I'm trying to create a minimal C example on a boot sector for educational purposes.
However, I noticed that my example was not being recognized as a boot sector because he magic 0x55aa bytes were not present as the 511th and 512th bytes.
Then, I investigated further, and it seems that this is because the .eh_frame section was getting included in the image, even though it was never mentioned in the linker script.
Why is that?
The exact setup is present here and reproduced below
build.sh:
as -ggdb3 -o entry.o entry.S
gcc -c -ggdb3 -nostartfiles -nostdlib -o main.o main.c
ld -o main.elf -T linker.ld entry.o main.o
ld --oformat binary -o main.img -T linker.ld entry.o main.o
qemu-system-x86_64 -hda main.img
linker.ld
ENTRY(mystart)
SECTIONS
{
.text : {
entry.o(.text)
*(.text)
*(.rodata)
*(.data)
/**(.eh_frame)*/
. = 0x1FE;
SHORT(0xAA55)
}
/* Reserve 16 MiB of stack. */
__stack_bottom = .;
. = . + 0x1000000;
__stack_top = .;
}
entry.S:
.text
.global mystart
mystart:
mov %rsp, __stack_top
call main
jmp .
main.c:
void main(void) {
while (1);
}
If I uncomment the .eh_frame frame above, then it gets included at the specified location, and things work, although it is not ideal and I would rather ignore that section completely.
But why does it try to include the .eh_frame in the final image if I never mention it?
I found out about .eh_frame by doing:
hd main.img
which gives:
00000000 14 00 00 00 00 00 00 00 01 7a 52 00 01 78 10 01 |.........zR..x..|
00000010 1b 0c 07 08 90 01 00 00 1c 00 00 00 1c 00 00 00 |................|
00000020 27 00 00 00 06 00 00 00 00 41 0e 10 86 02 43 0d |'........A....C.|
00000030 06 00 00 00 00 00 00 00 48 89 24 25 38 02 00 01 |........H.$%8...|
00000040 e8 02 00 00 00 eb fe 55 48 89 e5 eb fe 66 2e 0f |.......UH....f..|
00000050 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
00000060 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
00000070 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
00000080 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
00000090 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f |...f.........f..|
000000a0 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
000000b0 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
000000c0 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
000000d0 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
000000e0 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f |...f.........f..|
000000f0 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
00000100 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
00000110 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
00000120 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
00000130 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f |...f.........f..|
00000140 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
00000150 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
00000160 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
00000170 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
00000180 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f |...f.........f..|
00000190 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
000001a0 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
000001b0 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
000001c0 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
000001d0 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f |...f.........f..|
000001e0 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 |.......f........|
000001f0 00 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 |.f.........f....|
00000200 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 |.....f.........f|
00000210 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 |.........f......|
00000220 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 0f 1f |...f.........f..|
00000230 84 00 00 00 00 00 55 aa |......U.|
00000238
and then:
objdump -D main.o
which contains:
Disassembly of section .eh_frame:
0000000000000000 <.eh_frame>:
0: 14 00 adc $0x0,%al
2: 00 00 add %al,(%rax)
4: 00 00 add %al,(%rax)
6: 00 00 add %al,(%rax)
8: 01 7a 52 add %edi,0x52(%rdx)
b: 00 01 add %al,(%rcx)
d: 78 10 js 1f <.eh_frame+0x1f>
f: 01 1b add %ebx,(%rbx)
11: 0c 07 or $0x7,%al
13: 08 90 01 00 00 1c or %dl,0x1c000001(%rax)
19: 00 00 add %al,(%rax)
1b: 00 1c 00 add %bl,(%rax,%rax,1)
1e: 00 00 add %al,(%rax)
20: 00 00 add %al,(%rax)
22: 00 00 add %al,(%rax)
24: 06 (bad)
25: 00 00 add %al,(%rax)
27: 00 00 add %al,(%rax)
29: 41 0e rex.B (bad)
2b: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi)
31: 00 00 add %al,(%rax)
33: 00 00 add %al,(%rax)
35: 00 00 add %al,(%rax)
...
so we can see that in the hd main.img, the first bytes are exactly the same as those in .eh_frame, and the image size is 512 + sizeof(.eh_frame) instead of the expected 512.
Tested on Ubuntu 18.04, GCC 7.3.0, binutils 2.30.
Related
I want to apply a certain modification on a bunch of stl files. So I wrote an openSCAD program and wanted to script from the command line, but it doesn't work and I can't figure out why.
According to the man page, I thought the following command would work but it doesn't (Ah, also I use an appimage version of openSCAD (for in case it would be important):
OpenSCAD-2021.01-x86_64.AppImage -o [OUTPUT FILE NAME] 'myscript.scad' -D filename=[INPUT FILE NAME]
However, it appears, the -D options doesn't do what I expect. So I made a little test script:
echo ("START");
filename1="cube.stl";
echo(filename1=filename1, filename2=filename2);
minkowski() {
import(filename1);
sphere(r=1, $fn=24);
}
translate([30, 0, 0])
minkowski() {
import(filename2);
sphere(r=1, $fn=24);
}
If I test myscript.scad with the gui version of openSCAD, it gives the following result (which is expected):
Compiling design (CSG Tree generation)...
ECHO: "START"
WARNING: Ignoring unknown variable 'filename2' in file test.scad, line 5
ECHO: filename1 = "cube.stl", filename2 = undef
WARNING: Ignoring unknown variable 'filename2' in file test.scad, line 14
Compiling design (CSG Products generation)...
ERROR: Unsupported file format while trying to import file '""', import() at line 14
Geometries in cache: 5
Geometry cache size in bytes: 128056
CGAL Polyhedrons in cache: 0
CGAL cache size in bytes: 0
Compiling design (CSG Products normalization)...
Normalized tree has 2 elements!
Compile and preview finished.
Total rendering time: 0:00:00.177
However, if I test it in command line, no value is initialized, and by the way, I have no idea what are both those warning on line 19 and 20 while my scad file only has 16 lines:
MyPrompt> ./OpenSCAD-2021.01-x86_64.AppImage -o 'test.stl' 'test.scad' -D filename1=cube.stl -D filename2=cube.stl
WARNING: Ignoring unknown variable 'cube' in file test.scad, line 19
WARNING: Ignoring unknown variable 'cube' in file test.scad, line 20
ECHO: "START"
ECHO: filename1 = undef, filename2 = undef
ERROR: Unsupported file format while trying to import file '""', import() at line 8
Geometries in cache: 4
Geometry cache size in bytes: 118112
CGAL Polyhedrons in cache: 1
CGAL cache size in bytes: 1362752
Total rendering time: 0:00:00.854
Top level object is a 3D object:
Simple: yes
Vertices: 576
Halfedges: 3168
Edges: 1584
Halffacets: 2024
Facets: 1012
Volumes: 3
For reference the cube.stl was made with the cube(); command and contains:
00000000 4f 70 65 6e 53 43 41 44 20 4d 6f 64 65 6c 0a 00 |OpenSCAD Model..|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000050 0c 00 00 00 00 00 00 80 00 00 00 00 00 00 80 3f |...............?|
00000060 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 80 3f |.......?...?...?|
*
00000080 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 00 00 |...?............|
00000090 80 3f 00 00 80 3f 00 00 00 00 00 00 80 3f 00 00 |.?...?.......?..|
000000a0 00 00 00 00 80 3f 00 00 80 3f 00 00 00 00 00 00 |.....?...?......|
000000b0 00 00 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 |.....?..........|
000000c0 00 00 80 bf 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 80 3f 00 00 80 3f 00 00 00 00 00 00 80 3f |...?...?.......?|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 |................|
000000f0 00 00 00 00 80 bf 00 00 80 3f 00 00 80 3f 00 00 |.........?...?..|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 00 00 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 |.....?..........|
00000120 00 00 80 bf 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 80 3f 00 00 00 00 00 00 80 3f |.......?.......?|
00000140 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 00 00 |...........?....|
00000150 00 00 00 00 80 bf 00 00 00 80 00 00 80 3f 00 00 |.............?..|
00000160 00 00 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 |.....?..........|
*
00000180 00 00 80 3f 00 00 00 80 00 00 00 00 00 00 80 3f |...?...........?|
00000190 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 80 3f |.......?...?...?|
*
000001b0 00 00 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 |.....?..........|
000001c0 80 3f 00 00 80 3f 00 00 00 00 00 00 80 3f 00 00 |.?...?.......?..|
000001d0 00 00 00 00 80 3f 00 00 80 3f 00 00 00 00 00 00 |.....?...?......|
000001e0 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 00 80 |...........?....|
000001f0 00 00 80 3f 00 00 80 3f 00 00 00 00 00 00 00 00 |...?...?........|
00000200 00 00 80 3f 00 00 80 3f 00 00 80 3f 00 00 80 3f |...?...?...?...?|
00000210 00 00 80 3f 00 00 00 00 00 00 00 00 80 3f 00 00 |...?.........?..|
00000220 00 00 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 |.........?...?..|
00000230 80 3f 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 |.?...?..........|
00000240 80 3f 00 00 00 00 00 00 00 00 80 bf 00 00 00 00 |.?..............|
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000260 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 00 00 |.......?...?....|
00000270 00 00 80 3f 00 00 00 00 00 00 00 00 80 bf 00 00 |...?............|
00000280 00 80 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 |.............?..|
00000290 80 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.?..............|
000002a0 00 00 00 00 00 00 00 00 80 3f 00 00 |.........?..|
Ok, Got it :
The problem comes from the fact that openSCAD wants to receive string with the quotation marks. However, the shell will try to eat them. So, the correct calling syntax will be :
MyPrompt> ./Téléchargements/OpenSCAD-2021.01-x86_64.AppImage -o 'test.stl' 'test.scad' -D filename1='"cube.stl"' -D filename2='"cube.stl"'
ECHO: "START"
ECHO: filename1 = "cube.stl", filename2 = "cube.stl"
Geometries in cache: 4
Geometry cache size in bytes: 136832
CGAL Polyhedrons in cache: 1
CGAL cache size in bytes: 1524416
Total rendering time: 0:00:01.021
Top level object is a 3D object:
Simple: yes
Vertices: 672
Halfedges: 3536
Edges: 1768
Halffacets: 2200
Facets: 1100
Volumes: 3
This also explains the warnings, because it wasn't try to interpret cube.stl as a string, but as a variable name in dot notation (so the main variable name was indeed cube).
I'm currently trying to extract the raw payload from an ICMP packet.
I've managed to trim it down to the format I like (without the first 5 characters on each line and without the ....... stuff).
Original format:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......thing.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
Scripts:
awk '{x="";x=substr($0,5,50);gsub(/ +/,"",x);print x}' nontrimmed.txt > raw.txt
tr -d "\n" < raw,txt > newraw.txt
Result:
cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc....ect
However, I'd like to get a specific number of bytes every x characters - i.e this:
ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00
00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5
63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00
09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00
94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67
55 54 09 00 03 d3 e3 cf 5f e7
Would become this:
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
Instead of this:
cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc....ect
But for multiple different ones of the same format:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......flag.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b c...[P......_ux.
0030 00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7 ............;.}.
0040 30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa 0..S...:..L|....
0050 54 86 4d 24 19 58 c5 a9 b1 4d T.M$.X...M
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf c...>......VL...
0030 42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67 B"*R.u......+..g
0040 74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8 tZ.p..'5!....^..
0050 56 f9 05 05 3d 3e 80 3f 68 23 V...=>.?h#
Any ideas? Thanks!
Is this what you're trying to do?
$ awk -v OFS= '{$1=$NF=""; x=x $0} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
The above was run against your "Original format" input file:
$ cat file
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......thing.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
If your input file can contain multiple records then:
$ awk -v OFS= '{$1=$NF=""; $0=$0; x=x $0} !NF{print substr(x,85); x=""} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
e3cf5f75780b000104e803000004e80300003bc17db7300bce531e99d23a1b834c7cbecdeffa54864d241958c5a9b14d
dd564c0011bf42222a528675010ae29090f52becd067745a177005b6273521cf98fba25e82a856f905053d3e803f6823
That second script was run against the block of 3 records under "But for multiple different ones of the same format:" at the end of your question but you didn't provide the expected output for it so idk if that's the expected output or not:
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00 c.........PK....
0030 09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00 .......Q..8.mp..
0040 94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67 .r......flag.jpg
0050 55 54 09 00 03 d3 e3 cf 5f e7 UT......_.
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b c...[P......_ux.
0030 00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7 ............;.}.
0040 30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa 0..S...:..L|....
0050 54 86 4d 24 19 58 c5 a9 b1 4d T.M$.X...M
0000 ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00 ..............E.
0010 00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 .L....#..H......
0020 63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf c...>......VL...
0030 42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67 B"*R.u......+..g
0040 74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8 tZ.p..'5!....^..
0050 56 f9 05 05 3d 3e 80 3f 68 23 V...=>.?h#
My managed process is suspected to have caused a BSOD at a client site. I received a full memory dump (i.e.: including kernel, physical pages only) - but still am not able to inspect my process' stacks.
After switching to my process context -
.process /p /r <MyProcAddress>
I see only -
1: kd> k
# ChildEBP RetAddr
00 b56e3b70 81f2aa5d nt!KeBugCheckEx+0x1e
01 b56e3b94 81e7b68d nt!PspCatchCriticalBreak+0x71
02 b56e3bc4 81e6dfd1 nt!PspTerminateAllThreads+0x2d
03 b56e3bf8 8d48159a nt!NtTerminateProcess+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
04 b56e3c24 81c845e4 klif+0x7559a
05 b56e3c24 77da6bb4 nt!KiSystemServicePostCall
06 0262f34c 00220065 ntdll!KiFastSystemCallRet
07 0262f390 003e0022 0x220065
08 0262f394 0073003c 0x3e0022
09 0262f398 00730079 0x73003c
0a 0262f39c 006e003a 0x730079
0b 0262f3a0 006d0061 0x6e003a
0c 0262f3a4 00200065 0x6d0061
0d 0262f3a8 00610076 0x200065
0e 0262f3ac 0075006c 0x610076
0f 0262f3b0 003d0065 0x75006c
10 0262f3b4 00770022 0x3d0065
11 0262f3b8 006e0069 0x770022
12 0262f3bc 006f0077 0x6e0069
13 0262f3c0 00640072 0x6f0077
14 0262f3c4 00200022 0x640072
...
Which is natural for managed process. SOS extension does not work for kernel dumps.
Is there anything I can do to view the throwing managed stack? It was previously said to be 'much more difficult', but hopefully not impossible.
PS.
I'm aware of the presence of Kaspersky driver kilf.sys in the stack, and this is my personal suspect. But the question is more general - hopefully there's a way to understand what my process was doing at the time.
the stack as you posted is not correct
it appears to be overwritten or is a result of some other artefact
with such a stack details you will have a hard time deciphering
anything useful at all
the contents of stack converted to a printable range in english looks like this
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 3E 00 22 00 22 00 65 00 73 00 3C 00 3E 00 22 .>.".".e.s.<.>."
00000010 00 73 00 79 00 73 00 3C 00 6E 00 3A 00 73 00 79 .s.y.s.<.n.:.s.y
00000020 00 6D 00 61 00 6E 00 3A 00 20 00 65 00 6D 00 61 .m.a.n.:. .e.m.a
00000030 00 61 00 76 00 20 00 65 00 75 00 6C 00 61 00 76 .a.v. .e.u.l.a.v
00000040 00 3D 00 65 00 75 00 6C 00 77 00 22 00 3D 00 65 .=.e.u.l.w.".=.e
00000050 00 6E 00 69 00 77 00 22 00 6F 00 77 00 6E 00 69 .n.i.w.".o.w.n.i
00000060 00 64 00 72 00 6F 00 77 00 20 00 22 00 64 00 72 .d.r.o.w. .".d.r
try !analyze -v and see what is the bsod analysis results
Number in HEX is: 3EB8 EDFE 19FE
I know it means 16.131 in DEC, but I don't know how it's encoded.
I checked if it's BCD, IEE 754 or integer, but none of those worked.
EDIT: It's from Parkin Elmer Clarus 400 chromatograph. This data contains time in minutes.
EDIT2: Here is part of parsed data, I only have one example:
Peak Component Time Area ISTD Resp ISTD Component glycerol
# Name [min] [uV*sec] Ratio Name Amount
4 glicerol 3,823 52377,25 0,316 butanotriol 0,0159
5 butanotriol 5,267 165539,60 1,000 ----------
suma mono 16,131 2086652,93 0,489 mono C19 0,4887
And here are corespodning parts of raw data:
67 6C 69 63 65 72 6F 6C FF FF FF FF 00 00 00 04 glicerol˙˙˙˙....
00 00 00 00 00 00 00 00 00 00 00 00 86 95 E6 F4 ............†•ćô
3F 40 7E AD 2D CE E1 7C 3F 90 47 23 62 CD D1 20 ?#~.-Îá|?.G#bÍŃ
3F 24 AB 9A DF CC 8E 91 3F D4 3F F2 F7 93 40 52
3F C9 6F 26 00 00 00 00 00 00 00 00 74 CB ED 69
40 0A 5A BC 13 46 09 AC 41 54 1A F3 A6 C3 FE 05
C0 A1 AB 83 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 3B
00 00 0F 6D 00 00 0F D3 00 4A 28 80 00 7D BD 1A
00 4A 7E 4C 26 4A 16 A5 40 73 80 A7 00 00 00 00
40 73 C0 00 4B 83 8C 12 40 74 42 C7 CB 2C BB 1F
41 04 35 1C EA 62 D1 6A 40 DE 7D C4 00 00 00 00
00 00 00 07 00 00 00 80 00 00 00 67 00 00 00 81
00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 00
00 00 00 0B 62 75 74 61 6E 6F 74 72 69 6F 6C 00 ....butanotriol.
FF FF FF FF FF FF FF FF 00 00 00 01 00 00 00 00 ˙˙˙˙˙˙˙˙........
00 00 00 00 8A 95 47 69 3F 5A 10 F0 00 00 00 00 ....Š•Gi?Z.đ....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3F F0 00 00 00 00 00 00 3F F0 00 00 00 00 00 00 ?đ......?đ......
00 00 00 00 A0 E8 FC 91 40 12 27 A5 BD 8C D6 B0
41 50 62 7A 34 5A FA AA 40 9C 49 2B 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 16 7C 00 00 16 E8 00 00 16 ED
00 4D 8C D8 03 B4 0E 0F 03 9D 5F AA C2 8F 5C 29
40 7C C8 F5 71 CB 11 FD 40 7D 53 58 56 D6 7F A3
40 7D 5A 4B EA 10 78 82 41 41 1C 1A 6D 3D 44 F7
41 1F E5 8C 00 00 00 01 00 00 00 02 00 00 00 6E
00 00 00 64 00 00 00 6F 00 00 00 00 00 00 00 72
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF
FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00
88 30 F9 69 3F 96 12 04 84 DC 1A D0 40 01 F0 DF
47 2F E1 08 3F 96 C8 38 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CD CA D9 96 40 1A F5 01 D4 4E 32 45 C1 78 D2 E7
74 5D 17 46 40 F0 7E 09 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 16 ED 00 00 16 F6 00 00 16 FA 03 9D 5F AA
03 F4 EA 71 03 E0 F9 FB 56 D6 7F A3 40 7D 5A 4B
88 CF 98 C1 40 7D 65 32 7A 5F 43 F9 40 7D 6A EC
E1 92 F1 30 41 21 24 D6 52 75 CC 80 41 21 20 40
00 00 00 01 00 00 00 02 00 00 00 6E 00 00 00 64
00 00 00 6F 00 00 00 00 00 00 00 72 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
73 75 6D 61 20 6D 6F 6E 6F 00 00 00 00 00 00 02 suma mono.......
00 00 00 01 51 EB 85 1F 40 8E 3E B8 ED FE 19 FE ....Që….#Ž>¸íţ.ţ
41 3F D6 FC F1 41 FD 57 41 18 42 2A 4A C8 FD 16 A?ÖüńAýWA.B*JČý.
41 3B 96 32 3C 2C 44 95 41 13 F2 D1 FF FF FF FF A;–2<,D•A.ňŃ˙˙˙˙
00 00 00 1E 00 00 00 02 69 85 75 9B 3F 94 89 17 ........i…u›?”‰.
08 08 4F F0 3F DF 47 16 39 EC E5 8C 3F 73 DB DD ..Ođ?ßG.9ěĺŚ?sŰÝ
08 08 4F EF 3F DF 47 16 08 08 4F F0 3F DF 47 16 ..Oď?ßG...Ođ?ßG.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
I'm trying to change key and key settings but always getting same error.
List of my commands:
-----Authenticate
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
Command: 0A 00
Response: AF 8B 95 99 DC C7 71 F4 DB
RndB: 8B 95 99 DC C7 71 F4 DB
Decrypted RndB:3E 48 AA 0B D6 1F 2E EA
Shifted:48 AA 0B D6 1F 2E EA 3E
RnbA: 5A AC 38 6E 0E 0B 80 F4
RnbAB:5A AC 38 6E 0E 0B 80 F4 48 AA 0B D6 1F 2E EA 3E
Encrypted RndAB:F7 69 E9 95 DF A2 3E A0 5D 5F 47 A9 6A 15 40 AD
Command: AF F7 69 E9 95 DF A2 3E A0 5D 5F 47 A9 6A 15 40 AD
Response: 00 1F 59 B1 E0 AC FC BD 3E
newRnbA:1F 59 B1 E0 AC FC BD 3E
decrypted newRnbA: AC 38 6E 0E 0B 80 F4 5A
Session key: D9 1C AD FD 8D 2A 61 41 DA 5F 54 3C 7C EF 5D 37 D9 1C AD FD 8D 2A 61 41
-----ChangeKeySettings
Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
Session key: D9 1C AD FD 8D 2A 61 41 DA 5F 54 3C 7C EF 5D 37 D9 1C AD FD 8D 2A 61 41
New Key Setting
Crc: A9 09
Decrypted data: 0F 09 A9 00 00 00 00 00
Encrypted data: 68 31 80 24 AE 26 43 B5
Command: 54 68 31 80 24 AE 26 43 B5
Response: 1E 90 00
-----ChangeKey
Old Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Vector: 00 00 00 00 00 00 00 00
New key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80
CRC: 89 FF
Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 FF 89 00 00 00 00 00 00
CryptogramEcn: 95 6D E0 F8 8F 26 83 96 E6 5D 1C 88 9E 9D EA 89 9E 8D A5 61 19 F7 90 48
Command: C4 00 95 6D E0 F8 8F 26 83 96 E6 5D 1C 88 9E 9D EA 89 9E 8D A5 61 19 F7 90 48
Response: 1E 90 00
Encription method is: 2K3DES
Q1: is my crc16 is right?
Q2: is my encryption is right?
Q3: If yes, what is wrong?
I'm hoping on fast help.
Thank you