views:

112

answers:

2

I'm hacking a security system DVR so I can add motion capture and other fun features in python (version 2.6). One of the functions I was able to decompile from java and convert to python was the following:

def ToInt(abyte0, i):

  if(abyte0[i] >= 0):
      j = abyte0[i]
      print "A " + str(j)
  else:
      j = 256 + abyte0[i]

  if abyte0[i + 1] >= 0:
      j = j + (abyte0[i + 1] * 256)
      print "A " + str(j)
  else:
      j = j + (256 + abyte0[i + 1]) * 256

  if abyte0[i + 2] >= 0:
      j = j+ abyte0[i + 2] * 256 * 256
      print "A " + str(j)
  else:
      j = j + (256 + abyte0[i + 2]) * 256 * 256

  if abyte0[i + 3] >= 0:
      j = j + abyte0[i + 3] * 256 * 256 * 256
      print "A " + str(j)
  else:
      j = j + (256 + abyte0[i + 3]) * 256 * 256 * 256

  return j

I added print statements to it to see what was going on while I was figuring things out. Now that I have it working, I went back to remove the print statements and I get an error!

Traceback (most recent call last):
  File "C:\Users\...\videostuff.py", line 154, in <module>
  ReadData(i)
    File "C:\Users\..\videostuff.py", line 122, in ReadData
    data = s.recv(DATA_SIZE)
    OverflowError: long int too large to convert to int

There seems to be a problem with converting from a long int to an int when reading from the socket with the returned value. But why does this work with the print statements in place?!

Calling code:

i = ToInt(data_string.tolist(), 0)

# First byte tells how big the data wil be
if i > 4 and (i - 4) > DATA_SIZE:
    DATA_SIZE = i - 4

# line 122
data = s.recv(DATA_SIZE)

All the codez:

import socket
from array import array
import Image
import StringIO
import sys

def ToInt(abyte0, i):

    if(abyte0[i] >= 0):
        j = abyte0[i]
        #print "A " + str(j)
    else:
        j = 256 + abyte0[i]

    if abyte0[i + 1] >= 0:
        j = j + (abyte0[i + 1] * 256)
        #print "A " + str(j)
    else:
        j = j + (256 + abyte0[i + 1]) * 256

    if abyte0[i + 2] >= 0:
        j = j+ abyte0[i + 2] * 256 * 256
        #print "A " + str(j)
    else:
        j = j + (256 + abyte0[i + 2]) * 256 * 256

    if abyte0[i + 3] >= 0:
        j = j + abyte0[i + 3] * 256 * 256 * 256
        #print "A " + str(j)
    else:
        j = j + (256 + abyte0[i + 3]) * 256 * 256 * 256

    return j

def StrLen(abyte0):
    for i in len(abyte0):
        if abyte0[i] == 0:
            return i

def StrLen(abyte0, i):
    for j in len(abyte0):
        if abyte0[i] == 0:
            return i
        else:
            i = i + 1

def Connect(s):
    out_header = array('B', [32, 0, 0, 0, 205, 0, 0, 0])
    data = array('B', [0, 0, 0, 0, \
                       5, 0, 0, 0, \
                       0, 0, 0, 0, \
                       0, 0, 0, 0, \
                       0, 0, 0, 0, \
                       0, 0, 0, 0, \
                       0, 0, 0, 0  \
                       ])

    #print 'sending data: '
    #print out_header.tostring()
    #print out_header.buffer_info()
    #print struct.unpack('BBBBBBBBB', out_header)
    s.send(out_header)
    s.send(data)

def ReadHeader():
    global DATA_SIZE
    global DATA_TYPE

    DATA_SIZE = 32

    # Read the reply header
    data = s.recv(HEADER_SIZE)
    data_string = array('B', data)

    i = ToInt(data_string.tolist(), 0)

    # First byte tells how big the data wil be
    if i > 4 and (i - 4) > DATA_SIZE:
        DATA_SIZE = i - 4

    print "DATA_SIZE is " + str(DATA_SIZE)

    # Second byte tells what the data is
    DATA_TYPE = data_string[4]

    #if DATA_TYPE == 1:
    #    print "Dunno"
    #elif DATA_TYPE == 106:
    #    print "MESSAGE"
    #elif DATA_TYPE == 207:
    #    print "IMAGE"
    #elif DATA_TYPE == 0:
    #    print "FALSE"
    #else:
    #    print "ERROR"

def ReadData(i):
    global DATA_SIZE

    #if DATA_SIZE > sys.maxint:
    #    DATA_SIZE = sys.maxint

    data = s.recv(DATA_SIZE)

    data_string = array('B', data)
    #afile = open("Dataz.txt", 'w')
    #data_string.tofile(afile)
    #print data_string

    abyte0 = data_string.tolist()

    #draw image
    image_w = ToInt(abyte0, 0)
    image_h = ToInt(abyte0, 4)

    # should be around 9k
    image_data_length = ToInt(abyte0, 72)

    datas = data_string[76:]

    file1 = open("Dataz.jpg", 'wb')
    datas.tofile(file1)
    file1.close()
    #print "Length of image data is: " + str(len(datas))

    #file = StringIO.StringIO(datas)
    #file1 = open("Dataz1.jpg", 'rb')
    #image = Image.open(file1)
    #image.show()

#Global variables
TCP_IP = '192.168.1.106'
TCP_PORT = 17860    
HEADER_SIZE = 8
DATA_SIZE = 32

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))

#Starts channel 1
Connect(s)

ReadHeader()

#first data contains the channel name and status
data = s.recv(DATA_SIZE)
data_string = array('B', data)

# Second data should be first image
ReadHeader()
ReadData(0)

for i in range(1, 20):
    ReadHeader()
    ReadData(i)

s.close()
+4  A: 

If you pass socket.recv() a value larger than 2147483647 (hex 0x7fffffff) Python will attempt to use a long integer instead of a regular integer. Clearly your value for DATA_SIZE is considered to be larger than that.

The ToInt() code appears to be trying to build up an integer out of individual bytes, and likely you aren't doing the conversion properly (specifically the part where you try to handle negative values). Generally when converting code from a C-like language, and I'll include Java in that set here, you want to find a higher-level way to express the code than working with individual bytes and characters.

Try using the standard library struct module to do the conversion instead of working with bytes. Making sure you specify the proper byte order (big/little endian) to get correct results. For example, assuming your data is a 4-character string where the first character represents the smallest value, this would probably do:

>>> import struct
>>> i = struct.unpack('<L', '\x23\x45\x00\x73')[0]
>>> print i
1929397539

You can interpret and modify that by checking the documentation referenced above.

Peter Hansen
I'll probably just implement it with this and forget the decompiled code. Still not sure why it works with the print statements in place...
Jake
As others have said, it very likely doesn't actually "work", it merely doesn't show that particular error, possibly as a result of the small delays introduced by printing. When printing changes behaviour, look either for exceptions raised by the printing code (but caught elsewhere, often by "blanket try/except" statements that don't specify a particular exception) or for the effect of delays. Perhaps the socket has received more data by the time the print completes. I can't say in your particular case, other than it's not likely the code really worked in all cases before.
Peter Hansen
I'm not offended that no one believes me, I would be the same way. But I'm actually getting images over the network saved to file, so I'd say it's working.
Jake
Don't get us wrong. I don't think anyone is saying it doesn't work *at all*. We're just saying the print statements could not be making the difference, so it's more likely that it works only sometimes and fails for other reasons. Maybe it's intermittent? Depends on the specific values in particular packets? If you could control the input data (reproduce a "canned" version for example) and try with and without prints and get 100% correlation between the results, then there might be more to this than meets the eye... and we could all be wrong about those prints too. :)
Peter Hansen
@Jake: "so I'd say it's working". If `abyte0[i+3] < 0`, it does not work. Period. You can claim that it appears to work, but it can only "work" when you avoid the `abyte0[i+3] < 0` condition.
S.Lott
Peter, you were right about the delays in printing. It seems adding a single sleep(0.08) has the same effect as the print statements. Without the delay, the packet is truncated and the next calculation becomes too large.
Jake
@Jake, excellent! Thanks for following up with results. So few do.
Peter Hansen
A: 

Here's an example of the problem

if abyte0[i + 3] >= 0:
    j = j + abyte0[i + 3] * 256 * 256 * 256
    #print "A " + str(j)
else:
    j = j + (256 + abyte0[i + 3]) * 256 * 256 * 256

Let's pretend j == 0 and abyte0 == ( 0, 0, 0, 0) and i == 0

>>> j + (256 + abyte0[i + 3]) * 256 * 256 * 256
4294967296L

The result is a long value. With or without the print statement, this statement is unlikely to be correct. The "Now that I have it working" part of the question is unlikely to have been completely true to begin with. That makes the "remove the print statements and I get an error" unlikely to be true, also.

S.Lott