insorg
Platinum Member | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
Цитата: Binmay - command line binary search and replace
Copyright (C) 2004-2011 Sean Loaring
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Email: info@filewut.com
Web Site: http://www.filewut.com/spages/page.php/software/binmay
Introduction
------------
Binmay is a simple, little program that searches for a string of binary in a
file or stream and replaces it with another string of binary.
Outputting Raw Binary (-p)
--------------------------
Binmay will convert a string into raw binary and dump it with the -p option:
sloaring@dumpy:~$ binmay -p "61 62 63 64 65 66 67"|hd
00000000 61 62 63 64 65 66 67 |abcdefg|
00000007
Parameter String Format (-p, -s, -S, -r, -R)
--------------------------------------------
By default all parameter strings are treated as hex. Non-hex characters are
simply ignored:
$ binmay -p "61-62-63-64-65-66-67"|hd
00000000 61 62 63 64 65 66 67 |abcdefg|
00000007
$ binmay -p "61-ghijklmnopqrs62-63-64-65-66-67"|hd
00000000 61 62 63 64 65 66 67 |abcdefg|
00000007
Paramter strings can also be prefixed with 'h:', 'b:', 't:' and 'f:' denoting
hex, binary, text and file input.
$ binmay -p "h:63 61 74"
cat
$ binmay -p 'b:01100011 01100001 01110100'
cat
$ binmay -p "t:this is text"
this is text
$ echo 'monkey' >tmpfile
$ binmay -p "f:tmpfile"
monkey
Searching
---------
If only the -s parameter is specified then binmay will output a list of offsets
and matching patterns, followed by a match count:
$ binmay -p "00 00 50 00 00 00 50" | binmay -s 50
0x2:50
0x6:50
Matches: 2
$ binmay -p "00 00 50 00 00 00 50" | binmay -s 't:P'
0x2:50
0x6:50
Matches: 2
$ binmay -p "00 00 50 00 00 00 50" | binmay -s 'b:01010000'
0x2:50
0x6:50
Matches: 2
# Look look at some of the bytes surrounding an NK key prefix (6e6b) in
# a windows registry file
$ binmay -s 6e6b0000000000000000000000 -S 'ffff0000000000000000000000' -i ntuser.dat
0x1024:6e 6b 2c 00 a2 56 f4 5a 7a e1 c8 01 00
0x11bc:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x134c:6e 6b 20 00 e6 ef 97 33 3f e1 c8 01 00
0x13bc:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x14c4:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x15d4:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x16dc:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x17dc:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x191c:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x19f4:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1b04:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1c04:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1c64:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1d24:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1e24:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x1f0c:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x2024:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x214c:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
0x2234:6e 6b 20 00 8e f2 a3 c8 3e e1 c8 01 00
...
0x7e228:6e 6b 00 00 28 00 03 00 04 00 ef be e9
0x7e274:6e 6b 20 00 d0 c7 93 49 89 e1 c8 01 00
0x7e2e4:6e 6b 20 00 6c 28 63 32 89 e1 c8 01 00
0x7e85c:6e 6b 20 00 b4 79 85 49 89 e1 c8 01 00
0x7e8cc:6e 6b 20 00 b4 79 85 49 89 e1 c8 01 00
0x7e994:6e 6b 20 00 76 65 91 49 89 e1 c8 01 00
0x7ed72:6e 6b 73 00 00 00 e0 ff ff ff 76 6b 04
0x7f17c:6e 6b 20 00 d0 6a 75 5b 89 e1 c8 01 00
0x7f1fc:6e 6b 20 00 d0 6a 75 5b 89 e1 c8 01 00
0x7f254:6e 6b 20 00 2a cd 77 5b 89 e1 c8 01 00
0x7f522:6e 6b 73 e4 07 00 18 00 00 00 f0 e3 07
Matches: 1047
Replacing
---------
Binmay can replace the strings it searches for with other strings.
To replace all instances of "ff ff af" in infile with "aa aa aa" in outfile:
binmay -s "ff ff af" -r "aa aa aa" -i infile -o outfile
To delete all instances of "ff 00"
binmay -s "ff 00" -r ""
To replace all instances of "ff fX af" with "aa aa aa aa aa":
binmay -s "ff ff af" -S "ff f0 ff" -r "aa aa aa aa aa"
Search Masking
--------------
One can apply a bitwise mask to the search string.
$ binmay -p "00 00 50 00 00 00 50 51 52 53" | \
binmay -s 50 -S "f0"
0x2:50
0x6:50
0x7:51
0x8:52
0x9:53
Matches: 5
And everything found can be replaced
$ binmay -p "00 00 50 00 00 00 50 51 52 53" | \
binmay -s 50 -S "f0" -r "11" | hd
00000000 00 00 11 00 00 00 11 11 11 11 |..........|
0000000a
Replace Masking
---------------
You can selectively replace sections of found strings with masks.
$ binmay -p "00 00 50 00 00 00 50 51 52 53"| \
binmay -s 50 -S "f0" -r "90" -R "f0" | hd
00000000 00 00 90 00 00 00 90 91 92 93 |..........|
0000000a
|
|
Всего записей: 17003 | Зарегистр. 04-11-2010 | Отправлено: 17:28 17-11-2023 | Исправлено: insorg, 17:34 17-11-2023 |
|
