also exclude variables that are not stored in the file: If you change them, but the files created are identical, they are not stored.
In order to test the hypotheses you worked out with the steps above, edit one of the files and have the application read it.
If you don't have access to the application itself, I suggest that you forget about it and find another way to solve your problem. There is a very high probability that it will be faster...
Treb
2009-06-22 08:59:11
+3
A:
For my hobby project I had to reverse engineer some old game files. My approaches were:
- Have a good hex editor.
- Look for readable words in the binary file. Note how their distribution is. If the distance between them is constant you know it is a listing.
- Look for 2-3 consequent zeros. Might indicate an int32 value.
- Some dwords might be pointers into the file.
- Try to identify reoccurring patterns in the file.
- Seeing lots of C0-CF might indicate RLE compressed data.
kd304
2009-06-22 09:07:54
A:
Try these:
- Deserialize data: analyze how it's compiled your exe (try File Analyzer). Try to deserialize the binary data with the language discovered. Then serialize it in a xml format (language-indipendent) that every programming language can understand
- Analyze the binary data: try to save various versions of the file with little variation and use a diff program to analyze the meaning of every bit with an hex editor. Use it in conjunction with binary hacking techniques (like How to crack a Binary File Format by Frans Faase)
- Reverse Engineer the application: try getting code using reverse engineering tools for the programming language used for build the app (found with File Analyzer). Otherwise use disassembler analysis tool like IDA Pro Disassembler
Ricibald
2009-06-22 14:11:11
maybe you should have marked an answer, instead of providing a summary of what was said.
Geo
2009-06-23 09:33:53
I think that all are "partial" answer. So I reconstruct a summary and if there are no answer I will mark this summary as the answer
Ricibald
2009-06-23 09:39:54
Ok, so this question will never have an answer! If you want, copy and paste this answer. I will be very happy to mark your answer! And you will be very happy too! I'm not interested about reputation, I only want to mark an answer for this question. And you? What is your real interest?
Ricibald
2009-06-23 11:29:19
For more info: http://blog.stackoverflow.com/2009/01/accept-your-own-answers/
Ricibald
2009-06-23 11:39:23
if you look at other questions, when the author wanted to provide a summary, he edited the question and added that there. I don't care about the reputation, but these answers were provided by the users.
Geo
2009-06-23 13:59:30
ok, I think that was correct to put the answer here. But if not I move it in my question
Ricibald
2009-06-23 14:16:46
+1
A:
If file does not give a meaningful answer, you may want to try TRiD by Marco Pontello to determine whether your data is stored in a known format.
hillu
2009-06-22 14:30:38
I tried it but it says about the file: "Program X Format". Well... I already know that it's a file coming from the program X
Ricibald
2009-06-22 14:40:48
+2
A:
Get the Delphi application and open it in IDA Pro freeware version, and find where it writes the file, and decode how it writes the file that way.
Unless it's plan text.
Simeon Pilgrim
2009-06-23 04:31:07