x64dbg
/
btparser
mirror of https://github.com/x64dbg/btparser
1
0
Fork 0
Code Releases Activity

initial commit (lexer working for very very simple files)

This commit is contained in:
mrexodia 2016-06-05 00:00:36 +02:00
commit 7c18c0238f
No known key found for this signature in database
GPG Key ID: D72F9A4FAA0073B4
105 changed files with 35629 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
*.sdf
*.opensdf
*.suo
Release/
Debug/

22
cparser.sln Normal file
View File

@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.40629.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cparser", "cparser\cparser.vcxproj", "{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}.Debug|Win32.ActiveCfg = Debug|Win32
{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}.Debug|Win32.Build.0 = Debug|Win32
{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}.Release|Win32.ActiveCfg = Release|Win32
{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

2
cparser/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
Debug/
Release/

306
cparser/AVITemplate.bt Normal file
View File

@ -0,0 +1,306 @@
//------------------------------------
//--- 010 Editor v1.2 Binary Template
//
// Name: AVITemplate.bt
// Original Author: Blaine Lefebvre [bl]
// Contributor: Elias Bachaalany [eb]
// Purpose: Parse an AVI file
//
// Last Updated: 10/02/2006, 04:40 PM
//
// History
// -----------
// [bl] original version: Blaine Lefevre
// 10/02/2006:
// - [eb] Added BITMAPINFO and WAVEFORMATEX proper strfHEADER recognition
// - [eb] Fixed 'idx1' parsing
//------------------------------------
typedef struct
{
WORD wFormatTag;
WORD nChannels;
DWORD nSamplesPerSec;
DWORD nAvgBytesPerSec;
WORD nBlockAlign;
WORD wBitsPerSample;
WORD cbSize;
} WAVEFORMATEX;
// head structure info
typedef struct
{
DWORD dwMicroSecPerFrame;
DWORD dwMaxBytesPerSec;
DWORD dwReserved1;
DWORD dwFlags;
DWORD dwTotalFrames;
DWORD dwInitialFrames;
DWORD dwStreams;
DWORD dwSuggestedBufferSize;
DWORD dwWidth;
DWORD dwHeight;
DWORD dwScale;
DWORD dwRate;
DWORD dwStart;
DWORD dwLength;
} MainAVIHeader;
typedef struct
{
uint32 biSize;
uint32 biWidth;
uint32 biHeight;
uint16 biPlanes;
uint16 biBitCount;
uint32 biCompression;
uint32 biSizeImage;
uint32 biXPelsPerMeter;
uint32 biYPelsPerMeter;
uint32 biClrUsed;
uint32 biClrImportant;
} BITMAPINFOHEADER;
typedef struct
{
unsigned char rgbBlue;
unsigned char rgbGreen;
unsigned char rgbRed;
unsigned char rgbReserved;
} RGBQUAD;
typedef struct
{
BITMAPINFOHEADER bmiHeader;
RGBQUAD bmiColors;
} BITMAPINFO;
typedef struct
{
char id[4];
uint32 datalen;
MainAVIHeader data;
} avihHEADER;
// header stream structure info
typedef struct
{
char fccType[4];
char fccHandler[4];
DWORD dwFlags;
DWORD dwReserved1;
DWORD dwInitialFrames;
DWORD dwScale;
DWORD dwRate;
DWORD dwStart;
DWORD dwLength;
DWORD dwSuggestedBufferSize;
DWORD dwQuality;
DWORD dwSampleSize;
DWORD xdwQuality;
DWORD xdwSampleSize;
} AVIStreamHeader;
typedef struct
{
char id[4];
uint32 datalen;
AVIStreamHeader data;
}strhHEADER;
// Generic strfHEADER
typedef struct
{
char id[4];
uint32 datalen;
if (datalen % 2)
char data[datalen+1];
else
char data[datalen];
} strfHEADER;
// strfHEADER with BITMAPINFOHEADER
typedef struct
{
char id[4];
uint32 datalen;
BITMAPINFOHEADER bmiHeader;
local int sz = sizeof(bmiHeader);
if (datalen == (sizeof(BITMAPINFOHEADER) + sizeof(RGBQUAD)))
{
RGBQUAD bmiColors;
sz += sizeof(RGBQUAD);
}
Printf("left: %d\n", sz);
char exData[datalen - sz];
} strfHEADER_BIH;
// strfHEADER with WAVEFORMAT
typedef struct
{
char id[4];
uint32 datalen;
WAVEFORMATEX wave;
char exData[datalen - sizeof(WAVEFORMATEX)];
} strfHEADER_WAVE;
//
typedef struct
{
char id[4];
uint32 datalen;
if ( datalen % 2 )
char data[datalen+1];
else
char data[datalen];
} strnHEADER;
//
typedef struct
{
char id[4];
uint32 datalen;
if ( datalen % 2 )
char data[datalen+1];
else
char data[datalen];
} genericblock;
typedef struct
{
char id[4];
uint32 datalen;
char type[4];
if (!Memcmp(type,"hdrl",4))
{
avihHEADER avhi;
}
else if (!Memcmp(type,"strl",4))
{
strhHEADER strh;
// Printf("->%c%c%c%c\n", strh.data.fccHandler[0], strh.data.fccHandler[1],strh.data.fccHandler[2],strh.data.fccHandler[3]);
if (Memcmp(strh.data.fccType, "vids", 4) == 0)
{
strfHEADER_BIH strf;
}
else if (Memcmp(strh.data.fccType, "auds", 4) == 0)
{
strfHEADER_WAVE strf;
}
else
{
strfHEADER strf;
}
strnHEADER strn;
}
else if (Memcmp(type,"movi",4) == 0)
{
local int32 pointer = 0;
local int32 stop = datalen - 4;
//Printf("stop=%d\n", stop);
do
{
genericblock gb;
pointer += sizeof(gb);
//Printf("+%x = %d\n", gb.datalen, pointer);
} while (pointer != stop);
}
else
{
char data[datalen-4];
}
} LISTHEADER;
// junk structure info
typedef struct
{
char id[4];
uint32 datalen;
if ( datalen % 2 )
char data[datalen+1];
else
char data[datalen];
} JUNKHEADER;
// aviindex structure info
typedef struct
{
DWORD ckid;
DWORD dwFlags;
DWORD dwChunkOffset;
DWORD dwChunkLength;
} AVIINDEXENTRY;
const DWORD AVIINDEXENTRYLEN = 16;
typedef struct
{
char id[4];
uint32 datalen;
AVIINDEXENTRY data[datalen/AVIINDEXENTRYLEN];
} idx1HEADER;
// root structure info
typedef struct xroot
{
char id[4]; // RIFF
if (root.id[3] == 'X')
{
Printf("Motorola format\n");
BigEndian();
}
else
{
Printf("Intel format\n");
LittleEndian();
}
uint32 datalen;
char form[4];
if (Strcmp(form, "AVI "))
{
Warning("Not a valid AVI file");
return -1;
}
} ROOT;
local char nheader[4];
ROOT root;
while (!FEof())
{
ReadBytes(nheader,FTell(), 4);
if (Memcmp(nheader,"LIST",4) == 0)
{
LISTHEADER list;
}
else if (Memcmp(nheader, "JUNK",4) == 0)
{
JUNKHEADER junk;
}
else if (Memcmp(nheader, "idx1",4) == 0)
{
idx1HEADER idx1;
}
else
{
if (!FEof())
Printf("unknown chunk: %c%c%c%c", nheader[0],nheader[1],nheader[2],nheader[3]);
return -1;
}
}

188
cparser/AndroidManifestTemplate.bt Normal file
View File

@ -0,0 +1,188 @@
//--------------------------------------
//--- 010 Editor v5.0.2 Binary Template
//
// File: AndroidManifestTemplate.bt
// Author: dongmu
// Revision: 1.0
// Purpose: Define a template for parsing
// AndroidManifest.xml binary files.
//--------------------------------------
// Define the structures used in a
// AndroidManifest.xml binary file
// Define Header
typedef struct {
uint magicnumber;
uint filesize;
} HEADER;
// Define the string format
typedef struct {
ushort sfSize;
if (sfSize > 0)
{
struct {
char c1;
char c2;
} ONECHAR[ sfSize ];
}
ushort sfEnd;
} STRING_ITEM;
// Define the string chunk
typedef struct {
uint scSignature;
uint scSize;
uint scStringCount;
uint scStyleCount;
uint scUNKNOWN;
uint scStringPoolOffset;
uint scStylePoolOffset;
uint scStringOffsets[ scStringCount ] <comment="Relative to the 0x8+scStringPoolOffset">;
if (scStyleCount > 0)
uint scStyleOffset[ scStylePoolOffset ];
// The Strings
local int i;
for (i = 0; i < scStringCount; i++)
{
if ((0x8+scStringPoolOffset + scStringOffsets[ i ]) < (0x8+scSize))
{
FSeek(0x8+scStringPoolOffset + scStringOffsets[ i ]);
STRING_ITEM strItem;
}
}
} STRINGCHUNK;
// Define the Resource chunk
typedef struct {
local int pos = FTell();
uint rcSignature;
uint rcSize;
uint rcItem[ rcSize/4 - 2 ];
} RESOURCEIDCHUNK;
// Define the Start Namespace Chunk
typedef struct {
uint sncSignature;
uint sncSize;
uint sncLineNumber;
uint sncUNKNOWN;
uint sncPrefix;
uint sncUri;
} SNCHUNK;
// Define the End Namespace Chunk
typedef struct {
uint encSignature;
uint encSize;
uint encLineNumber;
uint encUNKNOWN;
uint encPrefix;
uint encUri;
} ENCHUNK;
// Define the Attribute Chunk
typedef struct {
uint acNamespaceUri;
uint acName;
uint acValueStr;
uint acType <comment="right shift 24bit">;
uint acData;
} ATTRIBUTECHUNK;
// Define the Start Tag Chunk
typedef struct {
local int pos = FTell();
uint stcSignature;
uint stcSize;
uint stcLineNumber;
uint stcUNKNOWN;
uint stcNamespaceUri;
uint stcName;
uint stcFlags;
uint stcAttributeCount;
uint stcClassAttribute;
while (FTell() != pos + stcSize)
ATTRIBUTECHUNK attributeChunk;
} STCHUNK;
// Define the End Tag Chunk
typedef struct {
uint etcSignature;
uint etcSize;
uint etcLineNumber;
uint etcUNKNOWN;
uint etcNamespaceUri;
uint etcName;
} ETCHUNK;
// Define the Text Chunk
typedef struct {
uint tcSignature;
uint tcSize;
uint tcLineNumber;
uint tcUNKNOWN;
uint tcName;
uint tcUNKNOWN;
uint tcUNNNOWN;
} TEXTCHUNK;
//--------------------------------------
// Define the file
local uint tag;
LittleEndian();
HEADER header;
SetBackColor( cLtGreen );
STRINGCHUNK stringChunk;
// Sometimes there are some zeros padding after the string chunk
FSeek(0x8+stringChunk.scSize);
SetBackColor( cLtBlue );
RESOURCEIDCHUNK resourceChunk;
FSeek(resourceChunk.pos+resourceChunk.rcSize);
while( !FEof() )
{
// Read a tag
tag = ReadUInt( FTell() );
// Read data depending upon tag
if (tag == 0x00100100)
{
SetBackColor( cLtPurple );
SNCHUNK startNamespaceChunk;
}
else if (tag == 0x00100101)
{
SetBackColor( cLtPurple );
ENCHUNK endNamespaceChunk;
}
else if (tag == 0x00100102)
{
SetBackColor( cLtGreen );
STCHUNK startTagChunk;
}
else if (tag == 0x00100103)
{
SetBackColor( cLtGreen );
ETCHUNK endTagChunk;
}
else if (tag == 0x00100104)
{
SetBackColor( cLtBlue );
TEXTCHUNK TextChunk;
}
}

127
cparser/BMPTemplate.bt Normal file
View File

@ -0,0 +1,127 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: BMPTemplate.bt
// Author: SweetScape Software
// Revision: 2.2
// Purpose: Defines a template for
// parsing BMP image files.
//-----------------------------------
// Define structures used in BMP files
typedef struct { // bmfh
CHAR bfType[2];
DWORD bfSize;
WORD bfReserved1;
WORD bfReserved2;
DWORD bfOffBits;
} BITMAPFILEHEADER;
typedef struct { // bmih
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount;
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;
typedef struct { // rgbq
UBYTE rgbBlue;
UBYTE rgbGreen;
UBYTE rgbRed;
UBYTE rgbReserved;
} RGBQUAD <read=ReadRGBQUAD>;
typedef struct { // rgbt
UBYTE rgbBlue;
UBYTE rgbGreen;
UBYTE rgbRed;
} RGBTRIPLE <read=ReadRGBTRIPLE>;
//---------------------------------------------
// Custom read functions for color types - this allows the
// color to be displayed without having to open up the structure.
string ReadRGBQUAD( RGBQUAD &a )
{
string s;
SPrintf( s, "#%02X%02X%02X%02X", (int)a.rgbReserved, (int)a.rgbRed, (int)a.rgbGreen, (int)a.rgbBlue );
return s;
}
string ReadRGBTRIPLE( RGBTRIPLE &a )
{
string s;
SPrintf( s, "#%02X%02X%02X", (int)a.rgbRed, (int)a.rgbGreen, (int)a.rgbBlue );
return s;
}
//---------------------------------------------
// Define the headers
LittleEndian();
SetBackColor( cLtGray );
BITMAPFILEHEADER bmfh;
BITMAPINFOHEADER bmih;
// Check for header
if( bmfh.bfType != "BM" )
{
Warning( "File is not a bitmap. Template stopped." );
return -1;
}
// Define the color table
if( (bmih.biBitCount != 24) && (bmih.biBitCount != 32) )
{
SetBackColor( cLtAqua );
if( bmih.biClrUsed > 0 )
RGBQUAD aColors[ bmih.biClrUsed ];
else
RGBQUAD aColors[ 1 << bmih.biBitCount ];
}
// Define the bytes of the data
SetBackColor( cNone );
if( bmih.biCompression > 0 )
{
// Bytes are compressed
if( bmih.biSizeImage > 0 )
UBYTE rleData[ bmih.biSizeImage ];
else
UBYTE rleData[ bmfh.bfSize - FTell() ];
}
else
{
// Calculate bytes per line and padding required
local int bytesPerLine = (int)Ceil( bmih.biWidth * bmih.biBitCount / 8.0 );
local int padding = 4 - (bytesPerLine % 4);
if( padding == 4 )
padding = 0;
// Define each line of the image
struct BITMAPLINE {
// Define color data
if( bmih.biBitCount < 8 )
UBYTE imageData[ bytesPerLine ];
else if( bmih.biBitCount == 8 )
UBYTE colorIndex[ bmih.biWidth ];
else if( bmih.biBitCount == 24 )
RGBTRIPLE colors[ bmih.biWidth ];
else if( bmih.biBitCount == 32 )
RGBQUAD colors[ bmih.biWidth ];
// Pad if necessary
if( padding != 0 )
UBYTE padBytes[ padding ];
} lines[ bmih.biHeight ] <optimize=true>;
}

117
cparser/CABTemplate.bt Normal file
View File

@ -0,0 +1,117 @@
//--------------------------------------
//--- 010 Editor v3.2.2 Binary Template
//
// File: cabtemplate.bt
// Author: Alex McDonnell
// Revision: 0.1
// Purpose: Parse Microsoft CAB files
// Changes:
// 0.2 (SweetScape):
// - Allow for multiple flags to be set at the same time
//--------------------------------------
// Define structures used in CAB files
typedef struct {
//header
char signature[4]; /* 'MSCF' */
uint reserved1; /* 0x00000000 */
uint cbCabinet; /* size of this cabinet file in bytes */
uint reserved2; /* 0x00000000 */
uint coffFiles; /* offset of the first CFFILE entry */
uint reserved3; /* 0x00000000 */
ubyte versionMinor; /* cabinet file format version, minor 0x03 */
ubyte versionMajor; /* cabinet file format version, major 0x01 */
ushort cFolders; /* number of CFFOLDER entries in this cabinet */
ushort cFiles; /* number of CFFILE entries in this cabinet */
ushort flags; /* cabinet file option indicators 0x0001 0x0002 0x0004 only*/
ushort setID; /* must be the same for all cabinets in a set */
ushort iCabinet; /* number of this cabinet file in a set */
if(flags & 4){
ushort cbCFHeader; /* (optional) size of per-cabinet reserved area */
ubyte cbCFFolder; /* (optional) size of per-folder reserved area */
ubyte cbCFData; /* (optional) size of per-datablock reserved area */
if(cbCFHeader > 0)
char abReserve[cbCFHeader]; /* (optional) per-cabinet reserved area */
}
if(flags & 1){
char szCabinetPrev[];/* (optional) name of previous cabinet file */
char szDiskPrev[]; /* (optional) name of previous disk */
}
if(flags & 2){
char szCabinetNext[]; /* (optional) name of next cabinet file */
char szDiskNext[]; /* (optional) name of next disk */
}
} CFHEADER;
LittleEndian();
CFHEADER header;
local uint counter = 0;
typedef struct {
//folder
uint coffCabStart; /* offset of the first CFDATA block in this folder */
ushort cCFData; /* number of CFDATA blocks in this folder */
ushort typeCompress; /* compression type indicator */
if( exists(header.cbCFFolder))
char abReserve[header.cbCFFolder]; /* (optional) per-folder reserved area */
} CFFOLDER;
typedef struct {
//file
uint cbFile; /* uncompressed size of this file in bytes */
uint uoffFolderStart; /* uncompressed offset of this file in the folder */
ushort iFolder; /* index into the CFFOLDER area */
DOSDATE date; /* date stamp for this file */
DOSTIME time; /* time stamp for this file */
ushort attribs; /* attribute flags for this file */
char szName[]; /* name of this file */
} CFFILE;
typedef struct {
//data
uint csum; /* checksum of this CFDATA entry */
ushort cbData; /* number of compressed bytes in this block */
ushort cbUncomp; /* number of uncompressed bytes in this block */
if( exists(header.cbCFData))
char abReserve[header.cbCFData]; /* (optional) per-datablock reserved area */
char ab[cbData]; /* compressed data bytes */
} CFDATA;
while(header.cFolders > counter){
counter++;
CFFOLDER folder;
}
counter = 0;
while(header.cFiles > counter){
counter++;
CFFILE file;
}
counter = 0;
while(folder.cCFData > counter){
counter++;
CFDATA data;
}

1292
cparser/CAPTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

31
cparser/CDATemplate.bt Normal file
View File

@ -0,0 +1,31 @@
//------------------------------------
//--- 010 Editor v1.0 Binary Template
//
// Name: CDATemplate.bt
// Author: Szabolcs Dávid
// Purpose: CDA template for Audio CD
// header Information
//------------------------------------
typedef struct
{
char szHeader[8];
char szFormat[8];
DWORD dwEOLn;
} CDAFILEHEADER;
typedef struct
{
WORD wTrackFirst;
WORD wTrackCount;
DWORD dwVolumeSerialNumber;
DWORD dwStartFrame;
DWORD dwLengthFrame;
DWORD dwStartMS;
DWORD dwLengthMS;
} CDAINFORMATION;
LittleEndian();
CDAFILEHEADER Header;
CDAINFORMATION Information;

253
cparser/CLASSTemplate.bt Normal file
View File

@ -0,0 +1,253 @@
//-------------------------------------------------------------------------
//--- 010 Editor v2.1 Binary Template
//
// File: CLASSTemplate.bt
// Author: Kevin O. Grover <kevin@kevingrover.net>
// Purpose: A template for parsing Java Class (JVM) Files
// Version: 1.1 2014-08-13
// History:
// 2007-02-26 kog Original Version
// 2014-08-13 kog Updated for Java 7/8 Version number (and future)
//
// This template was written to the "The Java Virtual Machine
// Specification", Second Edition, by Tim Lindholm, Frank Yellin.
// It was later updated to include the provisio in that spec (and future
// specs).
//
// The details used to write this Template came mainly from Chapter 4:
// "The <code>class</code> File Format".
//
// You can get the document from the Oracle Java Pages or Wikipedia:
// http://docs.oracle.com/javase/specs/
// http://docs.oracle.com/javase/specs/jvms/se7/jvms7.pdf
// http://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf
// http://en.wikipedia.org/wiki/Class_file
//-------------------------------------------------------------------------
BigEndian();
// Types used in the JVM Spec.
// (To make this code as close to the text in the spec as possible.)
typedef uint32 u4;
typedef uint16 u2;
typedef ubyte u1;
typedef enum <u2> eACCESS_FLAGS {
ACC_PUBLIC = 0x0001, // Declared public; may be accessed from outside its package.
ACC_PRIVATE = 0x0002, // Declared private; usable only within the defining class.
ACC_PROTECTED = 0x0004, // Declared protected; may be accessed within subclasses.
ACC_STATIC = 0x0008, // Declared static.
ACC_FINAL = 0x0010, // Declared final; no subclasses allowed.
ACC_SUPER = 0x0020, // Treat superclass methods specially when invoked by the invokespecial instruction.
ACC_VOLATILE = 0x0040, // Declared volatile; cannot be cached.
ACC_TRANSIENT = 0x0080, // Declared transient; not written or read by a persistent object manager.
ACC_NATIVE = 0x0100, // Declared native; implemented in a language other than Java.
ACC_INTERFACE = 0x0200, // Is an interface, not a class.
ACC_ABSTRACT = 0x0400, // Declared abstract; may not be instantiated.
ACC_STRICT = 0x0800 // Declared strictfp; floating-point mode is FP-strict
} AF <read=read_AF>;
string read_AF (local AF &af) {
local string s = "";
local int commaNeeded = 0;
local AF i = 1;
SPrintf (s, "%d: ", af);
// Iterate over all possible values the flags
// if the given bit is set, add it's text representation to the
// return string.
// NOTE: There's probably a better way to do this. (More portable?)
while (i < ACC_STRICT) {
if (af && i) {
if (commaNeeded) {
s += ", ";
}
s += EnumToString(i);
commaNeeded = 1;
}
i = i << 1;
}
return s;
}
// Constants for cp_info.tag ...
typedef enum <u1> eCP_CONST {
CONSTANT_Utf8 = 1,
CONSTANT_Integer = 3,
CONSTANT_Float = 4,
CONSTANT_Long = 5,
CONSTANT_Double = 6,
CONSTANT_Class = 7,
CONSTANT_String = 8,
CONSTANT_Fieldref = 9,
CONSTANT_Methodref = 10,
CONSTANT_InterfaceMethodref = 11,
CONSTANT_NameAndType = 12,
} CP_CONST;
// Constant Pool Table Structure
// NOTE: These are NOT constant sized items. Although referenced
// like an array in the main structure, you can not use position
// to directly infer a byte offset because you do not know the
// sizes of the items preceeding it.
typedef struct {
CP_CONST tag;
switch(tag)
{
case CONSTANT_Class:
u2 name_index;
break;
case CONSTANT_Methodref:
case CONSTANT_Fieldref:
case CONSTANT_InterfaceMethodref:
u2 class_index;
u2 name_and_type_index;
break;
case CONSTANT_Utf8:
u2 length;
char bytes[length];
break;
case CONSTANT_Integer:
case CONSTANT_Float:
u4 bytes;
break;
case CONSTANT_Long:
case CONSTANT_Double:
u4 high_bytes;
u4 low_bytes;
break;
case CONSTANT_String:
u2 string_index;
break;
case CONSTANT_NameAndType:
u2 name_index;
u2 descriptor_index;
break;
default:
local string s;
SPrintf(s, "Unknown 'constant_pool' tag: %d", tag);
Warning(s);
return -3;
}
} cp_info <read=read_cp_info, optimize=false>;
/**
* Reader for 'cp_info'
* @param cp_info Constant Pool info structure
*/
string read_cp_info (local cp_info &i)
{
local string s = "";
s = EnumToString(i.tag);
if (i.tag == CONSTANT_Utf8) {
s += ": " + i.bytes;
}
return s;
}
typedef struct {
u2 attribute_name_index;
u4 attribute_length;
u1 info[attribute_length];
} attribute_info <optimize=false>;
typedef struct {
AF access_flags;
u2 name_index;
u2 descriptor_index;
u2 attributes_count;
attribute_info attributes[attributes_count];
} field_info <optimize=false>;
typedef struct {
AF access_flags;
u2 name_index;
u2 descriptor_index;
u2 attributes_count;
attribute_info attributes[attributes_count];
} method_info <optimize=false>;
// MAIN Structure
typedef struct {
u4 magic <format=hex>;
if (magic != 0xCAFEBABE) { // Check that 'magic' is correct
Warning("Incorrect Magic Number. This is not a JVM Class. Template Terminated.");
return -1;
}
u2 minor_version;
u2 major_version;
u2 constant_pool_count;
cp_info constant_pool[constant_pool_count-1];
AF access_flags;
u2 this_class; // Reference into constant_pool table
if (this_class < 1 || this_class > constant_pool_count-1) {
local string s;
SPrintf(s,"Bad 'this_class' reference (%d). It should be in the range [1..%d]", this_class, constant_pool_count-1);
Warning(s);
return -2;
}
u2 super_class; // Reference into constant_pool table
if (super_class < 1 || super_class > constant_pool_count-1) {
local string s;
SPrintf(s,"Bad 'super_class' reference (%d). It should be in the range [1..%d]", super_class, constant_pool_count-1);
Warning(s);
return -2;
}
u2 interfaces_count;
u2 interfaces[interfaces_count];
u2 fields_count;
field_info fields[fields_count];
u2 methods_count;
method_info methods[methods_count];
u2 attributes_count;
attribute_info attributes[attributes_count];
} JVMClass <read=read_JVMClass, optimize=false>;
/**
* Reader for 'JVMClass'
* Returns the JVM Version: major.minor and the Java version (if it can
* calculate it from the JVM Version.
* @param j JVMClass The JVM Class Structure
* @return string The version information
*/
string read_JVMClass (local JVMClass &j)
{
// JVM Version (as stored in the class file)
local string s;
SPrintf (s, "JVM class v%d.%d", j.major_version, j.minor_version);
// Java Runtime Version. From the JVM Spec for class files
local int major = 1;
local int minor = 0;
if (j.major_version == 45) {
if (j.minor_version >= 3) minor = 1;
} else {
if (j.major_version >= 46) {
minor = j.major_version - 44;
} else {
// Unknown: it's either newer or older than expected
major = 0;
minor = 0;
Warning("Unexpected JVM major version number.");
}
}
if (major || minor) {
local string jre_v;
SPrintf(jre_v, " (Java %d.%d)", major, minor);
s += jre_v;
} else {
s += " (Unknown Java Version)";
}
return s;
}
// *****************************************
// MAIN - Allocate data here...
// *****************************************
struct JVMClass jc;

121
cparser/CLASSTemplate2.bt Normal file
View File

@ -0,0 +1,121 @@
BigEndian();
typedef struct {
enum <ubyte> {
CONSTANT_Class = 7,
CONSTANT_Fieldref = 9,
CONSTANT_Methodref = 10,
CONSTANT_InterfaceMethodref = 11,
CONSTANT_String = 8,
CONSTANT_Integer = 3,
CONSTANT_Float = 4,
CONSTANT_Long = 5,
CONSTANT_Double = 6,
CONSTANT_NameAndType = 12,
CONSTANT_Utf8 = 1
} tag;
switch (tag) {
case 7:
uint16 name_index;
break;
case 9:
uint16 class_index;
uint16 name_and_type_index;
break;
case 10:
uint16 class_index;
uint16 name_and_type_index;
break;
case 11:
uint16 class_index;
uint16 name_and_type_index;
break;
case 8:
uint16 string_index;
break;
case 3:
int32 int_value;
break;
case 4:
float float_value;
break;
case 5:
int64 long_value;
break;
case 6:
double double_value;
break;
case 12:
uint16 name_index;
uint16 descriptor_index;
break;
case 1:
uint16 length;
char utf8_value[length];
break;
}
} cp_info;
typedef struct {
uint16 attribute_name_index;
uint32 attribute_length;
char info[attribute_length];
} attribute_info;
typedef struct {
uint16 access_flags <format = binary>;
uint16 name_index;
uint16 descriptor_index;
uint16 attributes_count;
local int i_att2 = 0;
for ( i_att2 = 0; i_att2 < attributes_count; i_att2++) {
attribute_info attributes;
};
} field_info, method_info;
typedef struct {
uint32 magic <format = hex>;
if (magic != 0xCAFEBABE) {
Warning ("Invalid Class File.");
return -1;
}
uint16 minor_version;
uint16 major_version;
uint16 constant_pool_count;
local int i_cp = 0;
for ( i_cp = 1; i_cp < constant_pool_count; i_cp++) {
cp_info constant_pool;
if ( constant_pool.tag == 5 || constant_pool.tag == 6 ){
i_cp++;
}
};
uint16 access_flags <format = binary>;
uint16 this_class;
uint16 super_class;
uint16 interfaces_count;
local int i_if = 0;
for ( i_if = 0; i_if < interfaces_count; i_if++) {
uint16 interfaces;
};
uint16 fields_count;
local int i_fld = 0;
for ( i_fld = 0; i_fld < fields_count; i_fld++) {
field_info fields;
};
uint16 methods_count;
local int i_m = 0;
for ( i_m = 0; i_m < methods_count; i_m++) {
method_info methods;
};
uint16 attributes_count;
local int i_att = 0;
for ( i_att = 0; i_att < attributes_count; i_att++) {
attribute_info attributes;
};
} class_file;
class_file file;
if (!FEof()) {
Warning("File is not properly ended.");
};

1477
cparser/CLASSTemplate3.bt Normal file
View File

File diff suppressed because it is too large Load Diff

209
cparser/CRXTemplate.bt Normal file
View File

@ -0,0 +1,209 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: CRXTemplate.bt
// Author: SweetScape Software
// Revision: 1.0
// Purpose: Copy of ZIPTemplate.bt
// with extra bits for Google Chrome
// extensions.
//-----------------------------------
// Define structures used in ZIP files
//enum used for compression format
typedef enum <short> {
COMP_STORED = 0,
COMP_SHRUNK = 1,
COMP_REDUCED1 = 2,
COMP_REDUCED2 = 3,
COMP_REDUCED3 = 4,
COMP_REDUCED4 = 5,
COMP_IMPLODED = 6,
COMP_TOKEN = 7,
COMP_DEFLATE = 8,
COMP_DEFLATE64 = 9
} COMPTYPE;
// Defines a file record
typedef struct {
// Header for the file
char frSignature[4]; //0x04034b50
ushort frVersion;
ushort frFlags;
COMPTYPE frCompression;
DOSTIME frFileTime;
DOSDATE frFileDate;
uint frCrc <format=hex>;
uint frCompressedSize;
uint frUncompressedSize;
ushort frFileNameLength;
ushort frExtraFieldLength;
if( frFileNameLength > 0 )
char frFileName[ frFileNameLength ];
if( frExtraFieldLength > 0 )
uchar frExtraField[ frExtraFieldLength ];
// Compressed data
SetBackColor( cNone );
if( frCompressedSize > 0 )
uchar frData[ frCompressedSize ];
} ZIPFILERECORD <read=ReadZIPFILERECORD, write=WriteZIPFILERECORD>;
// Defines an entry in the directory table
typedef struct {
char deSignature[4]; //0x02014b50
ushort deVersionMadeBy;
ushort deVersionToExtract;
ushort deFlags;
COMPTYPE deCompression;
DOSTIME deFileTime;
DOSDATE deFileDate;
uint deCrc <format=hex>;
uint deCompressedSize;
uint deUncompressedSize;
ushort deFileNameLength;
ushort deExtraFieldLength;
ushort deFileCommentLength;
ushort deDiskNumberStart;
ushort deInternalAttributes;
uint deExternalAttributes;
uint deHeaderOffset;
if( deFileNameLength > 0 )
char deFileName[ deFileNameLength ];
if( deExtraFieldLength > 0 )
uchar deExtraField[ deExtraFieldLength ];
if( deFileCommentLength > 0 )
uchar deFileComment[ deFileCommentLength ];
} ZIPDIRENTRY <read=ReadZIPDIRENTRY>;
// Defines the digital signature
typedef struct {
char dsSignature[4]; //0x05054b50
ushort dsDataLength;
if( dsDataLength > 0 )
uchar dsData[ dsDataLength ];
} ZIPDIGITALSIG;
// Defintes the Data descriptor
typedef struct {
char ddSignature[4]; //0x08074b50
uint ddCRC <format=hex>;
uint ddCompressedSize;
uint ddUncompressedSize;
} ZIPDATADESCR;
// Defines the end of central directory locator
typedef struct {
char elSignature[4]; //0x06054b50
ushort elDiskNumber;
ushort elStartDiskNumber;
ushort elEntriesOnDisk;
ushort elEntriesInDirectory;
uint elDirectorySize;
uint elDirectoryOffset;
ushort elCommentLength;
if( elCommentLength > 0 )
char elComment[ elCommentLength ];
} ZIPENDLOCATOR;
//--------------------------------------------
// Custom read functions that allows the name of the
// of the file to appear in the Template Results.
string ReadZIPFILERECORD( ZIPFILERECORD &file )
{
if( exists( file.frFileName ) )
return file.frFileName;
else
return "";
}
string ReadZIPDIRENTRY( ZIPDIRENTRY &entry )
{
if( exists( entry.deFileName ) )
return entry.deFileName;
else
return "";
}
// Custom write function that allows changing
// the name of the file - note that the file
// name size cannot be increased
void WriteZIPFILERECORD( ZIPFILERECORD &file, string s )
{
local int len = Strlen( s );
if( exists( file.frFileName ) )
{
Strncpy( file.frFileName, s, file.frFileNameLength );
if( len < file.frFileNameLength )
file.frFileName[len] = 0; //null terminate
}
}
typedef struct {
SetBackColor(0xd8e5ed);
char magicNumber[4];
SetBackColor(0xd8edd8);
uint32 version;
SetBackColor(0xd8e5ed);
uint32 pkLength;
SetBackColor(0xd8edd8);
uint32 sigLength;
SetBackColor(0xf7d6c3);
byte pubKey[pkLength];
SetBackColor(0xd8edd8);
byte sig[sigLength];
} CRXHEADER;
//--------------------------------------------
// Define the file
SetBackColor(0xe8e8e8);
CRXHEADER crxHeader;
SetBackColor(cNone);
local uint tag;
LittleEndian();
while( !FEof() )
{
// Read a tag
tag = ReadUInt( FTell() );
// Read data depending upon tag - should start with 'PK'.
// Note that when duplicate variables are defined, they
// are made into an array (see 'Using Templates and Structs'
// in the help file).
if( tag == 0x04034b50 )
{
SetBackColor( cLtGray );
ZIPFILERECORD record;
}
else if( tag == 0x08074b50 )
{
SetBackColor( cLtGreen );
ZIPDATADESCR dataDescr;
}
else if( tag == 0x02014b50 )
{
SetBackColor( cLtPurple );
ZIPDIRENTRY dirEntry;
}
else if( tag == 0x05054b50 )
{
SetBackColor( cLtBlue );
ZIPDIGITALSIG digitalSig;
}
else if( tag == 0x06054b50 )
{
SetBackColor( cLtYellow );
ZIPENDLOCATOR endLocator;
}
else
{
Warning( "Unknown ZIP tag encountered. Template stopped." );
return -1;
}
}

59
cparser/DBFTemplate.bt Normal file
View File

@ -0,0 +1,59 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File:
// Author:
// Revision:
// Purpose:
//--------------------------------------
string yearFrom1900 (char yy)
{
string s;
SPrintf(s, "%d", 1900 + yy);
return s;
}
struct DBF {
struct HEADER {
char version;
struct DATE_OF_LAST_UPDATE {
char yy <read=yearFrom1900,format=decimal>;
char mm <format=decimal>;
char dd <format=decimal>;
} DateOfLastUpdate;
int numberOfRecords;
short lengthOfHeaderStructure;
short lengthOfEachRecord;
char reserved[2];
char incompleteTrasaction <format=decimal>;
char encryptionFlag <format=decimal>;
int freeRecordThread;
int reserved1[2];
char mdxFlag <format=decimal>;
char languageDriver <format=decimal>;
short reserved2;
} header;
struct FIELD {
char fieldName[11];
char fieldType;
int fieldDataAddress;
char fieldLength <format=decimal>;
char decimalCount <format=decimal>;
short reserved;
char workAreaId <format=decimal>;
short reserved1;
char flags <format=hex>;
char reserved2[7];
char indexFieldFlag <format=decimal>;
} field[(header.lengthOfHeaderStructure-33)/sizeof(struct FIELD)];
char Terminator <format=hex>;
struct RECORD {
char deletedFlag;
char fields[header.lengthOfEachRecord-1];
} record [ header.numberOfRecords ] <optimize=false>;
} dbf <optimize=false>;

1665
cparser/DEXTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

1665
cparser/DEXTemplate.new.bt Normal file
View File

File diff suppressed because it is too large Load Diff

82
cparser/DMPTemplate.bt Normal file
View File

@ -0,0 +1,82 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// File: DMPTemplate.bt
// Author: <a.schuster@yendor.net>
// Revision: 1.0 - 20060320
// Purpose: This template merely serves as documentation of the
// memory dump format used by Microsoft's debuggers and
// the NT kernel crashdump facility. Detailed and
// authorative information about a DMP file can be
// obtained by processing the file with the "dumpchk"
// utility which ships whith Microsoft's free debugging
// tools package.
//--------------------------------------
typedef enum <uint32> {
FULL = 1,
KERNEL,
SMALL
} e_DumpType;
typedef struct {
uint32 BasePage <format=hex>;
uint32 PageCount <format=hex>;
} _PHYSICAL_MEMORY_RUN32;
typedef struct {
uint32 NumberOfRuns;
uint32 NumberOfPages <format=hex>;
_PHYSICAL_MEMORY_RUN32 Run[NumberOfRuns];
} _PHYSICAL_MEMORY_DESCRIPTOR32;
typedef struct {
int32 ExceptionCode <format=hex>;
uint32 ExceptionFlags;
uint32 ExceptionRecord;
uint32 ExceptionAddress <format=hex>;
uint32 NumberParameters;
uint32 ExceptionInformation[15] <format=hex>;
} _EXCEPTION_RECORD32;
FSeek(0);
char Signature[4];
char ValidDump[4];
uint32 MajorVersion;
uint32 MinorVersion;
uint32 DirectoryTableBase <format=hex>;
uint32 PfnDataBase <format=hex>;
uint32 PsLoadedModuleList <format=hex>;
uint32 PsActiveProcessHead <format=hex>;
uint32 MachineImageType <format=hex>;
uint32 NumberProcessors;
uint32 BugCheckCode <format=hex>;
uint32 BugCheckParameter[4] <format=hex>;
char VersionUser[32];
uchar PaeEnabled;
uchar KdSecondaryVersion;
uchar Spare3[2];
uint32 KdDebuggerDataBlock <format=hex>;
_PHYSICAL_MEMORY_DESCRIPTOR32 PhysicalMemoryBlock;
FSeek(800);
uchar ContextRecord[1200];
_EXCEPTION_RECORD32 Exception;
char Comment[128];
uchar _reserved0[1768];
e_DumpType DumpType;
uint32 MiniDumpFields;
uint32 SecondaryDataState;
uint32 ProductType;
uint32 SuiteMask;
uint32 WriterStatus;
int64 RequiredDumpSpace;
uchar _reserved2[16];
FILETIME SystemUpTime;
FILETIME SystemTime;
uchar _reserved3[56];

730
cparser/EDIDTemplate.bt Normal file
View File

@ -0,0 +1,730 @@
//--------------------------------------
//--- 010 Editor v3.2.2 Binary Template
//
// File: EDIDTemplate.bt
// Author: Rafael Vuijk
// Revision: 2012-03-02
// Purpose: EDID structure parser
//--------------------------------------
//
// NOTE: This template uses variable-size/unoptimized structure arrays.
// Information source: https://en.wikipedia.org/wiki/Extended_display_identification_data
// Modeline calculator: http://www.epanorama.net/faq/vga2rgb/calc.html
//
//--------------------------------------
typedef uint16 EISAId <read=EISAIdToString, write=StringToEISAId>;
string EISAIdToString(EISAId x)
{
uint16 sw = SwapBytes(x);
string s;
SPrintf(s, "%c%c%c", '@' + (sw>>10 & 0x1F), '@' + (sw>>5 & 0x1F), '@' + (sw>>0 & 0x1F));
return s;
}
void StringToEISAId(EISAId &x, string s)
{
char c[3];
SScan(s, "%c%c%c", c[0], c[1], c2[2]);
x = (c[0] - '@')<<10 | (c[1] - '@')<<5 | (c[2] - '@')<<0;
x = SwapBytes(x);
}
//--------------------------------------
typedef struct
{
ubyte x_resolution;
ubyte vFrequency : 6;
ubyte pixelRatio : 2;
} Timing <read=TimingToString>;
string TimingToString(Timing &t)
{
if (t.x_resolution == 1 && t.vFrequency == 1 && t.pixelRatio == 0) return "-";
int x = (t.x_resolution + 31) * 8;
int y;
switch (t.pixelRatio)
{
case 0: y = x*10/16; break;
case 1: y = x*3/4; break;
case 2: y = x*4/5; break;
case 3: y = x*9/16; break;
}
string s;
SPrintf(s, "%ux%u, %uHz", x, y, t.vFrequency + 60);
return s;
}
//--------------------------------------
enum <ubyte> DescriptorType
{
TIMINGS = 0xFA, // Additional standard timing identifiers. 6- 2-byte descriptors, padded with 0A.
WHITE_POINT = 0xFB, // Additional white point data. 2- 5-byte descriptors, padded with 0A 20 20.
MONITOR_NAME = 0xFC, // Monitor name (text)
RANGE_LIMITS = 0xFD, // Monitor range limits. 6- or 13-byte binary descriptor.
UNSPECIFIED_TEXT = 0xFE, // Unspecified text (text)
SERIAL_NUMBER = 0xFF, // Monitor serial number (text)
};
//--------------------------------------
enum <ubyte> FormatCode
{
RESERVED = 0,
LPCM = 1,
AC_3 = 2,
MPEG1 = 3,
MP3 = 4,
MPEG2 = 5,
AAC = 6,
DTS = 7,
ATRAC = 8,
SACD = 9,
DD_PLUS = 10,
DTS_HD = 11,
MLP_TRUEHD = 12,
DST = 13,
WMA_PRO = 14,
RESERVED2 = 15,
};
//--------------------------------------
enum <ubyte> BlockType
{
AUDIO = 1,
VIDEO = 2,
VENDOR_SPECIFIC = 3,
SPEAKER = 4,
};
//--------------------------------------
enum <ubyte> SVDIndex
{
_DMT0659 = 1, // 4:3 640x480p @ 59.94/60Hz
_480p = 2, // 4:3 720x480p @ 59.94/60Hz
_480pH = 3, // 16:9 720x480p @ 59.94/60Hz
_720p = 4, // 16:9 1280x720p @ 59.94/60Hz
_1080i = 5, // 16:9 1920x1080i @ 59.94/60Hz
_480i = 6, // 4:3 720(1440)x480i @ 59.94/60Hz
_480iH = 7, // 16:9 720(1440)x480i @ 59.94/60Hz
_240p = 8, // 4:3 720(1440)x240p @ 59.94/60Hz
_240pH = 9, // 16:9 720(1440)x240p @ 59.94/60Hz
_480i4x = 10, // 4:3 (2880)x480i @ 59.94/60Hz
_480i4xH = 11, // 16:9 (2880)x480i @ 59.94/60Hz
_240p4x = 12, // 4:3 (2880)x240p @ 59.94/60Hz
_240p4xH = 13, // 16:9 (2880)x240p @ 59.94/60Hz
_480p2x = 14, // 4:3 1440x480p @ 59.94/60Hz
_480p2xH = 15, // 16:9 1440x480p @ 59.94/60Hz
_1080p = 16, // 16:9 1920x1080p @ 59.94/60Hz
_576p = 17, // 4:3 720x576p @ 50Hz
_576pH = 18, // 16:9 720x576p @ 50Hz
_720p50 = 19, // 16:9 1280x720p @ 50Hz
_1080i25 = 20, // 16:9 1920x1080i @ 50Hz*
_576i = 21, // 4:3 720(1440)x576i @ 50Hz
_576iH = 22, // 16:9 720(1440)x576i @ 50Hz
_288p = 23, // 4:3 720(1440)x288p @ 50Hz
_288pH = 24, // 16:9 720(1440)x288p @ 50Hz
_576i4x = 25, // 4:3 (2880)x576i @ 50Hz
_576i4xH = 26, // 16:9 (2880)x576i @ 50Hz
_288p4x = 27, // 4:3 (2880)x288p @ 50Hz
_288p4xH = 28, // 16:9 (2880)x288p @ 50Hz
_576p2x = 29, // 4:3 1440x576p @ 50Hz
_576p2xH = 30, // 16:9 1440x576p @ 50Hz
_1080p50 = 31, // 16:9 1920x1080p @ 50Hz
_1080p24 = 32, // 16:9 1920x1080p @ 23.98/24Hz
_1080p25 = 33, // 16:9 1920x1080p @ 25Hz
_1080p30 = 34, // 16:9 1920x1080p @ 29.97/30Hz
_480p4x = 35, // 4:3 (2880)x480p @ 59.94/60Hz
_480p4xH = 36, // 16:9 (2880)x480p @ 59.94/60Hz
_576p4x = 37, // 4:3 (2880)x576p @ 50Hz
_576p4xH = 38, // 16:9 (2880)x576p @ 50Hz
_1080i25b = 39, // 16:9 1920x1080i(1250 Total) @ 50Hz*
_1080i50 = 40, // 16:9 1920x1080i @ 100Hz
_720p100 = 41, // 16:9 1280x720p @ 100Hz
_576p100 = 42, // 4:3 720x576p @ 100Hz
_576p100H = 43, // 16:9 720x576p @ 100Hz
_576i50 = 44, // 4:3 720(1440)x576i @ 100Hz
_576i50H = 45, // 16:9 720(1440)x576i @ 100Hz
_1080i60 = 46, // 16:9 1920x1080i @ 119.88/120Hz
_720p120 = 47, // 16:9 1280x720p @ 119.88/120Hz
_480p119 = 48, // 4:3 720x480p @ 119.88/120Hz
_480p119H = 49, // 16:9 720x480p @ 119.88/120Hz
_480i59 = 50, // 4:3 720(1440)x480i @ 119.88/120Hz
_480i59H = 51, // 16:9 720(1440)x480i @ 119.88/120Hz
_576p200 = 52, // 4:3 720x576p @ 200Hz
_576p200H = 53, // 16:9 720x576p @ 200Hz
_576i100 = 54, // 4:3 720(1440)x576i @ 200Hz
_576i100H = 55, // 16:9 720(1440)x576i @ 200Hz
_480p239 = 56, // 4:3 720x480p @ 239.76/240Hz
_480p239H = 57, // 16:9 720x480p @ 239.76/240Hz
_480i119 = 58, // 4:3 720(1440)x480i @ 239.76/240Hz
_480i119H = 59, // 16:9 720(1440)x480i @ 239.76/240Hz
_720p24 = 60, // 16:9 1280x720p @ 23.98/24Hz
_720p25 = 61, // 16:9 1280x720p @ 25Hz
_720p30 = 62, // 16:9 1280x720p @ 29.97/30Hz
_1080p120 = 63, // 16:9 1920x1080p @ 119.88/120Hz
};
typedef struct
{
SVDIndex index : 7 <comment="index value to a table of standard resolutions/timings from CEA/EIA-861E">;
ubyte native : 1 <comment="1 to designate that this should be considered a \"native\" resolution, 0 for non-native">;
} SVD <read=SVDToString, comment="Short Video Descriptor">;
string SVDToString(SVD &svd)
{
string s;
SPrintf(s, "%s%s (%u)", (svd.native ? "*" : ""), EnumToString(svd.index), svd.index);
return s;
}
//--------------------------------------
string SPAToString(uint16 spa)
{
string s;
SPrintf(s, "%u.%u.%u.%u", spa>>4&15, spa>>0&15, spa>>12&15, spa>>8&15);
return s;
}
//--------------------------------------
string TDMSFreqToString(ubyte f)
{
string s;
SPrintf(s, "%u MHz", (uint)f * 5);
return s;
}
//--------------------------------------
string PixelClockToString(uint16 f)
{
string s;
SPrintf(s, "%.2lf MHz", (double)f / 100);
return s;
}
void StringToPixelClock(uint16 &f, string s)
{
f = Atof(s) * 100;
}
//--------------------------------------
typedef ubyte PixelRate <read=PixelRateToString, write=StringToPixelRate>;
string PixelRateToString(PixelRate f)
{
string s;
SPrintf(s, "%u MHz", (uint)f * 10);
return s;
}
void StringToPixelRate(PixelRate &f, string s)
{
f = Atof(s) / 10;
}
//--------------------------------------
typedef ubyte BitRate <read=BitRateToString, write=StringToBitRate, comment="maximum supported bitrate divided by 8 kbit/s">;
string BitRateToString(BitRate b)
{
string s;
SPrintf(s, "%u kHz", (uint)b * 8);
return s;
}
void StringToBitRate(BitRate &b, string s)
{
b = Atof(s) / 8;
}
//--------------------------------------
typedef ubyte Latency <read=LatencyToString, write=StringToLatency, comment="Latency (value=1+ms/2 with a max of 251 meaning 500ms)">;
string LatencyToString(Latency l)
{
if (l == 0) return "-";
string s;
SPrintf(s, "%u ms", ((uint)l - 1) * 2);
return s;
}
void StringToLatency(Latency &l, string s)
{
if (s == "-") l = 0; else l = (uint)(Atof(s) / 2) + 1;
}
//--------------------------------------
typedef struct
{
ubyte size : 5 <comment="Total number of bytes in this block following this byte">;
BlockType typeTag : 3 <comment="Block Type Tag (1 is audio, 2 is video, 3 is vendor specific, 4 is speaker allocation, all other values Reserved)">;
// local int64 dataStart <hidden=true> = FTell();
switch (typeTag)
{
case AUDIO:
{
ubyte channelCount : 3 <comment="number of channels minus 1">;
FormatCode formatCode : 4 <comment="Audio format code">;
ubyte reserved1 : 1;
struct SampleRates
{
ubyte _32kHz : 1;
ubyte _44kHz : 1;
ubyte _48kHz : 1;
ubyte _88kHz : 1;
ubyte _96kHz : 1;
ubyte _176kHz : 1;
ubyte _192kHz : 1;
ubyte reserved : 1;
} sampleRates <comment="sampling frequencies supported">;
if (formatCode == 1) // LPCM
{
ubyte _16bits : 1;
ubyte _20bits : 1;
ubyte _24bits : 1;
ubyte reserved : 5;
}
else
{
BitRate bitrate;
}
break;
}
case VIDEO:
{
SVD svds[size] <bgcolor=cLtGreen, comment="Short Video Descriptors">;
break;
}
case VENDOR_SPECIFIC:
{
ubyte oui[3] <format=hex, comment="IEEE Registration Identifier">;
uint16 spa <read=SPAToString, comment="Source Physical Address">;
if (size >= 3)
{
ubyte DVI_Dual : 1 <comment="sink supports DVI Dual Link Operation">;
ubyte reserved : 1;
ubyte reserved : 1;
ubyte dc_Y444 : 1 <comment="sink supports 4:4:4 in deep color modes">;
ubyte dc_30bit : 1 <comment="sink supports 10-bit-per-channel deep color">;
ubyte dc_36bit : 1 <comment="sink supports 12-bit-per-channel deep color">;
ubyte dc_48bit : 1 <comment="sink supports 16-bit-per-channel deep color">;
ubyte supports_AI : 1 <comment="sink supports a function that needs info from ACP or ISRC packets">;
}
if (size >= 4)
ubyte max_TMDS_Frequency <read=TDMSFreqToString, comment="Maximum TMDS frequency">;
if (size >= 5)
{
ubyte reserved : 6;
ubyte i_latency_fields : 1 <comment="set if interlaced latency fields are present; if set four latency fields will be present">;
ubyte latency_fields : 1 <comment="set if latency fields are present">;
if (latency_fields)
{
Latency videoLatency <comment="Video Latency (value=1+ms/2 with a max of 251 meaning 500ms)">;
Latency audioLatency <comment="Audio Latency (value=1+ms/2 with a max of 251 meaning 500ms)">;
}
if (i_latency_fields)
{
Latency interlacedVideoLatency <comment="Interlaced Video Latency (value=1+ms/2 with a max of 251 meaning 500ms)">;
Latency interlacedAudioLatency <comment="Interlaced Audio Latency (value=1+ms/2 with a max of 251 meaning 500ms)">;
}
}
break;
}
case SPEAKER:
{
ubyte frontLeftRight : 1 <comment="Front Left / Front Right present for 1, absent for 0">;
ubyte LFE : 1 <comment="LFE present for 1, absent for 0">;
ubyte frontCenter : 1 <comment="Front Center present for 1, absent for 0">;
ubyte rearLeftRight : 1 <comment="Rear Left / Rear Right present for 1, absent for 0">;
ubyte rearCenter : 1 <comment="Rear Center present for 1, absent for 0">;
ubyte frontLeftRightCenter : 1 <comment="Front Left Center / Front Right Center present for 1, absent for 0">;
ubyte rearLeftRightCenter : 1 <comment="Rear Left Center / Rear Right Center present for 1, absent for 0">;
ubyte reserved : 1;
ubyte reserved[2];
break;
}
} // switch
// local int64 dataEnd <hidden=true> = FTell();
// Printf("block size: %u %lu\n", size, dataEnd - dataStart);
/* Assert(dataEnd - dataStart <= size, "Data block size error");
if (dataEnd - dataStart < size)
{
ubyte extraData[size - (dataEnd - dataStart)];
}*/
} DataBlock <size=DataBlockSize, optimize=false, open=true, comment="Data block">;
int DataBlockSize(DataBlock &b)
{
return (ReadUByte(startof(b)) & 0x1F);
}
//--------------------------------------
typedef struct
{
uint16 pixelClock <read=PixelClockToString, write=StringToPixelClock, comment="Pixel clock in 10 kHz units. (0.01-655.35 MHz, little-endian)">;
ubyte hActive_lsb <comment="Horizontal active pixels 8 lsbits (0-4095)">;
ubyte hBlanking_lsb <comment="Horizontal blanking pixels 8 lsbits (0-4095) End of active to start of next active.">;
ubyte hBlanking_msb : 4 <comment="Horizontal blanking pixels 4 msbits">;
ubyte hActive_msb : 4 <comment="Horizontal active pixels 4 msbits">;
ubyte vActive_lsb <comment="Vertical active lines 8 lsbits (0-4095)">;
ubyte vBlanking_lsb <comment="Vertical blanking lines 8 lsbits (0-4095)">;
ubyte vBlanking_msb : 4 <comment="Vertical blanking lines 4 msbits">;
ubyte vActive_msb : 4 <comment="Vertical active lines 4 msbits">;
ubyte hSyncOffset_lsb <comment="Horizontal sync offset pixels 8 lsbits (0-1023) From blanking start">;
ubyte hSync_lsb <comment="Horizontal sync pulse width pixels 8 lsbits (0-1023)">;
ubyte vSync_lsb : 4 <comment="Vertical sync pulse width lines 4 lsbits (0-63)">;
ubyte vSyncOffset_lsb : 4 <comment="Vertical sync offset lines 4 lsbits (0-63)">;
ubyte vSync_msb : 2 <comment="Vertical sync pulse width lines 2 msbits">;
ubyte vSyncOffset_msb : 2 <comment="Vertical sync offset lines 2 msbits">;
ubyte hSync_msb : 2 <comment="Horizontal sync pulse width pixels 2 msbits">;
ubyte hSyncOffset_msb : 2 <comment="Horizontal sync offset pixels 2 msbits">;
ubyte hSize_lsb <comment="Horizontal display size, mm, 8 lsbits (0-4095 mm, 161 in)">;
ubyte vSize_lsb <comment="Vertical display size, mm, 8 lsbits (0-4095 mm, 161 in)">;
ubyte vSize_msb : 4 <comment="Vertical display size, mm, 4 msbits">;
ubyte hSize_msb : 4 <comment="Horizontal display size, mm, 4 msbits">;
ubyte hBorder <comment="Horizontal border pixels (each side; total is twice this)">;
ubyte vBorder <comment="Vertical border lines (each side; total is twice this)">;
ubyte _f0 : 1 <comment="2-way line-interleaved stereo, if bits 4-3 are not 00.">;
ubyte _f1 : 1 <comment="If analog sync: Sync on all 3 RGB lines (else green only). Digital: HSync polarity (1=positive)">;
ubyte _f2 : 1 <comment="If digital separate: Vertical sync polarity (1=positive). Other types: VSync serrated (HSync during VSync)">;
ubyte _f34 : 2 <comment="Sync type: 00=Analog composite; 01=Bipolar analog composite; 10=Digital composite (on HSync); 11=Digital separate">;
ubyte _f56 : 2 <comment="Stereo mode: 00=No stereo; other values depend on bit 0: Bit 0=0: 01=Field sequential, sync=1 during right; 10=similar, sync=1 during left; 11=4-way interleaved stereo. Bit 0=1 2-way interleaved stereo: 01=Right image on even lines; 10=Left image on even lines; 11=side-by-side">;
ubyte interlaced : 1 <comment="Interlaced">;
//if (_f34 >> 1 & 1) Printf("Digital sync: "); else Printf("Analog sync: ");
//if (_f34 >> 0 & 1) Printf("Bipolar/separate\n"); else Printf("Composite\n");
} ModeLine <read=ModeLineToString, write=StringToModeLine, comment="Xfree86 modeline">;
string ModeLineToString(ModeLine &n)
{
uint hActive = (uint)n.hActive_msb<<8 | n.hActive_lsb;
uint hSyncOffset = (uint)n.hSyncOffset_msb<<8 | n.hSyncOffset_lsb;
uint hSync = (uint)n.hSync_msb<<8 | n.hSync_lsb;
uint hBlanking = (uint)n.hBlanking_msb<<8 | n.hBlanking_lsb;
uint vActive = (uint)n.vActive_msb<<8 | n.vActive_lsb;
uint vSyncOffset = (uint)n.vSyncOffset_msb<<8 | n.vSyncOffset_lsb;
uint vSync = (uint)n.vSync_msb<<8 | n.vSync_lsb;
uint vBlanking = (uint)n.vBlanking_msb<<8 | n.vBlanking_lsb;
uint im = n.interlaced ? 2 : 1;
string s;
SPrintf(s, "Modeline \"%ux%u\" %.2lf %4u %4u %4u %4u %4u %4u %4u %4u %chsync %cvsync %s ; %u %u", // relative to absolute
hActive, vActive*im, (double)n.pixelClock / 100,
hActive, hActive + hSyncOffset, hActive + hSyncOffset + hSync, hActive + hBlanking,
vActive*im, (vActive + vSyncOffset)*im, (vActive + vSyncOffset + vSync)*im, (vActive + vBlanking)*im,
n._f1 ? '+' : '-', n._f2 ? '+' : '-',
n.interlaced ? "Interlace" : "",
n.hBorder, n.vBorder
);
return s;
}
void StringToModeLine(ModeLine &n, string s)
{
uint dummy;
uint hActive, hActive_hSyncOffset, hActive_hSyncOffset_hSync, hActive_hBlanking;
uint vActive, vActive_vSyncOffset, vActive_vSyncOffset_vSync, vActive_vBlanking;
char hsync, vsync;
string interlaced;
double f;
SScanf(s, "Modeline \"%ux%u\" %lf %u %u %u %u %u %u %u %u %chsync %cvsync %[^0-9;]",
dummy, dummy, f,
hActive, hActive_hSyncOffset, hActive_hSyncOffset_hSync, hActive_hBlanking,
vActive, vActive_vSyncOffset, vActive_vSyncOffset_vSync, vActive_vBlanking,
hsync, vsync,
interlaced
);
int p = Strchr(s, ';');
if (p >= 0) SScanf(SubStr(s, p), "; %u %u", n.hBorder, n.vBorder);
n.interlaced = (interlaced[0] == 'I');
uint im = n.interlaced ? 2 : 1;
uint hBlanking = hActive_hBlanking - hActive;
uint hSync = hActive_hSyncOffset_hSync - hActive_hSyncOffset;
uint hSyncOffset = hActive_hSyncOffset - hActive;
n.hActive_msb = hActive>>8; n.hActive_lsb = (ubyte)hActive;
n.hSyncOffset_msb = hSyncOffset>>8; n.hSyncOffset_lsb = (ubyte)hSyncOffset;
n.hSync_msb = hSync>>8; n.hSync_lsb = (ubyte)hSync;
n.hBlanking_msb = hBlanking>>8; n.hBlanking_lsb = (ubyte)hBlanking;
uint vBlanking = (vActive_vBlanking - vActive)/im;
uint vSync = (vActive_vSyncOffset_vSync - vActive_vSyncOffset)/im;
uint vSyncOffset = (vActive_vSyncOffset - vActive)/im;
vActive /= im;
n.vActive_msb = vActive>>8; n.vActive_lsb = (ubyte)vActive;
n.vSyncOffset_msb = vSyncOffset>>8; n.vSyncOffset_lsb = (ubyte)vSyncOffset;
n.vSync_msb = vSync>>8; n.vSync_lsb = (ubyte)vSync;
n.vBlanking_msb = vBlanking>>8; n.vBlanking_lsb = (ubyte)vBlanking;
n._f1 = hsync == '+' ? 1 : 0;
n._f2 = vsync == '+' ? 1 : 0;
n.pixelClock = f * 100;
}
//--------------------------------------
struct File
{
struct Header
{
ubyte pattern[8] <format=hex, comment="Fixed header pattern: 00 FF FF FF FF FF FF 00">;
EISAId eisaId <comment="EISA ID. Encoded as 3 5-bit letters (1=A, 26=Z), big-endian, with msbit reserved.">;
uint16 mfgProductId <comment="Manufacturer product code. 16-bit number, little-endian.">;
uint32 serial <comment="Serial number. 32 bits, little endian.">;
ubyte mfgWeek <comment="Week of manufacture. Week numbering is not consistent between manufacturers.">;
ubyte mfgYear <comment="Year of manufacture, less 1990. (1990-2245). If week=255, it is the model year instead.">;
ubyte edidVersion <comment="EDID version, usually 1 (for 1.3)">;
ubyte edidRevision <comment="EDID revision, usually 3 (for 1.3)">;
} header <open=false, comment="Header information">;
struct Basic
{
union Bitmap
{
ubyte hmz;
if (hmz & 0x80)
{
struct Digital
{
ubyte vesa : 1 <comment="Signal is compatible with VESA DFP 1.x TMDS CRGB, 1 pixel per clock, up to 8 bits per color, MSB aligned,">;
ubyte reserved : 6 <comment="Reserved, must be 0">;
ubyte digital : 1 <comment="1=Digital input">;
} digital;
}
else
{
struct Analog
{
ubyte vSeparate : 1 <comment="VSync pulse must be separated when composite or sync-on-green is used">;
ubyte syncOnGreen : 1 <comment="Sync on green supported">;
ubyte compositeSync : 1 <comment="Composite sync (on HSync) supported">;
ubyte separateSync : 1 <comment="Separate sync supported">;
ubyte blankToBlack : 1 <comment="Blank-to-black setup (pedestal) expected">;
ubyte level : 2 <comment="Video white and sync levels, relative to blank: 00=+0.7/0.3 V; 01=+0.714/0.286 V; 10=+1.0/0.4 V; 11=+0.7/0 V">;
ubyte analog : 1 <comment="0=Analog input">;
} analog;
}
} bitmap <comment="Video input parameters bitmap">;
ubyte width <comment="Maximum horizontal image size, in centimetres (max 292 cm/115 in at 16:9 aspect ratio)">;
ubyte height <comment="Maximum vertical image size, in centimetres. If either byte is 0, undefined (e.g. projector)">;
ubyte gamma <comment="Display gamma, minus 1, times 100 (range 1.00-3.54)">;
struct Features
{
ubyte gtf : 1 <comment="GTF supported with default parameter values.">;
ubyte prefTimingDesc1 : 1 <comment="Preferred timing mode specified in descriptor block 1.">;
ubyte sRGB : 1 <comment="Standard sRGB colour space. Bytes 25-34 must contain sRGB standard values.">;
if (bitmap.hmz & 0x80)
ubyte displayType : 2 <comment="Display type (digital): 00 = RGB 4:4:4; 01 = RGB 4:4:4 + YCrCb 4:4:4; 10 = RGB 4:4:4 + YCrCb 4:2:2; 11 = RGB 4:4:4 + YCrCb 4:4:4 + YCrCb 4:2:2">;
else
ubyte displayType : 2 <comment="Display type (analog): 00 = Monochrome or Grayscale; 01 = RGB color; 10 = Non-RGB color; 11 = Undefined">;
ubyte dpmsActiveOff : 1 <comment="DPMS active-off supported">;
ubyte dpmsSusepend : 1 <comment="DPMS suspend supported">;
ubyte dpmsStandby : 1 <comment="DPMS standby supported">;
} features <comment="Supported features bitmap">;
} basic <open=false, comment="Basic display parameters">;
struct Chromaticity
{
ubyte green_y_lsb : 2 <comment="Green y value least-significant 2 bits">;
ubyte green_x_lsb : 2 <comment="Green x value least-significant 2 bits">;
ubyte red_y_lsb : 2 <comment="Red y value least-significant 2 bits">;
ubyte red_x_lsb : 2 <comment="Red x value least-significant 2 bits">;
ubyte bluewhite_lsb : 2 <comment="Blue and white least-significant 2 bits">;
ubyte zero : 6; // Lelouch
ubyte red_x_msb <comment="Red x value most significant 8 bits. 0-255 encodes 0-0.996 (255/256); 0-0.999 (1023/1024) with lsbits">;
ubyte red_y_msb <comment="Red y value most significant 8 bits">;
ubyte green_x_msb <comment="Green x value most significant 8 bits">;
ubyte green_y_msb <comment="Green y value most significant 8 bits">;
ubyte blue_x_msb <comment="Blue x value most significant 8 bits">;
ubyte blue_y_msb <comment="Blue y value most significant 8 bits">;
ubyte white_x_msb <comment="Default white point x value most significant 8 bits">;
ubyte white_y_msb <comment="Default white point y value most significant 8 bits">;
} chromaticity <bgcolor=cLtAqua, comment="Chromaticity coordinates. 10-bit CIE xy coordinates for red, green, blue, and white. [0-1023/1024].">;
struct Timings
{
ubyte _800x600_60 : 1;
ubyte _800x600_56 : 1;
ubyte _640x480_75 : 1;
ubyte _640x480_72 : 1;
ubyte _640x480_67 : 1;
ubyte _640x480_60 : 1;
ubyte _720x400_88 : 1;
ubyte _720x400_70 : 1;
ubyte _1280x1024_75 : 1;
ubyte _1024x768_75 : 1;
ubyte _1024x768_72 : 1;
ubyte _1024x768_60 : 1;
ubyte _1024x768i_87 : 1;
ubyte _832x624_75 : 1;
ubyte _800x600_75 : 1;
ubyte _800x600_72 : 1;
ubyte mfgSpecific : 7;
ubyte _1152x870_75 : 1; // Apple Macintosh II
} timings <bgcolor=cLtGreen, comment="Established timing bitmap. Supported bitmap for very common timing modes.">;
Timing timings2[8] <bgcolor=cLtGreen, comment="Standard timing information. Up to 8 2-byte fields describing standard display modes.">;
struct Descriptor
{
if (ReadUShort(FTell()) != 0)
{
ModeLine numbers;
}
else
{
uint16 zero;
ubyte zero;
DescriptorType descriptorType; // FA-FF currently defined. 00-0F reserved for vendors.
ubyte zero;
switch (descriptorType)
{
case TIMINGS:
Timing timings[6] <comment="Additional standard timing identifiers. 6- 2-byte descriptors, padded with 0A.">;
break;
case MONITOR_NAME:
char name[13] <comment="Monitor name (text)">;
break;
case SERIAL_NUMBER:
char serial[13] <comment="Monitor serial number (text)">;
break;
case UNSPECIFIED_TEXT:
char text[13] <comment="Unspecified text (text)">;
break;
case RANGE_LIMITS: // Monitor range limits. 6- or 13-byte binary descriptor.
{
ubyte vMinRate <comment="Minimum vertical field rate">;
ubyte vMaxRate <comment="Maximum vertical field rate">;
ubyte hMinRate <comment="Minimum horizontal line rate">;
ubyte hMaxRate <comment="Maximum horizontal line rate">;
PixelRate maxPixelRate <comment="Maximum pixel clock rate, rounded up to 10 MHz multiple (10-2550 MHz)">;
ubyte extended <comment="02: Secondary GTF supported, parameters as follows.">;
if (extended == 0x02)
{
ubyte reserved;
ubyte startFreqSecondCurve <comment="Start frequency for secondary curve, divided by 2 kHz (0-510 kHz)">;
ubyte gtf_C <comment="C value, multiplied by 2 (0-127.5)">;
uint16 gtf_M <comment="GTF M value (0-65535, little-endian)">;
ubyte gtf_K <comment="GTF K value (0-255)">;
ubyte gtf_J <comment="GTF J value, multiplied by 2 (0-127.5)">;
}
else
{
ubyte padding[7] <comment="0A 20 20 20 20 20 20">;
}
break;
}
case WHITE_POINT: // Additional white point data. 2- 5-byte descriptors, padded with 0A 20 20.
{
struct
{
ubyte indexNumber <comment="Point index number (1-255) Usually 1; 0 indicates descriptor not used.">;
ubyte white_y_lsb : 2 <comment="White point y value least-significant 2 bits">;
ubyte white_x_lsb : 2 <comment="White point x value least-significant 2 bits">;
ubyte unused : 4; // (C) DarkFader
ubyte white_x_msb <comment="White point x value most significant 8 bits (like EDID byte 27)">;
ubyte white_y_msb <comment="White point y value most significant 8 bits (like EDID byte 28)">;
ubyte gamma <comment="Gamma value, minus 1, time 100 (1.0-3.54, like EDID byte 23)">;
} whitePoints[2] <bgcolor=cLtAqua, comment="Additional white point descriptors">;
ubyte padding[3] <comment="0A 20 20">;
break;
}
default:
{
ubyte unknown[13];
Warning("Unknown descriptor type");
break;
}
}
}
} descriptors[4] <optimize=false, bgcolor=cLtGray, comment="Detailed Timing Descriptor blocks, in decreasing preference order. After all detailed timing descriptors, additional descriptors are permitted.">;
ubyte extensionCount <comment="Number of extensions to follow. 0 if no extensions.">;
ubyte checksum <format=hex, comment="Sum of all 128 bytes should equal 0 (mod 256).">;
//--------------------------------------
struct CEA_EDID
{
local int64 extensionBlockStart <hidden=true> = FTell();
ubyte extensionTag <comment="Extension tag (which kind of extension block this is); 02h for CEA EDID">;
switch (extensionTag)
{
case 0x02: // Additional Timing Data Block (CEA EDID Timing Extension)
{
ubyte revision <comment="Revision number (Version number); 03h for Version 3">;
ubyte dtdStart <comment="Byte number \"d\" within this block where the 18-byte DTDs begin.">;
ubyte dtdCount : 4 <comment="total number of native formats in the DTDs included in this block">;
ubyte YCbCr422 : 1 <comment="1 if display supports YCbCr 4:2:2, 0 if not">;
ubyte YCbCr444 : 1 <comment="1 if display supports YCbCr 4:4:4, 0 if not">;
ubyte basic_audio : 1 <comment="1 if display supports basic audio, 0 if not">;
ubyte underscan : 1 <comment="if display supports underscan, 0 if not">;
while (FTell() < extensionBlockStart + dtdStart)
{
DataBlock dataBlock;
} // while
if (FTell() != extensionBlockStart + dtdStart)
{
Warning("Unexpected DTD start");
}
FSeek(extensionBlockStart + dtdStart);
while (ReadUShort(FTell()) != 0)
{
Descriptor descriptor <optimize=false, bgcolor=cLtGray, comment="Detailed Timing Descriptor block">;
}
ubyte padding[127 - (FTell() - extensionBlockStart)] <format=hex, comment="Post-DTD padding. Should be populated with 00h">;
ubyte checksum <format=hex, comment="This byte should be programmed such that the sum of all 128 bytes equals 00h.">;
if (Checksum(CHECKSUM_SUM8, extensionBlockStart, 128) != 0) Warning("Invalid extension block checksum!");
break;
}
default:
Warning("Unsupported extension block");
break;
}
} extensions[extensionCount] <optimize=false, open=true, comment="EDID Extensions">;
} file <open=true, fgcolor=cBlue>;
//--------------------------------------

795
cparser/ELFTemplate.bt Normal file
View File

@ -0,0 +1,795 @@
//----------------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ELFTemplate.bt
// Author: 010Editor (Unknown?)
// Tim "diff" Strazzere <diff@lookout.com> <strazz@gmail.com>
// Revision: 2.2
// Purpose: Defines a template for
// parsing ELF 32-bit and 64-bit files.
//----------------------------------------
//
// Version 2.2
// FIXED:
// - Fixed issues if the section header count is greater
// the actual number of sections that exist.
// More information;
// http://dustri.org/b/?p=832
//
// Version 2.1
// FIXED:
// - Fixed issue with local variables so it's actually
// runnable inside v4.0.3
// Define structures used in ELF files
// ELF Header Types
// ELF identification element
// Accelerate a slow lookup with an array
local int sec_tbl_elem[255];
typedef enum <uchar> {
ELFCLASSNONE =0,
ELFCLASS32 =1,
ELFCLASS64 =2
}ei_class_2_e;
typedef enum <uchar> {
ELFDATAONE =0,
ELFDATA2LSB =1,
ELFDATA2MSB =2
}ei_data_e;
typedef enum <uchar> {
E_NONE =0,
E_CURRENT =1
}ei_version_e;
typedef enum <uchar> {
ELFOSABI_NONE =0, //No extensions or unspecified
ELFOSABI_HPUX =1, //Hewlett-Packard HP-UX
ELFOSABI_NETBSD =2, //NetBSD
ELFOSABI_SOLARIS=6, //Sun Solaris
ELFOSABI_AIX =7, //AIX
ELFOSABI_IRIX =8, //IRIX
ELFOSABI_FREEBSD=9, //FreeBSD
ELFOSABI_TRU64 =10, //Compaq TRU64 UNIX
ELFOSABI_MODESTO=11, //Novell Modesto
ELFOSABI_OPENBSD=12, //Open BSD
ELFOSABI_OPENVMS=13, //Open VMS
ELFOSABI_NSK =14, //Hewlett-Packard Non-Stop Kernel
ELFOSABI_AROS =15 //Amiga Research OS
}ei_osabi_e;
typedef struct {
char file_identification[4];
ei_class_2_e ei_class_2;
ei_data_e ei_data;
if( ei_data == ELFDATA2LSB ) {
LittleEndian();
} else {
BigEndian();
}
ei_version_e ei_version;
ei_osabi_e ei_osabi;
uchar ei_abiversion;
uchar ei_pad[6];
uchar ei_nident_SIZE;
} e_ident_t;
// Elf Data Types for 32/64 bit
//32 bit
typedef uint32 Elf32_Word;
typedef uint32 Elf32_Off;
typedef uint32 Elf32_Addr <read=VAddr32>;
typedef uint16 Elf32_Half;
typedef uint32 Elf32_Xword;
//64 bit
typedef uint32 Elf64_Word;
typedef uint64 Elf64_Off;
typedef uint64 Elf64_Addr <read=VAddr64>;
typedef uint16 Elf64_Half;
typedef uint64 Elf64_Xword;
string VAddr32( Elf32_Addr &addr ) {
local char buf[128];
SPrintf( buf, "0x%08X", addr );
return buf;
}
string VAddr64( Elf64_Addr &addr ) {
local char buf[128];
SPrintf( buf, "0x%016LX", addr );
return buf;
}
typedef enum <Elf32_Half> {
ET_NONE =0,
ET_REL =1,
ET_EXEC =2,
ET_DYN =3,
ET_CORE =4,
ET_LOOS =0xfe00,
ET_HIOS =0xfeff,
ET_LOPROC =0xff00,
ET_HIPROC =0xffff
} e_type32_e;
typedef e_type32_e e_type64_e;
typedef enum <Elf32_Half> { // list has to to be completed
EM_NONE =0, //No machine
EM_M32 =1, //AT&T WE 32100
EM_SPARC =2, //SPARC
EM_386 =3, //Intel 80386
EM_68K =4, //Motorola 68000
EM_88K =5, //Motorola 88000
reserved6 =6, //Reserved for future use (was EM_486)
EM_860 =7, //Intel 80860
EM_MIPS =8, //MIPS I Architecture
EM_S370 =9, //IBM System/370 Processor
EM_MIPS_RS3_LE =10, //MIPS RS3000 Little-endian
reserved11 =11, //Reserved for future use
reserved12 =12, //Reserved for future use
reserved13 =13, //Reserved for future use
reserved14 =14, //Reserved for future use
EM_PARISC =15, //Hewlett-Packard PA-RISC
reserved16 =16, //Reserved for future use
EM_VPP500 =17, //Fujitsu VPP500
EM_SPARC32PLUS =18, //Enhanced instruction set SPARC
EM_960 =19, //Intel 80960
EM_PPC =20, //PowerPC
EM_PPC64 =21, //64-bit PowerPC
EM_S390 =22, //IBM System/390 Processor
reserved23 =23, //Reserved for future use
reserved24 =24, //Reserved for future use
reserved25 =25, //Reserved for future use
reserved26 =26, //Reserved for future use
reserved27 =27, //Reserved for future use
reserved28 =28, //Reserved for future use
reserved29 =29, //Reserved for future use
reserved30 =30, //Reserved for future use
reserved31 =31, //Reserved for future use
reserved32 =32, //Reserved for future use
reserved33 =33, //Reserved for future use
reserved34 =34, //Reserved for future use
reserved35 =35, //Reserved for future use
EM_V800 =36, //NEC V800
EM_FR20 =37, //Fujitsu FR20
EM_RH32 =38, //TRW RH-32
EM_RCE =39, //Motorola RCE
EM_ARM =40, //Advanced RISC Machines ARM
EM_ALPHA =41, //Digital Alpha
EM_SH =42, //Hitachi SH
EM_SPARCV9 =43, //SPARC Version 9
EM_TRICORE =44, //Siemens TriCore embedded processor
EM_ARC =45, //Argonaut RISC Core, Argonaut Technologies Inc.
EM_H8_300 =46, //Hitachi H8/300
EM_H8_300H =47, //Hitachi H8/300H
EM_H8S =48, //Hitachi H8S
EM_H8_500 =49, //Hitachi H8/500
EM_IA_64 =50, //Intel IA-64 processor architecture
EM_MIPS_X =51, //Stanford MIPS-X
EM_COLDFIRE =52, //Motorola ColdFire
EM_68HC12 =53, //Motorola M68HC12
EM_MMA =54, //Fujitsu MMA Multimedia Accelerator
EM_PCP =55, //Siemens PCP
EM_NCPU =56, //Sony nCPU embedded RISC processor
EM_NDR1 =57, //Denso NDR1 microprocessor
EM_STARCORE =58, //Motorola Star*Core processor
EM_ME16 =59, //Toyota ME16 processor
EM_ST100 =60, //STMicroelectronics ST100 processor
EM_TINYJ =61, //Advanced Logic Corp. TinyJ embedded processor family
EM_X86_64 =62, //AMD x86-64 architecture
EM_PDSP =63, //Sony DSP Processor
EM_PDP10 =64, //Digital Equipment Corp. PDP-10
EM_PDP11 =65, //Digital Equipment Corp. PDP-11
EM_FX66 =66, //Siemens FX66 microcontroller
EM_ST9PLUS =67, //STMicroelectronics ST9+ 8/16 bit microcontroller
EM_ST7 =68, //STMicroelectronics ST7 8-bit microcontroller
EM_68HC16 =69, //Motorola MC68HC16 Microcontroller
EM_68HC11 =70, //Motorola MC68HC11 Microcontroller
EM_68HC08 =71, //Motorola MC68HC08 Microcontroller
EM_68HC05 =72, //Motorola MC68HC05 Microcontroller
EM_SVX =73, //Silicon Graphics SVx
EM_ST19 =75, //Digital VAX
EM_CRIS =76, //Axis Communications 32-bit embedded processor
EM_JAVELIN =77, //Infineon Technologies 32-bit embedded processor
EM_FIREPATH =78, //Element 14 64-bit DSP Processor
EM_ZSP =79, //LSI Logic 16-bit DSP Processor
EM_MMIX =80, //Donald Knuth's educational 64-bit processor
EM_HUANY =81, //Harvard University machine-independent object files
EM_PRISM =82, //SiTera Prism
EM_AVR =83, //Atmel AVR 8-bit microcontroller
EM_FR30 =84, //Fujitsu FR30
EM_D10V =85, //Mitsubishi D10V
EM_D30V =86, //Mitsubishi D30V
EM_V850 =87, //NEC v850
EM_M32R =88, //Mitsubishi M32R
EM_MN10300 =89, //Matsushita MN10300
EM_MN10200 =90, //Matsushita MN10200
EM_PJ =91, //picoJava
EM_OPENRISC =92, //OpenRISC 32-bit embedded processor
EM_ARC_A5 =93, //ARC Cores Tangent-A5
EM_XTENSA =94, //Tensilica Xtensa Architecture
EM_VIDEOCORE =95, //Alphamosaic VideoCore processor
EM_TMM_GPP =96, //Thompson Multimedia General Purpose Processor
EM_NS32K =97, //National Semiconductor 32000 series
EM_TPC =98, //Tenor Network TPC processor
EM_SNP1K =99, //Trebia SNP 1000 processor
EM_ST200 =100, //STMicroelectronics (www.st.com) ST200 microcontroller
EM_IP2K =101, //Ubicom IP2xxx microcontroller family
EM_MAX =102, //MAX Processor
EM_CR =103, //National Semiconductor CompactRISC microprocessor
EM_F2MC16 =104, //Fujitsu F2MC16
EM_MSP430 =105, //Texas Instruments embedded microcontroller msp430
EM_BLACKFIN =106, //Analog Devices Blackfin (DSP) processor
EM_SE_C33 =107, //S1C33 Family of Seiko Epson processors
EM_SEP =108, //Sharp embedded microprocessor
EM_ARCA =109, //Arca RISC Microprocessor
EM_UNICORE =110 //Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University
} e_machine32_e;
typedef e_machine32_e e_machine64_e;
typedef enum <Elf32_Word> {
EV_NONE =0,
EV_CURRENT =1
} e_version32_e;
typedef e_version32_e e_version64_e;
// Program Header Types
typedef enum <Elf32_Word> {
PT_NULL =0,
PT_LOAD =1,
PT_DYNAMIC =2,
PT_INERP =3,
PT_NOTE =4,
PT_SHLIB =5,
PT_PHDR =6,
PT_LOOS =0x60000000,
PT_HIOS =0x6fffffff,
PT_LOPROC =0x70000000,
PT_HIPROC =0x7fffffff
} p_type32_e;
typedef p_type32_e p_type64_e;
typedef enum <Elf32_Word> {
PF_None =0,
PF_Exec =1,
PF_Write =2,
PF_Write_Exec =3,
PF_Read =4,
PF_Read_Exec =5,
PF_Read_Write =6,
PF_Read_Write_Exec =7
} p_flags32_e;
typedef p_flags32_e p_flags64_e;
typedef enum <Elf32_Word> {
SHN_UNDEF = 0, /* undefined, e.g. undefined symbol */
SHN_LORESERVE = 0xff00, /* Lower bound of reserved indices */
SHN_LOPROC = 0xff00, /* Lower bound processor-specific index */
SHN_HIPROC = 0xff1f, /* Upper bound processor-specific index */
SHN_LOOS = 0xff20, /* Lower bound OS-specific index */
SHN_HIOS = 0xff3f, /* Upper bound OS-specific index */
SHN_ABS = 0xfff1, /* Absolute value, not relocated */
SHN_COMMON = 0xfff2, /* FORTRAN common or unallocated C */
SHN_HIRESERVE = 0xffff /* Upper bound of reserved indices */
} s_name32_e;
typedef s_name32_e s_name64_e;
typedef enum <Elf32_Word> {
SHT_NULL = 0, /* Inactive section header */
SHT_PROGBITS = 1, /* Information defined by the program */
SHT_SYMTAB = 2, /* Symbol table - not DLL */
SHT_STRTAB = 3, /* String table */
SHT_RELA = 4, /* Explicit addend relocations, Elf64_Rela */
SHT_HASH = 5, /* Symbol hash table */
SHT_DYNAMIC = 6, /* Information for dynamic linking */
SHT_NOTE = 7, /* A Note section */
SHT_NOBITS = 8, /* Like SHT_PROGBITS with no data */
SHT_REL = 9, /* Implicit addend relocations, Elf64_Rel */
SHT_SHLIB = 10, /* Currently unspecified semantics */
SHT_DYNSYM = 11, /* Symbol table for a DLL */
SHT_LOOS = 0x60000000, /* Lowest OS-specific section type */
SHT_HIOS = 0x6fffffff, /* Highest OS-specific section type */
SHT_LOPROC = 0x70000000, /* Lowest processor-specific section type */
SHT_HIPROC = 0x7fffffff /* Highest processor-specific section type */
} s_type32_e;
typedef s_type32_e s_type64_e;
string ReservedSectionName( s_name32_e id ) {
local char buf[255];
if( id == SHN_UNDEF ) return "SHN_UNDEF";
if( id >= SHN_LOPROC && id <= SHN_HIPROC ) {
SPrintf( buf, "SHN_PROC_%02X", id - SHN_LOPROC );
return buf;
}
if( id >= SHN_LOOS && id <= SHN_HIOS ) {
SPrintf( buf, "SHN_OS_%02X", id - SHN_LOOS );
return buf;
}
if( id == SHN_ABS ) return "SHN_ABS";
if( id == SHN_COMMON ) return "SHN_COMMON";
SPrintf( buf, "SHN_RESERVE_%02X", id - SHN_LORESERVE );
return buf;
}
// Program Table 32/64 bit
typedef struct { //32bit
local quad off = FTell();
p_type32_e p_type;
Elf32_Off p_offset_FROM_FILE_BEGIN <format=hex>;
Elf32_Addr p_vaddr_VIRTUAL_ADDRESS;
Elf32_Addr p_paddr_PHYSICAL_ADDRESS;
Elf32_Word p_filesz_SEGMENT_FILE_LENGTH;
Elf32_Word p_memsz_SEGMENT_RAM_LENGTH;
p_flags32_e p_flags;
Elf32_Word p_align;
if( p_filesz_SEGMENT_FILE_LENGTH > 0 ) {
FSeek(p_offset_FROM_FILE_BEGIN);
char p_data[p_filesz_SEGMENT_FILE_LENGTH];
}
FSeek(off + file.elf_header.e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE);
} program_table_entry32_t <read=ProgramInfo32,optimize=false>;
typedef struct { //64bit
local quad off = FTell();
p_type64_e p_type;
p_flags64_e p_flags;
Elf64_Off p_offset_FROM_FILE_BEGIN <format=hex>;
Elf64_Addr p_vaddr_VIRTUAL_ADDRESS;
Elf64_Addr p_paddr_PHYSICAL_ADDRESS;
Elf64_Xword p_filesz_SEGMENT_FILE_LENGTH;
Elf64_Xword p_memsz_SEGMENT_RAM_LENGTH;
Elf64_Xword p_align;
if( p_filesz_SEGMENT_FILE_LENGTH > 0 ) {
FSeek(p_offset_FROM_FILE_BEGIN);
char p_data[p_filesz_SEGMENT_FILE_LENGTH];
}
FSeek(off + file.elf_header.e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE);
} program_table_entry64_t <read=ProgramInfo64,optimize=false>;
string ProgramType( p_type64_e type ) {
switch( type ) {
case PT_NULL: return "NULL";
case PT_LOAD: return "Loadable Segment";
case PT_DYNAMIC: return "Dynamic Segment";
case PT_INERP: return "Interpreter Path";
case PT_NOTE: return "Note";
case PT_SHLIB: return "PT_SHLIB";
case PT_PHDR: return "Program Header";
default: return "Unknown Section";
}
}
string ProgramFlags( p_flags64_e flags ) {
local string rv = "(";
rv += ( flags & PF_Read ) ? "R" : "_";
rv += ( flags & PF_Write ) ? "W" : "_";
rv += ( flags & PF_Exec ) ? "X" : "_";
rv += ")";
return rv;
}
string ProgramInfo64( program_table_entry64_t &ent ) {
return ProgramFlags( ent.p_flags ) + " " + ProgramType( ent.p_type );
}
string ProgramInfo32( program_table_entry32_t &ent ) {
return ProgramFlags( ent.p_flags ) + " " + ProgramType( ent.p_type );
}
// ************************************* Section Table ***************************************
typedef enum <Elf32_Xword> {
SF32_None =0,
SF32_Exec =1,
SF32_Alloc =2,
SF32_Alloc_Exec =3,
SF32_Write =4,
SF32_Write_Exec =5,
SF32_Write_Alloc =6,
SF32_Write_Alloc_Exec =7
} s_flags32_e;
typedef enum <Elf64_Xword> {
SF64_None =0,
SF64_Exec =1,
SF64_Alloc =2,
SF64_Alloc_Exec =3,
SF64_Write =4,
SF64_Write_Exec =5,
SF64_Write_Alloc =6,
SF64_Write_Alloc_Exec =7
} s_flags64_e;
// Pointer to where the next name is located
local quad section_name_block_off;
typedef struct {
s_name32_e s_name_off <format=hex>;
local quad off = FTell();
FSeek( section_name_block_off + s_name_off );
string s_name_str;
FSeek( off );
} s_name32_t <read=SectionName>;
typedef s_name32_t s_name64_t;
string SectionName( s_name32_t &sect ) {
if( sect.s_name_off > SHN_UNDEF && sect.s_name_off < SHN_LORESERVE ) {
return sect.s_name_str;
}
return ReservedSectionName( sect.s_name_off );
}
typedef struct { //64bit
local quad off = FTell();
s_name64_t s_name; /* Section name */
s_type64_e s_type; /* Section type */
s_flags64_e s_flags; /* Section attributes */
Elf64_Addr s_addr; /* Virtual address in memory */
Elf64_Off s_offset <format=hex>; /* Offset in file */
Elf64_Xword s_size; /* Size of section */
Elf64_Word s_link; /* Link to other section */
Elf64_Word s_info; /* Miscellaneous information */
Elf64_Xword s_addralign; /* Address alignment boundary */
Elf64_Xword s_entsize; /* Entry size, if section has table */
if( s_type != SHT_NOBITS && s_type != SHT_NULL && s_size > 0 ) {
FSeek(s_offset);
char data[s_size];
}
FSeek(off + file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE);
} section_table_entry64_t <optimize=false>;
// Section Table 32/64 bit
typedef struct { //32bit
local quad off = FTell();
s_name32_t s_name; /* Section name */
s_type32_e s_type; /* Section type */
s_flags32_e s_flags; /* Section attributes */
Elf32_Addr s_addr; /* Virtual address in memory */
Elf32_Off s_offset <format=hex>; /* Offset in file */
Elf32_Xword s_size; /* Size of section */
Elf32_Word s_link; /* Link to other section */
Elf32_Word s_info; /* Miscellaneous information */
Elf32_Xword s_addralign; /* Address alignment boundary*/
Elf32_Xword s_entsize; /* Entry size, if section has table */
if( s_type != SHT_NOBITS && s_type != SHT_NULL && s_size > 0 ) {
FSeek(s_offset);
char s_data[s_size];
}
FSeek(off + file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE);
} section_table_entry32_t <read=SectionName32,optimize=false>;
string SectionName64( section_table_entry64_t &sect ) {
return SectionName( sect.s_name );
}
string SectionName32( section_table_entry32_t &sect ) {
return SectionName( sect.s_name );
}
// ************************************** Symbol Table ***************************************
local quad symbol_name_block_off;
typedef struct {
Elf32_Word sym_name_off <format=hex>; /* Symbol table name offset */
local quad off = FTell();
FSeek( symbol_name_block_off + sym_name_off );
string sym_name_str;
FSeek( off );
} sym_name32_t <read=SymbolName,optimize=false>;
typedef sym_name32_t sym_name64_t;
string SymbolName( sym_name32_t &sym ) {
if( sym.sym_name_off > 0 ) {
return sym.sym_name_str;
}
return "<Undefined>";
}
typedef enum <unsigned char> {
STB_LOCAL = 0,
STB_GLOBAL = 1,
STB_WEAK = 2,
STB_OS_1 = 10,
STB_OS_2 = 11,
STB_OS_3 = 12,
STB_PROC_1 = 13,
STB_PROC_2 = 14,
STB_PROC_3 = 15
} sym_info_bind_e;
typedef enum <unsigned char> {
STT_NOTYPE = 0,
STT_OBJECT = 1,
STT_FUNC = 2,
STT_SECTION = 3,
STT_FILE = 4,
STT_OS_1 = 10,
STT_OS_2 = 11,
STT_OS_3 = 12,
STT_PROC_1 = 13,
STT_PROC_2 = 14,
STT_PROC_3 = 15
} sym_info_type_e;
typedef struct {
BitfieldDisablePadding();
if( IsBigEndian() ) {
uchar sym_info_bind:4;
uchar sym_info_type:4;
} else {
uchar sym_info_type:4;
uchar sym_info_bind:4;
}
BitfieldEnablePadding();
} sym_info_t <read=SymInfoEnums>;
string SymInfoEnums( sym_info_t &info ) {
local sym_info_bind_e x = info.sym_info_bind;
local sym_info_type_e y = info.sym_info_type;
return EnumToString( x ) + " | " + EnumToString( y );
}
typedef struct {
Elf64_Word sym_name; /* Symbol name */
unsigned char sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf64_Half sym_shndx; /* Section table index */
Elf64_Addr sym_value; /* Symbol value */
Elf64_Xword sym_size; /* Size of object (e.g., common) */
} Elf64_Sym_fixed;
typedef struct {
Elf32_Word sym_name; /* Symbol name */
Elf32_Addr sym_value; /* Symbol value */
Elf32_Xword sym_size; /* Size of object (e.g., common) */
unsigned char sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf32_Half sym_shndx; /* Section table index */
} Elf32_Sym_fixed;
typedef struct {
sym_name64_t sym_name; /* Symbol name */
sym_info_t sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf64_Half sym_shndx; /* Section table index */
Elf64_Addr sym_value; /* Symbol value */
Elf64_Xword sym_size; /* Size of object (e.g., common) */
if( sym_size && SectionHasData( sym_shndx ) ) {
local quad off = FTell();
FSeek( SectionVAddrOffset( sym_shndx, sym_value ) );
char sym_data[sym_size];
FSeek( off );
}
} Elf64_Sym <read=SymbolName64,optimize=false>;
typedef struct {
sym_name32_t sym_name; /* Symbol name */
Elf32_Addr sym_value; /* Symbol value */
Elf32_Xword sym_size; /* Size of object (e.g., common) */
sym_info_t sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf32_Half sym_shndx; /* Section table index */
if( sym_size && SectionHasData( sym_shndx ) ) {
local quad off = FTell();
FSeek( SectionVAddrOffset( sym_shndx, sym_value ) );
char sym_data[sym_size];
FSeek( off );
}
} Elf32_Sym <read=SymbolName32,optimize=false>;
string SymbolName64( Elf64_Sym &sym ) {
return ( sym.sym_size ? "" : "[U] " ) + SymbolName( sym.sym_name );
}
string SymbolName32( Elf32_Sym &sym ) {
return ( sym.sym_size ? "" : "[U] " ) + SymbolName( sym.sym_name );
}
// **************************************** ELF File *****************************************
local int iter;
int FindNamedSection( string sect ) {
// local int iter;
for( iter=0; iter < file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES; iter++ ) {
if( Strcmp( file.section_header_table.section_table_element[ iter ].s_name.s_name_str, sect ) == 0 ) {
return iter;
}
}
return -1;
}
quad FindNamedSectionBlock( string sect ) {
local int off = FindNamedSection( sect );
if( off != -1 )
return file.section_header_table.section_table_element[off].s_offset;
return -1;
}
int SectionHasData( Elf64_Half s_index ) {
// This is ridiculously slow for some reason, so cache our results in an array
if( sec_tbl_elem[s_index] == -1 ) {
sec_tbl_elem[s_index] = exists( file.section_header_table.section_table_element[s_index].s_data );
}
return sec_tbl_elem[s_index];
}
quad SectionVAddrOffset( Elf64_Half s_index, Elf64_Addr s_vaddr ) {
if( s_index < file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES ) {
return file.section_header_table.section_table_element[s_index].s_offset + s_vaddr -
file.section_header_table.section_table_element[s_index].s_addr;
}
return 0;
}
// Structure of elf
struct {
local int i;
for( i=0; i<255; i++ ) {
sec_tbl_elem[i] = -1;
}
struct {
e_ident_t e_ident;
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 )
{
//32-Bit definitions of ELF Header
e_type32_e e_type;
e_machine32_e e_machine;
e_version32_e e_version;
Elf32_Addr e_entry_START_ADDRESS;
Elf32_Off e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE;
Elf32_Off e_shoff_SECTION_HEADER_OFFSET_IN_FILE;
Elf32_Word e_flags;
Elf32_Half e_ehsize_ELF_HEADER_SIZE;
Elf32_Half e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE;
Elf32_Half e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES;
Elf32_Half e_shentzise_SECTION_HEADER_ENTRY_SIZE;
Elf32_Half e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES;
Elf32_Half e_shtrndx_STRING_TABLE_INDEX;
}
else
{
//64-Bit definitions of ELF Header
e_type64_e e_type;
e_machine64_e e_machine;
e_version64_e e_version;
Elf64_Addr e_entry_START_ADDRESS;
Elf64_Off e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE;
Elf64_Off e_shoff_SECTION_HEADER_OFFSET_IN_FILE;
Elf32_Word e_flags;
Elf64_Half e_ehsize_ELF_HEADER_SIZE;
Elf64_Half e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE;
Elf64_Half e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES;
Elf64_Half e_shentzise_SECTION_HEADER_ENTRY_SIZE;
Elf64_Half e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES;
Elf64_Half e_shtrndx_STRING_TABLE_INDEX;
}
} elf_header;
// Find the program table
if( file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES > 0 ) {
FSeek(file.elf_header.e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE);
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
program_table_entry32_t program_table_element[file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES];
} else {
program_table_entry64_t program_table_element[file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES];
}
} program_header_table;
}
// Find the header name location
local quad section_name_off =
file.elf_header.e_shoff_SECTION_HEADER_OFFSET_IN_FILE +
( file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE *
file.elf_header.e_shtrndx_STRING_TABLE_INDEX );
// Find the header name block
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
if( FileSize() >= section_name_off + 2 * sizeof( Elf32_Word ) +
sizeof( Elf32_Xword ) + sizeof( Elf32_Addr ) )
section_name_block_off = ReadUInt( section_name_off + 2 * sizeof( Elf32_Word ) +
sizeof( Elf32_Xword ) + sizeof( Elf32_Addr ) );
else {
Printf("Invalid section header found, skipping!\n");
Warning("Invalid section header found, skipped and attempting to continue...");
}
} else {
if( FileSize() >= section_name_off + 2 * sizeof( Elf64_Word ) +
sizeof( Elf64_Xword ) + sizeof( Elf64_Addr ) )
section_name_block_off = ReadUQuad( section_name_off + 2 * sizeof( Elf64_Word ) +
sizeof( Elf64_Xword ) + sizeof( Elf64_Addr ) );
else {
Printf("Invalid section header found, skipping!\n");
Warning("Invalid section header found, skipped and attempting to continue...");
}
}
local int sec_tbl_cur_elem;
// Find the section headers
if( file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES > 0 ) {
FSeek(file.elf_header.e_shoff_SECTION_HEADER_OFFSET_IN_FILE);
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
sec_tbl_cur_elem = 0;
section_table_entry32_t section_table_element[file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES];
} else {
sec_tbl_cur_elem = 0;
section_table_entry64_t section_table_element[file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES];
}
} section_header_table;
}
local int sym_sect;
local int sym_name_sect;
// Find the symbol section
sym_sect = FindNamedSection( ".symtab" );
if( sym_sect >= 0 ) {
sym_name_sect = file.section_header_table.section_table_element[sym_sect].s_link;
symbol_name_block_off = file.section_header_table.section_table_element[sym_name_sect].s_offset;
FSeek( file.section_header_table.section_table_element[sym_sect].s_offset );
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
Elf32_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf32_Sym_fixed)];
} else {
Elf64_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf64_Sym_fixed)];
}
} symbol_table;
}
// Find the dynamic symbol section
sym_sect = FindNamedSection( ".dynsym" );
if( sym_sect >= 0 ) {
sym_name_sect = file.section_header_table.section_table_element[sym_sect].s_link;
symbol_name_block_off = file.section_header_table.section_table_element[sym_name_sect].s_offset;
FSeek( file.section_header_table.section_table_element[sym_sect].s_offset );
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
Elf32_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf32_Sym_fixed)];
} else {
Elf64_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf64_Sym_fixed)];
}
} dynamic_symbol_table;
}
} file;

795
cparser/ELFTemplate.new.bt Normal file
View File

@ -0,0 +1,795 @@
//----------------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ELFTemplate.bt
// Author: 010Editor (Unknown?)
// Tim "diff" Strazzere <diff@lookout.com> <strazz@gmail.com>
// Revision: 2.2
// Purpose: Defines a template for
// parsing ELF 32-bit and 64-bit files.
//----------------------------------------
//
// Version 2.2
// FIXED:
// - Fixed issues if the section header count is greater
// the actual number of sections that exist.
// More information;
// http://dustri.org/b/?p=832
//
// Version 2.1
// FIXED:
// - Fixed issue with local variables so it's actually
// runnable inside v4.0.3
// Define structures used in ELF files
// ELF Header Types
// ELF identification element
// Accelerate a slow lookup with an array
local int sec_tbl_elem[255];
typedef enum <uchar> {
ELFCLASSNONE =0,
ELFCLASS32 =1,
ELFCLASS64 =2
}ei_class_2_e;
typedef enum <uchar> {
ELFDATAONE =0,
ELFDATA2LSB =1,
ELFDATA2MSB =2
}ei_data_e;
typedef enum <uchar> {
E_NONE =0,
E_CURRENT =1
}ei_version_e;
typedef enum <uchar> {
ELFOSABI_NONE =0, //No extensions or unspecified
ELFOSABI_HPUX =1, //Hewlett-Packard HP-UX
ELFOSABI_NETBSD =2, //NetBSD
ELFOSABI_SOLARIS=6, //Sun Solaris
ELFOSABI_AIX =7, //AIX
ELFOSABI_IRIX =8, //IRIX
ELFOSABI_FREEBSD=9, //FreeBSD
ELFOSABI_TRU64 =10, //Compaq TRU64 UNIX
ELFOSABI_MODESTO=11, //Novell Modesto
ELFOSABI_OPENBSD=12, //Open BSD
ELFOSABI_OPENVMS=13, //Open VMS
ELFOSABI_NSK =14, //Hewlett-Packard Non-Stop Kernel
ELFOSABI_AROS =15 //Amiga Research OS
}ei_osabi_e;
typedef struct {
char file_identification[4];
ei_class_2_e ei_class_2;
ei_data_e ei_data;
if( ei_data == ELFDATA2LSB ) {
LittleEndian();
} else {
BigEndian();
}
ei_version_e ei_version;
ei_osabi_e ei_osabi;
uchar ei_abiversion;
uchar ei_pad[6];
uchar ei_nident_SIZE;
} e_ident_t;
// Elf Data Types for 32/64 bit
//32 bit
typedef uint32 Elf32_Word;
typedef uint32 Elf32_Off;
typedef uint32 Elf32_Addr <read=VAddr32>;
typedef uint16 Elf32_Half;
typedef uint32 Elf32_Xword;
//64 bit
typedef uint32 Elf64_Word;
typedef uint64 Elf64_Off;
typedef uint64 Elf64_Addr <read=VAddr64>;
typedef uint16 Elf64_Half;
typedef uint64 Elf64_Xword;
string VAddr32( Elf32_Addr &addr ) {
local char buf[128];
SPrintf( buf, "0x%08X", addr );
return buf;
}
string VAddr64( Elf64_Addr &addr ) {
local char buf[128];
SPrintf( buf, "0x%016LX", addr );
return buf;
}
typedef enum <Elf32_Half> {
ET_NONE =0,
ET_REL =1,
ET_EXEC =2,
ET_DYN =3,
ET_CORE =4,
ET_LOOS =0xfe00,
ET_HIOS =0xfeff,
ET_LOPROC =0xff00,
ET_HIPROC =0xffff
} e_type32_e;
typedef e_type32_e e_type64_e;
typedef enum <Elf32_Half> { // list has to to be completed
EM_NONE =0, //No machine
EM_M32 =1, //AT&T WE 32100
EM_SPARC =2, //SPARC
EM_386 =3, //Intel 80386
EM_68K =4, //Motorola 68000
EM_88K =5, //Motorola 88000
reserved6 =6, //Reserved for future use (was EM_486)
EM_860 =7, //Intel 80860
EM_MIPS =8, //MIPS I Architecture
EM_S370 =9, //IBM System/370 Processor
EM_MIPS_RS3_LE =10, //MIPS RS3000 Little-endian
reserved11 =11, //Reserved for future use
reserved12 =12, //Reserved for future use
reserved13 =13, //Reserved for future use
reserved14 =14, //Reserved for future use
EM_PARISC =15, //Hewlett-Packard PA-RISC
reserved16 =16, //Reserved for future use
EM_VPP500 =17, //Fujitsu VPP500
EM_SPARC32PLUS =18, //Enhanced instruction set SPARC
EM_960 =19, //Intel 80960
EM_PPC =20, //PowerPC
EM_PPC64 =21, //64-bit PowerPC
EM_S390 =22, //IBM System/390 Processor
reserved23 =23, //Reserved for future use
reserved24 =24, //Reserved for future use
reserved25 =25, //Reserved for future use
reserved26 =26, //Reserved for future use
reserved27 =27, //Reserved for future use
reserved28 =28, //Reserved for future use
reserved29 =29, //Reserved for future use
reserved30 =30, //Reserved for future use
reserved31 =31, //Reserved for future use
reserved32 =32, //Reserved for future use
reserved33 =33, //Reserved for future use
reserved34 =34, //Reserved for future use
reserved35 =35, //Reserved for future use
EM_V800 =36, //NEC V800
EM_FR20 =37, //Fujitsu FR20
EM_RH32 =38, //TRW RH-32
EM_RCE =39, //Motorola RCE
EM_ARM =40, //Advanced RISC Machines ARM
EM_ALPHA =41, //Digital Alpha
EM_SH =42, //Hitachi SH
EM_SPARCV9 =43, //SPARC Version 9
EM_TRICORE =44, //Siemens TriCore embedded processor
EM_ARC =45, //Argonaut RISC Core, Argonaut Technologies Inc.
EM_H8_300 =46, //Hitachi H8/300
EM_H8_300H =47, //Hitachi H8/300H
EM_H8S =48, //Hitachi H8S
EM_H8_500 =49, //Hitachi H8/500
EM_IA_64 =50, //Intel IA-64 processor architecture
EM_MIPS_X =51, //Stanford MIPS-X
EM_COLDFIRE =52, //Motorola ColdFire
EM_68HC12 =53, //Motorola M68HC12
EM_MMA =54, //Fujitsu MMA Multimedia Accelerator
EM_PCP =55, //Siemens PCP
EM_NCPU =56, //Sony nCPU embedded RISC processor
EM_NDR1 =57, //Denso NDR1 microprocessor
EM_STARCORE =58, //Motorola Star*Core processor
EM_ME16 =59, //Toyota ME16 processor
EM_ST100 =60, //STMicroelectronics ST100 processor
EM_TINYJ =61, //Advanced Logic Corp. TinyJ embedded processor family
EM_X86_64 =62, //AMD x86-64 architecture
EM_PDSP =63, //Sony DSP Processor
EM_PDP10 =64, //Digital Equipment Corp. PDP-10
EM_PDP11 =65, //Digital Equipment Corp. PDP-11
EM_FX66 =66, //Siemens FX66 microcontroller
EM_ST9PLUS =67, //STMicroelectronics ST9+ 8/16 bit microcontroller
EM_ST7 =68, //STMicroelectronics ST7 8-bit microcontroller
EM_68HC16 =69, //Motorola MC68HC16 Microcontroller
EM_68HC11 =70, //Motorola MC68HC11 Microcontroller
EM_68HC08 =71, //Motorola MC68HC08 Microcontroller
EM_68HC05 =72, //Motorola MC68HC05 Microcontroller
EM_SVX =73, //Silicon Graphics SVx
EM_ST19 =75, //Digital VAX
EM_CRIS =76, //Axis Communications 32-bit embedded processor
EM_JAVELIN =77, //Infineon Technologies 32-bit embedded processor
EM_FIREPATH =78, //Element 14 64-bit DSP Processor
EM_ZSP =79, //LSI Logic 16-bit DSP Processor
EM_MMIX =80, //Donald Knuth's educational 64-bit processor
EM_HUANY =81, //Harvard University machine-independent object files
EM_PRISM =82, //SiTera Prism
EM_AVR =83, //Atmel AVR 8-bit microcontroller
EM_FR30 =84, //Fujitsu FR30
EM_D10V =85, //Mitsubishi D10V
EM_D30V =86, //Mitsubishi D30V
EM_V850 =87, //NEC v850
EM_M32R =88, //Mitsubishi M32R
EM_MN10300 =89, //Matsushita MN10300
EM_MN10200 =90, //Matsushita MN10200
EM_PJ =91, //picoJava
EM_OPENRISC =92, //OpenRISC 32-bit embedded processor
EM_ARC_A5 =93, //ARC Cores Tangent-A5
EM_XTENSA =94, //Tensilica Xtensa Architecture
EM_VIDEOCORE =95, //Alphamosaic VideoCore processor
EM_TMM_GPP =96, //Thompson Multimedia General Purpose Processor
EM_NS32K =97, //National Semiconductor 32000 series
EM_TPC =98, //Tenor Network TPC processor
EM_SNP1K =99, //Trebia SNP 1000 processor
EM_ST200 =100, //STMicroelectronics (www.st.com) ST200 microcontroller
EM_IP2K =101, //Ubicom IP2xxx microcontroller family
EM_MAX =102, //MAX Processor
EM_CR =103, //National Semiconductor CompactRISC microprocessor
EM_F2MC16 =104, //Fujitsu F2MC16
EM_MSP430 =105, //Texas Instruments embedded microcontroller msp430
EM_BLACKFIN =106, //Analog Devices Blackfin (DSP) processor
EM_SE_C33 =107, //S1C33 Family of Seiko Epson processors
EM_SEP =108, //Sharp embedded microprocessor
EM_ARCA =109, //Arca RISC Microprocessor
EM_UNICORE =110 //Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University
} e_machine32_e;
typedef e_machine32_e e_machine64_e;
typedef enum <Elf32_Word> {
EV_NONE =0,
EV_CURRENT =1
} e_version32_e;
typedef e_version32_e e_version64_e;
// Program Header Types
typedef enum <Elf32_Word> {
PT_NULL =0,
PT_LOAD =1,
PT_DYNAMIC =2,
PT_INERP =3,
PT_NOTE =4,
PT_SHLIB =5,
PT_PHDR =6,
PT_LOOS =0x60000000,
PT_HIOS =0x6fffffff,
PT_LOPROC =0x70000000,
PT_HIPROC =0x7fffffff
} p_type32_e;
typedef p_type32_e p_type64_e;
typedef enum <Elf32_Word> {
PF_None =0,
PF_Exec =1,
PF_Write =2,
PF_Write_Exec =3,
PF_Read =4,
PF_Read_Exec =5,
PF_Read_Write =6,
PF_Read_Write_Exec =7
} p_flags32_e;
typedef p_flags32_e p_flags64_e;
typedef enum <Elf32_Word> {
SHN_UNDEF = 0, /* undefined, e.g. undefined symbol */
SHN_LORESERVE = 0xff00, /* Lower bound of reserved indices */
SHN_LOPROC = 0xff00, /* Lower bound processor-specific index */
SHN_HIPROC = 0xff1f, /* Upper bound processor-specific index */
SHN_LOOS = 0xff20, /* Lower bound OS-specific index */
SHN_HIOS = 0xff3f, /* Upper bound OS-specific index */
SHN_ABS = 0xfff1, /* Absolute value, not relocated */
SHN_COMMON = 0xfff2, /* FORTRAN common or unallocated C */
SHN_HIRESERVE = 0xffff /* Upper bound of reserved indices */
} s_name32_e;
typedef s_name32_e s_name64_e;
typedef enum <Elf32_Word> {
SHT_NULL = 0, /* Inactive section header */
SHT_PROGBITS = 1, /* Information defined by the program */
SHT_SYMTAB = 2, /* Symbol table - not DLL */
SHT_STRTAB = 3, /* String table */
SHT_RELA = 4, /* Explicit addend relocations, Elf64_Rela */
SHT_HASH = 5, /* Symbol hash table */
SHT_DYNAMIC = 6, /* Information for dynamic linking */
SHT_NOTE = 7, /* A Note section */
SHT_NOBITS = 8, /* Like SHT_PROGBITS with no data */
SHT_REL = 9, /* Implicit addend relocations, Elf64_Rel */
SHT_SHLIB = 10, /* Currently unspecified semantics */
SHT_DYNSYM = 11, /* Symbol table for a DLL */
SHT_LOOS = 0x60000000, /* Lowest OS-specific section type */
SHT_HIOS = 0x6fffffff, /* Highest OS-specific section type */
SHT_LOPROC = 0x70000000, /* Lowest processor-specific section type */
SHT_HIPROC = 0x7fffffff /* Highest processor-specific section type */
} s_type32_e;
typedef s_type32_e s_type64_e;
string ReservedSectionName( s_name32_e id ) {
local char buf[255];
if( id == SHN_UNDEF ) return "SHN_UNDEF";
if( id >= SHN_LOPROC && id <= SHN_HIPROC ) {
SPrintf( buf, "SHN_PROC_%02X", id - SHN_LOPROC );
return buf;
}
if( id >= SHN_LOOS && id <= SHN_HIOS ) {
SPrintf( buf, "SHN_OS_%02X", id - SHN_LOOS );
return buf;
}
if( id == SHN_ABS ) return "SHN_ABS";
if( id == SHN_COMMON ) return "SHN_COMMON";
SPrintf( buf, "SHN_RESERVE_%02X", id - SHN_LORESERVE );
return buf;
}
// Program Table 32/64 bit
typedef struct { //32bit
local quad off = FTell();
p_type32_e p_type;
Elf32_Off p_offset_FROM_FILE_BEGIN <format=hex>;
Elf32_Addr p_vaddr_VIRTUAL_ADDRESS;
Elf32_Addr p_paddr_PHYSICAL_ADDRESS;
Elf32_Word p_filesz_SEGMENT_FILE_LENGTH;
Elf32_Word p_memsz_SEGMENT_RAM_LENGTH;
p_flags32_e p_flags;
Elf32_Word p_align;
if( p_filesz_SEGMENT_FILE_LENGTH > 0 ) {
FSeek(p_offset_FROM_FILE_BEGIN);
char p_data[p_filesz_SEGMENT_FILE_LENGTH];
}
FSeek(off + file.elf_header.e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE);
} program_table_entry32_t <read=ProgramInfo32,optimize=false>;
typedef struct { //64bit
local quad off = FTell();
p_type64_e p_type;
p_flags64_e p_flags;
Elf64_Off p_offset_FROM_FILE_BEGIN <format=hex>;
Elf64_Addr p_vaddr_VIRTUAL_ADDRESS;
Elf64_Addr p_paddr_PHYSICAL_ADDRESS;
Elf64_Xword p_filesz_SEGMENT_FILE_LENGTH;
Elf64_Xword p_memsz_SEGMENT_RAM_LENGTH;
Elf64_Xword p_align;
if( p_filesz_SEGMENT_FILE_LENGTH > 0 ) {
FSeek(p_offset_FROM_FILE_BEGIN);
char p_data[p_filesz_SEGMENT_FILE_LENGTH];
}
FSeek(off + file.elf_header.e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE);
} program_table_entry64_t <read=ProgramInfo64,optimize=false>;
string ProgramType( p_type64_e type ) {
switch( type ) {
case PT_NULL: return "NULL";
case PT_LOAD: return "Loadable Segment";
case PT_DYNAMIC: return "Dynamic Segment";
case PT_INERP: return "Interpreter Path";
case PT_NOTE: return "Note";
case PT_SHLIB: return "PT_SHLIB";
case PT_PHDR: return "Program Header";
default: return "Unknown Section";
}
}
string ProgramFlags( p_flags64_e flags ) {
local string rv = "(";
rv += ( flags & PF_Read ) ? "R" : "_";
rv += ( flags & PF_Write ) ? "W" : "_";
rv += ( flags & PF_Exec ) ? "X" : "_";
rv += ")";
return rv;
}
string ProgramInfo64( program_table_entry64_t &ent ) {
return ProgramFlags( ent.p_flags ) + " " + ProgramType( ent.p_type );
}
string ProgramInfo32( program_table_entry32_t &ent ) {
return ProgramFlags( ent.p_flags ) + " " + ProgramType( ent.p_type );
}
// ************************************* Section Table ***************************************
typedef enum <Elf32_Xword> {
SF32_None =0,
SF32_Exec =1,
SF32_Alloc =2,
SF32_Alloc_Exec =3,
SF32_Write =4,
SF32_Write_Exec =5,
SF32_Write_Alloc =6,
SF32_Write_Alloc_Exec =7
} s_flags32_e;
typedef enum <Elf64_Xword> {
SF64_None =0,
SF64_Exec =1,
SF64_Alloc =2,
SF64_Alloc_Exec =3,
SF64_Write =4,
SF64_Write_Exec =5,
SF64_Write_Alloc =6,
SF64_Write_Alloc_Exec =7
} s_flags64_e;
// Pointer to where the next name is located
local quad section_name_block_off;
typedef struct {
s_name32_e s_name_off <format=hex>;
local quad off = FTell();
FSeek( section_name_block_off + s_name_off );
string s_name_str;
FSeek( off );
} s_name32_t <read=SectionName>;
typedef s_name32_t s_name64_t;
string SectionName( s_name32_t &sect ) {
if( sect.s_name_off > SHN_UNDEF && sect.s_name_off < SHN_LORESERVE ) {
return sect.s_name_str;
}
return ReservedSectionName( sect.s_name_off );
}
typedef struct { //64bit
local quad off = FTell();
s_name64_t s_name; /* Section name */
s_type64_e s_type; /* Section type */
s_flags64_e s_flags; /* Section attributes */
Elf64_Addr s_addr; /* Virtual address in memory */
Elf64_Off s_offset <format=hex>; /* Offset in file */
Elf64_Xword s_size; /* Size of section */
Elf64_Word s_link; /* Link to other section */
Elf64_Word s_info; /* Miscellaneous information */
Elf64_Xword s_addralign; /* Address alignment boundary */
Elf64_Xword s_entsize; /* Entry size, if section has table */
if( s_type != SHT_NOBITS && s_type != SHT_NULL && s_size > 0 ) {
FSeek(s_offset);
char data[s_size];
}
FSeek(off + file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE);
} section_table_entry64_t <optimize=false>;
// Section Table 32/64 bit
typedef struct { //32bit
local quad off = FTell();
s_name32_t s_name; /* Section name */
s_type32_e s_type; /* Section type */
s_flags32_e s_flags; /* Section attributes */
Elf32_Addr s_addr; /* Virtual address in memory */
Elf32_Off s_offset <format=hex>; /* Offset in file */
Elf32_Xword s_size; /* Size of section */
Elf32_Word s_link; /* Link to other section */
Elf32_Word s_info; /* Miscellaneous information */
Elf32_Xword s_addralign; /* Address alignment boundary*/
Elf32_Xword s_entsize; /* Entry size, if section has table */
if( s_type != SHT_NOBITS && s_type != SHT_NULL && s_size > 0 ) {
FSeek(s_offset);
char s_data[s_size];
}
FSeek(off + file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE);
} section_table_entry32_t <read=SectionName32,optimize=false>;
string SectionName64( section_table_entry64_t &sect ) {
return SectionName( sect.s_name );
}
string SectionName32( section_table_entry32_t &sect ) {
return SectionName( sect.s_name );
}
// ************************************** Symbol Table ***************************************
local quad symbol_name_block_off;
typedef struct {
Elf32_Word sym_name_off <format=hex>; /* Symbol table name offset */
local quad off = FTell();
FSeek( symbol_name_block_off + sym_name_off );
string sym_name_str;
FSeek( off );
} sym_name32_t <read=SymbolName,optimize=false>;
typedef sym_name32_t sym_name64_t;
string SymbolName( sym_name32_t &sym ) {
if( sym.sym_name_off > 0 ) {
return sym.sym_name_str;
}
return "<Undefined>";
}
typedef enum <unsigned char> {
STB_LOCAL = 0,
STB_GLOBAL = 1,
STB_WEAK = 2,
STB_OS_1 = 10,
STB_OS_2 = 11,
STB_OS_3 = 12,
STB_PROC_1 = 13,
STB_PROC_2 = 14,
STB_PROC_3 = 15
} sym_info_bind_e;
typedef enum <unsigned char> {
STT_NOTYPE = 0,
STT_OBJECT = 1,
STT_FUNC = 2,
STT_SECTION = 3,
STT_FILE = 4,
STT_OS_1 = 10,
STT_OS_2 = 11,
STT_OS_3 = 12,
STT_PROC_1 = 13,
STT_PROC_2 = 14,
STT_PROC_3 = 15
} sym_info_type_e;
typedef struct {
BitfieldDisablePadding();
if( IsBigEndian() ) {
uchar sym_info_bind:4;
uchar sym_info_type:4;
} else {
uchar sym_info_type:4;
uchar sym_info_bind:4;
}
BitfieldEnablePadding();
} sym_info_t <read=SymInfoEnums>;
string SymInfoEnums( sym_info_t &info ) {
local sym_info_bind_e x = info.sym_info_bind;
local sym_info_type_e y = info.sym_info_type;
return EnumToString( x ) + " | " + EnumToString( y );
}
typedef struct {
Elf64_Word sym_name; /* Symbol name */
unsigned char sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf64_Half sym_shndx; /* Section table index */
Elf64_Addr sym_value; /* Symbol value */
Elf64_Xword sym_size; /* Size of object (e.g., common) */
} Elf64_Sym_fixed;
typedef struct {
Elf32_Word sym_name; /* Symbol name */
Elf32_Addr sym_value; /* Symbol value */
Elf32_Xword sym_size; /* Size of object (e.g., common) */
unsigned char sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf32_Half sym_shndx; /* Section table index */
} Elf32_Sym_fixed;
typedef struct {
sym_name64_t sym_name; /* Symbol name */
sym_info_t sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf64_Half sym_shndx; /* Section table index */
Elf64_Addr sym_value; /* Symbol value */
Elf64_Xword sym_size; /* Size of object (e.g., common) */
if( sym_size && SectionHasData( sym_shndx ) ) {
local quad off = FTell();
FSeek( SectionVAddrOffset( sym_shndx, sym_value ) );
char sym_data[sym_size];
FSeek( off );
}
} Elf64_Sym <read=SymbolName64,optimize=false>;
typedef struct {
sym_name32_t sym_name; /* Symbol name */
Elf32_Addr sym_value; /* Symbol value */
Elf32_Xword sym_size; /* Size of object (e.g., common) */
sym_info_t sym_info; /* Type and Binding attributes */
unsigned char sym_other; /* Reserved */
Elf32_Half sym_shndx; /* Section table index */
if( sym_size && SectionHasData( sym_shndx ) ) {
local quad off = FTell();
FSeek( SectionVAddrOffset( sym_shndx, sym_value ) );
char sym_data[sym_size];
FSeek( off );
}
} Elf32_Sym <read=SymbolName32,optimize=false>;
string SymbolName64( Elf64_Sym &sym ) {
return ( sym.sym_size ? "" : "[U] " ) + SymbolName( sym.sym_name );
}
string SymbolName32( Elf32_Sym &sym ) {
return ( sym.sym_size ? "" : "[U] " ) + SymbolName( sym.sym_name );
}
// **************************************** ELF File *****************************************
local int iter;
int FindNamedSection( string sect ) {
// local int iter;
for( iter=0; iter < file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES; iter++ ) {
if( Strcmp( file.section_header_table.section_table_element[ iter ].s_name.s_name_str, sect ) == 0 ) {
return iter;
}
}
return -1;
}
quad FindNamedSectionBlock( string sect ) {
local int off = FindNamedSection( sect );
if( off != -1 )
return file.section_header_table.section_table_element[off].s_offset;
return -1;
}
int SectionHasData( Elf64_Half s_index ) {
// This is ridiculously slow for some reason, so cache our results in an array
if( sec_tbl_elem[s_index] == -1 ) {
sec_tbl_elem[s_index] = exists( file.section_header_table.section_table_element[s_index].s_data );
}
return sec_tbl_elem[s_index];
}
quad SectionVAddrOffset( Elf64_Half s_index, Elf64_Addr s_vaddr ) {
if( s_index < file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES ) {
return file.section_header_table.section_table_element[s_index].s_offset + s_vaddr -
file.section_header_table.section_table_element[s_index].s_addr;
}
return 0;
}
// Structure of elf
struct {
local int i;
for( i=0; i<255; i++ ) {
sec_tbl_elem[i] = -1;
}
struct {
e_ident_t e_ident;
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 )
{
//32-Bit definitions of ELF Header
e_type32_e e_type;
e_machine32_e e_machine;
e_version32_e e_version;
Elf32_Addr e_entry_START_ADDRESS;
Elf32_Off e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE;
Elf32_Off e_shoff_SECTION_HEADER_OFFSET_IN_FILE;
Elf32_Word e_flags;
Elf32_Half e_ehsize_ELF_HEADER_SIZE;
Elf32_Half e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE;
Elf32_Half e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES;
Elf32_Half e_shentzise_SECTION_HEADER_ENTRY_SIZE;
Elf32_Half e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES;
Elf32_Half e_shtrndx_STRING_TABLE_INDEX;
}
else
{
//64-Bit definitions of ELF Header
e_type64_e e_type;
e_machine64_e e_machine;
e_version64_e e_version;
Elf64_Addr e_entry_START_ADDRESS;
Elf64_Off e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE;
Elf64_Off e_shoff_SECTION_HEADER_OFFSET_IN_FILE;
Elf32_Word e_flags;
Elf64_Half e_ehsize_ELF_HEADER_SIZE;
Elf64_Half e_phentsize_PROGRAM_HEADER_ENTRY_SIZE_IN_FILE;
Elf64_Half e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES;
Elf64_Half e_shentzise_SECTION_HEADER_ENTRY_SIZE;
Elf64_Half e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES;
Elf64_Half e_shtrndx_STRING_TABLE_INDEX;
}
} elf_header;
// Find the program table
if( file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES > 0 ) {
FSeek(file.elf_header.e_phoff_PROGRAM_HEADER_OFFSET_IN_FILE);
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
program_table_entry32_t program_table_element[file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES];
} else {
program_table_entry64_t program_table_element[file.elf_header.e_phnum_NUMBER_OF_PROGRAM_HEADER_ENTRIES];
}
} program_header_table;
}
// Find the header name location
local quad section_name_off =
file.elf_header.e_shoff_SECTION_HEADER_OFFSET_IN_FILE +
( file.elf_header.e_shentzise_SECTION_HEADER_ENTRY_SIZE *
file.elf_header.e_shtrndx_STRING_TABLE_INDEX );
// Find the header name block
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
if( FileSize() >= section_name_off + 2 * sizeof( Elf32_Word ) +
sizeof( Elf32_Xword ) + sizeof( Elf32_Addr ) )
section_name_block_off = ReadUInt( section_name_off + 2 * sizeof( Elf32_Word ) +
sizeof( Elf32_Xword ) + sizeof( Elf32_Addr ) );
else {
Printf("Invalid section header found, skipping!\n");
Warning("Invalid section header found, skipped and attempting to continue...");
}
} else {
if( FileSize() >= section_name_off + 2 * sizeof( Elf64_Word ) +
sizeof( Elf64_Xword ) + sizeof( Elf64_Addr ) )
section_name_block_off = ReadUQuad( section_name_off + 2 * sizeof( Elf64_Word ) +
sizeof( Elf64_Xword ) + sizeof( Elf64_Addr ) );
else {
Printf("Invalid section header found, skipping!\n");
Warning("Invalid section header found, skipped and attempting to continue...");
}
}
local int sec_tbl_cur_elem;
// Find the section headers
if( file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES > 0 ) {
FSeek(file.elf_header.e_shoff_SECTION_HEADER_OFFSET_IN_FILE);
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
sec_tbl_cur_elem = 0;
section_table_entry32_t section_table_element[file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES];
} else {
sec_tbl_cur_elem = 0;
section_table_entry64_t section_table_element[file.elf_header.e_shnum_NUMBER_OF_SECTION_HEADER_ENTRIES];
}
} section_header_table;
}
local int sym_sect;
local int sym_name_sect;
// Find the symbol section
sym_sect = FindNamedSection( ".symtab" );
if( sym_sect >= 0 ) {
sym_name_sect = file.section_header_table.section_table_element[sym_sect].s_link;
symbol_name_block_off = file.section_header_table.section_table_element[sym_name_sect].s_offset;
FSeek( file.section_header_table.section_table_element[sym_sect].s_offset );
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
Elf32_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf32_Sym_fixed)];
} else {
Elf64_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf64_Sym_fixed)];
}
} symbol_table;
}
// Find the dynamic symbol section
sym_sect = FindNamedSection( ".dynsym" );
if( sym_sect >= 0 ) {
sym_name_sect = file.section_header_table.section_table_element[sym_sect].s_link;
symbol_name_block_off = file.section_header_table.section_table_element[sym_name_sect].s_offset;
FSeek( file.section_header_table.section_table_element[sym_sect].s_offset );
struct {
if (file.elf_header.e_ident.ei_class_2 == ELFCLASS32 ) {
Elf32_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf32_Sym_fixed)];
} else {
Elf64_Sym symtab[file.section_header_table.section_table_element[sym_sect].s_size / sizeof(Elf64_Sym_fixed)];
}
} dynamic_symbol_table;
}
} file;

221
cparser/EMFTemplate.bt Normal file
View File

@ -0,0 +1,221 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File: EMFTemplate.bt
// Author: Dustin D. Trammell <dtrammell@dustintrammell.com>
// Revision: 0.1
// Date: 2008/04/08 - 2008/04/08
// Purpose: Parsing EMF files.
// References:
// MS-EMF: Enhanced Metafile Format Specification 2.1, Microsoft
//--------------------------------------
typedef enum <DWORD> {
EMR_HEADER = 0x00000001,
EMR_POLYBEZIER = 0x00000002,
EMR_POLYGON = 0x00000003,
EMR_POLYLINE = 0x00000004,
EMR_POLYBEZIERTO = 0x00000005,
EMR_POLYLINETO = 0x00000006,
EMR_POLYPOLYLINE = 0x00000007,
EMR_POLYPOLYGON = 0x00000008,
EMR_SETWINDOWEXTEX = 0x00000009,
EMR_SETWINDOWORGEX = 0x0000000A,
EMR_SETVIEWPORTEXTEX = 0x0000000B,
EMR_SETVIEWPORTORGEX = 0x0000000C,
EMR_SETBRUSHORGEX = 0x0000000D,
EMR_EOF = 0x0000000E,
EMR_SETPIXELV = 0x0000000F,
EMR_SETMAPPERFLAGS = 0x00000010,
EMR_SETMAPMODE = 0x00000011,
EMR_SETBKMODE = 0x00000012,
EMR_SETPOLYFILLMODE = 0x00000013,
EMR_SETROP2 = 0x00000014,
EMR_SETSTRETCHBLTMODE = 0x00000015,
EMR_SETTEXTALIGN = 0x00000016,
EMR_SETCOLORADJUSTMENT = 0x00000017,
EMR_SETTEXTCOLOR = 0x00000018,
EMR_SETBKCOLOR = 0x00000019,
EMR_OFFSETCLIPRGN = 0x0000001A,
EMR_MOVETOEX = 0x0000001B,
EMR_SETMETARGN = 0x0000001C,
EMR_EXCLUDECLIPRECT = 0x0000001D,
EMR_INTERSECTCLIPRECT = 0x0000001E,
EMR_SCALEVIEWPORTEXTEX = 0x0000001F,
EMR_SCALEWINDOWEXTEX = 0x00000020,
EMR_SAVEDC = 0x00000021,
EMR_RESTOREDC = 0x00000022,
EMR_SETWORLDTRANSFORM = 0x00000023,
EMR_MODIFYWORLDTRANSFORM = 0x00000024,
EMR_SELECTOBJECT = 0x00000025,
EMR_CREATEPEN = 0x00000026,
EMR_CREATEBRUSHINDIRECT = 0x00000027,
EMR_DELETEOBJECT = 0x00000028,
EMR_ANGLEARC = 0x00000029,
EMR_ELLIPSE = 0x0000002A,
EMR_RECTANGLE = 0x0000002B,
EMR_ROUNDRECT = 0x0000002C,
EMR_ARC = 0x0000002D,
EMR_CHORD = 0x0000002E,
EMR_PIE = 0x0000002F,
EMR_SELECTPALETTE = 0x00000030,
EMR_CREATEPALETTE = 0x00000031,
EMR_SETPALETTEENTRIES = 0x00000032,
EMR_RESIZEPALETTE = 0x00000033,
EMR_REALIZEPALETTE = 0x00000034,
EMR_EXTFLOODFILL = 0x00000035,
EMR_LINETO = 0x00000036,
EMR_ARCTO = 0x00000037,
EMR_POLYDRAW = 0x00000038,
EMR_SETARCDIRECTION = 0x00000039,
EMR_SETMITERLIMIT = 0x0000003A,
EMR_BEGINPATH = 0x0000003B,
EMR_ENDPATH = 0x0000003C,
EMR_CLOSEFIGURE = 0x0000003D,
EMR_FILLPATH = 0x0000003E,
EMR_STROKEANDFILLPATH = 0x0000003F,
EMR_STROKEPATH = 0x00000040,
EMR_FLATTENPATH = 0x00000041,
EMR_WIDENPATH = 0x00000042,
EMR_SELECTCLIPPATH = 0x00000043,
EMR_ABORTPATH = 0x00000044,
EMR_RESERVED_69 = 0x00000045,
EMR_COMMENT = 0x00000046,
EMR_FILLRGN = 0x00000047,
EMR_FRAMERGN = 0x00000048,
EMR_INVERTRGN = 0x00000049,
EMR_PAINTRGN = 0x0000004A,
EMR_EXTSELECTCLIPRGN = 0x0000004B,
EMR_BITBLT = 0x0000004C,
EMR_STRETCHBLT = 0x0000004D,
EMR_MASKBLT = 0x0000004E,
EMR_PLGBLT = 0x0000004F,
EMR_SETDIBITSTODEVICE = 0x00000050,
EMR_STRETCHDIBITS = 0x00000051,
EMR_EXTCREATEFONTINDIRECTW = 0x00000052,
EMR_EXTTEXTOUTA = 0x00000053,
EMR_EXTTEXTOUTW = 0x00000054,
EMR_POLYBEZIER16 = 0x00000055,
EMR_POLYGON16 = 0x00000056,
EMR_POLYLINE16 = 0x00000057,
EMR_POLYBEZIERTO16 = 0x00000058,
EMR_POLYLINETO16 = 0x00000059,
EMR_POLYPOLYLINE16 = 0x0000005A,
EMR_POLYPOLYGON16 = 0x0000005B,
EMR_POLYDRAW16 = 0x0000005C,
EMR_CREATEMONOBRUSH = 0x0000005D,
EMR_CREATEDIBPATTERNBRUSHPT = 0x0000005E,
EMR_EXTCREATEPEN = 0x0000005F,
EMR_POLYTEXTOUTA = 0x00000060,
EMR_POLYTEXTOUTW = 0x00000061,
EMR_SETICMMODE = 0x00000062,
EMR_CREATECOLORSPACE = 0x00000063,
EMR_SETCOLORSPACE = 0x00000064,
EMR_DELETECOLORSPACE = 0x00000065,
EMR_GLSRECORD = 0x00000066,
EMR_GLSBOUNDEDRECORD = 0x00000067,
EMR_PIXELFORMAT = 0x00000068,
EMR_DRAWESCAPE = 0x00000069,
EMR_EXTESCAPE = 0x0000006A,
EMR_RESERVED_107 = 0x0000006B,
EMR_SMALLTEXTOUT = 0x0000006C,
EMR_FORCEUFIMAPPING = 0x0000006D,
EMR_NAMEDESCAPE = 0x0000006E,
EMR_COLORCORRECTPALETTE = 0x0000006F,
EMR_SETICMPROFILEA = 0x00000070,
EMR_SETICMPROFILEW = 0x00000071,
EMR_ALPHABLEND = 0x00000072,
EMR_SETLAYOUT = 0x00000073,
EMR_TRANSPARENTBLT = 0x00000074,
EMR_RESERVED_117 = 0x00000075,
EMR_GRADIENTFILL = 0x00000076,
EMR_SETLINKEDUFIS = 0x00000077,
EMR_SETTEXTJUSTIFICATION = 0x00000078,
EMR_COLORMATCHTOTARGETW = 0x00000079,
EMR_CREATECOLORSPACEW = 0x0000007A
} RecordType;
typedef struct {
LONG cx;
LONG cy;
} SIZEL;
typedef struct _RECTL {
LONG left;
LONG top;
LONG right;
LONG bottom;
} RECTL;
typedef struct {
RecordType iType; // Record type EMR_HEADER.
DWORD nSize; // Record size in bytes. This may be greater
// than the sizeof(ENHMETAHEADER).
RECTL rclBounds; // Inclusive-inclusive bounds in device units.
RECTL rclFrame; // Inclusive-inclusive Picture Frame of
// metafile in .01 mm units.
DWORD dSignature; // Signature. Must be ENHMETA_SIGNATURE.
DWORD nVersion; // Version number.
DWORD nBytes; // Size of the metafile in bytes.
DWORD nRecords; // Number of records in the metafile.
WORD nHandles; // Number of handles in the handle table.
// Handle index zero is reserved.
WORD sReserved; // Reserved. Must be zero.
DWORD nDescription; // Number of chars in the unicode description string.
// This is 0 if there is no description string.
DWORD offDescription; // Offset to the metafile description record.
// This is 0 if there is no description string.
DWORD nPalEntries; // Number of entries in the metafile palette.
SIZEL szlDevice; // Size of the reference device in pixels.
SIZEL szlMillimeters; // Size of the reference device in millimeters.
} Header;
typedef struct {
WORD desc[header.nDescription];
} Description;
typedef struct {
RecordType iType; // Record type EMR_XXX
DWORD nSize; // Record size in bytes
DWORD dParm[((nSize-8)/4)]; // DWORD Array of parameters
} Record;
typedef struct {
uchar Reserved;
uchar Blue;
uchar Green;
uchar Red;
} PaletteEntry;
// START
LittleEndian();
// Header
Header header;
// Optional Description
FSeek(header.offDescription);
Description description;
// Start of Records (after header)
FSeek(header.nSize);
// Parse the number of records indicated in the header
local int recCnt = 0;
for( recCnt = 0; recCnt < header.nRecords - 1; recCnt++ ) {
Record record;
}
// If the last record wasn't EMR_EOF, there should be more records
// even though they exceed the count in the header
do {
Record extrarecord;
recCnt++;
} while( record[recCnt-1].iType != EMR_EOF);
// Check last record or header for presence of Palette
local int palCnt = 0;
for( palCnt = 0; palCnt < header.nPalEntries; palCnt++ ) {
PaletteEntry paletteentry;
}

78
cparser/EOTTemplate.bt Normal file
View File

@ -0,0 +1,78 @@
//------------------------------------
//--- 010 Editor v2.01 Binary Template
//
// Name: EOTTemplate.bt
// Author: Neo (Jiepeng) Tan
// Revision: 1.0
// Purpose: Parse an Embedded OpenType (EOT) File Format for Version: 0x00020002
// Reference: http://www.w3.org/Submission/EOT/
//------------------------------------
LittleEndian();
typedef enum <DWORD> {TTEMBED_SUBSET = 0x1,
TTEMBED_TTCOMPRESSED = 0x4,
TTEMBED_FAILIFVARIATIONSIMULATED = 0x10,
TTMBED_EMBEDEUDC = 0x00000020,
TTEMBED_VALIDATIONTESTS = 0x00000040,
TTEMBED_WEBOBJECT = 0x00000080,
TTEMBED_XORENCRYPTDATA = 0x10000000
} TTEMBED;
typedef struct embedded_opentype_file {
unsigned long EOTSize;
unsigned long FontDataSize;
unsigned long Version;
TTEMBED Flags;//processing flags #define TTEMBED_TTCOMPRESSED 0x00000004
byte FontPANOSE[10];
byte Charset;
byte Italic;
unsigned long Weight;
unsigned short fsType;
unsigned short MagicNumber<bgcolor=cLtRed>;//Magic number for EOT file - 0x504C
unsigned long UnicodeRange1;
unsigned long UnicodeRange2;
unsigned long UnicodeRange3;
unsigned long UnicodeRange4;
unsigned long CodePageRange1;
unsigned long CodePageRange2;
unsigned long CheckSumAdjustment;
unsigned long Reserved1;//must be 0
unsigned long Reserved2;//must be 0
unsigned long Reserved3;//must be 0
unsigned long Reserved4;//must be 0
unsigned short Padding1;//always 0x0000
unsigned short FamilyNameSize;
byte FamilyName[FamilyNameSize];
unsigned short Padding2;//always 0x0000
unsigned short StyleNameSize;
byte StyleName[StyleNameSize];
unsigned short Padding3;//always 0x0000
unsigned short VersionNameSize;
byte VersionName[VersionNameSize];
unsigned short Padding4;//always 0x0000
unsigned short FullNameSize;
byte FullName[FullNameSize];
unsigned short Padding5;//always 0x0000
unsigned short RootStringSize;
byte RootString[RootStringSize];
unsigned long RootStringCheckSum;
unsigned long EUDCCodePage;
unsigned short Padding6;
unsigned short SignatureSize;
byte Signature[SignatureSize];
unsigned long EUDCFlags;
unsigned long EUDCFontSize;
byte EUDCFontData[EUDCFontSize];
byte FontData[FontDataSize]<bgcolor=cLtAqua>;
};
LittleEndian();
FSeek(0);
embedded_opentype_file EOT;

104
cparser/EVSBTemplate.bt Normal file
View File

@ -0,0 +1,104 @@
//----------------------------------------------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// File: EVSB_Symbol_Display
// Author: Kip Leitner, Panasonic, PSDC NJ, USA, kleitner@pavcal.com
// Revision: 1.0 21 January, 2006
//
// Purpose: Decompose EVSB Over-the-Air (OTA) symbols for DTV Transmission
//
// Ref: ATSC Digital Television standard (A/53), Revision D
// Including Ammendment 1
// 19 July 2005
// Data Organization (Sect 5.3)
//----------------------------------------------------------------------------
// Setups for 010 View --> Width --> custom (832) to see segment synks
// View --> Width --> custom (64) to Field sync details
//
// modify template for your own frame length
const int Frame_Count = 951;
//----------------------------------------------------------------------------
typedef struct SYNC_SEGMENT_EVEN
{
SetBackColor(cRed);
char Sync[4];
SetBackColor(cPurple);
char PN511[511];
SetBackColor(cLtBlue);
char PN63_a[63];
SetBackColor(cBlue);
char PN63_b[63];
SetBackColor(cLtBlue);
char PN63_c[63];
SetBackColor(cLtGreen);
char VSB_Mode[24];
SetBackColor(cAqua);
char Kerdock[64];
SetBackColor(cNone);
char Reserved_a[28];
SetBackColor(cSilver);
char Reserved_b[12];
} Sync_Segment_Even;
typedef struct SYNC_SEGMENT_ODD
{
SetBackColor(cLtRed);
char Sync[4];
SetBackColor(cPurple);
char PN511[511];
SetBackColor(cLtBlue);
char PN63_a[63];
SetBackColor(cBlue);
char PN63_b[63];
SetBackColor(cLtBlue);
char PN63_c[63];
SetBackColor(cLtGreen);
char VSB_Mode[24];
SetBackColor(cAqua);
char Kerdock[64];
SetBackColor(cNone);
char Reserved_a[28];
SetBackColor(cSilver);
char Reserved_b[12];
} Sync_Segment_Odd;
typedef struct DATA_SEGMENT_EVEN
{
SetBackColor(cRed);
char Data_Segment_Sync[4];
SetBackColor(cNone);
char Payload_Even[828];
} Data_Segment_Even;
typedef struct DATA_SEGMENT_ODD
{
SetBackColor(cLtRed);
char Data_Segment_Sync[4];
SetBackColor(cNone);
char Payload_Odd[828];
} Data_Segment_Odd;
typedef struct FIELD_EVEN
{
Sync_Segment_Even Sync_Seg_Even[1];
Data_Segment_Even Data_Seg_Even[312];
} Field_Even;
typedef struct FIELD_ODD
{
Sync_Segment_Odd Sync_Seg_Odd[1];
Data_Segment_Odd Data_Seg_Odd[312];
} Field_Odd;
typedef struct FRAME
{
Field_Even F_Even;
Field_Odd F_Odd;
} Frame;
struct FILE
{
Frame Frames[Frame_Count];
} File;

384
cparser/EXETemplate.bt Normal file
View File

@ -0,0 +1,384 @@
//------------------------------------
//--- 010 Editor v1.2 Binary Template
//
// Autor: Blaine Lefebvre
// Purpose: display the structure of an exe file
// File mask: *.exe,*.dll
// Update: Sergey Evtushenko wildcar@mail.ru
// 2014/07/25: Added Resource structure decode
// DOS exe format
typedef struct {
char Signature[2];
if ( Memcmp(Signature,"MZ",2) )
{
Warning("Invalid file format");
return 1;
}
WORD LengthOfImage;
WORD SizeOfFile;
WORD NumberOfRelocationItems;
WORD SizeOfHeader;
WORD MinPara;
WORD MaxPara;
WORD OffsetStack;
WORD InitialSp;
WORD NegativeChecksum;
WORD InitialIp;
WORD OffsetCs;
WORD OffsetFirstRelocationItem;
WORD OverlayNumber;
WORD Res1;
WORD Res2;
WORD Res3;
WORD Res4;
WORD OemId;
WORD OemInfo;
WORD Res5[10];
DWORD OffsetToPEHeader;
} DosExeHeader;
typedef struct {
int32 DirExport;
int32 DirExportSize;
int32 DirImport;
int32 DirImportSize;
int32 DirResource;
int32 DirResourceSize;
int32 DirException;
int32 DirExceptionSize;
int32 DirSecurity;
int32 DirSecuritySize;
int32 DirBasereloc;
int32 DirBaserelocSize;
int32 DirDebug;
int32 DirDebugSize;
int32 DirArchitecture;
int32 DirArchitectureSize;
int32 DirGlobalptr;
int32 DirGlobalptrSize;
int32 DirTls;
int32 DirTlsSize;
int32 DirLoadConfig;
int32 DirLoadConfig_size;
int32 DirBoundImport;
int32 DirBoundImportSize;
int32 DirIat;
int32 DirIatSize;
int32 DirDelayImport;
int32 DirDelayImportSize;
int32 DirComDescriptor;
int32 DirComDescriptorSize;
int32 DirX;
int32 DirXSize;
} DataDirectory;
typedef struct {
int32 rva;
int32 size;
} DataDir;
typedef struct {
char Sig[4];
if ( Memcmp(Sig,"PE",2) )
{
Warning("Invalid file format");
return 1;
}
int16 CpuType;
int16 NumSections;
time_t Tm;
int32 PointerToSymbolTable;
int32 NumberOfSymbols;
int16 NtHeaderSize;
int16 Flags;
} PeHeader;
typedef struct {
int16 Res3;
char LMajor;
char LMinor;
int32 SizeOfCode;
int32 SizeOfInitData;
int32 SizeOfUninitData;
int32 EntrypointRva;
int32 BaseOfCode;
int32 BaseOfData;
int32 ImageBase;
int32 SectionAlign;
int32 FileAlign;
int16 OsMajor;
int16 OsMinor;
int16 UserMajor;
int16 UserMinor;
int16 SubsystemMajor;
int16 SubsystemMinor;
int32 Win32VersionValue;
int32 ImageSize;
int32 HeaderSize;
int32 FileChecksum;
int16 Subsystem;
int16 DllFlags;
int32 StackReserveSize;
int32 StackCommitSize;
int32 HeapReserveSize;
int32 HeapCommitSize;
int32 LoaderFlags;
int32 NumInterestingRvaSize;
} OptionalHeader;
typedef struct{
char Name[8];
int32 VirtualSize;
int32 VirtualAddress;
int32 SizeOfRawData;
int32 PointerToRawData;
int32 PointerToRelocations;
int32 PointerToLinenumbers;
int16 NumberOfRelocations;
int16 NumberOfLinenumbers;
int32 Characteristics;
} SectionTable;
void GetResourceDirectory()
{
res_level+=1;
struct
{
local int32 j;
uint32 Characteristics;
DOSTIME TimeStamp;
DOSDATE DataStamp;
uint16 MajorVersion;
uint16 MinorVersion;
uint16 NumberOfNameEntries;
uint16 NumberOfIDEntries;
for( j=0;j<NumberOfNameEntries;j++)
{
struct
{
local int64 currentaddress;
uint32 NameRVA:31 <format=hex>;
int TopBit:1;
currentaddress= FTell();
FSeek(resource_sa+NameRVA);
int16 Length;
wchar_t UnicodeString[Length];
if (res_show_log==1){Printf("\nLevel %d. ",res_level);}
if (res_show_log==1){Printf("Name: %s",UnicodeString);}
FSeek(currentaddress);
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(resource_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
};
} DirectoryNameEntry;
};
for( j=0;j<NumberOfIDEntries;j++)
{
struct
{
local int64 currentaddress;
//if (res_show_log==1){Printf("\nLevel %d. ",res_level);}
switch( res_level )
{
case 1:
uint32 IntegerID <comment=ShowType>;
rTypeID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowType(rTypeID));}
break;
case 2:
uint32 IntegerID <comment=ShowName>;
rNameID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowName(rNameID));}
break;
case 3:
uint32 IntegerID <comment=ShowLanguage>;
rLanguageID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowLanguage(rLanguageID));}
break;
}
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(resource_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
}
else
{
FSeek(resource_sa+DataEntryRVA);
struct
{
local int64 ba1, ba2;
int32 DataRVA <format=hex>;
int32 Size;
int32 Codepage;
int32 Reserved;
FSeek(DataRVA-(SectionVirtualAddress-resource_sa));
if (rTypeID==16)
{
struct
{
ba1=FTell();
char VersionInfoRAWData[Size];
ba2=FTell();
FSeek(ba1);
struct{} VersionInfoStructure;
FSeek(ba2);
} versioninfo;
}
else
{
char ResourceRAWData[Size];
};
} DataEntry;
FSeek(currentaddress);
};
} DirectoryIDEntry;
};
} DirectoryTable;
res_level-=1;
};
string ShowType(uint32 ID)
{
local string s;
switch( ID)
{
case 1: s="Cursor";break;
case 2: s="Bitmap";break;
case 3: s="Icon";break;
case 4: s="Menu";break;
case 5: s="Dialog box";break;
case 6: s="String table entry";break;
case 7: s="Font directory";break;
case 8: s="Font";break;
case 9: s="Accelerator table";break;
case 10: s="Application defined resource (raw data)";break;
case 11: s="Message table entry";break;
case 12: s="Group cursor";break;
case 14: s="Group icon";break;
case 16: s="Version information";break;
case 17: s="Dlginclude";break;
case 19: s="Plug and play resource";break;
case 20: s="VXD";break;
case 21: s="Animated cursor";break;
case 22: s="Animated icon";break;
case 23: s="HTML";break;
case 24: s="Side-by-side assembly manifest";break;
}
SPrintf( s, "Level 1. Resource type: %s", s );
return s;
}
string ShowName(uint32 ID)
{
local string s;
SPrintf( s, "Level 2. Name ID: %d", ID );
return s;
}
string ShowLanguage(uint32 ID)
{
local string s;
SPrintf( s, "Level 3. Language ID: %d", ID );
return s;
}
////////////////////////////////////////////////////////////////
local int32 i, done, j;
local int32 rTypeID, rNameID, rLanguageID;
local int64 resource_sa, resource_ea, res_level;
local int64 SectionVirtualAddress;
local int res_show_log=0;
SetBackColor(cLtGray);
DosExeHeader DOSHead;
char dosstub[DOSHead.OffsetToPEHeader-(DOSHead.SizeOfHeader*0x10)];
PeHeader PEHead;
OptionalHeader OptionalHead;
DataDir dd[16];
SectionTable sec[PEHead.NumSections];
for ( i = 0 ; i < PEHead.NumSections ; i++ )
{
done = 0;
FSeek(sec[i].PointerToRawData);
if ( !Strcmp(sec[i].Name,".text") )
{
char textsection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".bss") )
{
char bsssection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".rsrc") )
{
struct
{
resource_sa= FTell();
SectionVirtualAddress=sec[i].VirtualAddress;
char rawrsrcsection[sec[i].SizeOfRawData];
resource_ea= FTell();
FSeek(resource_sa);
struct
{
if (res_show_log==1){Printf("\nResources list.");}
res_level=0;
GetResourceDirectory();
} ResourcesStructure;
FSeek(resource_ea);
} rsrcsection;
done = 1;
}
if ( !Strcmp(sec[i].Name,".rdata") )
{
char rdatasection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".data") )
{
char datasection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".edata") )
{
char edatasection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".idata") )
{
char idatasection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".pdata") )
{
char pdatasection[sec[i].SizeOfRawData];
done = 1;
}
if ( !Strcmp(sec[i].Name,".debug") )
{
char debugsection[sec[i].SizeOfRawData];
done = 1;
}
if ( done == 0 )
{
struct
{
char unknownsection[sec[i].SizeOfRawData];
} unknown;
}
}

420
cparser/EXETemplate2.bt Normal file
View File

@ -0,0 +1,420 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// Author: Peter Kankowski http://smallcode.weblogs.us
// File mask: *.exe,*.dll,*.scr,*.8b?,*.drv,*.ocx
// Purpose: to display executable file headers.
// Supports DLLs, Windows CE and Win64 executables.
// Displays informative names for all flags and fields.
// Update: Didier Stevens https://DidierStevens.com
// 2010/09/05: Added DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT and NO_ISOLATION to DLLCHARACTERISTICS struct
//--------------------------------------
// Recommended reading:
// 1. Bernd Luevelsmeyer. The PE file format
// http://webster.cs.ucr.edu/Page_TechDocs/pe.txt
// 2. DJ Delorie. MS DOS EXE format
// http://www.delorie.com/djgpp/doc/exe/
// 3. Iczelion. PE tutorial
// http://spiff.tripnet.se/~iczelion/tutorials.html
LittleEndian();
typedef struct { // DOS .EXE header
WORD MZSignature <format=hex>;
if(MZSignature != 0x5A4D) { // "MZ"
Warning("Not a valid EXE file");
return 1;
}
// One page is 512 bytes, one paragraph is 16 bytes
WORD UsedBytesInTheLastPage;
WORD FileSizeInPages;
WORD NumberOfRelocationItems;
WORD HeaderSizeInParagraphs;
WORD MinimumExtraParagraphs;
WORD MaximumExtraParagraphs;
WORD InitialRelativeSS <format=hex>;
WORD InitialSP <format=hex>;
WORD Checksum <format=hex>;
WORD InitialIP <format=hex>;
WORD InitialRelativeCS <format=hex>;
WORD AddressOfRelocationTable <format=hex>;
WORD OverlayNumber;
WORD Reserved[4];
WORD OEMid;
WORD OEMinfo;
WORD Reserved2[10];
LONG AddressOfNewExeHeader <format=hex>;
} IMAGE_DOS_HEADER;
typedef struct {
WORD Offset;
WORD Segment;
} DOS_RELOCATION_TABLE_ITEM;
typedef enum <WORD> {IMAGE_FILE_MACHINE_UNKNOWN = 0, IMAGE_FILE_MACHINE_I386 = 0x014c,
IMAGE_FILE_MACHINE_AMD64 = 0x8664, IMAGE_FILE_MACHINE_ARM = 0x01c0,
IMAGE_FILE_MACHINE_R3000 = 0x0162, // Rarely used
IMAGE_FILE_MACHINE_R4000 = 0x0166, IMAGE_FILE_MACHINE_R10000 = 0x0168,
IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169, IMAGE_FILE_MACHINE_ALPHA = 0x0184,
IMAGE_FILE_MACHINE_SH3 = 0x01a2, IMAGE_FILE_MACHINE_SH3DSP = 0x01a3,
IMAGE_FILE_MACHINE_SH3E = 0x01a4, IMAGE_FILE_MACHINE_SH4 = 0x01a6,
IMAGE_FILE_MACHINE_SH5 = 0x01a8, IMAGE_FILE_MACHINE_THUMB = 0x01c2,
IMAGE_FILE_MACHINE_AM33 = 0x01d3, IMAGE_FILE_MACHINE_POWERPC = 0x01F0,
IMAGE_FILE_MACHINE_POWERPCFP=0x01f1, IMAGE_FILE_MACHINE_IA64 = 0x0200,
IMAGE_FILE_MACHINE_MIPS16 = 0x0266, IMAGE_FILE_MACHINE_ALPHA64 = 0x0284,
IMAGE_FILE_MACHINE_MIPSFPU = 0x0366, IMAGE_FILE_MACHINE_MIPSFPU16=0x0466,
IMAGE_FILE_MACHINE_TRICORE = 0x0520, IMAGE_FILE_MACHINE_CEF = 0x0CEF,
IMAGE_FILE_MACHINE_EBC = 0x0EBC, IMAGE_FILE_MACHINE_M32R = 0x9041,
IMAGE_FILE_MACHINE_CEE = 0xC0EE} MACHINE;
typedef struct {
ushort RelocsStripped : 1;
ushort ExecutableImage : 1; // if not set, then OBJ
ushort LineNumsStripped : 1;
ushort LocalSymsStripped : 1;
ushort AggresiveWorksetTrim : 1;
ushort LargeAddressAware : 1; // Can hadle > 2Gb addresses
ushort Reserved : 1;
ushort BytesReversedLo: 1; // Reversed endianess
ushort _32bitMachine: 1;
ushort DebugStripped: 1;
ushort RemovableRunFromSwap: 1; // Should copy to swap file when run from removable media such as CD-ROM
ushort NetRunFromSwap: 1;
ushort System: 1; // File is a system driver
ushort DLL: 1;
ushort UPSystemOnly: 1; // If set, multiprocessor systems are not supported
ushort BytesReversedHi: 1;
} CHARACTERISTICS<read=ReadCHARACTERISTICS>;
string ReadCHARACTERISTICS(CHARACTERISTICS &flags) {
string s="";
if(flags.AggresiveWorksetTrim) Strcat(s,"AggresiveWorksetTrim ");
if(flags.LargeAddressAware) Strcat(s,"LargeAddressAware ");
if(flags.RemovableRunFromSwap) Strcat(s,"RemovableRunFromSwap ");
if(flags.NetRunFromSwap) Strcat(s,"NetRunFromSwap ");
if(flags.System) Strcat(s,"SystemDriver ");
if(flags.DLL) Strcat(s,"DLL ");
if(flags.UPSystemOnly) Strcat(s,"UniprocessorSystemOnly ");
if(flags.BytesReversedLo) Strcat(s,"BytesReversedLo ");
if(flags.BytesReversedHi) Strcat(s,"BytesReversedHi ");
if(flags.DebugStripped) Strcat(s,"NoDebug ");
if(flags.RelocsStripped) Strcat(s, "NoRelocs ");
if(flags.LineNumsStripped) Strcat(s,"NoLineNums ");
if(flags.LocalSymsStripped) Strcat(s,"NoLocalSyms ");
if(flags._32bitMachine) Strcat(s,"32bit ");
if(flags.ExecutableImage) Strcat(s, "Executable ");
return s;
}
typedef struct {
MACHINE Machine;
WORD NumberOfSections;
time_t TimeDateStamp;
DWORD PointerToSymbolTable <format=hex>;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
CHARACTERISTICS Characteristics;
} IMAGE_FILE_HEADER;
typedef enum <WORD> {UNKNOWN=0, NATIVE=1, WINDOWS_GUI=2,
WINDOWS_CONSOLE=3, OS2_CONSOLE=5, POSIX_CONSOLE=7, NATIVE_WIN9X_DRIVER=8,
WINDOWS_CE_GUI=9, EFI_APPLICATION=10, EFI_BOOT_SERVICE_DRIVER=11, EFI_RUNTIME_DRIVER=12,
EFI_ROM = 13, XBOX = 14} SUBSYSTEM;
typedef struct {
ushort NOTIFY_DLL_PROCESS_INIT: 1; // Not valid in modern OSes
ushort NOTIFY_DLL_PROCESS_TERM: 1; // Not valid in modern OSes
ushort NOTIFY_DLL_THREAD_TERM: 1; // Not valid in modern OSes
ushort NOTIFY_DLL_THREAD_TERM: 1; // Not valid in modern OSes
ushort Reserved:2;
ushort DYNAMIC_BASE:1;
ushort FORCE_INTEGRITY:1;
ushort NX_COMPAT:1;
ushort NO_ISOLATION:1;
ushort NO_SEH:1;
ushort NO_BIND:1;
ushort Reserved2: 1;
ushort WDM_DRIVER: 1;
ushort Reserved3: 1;
ushort TERMINAL_SERVER_AWARE: 1;
} DLLCHARACTERISTICS;
typedef struct {
DWORD VirtualAddress <format=hex>;
DWORD Size;
} DATA_DIR;
typedef struct {
local int len = OptionalHeader.NumberOfRvaAndSizes;
if(len > 16)
len = 16;
if(len > 0) DATA_DIR Export;
if(len > 1) DATA_DIR Import;
if(len > 2) DATA_DIR Resource;
if(len > 3) DATA_DIR Exception;
if(len > 4) DATA_DIR Security;
if(len > 5) DATA_DIR BaseRelocationTable;
if(len > 6) DATA_DIR DebugDirectory;
if(len > 7) DATA_DIR CopyrightOrArchitectureSpecificData;
if(len > 8) DATA_DIR GlobalPtr;
if(len > 9) DATA_DIR TLSDirectory;
if(len >10) DATA_DIR LoadConfigurationDirectory;
if(len >11) DATA_DIR BoundImportDirectory;
if(len >12) DATA_DIR ImportAddressTable;
if(len >13) DATA_DIR DelayLoadImportDescriptors;
if(len >14) DATA_DIR COMRuntimedescriptor;
if(len >15) DATA_DIR Reserved;
} IMAGE_DATA_DIRECTORIES;
typedef struct {
// Standard fields.
WORD Magic <format=hex>;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint <format=hex>;
DWORD BaseOfCode <format=hex>;
DWORD BaseOfData <format=hex>;
// NT additional fields.
DWORD ImageBase <format=hex>;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum <format=hex>;
SUBSYSTEM Subsystem;
DLLCHARACTERISTICS DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORIES DataDirectory;
} IMAGE_OPTIONAL_HEADER32;
typedef struct {
WORD Magic <format=hex>;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint <format=hex>;
DWORD BaseOfCode <format=hex>;
quad ImageBase <format=hex>;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum <format=hex>;
SUBSYSTEM Subsystem;
DLLCHARACTERISTICS DllCharacteristics;
quad SizeOfStackReserve;
quad SizeOfStackCommit;
quad SizeOfHeapReserve;
quad SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORIES DataDirectory;
} IMAGE_OPTIONAL_HEADER64;
typedef struct {
DWORD PESignature <format=hex>;
if(PESignature != 0x00004550) { // "PE\0\0"
Warning("Not a valid PE file");
return 1;
}
IMAGE_FILE_HEADER FileHeader;
local short OptionalHeaderMagic = ReadShort(FTell());
if(OptionalHeaderMagic == 0x10b)
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
else if(OptionalHeaderMagic == 0x20b)
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
else {
Warning("Not a valid PE file %x", OptionalHeaderMagic);
return 1;
}
} IMAGE_NT_HEADERS;
typedef struct {
DWORD Reserved : 5;
DWORD Code : 1;
DWORD InitializedData: 1;
DWORD UninitializedData : 1;
DWORD Reserved2: 1;
DWORD LinkerInfoOrComments: 1;
DWORD Reserved3: 1;
DWORD LinkerShouldRemove: 1;
DWORD CommonBlockData: 1;
DWORD Reserved4: 1;
DWORD NoDeferSpeculativeExceptions: 1;
DWORD FarData: 1;
DWORD Reserved5: 1;
DWORD PurgeableOr16Bit: 1;
DWORD Locked: 1;
DWORD PreLoad: 1;
DWORD Alignment: 4;
DWORD ExtendedRelocations: 1;
DWORD Discardable: 1;
DWORD NotCachable: 1;
DWORD NotPageable: 1;
DWORD Shareable: 1;
DWORD Executable: 1;
DWORD Readable: 1;
DWORD Writeable: 1;
} SECTION_FLAGS<read=ReadSECTION_FLAGS>;
string ReadSECTION_FLAGS(SECTION_FLAGS &flags) {
string s="";
if(flags.Code) Strcat(s, "Code ");
if(flags.InitializedData) Strcat(s, "InitializedData ");
if(flags.UninitializedData) Strcat(s, "UninitializedData ");
if(flags.LinkerInfoOrComments) Strcat(s, "LinkerInfoOrComments ");
if(flags.LinkerShouldRemove) Strcat(s, "LinkerShouldRemove ");
if(flags.CommonBlockData) Strcat(s, "CommonBlockData ");
if(flags.NoDeferSpeculativeExceptions) Strcat(s, "NoDeferSpeculativeExceptions ");
if(flags.FarData) Strcat(s, "FarData ");
if(flags.PurgeableOr16Bit) Strcat(s, "PurgeableOr16Bit ");
if(flags.Locked) Strcat(s, "Locked ");
if(flags.PreLoad) Strcat(s, "PreLoad ");
if(flags.ExtendedRelocations) Strcat(s, "ExtendedRelocations ");
if(flags.Discardable) Strcat(s, "Discardable ");
if(flags.NotCachable) Strcat(s, "NotCachable ");
if(flags.NotPageable) Strcat(s, "NotPageable ");
if(flags.Shareable) Strcat(s, "Shareable ");
if(flags.Executable) Strcat(s, "Executable ");
if(flags.Readable) Strcat(s, "Readable ");
if(flags.Writeable) Strcat(s, "Writeable ");
if(flags.Alignment) {
string p;
SPrintf(p, "Alignment: %g", Pow(2, flags.Alignment - 1));
Strcat(s, p);
}
return s;
}
typedef struct {
BYTE Name[8];
DWORD VirtualSize;
DWORD VirtualAddress <format=hex>;
DWORD SizeOfRawData;
DWORD PointerToRawData <format=hex>;
DWORD NonUsedPointerToRelocations;
DWORD NonUsedPointerToLinenumbers;
WORD NonUsedNumberOfRelocations;
WORD NonUsedNumberOfLinenumbers;
SECTION_FLAGS Characteristics;
} IMAGE_SECTION_HEADER<read=ReadIMAGE_SECTION_HEADER>;
string ReadIMAGE_SECTION_HEADER(IMAGE_SECTION_HEADER &sect) {
if(exists(sect.Name))
return sect.Name;
else
return "";
}
// Main code start
IMAGE_DOS_HEADER dos_header;
FSeek(dos_header.HeaderSizeInParagraphs * 16);
local int dosstubsize = dos_header.FileSizeInPages * 512;
if(dos_header.UsedBytesInTheLastPage)
dosstubsize -= (512 - dos_header.UsedBytesInTheLastPage);
if(dosstubsize > dos_header.AddressOfNewExeHeader)
dosstubsize = dos_header.AddressOfNewExeHeader;
dosstubsize -= dos_header.HeaderSizeInParagraphs * 16;
local quad richpos; // Microsoft linker signature ("Rich")
local quad richstart, richsize=0;
if((richpos = FindFirst("Rich",true,false,false,0.0,1,FTell(),dosstubsize)) > 0 &&
(ReadUInt(richpos - 4) & 0xFFFFFF00) == (ReadUInt(richpos + 4) & 0xFFFFFF00)) {
local int a = 0;
local quad save = FTell();
FSeek(richpos); // Find the first zero DWORD preceeding richpos
richstart = FindFirst(a, true, false,false,0.0,0,FTell(),richpos-FTell());
FSeek(save);
richpos += 8; // advance richpos to the end of the "Rich" signature
richstart += 4; // advance richstart to the non-null byte
richsize = richpos - richstart;
dosstubsize = richstart - FTell();
}
if(dosstubsize > 0)
UCHAR doscode[dosstubsize];
if(richsize > 0) {
FSeek(richstart);
DWORD MSlinkerSignatureRich[richsize/4]<format=hex>;
}
if(dos_header.NumberOfRelocationItems) {
FSeek(dos_header.AddressOfRelocationTable);
if(FileSize() - FTell() >= dos_header.NumberOfRelocationItems *
sizeof(DOS_RELOCATION_TABLE_ITEM))
DOS_RELOCATION_TABLE_ITEM relocation_items[dos_header.NumberOfRelocationItems];
}
FSeek(dos_header.AddressOfNewExeHeader);
IMAGE_NT_HEADERS nt_headers;
FSeek(dos_header.AddressOfNewExeHeader + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) +
nt_headers.FileHeader.SizeOfOptionalHeader);
IMAGE_SECTION_HEADER sections_table[nt_headers.FileHeader.NumberOfSections];
local int sectend = FTell();
local int i, max=0;
for(i = 0; i < nt_headers.FileHeader.NumberOfSections; ++i)
if(sections_table[i].PointerToRawData && sections_table[i].SizeOfRawData) {
FSeek(sections_table[i].PointerToRawData);
if(0 == Strcmp(sections_table[i].Name,".text") && !exists(textsection))
BYTE textsection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".data") && !exists(datasection))
BYTE datasection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".rsrc") && !exists(rsrcsection))
BYTE rsrcsection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".idata") && !exists(idatasection))
BYTE idatasection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".rdata") && !exists(rdatasection))
BYTE rdatasection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".pdata") && !exists(pdatasection))
BYTE pdatasection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".reloc") && !exists(relocsection))
BYTE relocsection[sections_table[i].SizeOfRawData];
else if(0 == Strcmp(sections_table[i].Name,".edata") && !exists(edatasection))
BYTE edatasection[sections_table[i].SizeOfRawData]; // Borland's export data
else if(0 == Strcmp(sections_table[i].Name,".tls") && !exists(tlssection))
BYTE tlssection[sections_table[i].SizeOfRawData]; // Borland's tls section
else if((0 == Strcmp(sections_table[i].Name,"CODE") ||
0 == Strcmp(sections_table[i].Name,".code")) && !exists(codesection))
BYTE codesection[sections_table[i].SizeOfRawData];
// Borland's CODE section; ".code" is used by some other linkers
else if(0 == Strcmp(sections_table[i].Name,"DATA") && !exists(datasection))
BYTE datasection[sections_table[i].SizeOfRawData];// Borland's DATA section
else if(0 == Strcmp(SubStr(sections_table[i].Name,0,3),"UPX") && !exists(upxsection))
BYTE upxsection[sections_table[i].SizeOfRawData]; // UPX compressor
else if(0 == Strcmp(sections_table[i].Name,".flat") && !exists(fasmsection))
BYTE fasmsection[sections_table[i].SizeOfRawData]; // Flat Assembler's section
else if(0 == Strcmp(sections_table[i].Name,".aspack") && !exists(aspacksection))
BYTE aspacksection[sections_table[i].SizeOfRawData]; // Alexey Solodovnikov's packer
else
struct {
BYTE sectiondata[sections_table[i].SizeOfRawData];
} section;
if(sections_table[i].PointerToRawData + sections_table[i].SizeOfRawData > max)
max = sections_table[i].PointerToRawData + sections_table[i].SizeOfRawData;
}
if(max < FileSize()) {
BYTE Overlay[FileSize()-max];
}

66
cparser/ElTorito.bt Normal file
View File

@ -0,0 +1,66 @@
BitfieldRightToLeft();
BitfieldDisablePadding();
#define BLOCK_SIZE 2048
#define BOOT_RECORD_OFFSET 2048 * 16
#define ELTORITO_OFFSET 2048 * 17
typedef struct {
ubyte BootIndicator;
char IsoId[5];
ubyte Version;
char Identifier[32];
ubyte Unused[32];
uint32 BootCatalog;
ubyte Unused2[5];
uint32 VolSpaceSize[2];
} BOOT_RECORD_DESC;
typedef union {
struct {
ubyte HeaderId;
ubyte PlatformId;
uint16 Res0;
char Id[24];
uint16 Checksum <format=hex>;
uint16 Sig <format=hex>; // 0xaa55
} ValEntry;
struct {
enum <ubyte> { BOOTABLE=0x88, NOT_BOOTABLE=0x0 } BootId <format=hex>;
enum <ubyte> { NO_EMULATION=0x0, DISKETTE_1_2=0x1, DISKETTE_1_44=0x2, DISKETTE_2_88=0x3, HARDDISK=0x4 } MediaType <format=hex>;
uint16 LoadSegment <format=hex>;
ubyte SystemType;
ubyte Unused;
uint16 SectorCount;
uint32 LoadLba;
} DefaultEntry;
struct {
enum <ubyte> { NOT_LAST_HEADER=0x90, LAST_HEADER=0x91 } HeaderId <format=hex>;
enum <ubyte> { PC_80x86=0x0, POWERPC=0x1, MAC=0x2 } PlatformId <format=hex>;
uint16 NumSectionEntries;
char IdString[28];
} SecHeader;
struct {
enum <ubyte> { SECTION_BOOTABLE=0x88, SECTION_NOT_BOOTABLE=0x0 } BootId <format=hex>;
enum <ubyte> { SEC_NO_EMULATION=0x0, SEC_DISKETTE_1_2=0x1, SEC_DISKETTE_1_44=0x2, SEC_DISKETTE_2_88=0x3, SEC_HARDDISK=0x4 } MediaType <format=hex>;
uint16 LoadSegment <format=hex>;
ubyte SystemType;
ubyte Unused;
uint16 SectorCount;
uint32 LoadLba;
enum <ubyte> { NO_SELECTION_CRITERIA=0x0, LANGUAGE_AND_VERSION=0x1 } SelectionType;
ubyte Criteria[19];
} SecEntry;
} EL_TORITO_ENTRIES;
LittleEndian();
FSeek(ELTORITO_OFFSET);
BOOT_RECORD_DESC boot_record;
FSeek(boot_record.BootCatalog * BLOCK_SIZE);
EL_TORITO_ENTRIES el_torito[BLOCK_SIZE / sizeof(EL_TORITO_ENTRIES) - 1];

154
cparser/FAT16Template.bt Normal file
View File

@ -0,0 +1,154 @@
//--------------------------------------
//--- 010 Editor v3.1.2 Binary Template
//
// File: FAT16Template.bt
// Author:
// Revision:
// Purpose: This template can find the
// partitions and display the FAT16
// partitions on the disk.
//--------------------------------------
//--------------------------------------
//Master Boot record
//--------------------------------------
typedef struct _CHS
{
BYTE Head;
BYTE Sector;
BYTE Cylinder;
}CHS;
//--------------------------------------
typedef union _CHSAddr
{
CHS chs;
BYTE Address[3];
}CHSAddr;
//--------------------------------------
typedef struct _Partion_Table_Entry{
BYTE Status;
CHSAddr StartCHSAddress;
BYTE PartitionType;
CHSAddr EndCHSAddress;
DWORD FirstLBA;
DWORD TotalSectors;
}Partion_Table_Entry;
//--------------------------------------
typedef struct {
BYTE Code[446];
Partion_Table_Entry ptable[4];
WORD Signature55AA <format=hex>;
if ( Signature55AA != 0xAA55 )
{
Warning("Invalid MBR");
return 1;
}
}MBR;
//--------------------------------------
//FAT Boot sector FAT12,FAT16
//--------------------------------------
typedef struct _FAT16BootSector
{
BYTE JumpCode[3];
BYTE OEM_Name[8];
WORD BytesPerSector;
BYTE SectorsPerCluster;
WORD ReservedSectorCount; //Number of sectors before the first FAT, including the boot sector
BYTE NumberOfFAT;
WORD MAX_RootDirEntry;
WORD TotalSectors; //If Less than 65535 else see offset 0x20
BYTE MediaDescriptor;
WORD SectorsPerFAT; //For FAT12/16
WORD SectorsPerTrack;
WORD NumberOfHeads;
DWORD HiddenSectorsBeforePartition;
DWORD TotalSectors;
BYTE PhysicalDriveNumber;
BYTE Reserved; //Current Head
BYTE ExtendedBootSignature;
BYTE SerialNumber[4];
BYTE VolumeLable[11];
BYTE FAT_Type[8];
BYTE BootCode[448];
WORD BootSectorSignature; //0x55 0xAA
}FAT16BootSector;
//--------------------------------------
//FAT16
//--------------------------------------
local unsigned int FATEntryCount=0;
typedef struct _FAT16
{
WORD Table[FATEntryCount];
}FAT16;
//--------------------------------------
//FAT root dir entry FAT12,FAT16
//--------------------------------------
typedef struct _RootDirEntry
{
BYTE name[8];
BYTE extn[3];
BYTE attributes;
BYTE reserved[10];
WORD time;
WORD date;
WORD firstDataBlock;
DWORD size;
}RootDirEntry;
//--------------------------------------
LittleEndian();
FSeek(0);
//--------------------------------------
//MBR Object
MBR MasterBootRecord;
//--------------------------------------
//Partition Info
//--------------------------------------
local unsigned int partition_index=0;
typedef struct _Fat16Partition
{
local unsigned int startBYTE = (MasterBootRecord.ptable[partition_index].FirstLBA*512);
FSeek( startBYTE);
FAT16BootSector BtSector;
//--------------------------------------
//Find the FATs
//--------------------------------------
//Skip the reserved sectors (-1 for accounting the bootrecord)
FSkip((BtSector.ReservedSectorCount-1)*512);
local unsigned int FATsize = (BtSector.SectorsPerFAT * 512)/2;
local unsigned int FATcnt = 0;
for(FATcnt = 0;FATcnt < BtSector.NumberOfFAT;++FATcnt)
{
FATEntryCount=FATsize;
FAT16 FAT;
}
//--------------------------------------
//Find the Root Dir Entries
//--------------------------------------
RootDirEntry rootDir[BtSector.MAX_RootDirEntry];
//--------------------------------------
}Fat16Partition;
//--------------------------------------
//disk Info
//--------------------------------------
typedef struct _Disk
{
//find all the partitions
local int part;
for(part=0;part<4;++part)
{
if(MasterBootRecord.ptable[part].FirstLBA)
{
partition_index=part;
Fat16Partition FAT16partition;
}
}
}Disk;
//--------------------------------------
Disk dsk;
//--------------------------------------

92
cparser/FLVTemplate.bt Normal file
View File

@ -0,0 +1,92 @@
//-----------------------------------
//--- 010 Editor v3.0 Binary Template
//
// File: FLVTemplate.bt
// Author: lafei(indep@263.net)
// Revision: 2.1
// Purpose: Defines a template for
// parsing FLV files.
//-----------------------------------
// Define structures used in FLV files
typedef struct {
CHAR signature[3]; //"FLV"
UBYTE version;
UBYTE dummy : 5;
UBYTE audio : 1; //1 if audio present
UBYTE dummy2 : 1;
UBYTE video : 1; //1 if video present
DWORD dataoffset; //in abs. file offset
DWORD zero; //previous tag size
} HEADER;
local UINT taglen;
typedef struct {
UINT type : 8;
UINT datasize : 24;
UINT timestamp : 24;
UINT timestamphi : 8;
UINT streamid : 24;
taglen = datasize - 1;
Printf("tag length: %x\n",taglen);
if(type==8) //audio
{
UINT fmt : 4;
UINT sr : 2;
UINT bits : 1;
UINT channels : 1;
if(fmt==10)
{
--taglen;
UBYTE frmtype;
}
}
else if(type==9)//video
{
UINT frmtype : 4;
UINT codecid : 4;
if(codecid==7)
{
taglen -= 4;
UINT pkttype : 8;
UINT compotime : 24;
}
}
else if(type==18)//script
{
UINT fristbyte : 8;
}
UBYTE data[taglen];
UINT lastsize; //last tag size
//for debugging
//Printf("lastsize: %x\n",lastsize);
//Printf("Pos: %x\n",FTell());
} Tag;
BigEndian();
SetBackColor( cLtGray );
HEADER hdr;
// Check for header
if( hdr.signature != "FLV" )
{
Warning( "File is not a FLV. Template stopped." );
return -1;
}
if( hdr.version != 1 )
{
Warning( "Unsupported FLV version. Template stopped." );
return -1;
}
// Define the bytes of the data
SetBackColor( cNone );
while( !FEof() )
{
Tag tag;
}

200
cparser/GIFTemplate.bt Normal file
View File

@ -0,0 +1,200 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: BMGIFTemplate.bt
// Author: Berend-Jan "SkyLined" Wever
// Revision: 1.1
// Purpose: Defines a template for
// parsing GIF image files.
// SweetScape: Added bug fixes for
// reading global color table (May 2nd, 2007)
// SweetScape: Added bug fixes for
// reading local color table and
// changed ReadShort to ReadUShort (Sept 25, 2007)
//-----------------------------------
// From GIF89a Specification:
//<GIF Data Stream> ::= Header <Logical Screen> <Data>* Trailer
//<Logical Screen> ::= Logical Screen Descriptor [Global Color Table]
//<Data> ::= <Graphic Block> | <Special-Purpose Block>
//<Graphic Block> ::= [Graphic Control Extension] <Graphic-Rendering Block>
//<Graphic-Rendering Block> ::= <Table-Based Image> | Plain Text Extension
//<Table-Based Image> ::= Image Descriptor [Local Color Table] Image Data
//<Special-Purpose Block> ::= Application Extension | Comment Extension
LittleEndian();
typedef struct {
UBYTE R;
UBYTE G;
UBYTE B;
} RGB <read=ReadRGB>;
string ReadRGB( RGB &color )
{
string s;
SPrintf( s, "#%02X%02X%02X", color.R, color.G, color.B );
return s;
}
typedef struct {
local UBYTE size = ReadUByte(FTell());
while (size != 0) {
struct DATASUBBLOCK {
UBYTE Size;
char Data[size];
} DataSubBlock;
size = ReadUByte(FTell());
}
UBYTE BlockTerminator;
} DATASUBBLOCKS;
typedef struct {
char Signature[3];
char Version[3];
} GIFHEADER;
typedef struct {
ushort Width;
ushort Height;
BitfieldLeftToRight();
struct LOGICALSCREENDESCRIPTOR_PACKEDFIELDS {
UBYTE GlobalColorTableFlag : 1;
UBYTE ColorResolution : 3;
UBYTE SortFlag : 1;
UBYTE SizeOfGlobalColorTable : 3;
} PackedFields;
UBYTE BackgroundColorIndex;
UBYTE PixelAspectRatio;
} LOGICALSCREENDESCRIPTOR;
//<GIF Data Stream> ::= Header <Logical Screen> <Data>* Trailer
// Header
SetBackColor( 0xFFFFFF );
GIFHEADER GifHeader;
if( GifHeader.Signature != "GIF" )
{
Warning( "File is not a valid GIF. Template stopped." );
return -1;
}
//<Logical Screen> ::= Logical Screen Descriptor [Global Color Table]
// Logical Screen Descriptor
SetBackColor( 0xE0E0E0 );
LOGICALSCREENDESCRIPTOR LogicalScreenDescriptor;
// [Global Color Table]
if (LogicalScreenDescriptor.PackedFields.GlobalColorTableFlag == 1) {
SetBackColor( 0xC0C0C0 );
struct GLOBALCOLORTABLE {
local int i;
local int size = 1;
for (i = 0; i <= LogicalScreenDescriptor.PackedFields.SizeOfGlobalColorTable; i++) {
size *= 2;
}
RGB rgb[size];
} GlobalColorTable <optimize=false>;;
}
//<Data> ::= <Graphic Block> | <Special-Purpose Block>
SetBackColor( 0xFFFFFF );
struct DATA {
while (ReadUByte(FTell()) != 0x3B) {
// <Graphic Block> ::= [Graphic Control Extension] <Graphic-Rendering Block>
if (ReadUByte(FTell()) == 0x2C) {
SetBackColor( 0xE0FFE0 );
struct IMAGEDESCRIPTOR {
UBYTE ImageSeperator;
ushort ImageLeftPosition;
ushort ImageTopPosition;
ushort ImageWidth;
ushort ImageHeight;
struct IMAGEDESCRIPTOR_PACKEDFIELDS {
UBYTE LocalColorTableFlag : 1;
UBYTE InterlaceFlag : 1;
UBYTE SortFlag : 1;
UBYTE Reserved : 2;
UBYTE SizeOfLocalColorTable : 3;
} PackedFields;
} ImageDescriptor;
if (ImageDescriptor.PackedFields.LocalColorTableFlag == 1) {
SetBackColor( 0xC0FFC0 );
struct LOCALCOLORTABLE {
local int i;
local int size = 1;
for (i = 0; i <= ImageDescriptor.PackedFields.SizeOfLocalColorTable; i++) {
size *= 2;
}
RGB rgb[size];
} LocalColorTable <optimize=false>;;
}
SetBackColor( 0xA0FFA0 );
struct IMAGEDATA {
UBYTE LZWMinimumCodeSize;
DATASUBBLOCKS DataSubBlocks;
} ImageData;
} else if (ReadUShort(FTell()) == 0xF921) {
SetBackColor( 0xC0FFFF );
struct GRAPHICCONTROLEXTENSION {
UBYTE ExtensionIntroducer; // 0x21
UBYTE GraphicControlLabel; // 0xF9
struct GRAPHICCONTROLSUBBLOCK {
UBYTE BlockSize;
struct GRAPHICCONTROLEXTENSION_DATASUBBLOCK_PACKEDFIELDS {
UBYTE Reserved : 3;
UBYTE DisposalMethod : 3;
UBYTE UserInputFlag : 1;
UBYTE TransparentColorFlag : 1;
} PackedFields;
ushort DelayTime;
UBYTE TransparentColorIndex;
} GraphicControlSubBlock;
UBYTE BlockTerminator;
} GraphicControlExtension;
} else if (ReadUShort(FTell()) == 0xFE21) {
SetBackColor( 0xFFFFC0 );
struct COMMENTEXTENSION {
UBYTE ExtensionIntroducer; // 0x21
UBYTE CommentLabel; // 0xFE
DATASUBBLOCKS CommentData;
} CommentExtension;
} else if (ReadUShort(FTell()) == 0x0121) {
SetBackColor( 0xC0C0C0 );
struct PLAINTEXTEXTENTION {
UBYTE ExtensionIntroducer; // 0x21
UBYTE PlainTextLabel; // 0x01
struct PLAINTEXTSUBBLOCK {
UBYTE BlockSize;
ushort TextGridLeftPosition;
ushort TextGridTopPosition;
ushort TextGridWidth;
ushort TextGridHeight;
UBYTE CharacterCellWidth;
UBYTE CharacterCellHeight;
UBYTE TextForegroundColorIndex;
UBYTE TextBackgroundColorIndex;
} PlainTextSubBlock;
DATASUBBLOCKS PlainTextData;
} PlainTextExtension;
} else if (ReadUShort(FTell()) == 0xFF21) {
SetBackColor( 0xC0C0FF );
struct APPLICATIONEXTENTION {
UBYTE ExtensionIntroducer; // 0x21
UBYTE ApplicationLabel; // 0xFF
struct APPLICATIONSUBBLOCK {
UBYTE BlockSize;
char ApplicationIdentifier[8];
char ApplicationAuthenticationCode[3];
} ApplicationSubBlock;
DATASUBBLOCKS ApplicationData;
} ApplicationExtension;
} else {
SetBackColor( 0xFF8080 );
struct UNDEFINEDDATA {
UBYTE ExtensionIntroducer; // 21
UBYTE Label; // F9
DATASUBBLOCKS DataSubBlocks;
} UndefinedData;
}
}
} Data;
SetBackColor( 0xFFFFFF );
struct TRAILER {
UBYTE GIFTrailer;
} Trailer;

68
cparser/GPTTemplate.bt Normal file
View File

@ -0,0 +1,68 @@
//--------------------------------------
//--- 010 Editor v5.0 Binary Template
//
// File: GPTTemplate
// Author: lurker0ster@gmail.com
// Revision: V1.0
// Purpose: Guid Partition Table
//--------------------------------------
typedef struct {
BYTE BootIndicator;
BYTE StartHead;
WORD StartSector:6;
WORD StartCylinder:10;
BYTE PartitionType;
BYTE EndHead;
WORD EndSector:6;
WORD EndCylider:10;
DWORD SectorsPrecedingPartion;
DWORD SectorsInPartition;
}MBRPARTITIONTABLE;
typedef struct{
char SIGNATURE[8];
DWORD Revision;
DWORD Headersize;
DWORD CRC32OfHeader;
DWORD Reserved;
uint64 CurrentLBA;
uint64 BackupLBA; //location of the other head copy
uint64 FirstUsableLBA; //primary partition table last LBA+1
uint64 LastUsableLBA; //secondary parition table first LBA-1
BYTE DiskGUID[16];
uint64 PartitionEntries;
DWORD NumOfPartitions;
DWORD SizeOfPartitionEntry;
DWORD CRC32ofPartitionArray;
BYTE reserved[420];
}GPT;
typedef struct {
BYTE PartitionTypeGUID[16];
BYTE PartitionGUID[16];
uint64 PartitionStartLBA;
uint64 PartitionEndLBA;
uint64 PartitionProperty;
wchar_t PartitionName[36]; //Unicode
}GPTPAPTITIONTABLE <size=128>;
LittleEndian();
struct {
BYTE bootcode[446];
MBRPARTITIONTABLE partitionTable[4];
WORD signature;
}MBR <size=512>;
if ((MBR.partitionTable[0].PartitionType & 0xFF) == 0xEE) {
Printf("Protected MBR. GPT reserved");
GPT gptheader;
GPTPAPTITIONTABLE table[128];
FSeek(FileSize()-sizeof(GPT)-sizeof(GPTPAPTITIONTABLE)*128);
GPTPAPTITIONTABLE BackupTable[128];
FSeek(FileSize()-sizeof(GPT));
GPT Backupgptheader;
}

185
cparser/GZipTemplate.bt Normal file
View File

@ -0,0 +1,185 @@
//--------------------------------------
//--- 010 Editor v4.0.3 Binary Template
//
// File: GZipTemplate.bt
// Author: Tim "diff" Strazzere <diff@lookout.com> <strazz@gmail.com>
// Revision: 1.2
// Purpose: Quick template for parsing GZip data/files
//--------------------------------------
//
// Version 1.2
// - Fix processing of part numbers for continuation based gzips
// - Added some notes on the encrypted header information
//
// Version 1.1
// - Fix small typos
// - Added comments to fields
// - Fix compression/flag names according to gzip 1.2.4 source
// - Added uncompressed length and CRC32
// - Check for different common magic bytes, and display properly
// - Minor code clean up
//
// Version 1.0
// - First implementation of the template
//
// TODO:
// - Parse encrypted header information
// GZip's should be Little Endian only
LittleEndian();
// utility type to show the magic bytes in the value column
typedef ubyte MAGIC[2] <read=MAGICRead, format=hex>;
string MAGICRead(MAGIC magic) {
string ret;
string tmp;
int i;
for(i = 0; i<2; i++) {
SPrintf(tmp, "%.2X", magic[i]);
ret += tmp;
}
return ret;
}
typedef enum <ubyte> {
// All below, except DEFLATE are reserved
STORED = 0,
COMPRESSED = 1,
PACKED = 2,
LZHED = 3,
RESERVED_4 = 4,
RESERVED_5 = 5,
RESERVED_6 = 6,
RESERVED_7 = 7,
// Default (and most common)
DEFLATE = 8
} COMPRESSION;
// TODO : Probably some better way to do this
typedef struct {
// File is probably ascii text (determined by compressor)
byte FLAG_ASCII_TEXT : 1;
// Continuation of multi-part gzip file
byte FLAG_CONTINUATION : 1;
// Generic extra field present
byte FLAG_EXTRA : 1;
// Original filename present
byte FLAG_NAME : 1;
// File comment present
byte FLAG_COMMENT : 1;
// Is file encrypted?
byte FLAG_ENCRYPTED : 1;
// Reserved for future use (nothing as of gzip 1.2.4
byte FLAG_RESERVED : 1;
byte FLAG_RESERVED : 1;
} FLAGS;
typedef enum <byte> {
FAT_FILESYSTEM = 0,
AMIGA = 1,
VMS = 2,
UNIX = 3,
VM_CMS = 4,
ATARI_TOS = 5,
HPFS_FILESYSTEM = 6,
MACINTOSH = 7,
Z_SYSTEM = 8,
CPM = 9,
TOPS_20 = 10,
NTFS_FILESYSTEM = 11,
QDOS = 12,
ACORN_RISCOS = 13,
UNKNOWN = 255
} OS;
typedef struct {
MAGIC magic_bytes <format=hex, comment="Magic bytes for the file">;
// Should be a better way to parse the magic bytes and complain to user...
if(magic_bytes[0] == 0x1F) {
if(magic_bytes[1] == 0x8B) {
// GZIP_MAGIC
Printf("Appears to be a valid GZIP compressed file, attempting to parse.\n");
} else if(magic_bytes[1] == 0x1E) {
// PACK_MAGIC
Printf("Appears to be a generic compressed file, attempting to parse - don't expect much though.\n");
} else if(magic_bytes[1] == 0x9E) {
// OLD_GZIP_MAGIC
Printf("Appears to be an old GZip compressed file, attempting to parse - don't expect much though.\n");
} else if(magic_bytes[1] == 0xA0) {
// LZH_MAGIC
Printf("Appears to be a LZH compressed file, attempting to parse - don't expect much though.\n");
}
} else if(magic_bytes[0] == 0x50 && magic_bytes[1] == 0x4B) {
Warning("Appears to be a possible ZIP file - unable to parse with this template!");
Exit(-1);
} else {
Warning("Does not appear to be a GZip file!");
Exit(-1);
}
COMPRESSION compression_method <comment="Compression method used by engine">;
FLAGS flags <comment="Optional flags for compressed section">;
// Convert to proper timestamp
uint modification_time <comment="Unix timestamp of the file modification time">;
// Extra flags
ubyte extra_flags <comment="Extra flags, dependant on compression method">;
// OS where compression took place
OS operating_system <comment="Operating system compression took place on">;
// The file is marked as a continuation, so it should have a part number
if(flags.FLAG_CONTINUATION == 1) {
ushort part <comment="Part number of the continuation">;
}
// Read in extras from flags
if(flags.FLAG_EXTRA == 1) {
ushort extra_length <comment="Length of extra field">;
byte extra_bytes[extra_length] <comment="Data for extra field">;
}
if(flags.FLAG_NAME == 1) {
string original_file_name <comment="Original file name">;
}
if(flags.FLAG_COMMENT == 1) {
string file_comment <comment="File comment">;
}
// TODO: Parse encrypted header info
// -- according to the docs this is grabbed from the zip lib (crypt.h/crypt.c)
// which according to their docs is hardly used or fully supported.
// It would appear you would need to compile this directly into your gzip
// sources for it to properly work, even though it's considered "valid".
if(flags.FLAG_ENCRYPTED == 1) {
// 12 bytes of encryption header data
}
} gzip_header;
// Structure of gzip file
struct {
// Header information
gzip_header header <comment="GZip header information">;
// Everything else should just be compress bytes, less the last 8 bytes
// which contain the CRC32 and uncompressed size
byte compressed[FileSize() - FTell() - 8] <comment="compressed data section">;
uint CRC32 <format=hex, comment="CRC of the data section">;
// 4 bytes uncompressed input size modulo 2^32
uint uncompressed_sized <comment="Size of the uncompressed input">;
} gzip_file;

1118
cparser/GeoTIFTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

41
cparser/GocleverTemplate.bt Normal file
View File

@ -0,0 +1,41 @@
//--------------------------------------
//--- 010 Editor v3.2.1 Binary Template
//
// File:GocleverTemplate.bt
// Author:Artur Babecki
// Revision: 21.02.2012
// Purpose: template for GOCLEVER Navigation log format
// GPSLogYYYY-MM-DD_xx-xx-xx.bin
// (Model GC-4335 and others)
// Generates raport in the human readable form:
// Date, Longitude, Latitude, Geoid, Altitude, Direction.
//
//--------------------------------------
local uint number_of_records;
local int i;
local string s;
number_of_records=FileSize()/48;
struct gps
{
double longitude ;
double latitude ;
time_t date;
int direction;
int speed;
uchar unknown_data [12];
int geoid;
int altitude ;
} goclever[number_of_records];
OutputPaneClear();
Printf("GOCLEVER Navigation log: %s \n\n",GetFileName());
Printf(" Date\t\tLongitude Latitude Geoid Altitude Direction Speed\n");
Printf("mm/dd/yyyy hh:mm:ss\n");
for (i=0;i<number_of_records;i++)
{
s=TimeTToString(goclever[i].date );
Printf("%s\t%Lf\t%Lf\t%d\t%d\t%d\t%d\n",s,goclever[i].longitude, goclever[i].latitude,goclever[i].geoid,goclever[i].altitude,goclever[i].direction,goclever[i].speed);
};

159
cparser/ICOTemplate.bt Normal file
View File

@ -0,0 +1,159 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ICOTemplate.bt
// Author: Amotz Getzov
// Revision: 1.0
// Purpose: Defines a template for
// parsing icon image files.
//
// Based on BMPTemplate.bt from SweetScape Software
// Does not support PMG icon images
//-----------------------------------
typedef struct
{
BYTE bWidth; // Width, in pixels, of the image
BYTE bHeight; // Height, in pixels, of the image
BYTE bColorCount; // Number of colors in image (0 if >=8bpp)
BYTE bReserved; // Reserved ( must be 0)
WORD wPlanes; // Color Planes
WORD wBitCount; // Bits per pixel
DWORD dwBytesInRes; // How many bytes in this resource?
DWORD dwImageOffset; // Where in the file is this image?
} ICONDIRENTRY <read=ReadIconDirEntry>;
typedef struct
{
WORD idReserved; // Reserved (must be 0)
WORD idType; // Resource Type (1 for icons)
WORD idCount; // How many images?
ICONDIRENTRY idEntries[idCount]; // An entry for each image (idCount of 'em)
} ICONDIR;
typedef struct { // rgbq
UBYTE rgbBlue;
UBYTE rgbGreen;
UBYTE rgbRed;
UBYTE rgbReserved;
} RGBQUAD <read=ReadRGBQUAD>;
typedef struct { // rgbt
UBYTE rgbBlue;
UBYTE rgbGreen;
UBYTE rgbRed;
} RGBTRIPLE <read=ReadRGBTRIPLE>;
typedef struct { // bmih
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount;
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;
typedef struct {
// Define the color table
if( (bmiHeader.biBitCount != 24) && (bmiHeader.biBitCount != 32) )
{
if( bmiHeader.biClrUsed > 0 )
RGBQUAD aColors[ bmiHeader.biClrUsed ];
else
RGBQUAD aColors[ 1 << bmiHeader.biBitCount ];
}
// Calculate bytes per line and padding required
local int bytesPerLine = (int)Ceil( bmiHeader.biWidth * bmiHeader.biBitCount / 8.0 );
local int padding = 4 - (bytesPerLine % 4);
if( padding == 4 )
padding = 0;
// Define each line of the image
struct BITMAPLINE {
// Define color data
if( bmiHeader.biBitCount < 8 )
UBYTE imageData[ bytesPerLine ];
else if( bmiHeader.biBitCount == 8 )
UBYTE colorIndex[ bmiHeader.biWidth ];
else if( bmiHeader.biBitCount == 24 )
RGBTRIPLE colors[ bmiHeader.biWidth ];
else if( bmiHeader.biBitCount == 32 )
RGBQUAD colors[ bmiHeader.biWidth ];
// Pad if necessary
if( padding != 0 )
UBYTE padBytes[ padding ];
} lines[ bmiHeader.biHeight/2 ]<optimize=false>;
// Define each line of the mask
struct MASKLINE {
UBYTE line[((bmiHeader.biWidth + 31)/32)*4]<format=hex>;
}mask[bmiHeader.biHeight/2]<optimize=false>;
}IMAGEDATA;
typedef struct {
SetBackColor( cLtAqua );
BITMAPINFOHEADER bmiHeader;
SetBackColor( cLtGray );
IMAGEDATA data;
}ICONIMAGE <read=ReadDIBHeader>;
//---------------------------------------------
// Custom read functions - this allows the data to be displayed without having to open up the structure.
string ReadIconDirEntry( ICONDIRENTRY &dirEntry )
{
string s;
SPrintf( s, "%dx%d %dbit %d colors", dirEntry.bWidth, dirEntry.bHeight, dirEntry.wBitCount, dirEntry.bColorCount );
return s;
}
string ReadDIBHeader( ICONIMAGE &image )
{
string s;
SPrintf( s, "%dx%d %dbit", image.bmiHeader.biWidth, image.bmiHeader.biHeight, image.bmiHeader.biBitCount );
return s;
}
string ReadRGBQUAD( RGBQUAD &a )
{
string s;
SPrintf( s, "#%02X%02X%02X%02X", a.rgbReserved, a.rgbRed, a.rgbGreen, a.rgbBlue );
return s;
}
string ReadRGBTRIPLE( RGBTRIPLE &a )
{
string s;
SPrintf( s, "#%02X%02X%02X", a.rgbRed, a.rgbGreen, a.rgbBlue );
return s;
}
//---------------------------------------------
// Define the headers
LittleEndian();
local short res = ReadShort( FTell() );
local short type = ReadShort(FTell() +2 );
//Check icon dir
if( res != 0 || type != 1)
{
Warning( "File is not an Icon. Template stopped." );
return -1;
}
SetBackColor( cNone );
ICONDIR icondir;
ICONIMAGE images[icondir.idCount] <optimize=false>;

157
cparser/ISOBMFTemplate.bt Normal file
View File

@ -0,0 +1,157 @@
//--------------------------------------
//--- 010 Editor v4.0.3 Binary Template
//
// File: ISOBMFTemplate.bt
// Author: @RReverser
// Revision: 201302261710
// Purpose: Parse ISO Base Media File Format files (QuickTime, JPEG2000, MPEG-4, etc.)
//--------------------------------------
BigEndian();
typedef struct
{
uint32 size <hidden = true>;
char type[4] <hidden = true>;
switch (type)
{
case "ftyp":
char fileType[4] <name = "File type", comment = "http://ftyps.com/">;
break;
case "co64":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 n <hidden = true>;
uint64 entries[n] <name = "Chunk offsets">;
break;
case "ctts":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 n <hidden = true>;
struct {
uint32 sampleCount <name = "Sample count">;
uint32 offset <name = "Offset">;
} entries[n] <name = "Chunk offsets">;
break;
case "elst":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 n <hidden = true>;
struct {
uint32 duration <name = "Duration", comment = "In global timescale units">;
uint32 mediaTime <name = "Media time", comment = "In trak timescale units">;
uint32 playbackSpeed <name = "Playback speed">;
} entries[n] <name = "Edit list entries">;
break;
case "fiel":
ubyte fields <name = "Scan mode", comment = "1 for progressive scan, 2 for 2:1 interlaced">;
ubyte detail <name = "Detail", comment = "https://developer.apple.com/quicktime/icefloe/dispatch019.html#fiel">;
break;
case "hdlr":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
char component_type[4] <name = "Component type">;
char subtype[4] <name = "Component subtype">;
uint32 manufacturer <name = "Component manufacturer">;
uint32 flags <name = "Component flags">;
uint32 flags_mask <name = "Component flags mask">;
string name <name = "Component name">;
break;
case "mdhd":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
if (version < 1)
{
uint32 creation_time <name = "Creation time">;
uint32 modification_time <name = "Modification time">;
}
else
{
uint64 creation_time <name = "Creation time">;
uint64 modification_time <name = "Modification time">;
}
uint32 time_scale <name = "Time scale">;
if (version < 1)
{
uint32 duration <name = "Duration">;
}
else
{
uint64 duration <name = "Duration">;
}
uint16 lang <name = "Language", format = binary, comment = "ISO-639 language code represented with three 5-bit values (each of which is the ASCII value of the letter minus 0x60)">;
uint16 quality <name = "Quality">;
break;
case "stco":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 n <hidden = true>;
uint32 entries[n] <name = "Chunk offsets">;
break;
case "stss":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 n <hidden = true>;
uint32 entries[n] <name = "Sync samples">;
break;
case "stsz":
ubyte version <name = "Version">;
ubyte flags[3] <name = "Flags", format = binary>;
uint32 uniform_size <name = "Uniform size">;
uint32 n <hidden = true>;
uint32 entries[n] <name = "Sample sizes">;
break;
case "cmov":
case "edts":
case "mdia":
case "minf":
case "moov":
case "rmda":
case "rmra":
case "stbl":
case "trak":
while (FTell() - startof(this) < size)
{
struct Atom child;
}
break;
default:
FSeek(FTell() - 8);
break;
}
local int left = size - (FTell() - startof(this));
if (left > 0)
{
ubyte data[left] <format = hex>;
}
}
Atom <name = GetAtomName, size = GetAtomSize>;
int GetAtomSize(Atom &atom)
{
return ReadUInt(startof(atom));
}
string GetAtomName(Atom &atom)
{
char type[4];
ReadBytes(type, startof(atom) + 4, 4);
return type;
}
while (!FEof())
{
Atom atom;
}

108
cparser/ISOTemplate.bt Normal file
View File

@ -0,0 +1,108 @@
//--------------------------------------
//--- 010 Editor v5.0 Binary Template
//
// File: ISOTemplate.bt
// Author: Anton Kochkov
// Revision: 0.1
// Purpose: Show contents of the ISO headers
//--------------------------------------
BitfieldRightToLeft();
BitfieldDisablePadding();
#define BLOCK_SIZE 2048
#define BOOT_RECORD_OFFSET 2048 * 16
typedef struct _BOOT_RECORD
{
ubyte BootIndicator;
char IsoId[5];
ubyte Version;
char Identifier[32];
ubyte Unused[32];
uint32 BootCatalog;
ubyte Unused2[5];
uint32 VolSpaceSize[2];
} BOOT_RECORD_DESC;
typedef struct {
ubyte VolDescType;
byte StdId[5];
ubyte VolDescVer;
} VOLUME_DESCRIPTOR_HEADER;
typedef struct {
uint32 Year;
uint16 Month;
uint16 Day;
uint16 Hour;
uint16 Minute;
uint16 Second;
uint16 HSecond;
byte Offset;
} CD_DATE_TIME;
typedef struct {
ubyte Year;
ubyte Month;
ubyte Day;
ubyte Hour;
ubyte Minute;
ubyte Second;
byte Offset;
} FILE_DATE_TIME;
typedef struct {
ubyte RecordLength;
ubyte ExtAttrRecLength;
uint64 StartLba;
uint64 DataLength;
FILE_DATE_TIME RecTime;
ubyte Flags;
ubyte FileUnitSize;
ubyte InterleaveGap;
uint32 VolSeqNum;
ubyte FileIdLength;
ubyte FileId[1];
} ROOT_DIR_HEADER;
typedef struct {
VOLUME_DESCRIPTOR_HEADER Header;
ubyte Flags;
byte SysId[32];
byte VolId[32];
uint64 Unused;
uint64 VolSpaceSize;
byte EscSeq[32];
uint32 VolSetSize;
uint32 VolSeqNum;
uint32 LBlockSize;
uint64 PathTblSize;
uint32 LPathTbl1;
uint32 LPathTbl2;
uint32 MPathTbl1;
uint32 MPathTbl2;
ROOT_DIR_HEADER Root;
byte VolSetId[128];
byte PublisherId[128];
byte DataPrepId[128];
byte ApplicationId[128];
byte CopyrightFileId[37];
byte AbstractFileId[37];
byte BiblioFileId[37];
CD_DATE_TIME CreationTime;
CD_DATE_TIME ModifyTime;
CD_DATE_TIME ExpireTime;
CD_DATE_TIME EffectiveTime;
ubyte FileStrucVer;
ubyte Unused1;
} PRIMARY_VOLUME_DESC_HEADER;
LittleEndian();
FSeek(BOOT_RECORD_OFFSET);
union {
BOOT_RECORD_DESC boot_record;
PRIMARY_VOLUME_DESC_HEADER primary_volume;
} disk_header;

174
cparser/InspectorDates.bt Normal file
View File

@ -0,0 +1,174 @@
//-----------------------------------
//--- 010 Editor v4.0 Binary Template
//
// File: InspectorDates.bt
// Author: SweetScape Software
// Revision: 1.0
// Purpose: Demonstrates how to add
// a series of date types to the
// Inspector.bt file. Includes
// WebkitTime, HFSTime, AppleTime, PRTime
// JavaTime, GPSTime, and BlackberryDate.
//-----------------------------------
RequiresVersion( 4.0 );
// Calculate the position for each variable,
// either at the beginning of the selection
// or at the current cursor position.
local int64 pos;
if( GetSelSize() > 0 )
pos = GetSelStart();
else
pos = GetCursorPos();
// Define variables for the inspector
FSeek( pos ); byte _si8 <name="Signed Byte">;
FSeek( pos ); ubyte _ui8 <name="Unsigned Byte">;
FSeek( pos ); short _si16 <name="Signed Short">;
FSeek( pos ); ushort _ui16 <name="Unsigned Short">;
FSeek( pos ); int _si32 <name="Signed Int">;
FSeek( pos ); uint _ui32 <name="Unsigned Int">;
FSeek( pos ); int64 _si64 <name="Signed Int64">;
FSeek( pos ); uint64 _ui64 <name="Unsigned Int64">;
FSeek( pos ); float _f <name="Float">;
FSeek( pos ); double _d <name="Double">;
FSeek( pos ); char _s [ReadStringLength(pos,256)] <name="String">; // limit to 256 characters
FSeek( pos ); wchar_t _ws[ReadWStringLength(pos,256)] <name="Unicode">; // limit to 256 characters
FSeek( pos ); DOSDATE _dd <name="DOS Date">;
FSeek( pos ); DOSTIME _dt <name="DOS Time">;
FSeek( pos ); time_t _tt <name="time_t">;
FSeek( pos ); FILETIME _ft <name="FILETIME">;
FSeek( pos ); OLETIME _ot <name="OLETIME">;
//----------------------------------------------------------------
// WebkitTime
// 64-bit integer, number of microseconds since 01/01/1601 00:00:00
typedef uint64 WebkitTime <read=WebkitTimeRead, write=WebkitTimeWrite>;
FSeek( pos ); WebkitTime _wkt <name="WebkitTime">;
string WebkitTimeRead( WebkitTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10 );
}
int WebkitTimeWrite( WebkitTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (int64)ft/10;
return result;
}
//----------------------------------------------------------------
// HFSTime
// 32-bit integer, number of seconds since 01/01/1904 00:00:00
typedef uint HFSTime <read=HFSTimeRead, write=HFSTimeWrite>;
FSeek( pos ); HFSTime _hft <name="HFSTime">;
string HFSTimeRead( HFSTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10000000L + 95616288000000000L );
}
int HFSTimeWrite( HFSTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (int)(((uint64)ft - 95616288000000000L)/10000000L);
return result;
}
//----------------------------------------------------------------
// AppleTime
// 32-bit integer, number of seconds since 01/01/2001 00:00:00
typedef uint AppleTime <read=AppleTimeRead, write=AppleTimeWrite>;
FSeek( pos ); AppleTime _at <name="AppleTime">;
string AppleTimeRead( AppleTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10000000L + 126227808000000000L );
}
int AppleTimeWrite( AppleTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (int)(((uint64)ft - 126227808000000000L)/10000000L);
return result;
}
//----------------------------------------------------------------
// PRTime
// 64-bit integer, number of microseconds since 01/01/1970 00:00:00
typedef uint64 PRTime <read=PRTimeRead, write=PRTimeWrite>;
FSeek( pos ); PRTime _prt <name="PRTime">;
string PRTimeRead( PRTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10L + 116444736000000000L );
}
int PRTimeWrite( PRTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (((uint64)ft - 116444736000000000L)/10L);
return result;
}
//----------------------------------------------------------------
// JavaTime
// 64-bit integer, number of microseconds since 01/01/1970 00:00:00
typedef uint64 JavaTime <read=JavaTimeRead, write=JavaTimeWrite>;
FSeek( pos ); JavaTime _jt <name="JavaTime">;
string JavaTimeRead( JavaTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10000L + 116444736000000000L );
}
int JavaTimeWrite( JavaTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (((uint64)ft - 116444736000000000L)/10000L);
return result;
}
//----------------------------------------------------------------
// GPSTime
// 32-bit integer, number of seconds since 01/06/1980 00:00:00
typedef uint GPSTime <read=GPSTimeRead, write=GPSTimeWrite>;
FSeek( pos ); GPSTime _gpst <name="GPSTime">;
string GPSTimeRead( GPSTime t )
{
// Convert to FILETIME
return FileTimeToString( t*10000000L + 119604384000000000 );
}
int GPSTimeWrite( GPSTime &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (int)(((uint64)ft - 119604384000000000)/10000000L);
return result;
}
//----------------------------------------------------------------
// BlackberryDate
// 32-bit integer, number of minutes since 01/01/1900 00:00:00
typedef uint BlackberryDate <read=BlackberryDateRead, write=BlackberryDateWrite>;
FSeek( pos ); BlackberryDate _gt <name="BlackberryDate">;
string BlackberryDateRead( BlackberryDate t )
{
// Convert to FILETIME
return FileTimeToString( t*600000000L + 94354848000000000L );
}
int BlackberryDateWrite( BlackberryDate &t, string value )
{
// Convert from FILETIME
FILETIME ft;
int result = StringToFileTime( value, ft );
t = (int)(((uint64)ft - 94354848000000000L)/600000000L);
return result;
}

116
cparser/InspectorWithMP4DateTime.bt Normal file
View File

@ -0,0 +1,116 @@
//-----------------------------------
//--- 010 Editor v4.0 Binary Template
//
// File: InspectorMoje.bt
// Author: SweetScape Software
// Revision: 1.1
// Purpose: This template may be used
// to customize the auto tab of the
// Inspector with your own variables.
// See the Inspector section of the
// Options dialog for more information.
// Changes:
// 1.1 (SweetScape):
// - Added hfloat data type.
// 1.2 (Marian Denes):
// - Added MP4_Time data type
//-----------------------------------
RequiresVersion( 4.0 );
// Calculate the position for each variable,
// either at the beginning of the selection
// or at the current cursor position.
local int64 position;
if( GetSelSize() > 0 )
position = GetSelStart();
else
position = GetCursorPos();
int leap(int year)
{
return year % 4 == 0 && ( year % 100 != 0 || year % 400 == 0 );
}
int daysInYear(int year) {return 365 + leap(year);}
typedef uint MP4_Time <read=MP4_TimeRead, write=MP4_TimeWrite>;
string MP4_TimeRead( MP4_Time secs )
{
// secs - seconds since midnight, January 1, 1904
int days = secs / 86400;
secs = secs % 86400;
int year = 1904;
int month = 1;
int daysInMonth[13] = {-1, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
int extraDay [13] = {-1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
while (days > daysInYear(year))
{
days -= daysInYear(year);
year++;
}
while (days > daysInMonth[month] + leap(year) * extraDay[month])
{
days -= daysInMonth[month] + leap(year) * extraDay[month];
month++;
}
int day = ++days; // 0 (full) days remaining means the 1st day of the monht, and so on
int hours = secs / 3600;
secs = secs % 3600;
int mins = secs / 60;
secs = secs % 60;
string s;
SPrintf( s, "%02d.%02d.%4d %02d:%02d:%02d", day, month, year, hours, mins, secs );
return s;
}
void MP4_TimeWrite( MP4_Time &secs, string dateTime )
{
int daysInMonth[13] = {-1, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
int extraDay [13] = {-1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
int day, month, year, hour, min, sec; //secs = 0x1122;
SScanf(dateTime, "%d.%d.%d %d:%d:%d", day, month, year, hour, min, sec);
int days = day - 1; // January 1, 1994 is 0 days after this date, and so on
int months, hours, mins, y, m;
for (y = 1904; y < year; ++y)
days += daysInYear(y);
for (m = 1; m < month; ++m)
days += daysInMonth[m] + leap(year) * extraDay[m];
secs = days * 86400 + hour * 3600 + min * 60 + sec;
}
// Define variables for the inspector
FSeek( position ); MP4_Time _mp4t <name="MP4 time">;
FSeek( position ); byte _si8 <name="Signed Byte">;
FSeek( position ); ubyte _ui8 <name="Unsigned Byte">;
FSeek( position ); short _si16 <name="Signed Short">;
FSeek( position ); ushort _ui16 <name="Unsigned Short">;
FSeek( position ); int _si32 <name="Signed Int">;
FSeek( position ); uint _ui32 <name="Unsigned Int">;
FSeek( position ); int64 _si64 <name="Signed Int64">;
FSeek( position ); uint64 _ui64 <name="Unsigned Int64">;
FSeek( position ); float _f <name="Float">;
FSeek( position ); double _d <name="Double">;
FSeek( position ); hfloat _hf <name="Half Float">;
FSeek( position ); char _s [ReadStringLength(position,256)] <name="String">; // limit to 256 characters
FSeek( position ); wchar_t _ws[ReadWStringLength(position,256)] <name="Unicode">; // limit to 256 characters
FSeek( position ); DOSDATE _dd <name="DOS Date">;
FSeek( position ); DOSTIME _dt <name="DOS Time">;
FSeek( position ); FILETIME _ft <name="FILETIME">;
FSeek( position ); OLETIME _ot <name="OLETIME">;
FSeek( position ); time_t _tt <name="time_t">;

1604
cparser/JPGTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

424
cparser/LNKTemplate.bt Normal file
View File

@ -0,0 +1,424 @@
//---------------------------------------------------------------------------
/*
010 Editor Template for LNK file format
2010/08/11 v0.0.4
http://msdn.microsoft.com/en-us/library/dd871305%28PROT.10%29.aspx
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2010/07/23: start development with 010 Editor v3.0.6
2010/07/27: continue
2010/07/30: added CommonNetworkRelativeLink
2010/08/11: v0.0.4 added GUID processing to IDList
Todo:
Read functions for HotKeyFlags and NetworkProviderType
ExtraData structures for:
ConsoleDataBlock structure (section 2.5.1).
ConsoleFEDataBlock structure (section 2.5.2).
DarwinDataBlock structure (section 2.5.3).
EnvironmentVariableDataBlock structure (section 2.5.4).
IconEnvironmentDataBlock structure (section 2.5.5).
KnownFolderDataBlock structure (section 2.5.6).
PropertyStoreDataBlock structure (section 2.5.7).
ShimDataBlock structure (section 2.5.8).
SpecialFolderDataBlock structure (section 2.5.9).
VistaAndAboveIDListDataBlock structure (section 2.5.11).
*/
//---------------------------------------------------------------------------
local int iCOLOR = 0x95E8FF;
local int iToggleColor = iCOLOR;
void ToggleBackColor()
{
if (iToggleColor == iCOLOR)
iToggleColor = cNone;
else
iToggleColor = iCOLOR;
SetBackColor(iToggleColor);
}
typedef struct
{
int HasLinkTargetIDList : 1;
int HasLinkInfo : 1;
int HasName : 1;
int HasRelativePath : 1;
int HasWorkingDir : 1;
int HasArguments : 1;
int HasIconLocation : 1;
int IsUnicode : 1;
int ForceNoLinkInfo : 1;
int HasExpString : 1;
int RunInSeparateProcess : 1;
int Unused1 : 1;
int HasDarwinID : 1;
int RunAsUser : 1;
int HasExpIcon : 1;
int NoPidlAlias : 1;
int Unused2 : 1;
int RunWithShimLayer : 1;
int ForceNoLinkTrack : 1;
int EnableTargetMetadata : 1;
int DisableLinkPathTracking : 1;
int DisableKnownFolderTracking : 1;
int DisableKnownFolderAlias : 1;
int AllowLinkToLink : 1;
int UnaliasOnSave : 1;
int PreferEnvironmentPath : 1;
int KeepLocalIDListForUNCTarget : 1;
int Unused3 : 5;
} LinkFlags;
typedef struct
{
int FILE_ATTRIBUTE_READONLY : 1;
int FILE_ATTRIBUTE_HIDDEN : 1;
int FILE_ATTRIBUTE_SYSTEM : 1;
int Reserved1 : 1;
int FILE_ATTRIBUTE_DIRECTORY : 1;
int FILE_ATTRIBUTE_ARCHIVE : 1;
int FILE_ATTRIBUTE_NORMAL : 1;
int FILE_ATTRIBUTE_TEMPORARY : 1;
int FILE_ATTRIBUTE_SPARSE_FILE : 1;
int FILE_ATTRIBUTE_REPARSE_POINT : 1;
int FILE_ATTRIBUTE_COMPRESSED : 1;
int FILE_ATTRIBUTE_OFFLINE : 1;
int FILE_ATTRIBUTE_NOT_CONTENT_INDEXED : 1;
int FILE_ATTRIBUTE_ENCRYPTED : 1;
int Unused1 : 18;
} FileAttributes;
typedef struct
{
DWORD HeaderSize <read=ReadCheckHeaderSize>; /* Must be 0x0000004C */
BYTE LinkCLSID[16]; /* This value MUST be 00021401-0000-0000-C000-000000000046. */
LinkFlags sLinkFlags;
FileAttributes sFileAttributes;
FILETIME CreationTime;
FILETIME AccessTime;
FILETIME WriteTime;
DWORD FileSize;
DWORD IconIndex;
DWORD ShowCommand <read=ReadShowCommand>;
WORD HotKey;
WORD Reserved1;
DWORD Reserved2;
DWORD Reserved3;
} ShellLinkHeader;
string ReadCheckHeaderSize(DWORD data)
{
string result;
switch (data)
{
case 0x0000004C:
result = "76";
break;
default:
SPrintf(result, "Unexpected headersize: 0x%08X", data);
}
return result;
}
string ReadShowCommand(DWORD function)
{
string result;
switch (function)
{
case 0x00000001:
result = "SW_SHOWNORMAL";
break;
case 0x00000003:
result = "SW_SHOWMAXIMIZED";
break;
case 0x00000007:
result = "SW_SHOWMINNOACTIVE";
break;
default:
SPrintf(result, "0x%08X", function);
}
return result;
}
// http://msdn.microsoft.com/en-us/library/cc144089%28VS.85%29.aspx#unknown_74413
typedef struct
{
WORD ItemIDSize;
if (ItemIDSize == 0x14)
{
BYTE Type;
BYTE Unknown;
BYTE GUID[ItemIDSize - 4];
}
else
BYTE Data[ItemIDSize - 2];
} IDList <read=ReadIDList>;
string ReadIDList(IDList &sIDList)
{
string sGUID;
if (sIDList.ItemIDSize == 0x14)
{
SPrintf(sGUID, "{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", sIDList.GUID[3], sIDList.GUID[2], sIDList.GUID[1], sIDList.GUID[0], sIDList.GUID[5], sIDList.GUID[4], sIDList.GUID[7], sIDList.GUID[6], sIDList.GUID[8], sIDList.GUID[9], sIDList.GUID[10], sIDList.GUID[11], sIDList.GUID[12], sIDList.GUID[13], sIDList.GUID[14], sIDList.GUID[15]);
return LookupGUID(sGUID);
}
else
return "";
}
// GUIDs found in shlguid.h
string LookupGUID(string sGUID)
{
if (!Stricmp(sGUID, "{208D2C60-3AEA-1069-A2D7-08002B30309D}"))
return "CLSID_NetworkPlaces";
else if (!Stricmp(sGUID, "{46e06680-4bf0-11d1-83ee-00a0c90dc849}"))
return "CLSID_NetworkDomain";
else if (!Stricmp(sGUID, "{c0542a90-4bf0-11d1-83ee-00a0c90dc849}"))
return "CLSID_NetworkServer";
else if (!Stricmp(sGUID, "{54a754c0-4bf1-11d1-83ee-00a0c90dc849}"))
return "CLSID_NetworkShare";
else if (!Stricmp(sGUID, "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"))
return "CLSID_MyComputer";
else if (!Stricmp(sGUID, "{871C5380-42A0-1069-A2EA-08002B30309D}"))
return "CLSID_Internet";
else if (!Stricmp(sGUID, "{F3364BA0-65B9-11CE-A9BA-00AA004AE837}"))
return "CLSID_ShellFSFolder";
else if (!Stricmp(sGUID, "{645FF040-5081-101B-9F08-00AA002F954E}"))
return "CLSID_RecycleBin";
else if (!Stricmp(sGUID, "{21EC2020-3AEA-1069-A2DD-08002B30309D}"))
return "CLSID_ControlPanel";
else if (!Stricmp(sGUID, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"))
return "CLSID_MyDocuments";
else
return sGUID;
}
typedef struct
{
WORD IDListSize;
while(ReadUShort(FTell()) != 0x0000)
{
IDList sIDList;
}
WORD TerminalID;
} LinkTargetIDList;
typedef struct
{
int VolumeIDAndLocalBasePath : 1;
int CommonNetworkRelativeLinkAndPathSuffix : 1;
int Unused1 : 30;
} LinkInfoFlags;
typedef struct
{
DWORD VolumeIDSize;
DWORD DriveType <read=ReadDriveType>;;
DWORD DriveSerialNumber;
DWORD VolumeLabelOffset;
if (VolumeLabelOffset == 0x00000014)
{
DWORD VolumeLabelOffsetUnicode;
}
string Data;
} VolumeID;
typedef struct
{
DWORD CommonNetworkRelativeLinkSize;
DWORD CommonNetworkRelativeLinkFlags;
DWORD NetNameOffset;
DWORD DeviceNameOffset;
DWORD NetworkProviderType;
if (NetNameOffset > 0x14)
{
DWORD NetNameOffsetUnicode;
DWORD DeviceNameOffsetUnicode;
}
string NetName;
string DeviceName;
if (NetNameOffset > 0x14)
{
string NetNameUnicode; // Must be UNICODE
string DeviceNameUnicode; // Must be UNICODE
}
} CommonNetworkRelativeLink;
string ReadDriveType(DWORD function)
{
string result;
switch (function)
{
case 0x00000000:
result = "DRIVE_UNKNOWN";
break;
case 0x00000001:
result = "DRIVE_NO_ROOT_DIR";
break;
case 0x00000002:
result = "DRIVE_REMOVABLE";
break;
case 0x00000003:
result = "DRIVE_FIXED";
break;
case 0x00000004:
result = "DRIVE_REMOTE";
break;
case 0x00000005:
result = "DRIVE_CDROM";
break;
case 0x00000006:
result = "DRIVE_RAMDISK";
break;
default:
SPrintf(result, "0x%08X", function);
}
return result;
}
typedef struct
{
DWORD LinkInfoSize;
DWORD LinkInfoHeaderSize;
LinkInfoFlags sLinkInfoFlags;
DWORD VolumeIDOffset;
DWORD LocalBasePathOffset;
DWORD CommonNetworkRelativeLinkOffset;
DWORD CommonPathSuffixOffset;
if (LinkInfoHeaderSize >= 0x00000024 )
{
DWORD LocalBasePathOffsetUnicode;
DWORD CommonPathSuffixOffsetUnicode;
}
if (sLinkInfoFlags.VolumeIDAndLocalBasePath == 1)
{
VolumeID sVolumeID;
string LocalBasePath;
string CommonPathSuffix;
}
if (sLinkInfoFlags.CommonNetworkRelativeLinkAndPathSuffix == 1)
{
CommonNetworkRelativeLink sCommonNetworkRelativeLink;
}
} LinkInfo;
typedef struct
{
WORD CountCharacters;
BYTE String[CountCharacters * 2];
} StringData;
typedef struct
{
DWORD BlockSize;
DWORD BlockSignature;
BYTE BlockData[BlockSize - 8];
} ExtraDataBlock;
typedef struct
{
DWORD BlockSize;
DWORD BlockSignature;
DWORD Length;
DWORD Version;
BYTE MachineID[16];
BYTE Droid[32];
BYTE DroidBirth[32];
} TrackerDataBlock;
typedef struct
{
while(ReadUInt(FTell()) >= 0x00000004)
{
switch (ReadUInt(FTell() + 4))
{
case 0xA0000003:
TrackerDataBlock sTrackerDataBlock;
break;
default:
ExtraDataBlock sExtraDataBlock;
}
}
DWORD TerminalBlock;
} ExtraData;
// Start
LittleEndian();
SetBackColor(iToggleColor);
ShellLinkHeader sShellLinkHeader;
if (sShellLinkHeader.sLinkFlags.HasLinkTargetIDList == 1)
{
ToggleBackColor();
LinkTargetIDList sLinkTargetIDList;
}
if (sShellLinkHeader.sLinkFlags.HasLinkInfo == 1)
{
ToggleBackColor();
LinkInfo sLinkInfo;
}
if (sShellLinkHeader.sLinkFlags.HasName == 1)
{
ToggleBackColor();
StringData NAME_STRING;
}
if (sShellLinkHeader.sLinkFlags.HasRelativePath == 1)
{
ToggleBackColor();
StringData RELATIVE_PATH;
}
if (sShellLinkHeader.sLinkFlags.HasWorkingDir == 1)
{
ToggleBackColor();
StringData WORKING_DIR;
}
if (sShellLinkHeader.sLinkFlags.HasArguments == 1)
{
ToggleBackColor();
StringData COMMAND_LINE_ARGUMENTS;
}
if (sShellLinkHeader.sLinkFlags.HasIconLocation == 1)
{
ToggleBackColor();
StringData ICON_LOCATION;
}
ToggleBackColor();
ExtraData sExtraData;
SetBackColor(cNone);

75
cparser/LUKSTemplate.bt Normal file
View File

@ -0,0 +1,75 @@
//--------------------------------------
//--- 010 Editor v4.0.1 Binary Template
//
// File: LUKS.bt
// Author: Daniel Correa
// URL: http://www.sinfocol.org/
// Revision: 1.0
// Purpose: Template for LUKS
//--------------------------------------
#define LUKS_CIPHERNAME_L 32
#define LUKS_CIPHERMODE_L 32
#define LUKS_HASHSPEC_L 32
#define LUKS_DIGESTSIZE 20
#define LUKS_HMACSIZE 32
#define LUKS_SALTSIZE 32
#define LUKS_NUMKEYS 8
#define LUKS_MKD_ITERATIONS_MIN 1000
#define LUKS_SLOT_ITERATIONS_MIN 1000
#define LUKS_KEY_DISABLED_OLD 0
#define LUKS_KEY_ENABLED_OLD 0xCAFE
#define LUKS_KEY_DISABLED 0x0000DEAD
#define LUKS_KEY_ENABLED 0x00AC71F3
#define LUKS_STRIPES 4000
#define LUKS_MAGIC "LUKS\xBA\xBE"
#define LUKS_MAGIC_L 6
#define LUKS_PHDR_SIZE (sizeof(struct luks_phdr)/SECTOR_SIZE+1)
#define UUID_STRING_L 40
#define LUKS_ALIGN_KEYSLOTS 4096
typedef struct luks_phdr {
char magic[LUKS_MAGIC_L] <bgcolor=0xaabbcc>;
if (magic != LUKS_MAGIC) {
SetBackColor(0x0000ff);
Warning("File is not a LUKS disk. Bad signature.");
return -1;
}
uint16 version <bgcolor=0xccddee>;
char cipherName[LUKS_CIPHERNAME_L] <bgcolor=0x00ffee>;
char cipherMode[LUKS_CIPHERMODE_L] <bgcolor=0xffbbee>;
char hashSpec[LUKS_HASHSPEC_L] <bgcolor=0x339922>;
uint32 payloadOffset <bgcolor=0x3399ee>;
uint32 keyBytes <bgcolor=0x886633>;
char mkDigest[LUKS_DIGESTSIZE] <bgcolor=0x999999, format=hex>;
char mkDigestSalt[LUKS_SALTSIZE] <bgcolor=0xaa9933>;
uint32 mkDigestIterations <bgcolor=0x44ee88>;
char uuid[UUID_STRING_L] <bgcolor=0xeeff77>;
struct {
uint32 active <bgcolor=0x4444ff>;
uint32 passwordIterations <bgcolor=0xff7777>;
char passwordSalt[LUKS_SALTSIZE] <bgcolor=0x77ff77>;
uint32 keyMaterialOffset <bgcolor=0xffaabb>;
uint32 stripes <bgcolor=0xbbaadd>;
} keyblock[LUKS_NUMKEYS];
char _padding[432];
};
FSeek(0);
BigEndian();
luks_phdr LUKS;

460
cparser/MBRTemplate.bt Normal file
View File

@ -0,0 +1,460 @@
//------------------------------------
//--- 010 Editor v2.01 Binary Template
//
// Name: MBRTemplate.bt
// Author: Christian Schaffalitzky
// Revision: 1.3
// Purpose: Parse a Master Boot Record on a Harddisk
// Changes:
// 1.3 (insomniac@slackware.it)
// - Added partition ID and type comments
// 1.2 (A.Babecki):
// - Added BitfieldDisablePadding
// - Added unsigned for relsect/numsect
//
//------------------------------------
BitfieldRightToLeft();
BitfieldDisablePadding();
string BootID(unsigned char boot_id) {
string ret;
if (boot_id & 0x80)
Strcat(ret, "Bootable");
else
Strcat(ret, "Not bootable");
return ret;
}
/* Generated with partlist <https://github.com/insomniacslk/partlist> */
/* Original data source: http://www.win.tue.nl/~aeb/partitions/partition_types-1.html */
string PartitionID(unsigned char ptype) {
switch (ptype) {
case 0:
return "Empty";
case 1:
return "DOS 12-bit FAT";
case 2:
return "XENIX root";
case 3:
return "XENIX /usr";
case 4:
return "DOS 3.0+ 16-bit FAT (up to 32M)";
case 5:
return "DOS 3.3+ Extended Partition";
case 6:
return "DOS 3.31+ 16-bit FAT (over 32M)";
case 7:
return "OS/2 IFS (e.g., HPFS), Windows NT NTFS, exFAT, Advanced Unix, QNX2.x pre-1988 (see below under IDs 4d-4f)";
case 8:
return "OS/2 (v1.0-1.3 only), AIX boot partition, SplitDrive, Commodore DOS, DELL partition spanning multiple drives, QNX 1.x and 2.x (\"qny\")";
case 9:
return "AIX data partition, Coherent filesystem, QNX 1.x and 2.x (\"qnz\")";
case 10:
return "OS/2 Boot Manager, Coherent swap partition, OPUS";
case 11:
return "WIN95 OSR2 FAT32";
case 12:
return "WIN95 OSR2 FAT32, LBA-mapped";
case 13:
return "SILICON SAFE";
case 14:
return "WIN95: DOS 16-bit FAT, LBA-mapped";
case 15:
return "WIN95: Extended partition, LBA-mapped";
case 16:
return "OPUS (?)";
case 17:
return "Hidden DOS 12-bit FAT";
case 18:
return "Configuration/diagnostics partition";
case 20:
return "Hidden DOS 16-bit FAT &lt;32M";
case 22:
return "Hidden DOS 16-bit FAT &gt;=32M";
case 23:
return "Hidden IFS (e.g., HPFS)";
case 24:
return "AST SmartSleep Partition";
case 25:
return "Unused";
case 27:
return "Hidden WIN95 OSR2 FAT32";
case 28:
return "Hidden WIN95 OSR2 FAT32, LBA-mapped";
case 30:
return "Hidden WIN95 16-bit FAT, LBA-mapped";
case 32:
return "Unused";
case 33:
return "Reserved, Unused";
case 34:
return "Unused";
case 35:
return "Reserved";
case 36:
return "NEC DOS 3.x";
case 38:
return "Reserved";
case 39:
return "PQservice, Windows RE hidden partition, MirOS partition, RouterBOOT kernel partition";
case 42:
return "AtheOS File System (AFS)";
case 49:
return "Reserved";
case 50:
return "NOS";
case 51:
return "Reserved";
case 52:
return "Reserved";
case 53:
return "JFS on OS/2 or eCS ";
case 54:
return "Reserved";
case 56:
return "THEOS ver 3.2 2gb partition";
case 57:
return "Plan 9 partition, THEOS ver 4 spanned partition";
case 58:
return "THEOS ver 4 4gb partition";
case 59:
return "THEOS ver 4 extended partition";
case 60:
return "PartitionMagic recovery partition";
case 61:
return "Hidden NetWare";
case 64:
return "Venix 80286, PICK";
case 65:
return "Linux/MINIX (sharing disk with DRDOS), Personal RISC Boot, PPC PReP (Power PC Reference Platform) Boot";
case 66:
return "Linux swap (sharing disk with DRDOS), SFS (Secure Filesystem), Windows 2000 dynamic extended partition marker";
case 67:
return "Linux native (sharing disk with DRDOS)";
case 68:
return "GoBack partition";
case 69:
return "Boot-US boot manager, Priam, EUMEL/Elan ";
case 70:
return "EUMEL/Elan ";
case 71:
return "EUMEL/Elan ";
case 72:
return "EUMEL/Elan ";
case 74:
return "Mark Aitchison\'s ALFS/THIN lightweight filesystem for DOS, AdaOS Aquila (Withdrawn)";
case 76:
return "Oberon partition";
case 77:
return "QNX4.x";
case 78:
return "QNX4.x 2nd part";
case 79:
return "QNX4.x 3rd part, Oberon partition";
case 80:
return "OnTrack Disk Manager (older versions) RO, Lynx RTOS, Native Oberon (alt)";
case 81:
return "OnTrack Disk Manager RW (DM6 Aux1), Novell";
case 82:
return "CP/M, Microport SysV/AT";
case 83:
return "Disk Manager 6.0 Aux3";
case 84:
return "Disk Manager 6.0 Dynamic Drive Overlay (DDO)";
case 85:
return "EZ-Drive";
case 86:
return "Golden Bow VFeature Partitioned Volume., DM converted to EZ-BIOS";
case 87:
return "DrivePro, VNDI Partition";
case 92:
return "Priam EDisk";
case 97:
return "SpeedStor";
case 99:
return "Unix System V (SCO, ISC Unix, UnixWare, ...), Mach, GNU Hurd";
case 100:
return "PC-ARMOUR protected partition, Novell Netware 286, 2.xx";
case 101:
return "Novell Netware 386, 3.xx or 4.xx";
case 102:
return "Novell Netware SMS Partition";
case 103:
return "Novell";
case 104:
return "Novell";
case 105:
return "Novell Netware 5+, Novell Netware NSS Partition";
case 110:
return "??";
case 112:
return "DiskSecure Multi-Boot";
case 113:
return "Reserved";
case 114:
return "V7/x86";
case 115:
return "Reserved";
case 116:
return "Reserved, Scramdisk partition";
case 117:
return "IBM PC/IX";
case 118:
return "Reserved";
case 119:
return "M2FS/M2CS partition, VNDI Partition";
case 120:
return "XOSL FS";
case 126:
return "Unused";
case 127:
return "Unused";
case 128:
return "MINIX until 1.4a";
case 129:
return "MINIX since 1.4b, early Linux, Mitac disk manager";
case 130:
return "Prime, Solaris x86, Linux swap";
case 131:
return "Linux native partition";
case 132:
return "OS/2 hidden C: drive, Hibernation partition";
case 133:
return "Linux extended partition";
case 134:
return "Old Linux RAID partition superblock, FAT16 volume set";
case 135:
return "NTFS volume set";
case 136:
return "Linux plaintext partition table";
case 138:
return "Linux Kernel Partition (used by AiR-BOOT)";
case 139:
return "Legacy Fault Tolerant FAT32 volume";
case 140:
return "Legacy Fault Tolerant FAT32 volume using BIOS extd INT 13h";
case 141:
return "Free FDISK 0.96+ hidden Primary DOS FAT12 partitition";
case 142:
return "Linux Logical Volume Manager partition";
case 144:
return "Free FDISK 0.96+ hidden Primary DOS FAT16 partitition";
case 145:
return "Free FDISK 0.96+ hidden DOS extended partitition";
case 146:
return "Free FDISK 0.96+ hidden Primary DOS large FAT16 partitition";
case 147:
return "Hidden Linux native partition, Amoeba";
case 148:
return "Amoeba bad block table";
case 149:
return "MIT EXOPC native partitions";
case 150:
return "CHRP ISO-9660 filesystem";
case 151:
return "Free FDISK 0.96+ hidden Primary DOS FAT32 partitition";
case 152:
return "Free FDISK 0.96+ hidden Primary DOS FAT32 partitition (LBA), Datalight ROM-DOS Super-Boot Partition";
case 153:
return "DCE376 logical drive";
case 154:
return "Free FDISK 0.96+ hidden Primary DOS FAT16 partitition (LBA)";
case 155:
return "Free FDISK 0.96+ hidden DOS extended partitition (LBA)";
case 158:
return "ForthOS partition";
case 159:
return "BSD/OS";
case 160:
return "Laptop hibernation partition";
case 161:
return "Laptop hibernation partition, HP Volume Expansion (SpeedStor variant)";
case 163:
return "HP Volume Expansion (SpeedStor variant)";
case 164:
return "HP Volume Expansion (SpeedStor variant)";
case 165:
return "BSD/386, 386BSD, NetBSD, FreeBSD";
case 166:
return "OpenBSD, HP Volume Expansion (SpeedStor variant)";
case 167:
return "NeXTStep";
case 168:
return "Mac OS-X";
case 169:
return "NetBSD";
case 170:
return "Olivetti Fat 12 1.44MB Service Partition";
case 171:
return "Mac OS-X Boot partition, GO! partition";
case 173:
return "RISC OS ADFS";
case 174:
return "ShagOS filesystem";
case 175:
return "ShagOS swap partition, MacOS X HFS";
case 176:
return "BootStar Dummy";
case 177:
return "HP Volume Expansion (SpeedStor variant), QNX Neutrino Power-Safe filesystem";
case 178:
return "QNX Neutrino Power-Safe filesystem";
case 179:
return "HP Volume Expansion (SpeedStor variant), QNX Neutrino Power-Safe filesystem";
case 180:
return "HP Volume Expansion (SpeedStor variant)";
case 182:
return "HP Volume Expansion (SpeedStor variant), Corrupted Windows NT mirror set (master), FAT16 file system";
case 183:
return "Corrupted Windows NT mirror set (master), NTFS file system, BSDI BSD/386 filesystem";
case 184:
return "BSDI BSD/386 swap partition";
case 187:
return "Boot Wizard hidden";
case 188:
return "Acronis backup partition";
case 189:
return "BonnyDOS/286";
case 190:
return "Solaris 8 boot partition";
case 191:
return "New Solaris x86 partition";
case 192:
return "CTOS, REAL/32 secure small partition, NTFT Partition, DR-DOS/Novell DOS secured partition";
case 193:
return "DRDOS/secured (FAT-12)";
case 194:
return "Unused, Hidden Linux";
case 195:
return "Hidden Linux swap";
case 196:
return "DRDOS/secured (FAT-16, &lt; 32M)";
case 197:
return "DRDOS/secured (extended)";
case 198:
return "DRDOS/secured (FAT-16, &gt;= 32M), Windows NT corrupted FAT16 volume/stripe set";
case 199:
return "Windows NT corrupted NTFS volume/stripe set, Syrinx boot";
case 200:
return "Reserved for DR-DOS 8.0+";
case 201:
return "Reserved for DR-DOS 8.0+";
case 202:
return "Reserved for DR-DOS 8.0+";
case 203:
return "DR-DOS 7.04+ secured FAT32 (CHS)/";
case 204:
return "DR-DOS 7.04+ secured FAT32 (LBA)/";
case 205:
return "CTOS Memdump? ";
case 206:
return "DR-DOS 7.04+ FAT16X (LBA)/";
case 207:
return "DR-DOS 7.04+ secured EXT DOS (LBA)/";
case 208:
return "REAL/32 secure big partition, Multiuser DOS secured partition";
case 209:
return "Old Multiuser DOS secured FAT12";
case 212:
return "Old Multiuser DOS secured FAT16 &lt;32M";
case 213:
return "Old Multiuser DOS secured extended partition";
case 214:
return "Old Multiuser DOS secured FAT16 &gt;=32M";
case 216:
return "CP/M-86";
case 218:
return "Non-FS Data, Powercopy Backup";
case 219:
return "Digital Research CP/M, Concurrent CP/M, Concurrent DOS, CTOS (Convergent Technologies OS -Unisys), KDG Telemetry SCPU boot";
case 221:
return "Hidden CTOS Memdump? ";
case 222:
return "Dell PowerEdge Server utilities (FAT fs)";
case 223:
return "DG/UX virtual disk manager partition, BootIt EMBRM";
case 225:
return "DOS access or SpeedStor 12-bit FAT extended partition";
case 227:
return "DOS R/O or SpeedStor";
case 228:
return "SpeedStor 16-bit FAT extended partition &lt; 1024 cyl.";
case 230:
return "Storage Dimensions SpeedStor";
case 232:
return "LUKS";
case 234:
return "Rufus extra partition, Freedesktop boot";
case 235:
return "BeOS BFS";
case 236:
return "SkyOS SkyFS";
case 237:
return "Unused";
case 238:
return "Indication that this legacy MBR is followed by an EFI header";
case 239:
return "Partition that contains an EFI file system";
case 240:
return "Linux/PA-RISC boot loader";
case 241:
return "Storage Dimensions SpeedStor";
case 242:
return "DOS 3.3+ secondary partition";
case 243:
return "Reserved";
case 244:
return "SpeedStor large partition, Prologue single-volume partition";
case 245:
return "Prologue multi-volume partition";
case 246:
return "Storage Dimensions SpeedStor";
case 247:
return "DDRdrive Solid State File System";
case 249:
return "pCache";
case 250:
return "Bochs";
case 251:
return "VMware File System partition";
case 252:
return "VMware Swap partition";
case 253:
return "Linux raid partition with autodetect using persistent superblock";
case 254:
return "SpeedStor &gt; 1024 cyl., LANstep, Windows NT Disk Administrator hidden partition, Linux Logical Volume Manager partition (old)";
case 255:
return "Xenix Bad Block Table";
default:
return "Unknown partition type";
}
}
typedef struct fdisk_partition {
unsigned char bootid <comment=BootID>; /* bootable? 0=no, 128=yes */
unsigned short beghead : 8; /* beginning head number */
unsigned short begsect : 6; /* beginning sector number */
unsigned short begcyl : 10; /* 10 bit nmbr */
unsigned char systid <comment=PartitionID>; /* Operating System type indicator code */
unsigned short endhead : 8; /* ending head number */
unsigned short endsect : 6; /* ending sector number */
unsigned short endcyl : 10; /* also a 10 bit nmbr */
unsigned int relsect; /* first sector relative to start of disk */
unsigned int numsect; /* number of sectors in partition */
};
typedef struct master_boot_record {
char bootinst[446]; /* space to hold actual boot code */
fdisk_partition partitions[4];
ushort signature; /* set to 0xAA55 to indicate PC MBR format */
};
LittleEndian();
FSeek(0);
master_boot_record MBR;

887
cparser/MBRTemplateFAT.bt Normal file
View File

@ -0,0 +1,887 @@
//----------------------------------------
//--- 010 Editor v4.0 Binary Template
//
// File: MBR_FAT16_FAT32_NTFS.bt
// Author: Benjamin Vernoux (bvernoux@gmail.com)
// Revision: 0.1 Beta 14 January 2013
// Purpose: Defines a template for
// FAT16 or FAT32 drive with support of MBR
//----------------------------------------
LittleEndian();
typedef char BOOL;
typedef char BYTE;
typedef unsigned char UBYTE;
typedef short SHORT;
typedef unsigned short USHORT;
typedef long LONG;
typedef unsigned long ULONG;
// Global Shared Variable
local quad DataAreaSector;
local quad DataAreaFilePos;
local quad CurrentPosSector;
local unsigned char SizeOfEach_ClusterEntry_InBytes;
//##############################
// MBR
//##############################
// Partition Types
typedef enum <uchar> tagSYSTEMID
{
EMPTY = 0,
FAT_12 = 1,
XENIX_ROOT = 2,
XENIX_USR = 3,
FAT_16_INF32MB = 4,
EXTENDED = 5,
FAT_16 = 6,
NTFS_HPFS = 7,
AIX = 8,
AIX_BOOT = 9,
OS2_BOOT_MGR = 10,
PRI_FAT32_INT13 = 11,
EXT_FAT32_INT13 = 12,
EXT_FAT16_INT13 = 14,
WIN95_EXT = 15,
OPUS = 16,
FAT_12_HIDDEN = 17,
COMPAQ_DIAG = 18,
FAT_16_HIDDEN_INF32MB = 20,
FAT_16_HIDDEN = 22,
NTFS_HPFS_HIDDEN = 23,
VENIX = 64,
NOVEL0 = 81,
MICROPORT = 82,
GNU_HURD = 99,
NOVEL1 = 100,
PC_IX = 117,
MINUX_OLD = 128,
MINUX_LINUX = 129,
LINUX_SWAP = 130,
LINUX_NATIVE = 131,
AMOEBA = 147,
AMOEBA_BBT = 148,
BSD_386 = 165,
BSDI_FS = 183,
BSDI_SWAP = 184,
SYRINX = 199,
CP_M = 219,
ACCESS_DOS = 225,
DOS_R_O = 227,
DOS_SECONDARY = 242,
BBT = 255
} SYSTEMID;
// Boot Indicator Values
typedef enum <uchar> tagBOOTINDICATOR
{
NOBOOT = 0,
SYSTEM_PARTITION = 128,
} BOOTINDICATOR;
// Partition Entry
typedef struct PART_ENTRY
{
BOOTINDICATOR BootIndicator;
UBYTE StartingHead;
WORD StartingSectCylinder; // Need Bit fields
SYSTEMID SystemID;
UBYTE EndingHead;
WORD EndingSectCylinder; // Need Bit fields
DWORD RelativeSector;
DWORD TotalSectors;
} PART_ENTRY;
// MBR
struct MASTER_BOOT_RECORD
{
UBYTE BootCode[446];
PART_ENTRY partitions[4];
WORD EndOfSectorMarker <format=hex>;
};
//##############################
// FAT16 Boot Sector
//##############################
struct BOOTSECTOR_FAT16
{
UBYTE jmp[3];
CHAR OemName[8];
typedef struct BPB_FAT16
{
USHORT BytesPerSector;
UBYTE SectorsPerCluster;
USHORT ReservedSectors;
UBYTE NumberOfCopiesOfFats;
USHORT MaxRootDirEntries;
USHORT NumberOfSectors;
UBYTE MediaDescriptor;
USHORT SectorsPerFAT;
USHORT SectorsPerTrack;
USHORT NumHeadsPerCylinder;
ULONG NumHiddenSectors;
ULONG NumSectorInPartition;
};
BPB_FAT16 bpb_fat16;
USHORT LogicDriveNumber;
UBYTE extBootSignature <format=hex>;
ULONG SerialNumber;
CHAR VolumeLabel[11];
CHAR FileSystem[8];
UBYTE ExecutableCode[448];
WORD EndOfSectorMarker <format=hex>;
};
//##############################
// FAT16 FAT Table
//##############################
typedef enum <ushort> tagMEDIATYPE
{
HARD_DISK = 0xfff8,
FLOPPY_DISK = 0xfff0
} MEDIATYPE;
typedef enum <ushort> tagPARTITIONSTATE
{
PARTITION_NOT_IN_USE = 0xffff,
PARTITION_IN_USE = 0xfff7
} PARTITIONSTATE;
typedef enum <ushort> tagCLUSTERINFO
{
FREE_CLUSTER = 0x0000,
RESERVED_0001 = 0x0001,
RESERVED_FFF0 = 0xFFF0,
RESERVED_FFF1 = 0xFFF1,
RESERVED_FFF2 = 0xFFF2,
RESERVED_FFF3 = 0xFFF3,
RESERVED_FFF4 = 0xFFF4,
RESERVED_FFF5 = 0xFFF5,
RESERVED_FFF6 = 0xFFF6,
BAD_CLUSTER = 0xFFF7,
USED_LAST_CLUSTER_FFF8 = 0xFFF8,
USED_LAST_CLUSTER_FFF9 = 0xFFF9,
USED_LAST_CLUSTER_FFFA = 0xFFFA,
USED_LAST_CLUSTER_FFFB = 0xFFFB,
USED_LAST_CLUSTER_FFFC = 0xFFFC,
USED_LAST_CLUSTER_FFFD = 0xFFFD,
USED_LAST_CLUSTER_FFFE = 0xFFFE,
USED_LAST_CLUSTER_FFFF = 0xFFFF
} CLUSTERINFO;
void FAT16_FAT_Table(quad FilePosStartFatTable,quad SizeOfFatTableInSectors, UBYTE NumberOfCopiesOfFats)
{
SizeOfEach_ClusterEntry_InBytes=2;
FSeek(FilePosStartFatTable);
if(NumberOfCopiesOfFats==1)
{
MEDIATYPE FAT16_MediaType;
PARTITIONSTATE FAT16_PartitionState;
CLUSTERINFO FAT16_Cluster[ (((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes) ];
}else if(NumberOfCopiesOfFats==2)
{
MEDIATYPE FAT16_MediaType_FAT1;
PARTITIONSTATE FAT16_PartitionState_FAT1;
CLUSTERINFO FAT16_Cluster_FAT1[ ((((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes)/NumberOfCopiesOfFats)-1 ];
MEDIATYPE FAT16_MediaType_FAT2;
PARTITIONSTATE FAT16_PartitionState_FAT2;
CLUSTERINFO FAT16_Cluster_FAT2[ ((((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes)/NumberOfCopiesOfFats)-1 ];
}
}
//##############################
// FAT16 Directory Entry
//##############################
typedef enum <uchar> tagAttribute
{
NoneOrFile = 0,
ReadOnly = 1, // bit0
Hidden = 2, // bit1
ReadOnlyHidden = 3,
System = 4, // bit2
ReadOnlySystem = 5,
HiddenSystem0 = 6,
ReadOnlyHiddenSystem= 7,
VolumeID = 8, // bit3
ReadOnlyVolume = 9,
HiddenSystem1 = 10,
ReadOnlySystemVolume0 = 11,
SystemVolume = 12,
ReadOnlySystemVolume1 = 13,
HiddenSystemVolume = 14,
LFN_Entry = 15,
Directory = 16, // bit4
Archive = 32, // bit5
ArchiveReadOnly = 33,
ArchiveHidden = 34
}ATTR;
typedef struct tagTime
{
USHORT Sec : 5; // bit0-4 need to be multiplied by 2
USHORT Min : 6; // bit5-10
USHORT Hour : 5; // bit11-15
}tTIME;
typedef struct tagDate
{
USHORT Day : 5; // bit0-4
USHORT Month : 4; // bit5-8
USHORT YearSince1980 : 7; // bit9-15
}tDATE;
typedef struct ShortEntry // Normal-Short structure
{
CHAR Name[8]; // Blank-padded name
CHAR Extension[3]; //Blank-padded extension
ATTR Attribute; // See tagAttribute enum only 5 valid bit (from 0 to 4)
UBYTE Reserved;
UBYTE CreateTime10ms; //10-ms units "Create Time" refinement
tTIME CreateTime;
tDATE CreateDate;
tDATE AccessDate;
USHORT HCluster; // Used on FAT32 only
tTIME UpdateTime;
tDATE UpdateDate;
USHORT Cluster;
ULONG FileSizeInBytes; //File size in bytes (always zero for directories).
} SHORTENTRY <read=Read_SHORT_DIR_ENTRY>;
unsigned char FAT16_Attribute(ATTR Attribute, string &stmp)
{
unsigned char volume=0;
switch(Attribute)
{
case NoneOrFile:
stmp="NoneOrFile";
break;
case ReadOnly:
stmp="ReadOnly";
break;
case Hidden:
stmp="Hidden";
break;
case ReadOnlyHidden:
stmp="ReadOnlyHidden";
break;
case System:
stmp="System";
volume=1;
break;
case ReadOnlySystem:
stmp="ReadOnlySystem";
volume=1;
break;
case HiddenSystem0:
stmp="HiddenSystem0";
volume=1;
break;
case ReadOnlyHiddenSystem:
stmp="ReadOnlyHiddenSystem";
volume=1;
break;
case VolumeID:
stmp="VolumeID";
volume=1;
break;
case ReadOnlyVolume:
stmp="ReadOnlyVolume";
volume=1;
break;
case HiddenSystem1:
stmp="HiddenSystem1";
break;
case ReadOnlySystemVolume0:
stmp="ReadOnlySystemVolume0";
break;
case SystemVolume:
stmp="SystemVolume";
volume=1;
break;
case ReadOnlySystemVolume1:
stmp="ReadOnlySystemVolume1";
volume=1;
break;
case HiddenSystemVolume:
stmp="HiddenSystemVolume";
volume=1;
break;
case LFN_Entry:
stmp="LFN_Entry";
break;
case Directory:
stmp="Directory";
volume=1;
break;
case Archive:
stmp="Archive";
break;
case ArchiveReadOnly:
stmp="ArchiveReadOnly";
break;
case ArchiveHidden:
stmp="ArchiveHidden";
break;
default:
stmp="Unknown";
volume=1;
break;
}
return volume;
}
string Read_SHORT_DIR_ENTRY( SHORTENTRY &f )
{
string s;
string stmp;
unsigned char volume=0;
s="";
if(f.Name[0]==0)
{
return "Last Dir Entry Empty";
}
// Short Entry
volume=FAT16_Attribute(f.Attribute, stmp);
s+=stmp;
if(volume)
{
SPrintf(stmp, "=%08s%03s",f.Name,f.Extension);
s+=stmp;
}else
{
SPrintf(stmp, "=%08s.%03s",f.Name,f.Extension);
s+=stmp;
}
return s;
}
typedef struct tagLFN_RecordSeqNum
{
UBYTE LFN_RecSeqNum : 6; // bit0-5 LFN sequence number (1..63)
UBYTE Last_LFN_record : 1; // bit6 Last LFN record in the sequence
UBYTE LFN_Erased : 1; // bit7 LFN record is an erased long name entry or maybe if it is part of an erased long name?
}tLFN_RecordSeqNum;
local string sconv;
local unsigned short iconv;
string Conv_UnicodeToASCII(char data[], unsigned short totalsize_inbyte)
{
sconv="";
for(iconv=0;iconv<totalsize_inbyte;iconv+=2)
{
if( data[iconv]!=-1 )
{
sconv+=data[iconv];
}
}
return sconv;
}
local string s_longentry;
typedef struct LongEntry // Long File Name (LFN) Entry Format
{
//############
// Structure
//############
typedef struct internalLongEntry
{
typedef union ulfn
{
tLFN_RecordSeqNum LFN_RecordSeqNum; // LFN Record Sequence Number
unsigned char char0;
}ULFN;
ULFN LFN;
char UnicodeChar1[10]; //5 UNICODE characters, LFN first part.
ATTR Attribute; // This field contains the special value of 0Fh, which indicates an LFN entry.
UBYTE Reserved;
UBYTE ChkShortName; // Checksum of short name entry, used to validate that the LFN entry belongs to the short name entry following. According to Ralf Brown's interrupt list, the checksum is computed by adding up all the short name characters and rotating the intermediate value right by one bit position before adding each character.
char UnicodeChar2[12]; //6 UNICODE characters, LFN 2nd part.
USHORT Cluster; //Initial cluster number, which is always zero for LFN entries.
char UnicodeChar3[4]; //2 UNICODE characters, LFN 3rd part.
}ILONGENTRY;
local unsigned char NumberOfLFNEntry;
local unsigned char dirname0;
dirname0=ReadByte(FTell());
if( !(dirname0==0x00) )
{
if( dirname0==0xE5 ) // Empty/Erased
{
for(i=0;i<63;i++)
{
dirname0=ReadByte(FTell());
if( !(dirname0==0xE5) ) // Check still Empty/Erased ?
break;
if(ReadByte(FTell()+11)!=0x0f) // Check is still LFN ?
break;
ILONGENTRY long_entry;
}
}else
{
ILONGENTRY long_entry;
NumberOfLFNEntry=long_entry.LFN.LFN_RecordSeqNum.LFN_RecSeqNum-1;
for(i=0;i<NumberOfLFNEntry;i++)
{
ILONGENTRY long_entry;
}
}
}
}LONGENTRY <read=Read_LONG_DIR_ENTRY>;
string Read_LONG_DIR_ENTRY( LONGENTRY &f )
{
local unsigned short i;
local unsigned short NumberOfLFNEntry;
local string str;
str="";
if(f.long_entry[0].LFN.LFN_RecordSeqNum.LFN_Erased==1)
{
// Entry deleted
str+="Erased name:";
// Count number of erased entry
for(i=0;i<63;i++)
{
if(exists(f.long_entry[i].LFN.char0))
{
if(f.long_entry[i].LFN.char0!=0xE5)
{
break;
}
}else
{
break;
}
}
NumberOfLFNEntry=i-1;
}else
{
// Long Entry
str+="Name:";
NumberOfLFNEntry=f.long_entry[0].LFN.LFN_RecordSeqNum.LFN_RecSeqNum-1;
}
for(i=NumberOfLFNEntry;i>0;i--)
{
str+=Conv_UnicodeToASCII(f.long_entry[i].UnicodeChar1,10);
str+=Conv_UnicodeToASCII(f.long_entry[i].UnicodeChar2,12);
str+=Conv_UnicodeToASCII(f.long_entry[i].UnicodeChar3,4);
}
str+=Conv_UnicodeToASCII(f.long_entry[0].UnicodeChar1,10);
str+=Conv_UnicodeToASCII(f.long_entry[0].UnicodeChar2,12);
str+=Conv_UnicodeToASCII(f.long_entry[0].UnicodeChar3,4);
return str;
}
/*
typedef union FAT16_DirEntry
{
struct ShortEntry shortEntry;
struct LongEntry longEntry;
};
*/
/*
void FAT16_DIR_ENTRYWrite( FAT16_DIR_ENTRY &f, string s )
{
SScanf( s, "%d-%d-%d %d:%d:%d", f[0], f[1], f[2], f[3], f[4], f[5] );
}
*/
void FAT16_Directory_Entry(quad FilePosStartDirectoryEntry)
{
FSeek(FilePosStartDirectoryEntry);
i=0;
while(1)
{
if(ReadByte(FTell()+11)==0x0f) // LFN Entry
{
LONGENTRY fat16_long_direntry;
}else
{
SHORTENTRY fat16_short_direntry;
if(fat16_short_direntry.Name[0]==0 && fat16_short_direntry.Name[1]==0) // End of Directory Entry
{
break;
}
}
}
}
//##############################
// FAT32 Boot Sector
//##############################
struct BOOTSECTOR_FAT32
{
BYTE jmp[3];
CHAR OemName[8];
typedef struct BPB_FAT32
{
WORD BytesPerSector;
BYTE SectorsPerCluster;
WORD ReservedSectors;
BYTE NumberOfFATs;
WORD RootEntries;
WORD TotalSectors;
BYTE Media;
WORD SectorsPerFAT;
WORD SectorsPerTrack;
WORD HeadsPerCylinder;
DWORD HiddenSectors;
DWORD TotalSectorsBig;
DWORD SectorsPerFAT;
WORD Flags;
WORD Version;
DWORD RootCluster;
WORD InfoSector;
WORD BootBackupStart;
BYTE Reserved[12];
};
BPB_FAT32 bpb_fat32;
BYTE DriveNumber;
BYTE Unused;
BYTE ExtBootSignature <format=hex>;
DWORD SerialNumber;
CHAR VolumeLabel[11];
CHAR FileSystem[8];
CHAR BootCode[420];
WORD EndOfSectorMarker <format=hex>;
};
//##############################
// FAT32 FAT Table
//##############################
// Warning on FAT32 only 28bit contain value
// 4 high bit (MSB) are reserved for future use.
// It is why following FAT32 enum could be wrong if 4 high bit reserved are different from 0x0 or 0xf
typedef enum <ulong> tagMEDIATYPE_FAT32
{
HARD_DISK_FAT32 = 0x0ffffff8,
FLOPPY_DISK_FAT32 = 0x0ffffff0
} MEDIATYPE_FAT32;
typedef enum <ulong> tagPARTITIONSTATE_FAT32
{
PARTITION_NOT_IN_USE_FAT32 = 0xffffffff,
PARTITION_IN_USE_FAT32 = 0xfffffff7
} PARTITIONSTATE_FAT32;
typedef enum <ulong> tagCLUSTERINFO_FAT32
{
FREE_CLUSTER_FAT32 = 0x00000000,
RESERVED_0001_FAT32 = 0x00000001,
RESERVED_FFF0_FAT32 = 0x0FFFFFF0,
RESERVED_FFF1_FAT32 = 0x0FFFFFF1,
RESERVED_FFF2_FAT32 = 0x0FFFFFF2,
RESERVED_FFF3_FAT32 = 0x0FFFFFF3,
RESERVED_FFF4_FAT32 = 0x0FFFFFF4,
RESERVED_FFF5_FAT32 = 0x0FFFFFF5,
RESERVED_FFF6_FAT32 = 0x0FFFFFF6,
BAD_CLUSTER_FAT32 = 0x0FFFFFF7,
USED_LAST_CLUSTER_FFF8_FAT32 = 0x0FFFFFF8,
USED_LAST_CLUSTER_FFF9_FAT32 = 0x0FFFFFF9,
USED_LAST_CLUSTER_FFFA_FAT32 = 0x0FFFFFFA,
USED_LAST_CLUSTER_FFFB_FAT32 = 0x0FFFFFFB,
USED_LAST_CLUSTER_FFFC_FAT32 = 0x0FFFFFFC,
USED_LAST_CLUSTER_FFFD_FAT32 = 0x0FFFFFFD,
USED_LAST_CLUSTER_FFFE_FAT32 = 0x0FFFFFFE,
USED_LAST_CLUSTER_FFFF_FAT32 = 0x0FFFFFFF
} CLUSTERINFO_FAT32;
void FAT32_FAT_Table(quad FilePosStartFatTable,quad SizeOfFatTableInSectors, UBYTE NumberOfCopiesOfFats)
{
local unsigned char SizeOfEach_ClusterEntry_InBytes;
SizeOfEach_ClusterEntry_InBytes=4;
FSeek(FilePosStartFatTable);
if(NumberOfCopiesOfFats==1)
{
MEDIATYPE_FAT32 FAT32_MediaType;
PARTITIONSTATE_FAT32 FAT32_PartitionState;
CLUSTERINFO_FAT32 FAT32_Cluster[ (((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes) ];
}else if(NumberOfCopiesOfFats==2)
{
MEDIATYPE_FAT32 FAT32_MediaType_FAT1;
PARTITIONSTATE_FAT32 FAT32_PartitionState_FAT1;
CLUSTERINFO_FAT32 FAT32_Cluster_FAT1[ ((((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes)/NumberOfCopiesOfFats)-0 ];
MEDIATYPE_FAT32 FAT32_MediaType_FAT2;
PARTITIONSTATE_FAT32 FAT32_PartitionState_FAT2;
CLUSTERINFO_FAT32 FAT32_Cluster_FAT2[ ((((SizeOfFatTableInSectors*512)/SizeOfEach_ClusterEntry_InBytes)-SizeOfEach_ClusterEntry_InBytes)/NumberOfCopiesOfFats)-0 ];
}
}
void FAT32_Directory_Entry(quad FilePosStartDirectoryEntry)
{
FSeek(FilePosStartDirectoryEntry);
i=0;
while(1)
{
if(ReadByte(FTell()+11)==0x0f) // LFN Entry
{
LONGENTRY fat32_long_direntry;
}else
{
SHORTENTRY fat32_short_direntry;
if(fat32_short_direntry.Name[0]==0 && fat32_short_direntry.Name[1]==0) // End of Directory Entry
{
break;
}
}
}
}
//##############################
// NTFS Boot Sector
//##############################
struct BOOTSECTOR_NTFS
{
BYTE jmp[3]; // Jump Instruction
CHAR OEMName[8]; // OEM Identifier
typedef struct BPB_NTFS
{
WORD BytesPerSector;
BYTE SectorsPerCluster;
WORD ReservedSectors;
BYTE Zero[3];
WORD NotUsed;
BYTE MediaDescriptor;
WORD Zero;
WORD SectorsPerTrack;
WORD HeadsPerCylinder;
DWORD HiddenSectors;
DWORD NotUsed;
DWORD NotUsed;
UQUAD TotalSectors;
UQUAD LogicalClusterMFT;
UQUAD LogicalClusterMFTMiror;
DWORD ClustersPerFileRecSegment;
DWORD ClustersPerIndexBlock;
UQUAD SerialNumber;
DWORD Checksum;
};
BPB_NTFS bpb_ntfs;
BYTE BootCode[426];
WORD EndOfSectorMarker <format=hex>;
};
typedef union boot
{
struct MASTER_BOOT_RECORD mbr;
struct BOOTSECTOR_FAT16 boot_fat16;
struct BOOTSECTOR_FAT32 boot_fat32;
struct BOOTSECTOR_NTFS boot_ntfs;
};
void FAT16CheckInit(SYSTEMID SystemID)
{
if( SystemID==FAT_16_INF32MB ||
SystemID==FAT_16 ||
SystemID==EXT_FAT16_INT13
)
{
CurrentPosSector=FTell()/512;
BOOTSECTOR_FAT16 detected_fat16;
FATTableSector=CurrentPosSector+detected_fat16.bpb_fat16.ReservedSectors;
RootDirEntrySector=CurrentPosSector+detected_fat16.bpb_fat16.ReservedSectors+
(detected_fat16.bpb_fat16.SectorsPerFAT*2);
RootDirEntryFilePos=RootDirEntrySector*512;
FATTableFilePos=FATTableSector*512;
FATTableSizeInSectors=RootDirEntrySector-FATTableSector;
// FAT16 FAT Table
FAT16_FAT_Table(FATTableFilePos,FATTableSizeInSectors,detected_fat16.bpb_fat16.NumberOfCopiesOfFats);
// FAT16 Directory Entry
FAT16_Directory_Entry(RootDirEntryFilePos);
DataAreaSector=CurrentPosSector+detected_fat16.bpb_fat16.ReservedSectors+
(detected_fat16.bpb_fat16.SectorsPerFAT*2)+
((detected_fat16.bpb_fat16.MaxRootDirEntries*32)/detected_fat16.bpb_fat16.BytesPerSector);
DataAreaFilePos=DataAreaSector*512;
//FSeek(DataAreaSector*512);
//unsigned char DataArea[4096];
}
}
void FAT32CheckInit(SYSTEMID SystemID)
{
if( SystemID==PRI_FAT32_INT13 ||
SystemID==EXT_FAT32_INT13
)
{
CurrentPosSector=FTell()/512;
struct BOOTSECTOR_FAT32 detected_fat32;
FATTableSector=CurrentPosSector+detected_fat32.bpb_fat32.ReservedSectors;
RootDirEntrySector=CurrentPosSector+detected_fat32.bpb_fat32.ReservedSectors+
(detected_fat32.bpb_fat32.SectorsPerFAT*2);
RootDirEntryFilePos=RootDirEntrySector*512;
FATTableFilePos=FATTableSector*512;
FATTableSizeInSectors=RootDirEntrySector-FATTableSector;
// FAT32 FAT Table
FAT32_FAT_Table(FATTableFilePos,FATTableSizeInSectors,detected_fat32.bpb_fat32.NumberOfFATs);
// FAT32 Directory Entry
FAT32_Directory_Entry(RootDirEntryFilePos);
}
}
//######################################
// Check if it's a drive access on FAT
//######################################
typedef struct _FATStruct
{
local unsigned short mbr_boot_ok=0;
local quad FATTableSector;
local quad FATTableFilePos;
local quad FATTableSizeInSectors;
local quad RootDirEntrySector;
local quad RootDirEntryFilePos;
// Check EndOfSectorMarker (present on MBR/FAT16/FAT32/NTFS
if(ReadUShort(510)==0xAA55)
{
boot boot_sect;
local unsigned short i;
// Check if MBR (check BootIndicator)
for(i=0;i<4;i++)
{
if( (boot_sect.mbr.partitions[i].BootIndicator==SYSTEM_PARTITION ||
boot_sect.mbr.partitions[i].BootIndicator==NOBOOT) &&
boot_sect.mbr.partitions[i].SystemID!=EMPTY
)
{
if(mbr_boot_ok==0)
{
FSeek(0);
MASTER_BOOT_RECORD detected_mbr;
mbr_boot_ok=1;
}
// Jump to Partition
FSeek(boot_sect.mbr.partitions[i].RelativeSector*512);
// Check type of filesystem and add it if found
FAT16CheckInit(boot_sect.mbr.partitions[i].SystemID);
FAT32CheckInit(boot_sect.mbr.partitions[i].SystemID);
}
}
// Check if FAT16
if(boot_sect.boot_fat16.FileSystem=="FAT16 ")
{
FSeek(0);
BOOTSECTOR_FAT16 detected_fat16;
FATTableSector=0+detected_fat16.bpb_fat16.ReservedSectors;
RootDirEntrySector=0+detected_fat16.bpb_fat16.ReservedSectors+
(detected_fat16.bpb_fat16.SectorsPerFAT*2);
RootDirEntryFilePos=RootDirEntrySector*512;
FATTableFilePos=FATTableSector*512;
FATTableSizeInSectors=RootDirEntrySector-FATTableSector;
// FAT16 FAT Table
FAT16_FAT_Table(FATTableFilePos,FATTableSizeInSectors,detected_fat16.bpb_fat16.NumberOfCopiesOfFats);
// FAT16 Directory Entry
FAT16_Directory_Entry(RootDirEntryFilePos);
DataAreaSector=0+detected_fat16.bpb_fat16.ReservedSectors+
(detected_fat16.bpb_fat16.SectorsPerFAT*2)+
((detected_fat16.bpb_fat16.MaxRootDirEntries*32)/detected_fat16.bpb_fat16.BytesPerSector);
DataAreaFilePos=DataAreaSector*512;
//FSeek(DataAreaSector*512);
//unsigned char DataArea[4096];
}
// Check if FAT32
if(boot_sect.boot_fat32.FileSystem=="FAT32 ")
{
FSeek(0);
struct BOOTSECTOR_FAT32 detected_fat32;
FATTableSector=0+detected_fat32.bpb_fat32.ReservedSectors;
RootDirEntrySector=0+detected_fat32.bpb_fat32.ReservedSectors+
(detected_fat32.bpb_fat32.SectorsPerFAT*2);
RootDirEntryFilePos=RootDirEntrySector*512;
FATTableFilePos=FATTableSector*512;
FATTableSizeInSectors=RootDirEntrySector-FATTableSector;
// FAT32 FAT Table
FAT32_FAT_Table(FATTableFilePos,FATTableSizeInSectors,detected_fat32.bpb_fat32.NumberOfFATs);
// FAT32 Directory Entry
FAT32_Directory_Entry(RootDirEntryFilePos);
}
// Check if NTFS
//FSeek(0);
//struct BOOTSECTOR_NTFS detected_ntfs;
}else
{
/*
Warning( "File/Disk is not a valid MBR/FAT16/FAT32/NTFS (wrong BootIndicator). Template stopped." );
return -1;
*/
}
}MBR_FAT;
MBR_FAT mbr_fat;
// Shared DataAreaSector && DataAreaFilePos

309
cparser/MFTRecord.bt Normal file
View File

@ -0,0 +1,309 @@
//--------------------------------------
//--- 010 Editor v6.0.3 Binary Template
//
// File: MFTRecord.bt
// Author: Andrea Barberio <insomniac@slackware.it>
// Revision: 1
// Purpose: Parsing of MFT records in NTFS file systems
//--------------------------------------
string getMFTNameFromRecurdNumber(UINT32 record_number) {
// Return the name of well-known record numbers
switch (record_number) {
case 0:
return "$MFT";
case 1:
return "$MFTMirr";
case 2:
return "$LogFile";
case 3:
return "$Volume";
case 4:
return "$AttrDef";
case 5:
return "$. (root dir)";
case 6:
return "$Bitmap";
case 7:
return "$Boot";
case 8:
return "$BadClus";
case 9:
return "$Secure";
case 10:
return "$UpCase";
case 11:
return "$Extend";
default:
return "";
}
}
string GetMFTRecordComment(struct MFTRecord &record) {
string ret;
SPrintf(ret, "Record # %u %s (%s)",
record.mftheader.mft_rec_number,
getMFTNameFromRecurdNumber(record.mftheader.mft_rec_number),
HeaderFlagsToString(record.mftheader.flags)
);
return ret;
}
wstring GetMFTNameFromAttribute(struct Attributes &attrs) {
// TODO handle differences between NT and 2k fields
switch (attrs.attribute.fixed_header.type) {
case STANDARD_INFORMATION:
return "$STANDARD_INFORMATION";
case ATTRIBUTE_LIST:
return "$ATTRIBUTE_LIST";
case FILE_NAME:
string ret;
SPrintf(ret, "$FILE_NAME (%s)",
attrs.attribute.resident_attribute_content.file_name);
return ret;
case OBJECT_ID:
return "$OBJECT_ID";
case SECURITY_DESCRIPTOR:
return "$SECURITY_DESCRIPTOR";
case VOLUME_NAME:
return "$VOLUME_NAME";
case VOLUME_INFORMATION:
return "$VOLUME_INFORMATION";
case DATA:
string ret;
if (attrs.attribute.fixed_header.non_res_flag)
return "$DATA (Non resident)";
else
return "$DATA (Resident)";
case INDEX_ROOT:
return "$INDEX_ROOT";
case INDEX_ALLOCATION:
return "$INDEX_ALLOCATION";
case BITMAP:
string ret;
SPrintf(ret,
"$BITMAP (map of bits telling for each record if they are in use or not)");
return ret;
case REPARSE_POINT:
return "$REPARSE_POINT";
case EA_INFORMATION:
return "$EA_INFORMATION";
case EA:
return "$EA";
case LOGGED_UTILITY_STREAM:
return "$LOGGED_UTILITY_STREAM";
default:
return "";
}
}
string HeaderFlagsToString(UINT16 flags) {
string ret;
if (flags & 0x02)
Strcat(ret, "Directory, ");
else
Strcat(ret, "File, ");
if (flags & 0x01)
Strcat(ret, "In use");
else
Strcat(ret, "Not in use");
return ret;
}
string AttributeFlagsToString(UINT16 flags) {
string ret;
if (flags & 0x01)
Strcat(ret, "Compressed, ");
else
Strcat(ret, "Not Compressed, ");
if (flags & 0x4000)
Strcat(ret, "Encrypted, ");
else
Strcat(ret, "Not Encrypted, ");
if (flags & 0x8000)
Strcat(ret, "Sparse");
else
Strcat(ret, "Not Sparse");
return ret;
}
string GetParentDirComment(uint64 ref_to_parent_dir) {
string ret,
details;
// FIXME for some reason the input number is truncated, hence the seq_num is
// wrong
UINT16 seq_num = ref_to_parent_dir >> 24;
UQUAD mft_entry = ref_to_parent_dir & 0x0000ffffffffffff;
if (mft_entry == 0x05) {
// record 0x05 is the root directory ($.)
Strcat(ret, "Root dir, ");
}
SPrintf(details, "Seq num = %04xh [!!] , MFT entry = %012xh", seq_num, mft_entry);
Strcat(ret, details);
return ret;
}
string GetAllocSize(UQUAD alloc_size) {
// assuming 4096-byte cluster size
string ret;
UQUAD num_clusters = alloc_size / 4096 + (alloc_size % 4096 ? 1 : 0);
SPrintf(ret, "%lu clusters (each cluster 4096 bytes)", num_clusters);
return ret;
}
string GetDataRunStart(UINT16 data_run_info) {
string ret;
SPrintf(ret, "Starting at 0x%x (assuming cluster size = 4096)", data_run_info * 4096);
return ret;
}
typedef struct MFTAttribute {
local int64 mftattribute_start = FTell();
struct FixedHeader {
enum <UINT32> {
STANDARD_INFORMATION = 0x10,
ATTRIBUTE_LIST = 0x20,
FILE_NAME = 0x30,
OBJECT_ID = 0x40, // on NT it's VOLUME_VERSION, on 2k it's OBJECT_ID
SECURITY_DESCRIPTOR = 0x50,
VOLUME_NAME = 0x60,
VOLUME_INFORMATION = 0x70,
DATA = 0x80,
INDEX_ROOT = 0x90,
INDEX_ALLOCATION = 0xa0,
BITMAP = 0xb0,
REPARSE_POINT = 0xc0, // on NT it's SYMBOLIC_LINK, on 2k it's REPARSE_POINT
EA_INFORMATION = 0xd0,
EA = 0xe0,
LOGGED_UTILITY_STREAM = 0x100 // on NT it's PROPERTY_SET, on 2k it's LOGGED_UTILITY_STREAM
} type; // Attribute type identifier
UINT32 attr_length; // length of attribute
enum <UBYTE> {
RESIDENT = 0,
NON_RESIDENT = 1
} non_res_flag <comment="Resident: stored in the record. Non-resident: stored in the data runs">; // resident flag
UBYTE name_length; // length of name
UINT16 name_offset; // offset to name
UINT16 flags <comment=AttributeFlagsToString>; // flags
UINT16 attribute_id; // attribute identifier
} fixed_header;
if (fixed_header.non_res_flag) {
struct NonResidentAttributeHeader {
UQUAD start_vcn; // starting Virtual Cluster Number of the runlist
UQUAD end_vcn; // ending Virtual Cluster Number of the runlist
UINT16 datarun_offset; // offset to the runlist
UINT16 compression_size <comment="If 0, not compressed">; // compression unit size
UINT32 padding; // unused
UQUAD alloc_size <comment=GetAllocSize>; // allocated size of attribute content
UQUAD real_size <comment="File size in bytes">; // actual size of attribute content
UQUAD stream_size <comment="Equal to real_size unless resized">; // initialized size of attribute content
} non_resident_attribute_header;
if (fixed_header.type == DATA) {
struct AttributeContentNonResidentData {
UBYTE unknown;
UBYTE num_of_clusters;
UINT16 data_run_start <format=hex, comment=GetDataRunStart>;
char padding[3];
} attribute_content_non_resident_data;
} else if (fixed_header.type == BITMAP) {
struct AttributeContentNonResidentBitmap {
char bitmap[fixed_header.attr_length - non_resident_attribute_header.datarun_offset];
} attribute_content_non_resident_bitmap;
} else {
// TODO define other data types
}
} else {
struct ResidentAttributeHeader {
UINT32 content_size;
UINT16 content_offset;
UINT16 indexed_tag;
} resident_attribute_header;
struct ResidentAttributeContent {
if (fixed_header.type == STANDARD_INFORMATION) {
struct AttributeContentStandardInformation {
FILETIME creation_time;
FILETIME alteration_time;
FILETIME mft_changed_time;
FILETIME read_time;
UINT32 dos_permissions;
UINT32 max_num_of_versions;
UINT32 version_number;
UINT32 class_id;
} attribute_content_standard_information;
if (resident_attribute_header.content_size != 48) {
UINT32 owner_id;
UINT32 security_id;
UQUAD quota_charged;
UQUAD update_sequence_number;
}
} else if (fixed_header.type == FILE_NAME) {
struct AttributeContentFileName {
UQUAD file_ref_to_parent_dir <format=hex, comment=GetParentDirComment>;
FILETIME file_creation_time;
FILETIME file_modification_time;
FILETIME mft_modification_time;
FILETIME file_access_time;
UQUAD allocated_size;
UQUAD real_size;
UINT32 flags;
UINT32 used_by_eas_and_reparse;
UBYTE filename_length_unicode;
UBYTE filename_namespace;
} attribute_content_file_name;
// variable, file name in Unicode
wchar_t file_name[attribute_content_file_name.filename_length_unicode];
} else {
UCHAR data[resident_attribute_header.content_size];
// TODO define other data types
}
} resident_attribute_content;
}
UCHAR padding[fixed_header.attr_length - (FTell() - mftattribute_start)];
} mftattribute;
struct MFTRecord {
struct MFTHeader {
char file_signature[4] <comment="Must be FILE">; // magic number, "FILE"
UINT16 fixup_offset; // offset to the update sequence
UINT16 fixup_size; // number of entries in the fixup array
UQUAD log_seq_number; // $LogFile Sequence Number (LSN)
UINT16 sequence; // Sequence Number
UINT16 hard_links <comment="Number of hard links">; // Hard link count
UINT16 attrib_offset; // Offset to first attribute
UINT16 flags <comment=HeaderFlagsToString>; // Flags: 0x01: record in use, 0x02: directory
UINT32 rec_length <comment="Length of the bytes used for this record. Must be <= 1024">; // Used size of MFT entry
UINT32 all_length <comment="Length of the whole record. Must be 1024">; // Allocated size of MFT entry
UQUAD base_mft_rec; // File reference to the base FILE record
UINT16 next_attr_id; // Next attribute ID
UINT16 fixup_pattern; // Align to 4 bytes boundary
UINT32 mft_rec_number <comment=getMFTNameFromRecurdNumber>; // Number of this MFT record
} mftheader;
UQUAD fixup; // is this correct?
local int i;
local int64 pos;
local UINT32 terminator;
for (i = 0; i == i ; i++) {
pos = FTell();
terminator = ReadUInt();
if (terminator == 0xffffffff) {
struct Terminator {
UINT32 terminator <format=hex, comment="Must be FF FF FF FF">;
} terminator <comment="Attribute list terminator">;
break;
} else {
struct Attributes {
mftattribute attribute;
} attributes <comment=GetMFTNameFromAttribute>;
}
}
} mftrecord <comment=GetMFTRecordComment>;

241
cparser/MIDITemplate.bt Normal file
View File

@ -0,0 +1,241 @@
/* General-MIDI Parser
* By Jack Andersen
*/
BigEndian();
struct MidiHeader
{
char m_magic[4] <format = hex>;
uint m_seclen;
enum <short>
{
MIDI_SINGLE = 0,
MIDI_MULTIPLE = 1,
MIDI_PATTERN = 2
} m_format;
short m_ntracks;
short m_tickdiv;
};
struct DeltaTime
{
local uint total = 0;
char t0;
total += t0 & 0x7f;
if (!(t0 & 0x80))
break;
total <<= 7;
char t1;
total += t1 & 0x7f;
if (!(t1 & 0x80))
break;
total <<= 7;
char t2;
total += t2 & 0x7f;
if (!(t2 & 0x80))
break;
total <<= 7;
char t3;
total += t3 & 0x7f;
if (!(t3 & 0x80))
break;
};
struct MidiMessage
{
DeltaTime m_dtime;
char m_status;
local char m_channel = m_status & 0xf;
if ((m_status & 0xf0) == 0x80)
{
struct
{
char m_note;
char m_velocity;
} note_off_event;
}
else if ((m_status & 0xf0) == 0x90)
{
struct
{
char m_note;
char m_velocity;
} note_on_event;
}
else if ((m_status & 0xf0) == 0xA0)
{
struct
{
char m_note;
char m_pressure;
} note_pressure_event;
}
else if ((m_status & 0xf0) == 0xB0)
{
struct
{
char m_controller;
char m_value;
} controller_event;
}
else if ((m_status & 0xf0) == 0xC0)
{
struct
{
char m_program;
} program_event;
}
else if ((m_status & 0xf0) == 0xD0)
{
struct
{
char m_pressure;
} channel_pressure_event;
}
else if ((m_status & 0xf0) == 0xE0)
{
struct
{
char m_lsb;
char m_msb;
} pitch_bend_event;
}
else if (m_status == -1)
{
struct
{
enum <char>
{
META_SEQUENCE_NUM = 0,
META_TEXT = 1,
META_COPYRIGHT = 2,
META_SEQUENCE_NAME = 3,
META_INSTRUMENT_NAME = 4,
META_LYRIC = 5,
META_MARKER = 6,
META_CUE_POINT = 7,
META_PROGRAM_NAME = 8,
META_DEVICE_NAME = 9,
META_MIDI_CHANNEL_PREFIX = 0x20,
META_MIDI_PORT = 0x21,
META_END_OF_TRACK = 0x2f,
META_TEMPO = 0x51,
META_SMPTE_OFFSET = 0x54,
META_TIME_SIGNATURE = 0x58,
META_KEY_SIGNATURE = 0x59,
META_SEQUENCER_EVENT = 0x7f
} m_type;
DeltaTime m_length;
if (m_type == META_SEQUENCE_NUM)
{
short m_seqNum;
}
else if (m_type == META_TEXT)
{
char m_text[m_length.total];
}
else if (m_type == META_COPYRIGHT)
{
char m_copyright[m_length.total];
}
else if (m_type == META_SEQUENCE_NAME)
{
char m_name[m_length.total];
}
else if (m_type == META_INSTRUMENT_NAME)
{
char m_name[m_length.total];
}
else if (m_type == META_LYRIC)
{
char m_lyric[m_length.total];
}
else if (m_type == META_MARKER)
{
char m_marker[m_length.total];
}
else if (m_type == META_CUE_POINT)
{
char m_cuePoint[m_length.total];
}
else if (m_type == META_PROGRAM_NAME)
{
char m_programName[m_length.total];
}
else if (m_type == META_DEVICE_NAME)
{
char m_deviceName[m_length.total];
}
else if (m_type == META_MIDI_CHANNEL_PREFIX)
{
char m_channelPrefix;
}
else if (m_type == META_MIDI_PORT)
{
char m_port;
}
else if (m_type == META_END_OF_TRACK)
{
}
else if (m_type == META_TEMPO)
{
uint m_usecPerQuarterNote : 24;
local uint m_bpm = 60000000 / m_usecPerQuarterNote;
FSeek(FTell() - 1);
}
else if (m_type == META_SMPTE_OFFSET)
{
char m_hours;
char m_mins;
char m_secs;
char m_fps;
char m_fracFrames;
}
else if (m_type == META_TIME_SIGNATURE)
{
char m_numerator;
char m_denominator;
char m_clocksPerClick;
char m_32ndPer4th;
}
else if (m_type == META_KEY_SIGNATURE)
{
char m_flatsSharps;
char m_majorMinor;
}
else
{
char m_data[m_length.total];
}
} meta_event;
}
else if ((m_status & 0xf0) == 0xF0)
{
struct
{
DeltaTime m_length;
char m_message[m_length.total];
} sysex_event;
}
};
struct MidiTrack
{
char m_magic[4] <format = hex>;
uint m_seclen;
local uint remaining = m_seclen;
while (remaining) {
MidiMessage message;
remaining -= sizeof(message);
}
};
struct
{
MidiHeader header;
MidiTrack tracks[header.m_ntracks] <optimize=false>;
} file;

714
cparser/MOBITemplate.bt Normal file
View File

@ -0,0 +1,714 @@
//-----------------------------------
//--- 010 Editor v4.0 Binary Template
//
// File: MOBITemplate.bt
// Author: David W. Deley
// Revision: 2.2
// Purpose: Defines a template for
// parsing MOBI ebook files.
//-----------------------------------
// Define structures used in MOBI files
typedef struct { // Record Info ri
DWORD dataOffset;
UBYTE attributeBits;
UBYTE uid1;
WORD uid2;
} ri;
void checkpdfheader()
{
// Check for correct header
if ( ( type != "BOOK" || creator != "MOBI")
&&( type != "TEXt" || creator != "REAd") )
{
Warning( "File is not BOOKMOBI or TEXtREAd. Template stopped." );
return -1;
}
}
typedef struct { // Palm Database Format header pdf
CHAR name[32];
WORD attributeBits;
WORD version;
DWORD creationDate;
DWORD modificationDate;
DWORD lastBackupDate;
DWORD modificationNumber;
DWORD appInfoID;
DWORD sortInfoID;
CHAR type[4];
CHAR creator[4];
checkpdfheader();
DWORD uniqueIDseed;
DWORD nextRecordListID;
WORD numberOfRecords;
//read record pointers
SetBackColor( cWhite );
struct { // Record Pointer
DWORD dataOffset;
UBYTE attributeBits;
UBYTE uid1;
WORD uid2;
} recptr[pdf.numberOfRecords];
} PalmDatabaseFormat;
enum <ushort> eCompression {
NoCompression = 1,
PalmDOC = 2,
HUFFCDIC = 17480
};
enum <ushort> encryptionType {
NoEncryption = 0,
OldMobipocketEncryption = 1,
MobipocketEncryption = 2
};
enum <ushort> TextEncoding {
CP1252_WinLatin1 = 1252,
UTF8 = 65001
};
enum <uint> MobiType {
MobipocketBook = 2,
PalmDOCbook= 3,
Audio= 4,
News= 257,
NewsFeed= 258,
NewsMagazine= 259,
PICS= 513,
Word= 514,
XLS= 515,
PPT= 516,
TEXT= 517,
HTML= 518
};
typedef struct { // PalmDOC Header pdh
eCompression compression;
WORD unused;
DWORD textLength;
WORD numPDBrecords;
WORD recMaxSize;
encryptionType encryption;
Assert( encryption == 0, "File encrypted. Abort." );
WORD unknown1;
} PalmDOCheader;
typedef enum <uint32> eMBHflags {
multibyte = 0x0001, // Declared public; may be accessed from outside its package.
trailers = 0x0002
} MBHflags <read=readMBHflags>;
string readMBHflags (local MBHflags &flags) {
local string s = "";
local int commaNeeded = 0;
local MBHflags i = 1;
SPrintf (s, "%x: ", flags);
// Iterate over all possible values the flags
// if the given bit is set, add it's text representation to the
// return string.
// NOTE: There's probably a better way to do this. (More portable?)
while (i <= 2) {
if (flags && i) {
if (commaNeeded) { s += ", "; }
s += EnumToString(i);
commaNeeded = 1;
}
i = i << 1;
}
return s;
}
//MOBI Header
typedef struct {
CHAR identifier[4] <comment="continuation of Palm DOC Header">; //MOBI
DWORD headerLength;
MobiType mobiType;
WORD cryptoType;
TextEncoding textEncoding <comment="codepage">;
DWORD uniqueID;
DWORD MOBIversion;
DWORD orthographicIndex <format=hex>;
DWORD inflectionIndex <format=hex>;
DWORD indexNames <format=hex>;
DWORD indexKeys <format=hex>;
DWORD extraIndex0 <format=hex>;
DWORD extraIndex1 <format=hex>;
DWORD extraIndex2 <format=hex>;
DWORD extraIndex3 <format=hex>;
DWORD extraIndex4 <format=hex>;
DWORD extraIndex5 <format=hex>;
DWORD firstNonBookIndex <format=hex>; //?
DWORD fullNameOffset <comment="Book Title">;
DWORD fullNameLength <comment="Book Title Length">;
DWORD locale;
DWORD inputLanguage;
DWORD outputLanguage;
DWORD minVersion;
DWORD firstImageIndex;
DWORD huffmanRecordOffset;
DWORD huffmanRecordCount;
DWORD huffmanTableOffset;
DWORD huffmanTableLength;
DWORD EXTHflags;
CHAR unknown2[32];
DWORD DRMoffset;
DWORD DRMcount<format=hex>;
DWORD DRMsize<format=hex>;
DWORD DRMflags;
CHAR unknown3[12];
WORD FirstContentRecNo;
WORD LastContentRecNo;
DWORD unknown4;
DWORD FCISrecNo;
DWORD unknown5;
DWORD FLISrecNo;
DWORD unknown6;
QWORD unknown7;
DWORD unknown8;
DWORD unknown9;
DWORD unknown10;
DWORD unknown11;
MBHflags mbhflags; //A set of binary flags, some of which indicate extra data at the end of each text block. This only seems to be valid for Mobipocket format version 5 and 6 (and higher?), when the header length is 228 (0xE4) or 232 (0xE8).
DWORD INDXrecordOffset;
} MobiHeader;
enum <ubyte> TextToSpeach {
TextToSpeechEnabled = 0,
TextToSpeechDisabled = 1
};
enum <DWORD> CreatorSoftware {
mobigen = 1,
MobipocketCreator = 2,
kindlegen_Windows = 200,
kindlegen_Linux = 201,
kindlegen_Mac = 202
};
typedef struct {
enum <DWORD> EXTHrecordType {
Drm_Server_Id = 1,
Drm_Commerce_Id = 2,
Drm_Ebookbase_Book_Id = 3,
Creator = 100,
Publisher = 101,
Imprint = 102,
Description = 103,
ISBN = 104,
Subject = 105,
Published = 106,
Review = 107,
Contributor = 108,
Rights = 109,
SubjectCode = 110,
Type = 111,
Source = 112,
ASIN = 113,
VersionNumber = 114,
Sample = 115,
StartReading = 116,
Adult = 117,
Price = 118,
Currency = 119,
K8_Boundary_Section = 121,
fixed_layout = 122,
book_type = 123,
orientation_lock = 124,
K8_Count_of_Resources_Fonts_Images = 125,
original_resolution = 126,
K8_Cover_Image = 129,
K8_Unidentified_Count = 131,
RegionMagnification = 132,
DictShortName = 200,
CoverOffset = 201,
ThumbOffset = 202,
HasFakeCover = 203,
CreatorSoftwareRecord = 204,
CreatorMajorVersion = 205,
CreatorMinorVersion = 206,
CreatorBuildNumber = 207,
Watermark = 208,
Tamper_proof_keys = 209,
FontSignature = 300,
ClippingLimit = 401,
PublisherLimit = 402,
TextToSpeachFlag = 404,
CDE_Type = 501,
last_update_time = 502,
Updated_Title = 503
/* Long Title
// # Amazon seems to regard this as the definitive book title
# rather than the title from the PDB header. In fact when
# sending MOBI files through Amazon's email service if the
# title contains non ASCII chars or non filename safe chars
# they are messed up in the PDB header
*/
} recordType;
DWORD recordLength;
switch (recordType) {
case 1 : //Drm_Server_Id :
UBYTE Drm_Server_Id[recordLength-8];
break;
case 2 : //Drm_Commerce_Id :
UBYTE Drm_Commerce_Id[recordLength-8];
break;
case 3 : //Drm_Ebookbase_Book_Id :
UBYTE Drm_Ebookbase_Book_Id[recordLength-8];
break;
case 100 : //Creator (author) : <dc:Creator>
UBYTE creator[recordLength-8];
break;
case 101 : //Publisher : <dc:Publisher>
UBYTE publisher[recordLength-8];
break;
case 102 : //Imprint : <Imprint>
UBYTE imprint[recordLength-8];
break;
case 103 : //Description : <dc:Description>
UBYTE description[recordLength-8];
break;
case 104 : //ISBN : <dc:Identifier scheme='ISBN'>
UBYTE ISBN[recordLength-8];
break;
case 105 : //Subject : <dc:Subject>
UBYTE subject[recordLength-8];
break;
case 106 : //PublishingDate : <dc:Date>
UBYTE publishingDate[recordLength-8];
break;
case 107 : //Review : <Review>
UBYTE review[recordLength-8];
break;
case 108 : //Contributor : <dc:Contributor>
UBYTE contributor[recordLength-8];
break;
case 109 : //Rights : <dc:Rights>
UBYTE rights[recordLength-8];
break;
case 110 : //SubjectCode : <dc:Subject BASICCode="subjectcode">
UBYTE subjectCode[recordLength-8];
break;
case 111 : //Type : <dc:Type>
UBYTE type[recordLength-8];
break;
case 112 : //Source : <dc:Source>
UBYTE source[recordLength-8];
break;
case 113 : //ASIN :
UBYTE ASIN[recordLength-8];
break;
case 114 : //'versionnumber',
UBYTE versionNumber[recordLength-8];
break;
case 115 : //'sample'. 0x0001 if the book content is only a sample of the full book
Assert( recordLength == 12, "sample recordLength-8 != 4 (DWORD)." );
DWORD sample;
break;
case 116 : //'startreading', 'StartOffset' Position (4-byte offset) in file at which to open when first opened
UBYTE startReading[recordLength-8];
break;
case 117 : //Adult : <Adult>
UBYTE adult[recordLength-8];
break;
case 118 : //Price 'retailprice': <SRP>
UBYTE price[recordLength-8];
break;
case 119 : //Currency 'retailPriceCurrency': <SRP Currency="currency">
UBYTE currency[recordLength-8];
break;
case 121 : //K8_Boundary_Section = 121,
case 122 : // fixed_layout = 122,
case 123 : // book_type = 123,
case 124 : // orientation_lock = 124,
case 125 : // K8_Count_of_Resources_Fonts_Images = 125,
case 126 : // original_resolution = 126,
case 129 : // K8_Cover_Image = 129,
case 131 : // K8_Unidentified_Count = 131,
case 132 : // RegionMagnification = 132,
UBYTE unknown[recordLength-8];
break;
case 200 : //DictShortName : <DictionaryVeryShortName>
UBYTE dictShortName[recordLength-8];
break;
case 201 : //'coveroffset', <EmbeddedCover>. Add to first image field in Mobi Header to find PDB record containing the cover image
Assert( recordLength == 12, "coverOffset recordLength-8 != 4 (DWORD)." );
DWORD coverOffset;
break;
case 202 : //'thumboffset',
Assert( recordLength == 12, "thumbOffset recordLength-8 != 4 (DWORD)." );
DWORD thumbOffset;
break;
case 203 : //'hasfakecover',
UBYTE hasFakeCover[recordLength-8];
break;
case 204 : //'Creator Software'. Known Values: 1=mobigen, 2=Mobipocket Creator, 200=kindlegen (Windows), 201=kindlegen (Linux), 202=kindlegen (Mac).
Assert( recordLength == 12, "creatorSoftware recordLength-8 != 4 (DWORD)." );
CreatorSoftware creatorSoftware;
break;
case 205 : //'Creator Major Version', # '>I'
Assert( recordLength == 12, "creatorMajorVersion recordLength-8 != 4 (DWORD)." );
DWORD creatorMajorVersion;
break;
case 206 : //'Creator Minor Version', # '>I'
Assert( recordLength == 12, "creatorMinorVersion recordLength-8 != 4 (DWORD)." );
DWORD creatorMinorVersion;
break;
case 207 : //'Creator Build Number', # '>I'
Assert( recordLength == 12, "creatorBuildNumber recordLength-8 != 4. (DWORD)" );
DWORD creatorBuildNumber;
break;
case 208 : //Watermark :
UBYTE watermark[recordLength-8];
break;
case 209 : //'tamper_proof_keys'. Used by the Kindle (and Android app) for generating book-specific PIDs.
UBYTE tamper_proof_keys[recordLength-8];
break;
case 300 : //'fontsignature',
UBYTE fontSignature[recordLength-8];
break;
case 301 : //'clippinglimit', # percentage '>B' Integer percentage of the text allowed to be clipped. Usually 10.
UBYTE clippingLimit[recordLength-8];
break;
case 402 : //'publisherlimit',
UBYTE publisherLimit[recordLength-8];
break;
case 404 : //'TTS flag', # '>B' 1 - TTS disabled 0 - TTS enabled 1 - Text to Speech disabled; 0 - Text to Speech enabled
Assert( recordLength == 9, "TextToSpeach recordLength-8 != 1 (BYTE)." );
TextToSpeach textToSpeach;
break;
case 501 : //CDE Type : PDOC - Personal Doc; EBOK - ebook; EBSP - ebook sample;
Assert( recordLength == 12, "CDEtype recordLength-8 != 1. (DWORD)" );
CHAR CDEtype[4];
break;
case 502 : //'lastupdatetime',
UBYTE lastUpdateTime[recordLength-8];
break;
case 503 : //Updated Title :
UBYTE updatedTitle[recordLength-8];
break;
case 504 : //ASIN (copy)?
UBYTE ASINcopy[recordLength-8];
break;
case 524 : //language from <dc:language>
UBYTE dclanguage[recordLength-8];
break;
default :
UBYTE unknown[recordLength-8];
break;
}
} EXTHrecord;
typedef struct { //EXTH Header
CHAR identifier[4]; //EXTH
DWORD headerLength;
UINT recordCount;
local int i = 0;
for ( i = 0; i < recordCount; i++) {
EXTHrecord exthrecord;
}
} ExthHeader;
typedef struct { // FLIS RECORD
UINT ID <comment="FLIS">;
UINT fixed1 <comment="fixed value 8">;
USHORT fixed2 <comment="fixed value 65">;
USHORT fixed3 <comment="fixed value 0">;
UINT fixed4 <comment="fixed value 0">;
UINT fixed5 <comment="fixed value -1">;
USHORT fixed6 <comment="fixed value 1">;
USHORT fixed7 <comment="fixed value 3">;
UINT fixed8 <comment="fixed value 3">;
UINT fixed9 <comment="fixed value 1">;
UINT fixed10 <comment="fixed value -1">;
} FLISRECORD;
typedef struct { // FDST RECORD for (KF8) format
UINT ID <comment="FDST">;
UINT FDSTstart <comment="FDST start">;
UINT fdstcnt <comment="Number of records inside FDST">;
struct {
UBYTE record[ reclen - 12];
} fdst;
} FDSTkf8RECORD;
typedef struct { // FCIS RECORD
UINT ID <comment="FCIS">;
UINT fixed1 <comment="fixed value 20">;
UINT fixed2 <comment="fixed value 16">;
UINT fixed3 <comment="fixed value 1">;
UINT fixed4 <comment="fixed value 0">;
UINT fixed5 <comment="text length (the same value as \"text length\" in the PalmDoc header)">;
UINT fixed6 <comment="fixed value 0">;
UINT fixed7 <comment="fixed value 32">;
UINT fixed8 <comment="fixed value 8">;
USHORT fixed9 <comment="fixed value 1">;
USHORT fixed10 <comment="fixed value 1">;
UINT fixed11 <comment="fixed value 0">;
} FCISRECORD;
typedef struct { // SRCS RECORD
UINT ID <comment="SRCS">;
struct {
UBYTE record[ reclen - 4];
} srcs;
} SRCSRECORD;
typedef struct { // DATP RECORD
UINT ID <comment="DATP">;
struct {
UBYTE record[ reclen - 4];
} datp;
} DATPRECORD;
typedef struct {
QUAD ID <comment="BOUNDARY">;
} BOUNDARYRECORD;
typedef struct { // HTML RECORD
struct {
UBYTE b[ reclen ];
} html;
} HTML;
typedef struct { // INDX RECORD
UINT ID <comment="INDX">;
UINT headerLength <comment="">;
UINT indexType <comment="">;
UINT unknown1 <comment="">;
UINT unknown2 <comment="">;
UINT idxtStart <comment="offset to the IDXT section">;
UINT indexEncoding ;
UINT indexLanguage <comment="language code of the index">;
UINT totalIndexCount <comment="number of index entries">;
UINT ordtStart <comment="offset to the ORDT section">;
UINT ligtStart <comment="offset to the LIGT section">;
UINT unknown3;
UINT unknown4;
} INDXRECORD;
typedef struct { // end-of-file
UBYTE fixed1 <comment="fixed value 233 (0xE9)">;
UBYTE fixed2 <comment="fixed value 142 (0x8E)">;
UBYTE fixed3 <comment="fixed value 13 (0x0D)">;
UBYTE fixed4 <comment="fixed value 10 (0x0A)">;
} ENDRECORD;
//---------------------------------------------
// Define the headers
BigEndian();
SetBackColor( cLtGray );
PalmDatabaseFormat pdf;
//record 0 is PalmDOC Header
FSeek(pdf.recptr[0].dataOffset);
SetBackColor( cLtGray );
PalmDOCheader pdh;
MobiHeader mbh;
local char fullName[255];
local char KF8fullName[255];
//local int outFile = FileNew();
local int reclen;
local int i, n;
local int endrec;
local char tag[9];
if (mbh.fullNameOffset != 0)
{
//get full name
FSeek(pdf.recptr[0].dataOffset + mbh.fullNameOffset);
ReadBytes(fullName, FTell(), mbh.fullNameLength);
fullName[mbh.fullNameLength] = '\0';
// FPrintf(outFile, "fullName=%s\n", fullName);
}
if (mbh.EXTHflags & 0x40)
{
//find EXTH record
FSeek(pdf.recptr[0].dataOffset + 16 + mbh.headerLength); //16 for the PalmDOCheader
SetBackColor( cYellow );
ExthHeader exth;
}
local uint multibyte = 0;
local uint trailers = 0;
if ( pdf.type == "BOOK" && pdf.creator == "MOBI")
{
if ((mbh.headerLength >= 0xE4) && (pdf.version >= 5))
{
multibyte = flags & 1;
while (flags > 1)
{
if (flags & 2)
{
++trailers;
flags = flags >> 1;
}
}
}
}
for( i = 0; i < pdf.numberOfRecords - 1; i++ )
{
FSeek(pdf.recptr[i].dataOffset);
reclen = ( pdf.recptr[i+1].dataOffset - pdf.recptr[i].dataOffset );
// FPrintf(outFile, "i=%d, reclen=%d\n", i, reclen);
ReadBytes(tag, FTell(), 8);
tag[8] = '\0';
// FPrintf(outFile, "tag=%s\n", tag );
// Parse data depending upon tag
if( Memcmp(tag,"FLIS",4) == 0) //FLIS
{
SetBackColor( cLtGray );
FLISRECORD data;
}
else if( Memcmp(tag,"FDST",4) == 0) //FDST
{
SetBackColor( cLtGray );
FDSTkf8RECORD data;
}
else if( Memcmp(tag,"FCIS",4) == 0 ) //FCIS
{
SetBackColor( cLtGreen );
FCISRECORD data;
if (data.fixed1 < 0x10)
{
// FPrintf(outFile, "0");
}
// FPrintf(outFile, "%X ", data.fixed1);
// FPrintf(outFile, "\n");
}
else if( Memcmp(tag,"SRCS",4) == 0 ) //SRCS
{
SetBackColor( cLtRed );
SRCSRECORD data;
}
else if( Memcmp(tag,"DATP",4) == 0 ) //DATP
{
SetBackColor( cLtBlue );
DATPRECORD data;
for (n = 0; n < reclen-4; n++)
{
if (data.datp.record[n] < 0x10)
{
// FPrintf(outFile, "0");
}
// FPrintf(outFile, "%X ", data.datp.record[n]);
}
// FPrintf(outFile, "\n");
}
else if( Memcmp(tag,"INDX",4) == 0 ) //INDX
{
SetBackColor( cSilver );
INDXRECORD data;
}
else if(Memcmp(tag,"BOUNDARY",8) == 0 ) //BOUNDARY (check record length is 8 bytes)
{
SetBackColor( cYellow );
BOUNDARYRECORD data;
//record following BOUNDARY is another PalmDOC Header for KF8
SetBackColor( cLtGray );
i++;
PalmDOCheader data;
MobiHeader KF8mbh;
if (KF8mbh.fullNameOffset != 0)
{
//get full name
FSeek(pdf.recptr[i].dataOffset + KF8mbh.fullNameOffset);
ReadBytes(KF8fullName, FTell(), KF8mbh.fullNameLength);
fullName[KF8mbh.fullNameLength] = '\0';
// FPrintf(outFile, "KF8fullName=%s\n", fullName);
}
if (KF8mbh.EXTHflags & 0x40)
{
//find EXTH record
// FPrintf(outFile, "KF8EXTH present\n");
FSeek(pdf.recptr[i].dataOffset + 16 + KF8mbh.headerLength); //16 for the PalmDOCheader
SetBackColor( cYellow );
ExthHeader KF8exth;
}
}
else if( Memcmp(tag,"<html>",6) == 0 )
{
SetBackColor( cLtGreen );
HTML data;
}
else if( Memcmp(tag,"<!DOCTYP",8) == 0 )
{
SetBackColor( cLtGreen );
HTML data;
}
else
{
SetBackColor( cLtGray );
struct {
UBYTE unknown[ reclen ] ;
} data;
}
}
//and the very last record is the rest of the file
endrec = ReadUInt( FTell() );
//FPrintf(outFile, "endrec=%X\n", endrec );
if( endrec == 0xE98E0D0A ) //end record
{
SetBackColor( cLtGreen );
ENDRECORD data;
}
/*
local int x;
x = pdf.numberOfRecords;
typedef struct {
UBYTE rec[10];
} PDFREC <read=ReadPDFrec>;
string ReadPDFrec( PDFREC &a )
{
local uint reclen;
reclen = ( pdf.recptr[1].dataOffset - pdf.recptr[0].dataOffset );
string s;
s = "Hello";
return s;
}
// Define each line of the image
struct PDFREC {
UBYTE Data[ 4096 ];
} record[ pdf.numberOfRecords ];
RGBQUAD aColors[ bmih.biClrUsed ];
typedef struct
{
char record[];
}
MATRIX[pdf.numberOfRecords];
MATRIX pdfrec;
local uint reclen;
reclen = ( pdf.recptr[1].dataOffset - pdf.recptr[0].dataOffset );
FSeek(pdf.recptr[0].dataOffset);
pdfrec[0].record[reclen];
reclen = ( pdf.recptr[2].dataOffset - pdf.recptr[1].dataOffset );
FSeek(pdf.recptr[1].dataOffset);
pdfrec[1].record[reclen];
*/
return;

498
cparser/MP3Template.bt Normal file
View File

@ -0,0 +1,498 @@
//--------------------------------------
//--- 010 Editor v1.3.2 Binary Template
//
// File: MP3Template.bt
// Author: Ivan Getta (ivanitto@ukr.net)
// Purpose: MP3 files analysis and smart editing
//
// Template version: 1.0
// Release date: 2005 Feb 18
// Licence: free
//
//--- Template features ----------------
//
// 1) MPEG frames support:
// * MPEG-1, MPEG-2
// * Layer 1,2,3
// 2) ID3v1 tags support
// 3) ID3v1.1 tags support
// 4) ID3v2.3 tags support
//
//--- Notes ----------------------------
//
// TODO:
// 1) MPEG 2.5 support
// 2) Resolve known bugs (see below)
//
// KNOWN BUGS (STILL PRESENT):
// 1) Incorrect frame size detection for MPEG 1.0 layer 3
// mono files with low bitrate (for example 56k, 64k).
// Frame size must be detected twice long.
// 2) Mp3pro files have some problems
//
//--- References -----------------------
//
// 1. "010 Editor templates"
// http://www.sweetscape.com/010editor/templates.html
//
// 2. "The private life of MP3 frames"
// http://www.id3.org/mp3frame.html
//
// 3. "ID3 made easy (ID3v1 & ID3v1.1)"
// http://www.id3.org/id3v1.html
//
// 4. "ID3 tag version 2.3.0 (Informal standard)"
// http://www.id3.org/id3v2.3.0.html
//
//--------------------------------------
local uint32 bitrate, frame_size, sampling_freq, frames_count = 0;
local quad frame_header_offset, seek_pos, sum_bitrate = 0;
local short data;
local byte was_bad_sync, id3v1_tag_found = 0;
local ubyte buf[3];
enum <ubyte> ID3_GENRES
{
Blues, Classic_Rock, Country, Dance, Disco, Funk, Grunge, Hip_Hop, // 7
Jazz, Metal, New_Age, Oldies, Other, Pop, R_and_B, Rap, // 15
Reggae, Rock, Techno, Industrial, Alternative, Ska, Death_Metal, Pranks, // 23
Soundtrack, Euro_Techno, Ambient, Trip_Hop, Vocal, Jazz_Funk, Fusion, Trance, // 31
Classical, Instrumental, Acid, House, Game, Sound_Clip, Gospel, Noise, // 39
AlternRock, Bass, Soul, Punk, Space, Meditative, Instrumental_Pop, Instrumental_Rock, // 47
Ethnic, Gothic, Darkwave, Techno_Industrial, Electronic, Pop_Folk, Eurodance, Dream, // 55
Southern_Rock, Comedy, Cult, Gangsta, Top_40, Christian_Rap, Pop_Funk, Jungle, // 63
Native_American, Cabaret, New_Wave, Psychadelic, Rave, Showtunes, Trailer, Lo_Fi, // 71
Tribal, Acid_Punk, Acid_Jazz, Polka, Retro, Musical, Rock_n_Roll, Hard_Rock, // 79
Folk, Folk_Rock, National_Folk, Swing, Fast_Fusion, Bebob, Latin, Revival, // 87
Celtic, Bluegrass, Avantgarde, Gothic_Rock,
Progressive_Rock, Psychedelic_Rock, Symphonic_Rock, Slow_Rock, // 95
Big_Band, Chorus, Easy_Listening, Acoustic, Humour, Speech, Chanson, Opera, // 103
Chamber_Music, Sonata, Symphony, Booty_Bass, Primus, Porn_Groove, Satire, Slow_Jam, // 111
Club, Tango, Samba, Folklore, Ballad, Power_Ballad, Rhythmic_Soul, Freestyle, // 119
Duet, Punk_Rock, Drum_Solo, A_capella, Euro_House, Dance_Hall, Goa, Drum_and_Bass, // 127
Club_House, Hardcore, Terror, Indie, BritPop, Negerpunk, Polsk_Punk, Beat, // 135
Christian, Heavy_Metal, Black_Metal, Crossover,
Contemporary, Christian_Rock, Merengue, Salsa, Thrash_Metal, Anime, JPop, Synthpop // 147
};
struct ID3v1_TAG
{
DisplayFormatDecimal();
SetBackColor(0x33BC55);
char id[3]; // always must be "TAG"
SetBackColor(0x48E048);
char title[30];
SetBackColor(0x5DE45D);
char artist[30];
SetBackColor(0x72E872);
char album[30];
SetBackColor(0x87EC87);
char year[4];
if ( ReadByte(FTell()+28) == 0 && ReadByte(FTell()+29) != 0 )
{
// We have ID3v1.1 tag
SetBackColor(0x9CF09C);
char comment[28];
SetBackColor(0xB1F4B1);
byte zero;
SetBackColor(0xC6F8C6);
ubyte track;
}
else
{
// We have ID3v1.0 tag
SetBackColor(0x9CF09C);
char comment[30];
}
SetBackColor(0xDBFCDB);
ID3_GENRES genre;
};
struct ID3v2_HEADER
{
SetBackColor(0x91C4FF);
char head[3]; // always must be "ID3" ($49 44 33)
DisplayFormatDecimal();
ubyte ver_major; // this byte will never be $FF
ubyte ver_revision; // this byte will never be $FF
struct FLAGS {
ubyte UNSYNCHRONISATION_USED : 1;
ubyte EXTENDED_HEADER_PRESENT : 1;
ubyte EXPERIMENTAL_TAG : 1;
ubyte : 5;
} flags;
DisplayFormatHex();
ubyte size[4]; // Is the size of the complete tag after unsynchronisation,
// including padding, excluding the header but not excluding
// the extended header (total tag size - 10). Most
// significant bit (bit 7) of each byte is set to zero
};
struct ID3v2_EXTENDED_HEADER
{
SetBackColor(0xA1D4FF);
DisplayFormatDecimal();
uint32 size; // extended header size, excluding this 'size' field
uint16 FLAG_CRC_PRESENT : 1; // extended header flags
uint16 : 15; //
uint32 padding_sz;
if (FLAG_CRC_PRESENT)
{
DisplayFormatHex();
uint32 crc;
}
};
struct ID3v2_FRAME
{
char id[4]; // four alpha chars
DisplayFormatDecimal();
uint32 size; // frame size without frame header
struct FRAME_FLAGS {
uint16 TAG_ALTER_PRESERV : 1;
uint16 FILE_ALTER_PRESERV : 1;
uint16 READ_ONLY_FRAME : 1;
uint16 : 5;
uint16 COMPRESSED_FRAME : 1;
uint16 ENCRYPTED_FRAME : 1;
uint16 GROUP_MEMBER_FRAME : 1;
uint16 : 5;
} flags;
if (id[0] == 'T')
{
// frame contains text related data
if ( ReadByte(FTell()) == 0 && size > 1)
{
byte id_asciiz_str;
char frame_data [size - 1];
}
else
char frame_data [size];
}
else
{
DisplayFormatHex();
ubyte frame_data [size];
}
};
struct ID3v2_TAG
{
ID3v2_HEADER hdr;
// calculating real size of the ID3v2 tag
local uint32 tag_sz = hdr.size[0];
tag_sz <<= 7;
tag_sz |= hdr.size[1];
tag_sz <<= 7;
tag_sz |= hdr.size[2];
tag_sz <<= 7;
tag_sz |= hdr.size[3];
//
// An ID3v2 tag header can be detected with the following pattern:
// $49 44 33 yy yy xx zz zz zz zz
// Where yy is less than $FF, xx is the 'flags' byte and zz is less than $80.
//
if (hdr.ver_major == 0xFF || hdr.ver_revision == 0xFF ||
hdr.size[0] >= 0x80 || hdr.size[1] >= 0x80 ||
hdr.size[2] >= 0x80 || hdr.size[3] >= 0x80)
{
Printf("MP3: warning: invalid ID3v2 tag header\n");
}
else
{
if (hdr.ver_major != 3 || hdr.flags.UNSYNCHRONISATION_USED || hdr.flags.EXPERIMENTAL_TAG)
{
Printf("MP3: warning: skipping unsupported ID3v2.%d tag\n", hdr.ver_major);
SetBackColor(0xA9DCFF);
DisplayFormatHex();
ubyte id3v2_data[tag_sz];
}
else
{
if ( hdr.flags.EXTENDED_HEADER_PRESENT )
ID3v2_EXTENDED_HEADER ext_hdr;
// Now reading ID3v2 frames
// A tag must contain at least one frame. A frame must be
// at least 1 byte big, excluding the header.
//
local uint32 frame_color = 0xC9FCFF;
do
{
SetBackColor(frame_color);
ID3v2_FRAME tf;
frame_color -= 0x020200;
}
while ( FTell() < tag_sz + sizeof(hdr) && ReadByte(FTell()) != 0 );
SetBackColor(0x99CCFF);
ubyte id3v2_padding [ tag_sz + sizeof(hdr) - FTell() ];
}
}
};
// 32-bit MPEG frame header octets:
// AAAAAAAA AAABBCCD EEEEFFGH IIJJKLMM
//
struct MPEG_HEADER
{
SetBackColor(0xCC99FF);
DisplayFormatHex();
uint32 frame_sync : 12; // A
DisplayFormatDecimal();
uint32 mpeg_id : 1; // B
uint32 layer_id : 2; // C
uint32 protection_bit : 1; // D
uint32 bitrate_index : 4; // E
uint32 frequency_index : 2; // F
uint32 padding_bit : 1; // G
uint32 private_bit : 1; // H
uint32 channel_mode : 2; // I
uint32 mode_extension : 2; // J
uint32 copyright : 1; // K
uint32 original : 1; // L
uint32 emphasis : 2; // M
if (protection_bit == 0)
{
DisplayFormatHex();
uint16 checksum;
}
};
struct MPEG_FRAME
{
MPEG_HEADER mpeg_hdr;
// define frame bitrate
bitrate = 0;
// header sanity check
if (mpeg_hdr.frame_sync < 0xFFE || mpeg_hdr.layer_id == 0 ||
mpeg_hdr.bitrate_index == 0 || mpeg_hdr.bitrate_index == 15 ||
mpeg_hdr.frequency_index == 3)
{
Printf("MP3: warning: invalid MPEG header in frame at offset 0x%X\n",
FTell() - 4 - (mpeg_hdr.protection_bit==0 ? 2:0) );
// Try to find MPEG header starting from offset (current - 2)
FSeek( FTell() - 2 );
}
else
{
if (mpeg_hdr.layer_id == 3) // MPEG-1,2 Layer 1
{
bitrate = (uint32)mpeg_hdr.bitrate_index<<5;
}
else
{
if (mpeg_hdr.layer_id == 2) // MPEG-1,2 Layer 2
{
bitrate = (uint32)mpeg_hdr.bitrate_index==1 ? 32 :
(1 << 5+(uint32)mpeg_hdr.bitrate_index/4) +
( ((uint32)mpeg_hdr.bitrate_index&3) <<
3+(uint32)mpeg_hdr.bitrate_index/4 );
}
else
{
if (mpeg_hdr.mpeg_id == 1) // MPEG-1 (Layer 3)
{
bitrate = (1 << 5+((uint32)mpeg_hdr.bitrate_index-1)/4) +
( ((uint32)mpeg_hdr.bitrate_index-1&3) <<
3+((uint32)mpeg_hdr.bitrate_index-1)/4);
}
else // (MPEG-2) (Layer 3)
{
bitrate = (uint32)mpeg_hdr.bitrate_index<4 ?
8*(uint32)mpeg_hdr.bitrate_index :
(1<<4+(uint32)mpeg_hdr.bitrate_index/4) +
(
((uint32)mpeg_hdr.bitrate_index&3)==0 ? 0 :
((uint32)mpeg_hdr.bitrate_index&3)==1 ?
(1<<4+(uint32)mpeg_hdr.bitrate_index/4) :
((uint32)mpeg_hdr.bitrate_index&3)==2 ?
(1<<4+(uint32)mpeg_hdr.bitrate_index/4) +
((1<<4+(uint32)mpeg_hdr.bitrate_index/4)>>1) :
(1<<4+(uint32)mpeg_hdr.bitrate_index/4) -
((1<<4+(uint32)mpeg_hdr.bitrate_index/4)>>2)
);
}
}
}
}
if (bitrate != 0)
{
local uint16 freq[3];
freq[0] = 2205;
freq[1] = 2400;
freq[2] = 1600;
sampling_freq = freq[mpeg_hdr.frequency_index];
if (mpeg_hdr.mpeg_id == 1) // if MPEG-1
sampling_freq <<= 1;
frame_size = (bitrate * 14400) / sampling_freq;
if (mpeg_hdr.channel_mode == 3)
frame_size >>= 1;
frame_size -= 4 + (mpeg_hdr.protection_bit==0 ? 2:0) - mpeg_hdr.padding_bit;
frame_header_offset = FTell() - 4 - (mpeg_hdr.protection_bit==0 ? 2:0);
// read frame data
if ( FTell() + frame_size > FileSize() )
{
Printf("MP3: warning: cut MPEG frame at end of file (frame header offset = 0x%LX, data length = %u)\n",
frame_header_offset, frame_size);
Printf("MP3: file parsing completed!\nMP3: valid MPEG frames found: %d\n", frames_count);
if (frames_count != 0)
Printf("MP3: average frame bitrate: %d kbit\n", sum_bitrate / frames_count);
return;
}
else
{
DisplayFormatHex();
SetBackColor(0xCCCCFF);
ubyte mpeg_frame_data [ frame_size ];
}
sum_bitrate += bitrate;
frames_count++;
}
};
//--------------------------------------------------------------
BigEndian();
ReadBytes(buf, 0, 3);
if ( ! Strcmp(buf, "ID3") )
{
Printf("MP3: ID3v2 tag found\n");
ID3v2_TAG id3v2_tag;
}
while ( !FEof() && !id3v1_tag_found )
{
// Reading file, until find frame synchronization
seek_pos = FTell();
was_bad_sync = 0;
do
{
data = ReadShort( seek_pos );
if ( (uint16)data == 0x5441 && (uchar)ReadByte(seek_pos+2) == 0x47 )
id3v1_tag_found = 1; // we found "TAG" identifier
if ( !was_bad_sync && (uint16)data < 0xFFE0 && !id3v1_tag_found )
{
Printf("MP3: warning: invalid MPEG frame synchronization at offset 0x%LX\n", seek_pos);
was_bad_sync = 1;
}
seek_pos++;
}
while ( (uint16)data < 0xFFE0 && seek_pos < (FileSize()-1) && !id3v1_tag_found );
if ( (uint16)data >= 0xFFE0 || id3v1_tag_found )
{
FSeek(seek_pos - 1);
}
else
{
Printf("MP3: file parsing completed!\nMP3: valid MPEG frames found: %d\n", frames_count);
if (frames_count != 0)
Printf("MP3: average frame bitrate: %d kbit\n", sum_bitrate / frames_count);
return;
}
if ( !id3v1_tag_found )
{
MPEG_FRAME mf;
if (frames_count == 1 && bitrate)
Printf("MP3: first found MPEG frame parameters:\nMP3:\t- header ofsset: 0x%LX\nMP3:\t- bitrate: %d kbit\nMP3:\t- MPEG-%d layer %d\nMP3:\t- sampling frequency: %d Hz\nMP3:\t- channel mode: %s\nMP3:\t- CRC protected: %s\n",
frame_header_offset,
bitrate,
mf.mpeg_hdr.mpeg_id==1 ? 1:2,
mf.mpeg_hdr.layer_id==1 ? 3 : mf.mpeg_hdr.layer_id==2 ? 2:1,
sampling_freq*10,
mf.mpeg_hdr.channel_mode==3 ? "mono" :
mf.mpeg_hdr.channel_mode==0 ? "stereo" :
mf.mpeg_hdr.channel_mode==1 ? "joint stereo" : "dual channel",
mf.mpeg_hdr.protection_bit==0 ? "Yes" : "No");
}
}
if (id3v1_tag_found)
{
Printf("MP3: ID3v1 tag found\n");
ID3v1_TAG id3v1_tag;
}
if ( !FEof() )
Printf("MP3: warning: there is some unknown extra-data after ID3v1 tag at end of file\n");
Printf("MP3: file parsing completed!\nMP3: valid MPEG frames found: %d\n", frames_count);
if (frames_count != 0)
Printf("MP3: average frame bitrate: %d kbit\n", sum_bitrate / frames_count);

163
cparser/MP4Template.bt Normal file
View File

@ -0,0 +1,163 @@
//-------------------------------------------------------------
//--- 010 Editor v6.0.2 Binary Template
//
// File: MP4.bt
// Author: Marian Denes
// Revision: 2.1
// Date: 2015.06.04
// Purpose: Defines a template for parsing MP4 and MOV files.
//-------------------------------------------------------------
BigEndian();
local int64 pos;
local int64 pos2;
typedef union {
/*uint number;*/
char text[4];
} _typ;
string typeFullName(_typ& type) {
if (Memcmp(type.text, "ftyp", 4) == 0) return "File type compatibility box";
if (Memcmp(type.text, "mvhd", 4) == 0) return "Movie header box";
if (Memcmp(type.text, "iods", 4) == 0) return "Initial object descriptor box";
if (Memcmp(type.text, "trak", 4) == 0) return "Track box";
if (Memcmp(type.text, "udta", 4) == 0) return "Uset data box";
if (Memcmp(type.text, "mdat", 4) == 0) return "Movie (sample) data box";
if (Memcmp(type.text, "moov", 4) == 0) return "Moovie box";
if (Memcmp(type.text, "tkhd", 4) == 0) return "Track header box";
if (Memcmp(type.text, "mdia", 4) == 0) return "Media box";
if (Memcmp(type.text, "edts", 4) == 0) return "Edit box";
if (Memcmp(type.text, "elst", 4) == 0) return "Edit list";
return "I don't know the full name";
}
string typeString(_typ& type) {
return "Type of the box: \"" + type.text + "\"";
}
// MessageBox(idOk, "", "GetCursorPos == %d", GetCursorPos());
while(FTell() < FileSize() - 1) {
struct _box {
uint size <hidden=true>;
_typ type <bgcolor=cLtRed, fgcolor=cWhite, name="Box Type", open=false,
name =typeString/*, comment=typeFullName*/>;
if (Memcmp(type.text, "ftyp", 4) == 0) {
char major_brand[4] <bgcolor=cDkGreen, fgcolor=cWhite, name="Major brand"> ;
char minor_ver [4] <bgcolor=cDkBlue, fgcolor=cWhite, name="Minor version"> ;
uint comp_brands[(size - sizeof(size) - sizeof(type) - sizeof(major_brand) -
sizeof(minor_ver)) / 4] <name = "Compatible brands",
comment = brandName, open=true>;
} else if (Memcmp(type.text, "moov", 4) == 0) {
pos = FTell();
while(FTell() < pos + size - sizeof(size) - sizeof(type))
struct _box2 {
uint size <hidden=true>;
_typ type <bgcolor=cLtRed, fgcolor=cWhite, name="Box Type", open=false,
name =typeString/*, comment=typeFullName*/>;
if (Memcmp(type.text, "mvhd", 4) == 0) {
char version <hidden=true>;
char flags[3] <hidden=true>;
uint crTime <bgcolor=cLtGreen, fgcolor=cBlack, name="Creation Time", open=false>;
uint mdTime <bgcolor=cPurple, fgcolor=cWhite, name="Modification Time", open=false>;
uint tmScale <name="Time scale",comment="Number of units per 1 second">;
uint duration <name="Duration", comment="In units defined in the previous field">;
char rest[size - sizeof(size) - sizeof(type) - sizeof(version) -
sizeof(flags) - sizeof(crTime) - sizeof(mdTime) -
sizeof(tmScale) - sizeof(duration)];
} else if (Memcmp(type.text, "trak", 4) == 0) {
pos2 = FTell();
while(FTell() < pos2 + size - sizeof(size) - sizeof(type))
struct _box3 {
uint size <hidden=true>;
_typ type <bgcolor=cLtRed, fgcolor=cWhite, name="Box Type", open=false,
name = typeString/*, comment=typeFullName*/>;
if (Memcmp(type.text, "tkhd", 4) == 0) {
char version <hidden=true>;
char flags[3] <hidden=true>;
uint crTime <bgcolor=cLtGreen, fgcolor=cBlack, name="Creation Time", open=false>;
uint mdTime <bgcolor=cPurple, fgcolor=cWhite, name="Modification Time", open=false>;
uint trkID < name="Track ID", open=false>;
uint reserv <hidden = true, name="Reserved">;
uint duration < name="Duration", open=false>;
char rest[size - sizeof(size) - sizeof(type) - sizeof(version) -
sizeof(flags) - sizeof(crTime) - sizeof(mdTime) -
sizeof(trkID) - sizeof(reserv) - sizeof(duration)];
} else if (Memcmp(type.text, "edts", 4) == 0) {
struct _box4 {
uint size <hidden=true>;
_typ type <bgcolor=cLtRed, fgcolor=cWhite, name="Box Type", open=false,
name = typeString>;
char version <hidden=true>;
char flags[3] <hidden=true>;
uint entrs<name ="Number of entries">;
struct {
uint trDuration <name="Track duration">;
uint mediaTime <name="Media time">;
uint mediaRate <name="Media rate">;
} entry[entrs] <open=true>;
} box <optimize=false, open=true, comment=boxName4>;
} else
char rest[size - sizeof(size) - sizeof(type)];
} box <optimize=false, open=true, comment=boxName3>;
} else
char rest[size - sizeof(size) - sizeof(type)];
} box <optimize=false, open=true, comment=boxName2>;
} else
char rest[size - sizeof(size) - sizeof(type)];
} box <optimize=false, open=true, comment=boxName>;
}
string boxName(_box& box) {
return box.type.text + " (" + typeFullName(box.type) + ")";;
}
string boxName2(_box2& box) {
return box.type.text + " (" + typeFullName(box.type) + ")";
}
string boxName3(_box3& box) {
return box.type.text + " (" + typeFullName(box.type) + ")";
}
string boxName4(_box4& box) {
return box.type.text + " (" + typeFullName(box.type) + ")";
}
string brandName(uint brand) {
local char text[4];
local int i;
for (i = 0; i < 4; ++i)
text[i] = brand >> 8 * (3 - i) & 0xFF;
return text;
}
// string boxName5(_box5& box) {
// return box.type.text + " (" + typeFullName(box.type) + ")";
// }
// local int i;
// struct DATABLOCK {
// int dataID;
// uchar dataArray[16];
// };
// pos = FTell(); // save read position
// for( i = 0; i < 4; i++ ) {
// DATABLOCK data <read=ReadDataBlock>;
// }
// FSeek( pos ); // restore read position
//
// // Custom read function
// string ReadDataBlock( DATABLOCK &d )
// {
// // string str;
// // SPrintf( str, "ID = '%d'", d.dataID );
// FTell( box[i].type] );
// return str;
// }

846
cparser/MachOTemplate.bt Normal file
View File

@ -0,0 +1,846 @@
//--------------------------------------
//--- 010 Editor v3.2.2 Binary Template
//
// File: MachOTemplate.bt
// Author: Tim "diff" Strazzere <diff@lookout.com> <strazz@gmail.com>
// Revision: 1.1
// Purpose: Quick template for parsing Macho-o binaries, pretty much fully working!
//--------------------------------------
//
// Version 1.1
// - Minimum version load command now properly outputs the format for better readability
// - Added a readvalue function for the header, helps understand headers at a glance
//
// Version 1.0
// - Correctly parses FAT headers and will continue to parse the rest of the combined
// binary
// - Added many todo's to make the output more pretty
// - Fixed some broken LoadCommands (64bit ones mainly), will gracefully fail if unknown
// LoadCommand is hit
// - Found some bugs in 010Editor and added fixes to try to avoid those
//
// Version 0.1
// - First stab it this, lots of issues - FAT binaries don't work at all
//
// Known issues:
// - Needs optimized structures otherwise anything of a decent size will kill it
// (Related to an 010Editor template bug)
//
// Mach-o's should be Little Endian only -- except for the fat_header/fat_arch LittleEndian();
typedef enum <uint> {
MACHO_32 = 0xFEEDFACE, // 32-bit mach object file
MACHO_64 = 0xFEEDFACF, // 64-bit mach object file
MACHO_FAT = 0xCAFEBABE, // Universal object file / FAT_MAGIC
MACHO_FAT_CIGAM = 0xBEBAFECA
} Magic <format=hex>;
#define CPU_ARCH_MASK 0xff000000
#define CPU_ARCH_ABI64 0x01000000
// This looks ugly due to a limitation (bug?) in 010Editor template processing,
// basically we're unable to define more constant using other constants - it doesn't
// see them as already being processed when trying to define others (though it won't
// error on this until it hits this when trying to access that constant)
#define CPU_TYPE_X86 0x7
#define CPU_TYPE_I386 0x7 // CPU_TYPE_X86
#define CPU_TYPE_X86_64 (0x7 | 0x01000000) // (CPU_TYPE_X86 | CPU_ARCH_ABI64)
#define CPU_TYPE_POWERPC 0x12
#define CPU_TYPE_POWERPC64 (0x12 | 0x01000000) // (CPU_TYPE_POWERPC | CPU_ARCH_ABI64)
#define CPU_TYPE_ARM 0xC
typedef enum <uint> {
MACH_OBJECT = 0x1,
MACH_EXECUTE = 0x2,
MACH_FVMLIB = 0x3,
MACH_CORE = 0x4,
MACH_PRELOAD = 0x5,
MACH_DYLIB = 0x6,
MACH_DYLINKER = 0x7,
MACH_BUNDLE = 0x8,
MACH_DYLIB_STUB = 0x9,
MACH_DSYM = 0xA,
MACH_KEXT_BUNDLE = 0xB,
} FileType;
typedef enum <uint> {
i386_THREAD_STATE = 0x1,
i386_FLOAT_STATE = 0x2,
i386_EXCEPTION_STATE = 0x3
} i386ThreadFlavor <format=hex>;
typedef struct {
uint32 eax <format=hex>;
uint32 ebx <format=hex>;
uint32 ecx <format=hex>;
uint32 edx <format=hex>;
uint32 edi <format=hex>;
uint32 esi <format=hex>;
uint32 ebp <format=hex>;
uint32 esp <format=hex>;
uint32 ss <format=hex>;
uint32 eflags <format=hex>;
uint32 eip <format=hex>;
uint32 cs <format=hex>;
uint32 ds <format=hex>;
uint32 es <format=hex>;
uint32 fs <format=hex>;
uint32 gs <format=hex>;
} i386ThreadState;
typedef enum <uint> {
x86_THREAD_STATE32 = 0x1,
x86_FLOAT_STATE32 = 0x2,
x86_EXCEPTION_STATE32 = 0x3,
x86_THREAD_STATE64 = 0x4,
x86_FLOAT_STATE64 = 0x5,
x86_EXCEPTION_STATE64 = 0x6,
x86_THREAD_STATE = 0x7,
x86_FLOAT_STATE = 0x8,
x86_EXCEPTION_STATE = 0x9,
x86_DEBUG_STATE32 = 0xA,
x86_DEBUG_STATE64 = 0xB,
x86_DEBUG_STATE = 0xC,
THREAD_STATE_NONE = 0xD
} x86ThreadFlavor <format=hex>;
typedef struct {
uint64 rax <format=hex>;
uint64 rbx <format=hex>;
uint64 rcx <format=hex>;
uint64 rdx <format=hex>;
uint64 rdi <format=hex>;
uint64 rsi <format=hex>;
uint64 rbp <format=hex>;
uint64 rsp <format=hex>;
uint64 r8 <format=hex>;
uint64 r9 <format=hex>;
uint64 r10 <format=hex>;
uint64 r11 <format=hex>;
uint64 r12 <format=hex>;
uint64 r13 <format=hex>;
uint64 r14 <format=hex>;
uint64 r15 <format=hex>;
uint64 rip <format=hex>;
uint64 rflags <format=hex>;
uint64 cs <format=hex>;
uint64 fs <format=hex>;
uint64 gs <format=hex>;
} x86ThreadState;
typedef enum <uint> {
PPC_THREAD_STATE = 0x1,
PPC_FLOAT_STATE = 0x2,
PPC_EXCEPTION_STATE = 0x3,
PPC_VECTOR_STATE = 0x4,
PPC_THREAD_STATE64 = 0x5,
PPC_EXCEPTION_STATE64 = 0x6
} PPCThreadFlavor <format=hex>;
typedef struct {
uint32 r0 <format=hex>;
uint32 r1 <format=hex>;
uint32 r2 <format=hex>;
uint32 r3 <format=hex>;
uint32 r4 <format=hex>;
uint32 r5 <format=hex>;
uint32 r6 <format=hex>;
uint32 r7 <format=hex>;
uint32 r8 <format=hex>;
uint32 r9 <format=hex>;
uint32 r10 <format=hex>;
uint32 r11 <format=hex>;
uint32 r12 <format=hex>;
uint32 r13 <format=hex>;
uint32 r14 <format=hex>;
uint32 r15 <format=hex>;
uint32 r16 <format=hex>;
} ARMThreadState;
typedef struct {
uint32 __srr0 <comment="Instruction address register (PC)">;
uint32 __srr1 <comment="Machine state register (supervisor)">;
uint32 __r0;
uint32 __r1;
uint32 __r2;
uint32 __r3;
uint32 __r4;
uint32 __r5;
uint32 __r6;
uint32 __r7;
uint32 __r8;
uint32 __r9;
uint32 __r10;
uint32 __r11;
uint32 __r12;
uint32 __r13;
uint32 __r14;
uint32 __r15;
uint32 __r16;
uint32 __r17;
uint32 __r18;
uint32 __r19;
uint32 __r20;
uint32 __r21;
uint32 __r22;
uint32 __r23;
uint32 __r24;
uint32 __r25;
uint32 __r26;
uint32 __r27;
uint32 __r28;
uint32 __r29;
uint32 __r30;
uint32 __r31;
uint32 __cr <comment="Condition register">;
uint32 __xer <comment="User's integer exception register">;
uint32 __lr <comment="Link register">;
uint32 __ctr <comment="Count register">;
uint32 __mq <comment="MQ Register (601 only)">;
uint32 __vrsave <comment="Vector save register">;
} PPCThreadState;
typedef enum <uint> {
MACH_NOUNDEFS = 0x1,
MACH_INCRLINK = 0x2,
MACH_DYLDLINK = 0x4,
MACH_BINDATLOAD = 0x8,
MACH_PREBOUND = 0x10,
MACH_SPLIT_SEGS = 0x20,
MACH_LAZY_INIT = 0x40,
MACH_TWOLEVEL = 0x80,
MACH_FORCE_FLAT = 0x100,
MACH_NOMULTIDEFS = 0x200,
MACH_NOFIXPREBINDING = 0x400,
MACH_PREBINDABLE = 0x800,
MACH_ALLMODSBOUND = 0x1000,
MACH_SUBSECTIONS_VIA_SYMBOLS = 0x2000,
MACH_CANONICAL = 0x4000,
MACH_WEAK_DEFINES = 0x8000,
MACH_BINDS_TO_WEAK = 0x10000,
MACH_ALLOW_STACK_EXECUTION = 0x20000,
MACH_ROOT_SAFE = 0x40000,
MACH_SETUID_SAFE = 0x80000,
MACH_NO_REEXPORTED_DYLIBS = 0x100000,
MACH_PIE = 0x200000,
MACH_DEAD_STRIPPABLE_DYLIB = 0x400000,
MACH_HAS_TLV_DESCRIPTORS = 0x800000,
MACH_NO_HEAP_EXECUTION = 0x1000000
} Flags;
typedef struct {
uint32 cpu_type <comment="CPU specifier", format=hex>;
// TODO : Extract out capabilities here
uint32 cpu_sub_type <comment="Machine specifier", format=hex>;
uint32 file_offset <comment="Offset of header in file">;
uint32 size <comment="Size of object file">;
uint32 align <comment="alignment as a power of two">;
} Fat_Arch;
typedef struct {
Magic magic <comment="Magic bytes for the file">;
if(magic == MACHO_FAT || magic == MACHO_FAT_CIGAM) {
// Need to switch to BigEndian!
BigEndian();
uint32 fat_arch_size <comment="Number of fat_arch structs">;
Fat_Arch fat_arch[fat_arch_size];
// Switch back to LittleEndian for rest of parsing
LittleEndian();
} else {
uint32 cpu_type <comment="CPU specifier", format=hex>;
uint32 cpu_sub_type <comment="Machine specifier", format=hex>;
FileType file_type;
uint32 num_load_commands;
uint32 size_of_load_commands;
Flags flags;
}
if(magic == MACHO_64) {
uint32 reserved;
}
} Header <read=HeaderRead>;
string HeaderRead(Header &header) {
local string header_string;
switch(header.magic) {
case MACHO_FAT :
case MACHO_FAT_CIGAM :
header_string = "FAT header";
break;
case MACHO_32 :
header_string = "32bit Mach-O header";
break;
case MACHO_64 :
header_string = "64bit Mach-O header";
break;
default :
header_string = "Unknown header!";
}
return header_string;
}
#define REQ_DYLD (0x80000000)
typedef enum <uint> {
SEGMENT = 0x1,
SYM_TAB = 0x2,
SYM_SEG = 0x3,
THREAD = 0x4,
UNIX_THREAD = 0x5,
LOAD_FVM_LIB = 0x6,
ID_FVM_LIB = 0x7,
IDENT = 0x8,
FVM_FILE = 0x9,
PREPAGE = 0xA,
DY_SYM_TAB = 0xB,
LOAD_DYLIB = 0xC,
ID_DYLIB = 0xD,
LOAD_DYLINKER = 0xE,
ID_DYLINKER = 0xF,
PREBOUND_DYLIB = 0x10,
ROUTINES = 0x11,
SUB_FRAMEWORK = 0x12,
SUB_UMBRELLA = 0x13,
SUB_CLIENT = 0x14,
SUB_LIBRARY = 0x15,
TWOLEVEL_HINTS = 0x16,
PREBIND_CKSUM = 0x17,
LOAD_WEAK_DYLIB = 0x18 | REQ_DYLD,
SEGMENT_64 = 0x19,
ROUTINES_64 = 0x1A,
UUID = 0x1B,
RPATH = 0x1C | REQ_DYLD,
CODE_SIGNATURE = 0x1D,
SEGMENT_SPLIT_INFO = 0x1E,
REEXPORT_DYLIB = 0x1F | REQ_DYLD,
LAZY_LOAD_DYLIB = 0x20,
ENCRYPTION_INFO = 0x21,
DYLD_INFO = 0x22,
DYLD_INFO_ONLY = 0x22 | REQ_DYLD,
LOAD_UPWARD_DYLIB = 0x23 | REQ_DYLD,
VERSION_MIN_MAC_OSX = 0x24,
VERSION_MIN_IPHONE_OS = 0x25,
FUNCTION_STARTS = 0x26,
DYLD_ENVIRONMENT = 0x27,
MAIN = 0x28,
DATA_IN_CODE = 0x29,
SOURCE_VERSION = 0x2A,
DYLIB_CODE_SIGN_DRS = 0x2B
} LoadCommandType <read=LoadCommandTypeRead>;
string LoadCommandTypeRead(LoadCommandType &loadCommandType) {
switch(loadCommandType) {
case SEGMENT :
return "SEGMENT";
case SYM_TAB :
return "SYM_TAB";
case SYM_SEG :
return "SYM_SEG";
case THREAD :
return "THREAD";
case UNIX_THREAD :
return "UNIX_THREAD";
case LOAD_FVM_LIB :
return "LOAD_FVM_LIB";
case ID_FVM_LIB :
return "ID_FVM_LIB";
case IDENT :
return "IDENT";
case FVM_FILE :
return "FVM_FILE";
case PREPAGE :
return "PREPAGE";
case DY_SYM_TAB :
return "DY_SYM_TAB";
case LOAD_DYLIB :
return "LOAD_DYLIB";
case ID_DYLIB :
return "ID_DYLIB";
case LOAD_DYLINKER :
return "LOAD_DYLINKER";
case ID_DYLINKER :
return "ID_DYLINKER";
case PREBOUND_DYLIB :
return "PREBOUND_DYLIB";
case ROUTINES :
return "ROUTINES";
case SUB_FRAMEWORK :
return "SUB_FRAMEWORK";
case SUB_UMBRELLA :
return "SUB_UMBRELLA";
case SUB_CLIENT :
return "SUB_CLIENT";
case SUB_LIBRARY :
return "SUB_LIBRARY";
case TWOLEVEL_HINTS :
return "TWOLEVEL_HINTS";
case PREBIND_CKSUM :
return "PREBIND_CKSUM";
case LOAD_WEAK_DYLIB :
return "LOAD_WEAK_DYLIB";
case SEGMENT_64 :
return "SEGMENT_64";
case ROUTINES_64 :
return "ROUTINES_64";
case UUID :
return "UUID";
case RPATH :
return "RPATH";
case CODE_SIGNATURE :
return "CODE_SIGNATURE";
case SEGMENT_SPLIT_INFO :
return "SEGMENT_SPLIT_INFO";
case REEXPORT_DYLIB :
return "REEXPORT_DYLIB";
case LAZY_LOAD_DYLIB :
return "LAZY_LOAD_DYLIB";
case ENCRYPTION_INFO :
return "ENCRYPTION_INFO";
case DYLD_INFO :
return "DYLD_INFO";
case DYLD_INFO_ONLY :
return "DYLD_INFO_ONLY";
case LOAD_UPWARD_DYLIB :
return "LOAD_UPWARD_DYLIB";
case VERSION_MIN_MAC_OSX :
return "VERSION_MIN_MAC_OSX";
case VERSION_MIN_IPHONE_OS :
return "VERSION_MIN_IPHONE_OS";
case FUNCTION_STARTS :
return "FUNCTION_STARTS";
case DYLD_ENVIRONMENT :
return "DYLD_ENVIRONMENT";
case MAIN :
return "MAIN";
case DATA_IN_CODE :
return "DATA_IN_CODE";
case SOURCE_VERSION :
return "SOURCE_VERSION";
case DYLIB_CODE_SIGN_DRS :
return "DYLIB_CODE_SIGN_DRS";
default :
return "Error";
}
}
typedef struct {
char section_name[16];
char segment_name[16];
uint32 address <format=hex>;
uint32 size <format=hex>;
uint32 offset;
uint32 section_alignment;
uint32 relocation_entry_offset;
uint32 number_of_relocation_entries;
uint32 flags <format=hex>;
uint32 reserved1;
uint32 reserved2;
} Section <optimize=false>;
typedef struct {
char section_name[16];
char segment_name[16];
uint64 address <format=hex>;
uint64 size <format=hex>;
uint64 offset;
uint32 section_alignment;
uint32 relocation_entry_offset;
uint32 number_of_relocation_entries;
uint32 flags <format=hex>;
uint32 reserved1;
uint32 reserved2;
} Section64 <optimize=false>;
typedef uint vm_proc;
typedef enum <uint> {
HIGH_VM = 0x1,
FVM_LIB = 0x2,
NO_RELOC = 0x4,
PROTECTION_VERSION_1 = 0x8
} SegmentFlags <format=hex>;
typedef struct {
uint32 load_command_string_offset <comment="Offset in respect to the start of load command to string data">;
local int64 pos = FTell();
// We need to goto beginning of LoadCommand, then goto the offset
FSeek(FTell() - (sizeof(uint32) * 3) + load_command_string_offset);
string string_data <comment="Load command string">;
FSeek(pos);
} LoadCommandString <read=LoadCommandStringRead>;
string LoadCommandStringRead(LoadCommandString &loadCommandString) {
return loadCommandString.string_data;
};
typedef ubyte Uuid[16] <read=UuidRead, format=hex>;
// TODO : Clean this ugly thing up
string UuidRead(Uuid uuid) {
local string ret, tmp;
local int i;
for(i = 0; i<4; i++) {
SPrintf(tmp, "%.2X", uuid[i]);
ret += tmp;
}
ret += "-";
for(i = 0; i<2; i++) {
SPrintf(tmp, "%.2X", uuid[i+4]);
ret += tmp;
}
ret += "-";
for(i = 0; i<2; i++) {
SPrintf(tmp, "%.2X", uuid[i+6]);
ret += tmp;
}
ret += "-";
for(i = 0; i<2; i++) {
SPrintf(tmp, "%.2X", uuid[i+8]);
ret += tmp;
}
ret += "-";
for(i = 0; i<6; i++) {
SPrintf(tmp, "%.2X", uuid[i+10]);
ret += tmp;
}
return ret;
}
typedef struct {
uint32 version;
} Version <read=VersionRead>;
string VersionRead(Version &version) {
local string version_string;
if(version.version & 0xFF == 0) {
SPrintf(version_string, "%u.%u", version.version >> 16, (version.version >> 8) & 0xFF);
} else {
SPrintf(version_string, "%u.%u.%u", version.version >> 16, (version.version >> 8) & 0xFF, version.version & 0xFF);
}
return version_string;
}
typedef struct {
//LoadCommandHead loadCommandHead <comment="Load command type and size">;
LoadCommandType command;
uint command_size;
// Process rest of load command based on command type
switch(command) {
case ID_DYLIB :
case LOAD_DYLIB :
case LOAD_WEAK_DYLIB :
case REEXPORT_DYLIB :
LoadCommandString name;
// TODO : Pretty print this
uint32 timestamp;
// TODO : Pretty print this
uint32 current_version;
// TODO : Pretty print this
uint32 compatibility_version;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 6));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SYM_TAB :
uint32 symbol_table_offset <comment="Symbol table offsett address">;
uint32 number_of_symbol_table_entries <comment="Number of symbol table entries">;
uint32 string_table_offset <comment="String table offset">;
uint32 string_table_size <comment="String table size in bytes">;
break;
case DYLD_INFO :
case DYLD_INFO_ONLY :
uint32 rebase_offset;
uint32 rebase_size;
uint32 bind_offset;
uint32 bind_size;
uint32 weak_bind_offset;
uint32 weak_bind_size;
uint32 lazy_bind_offset;
uint32 lazy_bind_size;
uint32 export_offset;
uint32 export_size;
break;
case DY_SYM_TAB :
uint32 index_local_symbols;
uint32 local_symbols_size;
uint32 index_externally_defined_symbols;
uint32 externally_defined_symbols_size;
uint32 index_undefined_symbols;
uint32 undefined_symbols_size;
uint32 table_contents_offset;
uint32 enteries_toc_size;
uint32 file_offset_module_table;
uint32 module_table_entries_size;
uint32 external_references_symbol_table_offset;
uint32 external_references_symbol_table_size;
uint32 indirect_symbol_table_offset;
uint32 indirect_symbol_table_size;
uint32 external_relocation_entries_offset;
uint32 external_relocation_entries_size;
uint32 local_relocation_entries_offset;
uint32 local_relocation_entries_size;
break;
case UUID :
Uuid uuid;
break;
case VERSION_MIN_MAC_OSX :
case VERSION_MIN_IPHONE_OS :
// TODO : Pretty print this
Version version;
uint32 reserved <comment="Should be zero">;
break;
case FUNCTION_STARTS :
case CODE_SIGNATURE :
case SEGMENT_SPLIT_INFO:
case DATA_IN_CODE:
uint32 data_offset;
uint32 data_size;
break;
case UNIX_THREAD :
case THREAD :
switch(cpu_typer) {
case CPU_TYPE_X86 :
case CPU_TYPE_I386 :
i386ThreadFlavor flavor;
// TODO : Pretty print this
uint32 count;
switch(flavor) {
case i386_THREAD_STATE :
i386ThreadState threadState;
// TODO : Flesh these guys out
case i386_FLOAT_STATE :
case i386_EXCEPTION_STATE :
}
break;
case CPU_TYPE_X86_64 :
x86ThreadFlavor flavor;
// TODO : Pretty print this
uint32 count;
switch(flavor) {
case x86_THREAD_STATE64 :
x86ThreadState threadState;
break;
// TODO : Flesh these guys out
case x86_FLOAT_STATE64 :
case x86_EXCEPTION_STATE64 :
case x86_DEBUG_STATE64 :
}
break;
case CPU_TYPE_POWERPC :
case CPU_TYPE_POWERPC64 :
PPCThreadFlavor flavor;
// TODO : Pretty print this
uint32 count;
switch(flavor) {
case PPC_THREAD_STATE :
PPCThreadState threadState;
break;
// TODO : Flesh these guys out
case PPC_FLOAT_STATE :
case PPC_EXCEPTION_STATE :
case PPC_VECTOR_STATE :
case PPC_THREAD_STATE64 :
case PPC_EXCEPTION_STATE64 :
}
break;
case CPU_TYPE_ARM :
// TODO: Unsure if this is correct ?
// uint32 flavor;
// uint32 count;
ARMThreadState threadState;
break;
}
break;
case FVM_LIB :
case ID_FVM_LIB :
LoadCommandString name <comment="Fixed virtual memory library's target path name">;
uint32 minor_version <comment="Library's minor version number">;
uint32 header_address <comment="Library's header address">;
// Reposition(command_size, sizeof(uint32) * 5);
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 5));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SUB_FRAMEWORK :
LoadCommandString umbrella <comment="Umbrella framework name">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SUB_CLIENT :
LoadCommandString client <comment="Client name">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SUB_UMBRELLA :
LoadCommandString sub_umbrella <comment="Sub umbrella framework name">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SUB_LIBRARY :
LoadCommandString sub_library <comment="Sub library name">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case PREBOUND_DYLIB :
LoadCommandString name <comment="Library's path name">;
uint32 modules_size <comment="Number of modules inside library">;
LoadCommandString linked_modules <comment="Bit vector of linked modules">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 5));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case ID_DYLINKER :
case LOAD_DYLINKER :
LoadCommandString name <comment="Dynamic linker's path name">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case ROUTINES_64 :
uint64 init_address <comment="Address of initialization routine">;
uint64 init_module <comment="Index into module table that init routine is defined">;
uint32 reversed_1;
uint32 reversed_2;
uint32 reversed_3;
uint32 reversed_4;
uint32 reversed_5;
uint32 reversed_6;
break;
case ROUTINES :
uint32 init_address <comment="Address of initialization routine">;
uint32 init_module <comment="Index into module table that init routine is defined">;
uint32 reversed_1;
uint32 reversed_2;
uint32 reversed_3;
uint32 reversed_4;
uint32 reversed_5;
uint32 reversed_6;
break;
case TWOLEVEL_HINTS :
uint32 offset <comment="Offset into the hint table">;
uint32 hints_size <comment="Number of hints inside the hints table">;
break;
case PREBIND_CKSUM :
uint32 cksum <comment="Checksum or zero">;
break;
case RPATH:
LoadCommandString path <comment="Path to add to run path">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 3));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case ENCRYPTION_INFO :
uint32 crypt_offset <comment="File offset of encrypted range">;
uint32 crypt_size <comment="File size of the encrypted range">;
uint32 crypt_id <comment="Which encryption system, 0 means not-encrypted yet">;
break;
case IDENT :
break;
case FVM_FILE :
LoadCommandString name <comment="File's pathname">;
uint32 header_address <comment="File's virtual address">;
// Seek to the beginning of the LoadCommand
FSeek(FTell() - (sizeof(uint32) * 4));
// Then skip to the end of the command based on the command_size
FSkip(command_size);
break;
case SEGMENT_64 :
char segment_name[16];
uint64 vm_address <format=hex>;
uint64 vm_size <format=hex>;
uint64 file_off;
uint64 file_size;
vm_proc maximum_protection <format=hex>;
vm_proc initial_protection <format=hex>;
uint32 number_of_sections;
// TODO : Fix this enum
SegmentFlags flags;
// Having this if statement will prevent warnings in 010Editor
if(number_of_sections > 0) {
Section64 section[number_of_sections];
}
break;
case SEGMENT :
char segment_name[16];
uint32 vm_address <format=hex>;
uint32 vm_size <format=hex>;
uint32 file_off;
uint32 file_size;
vm_proc maximum_protection <format=hex>;
vm_proc initial_protection <format=hex>;
uint32 number_of_sections;
// TODO : Fix this enum
SegmentFlags flags;
// Having this if statement will prevent warnings in 010Editor
if(number_of_sections > 0) {
Section section[number_of_sections];
}
break;
default :
Warning("Hit an unknown or unsupported load command : [%d]", command);
Exit(-1);
}
} LoadCommand <read=LoadCommandReader, optimize=false>;
string LoadCommandReader(LoadCommand &loadCommand) {
return LoadCommandTypeRead(loadCommand.command) + " load command";
}
Header header <comment="Mach-o header information">;
local uint32 cpu_typer;
if(header.magic == MACHO_32 || header.magic == MACHO_64) {
cpu_typer = header.cpu_type;
// If we didn't find a FAT header, then just process the load commands
LoadCommand loadCommand[header.num_load_commands];
} else {
// Otherwise we need to grab the new headers again
local int i;
for(i = 0; i < header.fat_arch_size; i++) {
FSeek(header.fat_arch[i].file_offset);
Header machHeader;
cpu_typer = machHeader.cpu_type;
LoadCommand loadCommand[machHeader.num_load_commands];
}
}

28
cparser/Mifare1kTemplate.bt Normal file
View File

@ -0,0 +1,28 @@
//-----------------------------------
// File: Mifare Classic 1k
// Author: Ruben Boonen (b33f)
// http://www.fuzzysecurity.com/
// Purpose: Basic Structure
//-----------------------------------
struct FILE {
struct Manufacturer_block {
char Card_UID[4] <fgcolor=cDkGreen>;
char LRC[1] <fgcolor=cDkRed>;
char Internal[11] <fgcolor=cWhite>;
char Data[32];
char Key_A[6] <bgcolor=cDkGray, fgcolor=cLtRed>;
char Access_Bits[3] <bgcolor=cDkGray, fgcolor=cWhite>;
char GPB[1] <bgcolor=cDkGray, fgcolor=cLtBlue>;
char Key_B[6] <bgcolor=cDkGray, fgcolor=cYellow>;
} manufacturer_block;
struct Sec_4blk {
char Data[48];
char Key_A[6] <bgcolor=cDkGray, fgcolor=cLtRed>;
char Access_Bits[3] <bgcolor=cDkGray, fgcolor=cWhite>;
char GPB[1] <bgcolor=cDkGray, fgcolor=cLtBlue>;
char Key_B[6] <bgcolor=cDkGray, fgcolor=cYellow>;
} sec_4blk[ 15 ];
} file <bgcolor=cSilver>;

36
cparser/Mifare4kTemplate.bt Normal file
View File

@ -0,0 +1,36 @@
//-----------------------------------
// File: Mifare Classic 4k
// Author: Ruben Boonen (b33f)
// http://www.fuzzysecurity.com/
// Purpose: Basic Structure
//-----------------------------------
struct FILE {
struct Manufacturer_block {
char Card_UID[4] <fgcolor=cDkGreen>;
char LRC[1] <fgcolor=cDkRed>;
char Internal[11] <fgcolor=cWhite>;
char Data[32];
char Key_A[6] <bgcolor=cDkGray, fgcolor=cLtRed>;
char Access_Bits[3] <bgcolor=cDkGray, fgcolor=cWhite>;
char GPB[1] <bgcolor=cDkGray, fgcolor=cLtBlue>;
char Key_B[6] <bgcolor=cDkGray, fgcolor=cYellow>;
} manufacturer_block;
struct Sec_4blk {
char Data[48];
char Key_A[6] <bgcolor=cDkGray, fgcolor=cLtRed>;
char Access_Bits[3] <bgcolor=cDkGray, fgcolor=cWhite>;
char GPB[1] <bgcolor=cDkGray, fgcolor=cLtBlue>;
char Key_B[6] <bgcolor=cDkGray, fgcolor=cYellow>;
} sec_4blk[ 31 ];
struct Sec_16blk {
char Data[240];
char Key_A[6] <bgcolor=cDkGray, fgcolor=cLtRed>;
char Access_Bits[3] <bgcolor=cDkGray, fgcolor=cWhite>;
char GPB[1] <bgcolor=cDkGray, fgcolor=cLtBlue>;
char Key_B[6] <bgcolor=cDkGray, fgcolor=cYellow>;
} sec_16blk[ 8 ];
} file <bgcolor=cSilver>;

48
cparser/NetflowVersion5.bt Normal file
View File

@ -0,0 +1,48 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File: Netflow Version 5
//
// Author: Andrew Faust
// Revision:
// Purpose: Parses a Netflow Version 5 record
//--------------------------------------
BigEndian();
struct FLOW {
struct HEADER {
ushort Version;
ushort Count;
uint SysUptime;
uint EopochSeconds;
uint NanoSeconds;
uint FlowsSeen;
byte EngineType;
byte EngineID;
char filler[2];
} header;
struct DATA {
char SourceIP[4];
char DestIP[4];
char NextHopIP[4];
ushort InSNMP;
ushort OutSNMP;
uint PacketCount;
uint ByteCount;
uint StartFlowTime;
uint EndFlowTime;
ushort SourcePort;
ushort DestPort;
char filler[1];
byte TCPFlags;
byte Protocol;
byte TypeOfService;
ushort SourceSysID;
ushort DestSysID;
byte SourceMaskBitsCount;
byte DestMaskBitsCount;
char filler2[2];
} data [ flow.header.Count ];
} flow;

56
cparser/OGGTemplate.bt Normal file
View File

@ -0,0 +1,56 @@
//--------------------------------------
//--- 010 Editor v4.0.4 Binary Template
//
// File: OGGTemplate.bt
// Author: George Woods
// Revision:
// Purpose: Parses the ogg container format.
//--------------------------------------
// ogg files can be quite large. Don't read more the 1000 pages.
local uint MAXPAGES = 1000;
typedef struct { // bmfh
CHAR CapturePattern[4];
BYTE Version;
BYTE HeaderType;
QUAD GranulePosition;
DWORD BitstreamSerial;
DWORD PageSequenceNumber;
DWORD Checksum;
UBYTE PageSegments;
// the lengths of the segments that follow
UBYTE SegmentLen[PageSegments];
// the segments themselves
local uint i;
for (i = 0; i < PageSegments; i++) {
struct {
BYTE Data[SegmentLen[i]] <bgcolor=cLtGray>;
} Segment;
}
} PAGE;
LittleEndian();
local uint currpage = 0;
while( !FEof() )
{
currpage++;
if (MAXPAGES < currpage)
{
Printf("Max Pages of %d reached!\n", maxpages);
return 0;
}
PAGE page <bgcolor=cLtBlue>;
// Check for valid header
if( page.CapturePattern != "OggS" )
{
Warning( "File is not a valid ogg file. Template stopped." );
return -1;
}
}

289
cparser/OrCAD3.20a_LIB.bt Normal file
View File

@ -0,0 +1,289 @@
//-----------------------------------
//--- 010 Editor v6.0 Binary Template
//
// File: OrCAD3.20a_LIB.bt
// Author: L. Potjewijd
// Revision: 1.21
// Date: 20150530
// Purpose: Parsing OrCad 3.20a library files
//-----------------------------------
enum <byte> YesNo {No,Yes};
enum <byte> Vtype {END,LINE,CIRCLE,TEXT,ARC,FILL};
enum <byte> ptype {IN,I_O,OUT,OC,PAS,hiZ,OE,PWR};
enum <byte> pquad {II,IV};
enum <byte> pside {Left,Right,Top,Bottom};
typedef byte bit; // just for readability
typedef struct sText
{ byte Length <hidden=true>;
if (Length > 0) char String[Length];
};
typedef struct fTxt (byte fixLen)
{ byte Length <hidden=true>;
if (Length > 0) char String[Length];
if ((fixLen > 0) && (fixLen > Length)) char filler[fixLen-Length];
};
typedef struct Coord
{ short X;
short Y;
};
typedef struct idxP
{ ushort NameOffset <format=hex>;
ushort DefOffset <format=hex>;
BigEndian();
WORD PrefixBitmap <format=binary>;
LittleEndian();
WORD unknown <format=hex>;
};
typedef struct Offsets
{ ushort offsetLarge;
ushort offsetMedium;
ushort offsetSmall;
};
typedef struct PartDet
{ BigEndian(); /*************************/
WORD raw <format=binary>; /* this is to display */
LittleEndian(); /* the 'raw' bits, too */
FSkip (-2); /*************************/
BitfieldLeftToRight();
YesNo hasConvDef : 1; // exact meaning is uncertain
bit bitE : 1 <hidden=true>;
bit bitD : 1 <hidden=true>;
ubyte subparts : 5; // maximum = 16
YesNo isGridArray : 1;
bit bit6 : 1 <hidden=true>;
bit bit5 : 1 <hidden=true>;
bit bit4 : 1 <hidden=true>;
bit bit3 : 1 <hidden=true>;
YesNo NormBitmap : 1;
YesNo ConvBitmap : 1;
bit bit0 : 1 <hidden=true>;
};
typedef struct PinDet
{ BigEndian(); /*************************/
WORD raw <format=binary>; /* this is to display */
LittleEndian(); /* the 'raw' bits, too */
FSkip (-2); /*************************/
BitfieldLeftToRight();
YesNo vertical : 1 <hidden=true>;;
byte location : 7;
ptype type : 3;
YesNo isShort : 1;
YesNo hasDOT : 1;
YesNo hasCLK : 1;
bit bit1 : 1 <hidden=true>;
pquad quadrant : 1 <hidden=true>;
local pside side = quadrant + (2 * vertical);
};
typedef struct DefPart
{ ushort Length <format=hex>;
local ushort PartStart <format=hex, hidden=true>;
local ushort PartEnd <format=hex, hidden=true>;
local ushort NextPart <format=hex, hidden=true>;
PartStart = FTell();
PartEnd = PartStart + Length - 1;
NextPart = PartEnd + 1;
short sizeX <format=decimal>;
short sizeY <format=decimal>;
PartDet PartDetails;
short PinsPerPart;
WORD unknown1 <format=hex>;
if (PartDetails.NormBitmap == Yes)
Offsets NormalBitmap;
if (PartDetails.ConvBitmap == Yes)
{ WORD unknown2 <format=hex>;
Offsets ConvertBitmap;
};
sText RefDesPrefix;
typedef struct DefPin
{ PinDet PinDetails;
sText Name;
if (PartDetails.subparts > 0)
{ if (PartDetails.isGridArray == No)
byte PinNumber[PartDetails.subparts] <optimize=false>;
else sText PinNumber[PartDetails.subparts] <optimize=false>;
};
};
if (PinsPerPart > 0)
{ DefPin NormalPin[PinsPerPart] <optimize=false>;
if (PartDetails.ConvBitmap == Yes)
{ j=0;
while ((FTell() < NextPart) && (j < PinsPerPart))
{ DefPin ConvertPin;
j++;
}
}
else j=PinsPerPart;
};
if (FTell() < NextPart)
{ Printf(" Part %i has orphaned pin definition(s).\n",i);
while (FTell() < NextPart) DefPin orphanPin;
};
if (j < PinsPerPart)
{ Printf(" Part %i has %i missing pin definition(s).\n",i,PinsPerPart-j);
FSkip (NextPart-FTell());
};
i++;
};
typedef struct BM
{ ushort Length;
ushort offsetVectormap;
byte graphic[Length-2] <format=binary>;
};
typedef struct VM
{ ushort Length;
typedef struct VecDef
{ Vtype Type;
switch (Type)
{ case END : break;
case LINE : {Coord start;
Coord finish; break;}
case CIRCLE : {Coord center;
short radius; break;}
case TEXT : {Coord origin;
ubyte size;
sText text; break;}
case ARC : {Coord center;
Coord start;
Coord finish;
short radius; break;}
case FILL : {Coord location; break;}
default : {Printf (" Unknown vector type %i at 0x%X\n",Type,FTell());
return -1;}
};
};
do VecDef Vector;
while (Vector.Type != END);
};
void SORTlist (int start, int finish) // Qsort routine
{ local int left = start;
local int right = finish;
local ushort pivot = list[((start+finish)/2)];
local ushort temp;
do
{ while (left <= right)
{ while (list[left] < pivot) left++;
while (list[right] > pivot) right--;
if (left <= right)
{ temp=list[left]; list[left]=list[right]; list[right]=temp;
left++;
right--;
}; //if
}; //while
if (start < right) SORTlist(start,right);
if (left < finish) SORTlist(left,finish);
} while (left <= right);
};
// ***************************************************************************
LittleEndian();
// header section
struct HeaderDef
{ struct IDstring
{ char text[14]; // "LIBRARY OBJECT"
char term[3]; // #13, #10, #26
} head;
if (head.text != "LIBRARY OBJECT")
{ Warning("\nFile is not an OrCAD library file.\n");
Exit (-1);
};
byte filler[8];
ushort IndexOffset; // may be something else
int idxLength <format=hex>;
} HEADER;
local int entries <hidden=true>;
entries = HEADER.idxLength / 8;
local int parts <hidden=true>;
parts = entries-1;
local ushort list[entries] <hidden=true>;
local int i <hidden=true>;
local int j <hidden=true>;
local int k <hidden=true>;
//index section
struct IndexDef
{ idxP Pointer[entries] <format=hex>;
sText Name[entries] <format=hex, optimize=false>;
} INDEX;
for ( k=0; k < entries; k++ )
list[k]=INDEX.Pointer[k].DefOffset; // copy definition offsets
SORTlist (0,parts);
list[parts]=0; // mark end of list
for ( i=0; i < entries-1; i++ ) // hunt for doubles
{ j=i+1;
while ((list[i]==list[j]) && (j <= parts))
j++; // count doubles to move
if ((j <= parts) && (j > i+1))
while (j > i+1) // found doubles to shift
{ for ( k=i+1; k < parts; k++ )
list[k]=list[k+1]; // shift values
list[k]=0; // mark new end
j--;
parts--; // reduce search length
};
};
Printf("\nIndex has %i entries, %i distinct parts.\n",entries,parts);
// prefix section
struct PrefixDef
{ DWORD unknown[16] <format=hex>;
fTxt LEFT(7)[16];
fTxt RIGHT(7)[16];
} PREFIX;
// part definitions
local uint PartSecStart <format=hex, hidden=true>;
PartSecStart = FTell();
ushort PartSectionLength <format=hex>;
local uint PartSecEnd <format=hex, hidden=true>;
PartSecEnd = FTell() + PartSectionLength -1;
Printf ("Part section has %i bytes (0x%X-0x%X)\n",PartSectionLength,PartSecStart,PartSecEnd);
i=0;
while (FTell() < PartSecEnd) DefPart Part;
// bitmap section
local uint BitmapSecStart <format=hex, hidden=true>;
BitmapSecStart = FTell();
ushort BitmapSectionLength <format=hex>;
local uint BitmapSecEnd <hidden=true>;
BitmapSecEnd = FTell() + BitmapSectionLength -1;
Printf ("Bitmap section has %i bytes (0x%X-0x%X)\n",BitmapSectionLength,BitmapSecStart,BitmapSecEnd);
while (FTell() < BitmapSecEnd) BM Bitmap;
// vector section
local uint VecSecStart <format=hex, hidden=true>;
VecSecStart = FTell();
ushort VectorSectionLength <format=hex>;
local uint VecSecEnd <hidden=true>;
VecSecEnd = FTell() + VectorSectionLength -1;
Printf ("Vector section has %i bytes (0x%X-0x%X)\n",VectorSectionLength,VecSecStart,VecSecEnd);
while (FTell() < VecSecEnd) VM VectorSet;
// sheetpath index
local uint SheetIndexStart <format=hex, hidden=true>;
SheetIndexStart = FTell();
Printf ("Sheetpath index starts at 0x%X\n",SheetIndexStart);
ushort SheetpathIndex[entries];
// sheetpath section
ushort SheetSectionLength;
local uint SheetSectionStart <format=hex, hidden=true>;
SheetSectionStart = FTell();
local uint SheetSecEnd <hidden=true>;
SheetSecEnd = FTell() + SheetSectionLength -1;
Printf ("Sheetpath section starts at 0x%X\n",SheetSectionStart);
while (FTell() < SheetSecEnd) sText Sheetpath;
if (!FEof()) Printf("Found extra bytes at end of file.");

245
cparser/OrCad3.20a_SCH.bt Normal file
View File

@ -0,0 +1,245 @@
//-----------------------------------
//--- 010 Editor v6.0 Binary Template
//
// File: OrCad3.20a_SCH.bt
// Author: L. Potjewijd
// Revision: 1.20
// Date: 20150531
// Purpose: Parsing OrCad 3.20a schematic files
//-----------------------------------
enum <ubyte> fType {BLOCK,WORKSHEET};
enum <ubyte> YesNo {no,yes};
enum <ubyte> paper {OrcadA,OrcadB,OrcadC,OrcadD,OrcadE};
enum <ubyte> rotate {none,CCW_90,CCW_180,CCW_270};
enum <ubyte> primT {dwgDetails,sheet,part,line,bus,junction,modulePort,label,busEntry,dashedLine,powerSymbol,text,EndOfList=0x0f};
enum <ubyte> IOtype {UNSPEC,OUTPUT,INPUT,BIDIR};
enum <ubyte> Pstyle {block,pointL,pointR,pointLR};
enum <ubyte> side {left,right,top,bottom};
enum <ubyte> PStype {circle,arrow,bar,wave};
enum <ubyte> align {centered,just_left,just_right};
enum <ubyte> Btype {downleft,upleft};
typedef byte bit; // just for readability
typedef struct sText
{ byte Length <hidden=true>;
if (Length > 0) char String[Length];
};
typedef struct fTxt (byte fixLen)
{ byte Length <hidden=true>;
if (Length > 0) char String[Length];
if ((fixLen > 0) && (fixLen > Length)) char filler[fixLen-Length];
};
typedef struct Coord
{ short X;
short Y;
};
typedef struct PartField
{ Coord Location;
sText Value;
};
typedef struct IDstring
{ char text[14]; // "Schematic FILE"
char terminator[3]; // #13, #10, #26
};
typedef struct hdrDet
{ IDstring head;
if (head.text != "Schematic FILE")
{ Warning("File is not recognized as an OrCAD schematic file.");
return -1;
}
ubyte tail[5];
int primitiveSectionLength <format=hex>;
Coord cursor;
ushort zoom;
};
typedef struct pP00 // TITLEBLOCK
{ ushort sheetNumber;
ushort ofSheets;
paper PaperSize;
fTxt DocDate(12);
fTxt DocNumber(36);
fTxt RevNumber(3);
fTxt Title(44);
fTxt Organisation(44);
fTxt AddressLine(44)[4] <optimize=false>; // for readability
};
typedef struct pP01 // SHEET
{ local int i <hidden=true>;
Coord Location;
Coord Size;
ubyte unknown[4];
ubyte Ports;
sText FileName;
sText SheetName;
for ( i=0 ; i < Ports ; i++ )
struct PortDef
{ short NameXoffset;
short PortYoffset;
IOtype Type;
sText Name;
} Port;
};
typedef struct pP02 // PART
{ Coord Location;
Coord RefDesLocation;
Coord ValueLocation;
struct PartDet1
{ ubyte raw <format=binary>;/* this is to display */
FSkip (-1); /* the 'raw' bits, too */
BitfieldLeftToRight();
YesNo mirror : 1;
rotate rotation : 2;
byte subpackage : 5;
} Details;
struct PartDet2
{ BigEndian(); /*************************/
ushort raw <format=binary>;/* this is to display */
LittleEndian(); /* the 'raw' bits, too */
FSkip (-2); /*************************/
BitfieldLeftToRight();
bit bitF : 1 <hidden=true>;
YesNo XtraFields : 1;
bit bitD : 1 <hidden=true>;
bit bitC : 1 <hidden=true>;
bit bitB : 1 <hidden=true>;
YesNo HideValue : 1;
YesNo HideRefDes : 1;
bit bit8 : 1 <hidden=true>;
YesNo HideField8 : 1;
YesNo HideField7 : 1;
YesNo HideField6 : 1;
YesNo HideField5 : 1;
YesNo HideField4 : 1;
YesNo HideField3 : 1;
YesNo HideField2 : 1;
YesNo HideField1 : 1;
} Visibility;
ubyte unknown[13] <format=hex>;
sText RefDes;
sText PartValue;
if (Visibility.XtraFields == yes)
PartField Xfield[8] <optimize=false>;
};
typedef struct pP03 // LINE, BUS or DASHED LINE
{ Coord Start;
Coord End;
};
typedef struct pP05 // JUNCTION
{ Coord Location;
};
typedef struct pP06 // MOD_PORT
{ Coord Location;
struct PortDet
{ ubyte MinLength;
ubyte raw <format=binary>;// this is to display //
FSkip (-1); // the 'raw' bits, too //
BitfieldLeftToRight();
IOtype PortType : 2;
Pstyle PortStyle : 2;
bit bit3 : 1 <hidden=true>;
bit bit2 : 1 <hidden=true>;
bit bit1 : 1 <hidden=true>;
bit bit0 : 1 <hidden=true>;
} Details;
sText PortName ;
};
typedef struct pP07 // LABEL or TEXT
{ Coord Location;
short rawSize <hidden=true>;
local ushort Size = Abs(rawSize);
local YesNo Vertical = (rawSize < 0);
sText Name;
};
typedef struct pP08 // BUS_ENTRY
{ Coord Location;
struct BusDet
{ ubyte raw <format=binary>;// this is to display //
FSkip (-1); // the 'raw' bits, too //
BitfieldLeftToRight();
bit bit7 : 1 <hidden=true>;
bit bit6 : 1 <hidden=true>;
bit bit5 : 1 <hidden=true>;
bit bit4 : 1 <hidden=true>;
bit bit3 : 1 <hidden=true>;
bit bit2 : 1 <hidden=true>;
YesNo isBusType : 1;
Btype direction : 1;
} Details;
};
typedef struct pP0A // PWR_SYM
{ Coord Location;
struct PSDet
{ ubyte raw <format=binary>;// this is to display //
FSkip (-1); // the 'raw' bits, too //
BitfieldLeftToRight();
bit bit7 : 1 <hidden=true>;
bit bit6 : 1 <hidden=true>;
bit bit5 : 1 <hidden=true>;
bit bit4 : 1 <hidden=true>;
side Orientation : 2;
PStype Shape : 2;
} Details;
sText Name;
};
typedef struct Element // the actual displayable items
{ primT Type <hidden=true>;
ushort DataLength <hidden=true>;
switch ( Type )
{ case 0x00 : {pP00 TITLE_BLOCK;break;}
case 0x01 : {pP01 SHEET; break;}
case 0x02 : {pP02 PART; break;}
case 0x03 : {pP03 LINE; break;}
case 0x04 : {pP03 BUS; break;}
case 0x05 : {pP05 JUNCTION; break;}
case 0x06 : {pP06 MOD_PORT; break;}
case 0x07 : {pP07 LABEL; break;}
case 0x08 : {pP08 BUS_ENTRY; break;}
case 0x09 : {pP03 DASH_LINE; break;}
case 0x0a : {pP0A PWR_SYM; break;}
case 0x0b : {pP07 TEXT; break;}
case 0x0f : {/* End Of List */ break;}
case 0x11 : {pP01 bSHEET; break;}
case 0x12 : {pP02 bPART; break;}
case 0x13 : {pP03 bLINE; break;}
case 0x14 : {pP03 bBUS; break;}
case 0x15 : {pP05 bJUNCTION; break;}
case 0x16 : {pP06 bMOD_PORT; break;}
case 0x17 : {pP07 bLABEL; break;}
case 0x18 : {pP08 bBUS_ENTRY; break;}
case 0x19 : {pP03 bDASH_LINE; break;}
case 0x1a : {pP0A bPWR_SYM; break;}
case 0x1b : {pP07 bTEXT; break;}
default : { Printf ("Unknown primitive: %x, ",Type);
return (-1);
}
}
};
// ***************************************************************************
hdrDet HEADER;
do
{ Element primitive;
}
while ( primitive.Type != EndOfList );
while ( !FEof() )
{ sText part;
}

118
cparser/OscarItemTemplate.bt Normal file
View File

@ -0,0 +1,118 @@
//--------------------------------------
//--- 010 Editor v5.0.2 Binary Template
//
// File: OscarItemTemplate.bt
// Author:
// Revision:1.0
// Purpose: Template for binary journal
// file used in AppleOne POS.
//--------------------------------------
while( !FEof() ){
struct RECORD {
char type;
if (r.type == 'A'){
char unused <bgcolor=0xff0000>;
short empNum;
int ssn;
short checkNum;
short tableNum;
short calcGuestCt;
short openTime;
short flagDeleted;
short unused2;
short pullBack;
short itemCt;
short guestCt;
short takeoutTicket;
int csiNumber;
char junk[22];
} else { if (r.type == 'B'){
char unused <bgcolor=0xdddd00>;
short empNum;
int ssn;
short itemNum;
short deptCat;
short priceGrp;
int price;
int tax1Amt;
int tax2Amt;
short quantity;
short taxStatusAcct;
short specUserId;
int plu;
int managerSsn;
short orderTime;
byte seatNum;
byte priceCode;
byte xxExpansion;
byte itemType;
int reductionCode;
int postPrice;
} else { if (r.type == 'C' || r.type == 'D'){
char unused <bgcolor=0x0000ff>;
short empNum;
int ssn;
short itemNum;
short deptCat;
short priceGrp;
int price;
int tax1Amt;
int tax2Amt;
short quantity;
short dupVoidCat;
short managerNum;
int plu;
int managerSsn;
short tranTime;
byte seatNum;
char unused2[3];
short voidCatId;
char junk[6];
} else { if (r.type == 'E'){
char unused <bgcolor=0x00dddd>;
short empNum;
int ssn;
char unused2[6];
int discAmt;
int tax1Amt;
int tax2Amt;
short quantity;
short altDiscCat;
short managerNum;
char unused3[4];
int managerSsn;
short discTime;
byte seatNum;
char unused4[3];
short discCatId;
char junk[6];
} else { if (r.type == 'F'){
char unused <bgcolor=0x551a8b>;
short empNum;
int ssn;
short payCatId;
int payAmt;
int gratuity;
int externalId;
short status;
int acctNum;
int acctExHigh;
int cashBack;
char junk[18];
} else { if (r.type == 'K'){
char unused <bgcolor=0x00ff00>;
short empNum;
int ssn;
int amount;
short closedTime;
short origClsTime;
int unused2;
short dupEmpNum;
int unused3;
short origCheckNum;
char junk[26];
} else {
char junk[53] <bgcolor=0xaaaaaa>;
}}}}}}
} r;
}

44
cparser/PALTemplate.bt Normal file
View File

@ -0,0 +1,44 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Template File
//
// File: PALTemplate.bt
// Author: SweetScape Software
// Revision: 1.1
// Purpose: Parses a Microsoft PAL
// palette file.
// SweetScape: Changed display order
// in ReadRGBQUAD to match the BMP
// template (Oct 24th, 2007).
//--------------------------------------
// Declare a structure for holding a color
typedef struct
{
uchar red;
uchar green;
uchar blue;
uchar alpha;
} RGBQUAD <read=ReadRGBQUAD>;
// Custom read functions for color types - this allows the
// color to be displayed without having to open up the structure.
string ReadRGBQUAD( RGBQUAD &a )
{
string s;
SPrintf( s, "#%02X%02X%02X%02X", a.alpha, a.red, a.green, a.blue );
return s;
}
//---------------------------------------------
// Declare the file header
char file_signature[4];
int file_length;
char tag_type[4];
// Declare the RIFF chunk with color data
char chunk_signature[4];
int chunk_size;
ushort version <format=hex>; //should be 300h
ushort num_colors;
RGBQUAD colors[ num_colors ];

186
cparser/PCAPTemplate.bt Normal file
View File

@ -0,0 +1,186 @@
//---------------------
//--- 010 Editor v3.0.3 Binary Template
//
// File: PCAPTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.1, prototype, only tested on 1 PCAP file
// Date: 2009/05/24
// Purpose: Defines a template for parsing PCAP files.
// References:
// http://wiki.wireshark.org/Development/LibpcapFileFormat
//--------------------------------------
typedef struct {
uint32 magic_number <format=hex>; /* magic number */
if(magic_number != 0xA1B2C3D4) {
Warning("Not a valid PCAP file");
return 1;
}
uint16 version_major; /* major version number */
uint16 version_minor; /* minor version number */
int32 thiszone; /* GMT to local correction */
uint32 sigfigs; /* accuracy of timestamps */
uint32 snaplen; /* max length of captured packets, in octets */
uint32 network; /* data link type */
} PCAPHEADER;
typedef struct
{
uchar Byte[6];
} MACaddr<read=MACname>;
typedef struct
{
MACaddr DstMac<name="Destination MAC">;
MACaddr SrcMac<name="Source MAC">;
uint16 L3type<name="Layer 3 Protocol">;
} Layer_2 <size=14>;
typedef struct
{
uchar Byte[4];
} IPv4addr<read=IPv4addrName>;
string IPv4addrName(IPv4addr &IP)
{
string strReturn;
SPrintf(strReturn,"%d.%d.%d.%d",IP.Byte[0],IP.Byte[1],IP.Byte[2],IP.Byte[3]);
return strReturn;
}
typedef struct (uint16 proto_type)
{
uchar version:4;
uchar ip_hdr_len:4;
local int hdr_length = ip_hdr_len*4;
BYTE DiffServField;
uint16 total_length;
if (proto_type == 0x0800) // IP
{
uint16 Identification;
uint16 Flags;
BYTE TTL;
BYTE L4proto<name="Layer 4 Protocol",read=L4protoName>;
uint16 HdrChecksum;
IPv4addr SRC_IP<name="Source IP">;
IPv4addr DST_IP<name="Dest IP">;
}
else
{
BYTE Unknown[hdr_length-4];
}
} Layer_3;
typedef struct (ushort VER_HDR,uint16 total_length,uint L4proto)
{
local uint16 ip_hdr_length = VER_HDR*4;
if (L4proto == 0x11) // UDP
{
uint16 SrcPort<name="Source Port">;
uint16 DstPort<name="Destination Port">;
uint16 udp_hdr_len<name="Datagram Length">;
uint16 ChkSum<name="Checksum">;
}
else if (L4proto == 0x6) // TCP
{
uint16 SrcPort<name="Source Port">;
uint16 DstPort<name="Destination Port">;
uint32 SEQ;
uint32 ACK;
uchar tcp_hdr_len:4;
uchar Reserved:4;
BYTE Crap[tcp_hdr_len*4-13];
}
else
{
BYTE packet[total_length-ip_hdr_length]<name="Unknown Layer 4 Data">;
}
} Layer_4;
string L4protoName(BYTE val)
{
if (val == 0x06)
{
return "TCP";
}
else if (val == 0x11)
{
return "UDP";
}
else
{
return "Unknown";
}
}
typedef struct {
time_t ts_sec; /* timestamp seconds */
uint32 ts_usec; /* timestamp microseconds */
uint32 incl_len; /* number of octets of packet saved in file */
uint32 orig_len; /* actual length of packet */
BigEndian();
Layer_2 L2 <name="Layer 2">;
Layer_3 L3(L2.L3type) <name="Layer 3">;
Layer_4 L4(L3.ip_hdr_len,L3.total_length,L3.L4proto)<name="Layer 4">;
if (L3.L4proto == 0x6)
{
local uint16 AppDataLen = L3.total_length - L3.ip_hdr_len*4 - L4.tcp_hdr_len*4;
if (AppDataLen > 0)
{
BYTE AppData[AppDataLen]<name="TCP Application Data">;
}
}
else if (L3.L4proto == 0x11)
{
local uint AppDataLen = L4.udp_hdr_len-8;
if (AppDataLen > 0)
{
BYTE AppData[AppDataLen]<name="UDP Application Data">;
}
}
LittleEndian();
} PCAPRECORD <read=ReadPCAPRECORD,comment=PCAPcomments>;
string PCAPcomments(PCAPRECORD &P)
{
local uint16 L4_proto = P.L3.L4proto;
string strReturn;
local uint16 AppDataLen = 0;
if (L4_proto == 0x6)
{
AppDataLen = P.L3.total_length - P.L3.ip_hdr_len*4 - P.L4.tcp_hdr_len*4;
}
else if (L4_proto == 0x11)
{
AppDataLen = P.L4.udp_hdr_len - 8;
}
SPrintf(strReturn,"%s:%d -> %s:%d %s %s",IPv4addrName(P.L3.SRC_IP),P.L4.SrcPort,IPv4addrName(P.L3.DST_IP),P.L4.DstPort,L4protoName(L4_proto), AppDataLen > 0 ? "***" : "");
return strReturn;
}
string ReadPCAPRECORD(PCAPRECORD &record)
{
string strReturn;
SPrintf(strReturn, "%s.%06u", TimeTToString(record.ts_sec), record.ts_usec);
return strReturn;
}
string MACname(MACaddr &addr)
{
string strReturn;
SPrintf(strReturn,"%.02x:%.02x:%.02x:%.02x:%.02x:%.02x",addr.Byte[0],addr.Byte[1],addr.Byte[2],addr.Byte[3],addr.Byte[4],addr.Byte[5]);
return strReturn;
}
// Define the headers
LittleEndian();
PCAPHEADER header;
while( !FEof() )
{
PCAPRECORD record<name="Frame">;
}

39
cparser/PCXTemplate.bt Normal file
View File

@ -0,0 +1,39 @@
//------------------------------------
//--- 010 Editor v1.2 Binary Template
//
// Name: PCXTemplate.bt
// Author: James Newton
// Purpose: Sample template for PCX
// header information.
//------------------------------------
enum <ubyte> PCX_TYPE {
v25 =0, //Version 2.5 of PC Paintbrush
v28Pal =2, //Version 2.8 w/palette information
v28 =3, //Version 2.8 w/o palette information
v5Win =4, //PC Paintbrush for Windows(Plus for Windows uses Ver 5)
v3up =5 //Version 3.0 and > of PC Paintbrush and PC Paintbrush +, includes Publisher's Paintbrush. Includes 24-bit .PCX files.
} ;
struct PCX {
ubyte Manufacturer; //Constant Flag, 10 = ZSoft .pcx
PCX_TYPE version; //Version information
ubyte encoding; //1 = .PCX run length encoding
ubyte BitsPerPixel; //Number of bits to represent a pixel (per Plane) - 1, 2, 4, or 8
ushort Xmin; //Window. Image Dimensions: Xmin,Ymin,Xmax,Ymax
ushort Ymin; //
ushort Xmax; //
ushort Ymax; //
ushort HDpi; //Horizontal Resolution of image in DPI*
ushort VDpi; //Vertical Resolution of image in DPI*
ubyte Colormap[48]; //Color palette setting, see text
ubyte Reserved; //Should be set to 0.
ubyte NPlanes; //Number of color planes
ushort BytesPerLine; //Number of bytes to allocate for a scanline plane. MUST be an EVEN number. Do NOT calculate from Xmax-Xmin.
ushort PaletteInfo; //How to interpret palette- 1 = Color/BW, 2 = Grayscale (ignored in PB IV/ IV +)
ushort HscreenSize; //Horizontal screen size in pixels. New field found only in PB IV/IV Plus
ushort VscreenSize; //Vertical screen size in pixels. New field found only in PB IV/IV Plus
ubyte Filler[54]; //Blank to fill out 128 byte header. Set all bytes to 0
};
PCX file;

565
cparser/PDFTemplate.bt Normal file
View File

@ -0,0 +1,565 @@
//---------------------------------------------------------------------------
/*
010 Editor Template for PDF file format
2010/08/06 v0.0.1
As the PDF file format is not your usual binary file format for which it is easy to create
010 templates, I had to resort to unusual template programming techniques.
Some limitations of the 010 scripting language (like not being able to create local structures)
also explain the unusual style.
Summary of the algorithm used by this template:
- search for keywords with FindAll (%PDF, %%EOF, obj, endobj): FindAllKeywords()
- merge all found keywords into one array, and filter out found keywords that are not actual
PDF structures (like obj without preceding index and version): MergeAndFilterAllKeywords()
- loop over all keywords and prepare data needed to create PDF structures: PrepareStructures()
- create PDF structures: CreatePDFStructures()
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2010/08/03: start development with 010 Editor v3.0.6
2010/08/04: continue
2010/08/05: continue
2010/08/06: refactoring, cleanup
*/
//---------------------------------------------------------------------------
local int iCOLOR = 0x95E8FF; // Color used for highlighting PDF structures
enum int {TYPE_UNKNOWN, TYPE_HEADER, TYPE_TRAILER, TYPE_OBJ, TYPE_ENDOBJ};
// Global variables
local int iKeywordCount;
local int iStructureCount;
local TFindResults tfrHeaders;
local TFindResults tfrTrailers;
local TFindResults tfrObjs;
local TFindResults tfrEndobjs;
local int iPDFHeaderCount = 0;
local int iPDFTrailerCount = 0;
local int iPDFUnknownCount = 0;
local int iPDFCommentCount = 0;
local int iPDFWhitespaceCount = 0;
local int iPDFXrefCount = 0;
local int iPDFObjectCount = 0;
// Structures
local int iIndexLength;
local int iWhiteSpace1Length;
local int iVersionLength;
local int iWhiteSpace2Length;
local int iDataLength;
local int iFoundEndobj;
local int iWhiteSpace3Length;
typedef struct {
BYTE Index[iIndexLength];
BYTE WhiteSpace1[iWhiteSpace1Length];
BYTE Version[iVersionLength];
BYTE WhiteSpace2[iWhiteSpace2Length];
BYTE Object[3];
BYTE Data[iDataLength];
if (iFoundEndobj)
BYTE EndObject[6];
BYTE WhiteSpace3[iWhiteSpace3Length];
} PDFObj <read=ReadPDFObj>;
string ReadPDFObj(PDFObj &sPDFObj)
{
local string sResult;
SPrintf(sResult, "%s %s obj %s", sPDFObj.Index, sPDFObj.Version, sPDFObj.Data);
return sResult;
}
local int iHeaderSize;
typedef struct {
BYTE Header[iHeaderSize];
} PDFHeader;
local int iTrailerSize;
typedef struct {
BYTE Trailer[iTrailerSize];
} PDFTrailer;
local int iUnknownSize;
typedef struct {
BYTE Data[iUnknownSize];
} PDFUnknown;
local int iCommentSize;
typedef struct {
BYTE Comment[iCommentSize];
} PDFComment;
local int iWhitespaceSize;
typedef struct {
BYTE Whitespace[iWhitespaceSize];
} PDFWhitespace;
local int iXrefSize;
typedef struct {
BYTE Data[iXrefSize];
} PDFXref;
// Functions
int64 FindStartOfObj(int64 iStart, int &iIndexLength, int &iWhiteSpace1Length, int &iVersionLength, int &iWhiteSpace2Length)
{
local int iIter;
local BYTE bChar;
local int64 iIndex;
local int64 iStartIndex = -1;
local int64 iEndIndex = -1;
local int64 iStartVersion = -1;
local int64 iEndVersion = -1;
for(iIter = 1; iIter <= 20; iIter++)
{
iIndex = iStart - iIter;
if (iIndex < 0)
break;
bChar = ReadByte(iIndex);
if (iEndVersion == -1)
{
if (bChar == ' ')
;
else if (bChar >= '0' && bChar <= '9')
iEndVersion = iIndex;
else
break;
}
else if (iStartVersion == -1)
{
if (bChar >= '0' && bChar <= '9')
;
else if (bChar == ' ')
iStartVersion = iIndex + 1;
else
break;
}
else if (iEndIndex == -1)
{
if (bChar == ' ')
;
else if (bChar >= '0' && bChar <= '9')
iEndIndex = iIndex;
else
break;
}
else if (iStartIndex == -1)
{
if (bChar < '0' || bChar > '9')
{
iStartIndex = iIndex + 1;
break;
}
}
}
if (iEndIndex != -1 && iStartVersion != -1 && iEndVersion != -1)
{
if (iStartIndex == -1)
{
if (iIndex == -1)
iStartIndex = 0;
else
return -1;
}
iIndexLength = iEndIndex - iStartIndex + 1;
iWhiteSpace1Length = iStartVersion - iEndIndex - 1;
iVersionLength = iEndVersion - iStartVersion + 1;
iWhiteSpace2Length = iStart - iEndVersion;
return iStartIndex;
}
else
return -1;
}
int64 FindEOL(int64 iStart)
{
local int64 iIter;
for(iIter = iStart; iIter < FileSize(); iIter++)
if (ReadByte(iIter) == 0x0D && iIter + 1 < FileSize() && ReadByte(iIter + 1) == 0x0A)
return iIter + 1;
else if (ReadByte(iIter) == 0x0D || ReadByte(iIter) == 0x0A)
return iIter;
return -1;
}
void FindAllKeywords(void)
{
tfrHeaders = FindAll("%PDF");
tfrTrailers = FindAll("%%EOF");
tfrObjs = FindAll(" obj");
tfrEndobjs = FindAll("endobj");
iKeywordCount = tfrHeaders.count + tfrTrailers.count + tfrObjs.count + tfrEndobjs.count;
}
int MergeKeywords(int iMerge1Size, int iMerge2Size)
{
local int64 iIndex1 = 0;
local int64 iIndex2 = 0;
local int64 iIndex3 = 0;
while (true)
{
if (iIndex1 == iMerge1Size)
{
while (iIndex2 < iMerge2Size)
{
aiMerge3KeywordType[iIndex3] = aiMerge2KeywordType[iIndex2];
aiMerge3KeywordStart[iIndex3] = aiMerge2KeywordStart[iIndex2];
aiMerge3KeywordSize[iIndex3] = aiMerge2KeywordSize[iIndex2];
iIndex2++;
iIndex3++;
}
break;
}
if (iIndex2 == iMerge2Size)
{
while (iIndex1 < iMerge1Size)
{
aiMerge3KeywordType[iIndex3] = aiMerge1KeywordType[iIndex1];
aiMerge3KeywordStart[iIndex3] = aiMerge1KeywordStart[iIndex1];
aiMerge3KeywordSize[iIndex3] = aiMerge1KeywordSize[iIndex1];
iIndex1++;
iIndex3++;
}
break;
}
if (aiMerge1KeywordStart[iIndex1] < aiMerge2KeywordStart[iIndex2])
{
aiMerge3KeywordType[iIndex3] = aiMerge1KeywordType[iIndex1];
aiMerge3KeywordStart[iIndex3] = aiMerge1KeywordStart[iIndex1];
aiMerge3KeywordSize[iIndex3] = aiMerge1KeywordSize[iIndex1];
iIndex1++;
iIndex3++;
}
else
{
aiMerge3KeywordType[iIndex3] = aiMerge2KeywordType[iIndex2];
aiMerge3KeywordStart[iIndex3] = aiMerge2KeywordStart[iIndex2];
aiMerge3KeywordSize[iIndex3] = aiMerge2KeywordSize[iIndex2];
iIndex2++;
iIndex3++;
}
}
for(iIndex1 = 0; iIndex1 < iMerge1Size + iMerge2Size; iIndex1++)
{
aiMerge1KeywordType[iIndex1] = aiMerge3KeywordType[iIndex1];
aiMerge1KeywordStart[iIndex1] = aiMerge3KeywordStart[iIndex1];
aiMerge1KeywordSize[iIndex1] = aiMerge3KeywordSize[iIndex1];
}
return iMerge1Size + iMerge2Size;
}
void MergeAndFilterAllKeywords(void)
{
local int iIter;
local int iIter2;
local int iTempCount;
for(iIter = 0; iIter < tfrHeaders.count; iIter++)
{
aiMerge1KeywordType[iIter] = TYPE_HEADER;
aiMerge1KeywordStart[iIter] = tfrHeaders.start[iIter];
aiMerge1KeywordSize[iIter] = tfrHeaders.size[iIter];
}
for(iIter = 0; iIter < tfrTrailers.count; iIter++)
{
aiMerge2KeywordType[iIter] = TYPE_TRAILER;
aiMerge2KeywordStart[iIter] = tfrTrailers.start[iIter];
aiMerge2KeywordSize[iIter] = tfrTrailers.size[iIter];
}
iTempCount = MergeKeywords(tfrHeaders.count, tfrTrailers.count);
iIter2 = 0;
for(iIter = 0; iIter < tfrObjs.count; iIter++)
{
if (-1 != FindStartOfObj(tfrObjs.start[iIter], iIndexLength, iWhiteSpace1Length, iVersionLength, iWhiteSpace2Length))
{
aiMerge2KeywordType[iIter2] = TYPE_OBJ;
aiMerge2KeywordStart[iIter2] = tfrObjs.start[iIter];
aiMerge2KeywordSize[iIter2] = tfrObjs.size[iIter];
iIter2++;
}
}
iTempCount = MergeKeywords(iTempCount, iIter2);
for(iIter = 0; iIter < tfrEndobjs.count; iIter++)
{
aiMerge2KeywordType[iIter] = TYPE_ENDOBJ;
aiMerge2KeywordStart[iIter] = tfrEndobjs.start[iIter];
aiMerge2KeywordSize[iIter] = tfrEndobjs.size[iIter];
}
iKeywordCount = MergeKeywords(iTempCount, tfrEndobjs.count);
}
int CalculateSizeWithEOL(int64 iStart)
{
local int64 iIndexEOL;
iIndexEOL = FindEOL(iStart);
if (iIndexEOL == -1)
return -1;
else
return iIndexEOL - iStart + 1;
}
void PrepareStructures(void)
{
local int iIter;
local int64 iEndPreviousStructure = 0;
local int iSize;
local int64 iStartIndirectObject;
local BYTE bRead;
local int iWhitespaceCount;
iStructureCount = 0;
for(iIter = 0; iIter < iKeywordCount; iIter++)
{
if (aiMerge1KeywordType[iIter] == TYPE_OBJ)
iStartIndirectObject = FindStartOfObj(aiMerge1KeywordStart[iIter], iIndexLength, iWhiteSpace1Length, iVersionLength, iWhiteSpace2Length);
else
iStartIndirectObject = aiMerge1KeywordStart[iIter];
if (iStartIndirectObject != iEndPreviousStructure && aiMerge1KeywordType[iIter] != TYPE_ENDOBJ)
{
aiStructureType[iStructureCount] = TYPE_UNKNOWN;
aiStructureStart[iStructureCount] = iEndPreviousStructure;
aiStructureSize[iStructureCount] = iStartIndirectObject - iEndPreviousStructure;
iStructureCount++;
}
if (aiMerge1KeywordType[iIter] == TYPE_HEADER)
{
iSize = CalculateSizeWithEOL(aiMerge1KeywordStart[iIter]);
if (iSize == -1)
iSize = aiMerge1KeywordSize[iIter];
aiStructureType[iStructureCount] = TYPE_HEADER;
aiStructureStart[iStructureCount] = aiMerge1KeywordStart[iIter];
aiStructureSize[iStructureCount] = iSize;
iEndPreviousStructure = aiStructureStart[iStructureCount] + aiStructureSize[iStructureCount];
iStructureCount++;
}
else if (aiMerge1KeywordType[iIter] == TYPE_TRAILER)
{
iSize = CalculateSizeWithEOL(aiMerge1KeywordStart[iIter]);
if (iSize == -1)
iSize = aiMerge1KeywordSize[iIter];
aiStructureType[iStructureCount] = TYPE_TRAILER;
aiStructureStart[iStructureCount] = aiMerge1KeywordStart[iIter];
aiStructureSize[iStructureCount] = iSize;
iEndPreviousStructure = aiStructureStart[iStructureCount] + aiStructureSize[iStructureCount];
iStructureCount++;
}
else if (aiMerge1KeywordType[iIter] == TYPE_OBJ)
{
iSize = aiMerge1KeywordStart[iIter + 1] - iStartIndirectObject;
if (aiMerge1KeywordType[iIter + 1] == TYPE_ENDOBJ)
iSize += 6;
iWhitespaceCount = 0;
bRead = ReadByte(iStartIndirectObject + iSize);
while (bRead == 0x0D || bRead == 0x0A || bRead == 0x20)
{
iWhitespaceCount++;
bRead = ReadByte(iStartIndirectObject + iSize + iWhitespaceCount);
}
iSize += iWhitespaceCount;
aiStructureType[iStructureCount] = TYPE_OBJ;
aiStructureStart[iStructureCount] = iStartIndirectObject;
aiStructureSize[iStructureCount] = iSize;
aiStructureExtraParameter1[iStructureCount] = iIndexLength;
aiStructureExtraParameter2[iStructureCount] = iWhiteSpace1Length;
aiStructureExtraParameter3[iStructureCount] = iVersionLength;
aiStructureExtraParameter4[iStructureCount] = iWhiteSpace2Length;
aiStructureExtraParameter5[iStructureCount] = aiMerge1KeywordType[iIter + 1] == TYPE_ENDOBJ;
aiStructureExtraParameter6[iStructureCount] = iWhitespaceCount;
iEndPreviousStructure = aiStructureStart[iStructureCount] + aiStructureSize[iStructureCount];
iStructureCount++;
}
}
// code for unknown structure after last keyword
if (FileSize() - aiStructureStart[iStructureCount - 1] - aiStructureSize[iStructureCount - 1] != 0)
{
aiStructureType[iStructureCount] = TYPE_UNKNOWN;
aiStructureStart[iStructureCount] = aiStructureStart[iStructureCount - 1] + aiStructureSize[iStructureCount - 1];
aiStructureSize[iStructureCount] = FileSize() - aiStructureStart[iStructureCount - 1] - aiStructureSize[iStructureCount - 1];
iStructureCount++;
}
}
void CreatePDFHeader(int64 iStart, int iSize)
{
iPDFHeaderCount++;
FSeek(iStart);
iHeaderSize = iSize;
PDFHeader sPDFHeader;
}
void CreatePDFTrailer(int64 iStart, int iSize)
{
iPDFTrailerCount++;
FSeek(iStart);
iTrailerSize = iSize;
PDFTrailer sPDFTrailer;
}
void CreatePDFUnknown(int64 iStart, int iSize)
{
iPDFUnknownCount++;
FSeek(iStart);
iUnknownSize = iSize;
PDFUnknown sPDFUnknown;
}
void CreatePDFComment(int64 iStart, int iSize)
{
iPDFCommentCount++;
FSeek(iStart);
iCommentSize = iSize;
PDFComment sPDFComment;
}
int IsWhitespace(int64 iStart, int iSize)
{
local int64 iIter;
local BYTE bRead;
for(iIter = iStart; iIter < iStart + iSize; iIter++)
{
bRead = ReadByte(iIter);
if (bRead != 0x09 && bRead != 0x0A && bRead != 0x0D && bRead != 0x20)
return false;
}
return true;
}
void CreatePDFWhitespace(int64 iStart, int iSize)
{
iPDFWhitespaceCount++;
FSeek(iStart);
iWhitespaceSize = iSize;
PDFWhitespace sPDFWhitespace;
}
int StartsWith(int64 iStart, int iSize, string sData)
{
local int64 iIter;
if (Strlen(sData) > iSize)
return false;
for(iIter = 0; iIter < Strlen(sData); iIter++)
if (ReadByte(iStart + iIter) != sData[iIter])
return false;
return true;
}
void CreatePDFXref(int64 iStart, int iSize)
{
iPDFXrefCount++;
FSeek(iStart);
iXrefSize = iSize;
PDFXref sPDFXref;
}
void CreatePDFObject(int64 iStart, int iSize, int iIndexLengthArg, int iWhiteSpace1LengthArg, int iVersionLengthArg, int iWhiteSpace2LengthArg, int iFoundEndobjArg, int iWhiteSpace3LengthArg)
{
iPDFObjectCount++;
iIndexLength = iIndexLengthArg;
iWhiteSpace1Length = iWhiteSpace1LengthArg;
iVersionLength = iVersionLengthArg;
iWhiteSpace2Length = iWhiteSpace2LengthArg;
iFoundEndobj = iFoundEndobjArg;
iWhiteSpace3Length = iWhiteSpace3LengthArg;
FSeek(iStart);
iDataLength = iSize - iIndexLength - iWhiteSpace1Length - iVersionLength - iWhiteSpace2Length - 6 - 3 - iWhiteSpace3LengthArg;
PDFObj sPDFObj;
}
local int iToggleColor = iCOLOR;
void ToggleBackColor()
{
if (iToggleColor == iCOLOR)
iToggleColor = cNone;
else
iToggleColor = iCOLOR;
SetBackColor(iToggleColor);
}
void CreatePDFStructures(void)
{
local int iIter;
for(iIter = 0; iIter < iStructureCount; iIter++)
{
ToggleBackColor();
if (aiStructureType[iIter] == TYPE_UNKNOWN && StartsWith(aiStructureStart[iIter], aiStructureSize[iIter], "%"))
CreatePDFComment(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_UNKNOWN && StartsWith(aiStructureStart[iIter], aiStructureSize[iIter], "xref"))
CreatePDFXref(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_UNKNOWN && IsWhitespace(aiStructureStart[iIter], aiStructureSize[iIter]))
CreatePDFWhitespace(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_UNKNOWN)
CreatePDFUnknown(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_HEADER)
CreatePDFHeader(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_TRAILER)
CreatePDFTrailer(aiStructureStart[iIter], aiStructureSize[iIter]);
else if (aiStructureType[iIter] == TYPE_OBJ)
CreatePDFObject(aiStructureStart[iIter], aiStructureSize[iIter], aiStructureExtraParameter1[iIter], aiStructureExtraParameter2[iIter], aiStructureExtraParameter3[iIter], aiStructureExtraParameter4[iIter], aiStructureExtraParameter5[iIter], aiStructureExtraParameter6[iIter]);
}
SetBackColor(cNone);
}
void PrintPDFCounters(void)
{
Printf("Structure counts:\n");
Printf(" PDFHeader = %5d\n", iPDFHeaderCount);
Printf(" PDFTrailer = %5d\n", iPDFTrailerCount);
Printf(" PDFObject = %5d\n", iPDFObjectCount);
Printf(" PDFComment = %5d\n", iPDFCommentCount);
Printf(" PDFXref = %5d\n", iPDFXrefCount);
Printf(" PDFWhitespace = %5d\n", iPDFWhitespaceCount);
Printf(" PDFUnknown = %5d\n", iPDFUnknownCount);
}
// Main
FindAllKeywords();
if (iKeywordCount == 0)
{
Printf("Keywords not found, not a PDF file!\n");
return;
}
local int aiMerge1KeywordType[iKeywordCount];
local int64 aiMerge1KeywordStart[iKeywordCount];
local int aiMerge1KeywordSize[iKeywordCount];
local int aiMerge2KeywordType[iKeywordCount];
local int64 aiMerge2KeywordStart[iKeywordCount];
local int aiMerge2KeywordSize[iKeywordCount];
local int aiMerge3KeywordType[iKeywordCount];
local int64 aiMerge3KeywordStart[iKeywordCount];
local int aiMerge3KeywordSize[iKeywordCount];
MergeAndFilterAllKeywords();
local int aiStructureType[iKeywordCount * 2 + 1];
local int64 aiStructureStart[iKeywordCount * 2 + 1];
local int aiStructureSize[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter1[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter2[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter3[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter4[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter5[iKeywordCount * 2 + 1];
local int aiStructureExtraParameter6[iKeywordCount * 2 + 1];
PrepareStructures();
CreatePDFStructures();
PrintPDFCounters();

821
cparser/PETemplate.bt Normal file
View File

@ -0,0 +1,821 @@
//--------------------------------------
//--- 010 Editor v4.0.3 Binary Template
//
// File: https://ntreserved.googlecode.com/svn/trunk/Wiki/PE.bt
// Author: xSpy [cdutboy@gmail.com]
// Revision: 0.0.0.2
// Purpose: Parse x86/x64 exe,dll,sys
// Build: 2013.01.01
// Update: 2013.01.06
/*
0.0.0.2 Add Parse Reloc
0.0.0.1 Basic
*/
//--------------------------------------
typedef QWORD ULONGLONG; //fix ULONGLONG
typedef struct _IMAGE_DOS_HEADER
{
WORD e_magic <format=hex,comment="IMAGE_DOS_SIGNATURE = 0x5A4D">;
WORD e_cblp <comment="Bytes on last page of file">;
WORD e_cp <comment="Pages in file">;
WORD e_crlc <comment="Relocations">;
WORD e_cparhdr <comment="Size of header in paragraphs">;
WORD e_minalloc <comment="Minimum extra paragraphs needed">;
WORD e_maxalloc <comment="Maximum extra paragraphs needed">;
WORD e_ss <comment="Initial (relative) SS value">;
WORD e_sp <comment="Initial SP value">;
WORD e_csum <comment="Checksum">;
WORD e_ip <comment="Initial IP value">;
WORD e_cs <comment="Initial (relative) CS value">;
WORD e_lfarlc <comment="File address of relocation table">;
WORD e_ovno <comment="Overlay number">;
WORD e_res[4] <comment="Reserved words">;
WORD e_oemid <comment="OEM identifier (for e_oeminfo)">;
WORD e_oeminfo <comment="OEM information; e_oemid specific">;
WORD e_res2[10] <comment="Reserved words">;
LONG e_lfanew <fgcolor=cPurple,format=hex,comment="NtHeader Offset">;
} IMAGE_DOS_HEADER;
typedef enum<WORD> _IMAGE_MACHINE
{
IMAGE_MACHINE_UNKNOWN = 0,
I386 = 0x014c,
R3000 = 0x0162, // MIPS little-endian, 0x160 big-endian
R4000 = 0x0166, // MIPS little-endian
R10000 = 0x0168, // MIPS little-endian
WCEMIPSV2= 0x0169, // MIPS little-endian WCE v2
ALPHA = 0x0184, // Alpha_AXP
SH3 = 0x01a2, // SH3 little-endian
SH3DSP = 0x01a3,
SH3E = 0x01a4, // SH3E little-endian
SH4 = 0x01a6, // SH4 little-endian
SH5 = 0x01a8, // SH5
ARM = 0x01c0, // ARM Little-Endian
THUMB = 0x01c2,
AM33 = 0x01d3,
POWERPC = 0x01F0, // IBM PowerPC Little-Endian
POWERPCFP= 0x01f1,
IA64 = 0x0200, // Intel 64
MIPS16 = 0x0266, // MIPS
ALPHA64 = 0x0284, // ALPHA64
MIPSFPU = 0x0366, // MIPS
MIPSFPU16= 0x0466, // MIPS
TRICORE = 0x0520, // Infineon
CEF = 0x0CEF,
EBC = 0x0EBC, // EFI Byte Code
AMD64 = 0x8664, // AMD64 (K8)
M32R = 0x9041, // M32R little-endian
CEE = 0xC0EE
}IMAGE_MACHINE <comment="WORD">;
//Characteristics
typedef struct _FILE_CHARACTERISTICS
{
WORD IMAGE_FILE_RELOCS_STRIPPED:1 <comment="0x0001 Relocation info stripped from file">;
WORD IMAGE_FILE_EXECUTABLE_IMAGE:1 <comment="0x0002 File is executable">;
WORD IMAGE_FILE_LINE_NUMS_STRIPPED:1 <comment="0x0004 Line nunbers stripped from file">;
WORD IMAGE_FILE_LOCAL_SYMS_STRIPPED:1 <comment="0x0008 Local symbols stripped from file">;
WORD IMAGE_FILE_AGGRESIVE_WS_TRIM:1 <comment="0x0010 Agressively trim working set">;
WORD IMAGE_FILE_LARGE_ADDRESS_AWARE:1 <comment="0x0020 App can handle >2gb addresses">;
WORD :1 <comment="0x0040 Reserved",hidden=true>;
WORD IMAGE_FILE_BYTES_REVERSED_LO:1 <comment="0x0080 Bytes of machine word are reversed">;
WORD IMAGE_FILE_32BIT_MACHINE:1 <comment="0x0100 32 bit word machine">;
WORD IMAGE_FILE_DEBUG_STRIPPED:1 <comment="0x0200 Debugging info stripped from file in .DBG file">;
WORD IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP:1 <comment="0x0400 If Image is on removable media, copy and run from the swap file">;
WORD IMAGE_FILE_NET_RUN_FROM_SWAP:1 <comment="0x0800 If Image is on Net, copy and run from the swap file">;
WORD IMAGE_FILE_SYSTEM:1 <comment="0x1000 System File">;
WORD IMAGE_FILE_DLL:1 <comment="0x2000 File is a DLL">;
WORD IMAGE_FILE_UP_SYSTEM_ONLY:1 <comment="0x4000 File should only be run on a UP machine">;
WORD IMAGE_FILE_BYTES_REVERSED_HI:1 <comment="0x8000 Bytes of machine word are reversed">;
}FILE_CHARACTERISTICS <comment="WORD">;
typedef struct _IMAGE_FILE_HEADER
{
IMAGE_MACHINE Machine <fgcolor=cPurple,format=hex,comment="WORD">;
WORD NumberOfSections <fgcolor=cBlue,comment="Section num">;
time_t TimeDateStamp <format=hex,comment="DWORD,from 01/01/1970 12:00 AM">;
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD SizeOfOptionalHeader;
FILE_CHARACTERISTICS Characteristics <comment="WORD">;
}IMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY
{
DWORD VirtualAddress <format=hex,comment=CommentRVA2FOA>;
DWORD Size;
}IMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_DATA_DIRECTORY_ARRAY
{
IMAGE_DATA_DIRECTORY DataDir0 <comment="IMAGE_DIRECTORY_ENTRY_EXPORT">;
IMAGE_DATA_DIRECTORY DataDir1 <fgcolor=cPurple,comment="IMAGE_DIRECTORY_ENTRY_IMPORT">;
IMAGE_DATA_DIRECTORY DataDir2 <comment="IMAGE_DIRECTORY_ENTRY_RESOURCE">;
IMAGE_DATA_DIRECTORY DataDir3 <comment="IMAGE_DIRECTORY_ENTRY_EXCEPTION">;
IMAGE_DATA_DIRECTORY DataDir4 <comment="IMAGE_DIRECTORY_ENTRY_SECURITY">;
IMAGE_DATA_DIRECTORY DataDir5 <fgcolor=cPurple,comment="IMAGE_DIRECTORY_ENTRY_BASERELOC">;
IMAGE_DATA_DIRECTORY DataDir6 <comment="IMAGE_DIRECTORY_ENTRY_DEBUG">;
IMAGE_DATA_DIRECTORY DataDir7 <comment="IMAGE_DIRECTORY_ENTRY_ARCHITECTURE">;
IMAGE_DATA_DIRECTORY DataDir8 <comment="IMAGE_DIRECTORY_ENTRY_GLOBALPTR">;
IMAGE_DATA_DIRECTORY DataDir9 <comment="IMAGE_DIRECTORY_ENTRY_TLS">;
IMAGE_DATA_DIRECTORY DataDir10 <comment="IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG">;
IMAGE_DATA_DIRECTORY DataDir11 <comment="IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT">;
IMAGE_DATA_DIRECTORY DataDir12 <fgcolor=cPurple,comment="IMAGE_DIRECTORY_ENTRY_IAT">;
IMAGE_DATA_DIRECTORY DataDir13 <comment="IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT">;
IMAGE_DATA_DIRECTORY DataDir14 <comment="IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR">;
IMAGE_DATA_DIRECTORY DataDir15 <comment="System Reserved">;
}IMAGE_DATA_DIRECTORY_ARRAY;
typedef enum<WORD> _IMAGE_SUBSYSTEM
{
IMAGE_SUBSYSTEM_UNKNOWN =0, // Unknown subsystem.
NATIVE =1, // Image doesn't require a subsystem.
WINDOWS_GUI =2, // Image runs in the Windows GUI subsystem.
WINDOWS_CUI =3, // Image runs in the Windows character subsystem.
OS2_CUI =5, // image runs in the OS/2 character subsystem.
POSIX_CUI =7, // image runs in the Posix character subsystem.
NATIVE_WINDOWS =8, // image is a native Win9x driver.
WINDOWS_CE_GUI =9, // Image runs in the Windows CE subsystem.
EFI_APPLICATION =10,
EFI_BOOT_SERVICE_DRIVER =11,
EFI_RUNTIME_DRIVER =12,
EFI_ROM =13,
XBOX =14,
WINDOWS_BOOT_APPLICATION=16
}IMAGE_SUBSYSTEM<comment="WORD">;
typedef struct _DLL_CHARACTERISTICS
{
WORD IMAGE_LIBRARY_PROCESS_INIT:1 <comment="0x0001 Reserved",hidden=true>;
WORD IMAGE_LIBRARY_PROCESS_TERM:1 <comment="0x0002 Reserved",hidden=true>;
WORD IMAGE_LIBRARY_THREAD_INIT:1 <comment="0x0004 Reserved",hidden=true>;
WORD IMAGE_LIBRARY_THREAD_TERM:1 <comment="0x0008 Reserved",hidden=true>;
WORD :2 <comment="0x0010,0x0020",hidden=true>;
WORD IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:1 <comment="0x0040">;
WORD IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY:1 <comment="0x0080">;
WORD IMAGE_DLLCHARACTERISTICS_NX_COMPAT:1 <comment="0x0100">;
WORD IMAGE_DLLCHARACTERISTICS_NO_ISOLATION:1 <comment="0x0200">;
WORD IMAGE_DLLCHARACTERISTICS_NO_SEH:1 <comment="0x0400">;
WORD IMAGE_DLLCHARACTERISTICS_NO_BIND:1 <comment="0x0800">;
WORD :1 <comment="0x1000",hidden=true>;
WORD IMAGE_DLLCHARACTERISTICS_WDM_DRIVER:1 <comment="0x2000">;
WORD :1 <comment="0x4000",hidden=true>;
WORD IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE:1 <comment="0x8000">;
}DLL_CHARACTERISTICS <comment="WORD">;
typedef enum<WORD> _OPTIONAL_MAGIC
{
PE32=0x10b,
PE64=0x20b,
ROM=0x107
}OPTIONAL_MAGIC <comment="WORD">;
typedef struct _IMAGE_OPTIONAL_HEADER32
{
OPTIONAL_MAGIC Magic <format=hex>;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode <format=hex>;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint <fgcolor=cPurple,format=hex,comment=CommentRVA2FOA>;
DWORD BaseOfCode <format=hex,comment=CommentRVA2FOA>;
DWORD BaseOfData <format=hex,comment=CommentRVA2FOA>;
DWORD ImageBase <format=hex>;
DWORD SectionAlignment <format=hex>;
DWORD FileAlignment <format=hex>;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage <format=hex>;
DWORD SizeOfHeaders <format=hex>;
DWORD CheckSum <format=hex>;
IMAGE_SUBSYSTEM Subsystem;
DLL_CHARACTERISTICS DllCharacteristics;
DWORD SizeOfStackReserve <format=hex>;
DWORD SizeOfStackCommit <format=hex>;
DWORD SizeOfHeapReserve <format=hex>;
DWORD SizeOfHeapCommit <format=hex>;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY_ARRAY DataDirArray;
}IMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_OPTIONAL_HEADER64
{
OPTIONAL_MAGIC Magic <format=hex>;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint <format=hex,comment=CommentRVA2FOA>;
DWORD BaseOfCode <format=hex>;
ULONGLONG ImageBase <format=hex>;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage <format=hex>;
DWORD SizeOfHeaders;
DWORD CheckSum;
IMAGE_SUBSYSTEM Subsystem;
DLL_CHARACTERISTICS DllCharacteristics;
ULONGLONG SizeOfStackReserve <format=hex>;
ULONGLONG SizeOfStackCommit <format=hex>;
ULONGLONG SizeOfHeapReserve <format=hex>;
ULONGLONG SizeOfHeapCommit <format=hex>;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY_ARRAY DataDirArray;
}IMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS
{
DWORD Signature <format=hex,comment="IMAGE_NT_SIGNATURE = 0x00004550">;
IMAGE_FILE_HEADER FileHeader;
local WORD OptionalHeaderMagic = ReadShort(FTell());
if (0x10b == OptionalHeaderMagic)
{
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
}
else if (0x20b == OptionalHeaderMagic)
{
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
}
else
{
Printf("not valid Optional header magic %x.\n",OptionalHeaderMagic);
return 1;
}
}IMAGE_NT_HEADERS <size=CalcImageNtHeadersSize>;
int CalcImageNtHeadersSize(IMAGE_NT_HEADERS& stNtHeader)
{
local WORD OptionalHeaderMagic = ReadShort(startof(stNtHeader) + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) );
if(0x10B == OptionalHeaderMagic)
{
Printf("PE32\n");
return 0xF8; //sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER32);
}
else if (0x20B == OptionalHeaderMagic)
{
Printf("PE64\n");
return 0x108; //sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER64);
}
else
{
return sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + 0; //
}
return 0;
}
typedef struct _SECTION_CHARACTERISTICS
{
ULONG IMAGE_SCN_TYPE_DSECT:1 <hidden=true,comment="0x00000001 Reserved">;
ULONG IMAGE_SCN_TYPE_NOLOAD:1 <hidden=true,comment="0x00000002 Reserved">;
ULONG IMAGE_SCN_TYPE_GROUP:1 <hidden=true,comment="0x00000004 Reserved">;
ULONG IMAGE_SCN_TYPE_NO_PAD:1 <comment="0x00000008 Reserved">;
ULONG IMAGE_SCN_TYPE_COPY:1 <hidden=true,comment="0x00000010 Reserved">;
ULONG IMAGE_SCN_CNT_CODE:1 <comment="0x00000020 Section contains code">;
ULONG IMAGE_SCN_CNT_INITIALIZED_DATA:1 <comment="0x00000040 Section contains initialized data">;
ULONG IMAGE_SCN_CNT_UNINITIALIZED_DATA:1 <comment="0x00000080 Section contains uninitialized data">;
ULONG IMAGE_SCN_LNK_OTHER:1 <comment="0x00000100 Reserved">;
ULONG IMAGE_SCN_LNK_INFO:1 <comment="0x00000200 Section contains comments or some other type of information">;
ULONG IMAGE_SCN_TYPE_OVER:1 <hidden=true,comment="0x00000400 Reserved">;
ULONG IMAGE_SCN_LNK_REMOVE:1 <comment="0x00000800 Section contents will not become part of image">;
ULONG IMAGE_SCN_LNK_COMDAT:1 <comment="0x00001000 Section contents comdat">;
ULONG :1 <comment="0x00002000 Reserved">;
ULONG IMAGE_SCN_NO_DEFER_SPEC_EXC:1 <hidden=true,comment="0x00004000 Reset speculative exceptions handling bits in the TLB entries for this section.">;
ULONG IMAGE_SCN_GPREL:1 <comment="0x00008000 Section content can be accessed relative to GP">;
ULONG IMAGE_SCN_MEM_SYSHEAP:1 <hidden=true,comment="0x00010000 Obsolete">;
ULONG IMAGE_SCN_MEM_16BIT:1 <comment="0x00020000">;
ULONG IMAGE_SCN_MEM_LOCKED:1 <comment="0x00040000 ">;
ULONG IMAGE_SCN_MEM_PRELOAD:1 <comment="0x00080000">;
ULONG IMAGE_SCN_ALIGN_1BYTES:1 <comment="0x00100000">;
ULONG IMAGE_SCN_ALIGN_2BYTES:1 <comment="0x00200000">;
ULONG IMAGE_SCN_ALIGN_8BYTES:1 <comment="0x00400000">;
ULONG IMAGE_SCN_ALIGN_128BYTES:1 <comment="0x00800000">;
ULONG IMAGE_SCN_LNK_NRELOC_OVFL:1 <comment="0x01000000 Section contains extended relocations">;
ULONG IMAGE_SCN_MEM_DISCARDABLE:1 <comment="0x02000000 Section can be discarded.">;
ULONG IMAGE_SCN_MEM_NOT_CACHED:1 <comment="0x04000000 Section is not cachable">;
ULONG IMAGE_SCN_MEM_NOT_PAGED:1 <comment="0x08000000 Section is not pageable.">;
ULONG IMAGE_SCN_MEM_SHARED:1 <comment="0x10000000 Section is shareable">;
ULONG IMAGE_SCN_MEM_EXECUTE:1 <comment="0x20000000 Section is executable">;
ULONG IMAGE_SCN_MEM_READ:1 <comment="0x40000000 Section is readable">;
ULONG IMAGE_SCN_MEM_WRITE:1 <comment="0x80000000 Section is writeable">;
}SECTION_CHARACTERISTICS;
typedef struct _IMAGE_SECTION_HEADER
{
BYTE Name[8] <comment="can end without zero">;
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
DWORD VirtualAddress <format=hex>;
DWORD SizeOfRawData <format=hex>;
DWORD PointerToRawData <format=hex>;
DWORD PointerToRelocations<format=hex>;
DWORD PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
SECTION_CHARACTERISTICS Characteristics <format=hex>;
}IMAGE_SECTION_HEADER;
typedef struct _IMAGE_SECTION_DATA(IMAGE_SECTION_HEADER& SecHeader)
{
local string sSecName=SecHeader.Name;
UCHAR Data[SecHeader.SizeOfRawData];
}IMAGE_SECTION_DATA <comment=commentSectionData>;
string commentSectionData(IMAGE_SECTION_DATA& SecData)
{
return SecData.sSecName;
}
typedef struct _IMAGE_IMPORT_BY_NAME(int nNameLen)
{
WORD Hint;
BYTE Name[nNameLen];
} IMAGE_IMPORT_BY_NAME <comment=commentImageImportByName>;
string commentImageImportByName(IMAGE_IMPORT_BY_NAME& ImportByName)
{
return ImportByName.Name;
}
typedef struct _IMAGE_IMPORT_DESCRIPTOR
{
local int nNameIndex=0;
local ULONG ulThrunk=0;
local int nNameLen=0;
local string sDllName="";
local ULONG ulOriginalFirstThunkFOA=0;
union
{
ULONG Characteristics;
ULONG OriginalFirstThunk <format=hex,comment=CommentRVA2FOA>;
}DUMMYUNIONNAME;
ULONG TimeDateStamp <comment="0 if not bound">;
ULONG ForwarderChain <comment="-1 if no forwarders">;
ULONG Name <format=hex,comment=CommentRVAString>;
ULONG FirstThunk <format=hex,comment=CommentRVA2FOA>;
ulOriginalFirstThunkFOA = RVA2FOA(DUMMYUNIONNAME.OriginalFirstThunk);
if ((0x20b == NtHeader.OptionalHeader.Magic))
{
}
else
{
nNameIndex =0;
while(1)
{
ulThrunk = ReadUInt(ulOriginalFirstThunkFOA + 4 * nNameIndex);
if (0 == ulThrunk)
{
break;
}
if (ulThrunk & 0x80000000)
{
Printf("mport by order \n");
}
else
{
nNameLen = Strlen(ReadString(RVA2FOA(ulThrunk) + sizeof(WORD)));
if(0 != nNameLen)
{
FSeek(RVA2FOA(ulThrunk));
IMAGE_IMPORT_BY_NAME ImportByName(nNameLen +1)<open=false>;
}
}
nNameIndex++;
}
}
}IMAGE_IMPORT_DESCRIPTOR <comment=commentImageImportDescriptor>;
string commentImageImportDescriptor(IMAGE_IMPORT_DESCRIPTOR& ImportDescriptor)
{
return ReadString( RVA2FOA(ImportDescriptor.Name));
}
typedef struct _IMAGE_EXPORT_BY_NAME(string& sExportFuncName,ULONG ulDestRVA,string& sJmpName)
{
local ULONG ulLocalDestRVA=ulDestRVA;
local string sLocalJmpName=sJmpName;
char Function[Strlen(sExportFuncName)];
}IMAGE_EXPORT_BY_NAME <read=ReadExportByName,comment=commentExportByName>;
string ReadExportByName(IMAGE_EXPORT_BY_NAME& ExportByName)
{
return ExportByName.Function;
}
string commentExportByName(IMAGE_EXPORT_BY_NAME& ExportByName)
{
local string sComment="";
if (0 == Strlen(ExportByName.sLocalJmpName) )
{
SPrintf(sComment,"0x%X",ExportByName.ulLocalDestRVA);
}
else
{
SPrintf(sComment,"%s",ExportByName.sLocalJmpName);
}
return sComment;
}
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
time_t TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name <format=hex,comment=CommentRVAString>;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions <format=hex,comment=CommentRVA2FOA>; // RVA from base of image
DWORD AddressOfNames <format=hex,comment=CommentRVA2FOA>; // RVA from base of image
DWORD AddressOfNameOrdinals <format=hex,comment=CommentRVA2FOA>; // RVA from base of image
local int nIndex=0;
local ULONG NameArrayFOA=0;
local ULONG OrdinalArrayFOA=0;
local ULONG FuncArrayFOA=0;
local ULONG ulNameRVA=0;
local ULONG ulNameFOA=0;
local ULONG ulFuncRVA=0;
local WORD wOrdinal=0;
local string sExportName="";
local string sJmpName="";
//List Export names.
NameArrayFOA = RVA2FOA(ExportDir.AddressOfNames);
OrdinalArrayFOA = RVA2FOA(ExportDir.AddressOfNameOrdinals);
FuncArrayFOA = RVA2FOA(ExportDir.AddressOfFunctions);
for(nIndex=0; nIndex < ExportDir.NumberOfNames; nIndex++)
{
ulNameRVA = ReadUInt(NameArrayFOA + nIndex*sizeof(ULONG) );
ulNameFOA = RVA2FOA(ulNameRVA);
sExportName = ReadString(ulNameFOA);
if (0 != Strlen(sExportName))
{
wOrdinal = ReadUShort(OrdinalArrayFOA + nIndex*sizeof(USHORT));
ulFuncRVA = ReadUInt(FuncArrayFOA + wOrdinal* sizeof(ULONG) ); //GetRVA
if ( (ulFuncRVA >NtHeader.OptionalHeader.DataDirArray.DataDir0.VirtualAddress ) && \
(ulFuncRVA < NtHeader.OptionalHeader.DataDirArray.DataDir0.VirtualAddress + NtHeader.OptionalHeader.DataDirArray.DataDir0.Size ) )
{
//is a jmp
sJmpName = ReadString( RVA2FOA(ulFuncRVA) );
FSeek(ulNameFOA);
IMAGE_EXPORT_BY_NAME ExportByName(sExportName,ulFuncRVA,sJmpName);
}
else
{
//normal
sJmpName ="";
FSeek(ulNameFOA);
IMAGE_EXPORT_BY_NAME ExportByName(sExportName,ulFuncRVA,sJmpName);
}
}
}
}IMAGE_EXPORT_DIRECTORY <comment=commentExportDirectory>;
string commentExportDirectory(IMAGE_EXPORT_DIRECTORY& ExportDir)
{
return ReadString(RVA2FOA(ExportDir.Name));
}
ULONG RVA2FOA(ULONG ulRVA)
{
local int i=0;
for(i=0; i < NtHeader.FileHeader.NumberOfSections; i++)
{
if ( (ulRVA >= SectionHeaders[i].VirtualAddress) && (ulRVA <= SectionHeaders[i].VirtualAddress + SectionHeaders[i].SizeOfRawData) )
{
return SectionHeaders[i].PointerToRawData + (ulRVA - SectionHeaders[i].VirtualAddress);
}
}
return 0;
}
string LocationRVA(ULONG ulRVA)
{
local int i=0;
for(i=0; i < NtHeader.FileHeader.NumberOfSections; i++)
{
if ( (ulRVA >= SectionHeaders[i].VirtualAddress) && (ulRVA <= SectionHeaders[i].VirtualAddress + SectionHeaders[i].SizeOfRawData) )
{
return SectionHeaders[i].Name;
}
}
return "";
}
string CommentRVA2FOA(DWORD dwRVA)
{
local string sComment="";
if (0 != dwRVA)
{
SPrintf(sComment,"%s FOA = 0x%X \n",LocationRVA(dwRVA),RVA2FOA(dwRVA));
}
return sComment;
}
string CommentRVAString(DWORD dwRVA)
{
local string sComment="";
if (0 != dwRVA)
{
SPrintf(sComment,"%s FOA = 0x%X -> %s",LocationRVA(dwRVA),RVA2FOA(dwRVA),ReadString(RVA2FOA(dwRVA)) );
}
return sComment;
}
typedef struct _IMAGE_BASE_RELOCATION
{
DWORD VirtualAddress <format=hex,comment=CommentRVA2FOA>;
DWORD SizeOfBlock;
// WORD TypeOffset[1];
local ULONG ulBlockNum=0;
local ULONG ulIndex=0;
ulBlockNum = (SizeOfBlock - 8)/2;
for(ulIndex=0; ulIndex< ulBlockNum ;ulIndex++)
{
WORD Block<format=hex,comment=CommentBaseRelocBlock>;
}
} IMAGE_BASE_RELOCATION <comment=commentImageBaseRelocation>;
string CommentBaseRelocBlock(WORD Block)
{
if(0x3000 == (Block & 0xF000) )
{
return "HIGHLOW";
}
else
{
return "ABSULUTE";
}
return "";
}
string commentImageBaseRelocation(IMAGE_BASE_RELOCATION& BaseReloc)
{
local string sComment="";
SPrintf(sComment,"%d",BaseReloc.ulBlockNum);
return sComment;
}
typedef struct _BASE_RELOCATION_TABLE
{
local ULONG ulRelocNum=0;
while(1)
{
if(0 == ReadUInt(FTell()) )
{
break;
}
IMAGE_BASE_RELOCATION BaseReloc;
ulRelocNum++;
}
}BASE_RELOCATION_TABLE <comment=commentBaseRelocationTable>;
string commentBaseRelocationTable(BASE_RELOCATION_TABLE& RelocTable)
{
local string sComment="";
SPrintf(sComment,"%d",RelocTable.ulRelocNum);
return sComment;
}
//Parse Export Directory
void ParseEAT(void)
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir0.VirtualAddress != 0) && (NtHeader.OptionalHeader.DataDirArray.DataDir0.Size != 0) )
{
local ULONG ulExportFOA= RVA2FOA(NtHeader.OptionalHeader.DataDirArray.DataDir0.VirtualAddress);
FSeek(ulExportFOA);
IMAGE_EXPORT_DIRECTORY ExportDir;
}
}
//Import Directory
void ParseIAT()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir1.VirtualAddress != 0) && (NtHeader.OptionalHeader.DataDirArray.DataDir1.Size != 0) )
{
local ULONG ulImportFOA = RVA2FOA(NtHeader.OptionalHeader.DataDirArray.DataDir1.VirtualAddress); //Import
local ULONG ulOriginalFirstThunk=0;
local ULONG ulOriginalFirstThunkFOA=0;
local int nImportIndex=0;
FSeek(ulImportFOA);
while(1)
{
ulOriginalFirstThunk = ReadUInt(ulImportFOA + 0x14*nImportIndex );
if (0 == ulOriginalFirstThunk)
{
break;
}
FSeek(ulImportFOA + 0x14*nImportIndex);
IMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
nImportIndex++;
}
}
}
//Resource Directory 2
void ParseResource()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir2.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir2.Size == 0) )
{
return;
}
//FixMe
}
//Exception Directory 3
void ParseException()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir3.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir3.Size == 0) )
{
return;
}
//FixMe
}
//Security Directory 4
void ParseSecurity()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir4.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir4.Size == 0) )
{
return;
}
//FixMe
}
//Relocation Directory 5
void ParseBaseReloc()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir5.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir5.Size == 0) )
{
return;
}
FSeek( RVA2FOA(NtHeader.OptionalHeader.DataDirArray.DataDir5.VirtualAddress) );
BASE_RELOCATION_TABLE RelocTable;
}
//Debug Directory 6
void ParseDebug()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir6.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir6.Size == 0) )
{
return;
}
//FixMe
}
//TLS 9
void ParseTLS()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir9.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir9.Size == 0) )
{
return;
}
//FixMe
}
//Bound Import 11
void ParseBoundImport()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir11.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir11.Size == 0) )
{
return;
}
//FixMe
}
//Delay Import 13
void ParseDelayImport()
{
if( (NtHeader.OptionalHeader.DataDirArray.DataDir13.VirtualAddress == 0) || (NtHeader.OptionalHeader.DataDirArray.DataDir13.Size == 0) )
{
return;
}
//FixMe
}
//--------------------------------------------------------------------------------------------------------
//Code
Printf("Parse PE Begin.\n");
IMAGE_DOS_HEADER DosHeader;
if (DosHeader.e_magic != 0x5A4D)
{
Printf("invalid dos magic.\n");
return 1;
}
if (0 == DosHeader.e_lfanew )
{
Warning("not invalid e_lfanew = 0x%X",DosHeader.e_lfanew);
return 2;
}
UCHAR Space1[DosHeader.e_lfanew - sizeof(IMAGE_DOS_HEADER)] <hidden=true,fgcolor=cRed,comment="Space between dos header and nt header">;
Printf("Space between dos header and nt header is %d bytes \n",DosHeader.e_lfanew - sizeof(IMAGE_DOS_HEADER));
FSeek(DosHeader.e_lfanew);
IMAGE_NT_HEADERS NtHeader;
if (0x00004550 != NtHeader.Signature)
{
Printf("invalid nt Signature 0x%x \n",NtHeader.Signature);
return 3;
}
IMAGE_SECTION_HEADER SectionHeaders[NtHeader.FileHeader.NumberOfSections];
//no align header size
local ULONG ulRawHeaderSize = DosHeader.e_lfanew + sizeof(NtHeader) + NtHeader.FileHeader.NumberOfSections*sizeof(IMAGE_SECTION_HEADER);
if (NtHeader.OptionalHeader.SizeOfHeaders - ulRawHeaderSize >0)
{
UCHAR Space2[NtHeader.OptionalHeader.SizeOfHeaders - ulRawHeaderSize ] <hidden=true,fgcolor=cRed,comment="Space between header and first section">;
}
Printf("Space between headers and first sections is %d bytes\n",NtHeader.OptionalHeader.SizeOfHeaders - ulRawHeaderSize);
FSeek(NtHeader.OptionalHeader.SizeOfHeaders);
local ULONG ulIndex=0;
for (ulIndex=0; ulIndex < NtHeader.FileHeader.NumberOfSections; ulIndex++)
{
if ( 0 == SectionHeaders[ulIndex].PointerToRawData )
{
continue;
}
if ( 0 == SectionHeaders[ulIndex].SizeOfRawData )
{
continue;
}
IMAGE_SECTION_DATA Section(SectionHeaders[ulIndex]);
}
FSeek(NtHeader.OptionalHeader.SizeOfHeaders);
//Parse Directory
ParseEAT();
ParseIAT();
ParseResource();
ParseException();
ParseSecurity();
ParseBaseReloc();
ParseDebug();
ParseTLS();
ParseBoundImport();
ParseDelayImport();
Printf("Parse PE finish.\n");

404
cparser/PNG12Template.bt Normal file
View File

@ -0,0 +1,404 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// File: PNG12Template.bt
// Author: RCS
// Revision: 0.3
// Purpose: Use templates on PNG images
// Changes: 0.2 - Allow duplicate chunks
// 0.3 - Made chunk names case sensitive
//--------------------------------------
typedef struct {
WORD btPngSignature[4] <format=hex>;
} PNG_SIGNATURE;
typedef struct {
DWORD btChunkLen;
SetForeColor(cYellow);
SetBackColor(cBlue);
CHAR btChunkType[4];
SetBackColor(cWhite);
} PNG_CHUNK_HEADER;
typedef enum <byte> pngColorSpaceType {
GrayScale = 0,
TrueColor = 2,
Indexed = 3,
AlphaGrayScale = 4,
AlphaTrueColor = 6
} PNG_COLOR_SPACE_TYPE;
// Compression Methods
typedef enum <byte> pngCompressionMethod {
Deflate = 0
} PNG_COMPR_METHOD;
// Filter Methods
typedef enum <byte> pngFilterMethod {
AdaptiveFiltering = 0
} PNG_FILTER_METHOD;
// Interlace Methods
typedef enum <byte> pngInterlaceMethod {
NoInterlace = 0,
Adam7Interlace = 1
} PNG_INTERLACE_METHOD;
// IHDR data
typedef struct {
UINT width;
UINT height;
BYTE bit_depth;
PNG_COLOR_SPACE_TYPE color_type;
PNG_COMPR_METHOD compr_method;
PNG_FILTER_METHOD filter_method;
PNG_INTERLACE_METHOD interlace_method;
} IHDR_CHUNK_DATA;
typedef struct {
BYTE btRed <format=hex>;
BYTE btGreen <format=hex>;
BYTE btBlue <format=hex>;
} PNG_PALETTE_PIXEL;
typedef struct {
uint x;
uint y;
} PNG_POINT;
typedef struct {
PNG_POINT white;
PNG_POINT red;
PNG_POINT green;
PNG_POINT blue;
} PNG_CHRM_CHUNK_DATA;
typedef enum <byte> {
Perceptual = 0,
RelativeColorimetric = 1,
Saturation = 2,
AbsoluteColorimetric = 3
} PNG_SRGB_CHUNK_DATA;
typedef struct {
string profile_name;
unsigned byte red;
} PNG_ICCP_CHUNK_DATA;
//---------------------------------------------
// PNG is big endian
BigEndian();
// Start PNG file
struct PngFile {
// Check the PNG signature
// (89h 50h 4Eh 47h 0Dh 0Ah 1Ah 0Ah)
SetForeColor(cRed);
PNG_SIGNATURE sig;
if (sig.btPngSignature[0] != 0x8950 ||
sig.btPngSignature[1] != 0x4E47 ||
sig.btPngSignature[2] != 0x0D0A ||
sig.btPngSignature[3] != 0x1A0A) {
Warning( "File is not a PNG image. Template stopped." );
return -1;
}
// Chunks naming rules
// Ancillary bit: bit 5 of first byte
// Private bit: bit 5 of second byte
// Reserved bit: bit 5 of third byte
// Safe-to-copy bit: bit 5 of fourth byte
SetForeColor(cGreen);
PNG_CHUNK_HEADER ihdrChunkHdr;
if (Strncmp(ihdrChunkHdr.btChunkType, "IHDR", 4) != 0)
{
Warning( "PNG File does not start with IHDR chunk." );
return -2;
}
SetForeColor(cBlack);
IHDR_CHUNK_DATA ihdrChunkData;
SetForeColor(cBlue);
DWORD ihdrCrc <format=hex>;
while (!FEof())
{
// Chunks naming rules
// Ancillary bit: bit 5 of first byte
// Private bit: bit 5 of second byte
// Reserved bit: bit 5 of third byte
// Safe-to-copy bit: bit 5 of fourth byte
SetForeColor(cGreen);
PNG_CHUNK_HEADER chunkHdr;
if (Strncmp(chunkHdr.btChunkType, "PLTE", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_PLTE
{
PNG_PALETTE_PIXEL plteChunkData[chunkHdr.btChunkLen/3];
SetForeColor(cBlue);
DWORD plteCrc <format=hex>;
} chunk_plte;
}
else if (Strncmp(chunkHdr.btChunkType, "tRNS", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_TRNS
{
BYTE trnsChunkData[chunkHdr.btChunkLen] <format=hex>;
SetForeColor(cBlue);
DWORD trnsCrc <format=hex>;
} chunk_trns;
}
else if (Strncmp(chunkHdr.btChunkType, "IDAT", 4) == 0)
{
SetForeColor(cWhite);
SetBackColor(cBlack);
struct PNG_CHUNK_IDAT
{
BYTE idatChunkData[chunkHdr.btChunkLen] <format=hex>;
SetForeColor(cBlack);
SetBackColor(cWhite);
SetForeColor(cBlue);
DWORD idatCrc <format=hex>;
} chunk_idat;
}
else if (Strncmp(chunkHdr.btChunkType, "gAMA", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_GAMA
{
BYTE gamaChunkData[chunkHdr.btChunkLen];
SetForeColor(cBlue);
DWORD gamaCrc <format=hex>;
} chunk_gama;
}
else if (Strncmp(chunkHdr.btChunkType, "cHRM", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_CHRM
{
PNG_CHRM_CHUNK_DATA chrmChunkData;
SetForeColor(cBlue);
DWORD chrmCrc <format=hex>;
} chunk_chrm;
}
else if (Strncmp(chunkHdr.btChunkType, "sRGB", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_SRGB
{
PNG_SRGB_CHUNK_DATA srgbChunkData;
SetForeColor(cBlue);
DWORD srgbCrc <format=hex>;
} chunk_srgb;
}
else if (Strncmp(chunkHdr.btChunkType, "iEXt", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_IEXT
{
string iextIdChunkData;
byte iextCompressionFlag;
PNG_COMPR_METHOD iextComprMethod;
string iextLanguageTag;
string iextTranslatedKeyword;
char iextValChunkData[chunkHdr.btChunkLen -
Strlen(iextIdChunkData) -1 -
Strlen(iextLanguageTag) -1 -
Strlen(iextTranslatedKeyword) -1 -
2];
SetForeColor(cBlue);
DWORD iextCrc <format=hex>;
} chunk_iext;
}
else if (Strncmp(chunkHdr.btChunkType, "tEXt", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_TEXT
{
string textIdChunkData;
char textValChunkData[chunkHdr.btChunkLen - Strlen(textIdChunkData) -1];
SetForeColor(cBlue);
DWORD textCrc <format=hex>;
} chunk_text;
}
else if (Strncmp(chunkHdr.btChunkType, "zEXt", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_ZEXT
{
string zextIdChunkData;
PNG_COMPR_METHOD comprMethod;
char zextValChunkData[chunkHdr.btChunkLen - Strlen(zextIdChunkData) -2];
SetForeColor(cBlue);
DWORD zextCrc <format=hex>;
} chunk_text;
}
else if (Strncmp(chunkHdr.btChunkType, "tIME", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_TIME
{
short timeYear <format=decimal>;
byte timeMonth <format=decimal>;
byte timeDay <format=decimal>;
byte timeHour <format=decimal>;
byte timeMin <format=decimal>;
byte timeSec <format=decimal>;
SetForeColor(cBlue);
DWORD zextCrc <format=hex>;
} chunk_time;
}
else if (Strncmp(chunkHdr.btChunkType, "bKGD", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_BKGD
{
switch (ihdrChunkData.color_type)
{
case 3: // Indexed
unsigned byte bgColorPaletteIndex <format=hex>;
break;
case 0: // Grayscale
case 4: // Grayscale with alpha
unsigned short bgGrayscalePixelValue <format=hex>;
break;
case 2: // TrueColor
case 6: // TrueColor with alpha
unsigned short bgColorPixelRed <format=hex>;
unsigned short bgColorPixelGreen <format=hex>;
unsigned short bgColorPixelBlue <format=hex>;
break;
default:
Warning( "Unknown Color Model Type for background color chunk." );
return -4;
}
SetForeColor(cBlue);
DWORD zextCrc <format=hex>;
} chunk_bkgd;
}
else if (Strncmp(chunkHdr.btChunkType, "pHYs", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_PHYS
{
uint physPixelPerUnitX;
uint physPixelPerUnitY;
enum <byte> {
UnkownUnit = 0,
Meter = 1
} physUnitSpec;
SetForeColor(cBlue);
DWORD zextCrc <format=hex>;
} chunk_phys;
}
else if (Strncmp(chunkHdr.btChunkType, "sBIT", 4) == 0)
{
SetForeColor(cBlack);
struct PNG_CHUNK_SBIT
{
switch (ihdrChunkData.color_type)
{
case 3: // Indexed
byte sbitRed;
byte sbitGreen;
byte sbitBlue;
break;
case 0: // Grayscale
byte sbitGraySource;
break;
case 4: // Grayscale with alpha
byte sbitGrayAlphaSource;
byte sbitGrayAlphaSourceAlpha;
break;
case 2: // TrueColor
byte sbitColorRed;
byte sbitColorGreen;
byte sbitColorBlue;
break;
case 6: // TrueColor with alpha
byte sbitColorAlphaRed;
byte sbitColorAlphaGreen;
byte sbitColorAlphaBlue;
byte sbitColorAlphaAlpha;
break;
default:
Warning( "Unknown Color Model Type for background color chunk." );
return -4;
}
SetForeColor(cBlue);
DWORD sbitCrc <format=hex>;
} chunk_sbit;
}
else if (Strncmp(chunkHdr.btChunkType, "sPLT", 4) == 0)
{
SetForeColor(cBlue);
struct PNG_CHUNK_SPLT
{
string paletteName;
byte sampleDepth;
byte spltData[chunkHdr.btChunkLen - Strlen(paletteName) -2];
SetForeColor(cBlue);
DWORD spltCrc <format=hex>;
} chunk_splt;
}
else if (Strncmp(chunkHdr.btChunkType, "hIST", 4) == 0)
{
SetForeColor(cBlue);
struct PNG_CHUNK_HIST
{
DWORD iendCrc <format=hex>;
SetForeColor(cBlue);
DWORD histCrc <format=hex>;
} chunk_hist;
}
else if (Strncmp(chunkHdr.btChunkType, "IEND", 4) == 0)
{
SetForeColor(cBlue);
struct PNG_CHUNK_IEND
{
DWORD iendCrc <format=hex>;
} chunk_iend;
}
else
{
SetForeColor(cBlack);
struct PNG_CHUNK_UNKNOWN
{
BYTE genChunkData[chunkHdr.btChunkLen];
SetForeColor(cBlue);
DWORD genCrc <format=hex>;
} chunk_unknown;
}
}
} myPngFile;

138
cparser/PNGTemplate.bt Normal file
View File

@ -0,0 +1,138 @@
//--------------------------------------
//--- 010 Editor v2.0.1 Binary Template
//
// File: PNGTemplate.bt
// Author: Kevin O. Grover <kevin@kevingrover.net>
// Purpose: A template for parsing PNG (Portable Network Graphics) files.
// Version: 1.1 2009-02-25
// History:
// 2005-05-11 KOG Initial version
// 2005-06-29 KOG Fixed typos in comments
// 2009-02-23 KOG Decode IHDR and tEXt chunks
//
// This template was written to the PNG 1.2 Specification.
// Note however, that it does not check nor parse chunk subdata, so it
// should work with all future PNG specifications.
//
// Also, a possible caveat: PNG encourages the type of chunks to be
// mapped to strings of the form "[a-zA-Z]{4}". However, it's not a requirement.
//
// Summary of PNG Format:
// A PNG file consists of an 8 byte ID followed by a series of chunks.
// Each Chunk is
// length (4 bytes), chunk_type (4 bytes), data (length bytes), crc (4 bytes)
// CRC Does NOT include the length bytes.
//--------------------------------------
BigEndian(); // PNG files are in Network Byte order
const uint64 PNGMAGIC = 0x89504E470D0A1A0AL;
// Chunk Type
typedef union {
uint32 ctype <format=hex>; // Chunk Type
char cname[4]; // character representation
} CTYPE <read=readCTYPE>;
string readCTYPE(local CTYPE &t) {
return t.cname;
}
// -- Specific Chunks
// IHDR - Image Header
typedef struct {
uint32 width;
uint32 height;
ubyte bits;
ubyte color_type;
ubyte compression;
ubyte filter;
ubyte interlace;
} IHDR <read=readIHDR>;
string readIHDR(local IHDR &ihdr) {
local string s;
SPrintf(s, "%i x %i (x%i)", ihdr.width, ihdr.height, ihdr.bits);
return s;
}
// tEXt - Text Data
typedef struct {
string label; // to the first NULL (including)
char data[length - Strlen(label) - 1]; // rest of the data
} tEXt <read=readtEXt>;
string readtEXt(local tEXt &text) {
local string s;
SPrintf(s, "%s = %s", text.label, text.data);
return s;
}
// -- End: Specific Chunks
local uint32 CHUNK_CNT = 0;
// Generic Chunks
typedef struct {
uint32 length; // Number of data bytes (not including length,type, or crc)
local quad pos_start = FTell();
CTYPE type; // Type of chunk
if (type.cname == "IHDR") {
IHDR ihdr;
} else if (type.cname == "tEXt") {
tEXt text;
} else {
ubyte data[length]; // Data (or not present)
}
local quad data_size = FTell() - pos_start;
uint32 crc <format=hex>; // CRC type and data (not including length or crc)
local uint32 crc_calc = Checksum(CHECKSUM_CRC32, pos_start, data_size);
if (crc != crc_calc) {
local string msg;
SPrintf(msg, "*WARNING CRC Mismatch @ chunk[%d] (%08x != %08x)\n", CHUNK_CNT, crc, crc_calc);
Warning(msg);
Printf(msg);
}
CHUNK_CNT++;
} CHUNK <read=readCHUNK>;
// Chunks can be in any order: HOWEVER, IHDR must be first, IEND must be last
// Bit 5s in chunk type bytes are used to flag some things:
// Ancillary bit: bit 5 of 1st byte: 0=Critical, 1=Ancillary
// Private bit: bit 5 of 2nd byte: 0=Public, 1=Private
// Reserved bit: bit 5 of 3rd byte: MUST be 0
// Safe to Copy bit: bit 5 of 4th byte: 0=Unsafe to Copy, 1=Safe to Copy
string readCHUNK(local CHUNK &c) {
local string s;
s=readCTYPE(c.type)+" (";
s += (c.type.cname[0] & 0x20) ? "Ancillary, " : "Critical, ";
s += (c.type.cname[1] & 0x20) ? "Private, " : "Public, ";
s += (c.type.cname[2] & 0x20) ? "ERROR_RESERVED, " : "";
s += (c.type.cname[3] & 0x20) ? "Safe to Copy)" : "Unsafe to Copy)";
return s;
}
// ---------------------------------------------------------------------------
// MAIN -- Here's where we really allocate the data
// ---------------------------------------------------------------------------
uint64 pngid <format=hex>;
if (pngid != PNGMAGIC) {
Warning("Invalid PNG File: Bad Magic Number");
return -1;
}
while(!FEof()) {
CHUNK chunk;
}
if (CHUNK_CNT > 1) {
if ((chunk[0].type.cname != "IHDR") || (chunk[CHUNK_CNT-1].type.cname != "IEND")) {
local string msg;
SPrintf(msg, "*WARNING: Chunk IHDR must be first and chunk IEND must be last!\n");
Warning(msg);
Printf(msg);
}
}

220
cparser/PSFTemplate.bt Normal file
View File

@ -0,0 +1,220 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// File: WSUS PSF file format
// Author: Boris Mazic
// Date: 31 August 2006
// Abstract:
// The sets of delta files for any given software update package are
// stored in a patch storage file (PSF) that is hosted on an
// HTTP 1.1 server. In addition to delta files based on any number of
// older, previously released versions of the new files, the PSF also
// contains compressed copies of the updated files. If a given target
// computer does not have an old file that matches any of the delta
// files contained in the PSF, a compressed copy of the updated file
// is downloaded instead of a delta file. This provides a seamless,
// fault-tolerant mechanism to ensure that all of the new files can
// be produced on the target computer regardless of its existing
// configuration. Because each PSF contains all of the compressed new
// files and many delta files for each new file, the patch storage
// files are often quite large. However, because each individual
// installation downloads only the required set of delta files
// necessary for that target computer, each installation will
// download only a small fraction of the entire contents of a PSF.
//--------------------------------------
//
// The name of a PSF file is in the format <SHA-1>.psf, where
// <SHA-1> part is SHA-1 checksum calculated over the entire contents
// of the PSF file.
//
// Defines a PSF file header
typedef struct {
char signature[8]; // "50 53 54 52 45 41 4D 00" = "PSTREAM\0" at offset 0.
ushort unknown1<format=hex>; // 01 00
ushort unknown2<format=hex>; // 01 00
uint psf_size_minus_1AFx<format=hex>;
uint small_patch_offset<format=hex>; // The offset of the first patch special structure (21h in size) + some other small sized patches (they are all concatenated one against each other with 4-byte alignement - zero filled padding between the boundaries)
uint large_patch_offset<format=hex>; // The offset of the first larger patch. The offset seems to be a multiple of 4KB (1000h). The larger patches are concatenated one against each other, all starting on 512-byte boundary (zero filled gaps).
uint unknown3<format=hex>; // TODO 8,27h, 2Eh
uint num_files;
uint offset<format=hex>; // an offset to the file_info_offsets field in this structure.
uint num_offsets<format=hex>; // 3, 5, 7 - more files bigger number (looks like a count of file info offsets).
uint zero1<format=hex>; // 00 00 00 00
uint zero2<format=hex>; // 00 00 00 00
uint random[4]<format=hex>; // distinct series of random numbers.
char description[];
uchar zeros[offset-FTell()]; // all zeros.
uint file_info_offsets[num_offsets]<format=hex>; // some of the values look like offsets that point to file info structures located immediately after the PSF header. There's always a values that is an offset to the last file info structure, but its location varies. Not all offsets to file info structures are listed here, but those that are are listed in ascending order, usually interspersed with zero values.
} PSFHeader <read=get_package_name>;
string get_package_name( struct PSFHeader& h )
{
local char s[512];
SPrintf(s, "%s", exists(h.name) ? h.name : "");
return s;
}
struct FileInfo;
string get_file_name( struct FileInfo& fi )
{
local char s[512];
SPrintf(s, "%s pit %Xh, %d patches + 1", exists(fi.name) ? fi.name : "", fi.patch_info_table_offset, fi.num_patches);
return s;
}
struct PatchInfo;
string get_patch_info( struct PatchInfo& pi )
{
local char s[512];
SPrintf(s, "index %Xh pos %Xh len %Xh", pi.index, pi.position, pi.length);
return s;
}
// Start here
LittleEndian();
SetBackColor( cYellow );
PSFHeader header;
// Check for the header signature
if(0 != Memcmp(header.signature, "PSTREAM\0",
sizeof(header.signature)))
{
Printf( "File is not a PSF file. Expected PSTREAM header.\n" );
return -1;
}
// build FileInfo structures for all (full) files in the PSF archive
local uint pos = 0;
local uint size = 0;
local uint align = 0;
local uint o = 0;
local uint offset = 0;
local uint f = 0;
local uint p = 0;
for(o = 0; o < header.num_offsets; ++o) {
if(header.file_info_offsets[o] == 0)
continue;
FSeek(header.file_info_offsets[o]);
for(++f; true; ++f) {
SetBackColor(cLtGreen);
struct FileInfo {
uchar unknown[3];
uchar name_len<format=hex>; // does not include null terminator
ushort num_patches; // the first patch info is not in this count (it is some special structure 21h bytes in size)
ushort compression; // 3 = delta compression, FF = uncompressed.
uint dependant_file_info_offset<format=hex>;
uint unknown_struct_offset<format=hex>; // TODO what kind of offset? It point to a structure that is 14h-24h in size and a list of these structures is located immediately after the list of file info and patch info structures.
uint patch_info_table_offset<format=hex>;
char name[name_len];
pos = FTell();
align = (pos + 3) & ~3;
if(pos != align) {
uchar padding[align-pos];
}
//zero padding
for(size=0, pos = FTell(); ReadUInt(pos) == 0; ++size, pos += 4) {
}
if(size > 0) {
SetBackColor(cSilver);
uint zeros[size];
}
} file_info <read=get_file_name>;
if(file_info.compression != 3) {
Printf( "File %d %s, num_patches %d, compression %X.\n", f-1, file_info.name, file_info.num_patches, file_info.compression);
}
FSeek(file_info.unknown_struct_offset);
SetBackColor(f & 1 ? 0x0099ff : 0xff9900);
struct Unknown {
uint unknown[5]<format=hex>; // the structure might take more then 5 quads
} unknown;
// iterate over all patch info structures for the given file (plus the first one which is not a patch but some special structure)
FSeek(file_info.patch_info_table_offset);
for(p=0; p < file_info.num_patches + 1; ++p) {
SetBackColor(p & 1 ? cLtRed : cLtPurple);
struct PatchInfo {
uchar index<format=hex>; // index of the patch info
uchar unknown[3]<format=hex>;
uint length<format=hex>;
uint position<format=hex>;
} patch_info <read=get_patch_info>;
}
//zero padding
for(size=0, pos = FTell(); ReadUInt(pos) == 0; ++size, pos += 4) {
}
if(size > 0) {
SetBackColor(cSilver);
struct PIPadding {
uint zeros[size];
} pi_padding;
}
if(file_info.dependant_file_info_offset == 0)
break;
FSeek(file_info.dependant_file_info_offset);
}
}
if(f != header.num_files) {
Printf( "Only %d of %d files found.\n", f, header.num_files);
return -1;
}
// for each (full) file build a list of Patch structures
local uint pi = 0;
for(f = 0; f < header.num_files; ++f) {
for(p=0; p < file_info[f].num_patches + 1; ++p, ++pi) {
SetBackColor(pi & 1 ? cLtYellow : cLtBlue);
FSeek(patch_info[pi].position);
// Individual patches can be decompressed using apatch.exe utility from
// Platform SDK. For the last patch (i.e. complete executable, not really
// a patch) use the following syntax:
// apatch xxx.dll.patch empty.dll xxx.dll
// where empty.dll is file of size zero bytes.
struct Patch {
char signature[4]; // "PA19" magic number
uchar flag1<format=hex>; // 02 if this is the last patch (full file) for the given file, 01 otherwise
uchar flag2<format=hex>; // 00
uchar flag3<format=hex>; // E7 if this is the last patch (full file) for the given file, E4 otherwise
uchar flag4<format=hex>; // mostly 00, but sometimes 80
// the first three quads are the same for every patch of a single file inside the PSF.
uint file1<format=hex>; // 41E5E974h
uint file2<format=hex>; // A7853400h
uint file3<format=hex>; // 01DE9B70h
uint patch1<format=hex>; // different for every patch of a single file inside the PSF.
uint patch2<format=hex>; // (flags) different, but similar for every patch of a single file inside the PSF.
if(patch_info[pi].length > 7*4) {
uchar unknown[patch_info[pi].length-7*4];
}
} patch;
// Check for the signature
if(0 != Memcmp(patch.signature, "PA19", sizeof(patch.signature))) {
Printf( "Invalid patch signature. Expected 'PA19'. File %d %s, patch info %d (index %d, position %Xh, length %Xh).\n", f, file_info[f].name, pi, patch_info[pi].index, patch_info[pi].position, patch_info[pi].length );
//return -1;
}
}
}
SetBackColor(cNone);

471
cparser/PYCTemplate.bt Normal file
View File

@ -0,0 +1,471 @@
//--------------------------------------
//--- 010 Editor v3.0.4 Binary Template
//
// File: PYCTemplate.bt
// Author: Kuang-che Wu
// Revision: 2009/04/02
// Purpose: parse python bytecode .pyc & .pyo
// support python 2.4 to 2.7
//--------------------------------------
enum <uint16> MagicValue {
PY_24a0 = 62041,
PY_24a3 = 62051,
PY_24b1 = 62061,
PY_25a0_1 = 62071,
PY_25a0_2 = 62081,
PY_25a0_3 = 62091,
PY_25a0_4 = 62092,
PY_25b3_1 = 62101,
PY_25b3_2 = 62111,
PY_25c1 = 62121,
PY_25c2 = 62131,
PY_26a0 = 62151,
PY_26a1 = 62161,
PY_27a0_1 = 62171,
PY_27a0_2 = 62181,
};
// marshal obj type of version 2
// version 2 is backward compatible to version 1 (for read)
enum <char> ObjType {
TYPE_NULL = '0',
TYPE_NONE = 'N',
TYPE_FALSE = 'F',
TYPE_TRUE = 'T',
TYPE_STOPITER = 'S',
TYPE_ELLIPSIS = '.',
TYPE_INT = 'i',
TYPE_INT64 = 'I',
TYPE_FLOAT = 'f',
TYPE_BINARY_FLOAT = 'g',
TYPE_COMPLEX = 'x',
TYPE_BINARY_COMPLEX = 'y',
TYPE_LONG = 'l',
TYPE_STRING = 's',
TYPE_INTERNED = 't',
TYPE_STRINGREF = 'R',
TYPE_TUPLE = '(',
TYPE_LIST = '[',
TYPE_DICT = '{',
TYPE_CODE = 'c',
TYPE_UNICODE = 'u',
TYPE_UNKNOWN = '?',
TYPE_SET = '<',
TYPE_FROZENSET = '>',
};
// Python/import.c
struct Magic {
MagicValue magic1;
char magic2[2];
if (magic2 != "\x0d\x0a") {
Warning("bad magic");
return 0;
}
if (EnumToString(magic1) == "") {
Warning("Unknown magic version");
return 0;
}
};
// opcode.h
// this is opname of python 2.4
// please add new opcode in ReadInstruction()
enum <ubyte> OpCode {
STOP_CODE = 0,
POP_TOP = 1,
ROT_TWO = 2,
ROT_THREE = 3,
DUP_TOP = 4,
ROT_FOUR = 5,
UNARY_POSITIVE = 10,
UNARY_NEGATIVE = 11,
UNARY_NOT = 12,
UNARY_CONVERT = 13,
UNARY_INVERT = 15,
LIST_APPEND = 18,
BINARY_POWER = 19,
BINARY_MULTIPLY = 20,
BINARY_DIVIDE = 21,
BINARY_MODULO = 22,
BINARY_ADD = 23,
BINARY_SUBTRACT = 24,
BINARY_SUBSCR = 25,
BINARY_FLOOR_DIVIDE = 26,
BINARY_TRUE_DIVIDE = 27,
INPLACE_FLOOR_DIVIDE = 28,
INPLACE_TRUE_DIVIDE = 29,
SLICE = 30,
/* Also uses 31-33 */
SLICE_a = 31,
SLICE_b = 32,
SLICE_c = 33,
STORE_SLICE = 40,
/* Also uses 41-43 */
STORE_SLICE_a = 41,
STORE_SLICE_b = 42,
STORE_SLICE_c = 43,
DELETE_SLICE = 50,
/* Also uses 51-53 */
DELETE_SLICE_a = 51,
DELETE_SLICE_b = 52,
DELETE_SLICE_c = 53,
INPLACE_ADD = 55,
INPLACE_SUBTRACT = 56,
INPLACE_MULTIPLY = 57,
INPLACE_DIVIDE = 58,
INPLACE_MODULO = 59,
STORE_SUBSCR = 60,
DELETE_SUBSCR = 61,
BINARY_LSHIFT = 62,
BINARY_RSHIFT = 63,
BINARY_AND = 64,
BINARY_XOR = 65,
BINARY_OR = 66,
INPLACE_POWER = 67,
GET_ITER = 68,
PRINT_EXPR = 70,
PRINT_ITEM = 71,
PRINT_NEWLINE = 72,
PRINT_ITEM_TO = 73,
PRINT_NEWLINE_TO = 74,
INPLACE_LSHIFT = 75,
INPLACE_RSHIFT = 76,
INPLACE_AND = 77,
INPLACE_XOR = 78,
INPLACE_OR = 79,
BREAK_LOOP = 80,
WITH_CLEANUP = 81,
LOAD_LOCALS = 82,
RETURN_VALUE = 83,
IMPORT_STAR = 84,
EXEC_STMT = 85,
YIELD_VALUE = 86,
POP_BLOCK = 87,
END_FINALLY = 88,
BUILD_CLASS = 89,
STORE_NAME = 90, /* Index in name list */
DELETE_NAME = 91, /* "" */
UNPACK_SEQUENCE = 92, /* Number of sequence items */
FOR_ITER = 93,
STORE_ATTR = 95, /* Index in name list */
DELETE_ATTR = 96, /* "" */
STORE_GLOBAL = 97, /* "" */
DELETE_GLOBAL = 98, /* "" */
DUP_TOPX = 99, /* number of items to duplicate */
LOAD_CONST = 100, /* Index in const list */
LOAD_NAME = 101, /* Index in name list */
BUILD_TUPLE = 102, /* Number of tuple items */
BUILD_LIST = 103, /* Number of list items */
BUILD_MAP = 104, /* Always zero for now */
LOAD_ATTR = 105, /* Index in name list */
COMPARE_OP = 106, /* Comparison operator */
IMPORT_NAME = 107, /* Index in name list */
IMPORT_FROM = 108, /* Index in name list */
JUMP_FORWARD = 110, /* Number of bytes to skip */
JUMP_IF_FALSE = 111, /* "" */
JUMP_IF_TRUE = 112, /* "" */
JUMP_ABSOLUTE = 113, /* Target byte offset from beginning of code */
LOAD_GLOBAL = 116, /* Index in name list */
CONTINUE_LOOP = 119, /* Start of loop (absolute) */
SETUP_LOOP = 120, /* Target address (relative) */
SETUP_EXCEPT = 121, /* "" */
SETUP_FINALLY = 122, /* "" */
LOAD_FAST = 124, /* Local variable number */
STORE_FAST = 125, /* Local variable number */
DELETE_FAST = 126, /* Local variable number */
RAISE_VARARGS = 130, /* Number of raise arguments (1, 2 or 3) */
/* CALL_FUNCTION_XXX opcodes defined below depend on this definition */
CALL_FUNCTION = 131, /* #args + (#kwargs<<8) */
MAKE_FUNCTION = 132, /* #defaults */
BUILD_SLICE = 133, /* Number of items */
MAKE_CLOSURE = 134, /* #free vars */
LOAD_CLOSURE = 135, /* Load free variable from closure */
LOAD_DEREF = 136, /* Load and dereference from closure cell */
STORE_DEREF = 137, /* Store into cell */
/* The next 3 opcodes must be contiguous and satisfy
(CALL_FUNCTION_VAR - CALL_FUNCTION) & 3 == 1 */
CALL_FUNCTION_VAR = 140, /* #args + (#kwargs<<8) */
CALL_FUNCTION_KW = 141, /* #args + (#kwargs<<8) */
CALL_FUNCTION_VAR_KW = 142, /* #args + (#kwargs<<8) */
/* Support for opargs more than 16 bits long */
EXTENDED_ARG = 143,
};
// ceval.c
const int HAVE_ARGUMENT = 90;
const int EXTENDED_ARG = 143;
struct Instruction {
if (ReadUByte(FTell()) == EXTENDED_ARG) {
ubyte opcode_extended_arg;
uint16 oparg_hi;
ubyte opcode;
if (opcode >= HAVE_ARGUMENT)
uint16 oparg;
} else {
ubyte opcode;
if (opcode >= HAVE_ARGUMENT)
uint16 oparg;
}
};
typedef int32 r_long;
typedef int64 r_long64;
typedef int16 r_short;
typedef ubyte r_byte;
struct Code {
ObjType type;
if (type != TYPE_STRING) {
Warning("code not in string type");
Exit(1);
}
r_long n;
local int remain = n;
local int end = FTell() + n;
/* trick to optimize parse speed */
while (remain >= 6) {
Instruction inst[remain/6] <read=ReadInstruction,optimize=false>;
remain = end - FTell();
}
remain = end - FTell();
while (remain > 0) {
Instruction inst <read=ReadInstruction>;
remain -= sizeof(inst);
}
};
string Opcode2Opname(OpCode opcode)
{
uint16 magic = file.magic.magic1;
local string opname = EnumToString(opcode);
if (magic >= 0) { // history between python 2.0 and 2.4
// r27197
if (opcode == 114) opname = "";
// r28249
if (opcode == 81) opname = "RETURN_NONE";
// r28494
if (opcode == 81) opname = "";
// r32346
if (opcode == 9) opname = "NOP";
// r32389
if (opcode == 9) opcode = "";
// r35378
if (opcode == 18) opname = "LIST_APPEND";
// r36216
if (opcode == 9) opname = "NOP";
}
// magic 62041 r36242 marshal version 1
// magic 62051 r37112
// magic 62061 r37403
// magic 62071 r38931 marshal version 2
// magic 62081 r39773
if (magic >= 62091) { // r42624
// r42624
if (opcode == 81) opname = "WITH_CLEANUP";
}
// magic 62092 r42952
// magic 62101 r50600
// magic 62111 r50968
// magic 62121 r51082
// magic 62131 r51729
if (magic >= 62151) { // r59548
// r59548
if (opcode == 54) opname = "STORE_MAP";
}
// magic 62161 r61290
if (magic >= 62171) { // r67818
// r67818
if (opcode == 18) opname = "";
if (opcode == 94) opname = "LIST_APPEND";
}
if (magic >= 62181) { // r70071
// r70071
if (opcode == 111) opname = "JUMP_IF_FALSE_OR_POP";
if (opcode == 112) opname = "JUMP_IF_TRUE_OR_POP";
if (opcode == 114) opname = "POP_JUMP_IF_FALSE";
if (opcode == 115) opname = "POP_JUMP_IF_TRUE";
}
return opname;
}
string ReadInstruction(Instruction &ins)
{
string s;
uint16 magic = file.magic.magic1;
OpCode opcode = (OpCode)ins.opcode;
string opname = Opcode2Opname(opcode);
if (exists(ins.oparg)) {
uint32 oparg = ins.oparg;
if (exists(ins.oparg_hi))
oparg += (uint32)ins.oparg_hi << 16;
// Note, COMPARE_OP oparg change name in r24970
if (opname == "COMPARE_OP") {
string cmp_op;
switch (oparg) {
case 0: cmp_op = "<"; break;
case 1: cmp_op = "<="; break;
case 2: cmp_op = "=="; break;
case 3: cmp_op = "!="; break;
case 4: cmp_op = ">"; break;
case 5: cmp_op = ">="; break;
case 6: cmp_op = "in"; break;
case 7: cmp_op = "not in"; break;
case 8: cmp_op = "is"; break;
case 9: cmp_op = "is not"; break;
case 10: cmp_op = "exception match"; break;
case 11: cmp_op = "BAD"; break;
}
SPrintf(s, "%s (%s)", opname, cmp_op);
} else {
SPrintf(s, "%s %d", opname, oparg);
}
} else {
s = opname;
}
return s;
}
struct LnoTab {
ObjType type;
if (type != TYPE_STRING) {
Warning("lnotab not in string type");
Exit(1);
}
r_long n;
struct {
uchar bytecode_offset_diff;
uchar line_diff;
} pair[n/2];
};
// Python/marshal.c
typedef struct r_object {
ObjType type;
switch (type) {
case TYPE_NULL:
case TYPE_NONE:
case TYPE_STOPITER:
case TYPE_ELLIPSIS:
case TYPE_FALSE:
case TYPE_TRUE:
break;
case TYPE_INT:
r_long value;
break;
case TYPE_INT64:
r_long64 value;
break;
case TYPE_LONG:
r_long n;
local int size = n<0?-n:n;
r_short digit[size];
break;
case TYPE_FLOAT:
r_byte n;
char value[n];
break;
case TYPE_BINARY_FLOAT:
double value;
break;
case TYPE_COMPLEX:
r_byte nr;
char real[nr];
r_byte ni;
char imag[ni];
break;
case TYPE_BINARY_COMPLEX:
double real;
double imag;
break;
case TYPE_INTERNED:
case TYPE_STRING:
r_long n;
if (n)
char str[n];
break;
case TYPE_STRINGREF:
r_long n;
break;
case TYPE_TUPLE:
r_long n;
if (n)
struct r_object elements[n] <optimize=false>;
break;
case TYPE_LIST:
r_long n;
if (n)
struct r_object elements[n] <optimize=false>;
break;
case TYPE_DICT:
while (1) {
struct r_object key;
if (key.type == TYPE_NULL)
break;
struct r_object val;
}
break;
case TYPE_SET:
case TYPE_FROZENSET:
r_long n;
if (n)
struct r_object elements[n] <optimize=false>;
break;
case TYPE_CODE:
r_long argcount;
r_long nlocals;
r_long stacksize;
r_long flags;
//struct r_object code;
Code code;
struct r_object consts;
struct r_object names;
struct r_object varnames;
struct r_object freevars;
struct r_object cellvars;
struct r_object filename;
struct r_object name;
r_long firstlineno;
//struct r_object lnotab;
LnoTab lnotab;
break;
default:
Warning("unknown type code");
Exit(1);
}
} r_object;
struct {
Magic magic;
char mtime[4];
r_object data;
} file;

456
cparser/RARTemplate.bt Normal file
View File

@ -0,0 +1,456 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: RARTemplate2.bt
// Author: Alexander Sherman
// Purpose: Defines a template for
// parsing RAR files.
// Revision: 7.03
//-----------------------------------
// RAR archive structures
// Based on TECHNOTE.TXT from the RAR archiver distribution
LittleEndian();
local const uint16 SignatureLen = 7;
const string RarSignature = "Rar!" + '\x1A' + '\x07';
///////////////
struct FileHeadBlock;
struct OldCommentBlock;
struct OldSubBlock;
struct SubBlock;
///////////////
enum <byte> RarBlockType
{
MARKER=0x72, ARCHIVE, FILE_OR_DIR, COMMENT_OLD, AV_OLD_1, SUBBLOCK_OLD, RR_OLD, AV_OLD_2, SUBBLOCK, _END_
};
////////////////
local uint16 _flags = 0;
/// info:
local uquad iBlocksCounter = 0;
local uquad iFiles = 0;
local uquad iDirs = 0;
local uquad iComments = 0;
local uquad iSubBlocks = 0;
local uquad iUniNames = 0;
local uquad iBadCRCCounter = 0;
local ubyte iMinVerToUnpack = 0xff;
local ubyte iMaxVerToUnpack = 0;
local uquad iTotalUnpackedSize = 0;
local uint iAV1 = 0;
local uint iAV2 = 0;
////////////////
enum <ubyte> OsType
{
_MS_DOS, _OS_2, _Win32, _Unix, _Mac_OS, _BeOS
};
enum <char> PackMethod
{
Store='0', Fastest, Fast, Normal, Good, Best
};
enum <uint16> SubType_OldStyle
{
OS2_EA = 0x0100
};
struct UnixStyleAttrs
{
uint32 owner_may_eXecute : 1;
uint32 owner_may_Write : 1;
uint32 owner_may_Read : 1;
uint32 group_may_eXecute : 1;
uint32 gorup_may_Write : 1;
uint32 group_may_Read : 1;
uint32 everybody_may_eXecute : 1;
uint32 everybody_may_Write : 1;
uint32 everybody_may_Read : 1;
uint32 _s : 1; // ??
uint32 _s : 1; // ??
uint32 _unused : 21;
};
struct DosFileAttrs
{
uint32 READONLY : 1; // 0x00000001
uint32 HIDDEN : 1; // 0x00000002
uint32 SYSTEM : 1; // 0x00000004
uint32 VOLUME : 1;
uint32 DIRECTORY : 1; // 0x00000010
uint32 ARCHIVE : 1; // 0x00000020
uint32 _res : 26;
};
struct WinFileAttrs
{
uint32 READONLY : 1;
uint32 HIDDEN : 1;
uint32 SYSTEM : 1;
uint32 VOLUME : 1;
uint32 DIRECTORY : 1;
uint32 ARCHIVE : 1;
uint32 DEVICE : 1;
uint32 NORMAL : 1;
uint32 TEMPORARY : 1;
uint32 SPARSE_FILE : 1;
uint32 REPARSE_POINT : 1;
uint32 COMPRESSED : 1;
uint32 OFFLINE : 1;
uint32 NOT_CONTENT_INDEXED : 1;
uint32 ENCRYPTED : 1;
uint32 _res2 : 17;
};
struct CommonBlockFlags
{
ushort _reserved : 14;
ushort OLD_VERSION_IGNORE : 1;
ushort ADD_SIZE_PRESENT : 1;
};
struct MainHeadFlags
{
ubyte ARCHIVE_VOLUME : 1;
ubyte ARCHIVE_COMMENT_PRESENT : 1;
ubyte ARCHIVE_LOCKED : 1;
ubyte ARCHIVE_SOLID : 1;
ubyte NEW_VOLUME_NAMING : 1;
ubyte AV_PRESENT : 1;
ubyte RECOVERY_PRESENT : 1;
ubyte BLOCK_HEADERS_ENCRYPTED : 1;
ubyte IS_FIRST_VOLUME : 1;
ubyte _reserved : 5;
ubyte OLD_VERSION_IGNORE : 1;
ubyte ADD_SIZE_PRESENT : 1;
};
enum <byte> FileDictType
{
_64K, _128K, _256K, _512K, _1024K, _2048K, _4096K, _Directory
};
struct FileHeadFlags
{
ubyte from_PREV_VOLUME : 1;
ubyte to_NEXT_VOLUME : 1;
ubyte PASSWORD_ENCRYPTED : 1;
ubyte FILE_COMMENT_PRESENT : 1;
ubyte SOLID : 1;
FileDictType DICTIONARY : 3;
ubyte HIGH_SIZE : 1;
ubyte has_UNICODE_FILENAME : 1;
ubyte ENCRYPTION_SALT : 1;
ubyte IS_OLD_FILE_VERSION : 1;
ubyte EXTENDED_TIME_INFO : 1;
ubyte _reserved : 1;
ubyte OLD_VERSION_IGNORE : 1;
ubyte ADD_SIZE_PRESENT : 1;
};
struct RarBlock
{
local quad iOfs = FTell();
uint16 HEAD_CRC <format=hex, fgcolor=cRed>;
RarBlockType HeadType <fgcolor=cGreen>;
_flags = ReadUShort(FTell());
if (HeadType == ARCHIVE)
MainHeadFlags HEAD_FLAGS;
else if (HeadType == FILE_OR_DIR)
FileHeadFlags HEAD_FLAGS;
else
CommonBlockFlags HEAD_FLAGS;
++iBlocksCounter;
if (HeadType < MARKER || HeadType > _END_)
{
Warning("Unknown Header Type (0x%02x) in Block #%Lu", HeadType, iBlocksCounter);
Printf("Unknown Header Type (0x%02x) in Block #%Lu\n", HeadType, iBlocksCounter);
}
uint16 HeaderSize;
if (HeaderSize < 7)
{
Warning("Invalid block size (%u) in Block #%Lu", HeaderSize, iBlocksCounter);
Printf("Invalid block size (%u) in Block #%Lu\n", HeaderSize, iBlocksCounter);
return -1;
}
if (HeadType != MARKER)
{
local uint16 crcCheck = Checksum(CHECKSUM_CRC32, startof(HeadType), HeaderSize-sizeof(HEAD_CRC)) & 0xFFFF;
if (crcCheck != HEAD_CRC)
{
Warning("Header CRC mismatch in Block #%Lu", iBlocksCounter);
Printf("Header CRC mismatch in Block #%Lu: expected CRC is 0x%X, got 0x%X\n", iBlocksCounter, crcCheck, HEAD_CRC);
++iBadCRCCounter;
}
}
if (HEAD_FLAGS.ADD_SIZE_PRESENT)
uint32 RawDataSize;
else
local uint32 RawDataSize = 0;
switch (HeadType) {
case ARCHIVE:
uint16 _reserved1;
uint32 _reserved2;
if (HEAD_FLAGS.ARCHIVE_COMMENT_PRESENT) struct RarBlock MainComment;
break;
case FILE_OR_DIR:
if (HEAD_FLAGS.DICTIONARY == 7)
{
++iDirs;
FileHeadBlock dir;
}
else
{
++iFiles;
FileHeadBlock file;
}
break;
case COMMENT_OLD:
OldCommentBlock cmm;
break;
case SUBBLOCK_OLD:
OldSubBlocksub;
break;
case SUBBLOCK:
SubBlock sub;
break;
case AV_OLD_1:
++iAV1;
Printf("*** AV was found (RAR v. < 2.60) @ block #%Lu.\n", iBlocksCounter);
break;
case AV_OLD_2:
++iAV2;
Printf("*** AV was found (RAR v. 2.60 - 2.9x) @ block #%Lu.\n", iBlocksCounter);
break;
}
iOfs = HeaderSize - (FTell() - iOfs);
if (iOfs > 0)
ubyte _reserved[iOfs];
if (RawDataSize > 0)
ubyte _raw[RawDataSize] <format=hex, fgcolor=cBlue>;
};
struct FileHeadBlock
{
uint32 UnpackedSize;
iTotalUnpackedSize += UnpackedSize;
OsType Host_OS;
uint32 FileCRC32 <format=hex>;
DOSTIME FileTime;
DOSDATE FileDate;
ubyte VersionToUnpack;
if (VersionToUnpack > iMaxVerToUnpack)
iMaxVerToUnpack = VersionToUnpack;
if (VersionToUnpack < iMinVerToUnpack)
iMinVerToUnpack = VersionToUnpack;
PackMethod Method;
uint16 NameSize;
switch (Host_OS) {
case _Win32:
WinFileAttrs Attributes;
break;
case _MS_DOS:
case _Mac_OS:
case _OS_2:
DosFileAttrs Attributes;
break;
case _Unix:
case _BeOS:
UnixStyleAttrs Attributes;
break;
default:
uint32 Attributes <format=binary>;
}
if (_flags & 0x0100)
{
uint32 HIGH_PACK_SIZE;
uint32 HIGH_UNP_SIZE;
iTotalUnpackSize += (HIGH_UNP_SIZE << 32);
}
if (_flags & 0x0200)
{
++iUniNames;
string FileName;
uint16 WideFileNameData[(NameSize-sizeof(FileName))/2];
}
else
char FileName[NameSize];
if (_flags & 0x0008)
{
RarBlock FileComment; // used in RAR v. <= 3.11
}
if (_flags & 0x0400)
uquad SALT <format=hex>;
};
/////////////////
struct OldCommentBlock {
++iComments;
uint16 UnpackedSize;
ubyte VersionToUnpack;
PackMethod Method;
uint16 CommentCRC <format=hex>;
Printf("*** Old style CommentBlock: (Block #%Lu)\n", iBlocksCounter);
};
struct OldSubBlock {
++iSubBlocks;
SubType_OldStyle SubType;
ubyte _reserved;
Printf("*** Old style SubBlock: %u (Block #%Lu)\n", SubType, iBlocksCounter);
};
struct SubBlock {
++iSubBlocks;
ubyte _unknown_to_me_1[15];
ubyte SubTypeLen;
ubyte _unknown_to_me_2[5];
char SubType[SubTypeLen];
Printf("*** SubBlock: %s (Block #%Lu)\n", SubType+'\0', iBlocksCounter);
switch (SubType) {
case "CMT":
++iComments;
break;
case "AV":
Printf("*** Authenticity Verification info (RAR v. 3.x) @ block #%Lu.\n", iBlocksCounter);
break;
case "RR":
Printf("*** Recovery Record was found (RAR v. 3.x) @ block #%Lu.\n", iBlocksCounter);
break;
}
};
/////////////////
local string fn = GetFileName();
local quad SignaturePos = 0;
local char Signature[SignatureLen];
if (Strstr(fn, ".rar") != Strlen(fn)-4)
{
Warning("Seeking for RAR signature...");
local quad _p = FindFirst(RarSignature);
if (_p >= 0)
FSeek(_p);
else
{
Warning("Not a RAR archive!");
return -1;
}
Warning("RAR signature found at 0x%08x.", _p);
Printf("RAR signature found at 0x%08x.\n", _p);
}
else
{
ReadBytes(Signature, SignaturePos, SignatureLen);
if (Strcmp(Signature, RarSignature))
{
Warning("Invalid RAR Archive Signature!");
return SignaturePos;
}
}
RarBlock Marker;
RarBlock ArcHeader;
if (ArcHeader.HeadType != ARCHIVE)
{
Warning("Main archive header is either bad or missing!");
return -2;
}
else
{
Printf("It is a %s%s %s %s RAR archive.\n",
SignaturePos > 0 ? "SelF-eXtractable " : "",
ArcHeader.HEAD_FLAGS.ARCHIVE_LOCKED ? "LOCKED" : "non-locked",
ArcHeader.HEAD_FLAGS.ARCHIVE_SOLID ? "SOLID" : "regular",
ArcHeader.HEAD_FLAGS.ARCHIVE_VOLUME ? "VOLUME'd" : "one-part");
if (ArcHeader.HEAD_FLAGS.ARCHIVE_COMMENT_PRESENT)
Printf("Main comment is present.\n");
if (ArcHeader.HEAD_FLAGS.AV_PRESENT)
Printf("Old style Authenticity Verification is present.\n");
if (ArcHeader.HEAD_FLAGS.RECOVERY_PRESENT)
Printf("Recovery Record is present.\n");
if (ArcHeader.HEAD_FLAGS.BLOCK_HEADERS_ENCRYPTED)
{
Printf("It's an encrypted archive. Cannot proceed, exiting...\n");
return -3;
}
}
while (!FEof())
{
RarBlock block;
}
if (block.HeadType != _END_ && iMaxVerToUnpack > 20)
{
Warning("END Marker block was expected here.");
}
if (iFiles || iDirs)
{
Printf("Version to unpack: %u.%u\n", iMaxVerToUnpack / 10, iMaxVerToUnpack % 10);
if (iMinVerToUnpack != iMaxVerToUnpack)
Printf("Some data can also be retrieved by an earlier version of %u.%u\n",
iMinVerToUnpack /10, iMinVerToUnpack %10);
}
Printf("Files: %Lu, Dirs: %Lu, Comments: %Lu, SubBlocks: %Lu, Unpacked Size: %Lu\n", iFiles, iDirs, iComments, iSubBlocks, iTotalUnpackedSize);
Printf("UNICODE Names: %Lu\n", iUniNames);
if (iBadCRCCounter)
Printf("%Lu blocks corrupted.\n", iBadCRCCounter);
Printf("Done. %Lu blocks processed.\n", iBlocksCounter);

58
cparser/RDBTemplate.bt Normal file
View File

@ -0,0 +1,58 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: RDBTemplate.bt
// Author: AnTler
// Revision: 1.0
// Purpose: Defines a template for parsing RDB files.
// Changes:
//-----------------------------------
// Define structures used in RDB files
// Defines a file header
typedef struct {
CHAR reserved[16];
DWORD fhFileTotalCount;
INT64 fhFileNameOffBits <format=hex>;
INT64 fhFileDataOffBits <format=hex>;
} RDBFILEHEADER ;
// Defines a file record
typedef struct {
local INT fileNameLength = 0;
local USHORT value = 0;
do
{
value = ReadUShort( FTell() + fileNameLength) ;
fileNameLength += sizeof(value);
} while(value != 0x0000);
CHAR frCurFileName[fileNameLength];
INT64 frCurFileDataOffBits <format=hex>;
INT64 frCurFileDataSize;
} RDBFILERECORD <read=ReadRDBFILERECORD>;
string ReadRDBFILERECORD( RDBFILERECORD &r )
{
string s;
SPrintf( s, "%s", r.frCurFileName);
return s;
}
//--------------------------------------------
// Define the file
LittleEndian();
RDBFILEHEADER rdbFileHeader;
FSeek(rdbFileHeader.fhFileNameOffBits);
local int i;
for( i = 0; i < rdbFileHeader.fhFileTotalCount; i++ )
RDBFILERECORD rdbFileRecord;

552
cparser/RESTemplate.bt Normal file
View File

@ -0,0 +1,552 @@
//------------------------------------
//--- 010 Editor v1.2 Binary Template
//
// Author: Sergey Evtushenko wildcar@mail.ru
// Purpose: Display resources structure of a res file or PE file with Resources
// Info for the .rsrc section format in PE file was taken from http://msdn.microsoft.com/en-us/library/ms809762.aspx,
// but full understanding came after this https://forum.intern0t.org/security-tutorials-guides/4135-portable-executable-format-its-rsrc-section.html
// Info for RES file format was taken from http://msdn.microsoft.com/en-us/library/windows/desktop/ms648007(v=vs.85).aspx
// There is not all the pure truth but there is some info at least
// Additionally this template display the VersionInfo resource structure
// Info for this format was taken from http://msdn.microsoft.com/en-us/library/windows/desktop/ff468916(v=vs.85).aspx
// There is also not all the truth but there is some info at least
// This template is using modified EXETemplate for skip right to rsrc section. Thanks to Blaine Lefebvre for it.
// File mask: *.res, *.exe, *.dll
// Date: 2014-07-29
// Place: Zaprudnya (sometimes Moscow), Russia
// Local global variables :)
local int64 rsrc_va, rsrc_sa, rsrc_ea, res_level;
local int32 rTypeID, rNameID, rLanguageID;
local int res_show_log=0; // Switch it to 1 for verbose output (there is output only for PE)
// Skip right to the .rsrc section
GoTo_rsrc_section();
if (rsrc_va>0)
{
//PE file detected
RESfromPEDiscover();
}
else
{
// else we think that it is a RES file
RESfromRESDiscover();
}
// DOS exe format
typedef struct {
char Signature[2];
WORD LengthOfImage;
WORD SizeOfFile;
WORD NumberOfRelocationItems;
WORD SizeOfHeader;
WORD MinPara;
WORD MaxPara;
WORD OffsetStack;
WORD InitialSp;
WORD NegativeChecksum;
WORD InitialIp;
WORD OffsetCs;
WORD OffsetFirstRelocationItem;
WORD OverlayNumber;
WORD Res1;
WORD Res2;
WORD Res3;
WORD Res4;
WORD OemId;
WORD OemInfo;
WORD Res5[10];
DWORD OffsetToPEHeader;
} DosExeHeader;
typedef struct {
int32 DirExport;
int32 DirExportSize;
int32 DirImport;
int32 DirImportSize;
int32 DirResource;
int32 DirResourceSize;
int32 DirException;
int32 DirExceptionSize;
int32 DirSecurity;
int32 DirSecuritySize;
int32 DirBasereloc;
int32 DirBaserelocSize;
int32 DirDebug;
int32 DirDebugSize;
int32 DirArchitecture;
int32 DirArchitectureSize;
int32 DirGlobalptr;
int32 DirGlobalptrSize;
int32 DirTls;
int32 DirTlsSize;
int32 DirLoadConfig;
int32 DirLoadConfig_size;
int32 DirBoundImport;
int32 DirBoundImportSize;
int32 DirIat;
int32 DirIatSize;
int32 DirDelayImport;
int32 DirDelayImportSize;
int32 DirComDescriptor;
int32 DirComDescriptorSize;
int32 DirX;
int32 DirXSize;
} DataDirectory;
typedef struct {
int32 rva;
int32 size;
} DataDir;
typedef struct {
char Sig[4];
int16 CpuType;
int16 NumSections;
time_t Tm;
int32 PointerToSymbolTable;
int32 NumberOfSymbols;
int16 NtHeaderSize;
int16 Flags;
} PeHeader;
typedef struct {
int16 Res3;
char LMajor;
char LMinor;
int32 SizeOfCode;
int32 SizeOfInitData;
int32 SizeOfUninitData;
int32 EntrypointRva;
int32 BaseOfCode;
int32 BaseOfData;
int32 ImageBase;
int32 SectionAlign;
int32 FileAlign;
int16 OsMajor;
int16 OsMinor;
int16 UserMajor;
int16 UserMinor;
int16 SubsystemMajor;
int16 SubsystemMinor;
int32 Win32VersionValue;
int32 ImageSize;
int32 HeaderSize;
int32 FileChecksum;
int16 Subsystem;
int16 DllFlags;
int32 StackReserveSize;
int32 StackCommitSize;
int32 HeapReserveSize;
int32 HeapCommitSize;
int32 LoaderFlags;
int32 NumInterestingRvaSize;
} OptionalHeader;
typedef struct{
char Name[8];
int32 VirtualSize;
int32 VirtualAddress;
int32 SizeOfRawData;
int32 PointerToRawData;
int32 PointerToRelocations;
int32 PointerToLinenumbers;
int16 NumberOfRelocations;
int16 NumberOfLinenumbers;
int32 Characteristics;
} SectionTable;
void GetResourceDirectory()
{
res_level+=1;
struct
{
local int32 j;
uint32 Characteristics;
DOSTIME TimeStamp;
DOSDATE DataStamp;
uint16 MajorVersion;
uint16 MinorVersion;
uint16 NumberOfNameEntries;
uint16 NumberOfIDEntries;
for( j=0;j<NumberOfNameEntries;j++)
{
struct
{
local int64 currentaddress;
uint32 NameRVA:31 <format=hex>;
int TopBit:1;
currentaddress= FTell();
FSeek(rsrc_sa+NameRVA);
int16 Length;
wchar_t UnicodeString[Length];
if (res_show_log==1){Printf("\nLevel %d. ",res_level);}
if (res_show_log==1){Printf("Name: %s",UnicodeString);}
FSeek(currentaddress);
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(rsrc_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
};
} DirectoryNameEntry;
};
for( j=0;j<NumberOfIDEntries;j++)
{
struct
{
local int64 currentaddress;
switch( res_level )
{
case 1:
uint32 IntegerID <comment=ShowType>;
rTypeID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowType(rTypeID));}
break;
case 2:
uint32 IntegerID <comment=ShowName>;
rNameID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowName(rNameID));}
break;
case 3:
uint32 IntegerID <comment=ShowLanguage>;
rLanguageID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowLanguage(rLanguageID));}
break;
}
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(rsrc_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
}
else
{
FSeek(rsrc_sa+DataEntryRVA);
struct
{
local int64 ba1, ba2;
int32 DataRVA <format=hex>;
int32 Size;
int32 Codepage;
int32 Reserved;
FSeek(DataRVA-(rsrc_va-rsrc_sa));
if (rTypeID==16)
{
struct
{
ba1=FTell();
char VersionInfoRAWData[Size];
ba2=FTell();
FSeek(ba1);
VersionInfo();
FSeek(ba2);
} versioninfo;
}
else
{
char ResourceRAWData[Size];
};
} DataEntry;
FSeek(currentaddress);
};
} DirectoryIDEntry;
};
} DirectoryTable;
res_level-=1;
};
string ShowType(uint32 ID)
{
local string s;
switch( ID)
{
case 1: s="Cursor";break;
case 2: s="Bitmap";break;
case 3: s="Icon";break;
case 4: s="Menu";break;
case 5: s="Dialog box";break;
case 6: s="String table entry";break;
case 7: s="Font directory";break;
case 8: s="Font";break;
case 9: s="Accelerator table";break;
case 10: s="Application defined resource (raw data)";break;
case 11: s="Message table entry";break;
case 12: s="Group cursor";break;
case 14: s="Group icon";break;
case 16: s="Version information";break;
case 17: s="Dlginclude";break;
case 19: s="Plug and play resource";break;
case 20: s="VXD";break;
case 21: s="Animated cursor";break;
case 22: s="Animated icon";break;
case 23: s="HTML";break;
case 24: s="Side-by-side assembly manifest";break;
}
SPrintf( s, "1. Resource type: %s", s );
return s;
}
string ShowName(uint32 ID)
{
local string s;
SPrintf( s, "2. Name ID: %d", ID );
return s;
}
string ShowSName(wstring Str)
{
local string s;
SPrintf( s, "2. Name: %s", Str );
return s;
}
string ShowLanguage(uint32 ID)
{
local string s;
SPrintf( s, "3. Language ID: %d", ID );
return s;
}
void RESfromPEDiscover()
{
rsrc_sa=FTell();
struct
{
if (res_show_log==1) Printf("\nResources list.");
res_level=0;
GetResourceDirectory();
} ResourcesStructure;
}
void GoTo_rsrc_section()
{
local int32 i;
rsrc_sa=0;
rsrc_va=0;
DosExeHeader DOSHead <hidden=true>;
//Check if this is a PE file, if not we cannot get the rsrc section, probably this is a plain .res file, so we should start from 0
if ( !Memcmp(DOSHead.Signature,"MZ",2) )
{
char dosstub[DOSHead.OffsetToPEHeader-(DOSHead.SizeOfHeader*0x10)] <hidden=true>;
PeHeader PEHead <hidden=true>;
if ( !Memcmp(PEHead.Sig,"PE",2) )
{
OptionalHeader OptionalHead <hidden=true>;
DataDir dd[16] <hidden=true>;
SectionTable sec[PEHead.NumSections] <hidden=true>;
for ( i = 0 ; i < PEHead.NumSections ; i++ )
{
FSeek(sec[i].PointerToRawData);
if ( !Strcmp(sec[i].Name,".rsrc") )
{
rsrc_sa=FTell();
rsrc_va=sec[i].VirtualAddress;
}
}
}
}
FSeek(rsrc_sa);
}
int Padding4Bytes(int Value)
{
return (Value%4>0)*(4-Value%4);
}
void VersionInfo()
{
struct
{
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
if (!Strcmp(szKey,"VS_VERSION_INFO")) // Check that it is true VS_VERSION_INFO (The 1st step)
{
byte padding_n[Padding4Bytes(sizeof(wValueLength))];
struct
{
DWORD dwSignature <format=hex>;
struct
{
WORD StructureMinorVersion;
WORD StructureMajorVersion;
} dwStrucVersion;
struct
{
WORD FileMinorVersion;
WORD FileMajorVersion;
} dwFileVersionMS;
struct
{
WORD FileBuildNumber;
WORD FileRevision;
} dwFileVersionLS;
struct
{
WORD FileMinorVersion;
WORD FileMajorVersion;
} dwProductVersionMS;
struct
{
WORD FileBuildNumber;
WORD FileRevision;
} dwProductVersionLS;
DWORD dwFileFlagsMask;
DWORD dwFileFlags;
DWORD dwFileOS;
DWORD dwFileType;
DWORD dwFileSubtype;
DWORD dwFileDateMS;
DWORD dwFileDateLS;
} VS_FIXEDFILEINFO;
if (VS_FIXEDFILEINFO.dwSignature==0xFEEF04BD) // Check that it is true VS_VERSION_INFO (The 2nd step)
{
byte Padding2[Padding4Bytes(sizeof(VS_FIXEDFILEINFO))]; // Should be no reason this to exist
// Check of StringFileInfo existence
struct
{
FSkip(6);
wstring szKeyCheck <hidden=true>;
FSkip(-6-sizeof(szKeyCheck));
if (!Strcmp(szKeyCheck,"StringFileInfo"))
{
local int HeaderLength;
local int64 LenghtLeft;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
LenghtLeft=wLength-HeaderLength-Padding4Bytes(HeaderLength);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
local int64 LenghtLeft;
LenghtLeft=wLength-6-sizeof(szKey);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
wstring Value;
byte padding_v[Padding4Bytes(sizeof(Value))];
}String;
LenghtLeft-=sizeof(String);
}
}StringTable;
LenghtLeft-=sizeof(StringTable);
}
}
} StringFileInfo;
// Check of VarFileInfo existence
struct
{
FSkip(6);
wstring szKeyCheck <hidden=true>;
FSkip(-6-sizeof(szKeyCheck));
if (!Strcmp(szKeyCheck,"VarFileInfo"))
{
local int HeaderLength;
local int64 LenghtLeft;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
LenghtLeft=wLength-HeaderLength-Padding4Bytes(HeaderLength);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
DWORD Value <format=hex>;
} Var;
LenghtLeft-=sizeof(Var);
}
}
} VarFileInfo;
}
}
} VS_VERSIONINFO;
}
void RESfromRESDiscover()
{
while (!FEof())
{
struct
{
DWORD DataSize;
DWORD HeaderSize;
WORD TYPE_type;
if (TYPE_type==0xFFFF)
{
WORD TYPE <comment=ShowType>;
}
else
{
FSkip(-2);
wstring sType;
byte padding_t[Padding4Bytes(sizeof(sType))];
}
WORD NAME_type;
if (NAME_type==0xFFFF)
{
WORD NAME <comment=ShowName>;
}
else
{
FSkip(-2);
wstring sName <comment=ShowSName>;
local int32 pn_size;
byte padding_n[Padding4Bytes(sizeof(sName))];
}
DWORD DataVersion;
WORD MemoryFlags;
WORD LanguageId <comment=ShowLanguage>;
DWORD Version;
DWORD Characteristics;
char ResourceRAWData[DataSize];
if (TYPE==16)
{
local int64 ba1, ba2;
ba2=FTell();
ba1=ba2-DataSize;
FSeek(ba1);
VersionInfo();
FSeek(ba2);
}
byte padding[Padding4Bytes(DataSize)];
} Resource;
}
}

149
cparser/RIFFTemplate.bt Normal file
View File

@ -0,0 +1,149 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: RIFFTemplate.bt
// Author: gocha
// Revision: 1.0
// Purpose: Defines a template for
// parsing generic RIFF files.
//-----------------------------------
typedef CHAR ID[4];
local int cOverTheRainbowIndex = 0;
local int cOverTheRainbow[12] = {
0xbfbfef,
0xbfcfef,
0xbfefef,
0xbfefcf,
0xbfefbf,
0xcfefbf,
0xefefbf,
0xefcfbf,
0xefbfbf,
0xefbfcf,
0xefbfef,
0xcfbfef
};
local int cGrayZone = 0xd9dadc;
local int COLOR_LUT_LENGTH = sizeof(cOverTheRainbow) / sizeof(cOverTheRainbow[0]);
//-----------------------------------
// Define structures used in RIFF files
typedef struct {
ID chunkID;
DWORD chunkSize;
UCHAR data[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} CHUNK <read=ReadCHUNK>;
string ReadCHUNK( struct CHUNK &s )
{
return s.chunkID;
}
//typedef struct LISTCHUNK LISTCHUNK;
struct LISTCHUNK {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
local char tag[5];
local DWORD size;
while( FTell() - pos < chunkSize )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
if( FTell() - pos + size > chunkSize ){
Printf( "Chunk '%s' of size %d at position 0x%LX exceeds the parent chunk size boundary.\n", tag, size, FTell() );
return -1;
}
// See which chunk this is
switch( tag )
{
case "LIST":
SetBackColor( cGrayZone );
struct LISTCHUNK list;
break;
default:
SetBackColor( cOverTheRainbow[cOverTheRainbowIndex] );
cOverTheRainbowIndex = (cOverTheRainbowIndex + 1) % COLOR_LUT_LENGTH;
CHUNK subchunk;
break;
}
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
};
typedef struct
{
ID groupID;
DWORD size;
ID riffType;
} RIFFHEADER;
//---------------------------------------------
// Define the headers
local quad riff_pos = FTell();
LittleEndian();
SetBackColor( cGrayZone );
RIFFHEADER header;
// Check for valid header
if( header.groupID != "RIFF" )
{
Warning( "File is not a valid RIFF file. Template stopped." );
return -1;
}
// Read the file as a set of chunks
local char tag[5];
local DWORD size;
while( FTell() + 8 <= FileSize() && FTell() - riff_pos != header.size + 8 )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
// See which chunk this is
switch( tag )
{
case "LIST":
SetBackColor( cGrayZone );
LISTCHUNK list;
break;
default:
SetBackColor( cOverTheRainbow[cOverTheRainbowIndex] );
cOverTheRainbowIndex = (cOverTheRainbowIndex + 1) % COLOR_LUT_LENGTH;
CHUNK chunk;
break;
}
}
// Verify the whole file size
local quad actual_size = FTell() - riff_pos;
if( actual_size != 8 + header.size )
{
Printf( "RIFF file size mismatch (header value %Ld, actual size %Ld).\n", header.size, actual_size - 8 );
return -1;
}

278
cparser/ROMFS.bt Normal file
View File

@ -0,0 +1,278 @@
//--------------------------------------
//--- 010 Editor v5.0beta1 Binary Template
//
// File: ROMFS.bt
// Author: Jordan Milne <jordan.milne-sw@saynotolinux.com>
// Revision: v0.2
// Purpose: Reverse engineering romfs images used in embedded devices
//--------------------------------------
//test suite in hex format at https://github.com/chexum/genromfs/tree/master/selftest
//format documentation at https://www.kernel.org/doc/Documentation/filesystems/romfs.txt
RequiresVersion(4, 0);
//RomFS uses big endian throughout
BigEndian();
//Color correct checksums green, bad checksums red
//Print warnings about correctness issues
#define STRICT_CHECKS 1
//Max number of bytes to read for the superblock checksum
//Defaults to 512 as per the spec.
#define MAX_SB_CHECKSUM_BYTES 512
//Magic bytes that identify a romfs image
#define MAGIC_BYTES_LEN 8
local char MAGIC_BYTES[] = "-rom1fs-";
//round up to the nearest multiple of 16
int pad16(int val)
{
return ((val & 0xf) ? (val + 16) & ~0xf : val);
}
//returns 0 for correct magic bytes, anything else is failure
int RomFSCheckMagicBytes()
{
local char found_bytes[MAGIC_BYTES_LEN];
ReadBytes(found_bytes, 0, MAGIC_BYTES_LEN);
return (Memcmp(MAGIC_BYTES, found_bytes, MAGIC_BYTES_LEN));
}
//returns 0 if checksum field for the superblock is correct and generate is 0
//returns the generated checksum if generate is 1
int32 RomFSSBChecksum(int generate)
{
local int64 skip_pos = -1;
local int32 sum;
//skip the checksum field when calculating the checksum
if(generate)
skip_pos = 3;
sum = RomFSChecksum(0, MAX_SB_CHECKSUM_BYTES, skip_pos);
//negate sum so checksum will work out to 0 when put it's put in the checksum field
//and generate is 0
if(generate)
sum = -sum;
return sum;
}
//alternative to ChecksumAlgStr CHECKSUM_INT_BE that can skip a byte
int32 RomFSChecksum(int64 pos, int64 num_bytes, int64 skip_pos)
{
local int64 i;
local int32 sum = 0;
local int64 file_size = FileSize();
if(num_bytes > file_size)
num_bytes = file_size;
//convert the number of bytes to number of ints
local int64 len = num_bytes >> 2;
for(i = 0; i < len; ++i)
{
if(i != skip_pos)
sum += ReadInt(pos + (i * 4));
}
return sum;
}
//get the length of the RomFS string at pos
int RomFSReadStringLength(int64 pos)
{
return pad16(ReadStringLength(pos));
}
//ROMFS strings are null-terminated and padded to 16 byte boundaries.
typedef struct {
string val;
//length (including terminating null)
local int len = Strlen(val) + 1;
local int pad_len = 16 - (len % 16);
//take up the rest of the space to reach the 16 byte boundary
if(pad_len)
char padding[pad_len];
} RomFSString <read=ReadRomFSString, write=WriteRomFSString>;
string ReadRomFSString(RomFSString& v)
{
string s;
SPrintf( s, "%s", v.val );
return s;
}
//Beware strings shorter than than old_len % 16 and longer than old_len + pad,
//they'll invalidate all of the positions (next_header, etc) in the entire image. Oh dear!
void WriteRomFSString(RomFSString& orig_str, string s)
{
local int start = startof(orig_str);
//Delete the old string + padding
DeleteBytes(start, RomFSReadStringLength(start));
//Make way for the new string
InsertBytes(start, pad16(Strlen(s) + 1));
//write in the new string
WriteString(start, s);
}
typedef struct {
#ifdef STRICT_CHECKS
if(RomFSCheckMagicBytes())
{
SetBackColor(cLtRed);
Printf("Incorrect magic bytes at %xh, expected \"%s\"\n", FTell(), MAGIC_BYTES);
}
else
SetBackColor(cLtGreen);
#endif
char magic_bytes[MAGIC_BYTES_LEN] <comment="Magic bytes">;
SetBackColor(cNone);
uint32 fs_size <comment="Filesystem size (in bytes)">;
#ifdef STRICT_CHECKS
//verify the checksum of the superblock (image)
if(RomFSSBChecksum(0))
{
SetBackColor(cLtRed);
Printf("Checksum Mismatch on superblock at %xh\n", FTell());
}
else
SetBackColor(cLtGreen);
#endif
int32 checksum <comment="Sum of the first 512 (or all, if the file is smaller) bytes of the file">;
SetBackColor(cNone);
RomFSString vol_name;
} RomFSHeader;
typedef enum rom_fs_entry_type {
HARD_LINK = 0,
DIRECTORY = 1,
FILE = 2,
SYMLINK = 3,
BLOCK_DEV = 4,
CHAR_DEV = 5,
SOCKET = 6,
FIFO = 7
} RomFSEntryType;
typedef int32 RomFSNextHeader <read=ReadNextHeader, write=WriteNextHeader>;
typedef struct {
RomFSNextHeader next_header : 28 <name="next_header", comment="Position of the next entry in the directory">;
int executable : 1 <name="executable", comment="Whether or not the entry is executable">;
RomFSEntryType type : 3 <name="type", comment="Type of entry">;
} RomFSObjectHdr <optimize=false, read=ReadRomFSObjectHdr>;
string ReadRomFSObjectHdr(RomFSObjectHdr& hdr)
{
string s;
SPrintf(s, "Exec: %d, Next: %s", hdr.executable, ReadNextHeader(hdr.next_header));
return s;
}
string ReadNextHeader(int32 next_header)
{
string s;
SPrintf(s, "%d", next_header << 4);
return s;
}
void WriteNextHeader(RomFSNextHeader& v, string s)
{
SScanf(s, "%d", v);
v >>= 4;
}
//some people generate invalid dir entries for . and ..
//and mess up parsing. ignore them.
int ValidDirName(string name)
{
return (name != "." && name != "..");
}
typedef struct {
SetBackColor(cLtPurple);
RomFSObjectHdr header;
SetBackColor(0xB9E2FF);
local RomFSEntryType type = header.type;
if(type == DIRECTORY)
int32 special_info <comment="position of the first file entry">;
else if(type == HARD_LINK)
int32 special_info <comment="link destination">;
else if(type == BLOCK_DEV)
int32 special_info <comment="16/16 major/minor number">;
else
int32 special_info <comment="Must be zero">;
int32 data_size <comment="Size of data in bytes (should be 0 except for files and symlinks">;
local int64 struct_start = startof(this);
#ifdef STRICT_CHECKS
//get the length of the struct (with the filename)
local int64 struct_len = 16 + RomFSReadStringLength(struct_start + 16);
if(RomFSChecksum(struct_start, struct_len, -1))
{
Printf("Checksum Mismatch on entry at %xh\n", FTell());
SetBackColor(cRed);
}
else
SetBackColor(cGreen);
#endif
int32 checksum <comment="Checksum for the entire entry excluding data field">;
SetBackColor(0xE2B9FF);
RomFSString name;
if(data_size)
{
SetBackColor(0xFFE2B9);
ubyte data[data_size] <comment="File contents or symlink destination">;
}
} RomFSObject <read=ReadRomFSObject, optimize=false>;
//Try to create entries for the subdirectory's children (if it's a directory and it has children)
void RomFSTryRecurse(RomFSObject& obj)
{
//don't recurse down self-referential or invalid directories
if(obj.header.type == DIRECTORY && ValidDirName(obj.name.val) && obj.special_info != startof(obj))
Recurse(obj.special_info);
}
string ReadRomFSObject(RomFSObject& v)
{
string s;
string type = EnumToString(v.header.type);
SPrintf(s, "%s: %s", type, v.name.val);
return s;
}
RomFSHeader header<optimize=false, comment="Filesystem header">;
void Recurse(int64 pos)
{
//while there are still files in the directory
while(pos)
{
FSeek(pos);
RomFSObject entry<comment="Filesystem entry">;
//Get the position of the next entry in the current directory
pos = entry.header.next_header << 4;
//Parse all of the children of this entry if it's valid directory
RomFSTryRecurse(entry);
}
}
Recurse(FTell());

281
cparser/RegistryHive.bt Normal file
View File

@ -0,0 +1,281 @@
//--------------------------------------
//--- 010 Editor v6.0.1 Binary Template
//
// File: RegistryHive.bt
// Author: Eric R. Zimmerman saericzimmerman@gmail.com
// Revision: 1.2
// Purpose: Parses Registry structures including Header, nk, vk, sk, and list records. Data node records are skipped
//--------------------------------------
LittleEndian();
// Defines a header record
typedef struct {
// Header for the file
char HeaderSignature[4] <fgcolor=cBlack, bgcolor=0x00ff00>;
int PrimarySequenceNumber;
int SecondarySequenceNumber;
FILETIME LastWriteTime <fgcolor=cBlack, bgcolor=0xDFF4FF>;
int MajorVersion <fgcolor=cBlack, bgcolor=cLtRed>;
int MinorVersion <fgcolor=cBlack, bgcolor=cRed>;
int FileType;
int Unknown;
int RootKeyOffset <fgcolor=cBlack, bgcolor=cLtBlue>;
int HbinTotalSize <fgcolor=cBlack, bgcolor=cPurple, format=hex>;
int Unknown2;
wchar_t EmbeddedFilename[32] <fgcolor=cBlack, bgcolor=cLtGreen>;
char Unknown3[396];
int Checksum;
} REGISTRYHEADER <size=4096> ;
typedef struct (int recordSize) {
int Size;
char Signature[2] <fgcolor=cBlack, bgcolor=0x00ff10>;
short Flags <format=binary>;
FILETIME LastWriteTime <fgcolor=cBlack, bgcolor=0xDFF4FF>;
int Spare;
int ParentCellOffset;
int SubkeyCountStable <fgcolor=cBlack, bgcolor=cLtBlue>;
int SubkeyCountVolatile;
int SubkeyListOffsetStable <fgcolor=cBlack, bgcolor=cLtBlue>;
int SubkeyListOffsetVolatile;
int ValueCount <fgcolor=cWhite, bgcolor=cDkGray>;
int ValuelistOffset <fgcolor=cBlack, bgcolor=cGray>;
int SecurityKeyOffset;
int ClassOffset;
short MaxNameLength;
byte UserVirtFlags;
byte Debug;
int MaxClassLength;
int MaxValueNameLength;
int MaxValueDataLength;
int WorkVar;
short NameLength <fgcolor=cBlack, bgcolor=cAqua>;
short ClassLength;
char Name[NameLength] <fgcolor=cBlack, bgcolor=cLtAqua>;
local int PaddingSize = recordSize - 0x50 - NameLength;
if (PaddingSize > 0)
{
char Padding[recordSize - 0x50 - NameLength];
}
} NKCELL <read=ReadNKCell, optimize=false>;
string ReadNKCell( NKCELL &nk )
{
return nk.Name;
}
typedef struct (int recordSize) {
int Size;
char Signature[2] <fgcolor=cBlack, bgcolor=0x00ff10>;
short NameLength <fgcolor=cBlack, bgcolor=cAqua>;
int DataLength;
int DataOffset;
int Type;
short Flags <format=binary>;
short Spare;
if (NameLength>0)
{
char Name[NameLength] <fgcolor=cBlack, bgcolor=cLtAqua>;
}
local int PaddingSize = recordSize - 0x18 - NameLength;
if (PaddingSize > 0)
{
char Padding [recordSize - 0x18 - NameLength];
}
} VKCELL <read=ReadVKCell, optimize=false>;
string ReadVKCell( VKCELL &vk )
{
if (vk.NameLength > 0)
{
return vk.Name;
}
else
{
return "(Default)";
}
}
typedef struct (int recordSize) {
byte AceType;
byte AceFlags;
short AceSize;
int Mask <format=binary>;
char SID[AceSize - 8]; //account for 2 bytes, short, and int
} ACE <optimize=false>;
typedef struct (int recordSize) {
byte AclRevision;
byte Sbz1;
short AclSize;
short AceCount;
short Sbz2;
if (AclSize > 0)
{
local int aceSize = 0;
local int i;
for (i = 0; i < AceCount; i++)
{
aceSize=ReadInt(FTell()+2);
ACE Ace(aceSize);
}
}
} ACL <optimize=false>;
typedef struct (int recordSize) {
byte Revision;
byte Spare;
short ControlFlag <format=binary>;
int OffsetToOwner;
int OffsetToGroup;
int OffsetToSACL;
int OffsetToDACL;
local int sizeSACL = OffsetToDACL - OffsetToSACL;
local int sizeDACL = OffsetToOwner - OffsetToDACL;
local int sizeOwnerSid = OffsetToGroup - OffsetToOwner;
local int sizeGroupSid = recordSize - OffsetToGroup;
if ((ControlFlag & 0x010) == 0x010) //0x010 == SeSaclPresent
{
ACL SACL(sizeSACL);
}
if ((ControlFlag & 0x004) == 0x004) //0x004 == SeDaclPresent
{
ACL DACL(sizeDACL);
}
char OwnerSID[sizeOwnerSid];
char GroupSID[sizeGroupSid];
} DESCRIPTOR <optimize=false>;
typedef struct (int recordSize) {
int Size;
char Signature[2] <fgcolor=cBlack, bgcolor=0x00ff10>;
short Reserved;
int Flink;
int Blink;
int ReferenceCount;
int DescriptorLength;
if (DescriptorLength)
{
DESCRIPTOR Descriptor(DescriptorLength);
}
local int PaddingSize = recordSize - 0x18 - DescriptorLength;
if (PaddingSize > 0)
{
char Padding[recordSize - 0x18 - DescriptorLength];
}
} SKCELL <optimize=false>;
typedef struct {
int Offset;
char Hash[4];
} LXOFFSET <optimize=false>;
typedef struct (int recordSize) {
int Size;
char Signature[2] <fgcolor=cBlack, bgcolor=0x00ff10>;
short NumberOfOffsets;
if (NumberOfOffsets > 0)
{
LXOFFSET offsets[NumberOfOffsets];
}
local int PaddingSize = recordSize-8-(8*NumberOfOffsets);
if (PaddingSize > 0)
{
char Padding[recordSize-8-(8*NumberOfOffsets)];
}
} LXLIST <optimize=false>;
typedef struct (int recordSize) {
int Size;
char Signature[2] <fgcolor=cBlack, bgcolor=0x00ff10>;
short NumberOfOffsets;
LXOFFSET offsets[NumberOfOffsets];
} LILIST <optimize=false>;
typedef struct {
char HbinSignature[4] <fgcolor=cBlack, bgcolor=0x00ff10>;
int RelativeOffset;
int SizeOfHbin;
int Unknown1;
int Unknown2;
FILETIME Timestamp <fgcolor=cBlack, bgcolor=0xDFF4FF>;
int unknown3;
local string sig;
local int index = 0;
local int cellSize = ReadInt(FTell());
while (index < SizeOfHbin)
{
sig = GetCellSignature();
cellSize = ReadInt(FTell());
if (cellSize == 0)
{
break; //safety net
}
switch( sig )
{
case "nk" : NKCELL nk(Abs(cellSize)); break;
case "sk" : SKCELL sk(Abs(cellSize)); break;
case "vk" : VKCELL vk(Abs(cellSize)); break;
case "li" : LILIST li(Abs(cellSize)); break;
case "lf" : LXLIST lf(Abs(cellSize)); break;
case "lh" : LXLIST lh(Abs(cellSize)); break;
default :
//Printf("Sig = %s \n",sig); //print out signatures of unknowns
FSkip(Abs(cellSize)); //skip data cells
}
index+=Abs(cellSize);
}
} HBINRECORD <size=SizeHbinRecord, optimize=false>;
int SizeHbinRecord( HBINRECORD &r)
{
return ReadInt(startof(r)+8);
}
char[] GetCellSignature()
{
//Read 4 bytes away from current to get the signature string
return ReadString(FTell() + 4, 2);
}
REGISTRYHEADER Header <bgcolor=cLtPurple>;
local int indexPosition = FTell();
local int indexPosStart = indexPosition;
local int absoluteEndPosition = Header.HbinTotalSize + 0x1000;
while (indexPosition < absoluteEndPosition)
{
HBINRECORD Hbin ;
indexPosition+= Hbin.SizeOfHbin;
}

145
cparser/RegistryPolicyFileTemplate.bt Normal file
View File

@ -0,0 +1,145 @@
//
// 010 Editor v4.0.3d Binary Template
//
// File: RegistryPolicyFileTemplate.bt
// Author: Blake Frantz (blakefrantz at gmail dot com)
// Revision: 1.0, Last Updated on 6 Mar 2013.
// Purpose: Parse registry.pol files.
// See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx
//
const DWORD REG_SZ = 1;
const DWORD REG_EXPAND_SZ = 2;
const DWORD REG_BINARY = 3;
const DWORD REG_DWORD = 4;
const DWORD REG_MULTI_SZ = 7;
typedef struct
{
CHAR LBRACKET[2] <hidden=true>;
wstring Key;
SHORT seperator0 <hidden=true>;
wstring ValueName;
SHORT seperator1 <hidden=true>;
DWORD Type <comment=DataValueTypeComment>;
SHORT seperator2 <hidden=true>;
DWORD DataSize;
SHORT seperator3 <hidden=true>;
union {
UBYTE Raw[DataSize];
DWORD Int;
wstring String;
} Data;
CHAR RBRACKET[2] <hidden=true>;
} REGISTRY_RECORD <comment=RegistryRecordComment>;
string DataValueTypeComment( DWORD type )
{
string comment = "";
switch ( type )
{
case REG_SZ : comment = "REG_SZ"; break;
case REG_EXPAND_SZ: comment = "REG_EXPAND_SZ"; break;
case REG_BINARY : comment = "REG_BINARY"; break;
case REG_DWORD : comment = "REG_DWORD"; break;
case REG_MULTI_SZ : comment = "REG_MULTI_SZ"; break;
default : comment = "UNKNOWN_TYPE"; break;
}
return comment;
}
string RegistryRecordComment( REGISTRY_RECORD &record )
{
string comment;
uchar tempBuffer[ sizeof(record) ];
ReadBytes( tempBuffer, startof(record), sizeof(record) );
string result;
ChecksumAlgArrayStr( CHECKSUM_CRC32, result, tempBuffer, sizeof(record));
if(WStrnicmp(record.ValueName, "**Del.", 6) == 0 )
{
SPrintf(comment, "ValueName '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 6), record.Key, result);
}
else if(WStrnicmp(record.ValueName, "**DeleteValues", 14) == 0 )
{
SPrintf(comment, "ValueNames '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 14), record.Key, result);
}
else if(WStrnicmp(record.ValueName, "**DelVals", 9) == 0 )
{
SPrintf(comment, "All ValueNames under '%s' will be deleted. CRC=%s", record.Key, result);
}
else if(WStrnicmp(record.ValueName, "**DeleteKeys", 12) == 0 )
{
SPrintf(comment, "Keys '%s' under '%s' will be deleted. CRC=%s", SubStr(record.ValueName, 12), record.Key, result);
}
else if(WStrnicmp(record.ValueName, "**SecureKey=0", 13) == 0 )
{
SPrintf(comment, "The DACL on '%s' will be reset to align with the root's DACL. CRC=%s", record.Key, result);
}
else if(WStrnicmp(record.ValueName, "**SecureKey=1", 13) == 0 )
{
SPrintf(comment, "The DACL on '%s' will be set as follows: Administrators, SYSTEM = Full; Users = Read Only. CRC=%s", record.Key, result);
}
else if(record.Type == REG_DWORD)
{
SPrintf(comment, "%s:%s = (REG_DWORD) %d. CRC=%s", record.Key, record.ValueName, record.Data.Int, result);
}
else if(record.Type == REG_SZ)
{
SPrintf(comment, "%s:%s = (REG_SZ) '%s'. CRC=%s", record.Key, record.ValueName, record.Data.String, result);
}
else if(record.Type == REG_EXPAND_SZ)
{
SPrintf(comment, "%s:%s = (REG_EXPAND_SZ) ... CRC=%s", record.Key, record.ValueName, result);
}
else if(record.Type == REG_BINARY)
{
SPrintf(comment, "%s:%s = (REG_BINARY) ... CRC=%s", record.Key, record.ValueName, result);
}
else if(record.Type == REG_MULTI_SZ)
{
SPrintf(comment, "%s:%s = (REG_MULTI_SZ) ... CRC=%s", record.Key, record.ValueName, result);
}
else
{
SPrintf(comment, "%s:%s (%s)", record.Key, record.ValueName, result);
}
return comment;
}
BigEndian();
DWORD REGFILE_SIGNATURE;
LittleEndian();
DWORD REGISTRY_FILE_VERSION;
if (REGFILE_SIGNATURE !=0x50526567 || REGISTRY_FILE_VERSION != 0x01 )
{
Warning( "File is not Registry Policy File Format Version 1. Template stopped." );
return -1;
}
local int records = 0;
while( !FEof() )
{
REGISTRY_RECORD record;
records++;
}
local int i;
for (i=0; i < records; i++)
{
Printf("%s\\%s\n", record[i].Key, record[i].ValueName);
}

822
cparser/SF2Template.bt Normal file
View File

@ -0,0 +1,822 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: SF2Template.bt
// Author: gocha
// Revision: 1.1
// Purpose: Defines a template for
// parsing SF2 (SoundFont 2.04) files.
// Tested with: Polyphone.
//-----------------------------------
typedef CHAR ID[4];
local int cGrayZone = 0xd9dadc;
local int cOrange = 0xaae3f9;
local int cSytrus = 0xaaf7ff;
local int cGreenGreens = 0xaaecdf;
local int cCureMarine = 0xffe1ce;
local int cCureMarine_Alt = 0xfdf1dd;
local int cPurpleMadness = 0xeec3dd;
local int cPurpleMadness_Alt = 0xffe1fa;
//-----------------------------------
// Define structures used in SF2 files
// SoundFont 2 RIFF File Format Type Definitions
typedef enum <WORD> {
monoSample = 1,
rightSample = 2,
leftSample = 4,
linkedSample = 8,
RomMonoSample = 0x8001,
RomRightSample = 0x8002,
RomLeftSample = 0x8004,
RomLinkedSample = 0x8008,
} SFSampleLink;
typedef enum <WORD> {
startAddrsOffset = 0,
endAddrsOffset = 1,
startloopAddrsOffset = 2,
endloopAddrsOffset = 3,
startAddrsCoarseOffset = 4,
modLfoToPitch = 5,
vibLfoToPitch = 6,
modEnvToPitch = 7,
initialFilterFc = 8,
initialFilterQ = 9,
modLfoToFilterFc = 10,
modEnvToFilterFc = 11,
endAddrsCoarseOffset = 12,
modLfoToVolume = 13,
chorusEffectsSend = 15,
reverbEffectsSend = 16,
pan = 17,
delayModLFO = 21,
freqModLFO = 22,
delayVibLFO = 23,
freqVibLFO = 24,
delayModEnv = 25,
attackModEnv = 26,
holdModEnv = 27,
decayModEnv = 28,
sustainModEnv = 29,
releaseModEnv = 30,
keynumToModEnvHold = 31,
keynumToModEnvDecay = 32,
delayVolEnv = 33,
attackVolEnv = 34,
holdVolEnv = 35,
decayVolEnv = 36,
sustainVolEnv = 37,
releaseVolEnv = 38,
keynumToVolEnvHold = 39,
keynumToVolEnvDecay = 40,
instrument = 41,
keyRange = 43,
velRange = 44,
startloopAddrsCoarseOffset = 45,
keynum = 46,
velocity = 47,
initialAttenuation = 48,
endloopAddrsCoarseOffset = 50,
coarseTune = 51,
fineTune = 52,
sampleID = 53,
sampleModes = 54,
scaleTuning = 56,
exclusiveClass = 57,
overridingRootKey = 58,
endOper = 60,
} SFGenerator;
typedef enum <BYTE> {
noController = 0,
noteOnVelocity = 2,
noteOnKeyNumber = 3,
polyPressure = 10,
channelPressure = 13,
pitchWheel = 14,
pitchWheelSensitivity = 16,
link = 127,
} SFGeneralController;
typedef enum <BYTE> {
generalController = 0,
midiController = 1,
} SFControllerPalette;
typedef enum <BYTE> {
increase = 0,
decrease = 1,
} SFControllerDirection;
typedef enum <BYTE> {
unipolar = 0,
bipolar = 1,
} SFControllerPolarity;
typedef enum <BYTE> {
linearType = 0,
concaveType = 1,
convexType = 2,
switchType = 3,
} SFControllerType;
typedef struct {
union {
SFGeneralController general : 7;
BYTE midi : 7;
} index;
SFControllerPalette palette : 1;
SFControllerDirection direction : 1;
SFControllerPolarity polarity : 1;
SFControllerType type : 6;
} SFModulator;
typedef enum <WORD> {
linear = 0,
absoluteValue = 2,
} SFTransform;
typedef struct
{
BYTE byLo;
BYTE byHi;
} rangesType;
typedef union
{
rangesType ranges;
SHORT shAmount;
WORD wAmount;
} genAmountType;
// SoundFont 2 RIFF File Format Level 3
typedef struct {
WORD wMajor;
WORD wMinor;
} sfVersionTag;
typedef struct {
CHAR achPresetName[20];
WORD wPreset;
WORD wBank;
WORD wPresetBagNdx;
DWORD dwLibrary;
DWORD dwGenre;
DWORD dwMorphology;
} sfPresetHeader;
typedef struct
{
WORD wGenNdx;
WORD wModNdx;
} sfPresetBag;
typedef struct
{
SFModulator sfModSrcOper;
SFGenerator sfModDestOper;
SHORT modAmount;
SFModulator sfModAmtSrcOper;
SFTransform sfModTransOper;
} sfModList;
typedef struct
{
SFGenerator sfGenOper;
genAmountType genAmount;
} sfGenList;
typedef struct
{
CHAR achInstName[20];
WORD wInstBagNdx;
} sfInst;
typedef struct
{
WORD wInstGenNdx;
WORD wInstModNdx;
} sfInstBag;
typedef struct
{
SFModulator sfModSrcOper;
SFGenerator sfModDestOper;
SHORT modAmount;
SFModulator sfModAmtSrcOper;
SFTransform sfModTransOper;
} sfInstModList;
typedef struct
{
SFGenerator sfGenOper;
genAmountType genAmount;
} sfInstGenList;
typedef struct
{
CHAR achSampleName[20];
DWORD dwStart;
DWORD dwEnd;
DWORD dwStartloop;
DWORD dwEndloop;
DWORD dwSampleRate;
BYTE byOriginalKey;
CHAR chCorrection;
WORD wSampleLink;
SFSampleLink sfSampleType;
} sfSample;
// SoundFont 2 RIFF File Format Level 2
typedef struct {
ID chunkID;
DWORD chunkSize;
CHAR text[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} ZSTRCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
if( FileSize() - pos >= sizeof( sfVersionTag ) ) {
sfVersionTag version;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} sfVersionTagCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
SHORT samples[chunkSize / 2];
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} smplCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
BYTE samples[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} sm24Ck;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfPresetHeader ) ) {
sfPresetHeader header;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} phdrCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfPresetBag ) ) {
sfPresetBag bag;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} pbagCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfModList ) ) {
sfModList mod;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} pmodCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfGenList ) ) {
sfGenList gen;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} pgenCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfInst ) ) {
sfInst inst;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} instCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfInstBag ) ) {
sfInstBag bag;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} ibagCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfInstModList ) ) {
sfInstModList mod;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} imodCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfInstGenList ) ) {
sfInstGenList gen;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} igenCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
while( chunkSize - (FTell() - pos) >= sizeof( sfSample ) ) {
sfSample sample;
}
local int unknownDataSize = chunkSize - (FTell() - pos);
if( unknownDataSize > 0 ) {
Printf( "Encountered unknown data in chunk '%s' of size %d at position 0x%LX.\n",
chunkID, unknownDataSize, FTell() );
UCHAR unknownData[unknownDataSize];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} shdrCk;
// SoundFont 2 RIFF File Format Level 2
typedef struct {
ID chunkID;
DWORD chunkSize;
CHAR data[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} UNKNOWNLISTSUBCHUNK;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
local char tag[5];
local DWORD size;
while( FTell() - pos < chunkSize )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
if( FTell() - pos + size > chunkSize ){
Printf( "Chunk '%s' of size %d at position 0x%LX exceeds the parent chunk size boundary.\n", tag, size, FTell() );
return -1;
}
// See which subchunk this is
switch( tag )
{
case "ifil":
SetBackColor( cOrange );
sfVersionTagCk ifil;
break;
case "isng":
SetBackColor( cOrange );
ZSTRCk isng;
break;
case "INAM":
SetBackColor( cOrange );
ZSTRCk INAM;
break;
case "iver":
SetBackColor( cSytrus );
sfVersionTagCk iver;
break;
case "ICRD":
SetBackColor( cSytrus );
ZSTRCk ICRD;
break;
case "IENG":
SetBackColor( cSytrus );
ZSTRCk IENG;
break;
case "IPRD":
SetBackColor( cSytrus );
ZSTRCk IPRD;
break;
case "ICOP":
SetBackColor( cSytrus );
ZSTRCk ICOP;
break;
case "ICMT":
SetBackColor( cSytrus );
ZSTRCk ICMT;
break;
case "ISFT":
SetBackColor( cSytrus );
ZSTRCk ISFT;
break;
default:
// Unknown chunk
Printf( "Encountered unknown chunk '%s' of size %d at position 0x%LX.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNLISTSUBCHUNK chunk;
break;
}
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} INFOCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
local char tag[5];
local DWORD size;
while( FTell() - pos < chunkSize )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
if( FTell() - pos + size > chunkSize ){
Printf( "Chunk '%s' of size %d at position 0x%LX exceeds the parent chunk size boundary.\n", tag, size, FTell() );
return -1;
}
// See which subchunk this is
switch( tag )
{
case "smpl":
SetBackColor( cGreenGreens );
smplCk smpl;
break;
case "sm24":
SetBackColor( cGreenGreens );
sm24Ck sm24;
break;
default:
// Unknown chunk
Printf( "Encountered unknown chunk '%s' of size %d at position 0x%LX.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNLISTSUBCHUNK chunk;
break;
}
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} sdtaCk;
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
local char tag[5];
local DWORD size;
while( FTell() - pos < chunkSize )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
if( FTell() - pos + size > chunkSize ){
Printf( "Chunk '%s' of size %d at position 0x%LX exceeds the parent chunk size boundary.\n", tag, size, FTell() );
return -1;
}
// See which subchunk this is
switch( tag )
{
case "phdr":
SetBackColor( cCureMarine );
phdrCk phdr;
break;
case "pbag":
SetBackColor( cCureMarine_Alt );
pbagCk pbag;
break;
case "pmod":
SetBackColor( cCureMarine );
pmodCk pmod;
break;
case "pgen":
SetBackColor( cCureMarine_Alt );
pgenCk pgen;
break;
case "inst":
SetBackColor( cPurpleMadness );
instCk inst;
break;
case "ibag":
SetBackColor( cPurpleMadness_Alt );
ibagCk ibag;
break;
case "imod":
SetBackColor( cPurpleMadness );
imodCk imod;
break;
case "igen":
SetBackColor( cPurpleMadness_Alt );
igenCk igen;
break;
case "shdr":
SetBackColor( cSytrus );
shdrCk shdr;
break;
default:
// Unknown chunk
Printf( "Encountered unknown chunk '%s' of size %d at position 0x%LX.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNLISTSUBCHUNK subchunk;
break;
}
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} pdtaCk;
// SoundFont 2 RIFF File Format Level 1
typedef struct {
ID chunkID;
DWORD chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
local char tag[5];
local DWORD size;
while( FTell() - pos < chunkSize )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
if( FTell() - pos + size > chunkSize ){
Printf( "Chunk '%s' of size %d at position 0x%LX exceeds the parent chunk size boundary.\n", tag, size, FTell() );
return -1;
}
UNKNOWNLISTSUBCHUNK subchunk;
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} UNKNOWNLISTCHUNK;
typedef struct {
ID chunkID;
DWORD chunkSize;
UCHAR unknownData[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
UCHAR padding;
} UNKNOWNCHUNK;
// SoundFont 2 RIFF File Format Level 0
typedef struct
{
ID groupID;
DWORD size;
ID riffType;
} RIFFHEADER;
//---------------------------------------------
// Define the headers
local quad riff_pos = FTell();
LittleEndian();
SetBackColor( cGrayZone );
RIFFHEADER header;
// Check for valid header
if( header.groupID != "RIFF" || header.riffType != "sfbk" )
{
Warning( "File is not a valid SF2 file. Template stopped." );
return -1;
}
// Read the file as a set of chunks
local char tag[5];
local DWORD size;
local char list_tag[5];
while( FTell() + 8 <= FileSize() && FTell() - riff_pos != header.size + 8 )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// Read the chunk size
size = ReadUInt( FTell() + 4 );
// See which chunk this is
switch( tag )
{
case "LIST":
// Read the chunk tag
ReadBytes( list_tag, FTell() + 8, 4 );
list_tag[4] = 0;
switch( list_tag )
{
case "INFO":
SetBackColor( cGrayZone );
INFOCk INFO;
break;
case "sdta":
SetBackColor( cGrayZone );
sdtaCk sdta;
break;
case "pdta":
SetBackColor( cGrayZone );
pdtaCk pdta;
break;
default:
SetBackColor( cNone );
UNKNOWNLISTCHUNK list;
break;
}
break;
default:
// Unknown chunk
Printf( "Encountered unknown chunk '%s' of size %d at position 0x%LX.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNCHUNK unknown;
break;
}
}
// Verify the whole file size
local quad actual_size = FTell() - riff_pos;
if( actual_size != 8 + header.size )
{
Printf( "RIFF file size mismatch (header value %Ld, actual size %Ld).\n", header.size, actual_size - 8 );
return -1;
}

87
cparser/SHPTemplate.bt Normal file
View File

@ -0,0 +1,87 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File:
// Author:
// Revision:
// Purpose:
//--------------------------------------
typedef struct point_s {double X; double Y;} POINT;
string GetByteSize(int wordSize)
{
string s;
SPrintf(s, "%d", 2*wordSize);
return s;
}
struct ESRI_SHAPE {
SetBackColor(cLtGreen);
struct HEADER {
BigEndian();
int fileCode;
int unused[5];
int fileLength <read=GetByteSize>;
LittleEndian();
int version;
enum ShapeEnum {
NullShape,
Point,
PolyLine=3,
Polygon=5,
MultiPoint=5,
PointZ=11,
PolyLineZ=13,
PolygonZ=15} shapeType;
double Xmin;
double Ymin;
double Xmax;
double Ymax;
double Zmin;
double Zmax;
double Mmin;
double Mmax;
} header;
SetBackColor(cLtGray);
struct RECORD {
BigEndian();
int recordNumber;
int contentLength <read=GetByteSize>;
LittleEndian();
enum ShapeTypeEnum {
NullShapeType,
PointType,
PolyLineType=3,
PolygonType=5,
MultiPointType=8,
PointZType=11,
PolyLineZType=13,
PolygonZType=15,
MultiPointZType=18,
PointMType=21,
PolyLineMType=23,
PolygonMType=25,
MultiPointMType=28,
MultiPatchType=31} shapeType;
if (shapeType == 1)
{
POINT location;
}
else if (shapeType == 3)
{
double box[4];
int numParts;
int numPoints;
int parts[numParts];
POINT points[numPoints];
}
else if (shapeType == 5)
{
double box[4];
int numParts;
int numPoints;
int parts[numParts];
POINT points[numPoints];
}
} record [10000] <optimize=false>;
} esri_shape;

52
cparser/SHXTemplate.bt Normal file
View File

@ -0,0 +1,52 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File:
// Author:
// Revision:
// Purpose:
//--------------------------------------
typedef struct point_s {double X; double Y;} POINT;
string GetByteSize(int wordSize)
{
string s;
SPrintf(s, "%d", 2*wordSize);
return s;
}
struct ESRI_INDEX {
SetBackColor(cLtGreen);
struct HEADER {
BigEndian();
int fileCode;
int unused[5];
int fileLength <read=GetByteSize>;
LittleEndian();
int version;
enum ShapeEnum {
NullShape,
Point,
PolyLine=3,
Polygon=5,
MultiPoint=5,
PointZ=11,
PolyLineZ=13,
PolygonZ=15} shapeType;
double Xmin;
double Ymin;
double Xmax;
double Ymax;
double Zmin;
double Zmax;
double Mmin;
double Mmax;
} header;
SetBackColor(cLtGray);
struct INDEX_RECORD {
BigEndian();
int offset <read=GetByteSize>;
int contentLength <read=GetByteSize>;
} record [(FileSize() - 100)/8];
} esri_index;

70
cparser/SRecTemplate.bt Normal file
View File

@ -0,0 +1,70 @@
//--------------------------------------
//--- 010 Editor v5.0 Binary Template
//
// File: SRecTemplate.bt
// Author: Mario Ghecea
// Revision: 1A
// Purpose: Parses Motorola S-REC
//--------------------------------------
typedef char RECORDTYPE [2];
typedef char COUNT [2];
typedef char ADDRESS16 [4];
typedef char ADDRESS24 [6];
typedef char ADDRESS32 [8];
typedef char CHECKSUM [2];
local char hexval [10];
local uint addrwidth;
local uint rec = 1;
typedef struct
{
RECORDTYPE recordType;
COUNT count;
switch(recordType)
{
case "S0": // header
case "S1": // 16-bit address record
case "S5": // total record count
case "S9": // termination 16-bit
ADDRESS16 address16;
addrwidth = 4;
break;
case "S2": // 24-bit address record
case "S8": // termination 24-bit
ADDRESS24 address24;
addrwidth = 6;
break;
case "S3": // 32-bit address record
case "S7": // termination 32-bit
ADDRESS32 adress32;
addrwidth = 8;
break;
//case "S4":
//case "S6":
default:
break;
}
local int i;
local int intval = 0;
local uint pow = 0;
local uint hexlen = 2;
local uint digit = 0;
for (i = 0; i < hexlen; i ++)
{
digit = (count[i] - '0' > 9) ? count[i] - '7' : count[i] - '0';
intval += ((uint32) digit * (1 << 4 * ((hexlen - 1) - i)));
}
local uint bytesPerLine = (uint32) ((intval - 1) * 2) - addrwidth;
if (bytesPerLine != 0)
char data [(bytesPerLine)];
//Printf("rec# %d bpl: %d %X count : %s\n\r", rec++, bytesPerLine, intval, count);
char checksum [2];
char crlf[2];
}SREC;
while( !FEof() )
{
SREC srec;
}

66
cparser/SSPTemplate.bt Normal file
View File

@ -0,0 +1,66 @@
//---------------------------------------------------------------
//--- 010 Editor v3.2 Binary Template
//
// File: SSPTemplate.bt
// Author: ThangCuAnh (TQN) - HVA
// Revision: 0.1, prototypes
// Date: 2010/10/09
// Purpose: Define a template for parsing SmartSniff Packet file
// References: http://www.nirsoft.net/utils/smsniff.html
//---------------------------------------------------------------
typedef BYTE IP_ADDRESS[4] <read = IP2Str>;
typedef BYTE MAC_ADDRESS[6] <read = MAC2Str>;
string IP2Str(IP_ADDRESS ip)
{
string strReturn;
SPrintf(strReturn, "IP: %02d.%02d.%02d.%02d", ip[0], ip[1], ip[2], ip[3]);
return strReturn;
}
typedef struct {
char signature[8]; // SMSNF200
WORD numberOfBytesInHeader;
IP_ADDRESS IP;
if ((Strcmp(signature, "SMSNF200") != 0) || (numberOfBytesInHeader != 4))
{
Warning("Not a valid SmartSniff Packet file");
return -1;
}
} SSP_HEADER;
typedef struct {
WORD packetHeaderSize;
if (packetHeaderSize != 0x18)
{
Waring("Invalid packetHeaderSize");
return -1;
}
DWORD numberOfReceivedBytes;
FILETIME fileTime;
MAC_ADDRESS sourceMAC;
MAC_ADDRESS destMAC;
BYTE packet[numberOfReceivedBytes] <fgcolor = cRed, bgcolor= cYellow>;
} SSP_PACKET;
string MAC2Str(MAC_ADDRESS mac)
{
string strReturn;
SPrintf(strReturn, "%02X-%02X-%02X-%02X-%02X-%02X", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
return strReturn;
}
// Define the headers
LittleEndian();
SSP_HEADER header;
while (!FEof())
{
SSP_PACKET record;
}
return 1;

57
cparser/STLTemplate.bt Normal file
View File

@ -0,0 +1,57 @@
//--------------------------------------
//--- 010 Editor v3.0.5 Binary Template
//
// File: STLTemplate.bt
// Author: ZiZi
// E-mail: zefars@rambler.ru
// Revision: 1.2
// Purpose: Defines a template for
// parsing STL 3D-data files.
//-----------------------------------
typedef struct {
CHAR Caption[80];
DWORD trCount;
} STLFILEHEADER <read=STLFILEHEADERRead>;
string STLFILEHEADERRead(STLFILEHEADER &x)
{
return x.Caption;
};
typedef struct {
FLOAT x;
FLOAT y;
FLOAT z;
} tVector3f <read=tVector3fRead>;
string tVector3fRead( tVector3f &v ) {
string s;
SPrintf( s, "(%6.2f %6.2f %6.2f)", v.x, v.y, v.z );
return s;
};
typedef struct {
tVector3f Normal;
tVector3f Point0;
tVector3f Point1;
tVector3f Point2;
WORD Flags <format=hex>;
} STLTRIANGLE;
//---------------------------------------------
LittleEndian();
SetBackColor( cLtAqua );
local CHAR text_sign[5];
ReadBytes( text_sign, FTell(), 5);
if (text_sign=="solid")
{
Warning("Is ASCII STL");
return;
}
STLFILEHEADER stlh;
SetBackColor( cNone );
local int64 n=(FileSize()-84)/50;
if (stlh.trCount!=n) Warning("File corrupted: stlh.trCount must be equal %Ld", n);
STLTRIANGLE Data[n];

2205
cparser/SWFTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

33
cparser/SinclairMicrodriveImage.bt Normal file
View File

@ -0,0 +1,33 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: SinclairMicrodriveImage.bt
// Author:
// Revision: 1.0
// Purpose: Defines a template for parsing
// images of emulated Sinclair Microdrive
// cartridges.
//-----------------------------------
struct {
ubyte HDFLAG[1]; // Value 1, to indicate header block *See note.
// char HDNUMB[1]; // sector number (values 254 down to 1)
ubyte HDNUMB[1];
ubyte UNUSED[2]; // not used (and of undetermined value)
ubyte HDNAME[10]; // microdrive cartridge name (blank padded)
ubyte HDCHK[1]; //header checksum (of first 14 bytes)
ubyte RECFLG[1]; // - bit 0: always 0 to indicate record block
// - bit 1: set for the EOF block
// - bit 2: reset for a PRINT file
// - bits 3-7: not used (value 0)
ubyte RECNUM[1]; // data block sequence number (value starts at 0)
ubyte RECLEN[2]; // data block length (<=512, LSB first)
ubyte RECNAM[10]; // filename (blank padded)
ubyte DESCHK[1]; // record descriptor checksum (of previous 14 bytes)
ubyte CHDATA[512]; // data block
ubyte DCHK[1]; // data block checksum (of all 512 bytes of data
// block, even when not all bytes are used)
} MicrodriveSector[254] ;
ubyte WriteProtectionFlag[1];

159
cparser/TGATemplate.bt Normal file
View File

@ -0,0 +1,159 @@
//--------------------------------------
//--- 010 Editor v2.0.2 Binary Template
//
// File: TGATemplate.bt
// Author: Chiuta Adrian Marius
// E-mail: camsoftwarero@yahoo.com
// Revision: 1.0
// Purpose: Shows the fields of a TGA image.
//--------------------------------------
//Definim structurile folosite de TGA
typedef struct{
WORD FirstIndexEntry;
WORD ColorMapLength;
UBYTE ColorMapEntrySize;
}COLORMAPSPECIFICATION;
typedef struct{
WORD XOrigin;
WORD YOrigin;
WORD Width;
WORD Height;
UBYTE PixelDepth;
UBYTE ImageDescriptor;
}IMAGESPECIFICATION <read=ReadImageSpecification>;
typedef struct{
UBYTE IDLength;
UBYTE ColorMapType;
UBYTE ImageType;
COLORMAPSPECIFICATION CMSpecification;
IMAGESPECIFICATION ISpecification;
}TGAFILEHEADER <read=ReadTGAHeader>;
typedef struct{
DWORD B:5;
DWORD G:5;
DWORD R:5;
}RGB555 <read=ReadRGB555>;
typedef struct{
DWORD B:5;
DWORD G:5;
DWORD R:5;
DWORD X:1;
}XRGB1555 <read=ReadXRGB1555>;
typedef struct{
UBYTE B;
UBYTE G;
UBYTE R;
}RGB888 <read=ReadRGB888>;
typedef struct{
UBYTE B;
UBYTE G;
UBYTE R;
UBYTE A;
}ARGB8888 <read=ReadARGB8888>;
string ReadTGAHeader(TGAFILEHEADER &a)
{
switch( a.ImageType )
{
case 0:
return "No Image Data Included";
case 1:
return "Uncompressed, Color-mapped Image";
case 2:
return "Uncompressed, True-color Image";
case 3:
return "Uncompressed, Black-and-white Image";
case 9:
return "Run-length encoded, Color-mapped Image";
case 10:
return "Run-length encoded, True-color Image";
case 11:
return "Run-length encoded, Black-and-white Image";
}
}
string ReadImageSpecification(IMAGESPECIFICATION &a)
{
string s;
SPrintf( s, "Res: %dx%d^%d", a.Width, a.Height, a.PixelDepth );
return s;
}
string ReadRGB555( RGB555 &a )
{
string s;
SPrintf( s, "B=%03d G=%03d R=%03d", a.B, a.G, a.R );
return s;
}
string ReadXRGB1555( XRGB1555 &a )
{
string s;
SPrintf( s, "X=%1d B=%03d G=%03d R=%03d",a.X, a.B, a.G, a.R );
return s;
}
string ReadRGB888( RGB888 &a )
{
string s;
SPrintf( s, "B=%03d G=%03d R=%03d", a.B, a.G, a.R );
return s;
}
string ReadARGB8888( ARGB8888 &a )
{
string s;
SPrintf( s, "A=%03d B=%03d G=%03d R=%03d",a.A, a.B, a.G, a.R );
return s;
}
LittleEndian();
SetBackColor( cLtGray );
//Definim headerului fisierului TGA
TGAFILEHEADER TGAfh;
if( TGAfh.IDLength!=0 )//Definim ID-ul imaginii TGA
UBYTE ImageID[ TGAfh.IDLength ];
SetBackColor( cSilver );
//Definim culorile indexate asociate TGA-ului
if( TGAfh.ColorMapType!=0 )
switch( TGAfh.CMSpecification.ColorMapEntrySize)
{
case 15:
RGB555 ColorMap[ TGAfh.CMSpecification.ColorMapLength ];
break;
case 16:
XRGB1555 ColorMap[ TGAfh.CMSpecification.ColorMapLength ];
break;
case 24:
RGB888 ColorMap[ TGAfh.CMSpecification.ColorMapLength ];
break;
case 32:
ARGB8888 ColorMap[ TGAfh.CMSpecification.ColorMapLength ];
break;
}
SetBackColor( cLtAqua );
struct TGALine {
switch( TGAfh.ISpecification.PixelDepth )
{
case 8:
UBYTE ColorIndex[TGAfh.ISpecification.Height];
break;
case 16:
XRGB1555 Pixel[TGAfh.ISpecification.Height];
break;
case 24:
RGB888 Pixel[TGAfh.ISpecification.Height];
break;
case 32:
ARGB8888 Pixel[TGAfh.ISpecification.Height];
break;
}
}TGALines [ TGAfh.ISpecification.Width ] <optimize=true>;

1113
cparser/TIFTemplate.bt Normal file
View File

File diff suppressed because it is too large Load Diff

126
cparser/TOCTemplate.bt Normal file
View File

@ -0,0 +1,126 @@
//--------------------------------------
//--- 010 Editor v2.1.4 Binary Template
//
// File: TOCTemplate.bt
// Author: L. Potjewijd
// Revision: 1.22
// Purpose: Eudora 7.1.0.9 mailbox .TOC files
//--------------------------------------
enum <WORD> type {In,Out,Junk,Trash,User,IMAP=8};
enum <WORD> class {user,system};
enum <WORD> stat {unread,read,replied,forwarded,redirected,rebuilt,sendable,queued,sent,unsent,timed,sending,recovered};
typedef struct
{ char EudoraVersion[8]; // might contain something else, too
char MailboxName[32]; // this name is used in the window title
type MailboxType;
short Unknown0;
class MailboxClass;
struct
{ short TopLeftX; // default = 80
short TopLeftY; // default = 80
short BottomRightX; // default = 565
short BottomRightY; // default = 415
} WindowPosition;
// -1 = default size and location.
// For non-maximized and non-minimized windows only,
// relative to the main window upper left corner.
// All values are clipped to main window boundaries
// on next opening, minimum window size is 112*27 (X*Y)
// and takes precedence over clipping.
struct
{ short StatusColumnWidth; // default = 2
short JunkScoreColumnWidth; // default = 4
short PriorityColumnWidth; // default = 2
short AttachmentColumnWidth; // default = 2
short LabelColumnWidth; // default = 8
short WhoColumnWidth; // default = 16
short DateColumnWidth; // default = 16
short SizeColumnWidth; // default = 2
} ColumnWidths;
// Measurement unit is unknown (not pixels); pica's?
// Window size takes precedence over column width.
// The server and mood status columns are always
// displayed with a width of 2 when the window is
// opened, the subject column gets whatever is left.
// -1 means default width.
short Unknown1;
long HighestMsgSeqNumber;
short Unknown2[4];
short PreviewPaneDivider;
short Unknown3[5];
long NewMessageOffsetMBXfile; // = FileSize ( .mbx file ) + 1
short Unknown4;
short MessagesInMailbox; // number of active messages in mailbox
} TOChdr; // 104 bytes in total
typedef struct
{ long OffsetMBXfile <format=hex>;
long Length;
time_t GMTtimestamp;
stat Status;
SetForeColor(cGreen);
ubyte Flags1 :8 <format=binary>;
// LSB SignatureUsed was: alternate signature
// . obsolete was: signature used
// . WordwrapON
// . TabsInBody
// . KeepCopyOfSentMessage
// . InlineTextAttachment
// . ReturnReceiptTo
// MSB QuotedPrintable
ubyte Flags2 :8 <format=binary>;
// LSB MIMEencoded
// . UUencoded neither means BINHEX encoded
// . obsolete was: ShowAllHeaders
// .
// .
// . Text/HTML/Enriched
// . ReceiptRequestPending
// MSB Attachments
SetForeColor(cNone);
short Priority;
char LocalDateTime[32];
char Who[64];
char Subject[64];
struct
{ short TopLeftX;
short TopLeftY;
short BottomRightX;
short BottomRightY;
} WindowPosition;
short Label;
long OffsetLMOSfile <format=hex>;
long MsgSeqNumber;
SetForeColor(cPurple);
ubyte Flags3 :8 <format=binary>;
// LSB
// .
// .
// .
// .
// .
// .
// MSB looks like 'Return Receipt To:' header flag
ubyte Flags4 :8 <format=binary>;
// LSB
// .
// .
// .
// .
// .
// .
// MSB
SetForeColor(cNone);
short Unknown[10];
} TOCmsg; // 218 bytes in total
//====================================================================
LittleEndian();
TOChdr hdr;
while( !FEof() )
{ TOCmsg msg;
}

991
cparser/TTFTemplate.bt Normal file
View File

@ -0,0 +1,991 @@
//--- 010 Editor v2.0 Binary Template
//
// File: TTFTemplate.bt
// Author: James Newton of massmind.org
// Revisions:
// .1 reads the offsetTable
// .2 reads some tables
// .3 actually reads simple glyphs
// .31 reads simple glyphs with the points in order
// .32 reads simple glyphs with the points in CORRECT order
// .4 added prep and DSIG tables
// - fixed serious bug with offset and length from wrong
// table being used in table structures.
// .5 added GSUB and GPOS tables.
// Purpose: Easy examination and editing
// of TTF binary data
//--------------------------------------
BigEndian();
typedef signed long TT_Fixed; /* Signed Fixed 16.16 Float */
typedef signed short TT_FWord; /* Distance in FUnits */
typedef unsigned short TT_UFWord; /* Unsigned distance */
typedef signed short TT_Short;
typedef unsigned short TT_UShort;
typedef signed long TT_Long;
typedef unsigned long TT_ULong;
typedef unsigned long TT_Offset;
typedef OLETIME LONGDATETIME;
typedef signed short F2Dot14;
typedef struct tOffsetTable {
TT_Fixed SFNT_Ver; //sfnt version 0x00010000 for version 1.0.
USHORT numTables; //Number of tables.
USHORT searchRange; //(Maximum power of 2 <= numTables) x 16.
USHORT entrySelector; // Log2(maximum power of 2 <= numTables).
USHORT rangeShift; // NumTables x 16-searchRange.
};
typedef struct tTable {
union {
char asChar[4]; // 4 -byte identifier.
ULONG asLong;
} Tag;
ULONG checkSum; // CheckSum for this table.
ULONG offset; // Offset from beginning of TrueType font file.
ULONG length; // Length of this table.
};
string tTableRead( tTable &d ) {
char s[20];
SPrintf( s, " (%u) at %u for %u", d.Tag.asLong, d.offset, d.length);
s = d.Tag.asChar + s;
// s = "if (findTable(\"" + d.Tag.asChar + "\")) {struct t" + d.Tag.asChar + " " + d.Tag.asChar + " <read=t"+ d.Tag.asChar + "Read>";
return s;
}
local quad cmap_table;
local quad cmap_record;
local quad cmap_subtable;
local quad next_cmap_record;
typedef struct tcmap_format0 {
cmap_subtable = FTell();
USHORT format; // Format number is set to 0.
USHORT length; // This is the length in bytes of the subtable.
USHORT language; // Please see "Note on the language field in 'cmap' subtables" in this document.
BYTE glyphIdArray[256]; // An array that maps character codes to glyph index values.
};
typedef struct tcmap_format4 {
cmap_subtable = FTell();
USHORT format; // Format number is set to 4.
USHORT length; // This is the length in bytes of the subtable.
USHORT language; // Please see "Note on the language field in 'cmap' subtables" in this document.
USHORT segCountX2; // 2 x segCount.
USHORT searchRange; // 2 x (2**floor(log2(segCount)))
USHORT entrySelector; // log2(searchRange/2)
USHORT rangeShift; // 2 x segCount - searchRange
USHORT endCount[segCountX2 / 2]; // End characterCode for each segment, last=0xFFFF.
USHORT reservedPad; // Set to 0.
USHORT startCount[segCountX2 / 2]; // Start character code for each segment.
SHORT idDelta[segCountX2 / 2]; // Delta for all character codes in segment.
USHORT idRangeOffset[segCountX2 / 2]; // Offsets into glyphIdArray or 0
USHORT glyphIdArray[(length-(FTell()-cmap_subtable))/2 ]; // Glyph index array (arbitrary length)
//Thank you ever so much for giving us a simple count of the array entires... Jerks.
};
typedef struct tcmap_format6 {
cmap_subtable = FTell();
USHORT format; // Format number is set to 6.
USHORT length; // This is the length in bytes of the subtable.
USHORT language; // Please see "Note on the language field in 'cmap' subtables" in this document.
USHORT firstCode; // First character code of subrange.
USHORT entryCount; // Number of character codes in subrange.
USHORT glyphIdArray [entryCount]; // Array of glyph index values for character codes in the range.
};
typedef struct tcmap_format8 {
cmap_subtable = FTell();
USHORT format; // Subtable format; set to 8.
USHORT reserved; // Reserved; set to 0
ULONG length; // Byte length of this subtable (including the header)
ULONG language; // Please see "Note on the language field in 'cmap' subtables" in this document.
BYTE is32[8192]; // Tightly packed array of bits (8K bytes total) indicating whether the particular 16-bit (index) value is the start of a 32-bit character code
ULONG nGroups; // Number of groupings which follow
struct {
ULONG startCharCode; // First character code in this group; note that if this group is for one or more 16-bit character codes (which is determined from the is32 array), this 32-bit value will have the high 16-bits set to zero
ULONG endCharCode; // Last character code in this group; same condition as listed above for the startCharCode
ULONG startGlyphID; // Glyph index corresponding to the starting character code
} groupings[nGroups];
};
typedef struct tcmap_format12 {
USHORT format; // Subtable format; set to 12.
USHORT reserved; // Reserved; set to 0
ULONG length; // Byte length of this subtable (including the header)
ULONG language; // Please see "Note on the language field in 'cmap' subtables" in this document.
ULONG nGroups; // Number of groupings which follow
struct {
ULONG startCharCode; // First character code in this group
ULONG endCharCode; // Last character code in this group
ULONG startGlyphID; // Glyph index corresponding to the starting character code
} groupings[nGroups];
};
typedef struct tcmap {
cmap_table = FTell();
USHORT version; // Table version number (0).
USHORT numTables; // Number of encoding tables that follow.
struct tEncodingRecord {
cmap_record = FTell();
USHORT platformID; // Platform ID.
USHORT encodingID; // Platform-specific encoding ID.
ULONG offset; // Byte offset from beginning of table to the subtable for this encoding.
next_cmap_record = FTell();
FSeek(cmap_table+offset);
switch (ReadUShort(FTell())) {
case 0 : struct tcmap_format0 format0; break;
// case 2 : struct tcmap_format2 format2; break; //TODO
case 4 : struct tcmap_format4 format4; break;
case 6 : struct tcmap_format6 format6; break;
case 8 : struct tcmap_format8 format8; break;
// case 10 : struct tcmap_format10 format10; break; //TODO
case 12 : struct tcmap_format12 format12; break;
default : ;
}
FSeek(next_cmap_record);
} EncodingRecord[numTables] <optimize=false>;
};
typedef struct thdmx {
USHORT version; // Table version number (0)
SHORT numRecords; // Number of device records.
LONG sizeDeviceRecord; // Size of a device record, long aligned.
struct {
local quad hdmx_DeviceRecord = FTell();
UBYTE pixelSize; // Pixel size for following widths (as ppem).
UBYTE maxWidth; // Maximum width.
local quad numGlyphs = (sizeDeviceRecord - (FTell() - hdmx_DeviceRecord) ) / 1;
UBYTE widths[numGlyphs]; // Array of widths (numGlyphs is from the 'maxp' table).
} DeviceRecord[numRecords] <optimize=false>;
};
string thdmxRead( thdmx &d ) {
string s;
SPrintf( s, "V%i %u records %u bytes", d.version, d.numRecords, d.sizeDeviceRecord);
return s;
// return d.name; //use this instead to get the Unicode, etc... characters.
}
typedef struct thead {
TT_Fixed version; //Table version number 0x00010000 for version 1.0.
TT_Fixed fontRevision; // Set by font manufacturer.
ULONG checkSumAdjustment; // To compute: set it to 0, sum the entire font as ULONG, then store 0xB1B0AFBA - sum.
ULONG magicNumber; // Set to 0x5F0F3CF5.
USHORT flags; // lots of flags...
/*
Bit 0: Baseline for font at y=0;
Bit 1: Left sidebearing point at x=0;
Bit 2: Instructions may depend on point size;
Bit 3: Force ppem to integer values for all internal scaler math; may use fractional ppem sizes if this bit is clear;
Bit 4: Instructions may alter advance width (the advance widths might not scale linearly);
Bits 5-10: These should be set according to Apple's specification . However, they are not implemented in OpenType.
Bit 11: Font data is 'lossless,' as a result of having been compressed and decompressed with the Agfa MicroType Express engine.
Bit 12: Font converted (produce compatible metrics)
Bit 13: Font optimised for ClearType
Bit 14: Reserved, set to 0
Bit 15: Reserved, set to 0
*/
USHORT unitsPerEm; // Valid range is from 16 to 16384. This value should be a power of 2 for fonts that have TrueType outlines.
LONGDATETIME created; // Number of seconds since 12:00 midnight, January 1, 1904. 64-bit integer
LONGDATETIME modified; // Number of seconds since 12:00 midnight, January 1, 1904. 64-bit integer
SHORT xMin; // For all glyph bounding boxes.
SHORT yMin; // For all glyph bounding boxes.
SHORT xMax; // For all glyph bounding boxes.
SHORT yMax; // For all glyph bounding boxes.
USHORT macStyle; //
/*
Bit 0: Bold (if set to 1);
Bit 1: Italic (if set to 1)
Bit 2: Underline (if set to 1)
Bit 3: Outline (if set to 1)
Bit 4: Shadow (if set to 1)
Bit 5: Condensed (if set to 1)
Bit 6: Extended (if set to 1)
Bits 7-15: Reserved (set to 0).
*/
USHORT lowestRecPPEM; //Smallest readable size in pixels.
SHORT fontDirectionHint; //
/*
0: Fully mixed directional glyphs;
1: Only strongly left to right;
2: Like 1 but also contains neutrals;
-1: Only strongly right to left;
-2: Like -1 but also contains neutrals. 1
*/
SHORT indexToLocFormat; // 0 for short offsets, 1 for long.
SHORT glyphDataFormat; // 0 for current format.
};
typedef struct thhea {
TT_Fixed version; // Table version number 0x00010000 for version 1.0.
TT_FWord Ascender; // Typographic ascent. (Distance from baseline of highest ascender)
TT_FWord Descender; // Typographic descent. (Distance from baseline of lowest descender)
TT_FWord LineGap; // Typographic line gap.
//Negative LineGap values are treated as zero
//in Windows 3.1, System 6, and
//System 7.
TT_UFWord advanceWidthMax; // Maximum advance width value in 'hmtx' table.
TT_FWord minLeftSideBearing; // Minimum left sidebearing value in 'hmtx' table.
TT_FWord minRightSideBearing; // Minimum right sidebearing value; calculated as Min(aw - lsb - (xMax - xMin)).
TT_FWord xMaxExtent; // Max(lsb + (xMax - xMin)).
SHORT caretSlopeRise; // Used to calculate the slope of the cursor (rise/run); 1 for vertical.
SHORT caretSlopeRun; // 0 for vertical.
SHORT caretOffset; // The amount by which a slanted highlight on a glyph needs to be shifted to produce the best appearance. Set to 0 for non-slanted fonts
SHORT reserved; // set to 0
SHORT reserved; // set to 0
SHORT reserved; // set to 0
SHORT reserved; // set to 0
SHORT metricDataFormat; // 0 for current format.
USHORT numberOfHMetrics; // Number of hMetric entries in 'hmtx' table
};
string thheaRead( thhea &d ) {
string s;
SPrintf( s, "v%.2f %u hmtx records", d.version/65535.0, d.numberOfHMetrics);
return s;
// return d.name; //use this instead to get the Unicode, etc... characters.
}
typedef struct tlongHorMetric {
USHORT advanceWidth;
SHORT lsb;
};
typedef struct thmtx {
// Oh... My... GOD! Who came up with this one? It would kill someone to put numberOfHMetrics in hmtx?
// What if the hhea tag is after hhea must be unpacked first.
local ulong numberOfHMetrics = hhea.numberOfHMetrics;
struct tlongHorMetric hMetrics[numberOfHMetrics];
// Paired advance width and left side bearing values for each glyph. The value numOfHMetrics comes from the 'hhea' table.
// If the font is monospaced, only one entry need be in the array, but that entry is required. The last entry applies to all subsequent glyphs.
local ulong numLeftSideBearing = ( Table[currentTable].length - (FTell()-Table[currentTable].offset) )/2;
SHORT leftSideBearing[ numLeftSideBearing ];
// Here the advanceWidth is assumed to be the same as the advanceWidth for the last entry above.
// The number of entries in this array is derived from numGlyphs (from 'maxp' table) minus numberOfHMetrics.
// This generally is used with a run of monospaced glyphs (e.g., Kanji fonts or Courier fonts).
// Only one run is allowed and it must be at the end. This allows a monospaced font to vary the left side bearing values for each glyph.
};
string thmtxRead( thmtx &d ) {
string s;
SPrintf( s, "%u HMetrics %u leftSideBearing", d.numberOfHMetrics, d.numLeftSideBearing);
return s;
}
typedef struct tmaxp {
TT_Fixed version; //Table version number 0x00005000 for version 0.5
//(Note the difference in the representation of a non-zero fractional part, in Fixed numbers.)
if (version == 0x00005000) {
USHORT numGlyphs; // The number of glyphs in the font.
}
else {
// TT_Fixed version; // Table version number 0x00010000 for version 1.0.
USHORT numGlyphs; // The number of glyphs in the font.
USHORT maxPoints; // Maximum points in a non-composite glyph.
USHORT maxContours; // Maximum contours in a non-composite glyph.
USHORT maxCompositePoints; // Maximum points in a composite glyph.
USHORT maxCompositeContours; // Maximum contours in a composite glyph.
USHORT maxZones; // 1 if instructions do not use the twilight zone (Z0), or 2 if instructions do use Z0; should be set to 2 in most cases.
USHORT maxTwilightPoints; // Maximum points used in Z0.
USHORT maxStorage; // Number of Storage Area locations.
USHORT maxFunctionDefs; // Number of FDEFs.
USHORT maxInstructionDefs; // Number of IDEFs.
USHORT maxStackElements; // Maximum stack depth2.
USHORT maxSizeOfInstructions; // Maximum byte count for glyph instructions.
USHORT maxComponentElements; // Maximum number of components referenced at "top level" for any composite glyph.
USHORT maxComponentDepth; // Maximum levels of recursion; 1 for simple components.
}
};
string tmaxpRead( tmaxp &d ) {
string s;
if (d.version == 0x00005000) {
SPrintf( s, "v%.2f %u glyphs", d.version/65535.0, d.numGlyphs);
}
else {
SPrintf( s, "v%.2f %u glyphs %u points %u contours", d.version/65535.0, d.numGlyphs,d.maxPoints,d.maxContours);
}
return s;
}
typedef struct tname {
// http://www.microsoft.com/typography/OTSPEC/name.htm
local quad name_table = FTell();
USHORT format; // Format selector (=0).
USHORT count; // Number of name records.
USHORT stringOffset; // Offset to start of string storage (from start of table).
local quad NextNameRecord;
struct tNameRecord {
USHORT platformID; // Platform ID.
USHORT encodingID; // Platform-specific encoding ID.
USHORT languageID; // Language ID.
USHORT nameID; // Name ID.
USHORT length; // String length (in bytes).
USHORT offset; // String offset from start of storage area (in bytes).
NextNameRecord = FTell();
FSeek(name_table + stringOffset + offset);
char name[length];
FSeek(NextNameRecord);
} NameRecord[count] <read=NameRecordRead, optimize = false>;
};
string NameRecordRead( tNameRecord &d ) {
string s;
SPrintf( s, "p%i E%i L%i %s", d.platformID, d.encodingID, d.languageID, d.name );
return s;
// return d.name; //use this instead to get the Unicode, etc... characters.
}
string tnameRead( tname &name ) {
string s;
SPrintf( s, "%li Names", name.count );
return s;
}
typedef struct tOS_2 {
// http://www.microsoft.com/typography/OTSPEC/os2.htm
USHORT version; // 0x0003
SHORT xAvgCharWidth; //
USHORT usWeightClass; //
USHORT usWidthClass ; //
USHORT fsType; //
SHORT ySubscriptXSize; //
SHORT ySubscriptYSize; //
SHORT ySubscriptXOffset; //
SHORT ySubscriptYOffset; //
SHORT ySuperscriptXSize; //
SHORT ySuperscriptYSize; //
SHORT ySuperscriptXOffset; //
SHORT ySuperscriptYOffset; //
SHORT yStrikeoutSize; //
SHORT yStrikeoutPosition; //
SHORT sFamilyClass; //
struct tpanose {
UBYTE bFamilyType;
UBYTE bSerifStyle;
UBYTE bWeight;
UBYTE bProportion;
UBYTE bContrast;
UBYTE bStrokeVariation;
UBYTE bArmStyle;
UBYTE bLetterform;
UBYTE bMidline;
UBYTE bXHeight;
} panose;
ULONG ulUnicodeRange1; // Bits 0-31
ULONG ulUnicodeRange2; // Bits 32-63
ULONG ulUnicodeRange3; // Bits 64-95
ULONG ulUnicodeRange4; // Bits 96-127
CHAR achVendID[4]; //
USHORT fsSelection; //
USHORT usFirstCharIndex; //
USHORT usLastCharIndex; //
SHORT sTypoAscender; //
SHORT sTypoDescender; //
SHORT sTypoLineGap; //
USHORT usWinAscent; //
USHORT usWinDescent; //
ULONG ulCodePageRange1; // Bits 0-31
ULONG ulCodePageRange2; // Bits 32-63
SHORT sxHeight; //
SHORT sCapHeight; //
USHORT usDefaultChar; //
USHORT usBreakChar; //
USHORT usMaxContext; //
};
string tOS_2Read( tOS_2 &d ) {
string s;
SPrintf( s, "v%i chars %i to %i from %4s", d.version, d.usFirstCharIndex, d.usLastCharIndex, d.achVendID);
return s;
}
typedef struct tpost {
local quad post = FTell();
TT_Fixed version;
//0x00010000 for version 1.0
//0x00020000 for version 2.0
//0x00025000 for version 2.5 (deprecated)
//0x00030000 for version 3.0
TT_Fixed italicAngle; // Italic angle in counter-clockwise degrees from the vertical. Zero for upright text, negative for text that leans to the right (forward).
TT_FWord underlinePosition; // This is the suggested distance of the top of the underline from the baseline (negative values indicate below baseline).
// The PostScript definition; // of this FontInfo dictionary key (the y coordinate of the center of the stroke) is not used for historical reasons. The value of the PostScript key may be calculated by subtracting half the underlineThickness from the value of this field.
TT_FWord underlineThickness; // Suggested values for the underline thickness.
ULONG isFixedPitch; // Set to 0 if the font is proportionally spaced, non-zero if the font is not proportionally spaced (i.e. monospaced).
ULONG minMemType42; // Minimum memory usage when an OpenType font is downloaded.
ULONG maxMemType42; // Maximum memory usage when an OpenType font is downloaded.
ULONG minMemType1; // Minimum memory usage when an OpenType font is downloaded as a Type 1 font.
ULONG maxMemType1; // Maximum memory usage when an OpenType font is downloaded as a Type 1 font.
if (version == 0x00010000) {
}
if (version == 0x00020000) {
USHORT numberOfGlyphs; // Number of glyphs (this should be the same as numGlyphs in 'maxp' table).
local ushort numGlyphs = numberOfGlyphs; //? Assumption TODO: Verify. Seems to work
USHORT glyphNameIndex[numGlyphs]; //This is not an offset, but is the ordinal number of the glyph in 'post' string tables.
local ushort numberNewGlyphs = numberOfGlyphs; //? Assumption FALSE TODO: FIX
local quad end_name = post+Table[currentTable].length;
local quad next_name = FTell();
while (next_name < end_name) {
struct tpostName {
UBYTE length;
CHAR text[length];
} name <read=tpostNameRead>;
next_name = FTell();
}; // Glyph names with length bytes [variable] (a Pascal string).
}
if (version == 0x00025000) {
USHORT numberOfGlyphs; // Number of glyphs (this should be the same as numGlyphs in 'maxp' table).
local ushort numGlyphs = numberOfGlyphs; //? Assumption TODO: Verify. Seems to work
USHORT offset[numGlyphs]; //This is not an offset, but is the ordinal number of the glyph in 'post' string tables.
}
if (version == 0x00030000) {
}
};
string tpostNameRead( tpostName &d ) {
return d.text; //use this instead to get the Unicode, etc... characters.
}
string tpostRead( tpost &d ) {
string s;
SPrintf( s, "v%.2f %u glyphs", d.version/65535.0, d.numberOfGlyphs);
if (d.isFixedPitch) { s += " fixed pitch"; } else { s += " proportional"; };
return s;
};
typedef struct tcvt {
local quad n = Table[currentTable].length / sizeof(TT_FWord);
TT_FWord value[ n ]; // List of n values referenceable by instructions. n is the number of FWORD items that fit in the size of the table.
};
typedef struct tfpgm {
local quad n = Table[currentTable].length / sizeof(UBYTE);
UBYTE bytecode[ n ]; // Instructions. n is the number of BYTE items that fit in the size of the table.
};
typedef struct tloca {
local ulong n = maxp.numGlyphs + 1 ;
local short format = head.indexToLocFormat;
if (format == 0) {
USHORT offsets[n];
}
else {
ULONG offsets[n];
}
};
string tlocaRead( tloca &d ) {
string s;
if (d.format == 0) SPrintf( s, "%u short offsets", d.n);
else SPrintf( s, "%u long offsets", d.n);
return s;
}
//the following locals are masks for "flags" 010 v2 doesn't support #define
local USHORT ARG_1_AND_2_ARE_WORDS = 1<<0; // If this is set, the arguments are words; otherwise, they are bytes.
local USHORT ARGS_ARE_XY_VALUES = 1<<1; // If this is set, the arguments are xy values; otherwise, they are points.
local USHORT ROUND_XY_TO_GRID = 1<<2; // For the xy values if the preceding is true.
local USHORT WE_HAVE_A_SCALE = 1<<3; // This indicates that there is a simple scale for the component. Otherwise, scale = 1.0.
local USHORT RESERVED = 1<<4; // This bit is reserved. Set it to 0.
local USHORT MORE_COMPONENTS = 1<<5; // Indicates at least one more glyph after this one.
local USHORT WE_HAVE_AN_X_AND_Y_SCALE = 1<<6; // The x direction will use a different scale from the y direction.
local USHORT WE_HAVE_A_TWO_BY_TWO = 1<<7; // There is a 2 by 2 transformation that will be used to scale the component.
local USHORT WE_HAVE_INSTRUCTIONS = 1<<8; // Following the last component are instructions for the composite character.
local USHORT USE_MY_METRICS = 1<<9; // If set, this forces the aw and lsb (and rsb) for the composite to be equal to those from this original glyph. This works for hinted and unhinted characters.
local USHORT OVERLAP_COMPOUND = 1<<10; // Used by Apple in GX fonts.
local USHORT SCALED_COMPONENT_OFFSET = 1<<11; // Composite designed to have the component offset scaled (designed for Apple rasterizer).
local USHORT UNSCALED_COMPONENT_OFFSET = 1<<12; // Composite designed not to have the component offset scaled (designed for the Microsoft TrueType rasterizer).
// these flags tell us:
// bit name description
local UBYTE ON_CURVE = 1<<0; // If set, the point is on the curve; otherwise, it is off the curve.
local UBYTE X_BYTE = 1<<1; // aka "X-Short" If set, the corresponding x-coordinate is 1 byte long. If not set, 2 bytes.
local UBYTE Y_BYTE = 1<<2; // aka "Y-Short" If set, the corresponding y-coordinate is 1 byte long. If not set, 2 bytes.
//I believe the name x-Short was intended to mean "small" rather than the type SHORT.
//I've changed the names to X_BYTE and Y_BYTE since they are BYTES if set to 1
local UBYTE REPEAT = 1<<3; // If set, the next byte specifies the number of additional times this set of flags is to be repeated.
// In this way, the number of flags listed can be smaller than the number of points in a character.
local UBYTE X_TYPE = 1<<4; // This flag has two meanings, depending on how the x-Short flag is set.
// If x-Short is set, this bit describes the sign of the value,
// with 1 equalling positive and 0 negative.
// If the x-Short bit is not set and this bit is set, then
// the current x-coordinate is the same as the previous x-coordinate.
// If the x-Short bit is not set and this bit is also not set,
// the current x-coordinate is a signed 16-bit delta vector.
local UBYTE Y_TYPE = 1<<5; // This flag has two meanings, depending on how the y-Short Vector flag is set.
// If y-Short Vector is set, this bit describes the sign of the value,
// with 1 equalling positive and 0 negative.
// If the y-Short Vector bit is not set and this bit is set, then
// the current y-coordinate is the same as the previous y-coordinate.
// If the y-Short Vector bit is not set and this bit is also not set,
// the current y-coordinate is a signed 16-bit delta vector.
local UBYTE RES_1 = 1<<6; // 6 Res This bit is reserved. Set it to zero.
local UBYTE RES_2 = 1<<7; // 7 Res This bit is reserved. Set it to zero.
typedef struct tSimpleGlyphPoints {
local ulong i;
local quad xStart, xLast; xStart = xLast = FTell();
local quad yStart, yLast; yStart = FTell(); // Printf("xStart: %u\n",yStart);
yLast = 0;
local byte xLastByte = 0;
local byte yLastByte = 0;
// Printf ("%u\n",numPoints);
for (i = 0; i < numPoints; i++) {
// Printf("%u, %u X_TYPE:%u",i,flag[i],(flag[i] & X_TYPE));
if ( !( flag[i] & X_BYTE ) && ( flag[i] & X_TYPE ) ) { }//Printf ("R");}
else {
yStart++; //Printf("x");
if ( !(flag[i] & X_BYTE) ) {yStart++; }//Printf("big");}
// when flag bit 3 is not set, the x coordinate for that point is another byte long
} // Printf("\n");
} Printf("yStart: %u\n",yStart);
// Now we can decode points in pairs...
for (i = 0; i < numPoints; i++) {
struct tPoints {
FSeek(xStart);
if ( flag[i] & X_BYTE ) {
xLast = FTell(); xLastByte=1;
UBYTE xDelta; xStart = FTell();
}
else {
if ( ( flag[i] & X_TYPE ) ) {
FSeek(xLast);
if (xLast>0) {if (xLastByte) UBYTE xDeltaRepeat; else SHORT xDeltaRepeat;}
}
else {
xLast = FTell();xLastByte=0;
SHORT xDelta; xStart = FTell();
}
}
FSeek(yStart);
if ( flag[i] & Y_BYTE ) {
yLast = FTell(); yLastByte=1;
UBYTE yDelta; yStart = FTell();
}
else {
if ( ( flag[i] & Y_TYPE ) ) {
FSeek(yLast);
if (yLast>0) {if (yLastByte) UBYTE yDeltaRepeat; else SHORT yDeltaRepeat;}
}
else {
yLast = FTell(); yLastByte=0;
SHORT yDelta; yStart = FTell();
}
}
FSeek(xStart);
//First coordinates relative to (0,0); others are relative to previous point.
} points <optimize=false>;
}
};
string tPointsRead ( tSimpleGlyphPoints &d ) {
string s;
s="hello";
// long x;
// if (exists(d.xDelta)) x = d.xDelta; else x = d.xDeltaRepeat;
// if (exists(d.yDelta)) y = d.yDelta; else y = d.yDeltaRepeat;
// SPrintf(s, "%u",x);
return s;
}
typedef UBYTE bitFlag;
local bitFlag flag_repeat=0;
typedef struct tSimpleGlyphFlags {
if (flag_repeat) {
UBYTE count;
flag_repeat = 0;
}
else {
BitfieldRightToLeft();
bitFlag onCurve :1;
bitFlag xByte :1;
bitFlag yByte :1;
bitFlag repeat :1;
bitFlag xType :1;
bitFlag yType :1;
if (repeat) flag_repeat = 1;
}
};
string tSimpleGlyphFlagsRead ( tSimpleGlyphFlags &d ) {
string s;
if (exists(d.count)) {
SPrintf(s, " repeat %u times", d.count);
}
else {
s="Point";
if (d.onCurve) s += " OnCurve";
if (!d.xByte) {s += " X"; if (d.xType) s += "R";}
if (d.xByte) {s += " x"; if (d.xType) s += "+"; else s += "-";}
if (!d.yByte) {s += " Y"; if (d.yType) s += "R";}
if (d.yByte) {s += " y"; if (d.yType) s += "+"; else s += "-";}
if (d.repeat) s += " REPEAT:";
}
return s;
}
typedef struct tSimpleGlyph {
SHORT numberOfContours;
SHORT xMin; // Minimum x for coordinate data.
SHORT yMin; // Minimum y for coordinate data.
SHORT xMax; // Maximum x for coordinate data.
SHORT yMax; // Maximum y for coordinate data.
USHORT endPtsOfContours[numberOfContours]; // Array of last points of each contour; n is the number of contours.
USHORT instructionLength; // Total number of bytes for instructions.
if (instructionLength > 0) {
UBYTE instructions[instructionLength]; // Array of instructions for each glyph
}
local USHORT numPoints;
numPoints = endPtsOfContours[numberOfContours-1]+1;
//why +1? Because that works...
//,-----------------------------------
// Unpack the compressed flags table
local quad glyf_flag_table = FTell();
local quad glyf_flag_index = FTell();
local ushort i;
local ubyte repeat = 0;
local ubyte flag[numPoints];
// we have to do this in a local, 'cause of the run length compression from the "repeat" flag
local ubyte flag_value;
for (i = 0; i < numPoints; i++) {
if (repeat > 0) repeat--;
else {
flag_value = ReadUByte(glyf_flag_index++);
//only increment the pointer to the number of flags if the count on a repeat is 0
if (flag[i] & 8) repeat = ReadUByte(glyf_flag_index++);
}
flag[i] = flag_value;
}
local ushort numFlags = glyf_flag_index - glyf_flag_table;
struct {
tSimpleGlyphFlags flag[numFlags] <optimize=false, read=tSimpleGlyphFlagsRead>;
} compressedFlags;
// Array of flags for each coordinate in outline; n is the number of flags.
//`-----------------------------------
struct tSimpleGlyphPoints contours;
} ;
typedef struct tglyf {
local quad glyf_table = FTell();
local quad glyf_offset;
//The indexToLoc table stores the offsets to the locations of the glyphs in the font,
// relative to the beginning of the glyphData table.
//In order to compute the length of the last glyph element, there is an extra entry
// after the last valid index.
local ulong n;
for (n = 0; n <= 9; n++) { //BOGUS! Just to keep it real time. Use the next line instead
// for (n = 0; n <= maxp.numGlyphs; n++) {
//The (maximum) value of n is numGlyphs + 1. The value for numGlyphs is found in the 'maxp' table.
glyf_offset = loca.offsets[n];
//The actual local offset is stored, assuming the long version
//The version is specified by 'indexToLocFormat' in the head table. 0 for Short, 1 for Long.
if (head.indexToLocFormat == 0) glyf_offset *= 2;
//In the short version, the actual local offset divided by 2 is stored.
FSeek( glyf_table + glyf_offset );
if (ReadShort(FTell()) > 0) {
// If the number of contours is greater than or equal to zero, this is a single glyph;
struct tSimpleGlyph SimpleGlyph <read = tSimpleGlyphRead>;
}
if (ReadShort(FTell()) < 0 & 0==1) { // UNTESTED CODE. TODO: test
// If the number of contours is negative, this is a composite glyph.
//-------------------------------
SHORT numberOfContours;
SHORT xMin; // Minimum x for coordinate data.
SHORT yMin; // Minimum y for coordinate data.
SHORT xMax; // Maximum x for coordinate data.
SHORT yMax; // Maximum y for coordinate data.
do {
USHORT flags;
struct tGlyph {
USHORT glyphIndex;
if ( flags & ARG_1_AND_2_ARE_WORDS) {
SHORT argument1;
SHORT argument2;
}
else {
USHORT arg1and2; /* (arg1 << 8) | arg2 */
}
if ( flags & WE_HAVE_A_SCALE ) {
F2Dot14 scale; /* Format 2.14 */
}
else if ( flags & WE_HAVE_AN_X_AND_Y_SCALE ) {
F2Dot14 xscale; /* Format 2.14 */
F2Dot14 yscale; /* Format 2.14 */
}
else if ( flags & WE_HAVE_A_TWO_BY_TWO ) {
F2Dot14 xscale; /* Format 2.14 */
F2Dot14 scale01; /* Format 2.14 */
F2Dot14 scale10; /* Format 2.14 */
F2Dot14 yscale; /* Format 2.14 */
}
if (flags & WE_HAVE_INSTRUCTIONS){
USHORT numInstr;
BYTE instr[numInstr];
}
} Glyph;
} while ( flags & MORE_COMPONENTS ) ;
//-------------------------------
};
}
};
string tSimpleGlyphRead( tSimpleGlyph &d ) {
string s;
SPrintf( s, "%u contours %u insts %u flags %u points", d.numberOfContours, d.instructionLength, d.numFlags, d.numPoints);
return s;
}
typedef struct tGDEF {
TT_Fixed Version; // Version of the GDEF table-initially 0x00010000
TT_Offset GlyphClassDef; // Offset to class definition table for glyph type-from beginning of GDEF header (may be NULL)
TT_Offset AttachList; // Offset to list of glyphs with attachment points-from beginning of GDEF header (may be NULL)
TT_Offset LigCaretList; // Offset to list of positioning points for ligature carets-from beginning of GDEF header (may be NULL)
TT_Offset MarkAttachClassDef; // Offset to class definition table for mark attachment type-from beginning of GDEF header (may be NULL)
};
typedef struct tprep {
local quad n = Table[currentTable].length / sizeof(UBYTE);
UBYTE bytecode[ n ]; // Instructions. n is the number of BYTE items that fit in the size of the table.
};
typedef struct tDSIG {
local quad DSIG_table = FTell();
local quad nextSig ;
ULONG ulVersion; // Version number of the DSIG table (0x00000001)
USHORT usNumSigs; // Number of signatures in the table
USHORT usFlag; // permission flags
//Bit 0: cannot be resigned
//Bits 1-7: Reserved (Set to 0)
struct {
nextSig = FTell(); FSeek(nextSig);
ULONG ulFormat; //format of the signature
ULONG ulLength; //Length of signature in bytes
ULONG ulOffset; //Offset to the signature block from the beginning of the table
nextSig = FTell(); FSeek(DSIG_table + ulOffset);
USHORT usReserved1; // Reserved for later use; 0 for now
USHORT usReserved2; // Reserved for later use; 0 for now
ULONG cbSignature; // Length (in bytes) of the PKCS#7 packet in pbSignature
UBYTE bSignature[cbSignature]; // PKCS#7 packet
} Sigs[usNumSigs] <optimize = false>;
};
string tDSIGRead( tDSIG &d ) {
string s;
SPrintf( s, "v%u %u signature(s)", d.ulVersion, d.usNumSigs);
return s;
}
typedef struct tLangSysTable{
USHORT LookupOrder; // = NULL (reserved for an offset to a reordering table)
uint16 ReqFeatureIndex; // Index of a feature required for this language system- if no required features = 0xFFFF
uint16 FeatureCount; // Number of FeatureIndex values for this language system-excludes the required feature
uint16 FeatureIndex[FeatureCount]; // Array of indices into the FeatureList-in arbitrary order
};
typedef struct tLangSysRecord {
char LangSysTag[4]; // 4-byte LangSysTag identifier
USHORT Offset; // LangSys Offset to LangSys table-from beginning of Script table
local quad next = FTell();FSeek(ScriptTable_table + Offset);
local quad LangSys=FTell();
tLangSysTable LangSysTable;
FSeek(next);
};
string tLangSysRecordRead (tLangSysRecord &d ) {
return d.LangSysTag;
}
typedef struct tScriptRecord {
char ScriptTag[4]; //4-byte ScriptTag identifier
USHORT Offset; // to Script table-from beginning of ScriptList
local quad next = FTell();FSeek(ScriptList + Offset);
local quad ScriptTable_table=FTell();
struct {
USHORT DefaultLangSys; // Offset to DefaultLangSys table-from beginning of Script table-may be NULL
uint16 LangSysCount; // Number of LangSysRecords for this script-excluding the DefaultLangSys
tLangSysRecord LangSysRecord[LangSysCount] <optimize=false, read=tLangSysRecordRead>;
//Array of LangSysRecords-listed alphabetically by LangSysTag
} ScriptTable;
FSeek(ScriptTable_table + ScriptTable.DefaultLangSys);
tLangSysTable DefaultLangSysTable;
FSeek(next);
};
string tScriptRecordRead (tScriptRecord &d ) {
return d.ScriptTag;
}
typedef struct tScriptList {
USHORT Offset; //Offset to ScriptList table-from beginning of GSUB table
local quad next = FTell();
FSeek(GSUBorGPOS_table + Offset);
local quad ScriptList=FTell();
uint16 ScriptCount; //Number of ScriptRecords
tScriptRecord ScriptRecord[ScriptCount]<read=tScriptRecordRead, optimize = false>;
//Array of ScriptRecords -listed alphabetically by ScriptTag
FSeek(next);
};
string tScriptListRead (tScriptList &d ) {
string s;
SPrintf( s, "%u scripts", d.ScriptCount);
return s;
}
typedef struct tFeatureRecord {
char FeatureTag[4]; //4-byte FeatureTag identifier
USHORT Offset; // to Feature table-from beginning of FeatureList
local quad next = FTell();FSeek(FeatureList + Offset);
local quad FeatureTable_table=FTell();
struct {
uint16 FeatureParams; //reserved null
uint16 LookupListCount; // Number of LangSysRecords for this script-excluding the DefaultLangSys
uint16 LookupListIndex[LookupListCount] <optimize = false>;
} FeatureTable <optimize = false>;
FSeek(next);
};
string tFeatureRecordRead (tFeatureRecord &d ) {
return d.FeatureTag;
}
typedef struct tFeatureList {
USHORT Offset; //Offset to FeatureList table-from beginning of GSUB table
local quad next = FTell();
FSeek(GSUBorGPOS_table + Offset);
local quad FeatureList=FTell();
uint16 FeatureCount; //Number of FeatureRecords
tFeatureRecord FeatureRecord[FeatureCount] <read= tFeatureRecordRead, optimize = false>;
//Array of FeatureRecords -listed alphabetically by FeatureTag
FSeek(next);
};
string tFeatureListRead (tFeatureList &d ) {
string s;
SPrintf( s, "%u Features", d.FeatureCount);
return s;
}
typedef struct tLookupRecord {
USHORT Offset; //Offset to LookupList table-from beginning of GSUB table
local quad next = FTell();
FSeek(LookupList_table + Offset);
uint16 LookupType; //Different enumerations for GSUB and GPOS
uint16 LookupFlag; //Lookup qualifiers
uint16 SubTableCount; //Number of SubTables for this lookup
USHORT SubTable[SubTableCount]; //Array of offsets to SubTables-from beginning of Lookup table
FSeek(next);
};
typedef struct tLookupList {
USHORT Offset; //Offset to LookupList table-from beginning of GSUB table
local quad next = FTell();
FSeek(GSUBorGPOS_table + Offset);
local quad LookupList_table=FTell();
uint16 LookupCount; //Number of FeatureRecords
tLookupRecord LookupRecord[LookupCount] <optimize = false>;
//Array of LookupRecords -listed alphabetically by LookupTag
FSeek(next);
};
typedef struct tGSUBorGPOS {
local quad GSUBorGPOS_table = FTell();
TT_Fixed Version; //Version of the GSUB table-initially set to 0x00010000
tScriptList ScriptList <read=tScriptListRead>; //Offset to ScriptList table-from beginning of GSUB table
tFeatureList FeatureList <read=tFeatureListRead>; //Offset to FeatureList table-from beginning of GSUB table
tLookupList LookupList; //Offset to LookupList table-from beginning of GSUB table
//LookupType Enumeration table for glyph substitution
//Value Type Description
//1 LookupType_Single Replace one glyph with one glyph
//2 LookupType_Multiple Replace one glyph with more than one glyph
//3 LookupType_Alternate Replace one glyph with one of many glyphs
//4 LookupType_Ligature Replace multiple glyphs with one glyph
//5 LookupType_Context Replace one or more glyphs in context
//6 LookupType_Chaining Context Replace one or more glyphs in chained context
//7 LookupType_Extension Substitution Extension mechanism for other substitutions (i.e. this excludes the Extension type substitution itself)
//8 LookupType_Reverse chaining context single Applied in reverse order, replace single glyph in chaining context
//9+ Reserved For future use
};
string tGSUBorGPOSRead( tGSUBorGPOS &d ) {
string s;
SPrintf( s, "v%.2f", d.Version/65535.0);
return s;
}
//==================================
struct tOffsetTable OffsetTable;
struct tTable Table[OffsetTable.numTables] <read=tTableRead>;
local int currentTable; //set by findTable to index Table[] array.
int findTable( char tag[] ) {
//search the Table[] array for a matching character table tag
// set currentTable and FSeek Table[currentTable].offset
// return the table index+1 or 0 if no table found.
local int i=0;
for( i = 0; i < OffsetTable.numTables; i++ ) {
if ( Strncmp(Table[i].Tag.asChar, tag, 4)==0 ) {
currentTable = i;
FSeek(Table[i].offset);
return i+1;
}
}
return 0;
}
if (findTable("head")) {struct thead head;};
if (findTable("hdmx")) {struct thdmx hdmx <read=thdmxRead>; };
if (findTable("hhea")) {struct thhea hhea <read=thheaRead>; };
if (findTable("hmtx")) {struct thmtx hmtx <read=thmtxRead>; };
if (findTable("maxp")) {struct tmaxp maxp <read=tmaxpRead>; };
if (findTable("name")) {struct tname name <read=tnameRead>; };
if (findTable("post")) {struct tpost post <read=tpostRead>; };
//bytecode programs
if (findTable("cvt ")) {struct tcvt cvt ; };
if (findTable("fpgm")) {struct tfpgm fpgm; };
if (findTable("prep")) {struct tprep prep;};
if (findTable("GDEF")) {struct tGDEF GDEF; };
if (findTable("OS/2")) {struct tOS_2 OS_2 <read=tOS_2Read>; };
if (findTable("cmap")) {struct tcmap cmap; };
if (findTable("loca")) {struct tloca loca <read=tlocaRead>; };
if (findTable("glyf")) {struct tglyf glyf; };
if (findTable("DSIG")) {struct tDSIG DSIG <read=tDSIGRead>; };
if (findTable("GSUB")) {struct tGSUBorGPOS GSUB <read=tGSUBorGPOSRead>; };
if (findTable("GPOS")) {struct tGSUBORGPOS GPOS <read=tGSUBorGPOSRead>; };
//if (findTable("JSTF")) {struct tJSTF JSTF <read=tJSTFRead>};
//if (findTable("LTSH")) {struct tLTSH LTSH <read=tLTSHRead>};
//if (findTable("PCLT")) {struct tPCLT PCLT <read=tPCLTRead>};
//if (findTable("VDMX")) {struct tVDMX VDMX <read=tVDMXRead>};
//if (findTable("gasp")) {struct tgasp gasp <read=tgaspRead>};
//if (findTable("kern")) {struct tkern kern <read=tkernRead>};

426
cparser/TacxTemplate.bt Normal file
View File

@ -0,0 +1,426 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: Tacx Total Template.bt
// Author: Nestor Matas
// Revision: 1.0
// Purpose: Defines a template for
// parsing All Tacx files PGMF CAF IMF RLV MRLV.
//-----------------------------------
// Define structures used in Tacx files
typedef struct {
WORD FileFingerprint;
WORD FileVersion;
DWORD BlockCount;
} HEADER;
typedef struct {
WORD BlockFingerprint; //Identifies the data to follow
WORD BlockVersion; //A 3 digit number indicating the block version, e.g. 100 or 110
DWORD RecordCount; //Number of records in the block
DWORD RecordSize; //Size of each record in the block
} INFOBLOCK;
typedef struct {
DWORD CheckSum;
CHAR CourseName[34];
DWORD WattSlopePulse; //0 = Watt program, 1 = Slope program, 2 = Pulse (HR) program
DWORD TimeDist; //0 = Time based program, 1 = distance based program
DOUBLE TotalTimeDist; //Total time (in seconds) or distance (in metres) of complete program
DOUBLE EnergyCons;
FLOAT AltitudeStart;
DWORD BrakeCategory;
} GENERALINFO;
typedef struct {
FLOAT DurationDistance; //Seconds or metres, depending on program type
FLOAT PulseSlopeWatts; //Pulse, slope or watts data, depending on program type
FLOAT RollingFriction; // Usually 4.0
} PROGRAM;
typedef struct {
FLOAT Start; //Start of route section (time (s) or distance (m), depending on program type)
FLOAT End; //End of route section (time (s) or distance (m), depending on program type)
CHAR CourseSegmentName[66];
CHAR TextFile[522];
} COURSEINFO;
typedef struct{
CHAR VideoFileName[522];// Location of the RLV AVI file
FLOAT FrameRate; // Video frame rate
FLOAT OrgRunWeight;
INT FrameOffset;
} RLVINFO;
typedef struct{
UINT16 Year;
UINT16 Month;
UINT16 DayOfWeek;
UINT16 DayOfMonth;
UINT16 Hour;
UINT16 Minute;
UINT16 Second;
UINT16 Millisecond;
FLOAT RecordInterval;// secs
DOUBLE Distance;//m
DOUBLE Duration; //s
INT32 CoolDownCount;
UINT32 NotFinished;//0 = ride completed, 1 = ride not completed
BYTE HRMin; //bpm
BYTE HRMax; //bpm
CHAR Feeling[42];
CHAR Temperature[22]; //deg C
UINT16 VendorID;
UINT16 BrakeType; //Brake type. i-Magic 6402, Fortius 6466, Cosmos 6514, Fortagic (Fortius Multiplayer) 6450
UINT32 SerialNo; //
UINT32 DriverVersion; //The format of the version number is part1.part2.part3 where part1 = (DriverVersion & 0xFF0000) >> 16, part2 = (DriverVersion & 0xFF00) >> 8 and part3 = DriverVersion & 0xFF
UINT16 TrainerYear;//Trainer year of manufacture
BYTE TrainerMonth;
BYTE TrainerDay;
UINT32 BrakeSerialNo;
UINT32 BrakeVersion;
UINT16 BrakeYear;
BYTE BrakeMonth;
BYTE BrakeDay;
INT16 CalibrationX10; //Divide by 10 to get calibration value
BYTE ScaleFactor;
BYTE Reserved_1;
UINT32 Reserved_2;
FLOAT CA; //VR parameters
FLOAT Ccw;//VR parameters
FLOAT Crho;//VR parameters
FLOAT Crr;//VR parameters
FLOAT CeffBike;//VR parameters
FLOAT CeffCyclist;//VR parameters
FLOAT Slope;//VR parameters
INT16 AirSpeedAbs;//VR parameters
BYTE BikeMass;//VR parameters
BYTE CyclistWeight;//VR parameters
FLOAT VirtSpeedAccelFactor;//VR parameters
UINT32 Reserved_3;
UINT32 Reserved_4;
INT32 LazyMode;
INT32 VRParamExt;
INT32 RLVFlags;
} RIDEINFO_100;
typedef struct{
UINT16 Year;
UINT16 Month;
UINT16 DayOfWeek;
UINT16 DayOfMonth;
UINT16 Hour;
UINT16 Minute;
UINT16 Second;
UINT16 Millisecond;
FLOAT RecordInterval;// secs
DOUBLE Distance;//m
DOUBLE Duration; //s
INT32 CoolDownCount;
UINT32 NotFinished;//0 = ride completed, 1 = ride not completed
BYTE HRMin; //bpm
BYTE HRMax; //bpm
CHAR Feeling[42];
CHAR Temperature[22]; //deg C
UINT16 VendorID;
UINT16 BrakeType; //Brake type. i-Magic 6402, Fortius 6466, Cosmos 6514, Fortagic (Fortius Multiplayer) 6450
UINT32 SerialNo; //
UINT32 DriverVersion; //The format of the version number is part1.part2.part3 where part1 = (DriverVersion & 0xFF0000) >> 16, part2 = (DriverVersion & 0xFF00) >> 8 and part3 = DriverVersion & 0xFF
UINT16 TrainerYear;//Trainer year of manufacture
BYTE TrainerMonth;
BYTE TrainerDay;
UINT32 BrakeSerialNo;
UINT32 BrakeVersion;
UINT16 BrakeYear;
BYTE BrakeMonth;
BYTE BrakeDay;
INT16 CalibrationX10; //Divide by 10 to get calibration value
BYTE ScaleFactor;
BYTE Reserved_1;
UINT32 Reserved_2;
FLOAT CA; //VR parameters
FLOAT Ccw;//VR parameters
FLOAT Crho;//VR parameters
FLOAT Crr;//VR parameters
FLOAT CeffBike;//VR parameters
FLOAT CeffCyclist;//VR parameters
FLOAT Slope;//VR parameters
INT16 AirSpeedAbs;//VR parameters
BYTE BikeMass;//VR parameters
BYTE CyclistWeight;//VR parameters
FLOAT VirtSpeedAccelFactor;//VR parameters
UINT32 Reserved_3;
UINT32 Reserved_4;
INT32 RLVSlopeAdjustmentPercent;
INT32 VRParamExt;
INT32 RLVFlags;
CHAR CourseName[34];
} RIDEINFO_110;
typedef struct{
CHAR Team[34];
CHAR RiderName[34];
FLOAT Weight; //kg
BYTE Gender; // 0 = female, 1 = male for VR, reversed for Catalyst
FLOAT Height;// cm
UINT BirthYear;// UInt32
BYTE BirthMonth;
BYTE BirthDay;
BYTE HRMax;//bpm
BYTE HRRest;//bpm
BYTE HRAThreshold;
BYTE HRZone1;
BYTE HRZone2;
BYTE HRZone3;
BYTE HRZone4;
BYTE HRZone5;
CHAR Email[522];
CHAR Country[66];
CHAR Remarks[522];
} RIDERINFO;
typedef struct{
FLOAT Distance;
BYTE HR;
BYTE Cadence;
UINT16 PowerX10;//Divide by 10 to get actual power in watts
UINT16 SpeedX10;//Divide by 10 to get actual speed in km/h
} RIDEDATA;
typedef struct{
UINT CRC32;
CHAR SegmentName[66];
CHAR InfoFile[522];
DOUBLE Distance;
INT32 PrgCnt;
} RLV_MULTICOURSE;
typedef struct{
UINT32 CRC32;
CHAR ProgName[34];
INT32 PrgIdx;
DOUBLE DistTimeBeg;
DOUBLE DistTimeEnd;
CHAR Name[66];
CHAR InfoFil[522];
INT32 LapCount;
} RLV_MULTISECT;
typedef struct{
UINT32 FrameNumber;
FLOAT DistancePerFrame;
} RLV_FRAMEDISTANCE;
typedef struct{
INT32 Frame; // Frame number
INT32 Cmd;
} RLV_INFOBOX;
typedef struct{
DWORD CheckSum;
CHAR CourseName[34];
CHAR Terrain[34];
FLOAT RecordInterval;
DOUBLE CourseDistance;
DOUBLE RunTime;//Total run time of pilot route
INT32 CoolDownCount;
INT32 RunFlags;
INT32 BrakeType;
} GENERAL_INFO_VR;
typedef struct{
FLOAT X; //x co-ordinate on 3D map
FLOAT Y; //y co-ordinate on 3D map (and height in metres)
FLOAT Z; //z co-ordinate on 3D map
FLOAT Alpha;//Horizontal alignment of rider at each coordinate
FLOAT Beta; //Declination of rider at each coordinate
FLOAT Gamma;
BYTE HeartRate;
BYTE Cadence;
INT16 PowerX10;
INT16 SpeedX10;
FLOAT TerrainAngle;
FLOAT ForkAngle; // < -100 = crash
} COURSE_DATA_VR;
typedef struct{
CHAR CourseName[34];
CHAR Terrain[34];
UINT16 Year;
UINT16 Month;
UINT16 DayOfWeek;
UINT16 DayOfMonth;
UINT16 Hour;
UINT16 Minute;
UINT16 Second;
UINT16 Millisecond;
FLOAT RecordInterval;// secs
DOUBLE Distance;//m
DOUBLE Duration; //s
INT32 CoolDownCount;
UINT32 NotFinished;//0 = ride completed, 1 = ride not completed
BYTE HRMin; //bpm
BYTE HRMax; //bpm
CHAR Feeling[42];
CHAR Temperature[22]; //deg C
UINT16 VendorID;
UINT16 BrakeType; //Brake type. i-Magic 6402, Fortius 6466, Cosmos 6514, Fortagic (Fortius Multiplayer) 6450
UINT32 SerialNo; //
UINT32 DriverVersion; //The format of the version number is part1.part2.part3 where part1 = (DriverVersion & 0xFF0000) >> 16, part2 = (DriverVersion & 0xFF00) >> 8 and part3 = DriverVersion & 0xFF
UINT16 TrainerYear;//Trainer year of manufacture
BYTE TrainerMonth;
BYTE TrainerDay;
UINT32 BrakeSerialNo;
UINT32 BrakeVersion;
UINT16 BrakeYear;
BYTE BrakeMonth;
BYTE BrakeDay;
INT16 CalibrationX10; //Divide by 10 to get calibration value
BYTE ScaleFactor;
BYTE Reserved_1;
UINT32 Reserved_2;
FLOAT CA; //VR parameters
FLOAT Ccw;//VR parameters
FLOAT Crho;//VR parameters
FLOAT Crr;//VR parameters
FLOAT CeffBike;//VR parameters
FLOAT CeffCyclist;//VR parameters
FLOAT Slope;//VR parameters
INT16 AirSpeedAbs;//VR parameters
BYTE BikeMass;//VR parameters
BYTE CyclistWeight;//VR parameters
FLOAT VirtSpeedAccelFactor;//VR parameters
UINT32 Reserved_3;
UINT32 Reserved_4;
INT32 LazyMode;
INT32 VRParamExt;
INT32 CollisionsOn;
FLOAT WindStrength;//0 = none, 12 = low, 24 = middle, 36 = high
FLOAT WindDirection;// -180 < x <= 180 (north = 0)
FLOAT ScaleFactor2;
INT32 CrashTimesCount;
} RIDEINFO_VR;
typedef struct{
FLOAT X; //x co-ordinate on 3D map
FLOAT Y; //y co-ordinate on 3D map (and height in metres)
FLOAT Z; //z co-ordinate on 3D map
FLOAT Alpha; //Horizontal alignment of rider at each co-ordinate
FLOAT Beta; //Declination of rider at each co-ordinate
FLOAT Gamma;
BYTE HR;//bpm Heart rate
BYTE Cadence;//rpm
UINT16 PowerX10;//watts x 10
UINT16 SpeedX10;//km/h x 10
FLOAT TerrainAngle;//Vertical alignment of rider at each co-ordinate
FLOAT ForkAngle;//< -100 = crash
} RIDEDATA_VR;
typedef struct{
UINT32 LapTime; //ms Cumulative
} LAPDATA;
// Define the headers
LittleEndian();
HEADER head;
// Check for header
if( head.FileFingerprint != 4000
&& head.FileFingerprint != 3000
&& head.FileFingerprint != 2000
&& head.FileFingerprint != 1000 )
{
Warning( "File is not a Tacx file. Template stopped." );
return -1;
}
local int i;
for (i=0; i<head.BlockCount;i++)
{
INFOBLOCK blk;
if( blk.BlockFingerprint == 1010 )
{
GENERALINFO ginfo[blk.RecordCount];
}
else if( blk.BlockFingerprint == 2040 )
{
COURSEINFO courseinfo[blk.RecordCount];
}
else if( blk.BlockFingerprint == 1020 )
{
PROGRAM pdata[blk.RecordCount];
}
else if( blk.BlockFingerprint == 210 )
{
RIDERINFO rinfo;
}
else if( blk.BlockFingerprint == 2010 )
{
RLVINFO rlvinfo;
}
else if( blk.BlockFingerprint == 3010 )
{
if(blk.BlockVersion == 100)
RIDEINFO_100 rideinfo;
else if(blk.BlockVersion == 110)
RIDEINFO_110 rideinfo;
}
else if( blk.BlockFingerprint == 120 )
{
char notes[blk.RecordCount*blk.RecordSize];
}
else if( blk.BlockFingerprint == 3020 )
{
RIDEDATA ride[blk.RecordCount];
}
else if( blk.BlockFingerprint == 6010 )
{
RLV_MULTICOURSE rlvmcourse;
}
else if( blk.BlockFingerprint == 6020 )
{
RLV_MULTISECT rlvmsect;
}
else if( blk.BlockFingerprint == 130 )
{
DOUBLE unkown_130;
}
else if( blk.BlockFingerprint == 2020 )
{
RLV_FRAMEDISTANCE rlvfd[blk.RecordCount];
}
else if( blk.BlockFingerprint == 2030 )
{
RLV_INFOBOX iboxes[blk.RecordCount];
}
else if( blk.BlockFingerprint == 4010 )
{
GENERAL_INFO_VR ginfovr[blk.RecordCount];
}
else if( blk.BlockFingerprint == 4020 )
{
COURSE_DATA_VR cdatavr[blk.RecordCount];
}
else if( blk.BlockFingerprint == 4030 )
{
RIDEINFO_VR rinfovr[blk.RecordCount];
}
else if( blk.BlockFingerprint == 110 )
{
LAPDATA lapdata[blk.RecordCount];
}
else if( blk.BlockFingerprint == 4040)
{
RIDEDATA_VR ridedata_vr[blk.RecordCount];
}
else
{
Warning( "Unknown Block Fingerprint");
return -1;
}
}

63
cparser/UTMPTemplate.bt Normal file
View File

@ -0,0 +1,63 @@
//--------------------------------------
//--- 010 Editor v5.0beta1 Binary Template
//
// File: UTMPTemplate.bt
// Author: Matthew Geiger
// Revision: 0.1
// Purpose: Parsing entries in wtmp and utmp files on *nix hosts
//--------------------------------------
#define UT_LINESIZE 32
#define UT_NAMESIZE 32
#define UT_HOSTSIZE 256
LittleEndian();
typedef enum <uint> { /* Should be a short(?), but not on Linux systems I have seen */
EMPTY = 0, /* Record does not contain valid info
(formerly known as UT_UNKNOWN on Linux) */
RUN_LVL = 1, /* Change in system run-level (see
init(8)) */
BOOT_TIME = 2, /* Time of system boot (in ut_tv) */
NEW_TIME = 3, /* Time after system clock change
(in ut_tv) */
OLD_TIME = 4, /* Time before system clock change
(in ut_tv) */
INIT_PROCESS = 5, /* Process spawned by init(8) */
LOGIN_PROCESS = 6, /* Session leader process for user login */
USER_PROCESS = 7, /* Normal process */
DEAD_PROCESS = 8, /* Terminated process */
ACCOUNTING = 9 /* Not implemented */
} LOGIN_TYPE;
struct exit_status
{
short e_termination; /* Process termination status. */
short e_exit; /* Process exit status. */
};
struct utmp
{
LOGIN_TYPE ut_type; /* Type of login. */
int ut_pid; /* Process ID of login process. */
char ut_line[UT_LINESIZE]; /* Devicename. */
char ut_id[4]; /* Inittab ID. */
char ut_user[UT_NAMESIZE]; /* Username. */
char ut_host[UT_HOSTSIZE]; /* Hostname for remote login. */
struct exit_status ut_exit; /* Exit status of a process marked
as DEAD_PROCESS. */
long ut_session; /* Session ID, used for windowing. */
time_t high_timeval; /* Time entry was made. */
int low_timeval;
int ut_addr_v6[4]; /* Internet address of remote host. */
char __unused[20]; /* Reserved for future use. */
};
FSeek(0);
while( !FEof() )
{
utmp UTMP_entry;
}

197
cparser/VHDTemplate.bt Normal file
View File

@ -0,0 +1,197 @@
//--------------------------------------
//--- 010 Editor v5.0 Binary Template
//
// File: VHD interpretation
// Author: lurker0ster@gmail.com
// Revision: V1.0
// Purpose: Verify what I learn from Microsoft VHD specification.
//--------------------------------------
BigEndian();
typedef uint64 ULONGLONG;
enum <DWORD> OS {
OS_WI2R = 0x57693272,
OS_WINDOWS = 0x5769326B,
OS_W2RU = 0x57327275,
OS_W2KU = 0x57326B75,
OS_MACINTOSH = 0x4D616320,
OS_MACX = 0x4D163258,
};
enum <DWORD> DISK {
NONE = 0x0,
DEPRECATE = 0x1,
FIXED = 0x2,
DYNAMIC = 0x3,
DIFFERENCING = 0x4,
DEPRECATE1= 0x5,
DEPRECATE2 = 0x6,
};
typedef struct{
char cookie[8]; /* Identifies original creator of the disk */
DWORD Features <read=feaRead>;
DWORD FileformatVersion;
ULONGLONG DataOffset <comment=OffsetCheck>;
time_t TimeStamp <read=CorrectTime>; //This is the number of seconds since January 1, 2000 12:00:00 AM in UTC/GMT
char CreaterApplication[4];
DWORD CreaterVersion;
OS CreaterHostOS;
ULONGLONG OrginalSize;
ULONGLONG CurrentSize;
struct {
WORD Cylinder;
BYTE Heads;
BYTE SectorsPerCylinder;
}DiskGeometry;
DISK DiskType;
DWORD CheckSum <comment="Checksum Of footer">;
BYTE UUID[16] ;
BYTE SavedState <read=statecheck>;
BYTE hidden; //tapdisk-specific field
BYTE Reserved[426];
}FOOTER <size=512, open=true>;
string statecheck(BYTE SavedState )
{
if (0x1 == SavedState) return "In saved state";
return "not saved";
}
string feaRead(WORD Features)
{
string s;
if (Features & 0x0001) { s=s+"Temporary, " ;}
if (Features & 0x0002) { s=s+"Reserved, " ;}
return s;
}
string CorrectTime(time_t TimeStamp)
{
/* VHD uses an epoch of 12:00AM, Jan 1, 2000. */
/* Need to adjust this to the expected epoch of 1970. */
return TimeTToString((DWORD)TimeStamp + 946684800);
}
string OffsetCheck(ULONGLONG DataOffset)
{
if((DataOffset & 0xFFFFFFFF) == 0xFFFFFFFF)
{
return "Fixed disks";
}
return "";
}
typedef struct {
char Cookie[8];
ULONGLONG DataOffset; //unused
ULONGLONG TableOffset; //pointer to BAT
DWORD HeaderVersion;
DWORD MaxTableEntries; //number of blocks in the disk
DWORD BlockSize <comment=sizecmt>; //does not include the size of block bitmap
DWORD Checksum;
BYTE ParentUUID[16]; //for differencing HD
time_t ParentTimeStamp<read=CorrectTime>;
DWORD reserved;
BYTE parentUnicodeName[512];
typedef struct {
DWORD PlatformCode;
DWORD PlatformDataSpace;
DWORD PlatformDataLength;
DWORD reserved;
ULONGLONG PlatformDataOffset;
}ENTRY;
ENTRY ParentLocatorEntry[8];
BYTE reserved1[256];
}DYNAMICDISKHDEAR <size=1024>;
string sizecmt(DWORD blocksize)
{
string s;
SPrintf(s, "block siez:%dMB", blocksize/1024/1024);
return s;
}
FOOTER copyOfFooter;
DYNAMICDISKHDEAR DynamicDiskHeader;
FSeek(DynamicDiskHeader.TableOffset);
struct {
DWORD entry[DynamicDiskHeader.MaxTableEntries] <comment=entryCmt>; //1 entry for 4096 sectors (2MB)
}bat <open=true>; //Block Allocation table
string entryCmt(DWORD entry)
{
if (0xFFFFFFFF == entry) return "Unused";
return "";
}
typedef struct {
char magic[8]; //"tdbatmap"
ULONGLONG batmap_offset;
DWORD batmap_size;
DWORD batmap_version;
DWORD Checksum;
}TDBATMAP;
char magic[8];
if (Memcmp(magic, "tdbatmap", 8) == 0)
{
TDBATMAP batmap;
}else{
FSkip(-8);
}
local int index = 0;
local int BytesInSector = 512;
local int SectorsPerBlock = DynamicDiskHeader.BlockSize / BytesInSector;
local int BitmapBytes = SectorsPerBlock / 8;
//local int ResetBytes = DynamicDiskHeader.BlockSize - BitmapBytes;
//local int numsOfBlockAllocated = (FileSize()-512 - FTell() ) / (DynamicDiskHeader.BlockSize+BitmapBytes);
typedef struct {
BYTE bitmap[BitmapBytes]; //each bit represent a sector. 1: used, 0: full0s.
BYTE data[DynamicDiskHeader.BlockSize];
}DATABLOCK;
//DATABLOCK block[numsOfBlockAllocated];
do{
if (bat.entry[index] != 0xFFFFFFFF) {
Printf("Block[%d] -> VHD sector:0x%x", index, bat.entry[index]);
Printf(" VHD offset:0x%x\n", bat.entry[index]*512);
FSeek(bat.entry[index]*512);
DATABLOCK data;
}else{
//Printf("Block[%d] sparse\n", index);
}
index ++;
}while(index < DynamicDiskHeader.MaxTableEntries);
FSeek(FileSize()-512);
FOOTER Footer;
//for demo only
//offset is sector offset
string readData( uint64 offset)
{
local uint64 BlockIndex = offset/SectorsPerBlock;
local uint64 sectorIndex = offset%SectorsPerBlock;
local uint64 byteoffset = offset/8;
local uint64 bitfield = offset%8;
if(bitfield & data[BlockIndex].bitmap[byteoffset]) {
//spare
Printf("Zeros sector");
}
}

232
cparser/WAVTemplate.bt Normal file
View File

@ -0,0 +1,232 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: WAVTemplate.bt
// Author: SweetScape Software
// Revision: 1.0
// Purpose: Defines a template for
// parsing WAV audio files.
//-----------------------------------
// Typedefs for the wave file
typedef char ID[4];
// Record whether we have found a format chunk yet
local int haveValidFormat = false;
//-----------------------------------
// Define structures used in WAV files
// Stores the file header information
typedef struct
{
ID groupID;
long size;
ID riffType;
} WAVRIFFHEADER;
// Stores the format information for the file
typedef struct {
ID chunkID;
long chunkSize;
local int pos = FTell();
short wFormatTag;
unsigned short wChannels;
unsigned long dwSamplesPerSec;
unsigned long dwAvgBytesPerSec;
unsigned short wBlockAlign;
unsigned short wBitsPerSample;
// Mark that we have found a valid format chunk
haveValidFormat = true;
// Unknown data at the end of the chunk
if( chunkSize > (FTell() - pos) )
uchar unknown[ chunkSize - (FTell() - pos) ];
// Padding so the next chunk starts on an even byte
if( chunkSize & 1 )
uchar padding;
} FORMATCHUNK;
// Stores the actual wave data
typedef struct
{
ID chunkID;
long chunkSize;
// Test if we have a valid format
if( !haveValidFormat )
{
Warning( "File contains no valid WAVE format chunk." );
return -1;
}
// Parse the samples of the data
if( ((format.wBitsPerSample != 8) && (format.wBitsPerSample != 16) && (format.wBitsPerSample != 32))
|| (chunkSize % (int)format.wBlockAlign != 0) )
{
// Unsupported storage method used
unsigned char waveformData[chunkSize];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 8) )
{
// Define an array of 8-bit samples - common case
uchar samples[ chunkSize ];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 16) )
{
// Define an array of 16-bit samples - common case
short samples[ chunkSize/2 ];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 32) )
{
// Define an array of 32-bit samples - common case
int samples[ chunkSize/4 ];
}
else
{
// Define general case sample
struct SAMPLES {
if( format.wBitsPerSample == 8 )
uchar channels[ format.wChannels ];
else if( format.wBitsPerSample == 16 )
short channels[ format.wChannels ];
else if( format.wBitsPerSample == 32 )
int channels[ format.wChannels ];
} samples[ chunkSize / (int)format.wBlockAlign ];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} DATACHUNK;
// Stores the size of the wave after decompression
typedef struct
{
ID chunkID;
long chunkSize;
unsigned long uncompressedSize;
} FACTCHUNK;
// Stores a list of cue points or markers to points in the data
typedef struct {
long dwIdentifier;
long dwPosition;
ID fccChunk;
long dwChunkStart;
long dwBlockStart;
long dwSampleOffset;
} CUEPOINT;
typedef struct {
ID chunkID;
long chunkSize;
local int pos = FTell();
long dwCuePoints;
CUEPOINT points[dwCuePoints];
// Unknown data at the end of the chunk
if( chunkSize > (FTell() - pos) )
uchar unknown[ chunkSize - (FTell() - pos) ];
} CUECHUNK;
// Define a list chunk with a set of subchunks
typedef struct {
ID chunkID;
long chunkSize;
char listData[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} LISTSUBCHUNK;
typedef struct {
ID chunkID;
long chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
while( FTell() - pos < chunkSize )
LISTSUBCHUNK subchunk;
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} LISTCHUNK;
// A chunk which could not be identified
typedef struct {
ID chunkID;
long chunkSize;
uchar unknownData[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} UNKNOWNCHUNK;
//---------------------------------------------
// Define the headers
LittleEndian();
SetBackColor( cLtPurple );
WAVRIFFHEADER header;
// Check for valid header
if( header.groupID != "RIFF" || header.riffType != "WAVE" )
{
Warning( "File is not a valid wave file. Template stopped." );
return -1;
}
// Read the file as a set of chunks
local char tag[5];
local uint size;
while( !FEof() )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// See which chunk this is
switch( tag )
{
case "fmt ":
SetBackColor( cLtGray );
FORMATCHUNK format;
break;
case "data":
SetBackColor( cNone );
DATACHUNK data;
break;
case "fact":
SetBackColor( cLtBlue );
FACTCHUNK fact;
break;
case "cue ":
SetBackColor( cLtGray );
CUECHUNK cue;
break;
case "LIST":
SetBackColor( cLtYellow );
LISTCHUNK list;
break;
default:
// Unknown chunk
size = ReadUInt( FTell()+4 );
Printf( "Encountered unknown chunk '%s' of size %d at position %Ld.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNCHUNK unknown;
break;
}
}

560
cparser/WAVTemplateAdv.bt Normal file
View File

@ -0,0 +1,560 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: WAVTemplateAdv.bt
// Author: SweetScape Software plus submissions
// Revision: 1.1
// Purpose: Defines a template for
// parsing WAV audio files. Includes SMPL chunk
// parsing (Parsing wav files that contains
// Sustain Loops. Useful for Game Developers).
// Tested with: CoolEdit and Sound Forge.
//-----------------------------------
// Typedefs for the wave file
typedef char ID[4];
// Record whether we have found a format chunk yet
local int haveValidFormat = false;
//-----------------------------------
// Define structures used in WAV files
// Stores the file header information
typedef struct
{
ID groupID;
long size;
ID riffType;
} WAVRIFFHEADER;
// Stores the format information for the file
typedef struct {
ID chunkID;
long chunkSize;
local int pos = FTell();
short wFormatTag;
unsigned short wChannels;
unsigned long dwSamplesPerSec;
unsigned long dwAvgBytesPerSec;
unsigned short wBlockAlign;
unsigned short wBitsPerSample;
// Mark that we have found a valid format chunk
haveValidFormat = true;
// Unknown data at the end of the chunk
if( chunkSize > (FTell() - pos) )
uchar unknown[ chunkSize - (FTell() - pos) ];
// Padding so the next chunk starts on an even byte
if( chunkSize & 1 )
uchar padding;
} FORMATCHUNK;
// Stores the actual wave data
typedef struct
{
ID chunkID;
long chunkSize;
// Test if we have a valid format
if( !haveValidFormat )
{
Warning( "File contains no valid WAVE format chunk." );
return -1;
}
// Parse the samples of the data
if( ((format.wBitsPerSample != 8) && (format.wBitsPerSample != 16) && (format.wBitsPerSample != 32))
|| (chunkSize % (int)format.wBlockAlign != 0) )
{
// Unsupported storage method used
unsigned char waveformData[chunkSize];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 8) )
{
// Define an array of 8-bit samples - common case
uchar samples[ chunkSize ];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 16) )
{
// Define an array of 16-bit samples - common case
short samples[ chunkSize/2 ];
}
else if( (format.wChannels == 1) && (format.wBitsPerSample == 32) )
{
// Define an array of 32-bit samples - common case
int samples[ chunkSize/4 ];
}
else
{
// Define general case sample
struct SAMPLES {
if( format.wBitsPerSample == 8 )
uchar channels[ format.wChannels ];
else if( format.wBitsPerSample == 16 )
short channels[ format.wChannels ];
else if( format.wBitsPerSample == 32 )
int channels[ format.wChannels ];
} samples[ chunkSize / (int)format.wBlockAlign ];
}
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} DATACHUNK;
// Stores the size of the wave after decompression
typedef struct
{
ID chunkID;
long chunkSize;
unsigned long uncompressedSize;
} FACTCHUNK;
// Stores a list of cue points or markers to points in the data
typedef struct {
long dwIdentifier;
long dwPosition;
ID fccChunk;
long dwChunkStart;
long dwBlockStart;
long dwSampleOffset;
} CUEPOINT;
typedef struct {
ID chunkID;
long chunkSize;
local int pos = FTell();
long dwCuePoints;
CUEPOINT points[dwCuePoints];
// Unknown data at the end of the chunk
if( chunkSize > (FTell() - pos) )
uchar unknown[ chunkSize - (FTell() - pos) ];
} CUECHUNK;
// Define a list chunk with a set of subchunks
typedef struct {
ID chunkID;
long chunkSize;
char listData[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} LISTSUBCHUNK;
typedef struct {
ID chunkID;
long chunkSize;
local quad pos = FTell();
ID chunkType;
// Read the subchunks
while( FTell() - pos < chunkSize )
LISTSUBCHUNK subchunk;
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} LISTCHUNK;
// A chunk which could not be identified
typedef struct {
ID chunkID;
long chunkSize;
uchar unknownData[chunkSize];
// Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} UNKNOWNCHUNK;
//---------------------------------------------
// SMPL / SMPL Loop
//---------------------------------------------
typedef long SMPLLOOPS_Cue_ID <read=WAV_SMPLLOOPS_Cue_ID>;
string
WAV_SMPLLOOPS_Cue_ID( SMPLLOOPS_Cue_ID cid )
{
string sret;
SPrintf( sret, "Cue Point ID: %u", cid );
return sret;
}
//---------------------------------------------
typedef long SMPLLOOPS_Play_Count <read=WAV_SMPLLOOPS_Play_Count>;
string
WAV_SMPLLOOPS_Play_Count( SMPLLOOPS_Play_Count pc )
{
string sret;
if (pc==0)
{
SPrintf( sret, " Infinite Sustain Loop (%u)", pc );
}
else
{
SPrintf( sret, "Play Count: %u", pc );
}
return sret;
}
//---------------------------------------------
typedef long SMPLLOOPS_Start <read=WAV_SMPLLOOPS_Start>;
string
WAV_SMPLLOOPS_Start( SMPLLOOPS_Start st )
{
string sret;
SPrintf( sret, "Loop Start at %u byte offset", st );
return sret;
}
//---------------------------------------------
typedef long SMPLLOOPS_End <read=WAV_SMPLLOOPS_End>;
string
WAV_SMPLLOOPS_End( SMPLLOOPS_End end )
{
string sret;
SPrintf( sret, "Loop End at %u byte offset", end );
return sret;
}
//---------------------------------------------
typedef long SMPLLOOPS_Fraction <read=WAV_SMPLLOOPS_Fraction>;
string
WAV_SMPLLOOPS_Fraction( SMPLLOOPS_Fraction f )
{
string sret;
SPrintf( sret, "Fraction: %u", f );
return sret;
}
//---------------------------------------------
typedef long SMPL_SL <read=WAV_SMPL_SL>;
string
WAV_SMPL_SL( SMPL_SL sl )
{
string sret;
SPrintf( sret, "Number of Samples Loops (Sustain Loops): %u", sl );
return sret;
}
//---------------------------------------------
typedef long SMPL_SD <read=WAV_SMPL_SD>;
string
WAV_SMPL_SD( SMPL_SD sd )
{
string sret;
SPrintf( sret, "Sample Data (number of bytes): %u", sd );
return sret;
}
//---------------------------------------------
typedef long SMPL_SMPTE_Offset <read=WAV_SMPL_SMPTE_Offset>;
string
WAV_SMPL_SMPTE_Offset( SMPL_SMPTE_Offset so )
{
string sret;
SPrintf( sret, "SMPTE Offset (for synchronization): %u", so );
return sret;
}
//---------------------------------------------
typedef long SMPL_MIDI_Pitch_Fraction <read=WAV_SMPL_MIDI_Pitch_Fraction>;
string
WAV_SMPL_MIDI_Pitch_Fraction( SMPL_MIDI_Pitch_Fraction pf )
{
string sret;
SPrintf( sret, "MIDI Pitch Fraction: %u", pf );
return sret;
}
//---------------------------------------------
typedef long SMPL_MIDI_Unity_Note <read=WAV_SMPL_MIDI_Unity_Note>;
string
WAV_SMPL_MIDI_Unity_Note( SMPL_MIDI_Unity_Note un )
{
string sret;
SPrintf( sret, "MIDI unity note value: %u", un );
return sret;
}
//---------------------------------------------
typedef long SMPL_Product <read=WAV_SMPL_Product>;
string
WAV_SMPL_Product( SMPL_Product product )
{
string sret;
SPrintf( sret, "MIDI model ID (defined by the manufacturer): %u", product );
return sret;
}
//---------------------------------------------
typedef long SMPL_Sample_Period <read=WAV_SMPL_Sample_Period>;
string
WAV_SMPL_Sample_Period( SMPL_Sample_Period sp )
{
string sret;
// The sample period specifies the duration of time that passes during the playback of one sample in nanoseconds (normally equal to 1 / Samplers Per Second, where Samples Per Second is the value found in the format chunk).
SPrintf( sret, "Sample Period: %u", sp );
return sret;
}
//---------------------------------------------
typedef long SMPL_SMPTE <read=WAV_SMPL_SMPTE>;
string
WAV_SMPL_SMPTE( SMPL_SMPTE smptef )
{
string s;
string sret;
switch( smptef )
{
case 0: SPrintf( s, "No SMPTE offset" ); break;
case 24: SPrintf( s, "24 frames per second" ); break;
case 25: SPrintf( s, "25 frames per second" ); break;
case 29: SPrintf( s, "30 frames per second with frame dropping (30 drop)" ); break;
case 30: SPrintf( s, "30 frames per second" ); break;
default: SPrintf( s, "unknown (%u)", smptef ); break;
}
SPrintf( sret, "SMPTE Format: %s", s );
return sret;
}
//---------------------------------------------
typedef long SMPL_Manufacturer <read=WAV_SMPL_Manufacturer>;
string
WAV_SMPL_Manufacturer( SMPL_Manufacturer manufacture )
{
string s;
string sret;
switch( manufacture )
{
case 0: SPrintf( s, "Unknown" ); break;
case 1: SPrintf( s, "Sequential Circuits"); break;
case 2: SPrintf( s, "Big Briar"); break;
case 3: SPrintf( s, "Octave / Plateau"); break;
case 4: SPrintf( s, "Moog"); break;
case 5: SPrintf( s, "Passport Designs"); break;
case 6: SPrintf( s, "Lexicon"); break;
case 7: SPrintf( s, "Kurzweil"); break;
case 8: SPrintf( s, "Fender"); break;
case 9: SPrintf( s, "Gulbransen"); break;
case 10: SPrintf( s, "Delta Labs"); break;
case 11: SPrintf( s, "Sound Comp."); break;
case 12: SPrintf( s, "General Electro"); break;
case 13: SPrintf( s, "Techmar"); break;
case 14: SPrintf( s, "Matthews Research"); break;
case 16: SPrintf( s, "Oberheim"); break;
case 17: SPrintf( s, "PAIA"); break;
case 18: SPrintf( s, "Simmons"); break;
case 19: SPrintf( s, "DigiDesign"); break;
case 20: SPrintf( s, "Fairlight"); break;
case 21: SPrintf( s, "JL Cooper"); break;
case 22: SPrintf( s, "Lowery"); break;
case 23: SPrintf( s, "Lin"); break;
case 24: SPrintf( s, "Emu"); break;
case 27: SPrintf( s, "Peavey"); break;
case 32: SPrintf( s, "Bon Tempi"); break;
case 33: SPrintf( s, "S.I.E.L."); break;
case 35: SPrintf( s, "SyntheAxe"); break;
case 36: SPrintf( s, "Hohner"); break;
case 37: SPrintf( s, "Crumar"); break;
case 38: SPrintf( s, "Solton"); break;
case 39: SPrintf( s, "Jellinghaus Ms"); break;
case 40: SPrintf( s, "CTS"); break;
case 41: SPrintf( s, "PPG"); break;
case 47: SPrintf( s, "Elka"); break;
case 54: SPrintf( s, "Cheetah"); break;
case 62: SPrintf( s, "Waldorf"); break;
case 64: SPrintf( s, "Kawai"); break;
case 65: SPrintf( s, "Roland"); break;
case 66: SPrintf( s, "Korg"); break;
case 67: SPrintf( s, "Yamaha"); break;
case 68: SPrintf( s, "Casio"); break;
case 70: SPrintf( s, "Kamiya Studio"); break;
case 71: SPrintf( s, "Akai"); break;
case 72: SPrintf( s, "Victor"); break;
case 75: SPrintf( s, "Fujitsu"); break;
case 76: SPrintf( s, "Sony"); break;
case 78: SPrintf( s, "Teac"); break;
case 80: SPrintf( s, "Matsushita"); break;
case 81: SPrintf( s, "Fostex"); break;
case 82: SPrintf( s, "Zoom"); break;
case 84: SPrintf( s, "Matsushita"); break;
case 85: SPrintf( s, "Suzuki"); break;
case 86: SPrintf( s, "Fuji Sound"); break;
case 87: SPrintf( s, "Acoustic Technical Laboratory"); break;
default: SPrintf( s, "Unknown"); break;
}
SPrintf( sret, "Manufacturer: %s", s);
return sret;
}
//----------------------------------------------------------------------
typedef long SMPLLOOPS_Type <read=WAV_SMPL_Loop_Type>;
string
WAV_SMPL_Loop_Type( SMPLLOOPS_Type loop )
{
string s;
switch( loop )
{
case 0 :
SPrintf( s, "Loop: Forward (%u)", loop );
break;
case 1 :
SPrintf( s, "Loop: Ping Pong (%u)", loop );
break;
case 2 :
SPrintf( s, "Loop: Reverse (%u)", loop );
break;
case 3 :
SPrintf( s, "Loop [reserved for future standard types] (%u)", loop );
break;
default:
s = "Loop: <unknown>";
}
return s;
}
//----------------------------------------------------------------------
// SMPL Loop
typedef struct {
SMPLLOOPS_Cue_ID Cue_Point;
SMPLLOOPS_Type Type;
SMPLLOOPS_Start Start;
SMPLLOOPS_End End;
SMPLLOOPS_Fraction Fraction;
SMPLLOOPS_Play_Count Play_Count;
} SMPLLOOPS;
//----------------------------------------------------------------------
// Chunk SMPL
typedef struct {
ID chunkID;
long chunkSize;
SMPL_Manufacturer Manufacturer;
SMPL_Product Product; // Product code (Manufacture)
SMPL_Sample_Period Sample_Period;
SMPL_MIDI_Unity_Note MIDI_Unity_Note;
SMPL_MIDI_Pitch_Fraction MIDI_Pitch_Fraction;
SMPL_SMPTE SMPTE;
SMPL_SMPTE_Offset SMPTE_Offset;
SMPL_SL Num_Sample_Loops;
SMPL_SD Sampler_Data;
SMPLLOOPS loops[Num_Sample_Loops];
//Padding so the next chunk starts on an even byte
if( (chunkSize & 1) && (FTell() < FileSize()) )
uchar padding;
} SMPLCHUNK;
//---------------------------------------------
// Define the headers
LittleEndian();
SetBackColor( cLtPurple );
WAVRIFFHEADER header;
// Check for valid header
if( header.groupID != "RIFF" || header.riffType != "WAVE" )
{
Warning( "File is not a valid wave file. Template stopped." );
return -1;
}
// Read the file as a set of chunks
local char tag[5];
local uint size;
while( !FEof() )
{
// Read the chunk tag
ReadBytes( tag, FTell(), 4 );
tag[4] = 0;
// See which chunk this is
switch( tag )
{
case "fmt ":
SetBackColor( cLtGray );
FORMATCHUNK format;
break;
case "data":
SetBackColor( cNone );
DATACHUNK data;
break;
case "fact":
SetBackColor( cLtBlue );
FACTCHUNK fact;
break;
case "cue ":
SetBackColor( cLtGray );
CUECHUNK cue;
break;
case "smpl":
SetBackColor( cLtGray );
SMPLCHUNK smpl;
break;
case "LIST":
SetBackColor( cLtYellow );
LISTCHUNK list;
break;
default:
// Unknown chunk
size = ReadUInt( FTell()+4 );
Printf( "Encountered unknown chunk '%s' of size %d at position %Ld.\n",
tag, size, FTell() );
SetBackColor( cNone );
UNKNOWNCHUNK unknown;
break;
}
}

428
cparser/WMFTemplate.bt Normal file
View File

@ -0,0 +1,428 @@
//--------------------------------------
//--- 010 Editor v2.1.3 Binary Template
//
// File: WMFTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.3, prototype, only tested on 1 placeable WMF file and 1 WMF file
// Date: 2007/08/09 - 2007/08/20
// Purpose: Defines a template for parsing WMF files.
// References:
// http://wvware.sourceforge.net/caolan/ora-wmf.html
//--------------------------------------
typedef struct
{
DWORD Key; /* Magic number (always 9AC6CDD7h) */
WORD Handle; /* Metafile HANDLE number (always 0) */
SHORT Left; /* Left coordinate in metafile units */
SHORT Top; /* Top coordinate in metafile units */
SHORT Right; /* Right coordinate in metafile units */
SHORT Bottom; /* Bottom coordinate in metafile units */
WORD Inch; /* Number of metafile units per inch */
DWORD Reserved; /* Reserved (always 0) */
WORD Checksum <read=CalcCheckSum>; /* Checksum value for previous 10 WORDs */
} WMFSPECIAL;
typedef struct
{
WORD FileType; /* Type of metafile (1=memory, 2=disk) */
WORD HeaderSize; /* Size of header in WORDS (always 9) */
WORD Version; /* Version of Microsoft Windows used */
DWORD FileSize <read=CheckFileSize>; /* Total size of the metafi+le in WORDs */
WORD NumOfObjects; /* Number of objects in the file */
DWORD MaxRecordSize; /* The size of largest record in WORDs */
WORD NoParameters; /* Not Used (always 0) */
} WMFHEAD;
typedef struct
{
DWORD Size; /* Total size of the record in WORDs */
WORD Function <read=ReadFunction>; /* Function number (defined in WINDOWS.H) */
WORD Parmeters[Size-3]; /* Parameter values passed to function */
} WMFRECORD;
// Source: http://wvware.sourceforge.net/caolan/ora-wmf.html
string ReadFunction( WORD function )
{
string result;
switch (function)
{
case 0x0000:
result = "EOF";
break;
case 0x001E:
result = "SaveDC";
break;
case 0x0035:
result = "RealizePalette";
break;
case 0x0037:
result = "SetPalEntries";
break;
case 0x004F:
result = "StartPage";
break;
case 0x0050:
result = "EndPage";
break;
case 0x0052:
result = "AbortDoc";
break;
case 0x005E:
result = "EndDoc";
break;
case 0x00F7:
result = "CreatePalette";
break;
case 0x00F8:
result = "CreateBrush";
break;
case 0x0102:
result = "SetBkMode";
break;
case 0x0103:
result = "SetMapMode";
break;
case 0x0104:
result = "SetROP2";
break;
case 0x0105:
result = "SetRelabs";
break;
case 0x0106:
result = "SetPolyFillMode";
break;
case 0x0107:
result = "SetStretchBltMode";
break;
case 0x0108:
result = "SetTextCharExtra";
break;
case 0x0127:
result = "RestoreDC";
break;
case 0x012A:
result = "InvertRegion";
break;
case 0x012B:
result = "PaintRegion";
break;
case 0x012C:
result = "SelectClipRegion";
break;
case 0x012D:
result = "SelectObject";
break;
case 0x012E:
result = "SetTextAlign";
break;
case 0x0139:
result = "ResizePalette";
break;
case 0x0142:
result = "DibCreatePatternBrush";
break;
case 0x014C:
result = "ResetDc";
break;
case 0x014D:
result = "StartDoc";
break;
case 0x01F0:
result = "DeleteObject";
break;
case 0x01F9:
result = "CreatePatternBrush";
break;
case 0x01f0:
result = "DeleteObject";
break;
case 0x0201:
result = "SetBkColor";
break;
case 0x0209:
result = "SetTextColor";
break;
case 0x020A:
result = "SetTextJustification";
break;
case 0x020B:
result = "SetWindowOrg";
break;
case 0x020C:
result = "SetWindowExt";
break;
case 0x020D:
result = "SetViewportOrg";
break;
case 0x020E:
result = "SetViewportExt";
break;
case 0x020F:
result = "OffsetWindowOrg";
break;
case 0x0211:
result = "OffsetViewportOrg";
break;
case 0x0213:
result = "LineTo";
break;
case 0x0214:
result = "MoveTo";
break;
case 0x0220:
result = "OffsetClipRgn";
break;
case 0x0228:
result = "FillRegion";
break;
case 0x0231:
result = "SetMapperFlags";
break;
case 0x0234:
result = "SelectPalette";
break;
case 0x02FA:
result = "CreatePenIndirect";
break;
case 0x02FB:
result = "CreateFontIndirect";
break;
case 0x02FC:
result = "CreateBrushIndirect";
break;
case 0x02FD:
result = "CreateBitmapIndirect";
break;
case 0x0324:
result = "Polygon";
break;
case 0x0325:
result = "Polyline";
break;
case 0x0410:
result = "ScaleWindowExt";
break;
case 0x0412:
result = "ScaleViewportExt";
break;
case 0x0415:
result = "ExcludeClipRect";
break;
case 0x0416:
result = "IntersectClipRect";
break;
case 0x0418:
result = "Ellipse";
break;
case 0x0419:
result = "FloodFill";
break;
case 0x041B:
result = "Rectangle";
break;
case 0x041F:
result = "SetPixel";
break;
case 0x0429:
result = "FrameRegion";
break;
case 0x0436:
result = "AnimatePalette";
break;
case 0x0521:
result = "TextOut";
break;
case 0x0538:
result = "PolyPolygon";
break;
case 0x0548:
result = "ExtFloodFill";
break;
case 0x061C:
result = "RoundRect";
break;
case 0x061D:
result = "PatBlt";
break;
case 0x0626:
result = "Escape";
break;
case 0x062F:
result = "DrawText";
break;
case 0x06FE:
result = "CreateBitmap";
break;
case 0x06FF:
result = "CreateRegion";
break;
case 0x0817:
result = "Arc";
break;
case 0x081A:
result = "Pie";
break;
case 0x0830:
result = "Chord";
break;
case 0x0922:
result = "BitBlt";
break;
case 0x0940:
result = "DibBitblt";
break;
case 0x0A32:
result = "ExtTextOut";
break;
case 0x0B23:
result = "StretchBlt";
break;
case 0x0B41:
result = "DibStretchBlt";
break;
case 0x0F43:
result = "StretchDIBits";
break;
case 0x0d33:
result = "SetDibToDev";
break;
default:
SPrintf(result, "0x%04X", function);
}
return result;
}
string CalcCheckSum(WORD checksum)
{
string result;
int i;
WORD calculatedchecksum = 0;
for (i = 0; i < 10; i++)
calculatedchecksum ^= ReadUInt(i*2);
if (checksum == calculatedchecksum)
SPrintf(result, "%04X", checksum);
else
SPrintf(result, "NOK: stored: 0x%04X calculated: 0x%04X", checksum, calculatedchecksum);
return result;
}
string CheckFileSize(WORD FileSize)
{
string result;
WORD actualFileSize = FileSize()/2;
if (IsSpecial)
actualFileSize -= 11;
if (FileSize == actualFileSize)
SPrintf(result, "0x%04X", FileSize);
else
SPrintf(result, "NOK: stored: 0x%04X actual: 0x%04X", FileSize, actualFileSize);
return result;
}
// Define the headers
LittleEndian();
local int IsSpecial = 0;
if (0x9AC6CDD7 == ReadQuad(0))
{
WMFSPECIAL special;
IsSpecial = 1;
}
WMFHEAD header;
local int recCnt = 0;
while( !FEof() )
{
WMFRECORD record;
recCnt++;
}
if (recCnt != header.NumOfObjects)
Warning("%d objects declared and %d objects counted", header.NumOfObjects, recCnt);

33
cparser/WinhexPosTemplate.bt Normal file
View File

@ -0,0 +1,33 @@
//--------------------------------------
//--- 010 Editor v3.2.2f Binary Template
//
// File: WinhexPosTemplate
// Author: Artur Babecki
// Revision: 21.02.2012
// Purpose: the WinHex (editor by X-Ways Software Technology AG )
// stores the find results in the winhex.pos file.
// This template parses its structure and allows to
// build the script to convert WinHex results into set
// of bookmarks of 010Editor
//--------------------------------------
string Wh_WinhexID <comment="file signature">;
uint32 Wh_Flags <comment="currently - 0x00, 0X01 - Unicode">;
uint32 Wh_n_ch <comment="number of chunks">;
struct chunk {
uint16 Chsize <comment="chunk size">;
uint16 Chflags ;
uint64 Offset;
uint64 Time;
FILETIME date;
uchar RGB[3];
uchar Padding;
uint16 DescrLen;
string Descr;
if(Chflags&0x100) {
uint64 Relative_Offset;
uint64 FileId;
uint16 PathLen;
string Path;
}
//Printf("%X\n",chflags);
} wh_pos[Wh_n_ch] <optimize=false>;

196
cparser/ZIPTemplate.bt Normal file
View File

@ -0,0 +1,196 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ZIPTemplate.bt
// Author: SweetScape Software
// Revision: 2.2
// Purpose: Defines a template for
// parsing ZIP files.
// Changes:
// 2.1 (SweetScape):
// - Added write function for ZIPFILERECORD structure.
// 2.2 (S.Gibson, KPMG LLP):
// - Fix for entry comment field
// - Fix for parsing data descriptors
//-----------------------------------
// Define structures used in ZIP files
//enum used for compression format
typedef enum <short> {
COMP_STORED = 0,
COMP_SHRUNK = 1,
COMP_REDUCED1 = 2,
COMP_REDUCED2 = 3,
COMP_REDUCED3 = 4,
COMP_REDUCED4 = 5,
COMP_IMPLODED = 6,
COMP_TOKEN = 7,
COMP_DEFLATE = 8,
COMP_DEFLATE64 = 9
} COMPTYPE;
// Defines a file record
typedef struct {
// Header for the file
char frSignature[4]; //0x04034b50
ushort frVersion;
ushort frFlags;
COMPTYPE frCompression;
DOSTIME frFileTime;
DOSDATE frFileDate;
uint frCrc <format=hex>;
uint frCompressedSize;
uint frUncompressedSize;
ushort frFileNameLength;
ushort frExtraFieldLength;
if( frFileNameLength > 0 )
char frFileName[ frFileNameLength ];
if( frExtraFieldLength > 0 )
uchar frExtraField[ frExtraFieldLength ];
// Compressed data
SetBackColor( cNone );
if( frCompressedSize > 0 )
uchar frData[ frCompressedSize ];
} ZIPFILERECORD <read=ReadZIPFILERECORD, write=WriteZIPFILERECORD>;
// Defines an entry in the directory table
typedef struct {
char deSignature[4]; //0x02014b50
ushort deVersionMadeBy;
ushort deVersionToExtract;
ushort deFlags;
COMPTYPE deCompression;
DOSTIME deFileTime;
DOSDATE deFileDate;
uint deCrc <format=hex>;
uint deCompressedSize;
uint deUncompressedSize;
ushort deFileNameLength;
ushort deExtraFieldLength;
ushort deFileCommentLength;
ushort deDiskNumberStart;
ushort deInternalAttributes;
uint deExternalAttributes;
uint deHeaderOffset;
if( deFileNameLength > 0 )
char deFileName[ deFileNameLength ];
if( deExtraFieldLength > 0 )
uchar deExtraField[ deExtraFieldLength ];
if( deFileCommentLength > 0 )
uchar deFileComment[ deFileCommentLength ];
} ZIPDIRENTRY <read=ReadZIPDIRENTRY>;
// Defines the digital signature
typedef struct {
char dsSignature[4]; //0x05054b50
ushort dsDataLength;
if( dsDataLength > 0 )
uchar dsData[ dsDataLength ];
} ZIPDIGITALSIG;
// Defintes the Data descriptor
typedef struct {
char ddSignature[4]; //0x08074b50
uint ddCRC <format=hex>;
uint ddCompressedSize;
uint ddUncompressedSize;
} ZIPDATADESCR;
// Defines the end of central directory locator
typedef struct {
char elSignature[4]; //0x06054b50
ushort elDiskNumber;
ushort elStartDiskNumber;
ushort elEntriesOnDisk;
ushort elEntriesInDirectory;
uint elDirectorySize;
uint elDirectoryOffset;
ushort elCommentLength;
if( elCommentLength > 0 )
char elComment[ elCommentLength ];
} ZIPENDLOCATOR;
//--------------------------------------------
// Custom read functions that allows the name of the
// of the file to appear in the Template Results.
string ReadZIPFILERECORD( ZIPFILERECORD &file )
{
if( exists( file.frFileName ) )
return file.frFileName;
else
return "";
}
string ReadZIPDIRENTRY( ZIPDIRENTRY &entry )
{
if( exists( entry.deFileName ) )
return entry.deFileName;
else
return "";
}
// Custom write function that allows changing
// the name of the file - note that the file
// name size cannot be increased
void WriteZIPFILERECORD( ZIPFILERECORD &file, string s )
{
local int len = Strlen( s );
if( exists( file.frFileName ) )
{
Strncpy( file.frFileName, s, file.frFileNameLength );
if( len < file.frFileNameLength )
file.frFileName[len] = 0; //null terminate
}
}
//--------------------------------------------
// Define the file
local uint tag;
LittleEndian();
while( !FEof() )
{
// Read a tag
tag = ReadUInt( FTell() );
// Read data depending upon tag - should start with 'PK'.
// Note that when duplicate variables are defined, they
// are made into an array (see 'Using Templates and Structs'
// in the help file).
if( tag == 0x04034b50 )
{
SetBackColor( cLtGray );
ZIPFILERECORD record;
}
else if( tag == 0x08074b50 )
{
SetBackColor( cLtGreen );
ZIPDATADESCR dataDescr;
}
else if( tag == 0x02014b50 )
{
SetBackColor( cLtPurple );
ZIPDIRENTRY dirEntry;
}
else if( tag == 0x05054b50 )
{
SetBackColor( cLtBlue );
ZIPDIGITALSIG digitalSig;
}
else if( tag == 0x06054b50 )
{
SetBackColor( cLtYellow );
ZIPENDLOCATOR endLocator;
}
else
{
Warning( "Unknown ZIP tag encountered. Template stopped." );
return -1;
}
}

667
cparser/ZIPTemplateAdv.bt Normal file
View File

@ -0,0 +1,667 @@
//-----------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ZIPTemplateAdv.bt
// Author: SweetScape Software
// Revision: 2.4
// Purpose: Defines a template for
// parsing ZIP files. Handles more
// complex ZIP data such as ZIP64
// that the base ZIPTemplate.bt cannot
// read. These changes may be merged into
// the main ZIPTemplate.bt file.
//
// Changes:
// 2.1 (SweetScape):
// - Added write function for ZIPFILERECORD structure.
// 2.2 (S.Gibson, KPMG LLP):
// - Fix for entry comment field
// - Fix for parsing data descriptors
// 2.3 (DCeres):
// - Added write function for VERECORD structure.
// - Added write function for ZIP64ENDLOCATORRECORD structure.
// - Added write function for ZIP64ENDLOCATOR structure.
// - Added write function for EXTRAFIELD structure.
// 2.4 (George Woods):
// - Handle zero compressed size in header with ZIPDATADESCR header
// after compressed data.
//-----------------------------------
// Define structures used in ZIP files
typedef enum <uint> {
S_ZIPFILERECORD = 0x04034b50,
S_ZIPDATADESCR = 0x08074b50,
S_ZIPDIRENTRY = 0x02014b50,
S_ZIPDIGITALSIG = 0x05054b50,
S_ZIP64ENDLOCATORRECORD = 0x06064b50,
S_ZIP64ENDLOCATOR = 0x07064b50,
S_ZIPENDLOCATOR = 0x06054b50
} SignatureTYPE <format=hex>;
typedef enum <byte> {
OS_FAT = 0,
OS_AMIGA = 1,
OS_VMS = 2, // VAX/VMS
OS_Unix = 3,
OS_VM_CMS = 4,
OS_Atari = 5, // what if it's a minix filesystem? [cjh]
OS_HPFS = 6, // filesystem used by OS/2 (and NT 3.x)
OS_Mac = 7,
OS_Z_System = 8,
OS_CPM = 9,
OS_TOPS20 = 10, // pkzip 2.50 NTFS
OS_NTFS = 11, // filesystem used by Windows NT
OS_QDOS = 12, // SMS/QDOS
OS_Acorn = 13, // Archimedes Acorn RISC OS
OS_VFAT = 14, // filesystem used by Windows 95, NT
OS_MVS = 15,
OS_BeOS = 16, // hybrid POSIX/database filesystem
OS_Tandem = 17,
OS_OS400 = 18,
OS_OSX = 19
} HOSTOSTYPE;
typedef byte VERSIONTYPE <read=read_VERSIONTYPE>;
string read_VERSIONTYPE (local VERSIONTYPE &af) {
local string s = "";
SPrintf (s, "%1.1f", (float)af / 10);
return s;
}
typedef struct{
VERSIONTYPE Version;
HOSTOSTYPE HostOS;
} VERECORD <read=read_VERECORD>;
string read_VERECORD (local VERECORD &af) {
local string s = "";
SPrintf (s, "Ver %1.1f, ", (float)af.Version / 10);
s += EnumToString( af.HostOS);
return s;
}
//enum used for compression format
typedef enum <short> {
COMP_STORED = 0,
COMP_SHRUNK = 1,
COMP_REDUCED1 = 2,
COMP_REDUCED2 = 3,
COMP_REDUCED3 = 4,
COMP_REDUCED4 = 5,
COMP_IMPLODED = 6,
COMP_TOKEN = 7,
COMP_DEFLATE = 8, // Deflate - standard ZIP codec, used from the start, also found in regular ZIP files
COMP_DEFLATE64 = 9,
COMP_PKImploding = 10,
COMP_BZip2 = 12, // BZIP2 - Newer than deflate, with better compression and slightly slower speed.
COMP_LZMA = 14, // LZMA - advanced ZIPX codec, taken from open source 7-zip format
COMP_Terse = 18,
COMP_Lz77 = 19,
COMP_Jpeg = 0x60, // Jpeg - Codec added by WinZip for specific support of jpeg images ( http://www.winzip.com/wz_jpg_comp.pdf )
COMP_WavPack = 0x61, // WavPack - Codec for compressing specifically wav files. ( http://www.wavpack.com )
COMP_PPMd = 0x62, // PPMd - context modeling based codec, also featured in new ZIP standard. We use it in our Optimized method for text file compression. ( http://www.compression.ru/ds/ )
COMP_WzAES = 0x63 // WZAES encryption methods
} COMPTYPE;
typedef enum <ushort>{
FLAG_Encrypted = 0x0001, //Bit 0: If set, indicates that the file is encrypted.
FLAG_CompressionFlagBit1 = 0x0002,
FLAG_CompressionFlagBit2 = 0x0004,
FLAG_DescriptorUsedMask = 0x0008,
FLAG_Reserved1 = 0x0010,
FLAG_Reserved2 = 0x0020,
FLAG_StrongEncrypted = 0x0040, //Bit 6: Strong encryption
FLAG_CurrentlyUnused1 = 0x0080,
FLAG_CurrentlyUnused2 = 0x0100,
FLAG_CurrentlyUnused3 = 0x0200,
FLAG_CurrentlyUnused4 = 0x0400,
FLAG_Utf8 = 0x0800, // Bit 11: filename and comment encoded using UTF-8
FLAG_ReservedPKWARE1 = 0x1000,
FLAG_CDEncrypted = 0x2000, // Bit 13: Used when encrypting the Central Directory to indicate selected data values in the Local Header are masked to hide their actual values.
FLAG_ReservedPKWARE2 = 0x4000,
FLAG_ReservedPKWARE3 = 0x8000,
} FLAGTYPE <read=read_FLAGTYPE>;
string read_FLAGTYPE (local FLAGTYPE &af) {
local string s = "";
local int commaNeeded = 0;
local FLAGTYPE i = 1;
SPrintf (s, "%d: ", af);
while (i < FLAG_ReservedPKWARE3)
{
if (af & i)
{
if (commaNeeded)
{ s += ", "; }
s += EnumToString(i);
commaNeeded = 1;
}
i = i << 1;
}
return s;
}
typedef enum <ushort>{
EH_Zip64 = 0x0001, //Zip64 extended information extra field
EH_AVInfo = 0x0007, //AV Info
EH_ExtLanguage = 0x0008, //Reserved for extended language encoding data (PFS)
EH_OS2 = 0x0009, //OS/2
EH_NTFS = 0x000a, //NTFS
EH_OpenVMS = 0x000c, //OpenVMS
EH_UNIX = 0x000d, //UNIX
EH_fileStream = 0x000e, //Reserved for file stream and fork descriptors
EH_PatchDescriptor = 0x000f, //Patch Descriptor
EH_PKCS7X509 = 0x0014, //PKCS#7 Store for X.509 Certificates
EH_X509IDSignature = 0x0015, //X.509 Certificate ID and Signature for individual file
EH_X509IDCD = 0x0016, //X.509 Certificate ID for Central Directory
EH_StrongEncryption = 0x0017, //Strong Encryption Header
EH_RecordManagement = 0x0018, //Record Management Controls
EH_PKCS7List = 0x0019, //PKCS#7 Encryption Recipient Certificate List
EH_Attributes = 0x0065, //IBM S/390 (Z390), AS/400 (I400) attributes uncompressed
EH_ReservedAttributes = 0x0066, //Reserved for IBM S/390 (Z390), AS/400 (I400) attributes - compressed
EH_POSZIP4690 = 0x4690, //POSZIP 4690 (reserved)
EH_Mac = 0x07c8, //Macintosh
EH_ZipItMac1 = 0x2605, //ZipIt Macintosh
EH_ZipItMac2 = 0x2705, //ZipIt Macintosh 1.3.5+
EH_ZipItMac3 = 0x2805, //ZipIt Macintosh 1.3.5+
EH_InfoZIPMac = 0x334d, //Info-ZIP Macintosh
EH_Acorn = 0x4341, //Acorn/SparkFS
EH_WinNTSecurity = 0x4453, //Windows NT security descriptor (binary ACL)
EH_VM_CMS = 0x4704, //VM/CMS
EH_MVS = 0x470f, //MVS
EH_FWKCS = 0x4b46, //FWKCS MD5 (see below)
EH_OS2AccessList = 0x4c41, //OS/2 access control list (text ACL)
EH_InfoZIPOpenVMS = 0x4d49, //Info-ZIP OpenVMS
EH_Xceed = 0x4f4c, //Xceed original location extra field
EH_AOSVS = 0x5356, //AOS/VS (ACL)
EH_extTimestamp = 0x5455, //extended timestamp
EH_XceedUnicode = 0x554e, //Xceed unicode extra field
EH_InfoZIPUNIX = 0x5855, //Info-ZIP UNIX (original, also OS/2, NT, etc)
EH_InfoZIPUnicodeComment = 0x6375, //Info-ZIP Unicode Comment Extra Field
EH_BeOS = 0x6542, //BeOS/BeBox
EH_InfoZIPUnicodePath = 0x7075, //Info-ZIP Unicode Path Extra Field
EH_ASiUNIX = 0x756e, //ASi UNIX
EH_InfoZIPUNIXNew = 0x7855, //Info-ZIP UNIX (16-bit UID/GID info)
EH_InfoZIPUNIXNew3rd = 0x7875, //Info-ZIP UNIX 3rd generation (generic UID/GID, ...)
EH_WinGrowth = 0xa220, //Microsoft Open Packaging Growth Hint
EH_SMSQDOS = 0xfd4a, //SMS/QDOS
EH_WzAES = 0x9901, //
} HEADERFLAG;
typedef enum <ushort>{
AlgID_DES = 0x6601, //- DES
AlgID_RC2OLD = 0x6602, //- RC2 (version needed to extract < 5.2)
AlgID_3DES168 = 0x6603, //- 3DES 168
AlgID_3DES112 = 0x6609, //- 3DES 112
AlgID_AES128 = 0x660E, //- AES 128
AlgID_AES192 = 0x660F, //- AES 192
AlgID_AES256 = 0x6610, //- AES 256
AlgID_RC2 = 0x6702, //- RC2 (version needed to extract >= 5.2)
AlgID_Blowfish = 0x6720, //- Blowfish
AlgID_Twofish = 0x6721, //- Twofish
AlgID_RC4 = 0x6801, //- RC4
AlgID_Unknown = 0xFFFF, //- Unknown algorithm
} ALGFLAG;
typedef enum <byte>{
AES128 = 0x01, //128-bit encryption key
AES192 = 0x02, //192-bit encryption key
AES256 = 0x03, //256-bit encryption key
} AESMODE;
typedef enum <ushort>{
pfPassword = 0x0001, //- Password is required to decrypt
pfCertificates = 0x0002, //- Certificates only
pfPasswordCertificates = 0x0003, //- Password or certificate required to decrypt
} PRCFLAG;
typedef struct {
HEADERFLAG efHeaderID;
ushort efDataSize;
Printf("%d", efHeaderID);
switch (efHeaderID)
{
case EH_Zip64:
uint64 efOriginalSize;
uint64 efCompressedSize;
//uint64 efHeaderOffset;
//uint efDiskNumberStart;
break;
case EH_InfoZIPUnicodePath:
byte efVersion;
uint efNameCRC32;
if(efDataSize > 0 )
char efUnicodeName[efDataSize - 5];
break;
case EH_NTFS:
int Reserved; //4 bytes Reserved for future use
local int len = efDataSize - 4;
while (len > 0)
{
ushort Tag; //2 bytes NTFS attribute tag value #1
ushort Size; //2 bytes Size of attribute #1, in bytes
if (Tag == 0x001)
{
FILETIME Mtime; //8 bytes File last modification time
FILETIME Atime; //8 bytes File last access time
FILETIME Ctime; //8 bytes File creation time
}
else
byte Data[Size]; //(var.) Size1 Attribute #1 data
len -= Size + 4;
}
break;
case EH_StrongEncryption:
ushort Format; //2 bytes Format definition for this record
ALGFLAG AlgID; //2 bytes Encryption algorithm identifier
ushort Bitlen; //2 bytes Bit length of encryption key
PRCFLAG Flags; //2 bytes Processing flags
if (efDataSize > 8)
byte CertData[efDataSize - 8]; //TSize-8 Certificate decryption extra field data
break;
case EH_WzAES:
ushort version; //2 bytes Integer version number specific to the zip vendor
char VendorID[2]; //2 bytes 2-character vendor ID
AESMODE Strength; //1 bytes Integer mode value indicating AES encryption strength
COMPTYPE deCompression; //2 bytes The actual compression method used to compress the file
break;
default:
if(efDataSize > 0 )
char efData[ efDataSize ];
break;
}
} EXTRAFIELD <read=read_EXTRAFIELD>;
string read_EXTRAFIELD (local EXTRAFIELD &af)
{
return EnumToString(af.efHeaderID);
}
typedef struct {
HEADERFLAG efHeaderID;
uint efDataSize;
Printf("%d", efHeaderID);
switch (efHeaderID)
{
case EH_Zip64:
uint64 efOriginalSize;
uint64 efCompressedSize;
//uint64 efHeaderOffset;
//uint efDiskNumberStart;
break;
case EH_InfoZIPUnicodePath:
byte efVersion;
uint efNameCRC32;
if(efDataSize > 0 )
char efUnicodeName[efDataSize - 5];
break;
default:
if(efDataSize > 0 )
char efData[ efDataSize ];
break;
}
} EXTRA64FIELD;
typedef enum <uint>{
FA_READONLY = 0x00000001,
FA_HIDDEN = 0x00000002,
FA_SYSTEM = 0x00000004,
FA_DIRECTORY = 0x00000010,
FA_ARCHIVE = 0x00000020,
FA_DEVICE = 0x00000040,
FA_NORMAL = 0x00000080,
FA_TEMPORARY = 0x00000100,
FA_SPARSE_FILE = 0x00000200,
FA_REPARSE_POINT = 0x00000400,
FA_COMPRESSED = 0x00000800,
FA_OFFLINE = 0x00001000,
FA_NOT_CONTENT_INDEXED = 0x00002000,
FA_ENCRYPTED = 0x00004000,
FA_VIRTUAL = 0x00010000,
kIFMT = 0170000 << 16, /* Unix file type mask */
kIFDIR = 0040000 << 16, /* Unix directory */
kIFREG = 0100000 << 16, /* Unix regular file */
kIFSOCK = 0140000 << 16, /* Unix socket (BSD, not SysV or Amiga) */
kIFLNK = 0120000 << 16, /* Unix symbolic link (not SysV, Amiga) */
kIFBLK = 0060000 << 16, /* Unix block special (not Amiga) */
kIFCHR = 0020000 << 16, /* Unix character special (not Amiga) */
kIFIFO = 0010000 << 16, /* Unix fifo (BCC, not MSC or Amiga) */
kISUID = 04000 << 16, /* Unix set user id on execution */
kISGID = 02000 << 16, /* Unix set group id on execution */
kISVTX = 01000 << 16, /* Unix directory permissions control */
kIRWXU = 00700 << 16, /* Unix read, write, execute: owner */
kIRUSR = 00400 << 16, /* Unix read permission: owner */
kIWUSR = 00200 << 16, /* Unix write permission: owner */
kIXUSR = 00100 << 16, /* Unix execute permission: owner */
kIRWXG = 00070 << 16, /* Unix read, write, execute: group */
kIRGRP = 00040 << 16, /* Unix read permission: group */
kIWGRP = 00020 << 16, /* Unix write permission: group */
kIXGRP = 00010 << 16, /* Unix execute permission: group */
kIRWXO = 00007 << 16, /* Unix read, write, execute: other */
kIROTH = 00004 << 16, /* Unix read permission: other */
kIWOTH = 00002 << 16, /* Unix write permission: other */
kIXOTH = 00001 << 16 /* Unix execute permission: other */
} FILEATTRIBUTE <read=read_FILEATTRIBUTE>;
string read_FILEATTRIBUTE (local FILEATTRIBUTE &af) {
local string s = "";
local int commaNeeded = 0;
local FILEATTRIBUTE i = 1;
SPrintf (s, "0x%X: ", af);
while (i < 0xFFFFFF - 2)
{
if (af & i)
{
if (commaNeeded)
{
s += ", ";
}
s += EnumToString(i);
commaNeeded = 1;
}
i = i << 1;
}
return s;
}
// Defintes the Data descriptor
typedef struct {
SignatureTYPE ddSignature; //0x08074b50
uint ddCRC <format=hex>;
uint ddCompressedSize;
uint ddUncompressedSize;
} ZIPDATADESCR;
// Defines a file record
typedef struct {
// Header for the file
SignatureTYPE frSignature; //0x04034b50
VERECORD frVersion;
FLAGTYPE frFlags;
COMPTYPE frCompression;
DOSTIME frFileTime;
DOSDATE frFileDate;
uint frCrc <format=hex>;
uint frCompressedSize;
uint frUncompressedSize;
ushort frFileNameLength;
ushort frExtraFieldLength;
if( frFileNameLength > 0 )
char frFileName[ frFileNameLength ];
local int len = frExtraFieldLength;
while (len > 0)
{
EXTRAFIELD frExtraField;
len -= frExtraField.efDataSize + 4;
}
// Compressed data
SetBackColor( cNone );
if ((frFlags & FLAG_Encrypted) && ( frFlags & FLAG_StrongEncrypted))
{
struct
{
ushort IVSize;
byte IVData[IVSize];
uint Size;
ushort Format;
ALGFLAG AlgID;
ushort BitLen;
ushort Flags;
ushort ErdSize;
byte ErdData[ErdSize];
uint Reserved;
ushort VSize;
byte VData[VSize - 4];
uint VCRC32;
} StrongEncryptedHeader;
char frData[ frCompressedSize - StrongEncryptedHeader.IVSize - StrongEncryptedHeader.Size - 6];
}
else if ((frFlags & FLAG_Encrypted) && ( frCompression == COMP_WzAES ))
{
local int lenSalt = 0;
if (frExtraField.efHeaderID == EH_WzAES)
{
switch (frExtraField.Strength)
{
case AES128:
lenSalt = 8;
break;
case AES192:
lenSalt = 12;
break;
case AES256:
lenSalt = 16;
break;
}
}
uchar SaltValue[lenSalt];
ushort PassVerification;
uchar frData[ frCompressedSize - 12 - lenSalt];
uchar AuthenticationCode[ 10];
}
else if( (frCompressedSize > 0) && (frCompressedSize < 0xFFFFFFFF))
{
uchar frData[ frCompressedSize ];
}
else if (frCompressedSize == 0 && (frFlags & FLAG_DescriptorUsedMask))
{
// If bit 3 (0x08) of the flags field is set, then the CRC-32 and file sizes were not known when the header was written.
// Instead there is an additional header ZIPDATADESCR appended after the compressed data.
// We look for the next signature of the appended header here.
local int64 posCurrent = FTell();
local int64 posNext = FindFirst(S_ZIPDATADESCR,true,false,false,0.0,1,posCurrent);
if (posNext >= posCurrent)
{
uchar frData[posNext - posCurrent];
SetBackColor( cLtGreen );
ZIPDATADESCR dataDescr;
}
}
} ZIPFILERECORD <read=ReadZIPFILERECORD, write=WriteZIPFILERECORD>;
// Defines an entry in the directory table
typedef struct {
SignatureTYPE deSignature; //0x02014b50
VERECORD deVersionMadeBy;
VERECORD deVersionToExtract;
FLAGTYPE deFlags;
COMPTYPE deCompression;
DOSTIME deFileTime;
DOSDATE deFileDate;
uint deCrc <format=hex>;
uint deCompressedSize;
uint deUncompressedSize;
ushort deFileNameLength;
ushort deExtraFieldLength;
ushort deFileCommentLength;
ushort deDiskNumberStart;
ushort deInternalAttributes;
FILEATTRIBUTE deExternalAttributes;
uint deHeaderOffset;
if( deFileNameLength > 0 )
char deFileName[ deFileNameLength ];
local int len = deExtraFieldLength;
while (len > 0)
{
EXTRAFIELD deExtraField;
len -= deExtraField.efDataSize + 4;
}
if( deFileCommentLength > 0 )
uchar deFileComment[ deFileCommentLength ];
} ZIPDIRENTRY <read=ReadZIPDIRENTRY>;
// Defines the digital signature
typedef struct {
SignatureTYPE dsSignature; //0x05054b50
ushort dsDataLength;
if( dsDataLength > 0 )
uchar dsData[ dsDataLength ];
} ZIPDIGITALSIG;
// Zip64 end of central directory record
typedef struct {
SignatureTYPE elr64Signature; //0x06064b50
int64 elr64DirectoryRecordSize;
if (elr64DirectoryRecordSize > 1)
VERECORD elr64VersionMadeBy;
if (elr64DirectoryRecordSize > 2)
VERECORD elr64VersionToExtract;
if (elr64DirectoryRecordSize > 4)
uint el64DiskNumber;
if (elr64DirectoryRecordSize > 8)
uint el64StartDiskNumber;
if (elr64DirectoryRecordSize > 12)
int64 el64EntriesOnDisk;
if (elr64DirectoryRecordSize > 20)
int64 el64EntriesInDirectory;
if (elr64DirectoryRecordSize > 28)
int64 el64DirectorySize;
if (elr64DirectoryRecordSize > 36)
int64 el64DirectoryOffset;
if (elr64DirectoryRecordSize > 44)
{
char DataSect [elr64DirectoryRecordSize - 44];
// local int len = elr64DirectoryRecordSize - 44;
// while (len > 0)
// {
// EXTRA64FIELD frExtraField;
// len -= frExtraField.efDataSize + 4;
// }
}
} ZIP64ENDLOCATORRECORD;
//Zip64 end of central directory locator
typedef struct {
SignatureTYPE elSignature; //0x07064b50
uint elStartDiskNumber;
int64 elDirectoryOffset;
uint elEntriesInDirectory;
} ZIP64ENDLOCATOR;
// Defines the end of central directory locator
typedef struct {
SignatureTYPE elSignature; //0x06054b50
ushort elDiskNumber;
ushort elStartDiskNumber;
ushort elEntriesOnDisk;
ushort elEntriesInDirectory;
uint elDirectorySize;
uint elDirectoryOffset;
ushort elCommentLength;
if( elCommentLength > 0 )
char elComment[ elCommentLength ];
} ZIPENDLOCATOR;
//--------------------------------------------
// Custom read functions that allows the name of the
// of the file to appear in the Template Results.
string ReadZIPFILERECORD( ZIPFILERECORD &file )
{
if( exists( file.frFileName ) )
return file.frFileName;
else
return "";
}
string ReadZIPDIRENTRY( ZIPDIRENTRY &entry )
{
if( exists( entry.deFileName ) )
return entry.deFileName;
else
return "";
}
// Custom write function that allows changing
// the name of the file - note that the file
// name size cannot be increased
void WriteZIPFILERECORD( ZIPFILERECORD &file, string s )
{
local int len = Strlen( s );
if( exists( file.frFileName ) )
{
Strncpy( file.frFileName, s, file.frFileNameLength );
if( len < file.frFileNameLength )
file.frFileName[len] = 0; //null terminate
}
}
//--------------------------------------------
// Define the file
local uint tag;
LittleEndian();
while( !FEof() )
{
// Read a tag
tag = ReadUInt( FTell() );
// Read data depending upon tag - should start with 'PK'.
// Note that when duplicate variables are defined, they
// are made into an array (see 'Using Templates and Structs'
// in the help file).
if( tag == S_ZIPFILERECORD )
{
SetBackColor( cLtGray );
ZIPFILERECORD record;
if (record.frExtraFieldLength > 0 && record.frExtraField.efHeaderID == EH_Zip64)
{
//Printf("%Lu", record.frExtraField.efCompressedSize);
FSkip(record.frExtraField.efCompressedSize);
}
}
else if( tag == S_ZIPDATADESCR )
{
SetBackColor( cLtGreen );
ZIPDATADESCR dataDescr;
}
else if( tag == S_ZIPDIRENTRY )
{
SetBackColor( cLtPurple );
ZIPDIRENTRY dirEntry;
}
else if( tag == S_ZIPDIGITALSIG )
{
SetBackColor( cLtBlue );
ZIPDIGITALSIG digitalSig;
}
else if( tag == S_ZIP64ENDLOCATORRECORD )
{
SetBackColor( cYellow );
ZIP64ENDLOCATORRECORD end64Locator;
}
else if( tag == S_ZIP64ENDLOCATOR )
{
SetBackColor( cDkYellow );
ZIP64ENDLOCATOR end64Locator;
}
else if( tag == S_ZIPENDLOCATOR )
{
SetBackColor( cLtYellow );
ZIPENDLOCATOR endLocator;
}
else
{
Warning( "Unknown ZIP tag encountered. Template stopped." );
return -1;
}
}

77
cparser/cparser.vcxproj Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="filehelper.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="stringutils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="filehelper.h" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{B0411C78-2F06-49E0-8DE9-5C52A466F5DE}</ProjectGuid>
<RootNamespace>cparser</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

33
cparser/cparser.vcxproj.filters Normal file
View File

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="filehelper.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="stringutils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="filehelper.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

4
cparser/cparser.vcxproj.user Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

71
cparser/dynamicmem.h Normal file
View File

@ -0,0 +1,71 @@
#pragma once
static void* emalloc(size_t size)
{
return malloc(size);
}
static void efree(void* ptr)
{
free(ptr);
}
static void* erealloc(void* ptr, size_t size)
{
return realloc(ptr, size);
}
template<typename T>
class Memory
{
public:
//
// This class guarantees that the returned allocated memory
// will always be zeroed
//
explicit Memory(const char* Reason = "Memory:???")
{
m_Ptr = nullptr;
m_Size = 0;
m_Reason = Reason;
}
explicit Memory(size_t Size, const char* Reason = "Memory:???")
{
m_Ptr = reinterpret_cast<T>(emalloc(Size));
m_Size = Size;
m_Reason = Reason;
memset(m_Ptr, 0, Size);
}
~Memory()
{
if(m_Ptr)
efree(m_Ptr);
}
T realloc(size_t Size, const char* Reason = "Memory:???")
{
m_Ptr = reinterpret_cast<T>(erealloc(m_Ptr, Size));
m_Size = Size;
m_Reason = Reason;
return (T)memset(m_Ptr, 0, m_Size);
}
size_t size()
{
return m_Size;
}
T operator()()
{
return m_Ptr;
}
private:
T m_Ptr;
size_t m_Size;
const char* m_Reason;
};

655
cparser/exFATTemplate.bt Normal file
View File

@ -0,0 +1,655 @@
/* *************************************************************************
*
* Microsoft exFAT file system Parser Template
*
*
* File Name : exfat_spec.bt
* Author : Lu wen jiang
* Created On : Mon Aug 24 13:43:40 2009
* Last Modified By: Lu wen jiang
* Last Modified On: Fri Aug 28 17:59:23 2009
* Update Count : 884
*
* HISTORY
*
* **************************************************************************/
/****************************************************************************
EXFAT FILE SYSTEM VOLUME STRUCTURE LAYOUT
|------------------------+----------------------+---------------------------|
| Sub-region Name | Offset(sector) | Size(Sectors) |
|------------------------+----------------------+---------------------------|
| | [MAIN BOOT REGION] | |
|------------------------+----------------------+---------------------------|
| Main Boot Sector | 0 | 1 |
|------------------------+----------------------+---------------------------|
| Main Extended Boot | 1 | 8 |
| Sectors | | |
|------------------------+----------------------+---------------------------|
| Main OEM Parameters | 9 | 1 |
|------------------------+----------------------+---------------------------|
| Main Reserved | 10 | 1 |
|------------------------+----------------------+---------------------------|
| Main Boot CheckSum | 11 | 1 |
|------------------------+----------------------+---------------------------|
| | [BACKUP BOOT REGION] | |
|------------------------+----------------------+---------------------------|
| Backup Boot Sector | 12 | 1 |
|------------------------+----------------------+---------------------------|
| Backup Extended Boot | 13 | 8 |
| Sectors | | |
|------------------------+----------------------+---------------------------|
| Backup OEM Parameters | 21 | 1 |
|------------------------+----------------------+---------------------------|
| Backup Reserved | 22 | 1 |
|------------------------+----------------------+---------------------------|
| Backup Boot CheckSum | 23 | 1 |
|------------------------+----------------------+---------------------------|
| | [FAT REGION] | |
|------------------------+----------------------+---------------------------|
| FAT Alignment | 24 | x |
|------------------------+----------------------+---------------------------|
| First FAT | FatOffset | FatLength |
|------------------------+----------------------+---------------------------|
| Second FAT | FATOffset+FATLength | Fatlength* |
| | | (NumberOfFats-1) |
|------------------------+----------------------+---------------------------|
| | [DATA REGION] | |
|------------------------+----------------------+---------------------------|
| Cluster Heap Alignment | (FAT End Sector) | x |
|------------------------+----------------------+---------------------------|
| Cluster Heap | ClusterHeapOffset | ClusterCount* |
| | | 2^SectorsPerClusterShift |
|------------------------+----------------------+---------------------------|
| Excess Space | (Cluster End Sector) | VolumLength- |
| | | (Cluster Heap End Sector) |
|------------------------+----------------------+---------------------------|
*****************************************************************************/
LittleEndian();
FSeek(0);
typedef char S08;
typedef unsigned char U08;
typedef unsigned short U16;
typedef unsigned int U32;
typedef uint64 U64;
struct tagTempVariable
{
local U08 flags[2];
local U32 cluster_max = 512;
local U32 cluster_array[cluster_max];
local U32 cluster_count = 0;
local U32 cluster_iter = 0;
local U32 bitmap_cluster = 2;
}exfat_temp_variable <read=TotalSizeRead>;
local U64 ______EXFAT_BOOT_SECTOR_REGION;
string TotalSizeRead(struct tagTempVariable& v)
{
string s;
SPrintf(s, "Disk Bytes: %Lu(%Lxh)", FileSize(), FileSize());
return s;
}
typedef U08 exFatVersion[2] <read=VersionRead>;
string VersionRead(exFatVersion v )
{
string s;
SPrintf(s, "exFAT Revision: %01d.%02d", v[1], v[0]);
return s;
}
string ShiftRead(U08 v)
{
string s;
SPrintf(s, "%d(%d)", v, (1<<v));
return s;
}
U08 IsValidBootSector(U08 aucJumpBoot[3],
S08 aucFileSystemName[8])
{
if (aucJumpBoot[0]==0xEB
&& aucJumpBoot[1]==0x76
&& aucJumpBoot[2]==0x90
&& aucFileSystemName[0]=='E'
&& aucFileSystemName[1]=='X'
&& aucFileSystemName[2]=='F'
&& aucFileSystemName[3]=='A'
&& aucFileSystemName[4]=='T')
{
return 1;
}
return 0;
}
typedef struct
{
U08 aucJumpBoot[3] <format=hex>;
S08 aucFileSystemName[8];
U08 aucMustBeZero[53];
U64 ulPartitionOffset;
U64 ulVolumeLength;
U32 uiFatOffset;
U32 uiFatLength;
U32 uiClusterHeapOffset;
U32 uiClusterCount;
U32 uiFirstClusterOfRootDirectory;
U32 uiVolumeSerialNumber <format=hex>;
exFatVersion usFileSystemRevision;
U16 usVolumeFlags_ActiveFat:1;
U16 usVolumeFlags_VolumeDirty:1;
U16 usVolumeFlags_MediaFailure:1;
U16 usVolumeFlags_ClearToZero:1;
U16 usVolumeFlags_Reserved:12;
U08 ucBytesPerSectorShift <read=ShiftRead>;
U08 ucSectorsPerClusterShift <read=ShiftRead>;
U08 ucNumberOfFats;
U08 ucDriveSelect <format=hex>;
U08 ucPercentInUse;
U08 aucReserved[7];
U08 aucBootCode[390];
U16 usBootSignature <format=hex>;
if (IsValidBootSector(aucJumpBoot,aucFileSystemName)==1
&& (1<<ucBytesPerSectorShift)-512)
{
U08 aucExcessSpace[(1<<ucBytesPerSectorShift)-512];
}
} BootSector_S <read=BootSectorRead>;
BootSector_S BootSector ;
string BootSectorRead(BootSector_S& v)
{
string s;
if (IsValidBootSector(v.aucJumpBoot,v.aucFileSystemName)==1)
{
SPrintf(s, "Valid exFAT Volume");
}
else
{
SPrintf(s, "Invalid exFAT Volume, %s?", v.aucFileSystemName);
}
return s;
}
if (IsValidBootSector(BootSector.aucJumpBoot,BootSector.aucFileSystemName)==0)
{
return 0;
}
local U64 ______EXFAT_VOLUME_LAYOUT_REGION;
FSeek(0);
typedef struct
{
BootSector_S BootSector;
struct
{
U08 aucExendedBootCode[(1<<BootSector.ucBytesPerSectorShift)-4];
U32 uiExtendedBootSignature <format=hex>;
}ExtendedBootSector[8];
struct
{
struct
{
U08 aucParametersGuid[16];
U08 aucCustomDefined[32];
}stParameters[10];
U08 aucReserved[(1<<BootSector.ucBytesPerSectorShift)-480];
}OEMParametersSector;
struct
{
U08 aucReserved[(1<<BootSector.ucBytesPerSectorShift)];
}ReservedSector;
struct
{
U32 aucReserved[(1<<BootSector.ucBytesPerSectorShift)/4] <format=hex>;
}BootChecksumSector;
}Boot_Region_S <read=BootRegionRead>;
string BootRegionRead(Boot_Region_S& boot)
{
string s;
SPrintf(s, "Volume Bytes: %Lu(%Lxh)",
boot.BootSector.ulVolumeLength<<boot.BootSector.ucBytesPerSectorShift,
boot.BootSector.ulVolumeLength<<boot.BootSector.ucBytesPerSectorShift);
return s;
}
Boot_Region_S Main_Boot_Region;
Boot_Region_S Backup_Boot_Region;
typedef struct
{
if (Main_Boot_Region.BootSector.uiFatOffset-24)
{
struct
{
U08 aucReserved[(1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift)];
}FatAlignmentSector[Main_Boot_Region.BootSector.uiFatOffset-24];
}
struct
{
U32 uiFatEntry[Main_Boot_Region.BootSector.uiClusterCount+2] <format=hex>;
U32 uiExcessEntry[Main_Boot_Region.BootSector.uiFatLength*
(1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift)/4
-(Main_Boot_Region.BootSector.uiClusterCount+2)] <format=hex>;
}FirstFAT;
if (Main_Boot_Region.BootSector.ucNumberOfFats > 1)
{
struct
{
U32 uiFatEntry[Main_Boot_Region.BootSector.uiClusterCount+2] <format=hex>;
U32 uiExcessEntry[Main_Boot_Region.BootSector.uiFatLength*
(1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift)/4
-(Main_Boot_Region.BootSector.uiClusterCount+2)] <format=hex>;
}SecondFAT;
}
}Fat_Region_S <read=FatRegionRead>;
string FatRegionRead(Fat_Region_S& v)
{
string s;
SPrintf(s, "FATs: %d, EntryTotalPerFAT: %d", Main_Boot_Region.BootSector.ucNumberOfFats,
Main_Boot_Region.BootSector.uiClusterCount+2);
return s;
}
Fat_Region_S Fat_Region;
typedef struct
{
local U32 uiClusterNo = 2;
struct
{
U08 aucData[1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift];
}DataSector[1<<Main_Boot_Region.BootSector.ucSectorsPerClusterShift];
}Cluster_S <read=ClusterRead>;
string ClusterRead(Cluster_S& v)
{
string s;
SPrintf(s, "ClusterNo: %d", v.uiClusterNo);
return s;
}
struct tagDataRegion
{
if (Main_Boot_Region.BootSector.uiClusterHeapOffset -
(Main_Boot_Region.BootSector.uiFatOffset +
Main_Boot_Region.BootSector.ucNumberOfFats *
Main_Boot_Region.BootSector.uiFatLength))
{
struct
{
U08 aucReserved[(1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift)];
}ClusterHeapAlignmentSector[Main_Boot_Region.BootSector.uiClusterHeapOffset -
(Main_Boot_Region.BootSector.uiFatOffset +
Main_Boot_Region.BootSector.ucNumberOfFats *
Main_Boot_Region.BootSector.uiFatLength)];
}
local U64 data_cluster_total = (FileSize()-FTell())>>
Main_Boot_Region.BootSector.ucBytesPerSectorShift>>
Main_Boot_Region.BootSector.ucSectorsPerClusterShift;
if (data_cluster_total > Main_Boot_Region.BootSector.uiClusterCount)
{
data_cluster_total = Main_Boot_Region.BootSector.uiClusterCount;
}
local U32 curr_cluster_no = 0;
for (exfat_temp_variable.cluster_iter = 0;
exfat_temp_variable.cluster_iter < data_cluster_total;
exfat_temp_variable.cluster_iter++)
{
Cluster_S ClusterHeap;
ClusterHeap.uiClusterNo += curr_cluster_no;
curr_cluster_no++;
}
}Data_Region <read=DataRegionRead>;
string DataRegionRead(struct tagDataRegion& v)
{
string s;
SPrintf(s, "Cluster Total(%s): %d(%d)",
(v.data_cluster_total==Main_Boot_Region.BootSector.uiClusterCount)?"FINE":"FAIL",
Main_Boot_Region.BootSector.uiClusterCount,v.data_cluster_total);
return s;
}
if (Main_Boot_Region.BootSector.ulVolumeLength -
Main_Boot_Region.BootSector.uiClusterHeapOffset -
(Main_Boot_Region.BootSector.uiClusterCount<<
Main_Boot_Region.BootSector.ucSectorsPerClusterShift))
{
struct
{
struct
{
U08 aucReserved[(1<<Main_Boot_Region.BootSector.ucBytesPerSectorShift)];
}ReservedSector;
}ExcessSpace[Main_Boot_Region.BootSector.ulVolumeLength -
Main_Boot_Region.BootSector.uiClusterHeapOffset -
(Main_Boot_Region.BootSector.uiClusterCount<<
Main_Boot_Region.BootSector.ucSectorsPerClusterShift)];
}
///////////////////////////////////////////////////////////////////////
local int ______EXFAT_ALLOCATION_BITMAP_REGION;
FSeek((((exfat_temp_variable.bitmap_cluster-2)<<
Main_Boot_Region.BootSector.ucSectorsPerClusterShift) +
Main_Boot_Region.BootSector.uiClusterHeapOffset)<<
Main_Boot_Region.BootSector.ucBytesPerSectorShift);
typedef struct
{
local U32 byte_count;
U08 bitmap;
}Bitmap_S <read=BitmapRead>;
string BitmapRead(Bitmap_S& stBitmapByte)
{
string s;
SPrintf(s, "%08d: %d%d%d%d%d%d%d%d", stBitmapByte.byte_count+2,
(stBitmapByte.bitmap>>0)&0x1,
(stBitmapByte.bitmap>>1)&0x1,
(stBitmapByte.bitmap>>2)&0x1,
(stBitmapByte.bitmap>>3)&0x1,
(stBitmapByte.bitmap>>4)&0x1,
(stBitmapByte.bitmap>>5)&0x1,
(stBitmapByte.bitmap>>6)&0x1,
(stBitmapByte.bitmap>>7)&0x1);
return s;
}
struct tagBitmapRegion
{
local U32 bitmap_length = Main_Boot_Region.BootSector.uiClusterCount;
for (exfat_temp_variable.cluster_iter = 0;
exfat_temp_variable.cluster_iter < (bitmap_length+7)/8;
exfat_temp_variable.cluster_iter++)
{
Bitmap_S Bitmap;
Bitmap.byte_count = exfat_temp_variable.cluster_iter<<3;
}
}BITMAP_REGION <read=AllocationBitmapRegionRead>;
string AllocationBitmapRegionRead(struct tagBitmapRegion& stBitmapRegion)
{
string s;
SPrintf(s, "Bits: %d(Bytes: %d)", stBitmapRegion.bitmap_length,
(stBitmapRegion.bitmap_length+7)/8);
return s;
}
///////////////////////////////////////////////////////////////////////
local int ______EXFAT_DIRECTORY_REGION;
typedef struct
{
local U08 uc10msIncrement = 0;
U16 bDoubleSeconds:5;
U16 bMinute:6;
U16 bHour:5;
U16 bDay:5;
U16 bMonth:4;
U16 bYear:7;
}FileTime_S <read=FileTimeRead>;
string FileTimeRead(FileTime_S& v)
{
string s;
SPrintf(s, "%04d/%02d/%02d %02d:%02d:%02d.%02d", v.bYear+1980,
v.bMonth,v.bDay,v.bHour,v.bMinute,
v.bDoubleSeconds*2 + v.uc10msIncrement/100,
(v.uc10msIncrement%100));
return s;
}
typedef U08 FileName_S[30] <read=FileNameRead>;
typedef U08 VolumeLabel_S[22] <read=VolumeLabelRead>;
typedef struct
{
struct
{
U08 bTypeCode:5;
U08 bTypeImportance:1;
U08 bTypeCategory:1;
U08 bInUse:1;
}stEntryType;
if (stEntryType.bTypeCategory==0 && stEntryType.bTypeImportance==0)
{
switch (stEntryType.bTypeCode)
{
case 1: // Allocation Bitmap
U08 bBitmapIdentifier:1;
U08 bReserved:7;
U08 aucCustomDefined[18];
U32 uiFirstCluster;
U64 ulDataLength;
break;
case 2: // Up-case Table
U08 aucReserved1[3];
U32 uiTableChecksum <format=hex>;
U08 aucReserved2[12];
U32 uiFirstCluster;
U64 ulDataLength;
break;
case 3: // Volume Label
U08 ucCharacterCount;
VolumeLabel_S stVolumeLabel;
U08 aucReserved[8];
break;
case 5: // File or Directory
U08 ucSecondaryCount;
U16 usSetCheckSum <format=hex>;
U16 bAttrReadOnly:1;
U16 bAttrHidden:1;
U16 bAttrSystem:1;
U16 bAttrReserved1:1;
U16 bAttrDirectory:1;
U16 bAttrArchive:1;
U16 bAttrReserved2:10;
U08 ausReserved1[2];
FileTime_S stCreat;
FileTime_S stLastModified;
FileTime_S stLastAccessed;
U08 ucCreate10msIncrement; /* per 10ms */
U08 ucModified10msIncrement; /* per 10ms */
U08 ucLastAcc10msdIncrement; /* per 10ms */
U08 ausReserved2[9];
stCreat.uc10msIncrement = ucCreate10msIncrement;
stLastModified.uc10msIncrement = ucModified10msIncrement;
stLastAccessed.uc10msIncrement = ucLastAcc10msdIncrement;
if (bAttrDirectory == 1
&& stEntryType.bInUse == 1
&& exfat_temp_variable.cluster_count < exfat_temp_variable.cluster_max)
{
exfat_temp_variable.cluster_array[exfat_temp_variable.cluster_count]=1;
}
break;
default:
U08 ucSecondaryCount;
U16 usSetCheckSum <format=hex>;
U16 bAllocationPossible:1;
U16 bNoFatChain:1;
U16 bCustomDefined:14;
U08 aucCustomDefined[14];
U32 uiFirstCluster;
U64 ulDataLength;
break;
}
}
else if (stEntryType.bTypeCategory==0 && stEntryType.bTypeImportance==1)
{
switch (stEntryType.bTypeCode)
{
case 0: //Volume GUID
U08 ucSecondaryCount;
U16 usSetCheckSum;
U16 bAllocationPossible:1;
U16 bNoFatChain:1;
U16 bCustomDefined:14;
U08 aucVolumeGuid[16];
U08 aucReserved[10];
break;
case 1: // TexFAT Padding
U08 aucCustomDefined[31];break;
case 2: // WinCE ACL Table
U08 aucCustomDefined[31];break;
default: // Unknow
U08 aucCustomDefined[31];break;
}
}
else if (stEntryType.bTypeCategory==1 && stEntryType.bTypeImportance==0)
{
switch (stEntryType.bTypeCode)
{
case 0: // Stream Extension
U08 bAllocationPossible:1;
U08 bNoFatChain:1;
U08 bCustomDefined:6;
U08 ucReserved1;
U08 ucNameLength;
U16 usNameHash <format=hex>;
U08 aucReserved2[2];
U64 ulValidDataLength;
U08 aucReserved3[4];
U32 uiFirstCluster;
U64 ulDataLength;
if (stEntryType.bInUse == 1
&& exfat_temp_variable.cluster_count < exfat_temp_variable.cluster_max
&& exfat_temp_variable.cluster_array[exfat_temp_variable.cluster_count]==1)
{
exfat_temp_variable.cluster_array[exfat_temp_variable.cluster_count] = uiFirstCluster;
exfat_temp_variable.cluster_count++;
}
break;
case 1: // File Name
U08 bAllocationPossible:1;
U08 bNoFatChain:1;
U08 bCustomDefined:6;
FileName_S stFileNmae;
break;
default:
U08 bAllocationPossible:1;
U08 bNoFatChain:1;
U08 bCustomDefined:6;
U08 aucCustomDefined[18];
U32 uiFirstCluster;
U64 ulDataLength;
break;
}
}
else
{
U08 aucCustomDefined[31];
}
}DirectoryEntry_S <read=DirectoryRead>;
string FileNameRead(FileName_S astFileName)
{
char s[16];
U08 i;
for (i = 0; i < 15; i++)
{
s[i] = astFileName[i*2];
}
return s;
}
string VolumeLabelRead(VolumeLabel_S astFileName)
{
char s[12];
U08 i;
for (i = 0; i < 11; i++)
{
s[i] = astFileName[i*2];
}
return s;
}
string DirectoryRead(DirectoryEntry_S& stDirEntry)
{
string s = "Unknow Type";
if (stDirEntry.stEntryType.bTypeCategory==0 && stDirEntry.stEntryType.bTypeImportance==0)
{
switch (stDirEntry.stEntryType.bTypeCode)
{
case 1:SPrintf(s, "[C/P/%s]: Allocation Bitmap",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
case 2:SPrintf(s, "[C/P/%s]: Up-case Table",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
case 3:SPrintf(s, "[C/P/%s]: Valume Label(%s)",
stDirEntry.stEntryType.bInUse==0?"F":"U",
VolumeLabelRead(stDirEntry.stVolumeLabel));break;
case 5:SPrintf(s, "[C/P/%s]: Regular File(%s)",
stDirEntry.stEntryType.bInUse==0?"F":"U",
stDirEntry.bAttrDirectory==0?"File":"Directroy");break;
default:SPrintf(s, "[C/P/%s]: Unknow",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
}
}
if (stDirEntry.stEntryType.bTypeCategory==0 && stDirEntry.stEntryType.bTypeImportance==1)
{
switch (stDirEntry.stEntryType.bTypeCode)
{
case 0:SPrintf(s, "[B/P/%s]: Volume GUID",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
case 1:SPrintf(s, "[B/P/%s]: TexFAT Padding",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
case 2:SPrintf(s, "[B/P/%s]: WinCE ACL Table",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
default:SPrintf(s, "[B/P/%s]: Unknow",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
}
}
if (stDirEntry.stEntryType.bTypeCategory==1 && stDirEntry.stEntryType.bTypeImportance==0)
{
switch (stDirEntry.stEntryType.bTypeCode)
{
case 0:SPrintf(s, "[C/S/%s]: Stream Extension",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
case 1:SPrintf(s, "[C/S/%s]: File Name(%s)",
stDirEntry.stEntryType.bInUse==0?"F":"U",
FileNameRead(stDirEntry.stFileNmae));break;
default:SPrintf(s, "[C/S/%s]: Unknow",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
}
}
if (stDirEntry.stEntryType.bTypeCategory==1 && stDirEntry.stEntryType.bTypeImportance==1)
{
switch (stDirEntry.stEntryType.bTypeCode)
{
default:SPrintf(s, "[B/S/%s]: Unknow",
stDirEntry.stEntryType.bInUse==0?"F":"U");break;
}
}
return s;
}
exfat_temp_variable.cluster_count = 1;
exfat_temp_variable.cluster_array[0] = Main_Boot_Region.BootSector.uiFirstClusterOfRootDirectory;
for (exfat_temp_variable.cluster_iter = 0;
exfat_temp_variable.cluster_iter < exfat_temp_variable.cluster_count;
exfat_temp_variable.cluster_iter++)
{
FSeek((((exfat_temp_variable.cluster_array[exfat_temp_variable.cluster_iter]-2)<<
Main_Boot_Region.BootSector.ucSectorsPerClusterShift) +
Main_Boot_Region.BootSector.uiClusterHeapOffset)<<
Main_Boot_Region.BootSector.ucBytesPerSectorShift);
struct tagDirCluster
{
local int dir_cluster = exfat_temp_variable.cluster_array[exfat_temp_variable.cluster_iter];
while( !FEof() )
{
ReadBytes(exfat_temp_variable.flags, FTell(), 1);
if (exfat_temp_variable.flags[0] == 0)
{
break;
}
DirectoryEntry_S stEntry;
}
}DirectoryCluster <read=DirectoryClusterRead>;
}
string DirectoryClusterRead(struct tagDirCluster& v)
{
string s;
SPrintf(s, "Directory Cluster No: %d", v.dir_cluster);
return s;
}

47
cparser/filehelper.cpp Normal file
View File

@ -0,0 +1,47 @@
#include "filehelper.h"
#include "handle.h"
#include "dynamicmem.h"
#include "stringutils.h"
bool FileHelper::ReadAllData(const String & fileName, std::vector<unsigned char> & content)
{
Handle hFile = CreateFileW(StringUtils::Utf8ToUtf16(fileName).c_str(), GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
if(hFile == INVALID_HANDLE_VALUE)
return false;
unsigned int filesize = GetFileSize(hFile, 0);
if(!filesize)
{
content.clear();
return true;
}
Memory<char*> filedata(filesize + 1, "FileReader::ReadAllData:filedata");
DWORD read = 0;
if(!ReadFile(hFile, filedata(), filesize, &read, nullptr))
return false;
content = std::vector<unsigned char>(filedata(), filedata() + filesize);
return true;
}
bool FileHelper::WriteAllData(const String & fileName, const void* data, size_t size)
{
Handle hFile = CreateFileW(StringUtils::Utf8ToUtf16(fileName).c_str(), GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS, 0, nullptr);
if(hFile == INVALID_HANDLE_VALUE)
return false;
DWORD written = 0;
return !!WriteFile(hFile, data, DWORD(size), &written, nullptr);
}
bool FileHelper::ReadAllText(const String & fileName, String & content)
{
std::vector<unsigned char> data;
if(!ReadAllData(fileName, data))
return false;
data.push_back(0);
content = String((const char*)data.data());
return true;
}
bool FileHelper::WriteAllText(const String & fileName, const String & content)
{
return WriteAllData(fileName, content.c_str(), content.length());
}

18
cparser/filehelper.h Normal file
View File

@ -0,0 +1,18 @@
#ifndef _FILEREADER_H
#define _FILEREADER_H
#include <string>
#include <vector>
using String = std::string;
class FileHelper
{
public:
static bool ReadAllData(const String & fileName, std::vector<unsigned char> & content);
static bool WriteAllData(const String & fileName, const void* data, size_t size);
static bool ReadAllText(const String & fileName, String & content);
static bool WriteAllText(const String & fileName, const String & content);
};
#endif //_FILEREADER_H

Some files were not shown because too many files have changed in this diff Show More