Skip to content
View in the app

A better way to browse. Learn more.
ResHax

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Help us keep the site running.

Can I use QuickBMS to parse structs?

ZenHAX
in Zenhax

Featured Replies

  • Author
  • Localization

crushedice2000, posted Mon Nov 09, 2015 8:38 pm (9489)

Hi! I have a raw binary file from a closed source program and I want to parse it. Is QuickBMS the right tool for this?

Example of file (hexdump):

Code:
0000000: 5244 4649 4c45 5645 5231 2e30 7c37 aaaa  RDFILEVER1.0|7..
0000010: aaff aaff ccdd eeff 00                   .........


Example of output:

Code:
TYPE (String): RD FILE
VERSION (String): 1.0
FILL (String): |
BIG NUMBER (Unsigned 32Bit Integer): 2863311415


Really I don't want the output as that silly example. Only to export it as json or preprocess it directly in the bms program.
  • Author
  • Localization

aluigi, posted Mon Nov 09, 2015 9:11 pm (9491)

Regarding the script, quickbms supports the C structs so you don't have to write it in bms language (at least not all), for example:
Code:
unsigned char header[10];
int files;
int dummy[3]
is the same of
Code:
getdstring header 10
get files long
getdstring dummy 12


Instead regarding the visualization of the collected information, you can use the -V option but the output is just the one of quickbms so can't be reused in other applications (that maybe support xml, json or others).

Example of -V obtained from the first script running on itself:
Code:
. 00000000 getdstr header     "unsigned c" 10
    75 6e 73 69 67 6e 65 64 20 63                     unsigned c
. 0000000a get     files      0x20726168 4
. 0000000e getdstr dummy      "" 12
    68 65 61 64 65 72 5b 31 30 5d 3b 0d               header[10];.
  • Author
  • Localization

crushedice2000, posted Tue Nov 10, 2015 10:26 am (9522)

Thanks! Now I'm trying this code:

Code:
getdstring header 12
getdstring splitter 1
get files long

print "\n%header%\n%files%\n"


How can I get a unsigned long?

I'm getting -1431655881 instead of 2863311415.

Also, can I do something like this?

Code:
if files == 1234567:
    files = "COMMAND1"
else if files == 12345678:
    files = "COMMAND2"
else:
    files = "COMMAND3"
  • Author
  • Localization

aluigi, posted Tue Nov 10, 2015 10:45 am (9526)

The Print command supports only the signed and hexadecimal output by adding a |x after the name of the variable:
print "\n%header%\n%files|x%\n"

Regarding the other request, try something like:
Code:
if files == 1234567
    set files string "COMMAND1"
else if files == 12345678
    set files string "COMMAND2"
else:
    set files string "COMMAND3"
You can even use a '=' instead of 'string' or just omitting it at all.
Guest
This topic is now closed to further replies.
Go to topic listing

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.