Some of you may be aware of my Reverse Engineering tool RevEnge.
I just wanted to show you a feature that I am currently working on with RevEnge. Basically it is a rewrite of the structure editor to include a new Structure Definition Language (SDL). The SDL allows the user to code parsers for some quite complex structures to allow RevEnge to display them in decoded form. Once a SDL is written for a structure it can be shared with other users. A nice feature is the report which writes an HTML file containing the raw data, the decoded data and the SDL used to decode the data.
By way of example I have attached two reports below, one for a FastTrack DBB file (now pretty much defunct but it serves as a simple example), the second is for an MFT record where, in this example, you can see 12 of the possible dates associated with this file entry.
I am also working on a feature whereby you could, after defining a suitable SDL file, point RevEnge at say an extracted MFT and all of the records would be written to either an HTML report or a CSV file.
The links look odd … some mistake somewhere? Add a trailing ';' to all those '& n b s p ' without one.
Hmmm - I had not checked the reports in Firefox - Explorer displays the reports OK.
OK sorted now - cheers.
Some of the features now in RevEnge
The PDU stuff is particularly useful for hex dump analysis on mobile phones; on a recent job it probably saved me hours.
Support for PDU (SMS) encoded data
- dynamic decode and display at cursor position
- search for PDU encoded words
- search for possible PDU encoded data
Support for 24 different date types (39 including big endian variants)
- includes date formats seen on mobile phones and GPSs
- dynamic decode and display of all date formats at cursor position
- search for one or more dates in a given date range
- auto highlight of dates in user specified range
Dynamic decode and display at cursor position of
- ZLib data (used in encase compressed files)
- UUencoded data
- Base64 encoded data
- ROT13/18 and 47
- Nokia encoded telephone numbers
- Binary coded decimal (BCD)
- Nibble swapped BCD
Comprehensive data description language (DDL)
- dynamic display of data at cursor based on DDL
- export of DDL decoded data as HTML report
- export of DDL decoded data as CSV (e.g. complete contents of an MFT file as CSV)
- specify specific words and have all occurrences highlighted (e.g. JFIF, EVF, sanderson)
- multiple keywords
- specific date ranges in all supported formats (at once if required)
- hex values
- blank or non blank sectors
- PDU (SMS) encoded text strings
- Possible PDU encoded data (when you don’t have specific keywords)
Calculate MD5/SHA/encase CRC (more to come)
Overwrite data with specific pattern
Check disk (or selected area) is blank
- Drives and logical volumes
- Files > 4GB
- Encase image files
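As an added illustration of the PDU decodes listed above (nibble-swapped BCD for phone numbers and the service-centre timestamp, GSM 7-bit packed text), here is a small Python decoder run over a constructed SMS-DELIVER fragment. This is example code written for this thread, not RevEnge's own implementation; the sample bytes are made up.

```python
# Added example, not RevEnge code. Sample PDU bytes below are constructed.

# GSM 03.38 basic 7-bit alphabet, index = septet value (128 entries).
GSM7_BASIC = (
    "@\u00a3$\u00a5\u00e8\u00e9\u00f9\u00ec\u00f2\u00c7\n\u00d8\u00f8\r\u00c5\u00e5"
    "\u0394_\u03a6\u0393\u039b\u03a9\u03a0\u03a8\u03a3\u0398\u039e\x1b\u00c6\u00e6\u00df\u00c9"
    " !\"#\u00a4%&'()*+,-./0123456789:;<=>?"
    "\u00a1ABCDEFGHIJKLMNOPQRSTUVWXYZ\u00c4\u00d6\u00d1\u00dc\u00a7\u00bf"
    "abcdefghijklmnopqrstuvwxyz\u00e4\u00f6\u00f1\u00fc\u00e0"
)
TBCD_DIGITS = "0123456789*#abc"   # nibble 0xF is the odd-length filler

def decode_swapped_bcd(data: bytes) -> str:
    """Nibble-swapped BCD (GSM semi-octets): low nibble first. b'\\x21\\x43' -> '1234'."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:                      # filler terminates the number
                return "".join(out)
            out.append(TBCD_DIGITS[nib])
    return "".join(out)

def unpack_gsm7(data: bytes, septets: int) -> str:
    """GSM 7-bit packing: septet i sits in bits 7*i .. 7*i+6, LSB first."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def decode_scts(ts: bytes) -> str:
    """TP-SCTS: 7 swapped-BCD bytes YY MM DD hh mm ss tz (tz in quarter hours)."""
    y, mo, d, h, mi, s = (decode_swapped_bcd(ts[i:i + 1]) for i in range(6))
    sign = "-" if ts[6] & 0x08 else "+"         # sign bit lives in the first semi-octet
    quarters = (ts[6] & 0x07) * 10 + (ts[6] >> 4)
    return f"20{y}-{mo}-{d} {h}:{mi}:{s} GMT{sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}"

# Constructed fragment starting at TP-OA (SMSC header already stripped):
#   0A 91 | 21 43 65 87 09 | PID 00 DCS 00 | SCTS 42 30 51 90 03 00 00 | UDL 05 | UD
SAMPLE = bytes.fromhex("0A91" "2143658709" "0000" "42305190030000" "05" "E8329BFD06")

def decode_sms_deliver(pdu: bytes) -> dict:
    """Walk the fragment the way a cursor decode would: address, timestamp, text."""
    ndigits = pdu[0]
    addr_len = (ndigits + 1) // 2
    number = decode_swapped_bcd(pdu[2:2 + addr_len])
    if pdu[1] & 0x70 == 0x10:                   # type-of-number: international
        number = "+" + number
    p = 2 + addr_len + 2                        # skip TP-PID and TP-DCS
    scts = decode_scts(pdu[p:p + 7]); p += 7
    udl = pdu[p]; p += 1                        # user-data length in septets
    text = unpack_gsm7(pdu[p:p + (udl * 7 + 7) // 8], udl)
    return {"from": number, "time": scts, "text": text}

if __name__ == "__main__":
    print(decode_sms_deliver(SAMPLE))
```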