在知道内存偏移量和字符串长度的文件中查找十六进制字符串
早上好,堆栈溢出!
我正在尝试从二进制文件中提取十六进制字符串。我无法直接找到这个字符串,但我知道该字符串的长度为 0x30,并且在已知的十六进制字符串之后从 0x10 开始。
这是我的代码
FILE *f = NULL;
unsigned char *buffer = NULL;
unsigned long fileLen;
unsigned char known_string[] = {0x45, 0x45, 0x45, 0x45};
printf("Opening file...\n");
f = fopen(argv[1], "rb");
if (!f) {
fprintf(stderr, "Unable to open %s\n", argv[1]);
return -1;
}
// Get the length
fseek(f, 0, SEEK_END);
fileLen=ftell(f);
fseek(f, 0, SEEK_SET);
// Allocate memory
buffer=malloc(fileLen);
if (!buffer)
{
fprintf(stderr, "Memory error!\n");
fclose(f);
return -1;
}
// File to buffer
fread(buffer, fileLen, 1, f);
fclose(f);
printf("Buffer starts: %p\n", &buffer[0]);
printf("Buffer ends: %p\n", &buffer[fileLen]);
// Determines offset of known_string
char *p = memmem(buffer, fileLen, bytes, 4);
if (!p) {
return -1;
} else {
printf(" General offset: %x\n", p);
}
free(buffer);
所以我得到了已知字符串的一般偏移量,但我需要获取相对于文件的偏移量。我在这一步有点卡住了。我想我必须做类似 p - &buffer[0] 的事情,但是 p 和 &buffer[0] 不是同一类型,而且 p 甚至不是真正的偏移量(例如 678987 而不是 10678987)。那么在我得到相对偏移量的情况下,我怎样才能找到未知的字符串呢?
Good morning stackoverflow !
I'm trying to extract from a binary file a hexadecimal string. I can't find this string directly, but I know that the string is 0x30 long and begins 0x10 after a known hex string.
So here is my code
FILE *f = NULL;
unsigned char *buffer = NULL;
unsigned long fileLen;
unsigned char known_string[] = {0x45, 0x45, 0x45, 0x45};
printf("Opening file...\n");
f = fopen(argv[1], "rb");
if (!f) {
fprintf(stderr, "Unable to open %s\n", argv[1]);
return -1;
}
// Get the length
fseek(f, 0, SEEK_END);
fileLen=ftell(f);
fseek(f, 0, SEEK_SET);
// Allocate memory
buffer=malloc(fileLen);
if (!buffer)
{
fprintf(stderr, "Memory error!\n");
fclose(f);
return -1;
}
// File to buffer
fread(buffer, fileLen, 1, f);
fclose(f);
printf("Buffer starts: %p\n", &buffer[0]);
printf("Buffer ends: %p\n", &buffer[fileLen]);
// Determines offset of known_string
char *p = memmem(buffer, fileLen, bytes, 4);
if (!p) {
return -1;
} else {
printf(" General offset: %x\n", p);
}
free(buffer);
So I get the general offset of the known string but I need to get the one relative to the file. I'm a bit stuck at this step. I think I must do something like p - &buffer[0], but p and &buffer[0] are not of the same type, and p is not even the real offset (678987 instead of 10678987 e.g). Then in the case I got the relative offset, how could I find the unknown string ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
由于您只对指针地址感兴趣,而不是它指向的数据,因此您也可以使用 void *,并且不必执行 &buffer[0],它不是数组。
我添加 0x10 + 4 以跳过找到的十六进制字节序列和搜索字符串之前的字节。
As you're only interested in the pointer address, not the data it points to, you may just as well use void *, and you don't have to do &buffer[0], it's not an array.
I add 0x10 + 4 to skip the found hex byte sequence and the bytes up to the searched for string.
您需要做的就是使用
unsigned char *作为p的类型 - 然后您只需减去:All you need to do is use
unsigned char *for the type ofp- then you can just subtract: