In C following this article (http://blogs.msdn.com/oldnewthing/archive/2006/12/21/1340571.aspx), we have succesfully been able to grab the file version information out of windows files however there are some files that seem to have a different mechanism for storing the version information that is not addressed in the article and was wondering if anyone had any ideas here.
One example of a file would be system32/oledlg.dll. Going through the file byte by byte we come to a chunk where the version information SHOULD be stored:
F^#i^#l^#e^#V^#e^#r^#s^#i^#o^#n^#^#^#^#^1.0 (x^#p^#s^#p^#.^#0^#8^#0^#4^#1^#3
^#-^#2^#1^#0^#8^#)^#^#^#^#^#.^#^G^#^A^#I^#n^#t^#e^#r^#n^#a^#l^#N^#a^#m^#e
That we can see is 1.0. However, when you look at the file information in windows the version is actually 5.1.2600.5512. The method in the article works for most files but there are a few instances I have come across where I am running into the above problem. Anyone have any experience with this? I only have access to standard C.
Based on the follow up article posted in the comment, does that mean there is no way to grab the actual file version from a file with a corrupted file info block?
I should also add that I am grabbing the files from a windows box, and then examining them on linux with a C program to grab the file info.
IT turns out the wrong peice of info for that file was being used to get the version, didn't actually need the File Version block but the "VS_VERSION_INFO" block.
Related
I want to build file sync software. Is there any way to get exact file changes (or at least changes size) with kernel systems like I-notify or others?
EDIT:
I'm interested in the following scenario with I-notify:
When getting IN_MODIFY event on a file I want retrieve in some way changed lines of the file (some kind of a file diff format). Are there any linux kernel tools to achieve this?
Even if there were such a kernel feature, it would not work in practice. You see, most editors modify files by creating a copy, then renaming it over the original one. This way the user is assured of getting either the old contents or the new contents, never a mix between the two.
The only real option is to take snapshots of the file (at e.g. when file is closed when it was open for writing, or when the file is replaced with a new one), and compare the snapshots, to find which part was changed.
Comparing two versions of a file to see which part of it was changed is itself a difficult question, as it definitely depends on the file format. For source code, unified diffs work well, but for other types (including plain text files that are not line-oriented), it's not that simple.
Could you please refine your question? The inotify API on Linux does monitor such changes, and similar changes such as if a file was open, if a file inside a directory (or the directory itself) was moved and file deletions etc.
For more, see here:
(http://man7.org/linux/man-pages/man7/inotify.7.html)
EDIT:
I believe I misread the question the first time around, if I did, yes such programs exist and the inotify API is the primary one existing within the Linux kernels. See the above link for a comprehensive guide on the different functions it provides.
i am trying to open and edit a file that contains some type of custom protection.
file game :gameguard.des
its from lineage2/interlude/system file.
this is not the original version though, it has been modified to block some packets sent to the server.
i've used VS2010 to open it and it shows me the memory and the contents in hex, like viewing computer memory.
here is the file attached. http://www20.zippyshare.com/v/88173717/file.html
so my question is, how can i open it viewing the code in a higher level and edit it? what tools i need to use to do that?
regards, George
This is a Win32 program. You can try to disassemble it, but it's itself a binary file and what the VS2010 is showing you is correct, because it's showing it most probably in HEX format to you.
You need to first figure out which compiler was used to compile this application, then maybe it helps you to refactor the executable.
The fact that you can not directly run this application might be just the extension, maybe if you change the extension to .exe, it runs under windows. I don't recommend it though.
So I have an old dictionary on my pc, pretty old that I cannot find
any track of it's developer or the website (I guess it hasnt even been released
as an official software). I have a personal project of mine and I might need some
of this words translated (about 200-300) and I see that inside the data folder that
contains the database/list of files but Im unable to extract or read this files.
Is there any way to extract or convert these .bin files to a text format or something
readable. I've used some tools like (alcohol 120%, isobuster, magiciso, Izarc) but with
no luck. I keep getting and error message saying it is not a valid cd image file.
So I'm thinking maybe this type of .bin files are not like .bin or .iso cd files that
you can mount and read and something else might be in this case.
If you have any information kindly reply with
your suggestions.
Thank you alot.
You can try using the strings utility to extract the strings out of the file. It comes with any Linux distribution and if you are on Windows, you can get it from Windows Sysinternals.
If you are lucky and the words are not encoded, you may be able to get at the data you are looking for.
.bin is one of those extensions that has been way overused, and could be anything... What did the file come from originally? Do you need to convert these words and store them back in the original file (in their transformed form), and then expect the original app to work correctly?
I've got a Windows minidump (C code) and a corresponding exe file. Unfortunately, I don't have the exact matching .pdb files, but I do have .pdbs that contain the exact same code just built at a different time. In Windbg, I can use:
.symopt+0x40
To tell it to load anything, even mismatched symbol files. This works great in this particular instance, and I'm able to get a proper call stack. I'm just curious as to whether or not Visual Studio has any such feature. We use pretty much every different version of VS here, so it doesn't matter which version it might be in. Thanks.
Try this utility:
ChkMatch utility can be used to check whether an executable and debug information file match. It can also be used to enforce matching between an executable and debug information file, if they are compatible.
For more information about debug information matching and related issues, see this article.
Supported debug information formats: DBG, PDB 2.0, PDB 7.0...
There is no override, but the poster to this question found a way to modify the PDB files to make them match the EXE.
Thanks to one of the comments on the
first answer, I checked out a link to
the pdfs of the book "Undocumented
Windows 2000 Secrets: A Programmers
Cookbook". And the author goes into
great detail about the pdb file
format. As I said before, I had
already loaded the pdb into a hex
editor and flipped some bits around
appearing that I made the
age/signature match, but it didn't
work. Well, after using the utility
from the W2k secrets book to "explode"
the pdb into the included streams, I
found out that they hide another
reference to the age in stream
3!!!!!!! Once I flipped that one as
well, it matched up in windbg.
Not sure if you want to go to this much trouble, but it looks like it can be done. If this is for production support then it could be worth your while.
Visual Studio and Windbg match pdbs by comparing the timestamps in the Executable header with timestamps store in the pdb file. You can view the timestamp by running dumpin /headers .
I haven't used chkmatch but modifying either the exe or pdb to match each other should work fine.
Be aware that this technique may not be enough to debug your binary. John Robbins in his book 'Debugging Windows' (which I can recommend) mentions that he's seen different build results from the identical source tree built at almost identical times.
Always build pdb symbols with your builds (including release builds) and archive them alongside the build products and include the .map file for good measure.
According to this post its possible to use sos windbg commands as well in visual studio. But i am not sure if ".symopt" also falls into this category.
I'm told that in VS2019 (16.7 .. 16.8 ballpark) that they switched to a multi-threaded PDB file generator to speed that up.
A side effect is that sections of the file, being generated on different threads, may end up in a different order in the file.
Bottom line, it is even more important than before that you use the PDB that was built with the EXE and no other.
I've an application, that uses encrypted (txt) files to store data. After investigating the decompiled assembly I concluded that it's a file of some DBMS. So how can find out which DBMS is this application using to store it's data, so that I can attach that file to the correct DBMS.
This is little application and there is no license problem. I can just ask the owner to gimme the data, but just curious to solve this myself.
MORE INFO:
Platform is Windows, and after trying couple of decompilers I concluded that it WAS written in Visual C++. However I couldn't fully decompile this exe, otherwise I just could find out it from the source code.
A couple ideas.
If opening the file in a HEX editor doesn't give you any information (like a magic identifier at the start of the file, which you can pop into google, then:
Use the depends tool from microsoft to grab a list of the DLLs being loaded by the application. Chances are whatever DBMS it's using is contained in an external library.
If the first two suggestions yield nothing, load the executable into IDA pro freeware and have a look at the code which is creating these files.