I have a program that uses compressed data in these files. So when I open these files in a HEX editor to search for values that the program gives me I cannot find those values in the files by themselves.

So I guess when the program loads these files it uncompresses the data and it makes sense. So, the uncompressed values displayed by the program will not be searhable in these files with just a hex editor.

In other words when the program uses these files the uncompressed data is shown, but if you were to open one of these files on its own in a hex editor you would not be able to just search for the uncompressed values that the program displayed.

Anyway to get around this?

yup, uncompress the files

Har har

Yes, but I need to figure out how they are compressed in order to uncompress them.

There must be some sort of 'compression algorithm' or something like that.

Howdy,

You need to tell us. Get a PE scanner.

Woodmann

Are the files executable (i.e. "self-extracting", or are they processed by another program? In any case you have to pinpoint the uncompression routine in the code of the program, and then analyze/rip it.

If the compressed files are executable it is often very easy to find the code for this routine, since it's then practically the only code in the entire program, and will also most likely be placed very near the entrypoint of the executable.

I've a feeling he's talking about compressed datafiles however...

yes.

Ok, still same approach, just a little harder to pinpoint the exact uncompress code. I would recommend breakpointing on some file read API:s though, and trace from there. That will probably land you pretty close too.

Should I use Filemon for that? (instead of breakpoints).

It shows me where the data is written to these files, but it only shows the offset and the length. What does the "length" mean in Filemon?

the length of the data that was written ?

You would want to pinpoint where in the executable code that the decompression is going on, not where in the data files that things are read (ok, maybe later on you might possibly want to know that too, but this will probably be quite clear once you have read the code anyway). So no, FileMon is probably not a very good approach to start out with, it should mostly be used to see which files a program reads, not what it reads inside them.

Hook API-commands like OpenFile, ReadFile and so on, and see where it takes you in the code.