I have a .data file given to me that I am supposed to read. I know that .data files can be opened with a text editor, and that was the first thing I did. The result from opening the .data file was gibberish:
I am not sure what to do with this .data file and what I can do to get the readable file.
Edit: This is my first post on Stack Overflow, hopefully I followed guidelines and please let me know if I should categorize this question with a different tag. Thanks!
Related
I need help to understand these concepts.
I understand that the RVA is an offset from the base address. But it's relative to what in a file? I understood it was from where the image will be loaded in memory, but in the executable file itself, an RVA is relative to what? The beginning of the file, so the file Id at the start?
Thanks for reading :)
Yes, usually from the start of the file. There are probably a couple of exceptions when you get deeper into specific parts of a file. You will generally find them when reading the documentation:
MESSAGE_RESOURCE_BLOCK.OffsetToEntries:
The offset, in bytes, from the beginning of the MESSAGE_RESOURCE_DATA structure to the MESSAGE_RESOURCE_ENTRY structures in this MESSAGE_RESOURCE_BLOCK. The MESSAGE_RESOURCE_ENTRY structures contain the message strings.
I got two PE files having the same sections named ".data". These names contain different bytes when we see them in a hex dump. These sections have 00 bytes in their contents. What can this file type be?
https://www.curlybrace.com/archive/PE%20File%20Structure.pdf
You can get all the details about section names here [PE file Structure]
And then decide yourself if the file is malicious or not.
Happy Overflowing :D
Normal compilers shouldn't produce two sections with identical names, so the likely explanation is that the binary was modified post-compilation. Such obvious modifications are typical (but not conclusive) of malware. Without further information, it's not possible to say much else.
I googled over the internet and couldn't find the best answer.
What I am doing now is making a GUI, and that software can overwrite the information of the first line of the file that it opens. I tried to look at the FileStream etc. documentation on MSDN but cannot make it work.
How can I locate a specific line such as the first line, or specify the byte count and offset I want to replace in the file?
Thanks
I am analyzing PE structure.
Some article in MSDN (http://msdn.microsoft.com/en-us/magazine/bb985997.aspx) says
"IMAGE_DIRECTORY_ENTRY_IMPORT" points to the imports(an array of IMAGE_IMPORT_DESCRIPTOR structures).
I checked the actual value with 010 Editor PE template.
However, the value seemed to be encoded somehow and I don't know how to interpret it.
The pictures below clearly explain this problem.
Some advice would be appreciated...!
I looked through the template, and it would appear that the "FOA" comments are generated by passing an RVA to the "RVA2FOA" function, which looks like it's converting the RVA to a file offset.
That makes sense, the file offset is something you often want to know (especially in a HEX editor, where you have to navigate by file offset), and FOA looks like it can be short for File Offset Something-or-other.
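Added example, not part of the original posts and not the 010 Editor template's own code: a small Python sketch of one common way to turn an RVA into a file offset by walking the section table, together with the duplicate-section-name check mentioned in the earlier answer. The header bytes are constructed sample data and every function name is hypothetical.

```python
import struct
from collections import Counter

def build_sample_pe():
    """Constructed minimal PE header with two sections both named .data."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)   # 2 sections, no optional header
    def sec(name, vsize, va, rsize, raw):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData + 16 unused bytes
        return struct.pack("<8sIIII", name, vsize, va, rsize, raw) + b"\x00" * 16
    return (dos + b"PE\x00\x00" + coff
            + sec(b".data", 0x100, 0x1000, 0x200, 0x400)
            + sec(b".data", 0x80, 0x2000, 0x200, 0x600))

def parse_sections(data):
    """Return (name, vsize, va, rsize, raw) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size            # signature + COFF header + optional header
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode("latin-1"), vsize, va, rsize, raw))
    return out

def duplicate_names(sections):
    """Section names that occur more than once (worth a closer look during triage)."""
    counts = Counter(s[0] for s in sections)
    return sorted(n for n, c in counts.items() if c > 1)

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None if no section's raw data backs it."""
    for _name, vsize, va, rsize, raw in sections:
        span = vsize or rsize             # some linkers leave VirtualSize at 0
        if va <= rva < va + span:
            delta = rva - va
            return raw + delta if delta < rsize else None
    return None                           # RVAs inside the headers are not handled here

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print(duplicate_names(secs), hex(rva_to_offset(secs, 0x1010)))
```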
This question already has answers here:
How do I insert and delete some characters in the middle of a file?
(4 answers)
Closed 9 years ago.
I'm writing a program to edit a txt file.
But I found that the Windows API WriteFile can only add data/characters to a file, but cannot delete data from files.
The only solution I've come up with is to read the whole file into a buffer using ReadFile, and then use a loop to shift the data one by one, then replace the old file with the new file. But I think this will probably make my program really slow.
Can anyone help please
thanks.
If you're trying to delete from the end of the file it can be very fast with truncate() and ftruncate().
Where are you trying to delete the data from? If it's from the middle, you'll have to use fseek(): If the file contains "ABCDEFG", and you want to delete "DEF", use fseek() to get to G, copy "G" into a buffer, fseek to where "C" is, then write() what's there. Then truncate the file to the correct size with ftruncate().
If this really becomes a performance issue for you, you'll want to either design your file in a way that accounts for this or use a database of some kind. You may also want to use memory-mapped files, but usually this is better done by a database that someone else wrote instead of reinventing the wheel.
Files are linear streams of data. If you want to remove content from a file, you must re-write all the content of the file that follows the part that you have removed. So, unless the content to be removed is at the end of the file, you will need to perform some writing. In the worst case scenario, in order to remove the first byte of a file, you need to re-write the entire file apart from the byte that you removed.
FWIW, Raymond Chen wrote a nice article on this subject: How do I delete bytes from the beginning of a file?
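Added example, not part of the original posts: the shift-then-truncate approach described in the answers above, written in Python with a fixed-size copy buffer so the whole file never has to sit in memory. The function names and the temporary file are constructed for illustration.

```python
import os
import tempfile

def delete_range(path, start, length, chunk=64 * 1024):
    """Remove `length` bytes at offset `start`: shift the tail left, then truncate."""
    size = os.path.getsize(path)
    if start < 0 or length < 0 or start + length > size:
        raise ValueError("range lies outside the file")
    with open(path, "r+b") as f:
        src, dst = start + length, start      # read ahead of the write position
        while src < size:
            f.seek(src)
            block = f.read(min(chunk, size - src))
            if not block:                     # file shrank underneath us; stop copying
                break
            f.seek(dst)
            f.write(block)
            src += len(block)
            dst += len(block)
        f.truncate(size - length)             # drop the now-duplicated tail
    return size - length

def demo():
    """Constructed sample: delete "DEF" from "ABCDEFG", as in the answer above."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"ABCDEFG")
        delete_range(path, 3, 3)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

The rewrite happens in place and is not atomic, so an interruption part-way through leaves a partially shifted file; writing to a temporary copy and renaming it over the original avoids that at the cost of extra disk space.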