Re^3: Socket unpack

Yes and no. How can you tell what the following means?

00 00 00 40 00 10 43 55 00 00 00 01 00 00 00 00
[download]

Judging by the placement of the NULs, what are probably big-endian 4-byte numbers stand out.

00 00 00 40 00 10 43 55 00 00 00 01 00 00 00 05
-----------             ----------- -----------
[download]

If it was stored in little-endian byte order, it would look like

40 00 00 00 55 43 10 00 01 00 00 00 05 00 00 00
-----------             ----------- -----------
[download]

00 00 00 40 is likely a 32-bit field with value 64. Do you have an idea of what data you are getting? Are you expecting 64 for anything or 64 of something? If you change the input, do you see a corresponding change there?

But maybe 00 00 00 40 is two 16-bit fields. Or two bytes and one 16-bit, or ...

Do you see any repeating patterns? You could be looking at a list of records. For example,

06 00 00 00 00 00 00 00 3C 00 00 00 7A 2D 01 01   ........<...z-..
EC 4E 14 DE FF FF FF FF FF FF FF FF 7A 2D 01 01   .N..........z-..
ED 4E 14 DE FF FF FF FF FF FF FF FF 39 5A 01 27   .N..........9Z.'
E8 62 F4 EA FF FF FF FF FF FF FF FF 39 5A 01 27   .b..........9Z.'
E7 62 F4 EA FF FF FF FF FF FF FF FF 39 5A 01 27   .b..........9Z.'
76 5D AE E5 FF FF FF FF FF FF FF FF 39 5A 01 27   v]..........9Z.'
...
[download]

appears to contains 16 byte records (starting after 12 bytes). There are 60 such records, so the preceding 3C 00 00 00 must be the number of records that follow.

You could study the sender's source code, disassembling a binary if necessary. If you have access to another receiver, you could also study it.

If you need to send something back, you'll need to study an existing client, or at least the communication between an exiting client and server.

Nothing simple ahead.

Comment on Re^3: Socket unpack Select or Download Code

Replies are listed 'Best First'.
Re^4: Socket unpack by Anonymous Monk on Feb 16, 2010 at 09:48 UTC
That`s way beyond my experience and skills. Is there some kind of a book or guide that explains it all. Do you suggest any reading	[reply]
Re^5: Socket unpack by Corion (Patriarch) on Feb 16, 2010 at 10:02 UTC
I'm not aware of any book on reverse engineering. Reverse engineering is to me not unlike debugging, except that you have no access to the source code of either end of the communication. You will need to monitor all communication between the two parts of your program, and try to associate the communication with certain actions that you can identify, like "if I press this button, it sends the following byte sequence". Then you will need to try to replay that communication on your own. So far, you haven't even told us what application you are trying to automate, and what setting it is, so we can't likely help you further.	[reply]
Re^6: Socket unpack by cdarke (Prior) on Feb 16, 2010 at 13:05 UTC
I'm not aware of any book on reverse engineering "Reversing: Secrets of Reverse Engineering" by Eldad Eilam is available on Amazon. However, you do need low-level skills. Maybe you should discuss this with the manager who set you this task. If the socket stream you need to read is undocumented then the first thing to look for is the source code of the program that is generating it. Presumably the data stream is aimed at a program at the other end - where is the source code for that?	[reply]
Re^6: Socket unpack by Anonymous Monk on Feb 16, 2010 at 11:01 UTC
That`s exactly what I'm up to. I need to know what it`s sending and/or receiving so I can automate it. The fact I am new to this and have no idea why they use binary data in socket communications and how the request is assembled that`s why I am asking about some kind of tutorial/book/guide or anything that gets me started	[reply]