Decoding a hex file

Question

I would like to use a webservice who deliver a binary file with some data, I know the result but I don't know how I can decode this binary with a script.

Here is my binary : https://pastebin.com/3vnM8CVk

0a39 0a06 3939 3831 3438 1206 4467 616d
6178 1a0b 6361 7264 6963 6f6e 5f33 3222
0d54 6865 204f 6c64 2047 7561 7264 2a02
....

Some part are in ASCII so it easy to catch, at the end of the file you got vehicle name in ASCII and some data, it should be kill/victory/battle/XP/Money data but I don't understand how I can decode these hexa value, I tried to compare 2 vehicles who got same kills but I don't see any match.

There is a way to decode these data ?

Thanks :)

Hello guys, after 1 year I started again to find a solution, so here is the structure of the packet I guessed : (the part between [ ] I still don't know what is it for)

[52 37 08 01 10] 4E [18] EA [01 25] AB AA AA 3E [28] D4 [01 30] EC [01 38] 88 01 [40] 91 05 [48] 9F CA 22 [50] F5 C2 9A 02 [5A 12]
                  |       |             |            |          |           |         |            |               |
                  Victories             Victory Ratio|          |           Air target|            Xp              Money earned
                          |                          |          |                     Ground Target
                          Battles                    Deaths     Respawns

So here is the result :

Victory : 78
Battles : 234
Victory Ratio : ? (should be arround 33%)
Deaths : 212
Respawns : 236
Air Target : 136
Ground Target : 657
Xp : ? (should be arround 566.56k)
Money : ? (should be arround 4.63M)

Is there a special way to calculate the result of a long hex like this ? F5 C2 9A 02 (should be arround 4.63M)

I tell you a bit more :

I know the result, but I don't know how to calculate it with these hex from the packet.

If I check a packet with a small amout of money or XP to be compatible with one hex :

[52 1E 08 01 10] 01 [18] [01 25] 00 00 80 3F [28] 01 [30] 01 [48] 24 [50] 6E [5A 09]

6E = 110 Money earned

24 = 36 XP earned

Another exemple :

[52 21 08 01 10] 02 [18] 03 [25] AB AA 2A 3F [28] 02 [30] 03 [40] 01 [48] 78 [50] C7 08 [5A 09]

XP earned = hex 78 = 120

Money earned = hex C7 08 = 705

How C7 08 can do 705 decimal ?

Here is the full content in case but I know how to isolate just these part I don't need to decode all these hex data : https://pastebin.com/vAKPynNb

No clue ? :< is it possible to do this ? Or do I need a model of this packet ? — Maxence, Apr 20 '18 at 15:15
The pastebin you shared is more like a hex representation of a binary file. Is the file like this only or it is a actual binary file? — Tarun Lalwani, Apr 21 '18 at 11:28
The file is like this, here is the url to download it : https://companion-app.warthunder.com/call/?classname=eaw_ProfileBin&lang=en&method=jzx_getPublicProfileBin&userid=998148&v=6 — Maxence, Apr 21 '18 at 11:29
This looks like some structured data written in binary format, you won't be able to extract the data out of same until unless you know the structure. Else it will mean reverse engineering the files and a time consuming effort — Tarun Lalwani, Apr 21 '18 at 11:51
Ok thanks this is what I was guessing, actually Im able to see the result of this data with the app IOS who call this url. So I tried to compare each data of vehicles who got the sames stats but for now I got no clue :/ if someone got any idea :) — Maxence, Apr 21 '18 at 11:54
if you dont have an api interface to read the file, then you need to know the structure of the file and write it yourself. also if you know the exact bit off set of data provided the code size wont change, then you can rip off data. — Yılmaz Durmaz, Apr 26 '18 at 16:16
Without more context on the generating application, this is hopeless. And probably with as well. — , Apr 27 '18 at 14:50
I have given an answer and included some code of PHP to read your data file plus some explanation. the rest is to make trials on how to get data from what part of it — Yılmaz Durmaz, Apr 27 '18 at 14:53

score 2 · Answer 1 · answered Apr 27 '18 at 09:10

What you have asked is nothing but how to reverse engineer a binary file. Lot of threads already on SO

Reverse engineer a binary dictionary file to extract strings

Tools to help reverse engineer binary file formats

https://reverseengineering.stackexchange.com/questions/3495/what-tools-exist-for-excavating-data-structures-from-flat-binary-files

http://www.iwriteiam.nl/Ha_HTCABFF.html

The final take out on all is that no single solution for you, you need to spend effort to figure it out. There are tools to help you, but don't expect a magic wand tool to give you the structure/data.

Yılmaz Durmaz · Answer 2 · 2018-04-26T20:34:09.080

Any kind of file read operation is done in text or binary format with basic file handlers. And some languages offer type reading of int, float etc. or arrays of them.

The complex operations behind these reading are almost always kept hidden from normal users. And then the user has to learn more when it comes to read/write operations of data structures.

In this case, OFFSET and SEEK are the words one must find value and act accordingly. whence data read, it must be converted to suitable data type too.

The following code shows basics for these operations to write data and read blocks to get numbers back. It is written in PHP as the OP has commented in the question he uses PHP.

Offset is calculated with these byte values to be 11: char: 1 byte, short: 2 bytes, int: 4 bytes, float: 4 bytes.

<?php
$filename = "testdata.dat";
$filehandle = fopen($filename, "w+");
$data=["test string","another test string",77,777,77777,7.77];
fwrite($filehandle,$data[0]);
fwrite($filehandle,$data[1]);
$numbers=array_slice($data,2);
fwrite($filehandle,pack("c1s1i1f1",...$numbers));
fwrite($filehandle,"end"); // gives 3 to offset
fclose($filehandle);

$filename = "testdata.dat";
$filehandle = fopen($filename, "rb+");
$offset=filesize($filename)-11-3;
fseek($filehandle,$offset);
$numberblock= fread($filehandle,11);
$numbersback=unpack("c1a/s1b/i1c/f1d",$numberblock);
var_dump($numbersback);
fclose($filehandle);
?>

Once this example understood, the rest is to find the data structure in the requested file. I had written another example but it uses assumptions. I leave the rest to readers to find what assumptions I made here. Be careful though: I know nothing about real structure and values will not be correct.

 <?php
 $filename = "testfile";
 $filehandle = fopen($filename, "rb");

 $offset=17827-2*41;  //filesize minus 2 user area
 fseek($filehandle,$offset);
 print $user1 = fread($filehandle, 41);echo "<br>";
 $user1pr=unpack("s1kill/s1victory/s1battle/s1XP/s1Money/f1Life",$user1);
 var_dump($user1pr); echo "<br>";

 fseek($filehandle,$offset+41);
 print $user2 = fread($filehandle, 41);echo "<br>";
 $user2pr=unpack("s1kill/s1victory/s1battle/i1XP/i1Money/f1Life",$user2);
 var_dump($user2pr); echo "<br>";

 echo "<br><br>";
 $repackeduser2=pack("s3i2f1",$user2pr["kill"],$user2pr["victory"],
     $user2pr["battle"],$user2pr["XP"],$user2pr["Money"],
     $user2pr["Life"]
 );
 print $user2 . "<br>" .$repackeduser2;
 print "<br>3*s1=6bytes, 2*i=6bytes, 1*f=*bytes (machine dependent)<br>";

 print pack("s1",$user2pr["kill"]) ."<br>";
 print pack("s1",$user2pr["victory"]) ."<br>";
 print pack("s1",$user2pr["battle"]) ."<br>";
 print pack("i1",$user2pr["XP"]) ."<br>";
 print pack("i1",$user2pr["Money"]) ."<br>";
 print pack("f1",$user2pr["Life"]) ."<br>";


 fclose($filehandle);
 ?>

PS: pack and unpack uses machine dependent size for some data types such as int and float, so be careful with working them. Read Official PHP:pack and PHP:unpack manuals.

Josh Bradley · Answer 3 · 2018-04-25T20:34:45.003

0

This looks more like the hexdump of a binary file. Some methods of converting hex to strings resulted in the same scrambled output. Only some lines are readable like this...

Dgamaxcardicon_32" The Old Guard

As @Tarun Lalwani said, you would have to know the structure of this data to get the in plaintext.

If you have access to the raw binary, you could try using strings https://serverfault.com/questions/51477/linux-command-to-find-strings-in-binary-or-non-ascii-file

edited Apr 25 '18 at 20:34

answered Apr 25 '18 at 20:23

Josh Bradley

1,854
1
15
31

1

My question is not how I can convert hex to ascii, but I’m looking for a way to decode all the data, few are compatible with ascii but most of them are not, its this part I want to decode. – Maxence Apr 25 '18 at 20:28
1

Got it, then like @Tarun said, you'd need to know how the data is structured. Unless someone else has an idea :) – Josh Bradley Apr 25 '18 at 20:32
Ok thanks, yes I was thinking we need to know the structure, but I was thinking too if I got this file and the result maybe I can guess the structure by matching some data but for now I found nothing interesting : – Maxence Apr 25 '18 at 20:35

Decoding a hex file

3 Answers3