database reverse engineering


vonbruno
November 26th, 2004, 08:11
i need to reverse engineer a phonebook database. after two weeks of work (and learning) i'm out of ideas and need help. these are the things i found out:

the main database is a .dat file about 200mb big. it has some ascii parts (i.e. names of towns) but no people names are in plain ascii (didn't expect them to be). all i need are phone numbers. i checked logs from filemonitor and found the offset where the main app is doing phone number searches. from that point in the file goes a consistent pattern which i think is some sort of index table.
it starts with
D9F8 4181 A386 0501 C7BF 08AE EC18 02C1 BF40 89A9 3300 C0C5 3383 AE32 00C7 17AC 3C00 C05B 8435 0086 2700

from then on a consistent pattern appears 80 03 0i 41 xx xx xx, i goes from 0 to 8. after each iteration of that pattern another one iterates 09 41 y bytes 0j like in a nested for next loop. j goes from 0 to 9 and y is 10 bytes for j=0, 5 bytes for j=1-8 and 3 bytes for j=9

the xx xx xx bytes are i.e. EB EC 45, DA B7 20, EF F2 7F, etc. not longint i think. i thought they may be ascii compressed, it would take me 4 bits a number given equal distribution, but then 7 digit phone numbers wouldn't fit. also before D9 (byte where the search starts) is a plain ascii table and 14 bytes preceding D9 (i think they are a part of my index table) are:
30 31 32 33 34 35 36 37 38 39 FA B9 1D 00

which seems very odd to me. of course the table could also be encrypted...

i also tried to re the main application. ollydebugger didn't come up with anything workable so i figured the app is packed (actually, olly suggested it). tried ten or so unpackers, didn't come up with anything that works. tried to run it under softice, app detected it and refused to work. everything's been done on xp, i'm currently setting up a machine with 98 so i'll try with frogsice.

also tried debuggy. by looking through the cached strings, a lot of delphi is mentioned, also in one instance paradox. i figured that must be a paradox database, tried a couple of tools, didn't help. then i found out about WM_GETTEXT, but the window where phone number (and other data) appears is TPaintPanel type, and i don't think i can get the contents of that window with gettext (or can i?)

i'm currently all out of ideas. any help would be appreciated.
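
An added example (not part of the original post): a quick way to test encoding hypotheses for the 3-byte xx xx xx fields and the 14-byte prefix quoted above. The function names are hypothetical, and reading the last four prefix bytes as a little-endian integer is an assumption; three fields are too few to confirm a format, the check only shows which readings are consistent with 7-digit values.

```python
# Constructed sample: the three 3-byte fields quoted in the post.
SAMPLE_FIELDS = [bytes.fromhex(h) for h in ("EBEC45", "DAB720", "EFF27F")]
# The 14 bytes the post says precede the D9 start byte.
PREFIX = bytes.fromhex("30313233343536373839FAB91D00")


def packed_bcd(field):
    """Return the digit string if every nibble is 0-9, else None."""
    nibbles = [n for b in field for n in (b >> 4, b & 0x0F)]
    if any(n > 9 for n in nibbles):
        return None
    return "".join(str(n) for n in nibbles)


def candidates(field):
    """Decode one field under each hypothesis (hypothetical names)."""
    return {
        "uint_le": int.from_bytes(field, "little"),
        "uint_be": int.from_bytes(field, "big"),
        "bcd": packed_bcd(field),
    }


def hypotheses_fitting(fields, digits=7):
    """Hypotheses under which every field decodes to exactly `digits` digits."""
    fitting = []
    for name in ("uint_le", "uint_be", "bcd"):
        values = [candidates(f)[name] for f in fields]
        if all(v is not None and len(str(v)) == digits for v in values):
            fitting.append(name)
    return fitting


def split_prefix(prefix):
    """Split into the ASCII run and the trailing 4 bytes read as a
    little-endian integer (assumption: could be a count or an offset)."""
    return prefix[:-4].decode("ascii"), int.from_bytes(prefix[-4:], "little")


if __name__ == "__main__":
    for f in SAMPLE_FIELDS:
        print(f.hex(), candidates(f))
    print("fits 7 digits:", hypotheses_fitting(SAMPLE_FIELDS))
    print("prefix:", split_prefix(PREFIX))
```

Run against more fields copied from the file, a hypothesis that keeps producing plausible values for every record is worth pursuing; one that fails on a single record can be dropped.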