Converting raw data to a structure

TheNoobie (199)
Using a packet sniffer that I wrote, let's say it gives the data "4A 2B 00 00 00 00 41 3A 00 00 49 6A 00 00 03 2A 4A 09 35 2A" I can convert that data into the structure...
1
2
3
4
5
6
7
8
 
#define pktID 0x2B4A

typedef struct _Pkt
{
/*0x0*/ DWORD unk0x1; //Always 0
/*0x4*/ DWORD ProcessID;
/*0x8*/ BYTE unk0x2[0x6]; 
} Pkt, *pPkt;


Let's say I sniffed that same packet several times and that's how I figured out the structure. Well what if I had stored in a header file in the sniffer tons of different variables, SUCH AS ProcessID. Now I would like to set something up that reads the data and builds a dummy structure out of it, such as...
1
2
3
4
5
6
 
typedef struct _Dummy
{
/*0x0*/ DWORD unk0x1; //Raw Data: 00000000
/*0x4*/ DWORD ProcessID; //Raw Data: 6A490000
/*0x8*/ BYTE unk0x2[0x6]; //Raw Data: 2A35094A2A03
} Dummy, *pDummy;


I know how to compare the data to check if it matches any of the saved variables in the header file, but it's building the structure I'm having trouble with. Does anyone know how to take raw hex data and turn it into a dummy structure, or is that not possible? Otherwise I can just keep it how it's going right now and spit out the packet ID, raw data, and all the matching variables that are IN the data... just that having a built dummy structure would be so much nicer.
Last edited on
writetonsharma (1461)
are you looking for something of this kind:
1
2
3
 
long l[]={0x6A,0x49,0x00,0x00};//0x6A490000 = 1783169024
int value = l[0] << 24 | l[1] << 16 | l[2] << 8 | l[3];
printf("%d\n",value);


if you have the hex values and you know the boundaries of the values then you can convert them to decimal and insert into your struct.
TheNoobie (199)
Alright well first of all my program is more of an addon for another program. It injects itself into this program and then I type #sniffpackets while in the program and it will spit out while in the actual program what packets are going through. I can then do #sniffspecific <packetID here> to read the data going through with that packet. So if I were to #sniffspecific 2450, for example, then I may get an output like this...
 
 
00 00 00 00 45 25 00 00 32 12 34 00 04 3a 61 6f 6c 20 6d 65 73 73 65 6e 67 65 72


Whereas the code that injects into this program looks like this...
1
2
3
4
5
6
7
8
9
10
11
12
13
 
/*This code (OnNetworkingSend) is setup so that it is called whenever a packet is sent through the networking in this program I don't feel like typing out my ENTIRE code here, for sake of ease. If you have any questions, feel free to ask though.*/

extern "C" __declspec(dllexport) BOOL OnNetworkingSend(unsigned int PacketID, void *pData, unsigned int size) 
{
          CHAR pPktData[2048] = {0};
/*Lots of code here that takes the void *pData part of OnNetworkingSend, which contains all of the packet's data whenever it is called and decodes it for you, then writes it out in the chat window built into this program.*/

/*ProgramOverlayPrint is another function I don't feel like writing out for everyone here as it's not really necessary. What this does is pretty obvious, it uses the program's chat window to spit out the packets data for you.*/
		ProgramChatOverRide(pPktData);

/*The OnNetworkingSend function can return either true or false. If it returns true, then whatever packet triggered the function will go through and if it's false then it will block the packet from being sent. You can also do individual codes like "if (PacketID==2045) return(false);" so that it will only block single packets.*/
return(true);
}


Sorry, I probably gave you way too much information with that little snippet of my sniffer but I'm trying to help everyone understand exactly what it is I'm dealing with. Anyway, so by reading those 2 little code snippets then you will see...
1
2
3
 
CHAR pPktData[2048] = { 0x00, 0x00, 0x00, 0x00, 0x45, 0x25, 0x00, 0x00, 0x32, 0x12, 0x34, 0x00, 0x04, 0x3a, 0x61, 0x6f, 0x6c, 0x20, 0x6d, 0x65, 0x73, 0x73, 0x65, 0x6e, 0x67, 0x65, 0x72 }; 

/*Making pPktData equal to 00 00 00 00 45 25 00 00 32 12 34 00 04 3a 61 6f 6c 20 6d 65 73 73 65 6e 67 65 72*/


Alright now I want my RawDataToStructure() converter to read this and turn it into a rough guess of what the structure is (rough guess, but still accurate size.) Final result will look something like this...(No code yet, just explaining how I plan on formatting it)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 
//We will be passing pPktData to this function
VOID RawDataToStructure(char RawData)
{
     //Read the data passed from pPktData

/*Program will use ZERO's as separators from 1 variable to another. Because the 1st byte is 0 and it goes on for 3 more bytes as 0, then the 1st variable will be either DWORD unk0x1 or BYTE unk0x1[0x4]. Now the 2nd variable this will build starts at 0x45 and goes on for another byte before hitting 2 ZERO separator bytes, building another DWORD for the structure builder. The next one is 15 bytes and ends with no more zero's, so it would be BYTE unk0x3[15].*/

//Next it will compare the pulled variables with saved common variables in a header

/*Would then print final result (I can handle that after I figure out how to make this conversion) and save it to a document if desired (again, can do that when I figure out how to convert to a structure. The printed result would look like below if you were in the program that my tool injects into.*/
NoobieNetworking: Data structure built for packet ID: 0x%x //Hex PacketID
NoobieNetworking: typedef struct _DummyPkt
NoobieNetworking: {
NoobieNetworking:     DWORD Unk0x1; //Data: 00000000
NoobieNetworking:     DWORD MailboxID; //Data: 45250000
NoobieNetworking:     BYTE Unk0x2[0xF]; //Data: 043a616f6c206d657373656e676572
NoobieNetworking: } DummyPkt, *pDummyPkt;


Along with comparing variables in the data with known variables across a header file, there's lots more I would like to do so I can make this sniffer an incredibly helpful tool for me. Problem is I'm really not sure how to go about converting raw HEX data and building a structure out of it, using zeros as separators. By the way, I know using 0's as separators may normally not be a good idea, but it's just a dummy structure and in this program I don't think I've ever seen a 0 if it wasn't the end of a variable or a completely blank variable by itself, such as a DWORD that's constantly 0.
writetonsharma (1461)
hmmm...for me the code which matters is this:
 
 
CHAR pPktData[2048] = { 0x00, 0x00, 0x00, 0x00, 0x45, 0x25, 0x00, 0x00, 0x32, 0x12, 0x34, 0x00, 0x04....


1
2
3
4
5
6
7
8
9
10
 
VOID RawDataToStructure(char RawData)
{

NoobieNetworking: Data structure built for packet ID: 0x%x //Hex PacketID
NoobieNetworking: typedef struct _DummyPkt
NoobieNetworking: {
NoobieNetworking:     DWORD Unk0x1; //Data: 00000000
NoobieNetworking:     DWORD MailboxID; //Data: 45250000
NoobieNetworking:     BYTE Unk0x2[0xF]; //Data: 043a616f6c206d657373656e676572
NoobieNetworking: } DummyPkt, *pDummyPkt;


ok?? now i dont know how you exactly are going to take out the data.. what i have understood is that, first four bytes will be Unk0x1, next four bytes will be MailboxID and rest will be Unk0x2.. am i correct??

on these lines we can discuss how you convert your raw data to your structurre.. if you understand this then you can convert anything accordingly..
writetonsharma (1461)
looking at the code i wrote previously..


1
2
3
 
long l[]={0x6A,0x49,0x00,0x00};//0x6A490000 = 1783169024
int value = l[0] << 24 | l[1] << 16 | l[2] << 8 | l[3];
printf("%d\n",value);




as you can see i've converted four bytes to a DWORD.. similarly you can do for the rest of it..lets write a small code:

//say your sniffer gave you this data and you want to convert this to your structure:



1
2
 
#define unsigned char BYTE
BYTE pPktData[2048] ={ 0x00, 0x00, 0x00, 0x00, 0x45, 0x25, 0x00, 0x00, 0x32, 0x12, 0x34, 0x00, 0x04, 0x3a, 0x61, 0x6f, 0x6c};




it could be like this:

1
2
3
4
5
6
7
8
9
10
11
12
 
VOID RawDataToStructure(BYTE *RawData, _DummyPkt *pkt)
{

pkt->Unk0x1 = *(RawData+0) << 24 | *(RawData+1) << 16 | *(RawData+2)  << 8 | *(RawData+3) ;

pkt->MailboxID = *(RawData+4) << 24 | *(RawData+5) << 16 | *(RawData+6)  << 8 | *(RawData+7) ;

for(int i = 8,j = 0;*(RawData + i) != '\0';i++)
pkt->Unk0x2[j++] = *(RawData + i);

return;
}




you can automate this otherwise this way you can fill your structure.. tell me if im not doing what you expect.
Topic archived. No new replies allowed.