Byte Pattern Splitting Problem?

Dark Frost · Post by **Dark Frost** » Fri Jan 20, 2023 4:40 am

ı Can use this code https://zenhax.com/viewtopic.php?t=1843#p10024 but ı have problem Byte Pattern Splitting
my code is

findloc OFFSET binary "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
do
    goto OFFSET
    get DUMMY long
    findloc NEXT_OFFSET binary "\x00\x07\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77" 0 ""
    if NEXT_OFFSET == ""
        get SIZE asize
    else
        math SIZE = NEXT_OFFSET
    endif
    math SIZE += OFFSET
    log "" OFFSET SIZE
    math OFFSET = NEXT_OFFSET
while NEXT_OFFSET != ""

Problem is first extracted file is fine because start with \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 Pattern And End With "\x00\x07\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77"
Like This

but 2nd and another files doesnt extracted correctly because start with "\x00\x07\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77" and with Nothing
Like This

How Can I Fix This ?

spiritovod · Post by **spiritovod** » Fri Jan 20, 2023 7:02 pm

Original script is designed for splitting by headers only (when you only search next header). If you need to consider both header and footer, you need to adjust the script accordingly:

Code: Select all

do
    findloc OFFSET binary "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 0 ""
    goto OFFSET
    get DUMMY long
    findloc NEXT_OFFSET binary "\x00\x07\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77" 0 ""
    if NEXT_OFFSET == ""
        get SIZE asize
    else
    	math NEXT_OFFSET + 16
        math SIZE = NEXT_OFFSET
    endif
    math SIZE - OFFSET
    log "" OFFSET SIZE
    math OFFSET = NEXT_OFFSET
    goto OFFSET
while NEXT_OFFSET != ""

though it may produce error on last iteration (everything should be already extracted at this point).

Dark Frost · Post by **Dark Frost** » Sat Jan 21, 2023 1:43 pm

spiritovod wrote:Original script is designed for splitting by headers only (when you only search next header). If you need to consider both header and footer, you need to adjust the script accordingly:
Code: Select all
do
    findloc OFFSET binary "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 0 ""
    goto OFFSET
    get DUMMY long
    findloc NEXT_OFFSET binary "\x00\x07\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77" 0 ""
    if NEXT_OFFSET == ""
        get SIZE asize
    else
    	math NEXT_OFFSET + 16
        math SIZE = NEXT_OFFSET
    endif
    math SIZE - OFFSET
    log "" OFFSET SIZE
    math OFFSET = NEXT_OFFSET
    goto OFFSET
while NEXT_OFFSET != ""
though it may produce error on last iteration (everything should be already extracted at this point).

Thank You So Much !!!! Everything Work Flawless Now

Dark Frost · Post by **Dark Frost** » Sat Jan 21, 2023 4:09 pm

I Try Learned Someting,I Try Rewriting Your Sending Code, But Where I Went Wrong ?

Code: Select all

do
    findloc A_OFFSET binary "\x70\x51\x45\x53\x00\x00\x00\x01" 0 ""
    goto A_OFFSET
    get A_SIZE LONG
    findloc B_OFFSET binary "\x00\xFF\x2F" 0 ""
    goto B_OFFSET
    get B_SIZE LONG
    math B_OFFSET + 4
    math B_SIZE = B_OFFSET
    math A_SIZE = A_OFFSET
    math B_SIZE - A_SIZE
    log "" NAME B_SIZE
    math A_OFFSET = B_OFFSET
    goto A_OFFSET
While NotEOF <> 0

spiritovod · Post by **spiritovod** » Sat Jan 21, 2023 6:01 pm

@Dark Frost: If you need to only change patterns for header or footer, just change 16 to the footer size (in bytes) and it will work. Otherwise, in case of more complex modifications, I suggest to look into quickbms documention for better understanding of what you're doing.

Dark Frost · Post by **Dark Frost** » Fri Jan 27, 2023 12:45 am

spiritovod wrote:@Dark Frost: If you need to only change patterns for header or footer, just change 16 to the footer size (in bytes) and it will work. Otherwise, in case of more complex modifications, I suggest to look into quickbms documention for better understanding of what you're doing.

Finally ı Create This Thing

Code: Select all

do
    findloc A_OFFSET binary "\x80\x00"
    goto A_OFFSET
    get A_SIZE asize
    findloc Q_OFFSET binary "\x43\x52\x49"
    goto Q_OFFSET
    get Q_SIZE asize
    if A_OFFSET == Q_OFFSET - 32
    findloc B_OFFSET binary "\x80\x01\x??\x??" 0 ""
    goto B_OFFSET
    if B_OFFSET == ""
        get B_SIZE asize
    else
       math B_OFFSET + 4 # 4 is B_OFFSET Byte
        math B_SIZE = B_OFFSET
    endif
    math B_SIZE - A_OFFSET
    string A_OFFSET + ".adx"
    log A_OFFSET A_OFFSET B_SIZE
    math A_OFFSET = B_OFFSET
    goto A_OFFSET
    else
    goto A_OFFSET
While NotEOF <> 0
cleanexit

I Thing if A_OFFSET == Q_OFFSET - 32 Script Continue, else goto A_OFFSET
but ı have problem Because İts Not working
my data is

How Can I Fix that because my some files have only "\x80\x00" Data ı Need Compare A_OFFSET before Q_OFFSET

And I try This Way But Not Working Too:

Code: Select all

do
    findloc A_OFFSET binary "\x80\x00"
    goto A_OFFSET
    get A_SIZE asize
    findloc Q_OFFSET binary "\x43\x52\x49"
    math Q_OFFSET - 34
    goto Q_OFFSET
    math Q_SIZE = Q_OFFSET
    if A_OFFSET == Q_SIZE
    findloc B_OFFSET binary "\x80\x01\x??\x??" 0 ""
    goto B_OFFSET
    if B_OFFSET == ""
        get B_SIZE asize
    else
       math B_OFFSET + 4 # 4 is B_OFFSET Byte
        math B_SIZE = B_OFFSET
    endif
    math B_SIZE - A_OFFSET
    string A_OFFSET + ".adx"
    log A_OFFSET A_OFFSET B_SIZE
    math A_OFFSET = B_OFFSET
    goto A_OFFSET
    else
    goto A_OFFSET
While NotEOF <> 0
cleanexit

ZenHAX

Byte Pattern Splitting Problem?

Byte Pattern Splitting Problem?

Re: Byte Pattern Splitting Problem?

Re: Byte Pattern Splitting Problem?

Re: Byte Pattern Splitting Problem?

Re: Byte Pattern Splitting Problem?

Re: Byte Pattern Splitting Problem?