[mdlug] Reverse-engineering data protocols

Ingles, Raymond Raymond.Ingles at compuware.com
Thu Mar 3 14:22:40 EST 2011


> From: David McMillan

>      Unfortunately, so far I can't get the client to stream data to
> anything except the proprietary server.  There's some sort of initial
> handshake between the two that so far is beyond my (nearly-nonexistent)
> TCP/IP skills to figure out, much less duplicate.  I have determined to
> my satisfaction that just opening the correct port and listening on it
> isn't enough.

Well, there's one other option if you can't reverse-engineer the
handshake. Set up a virtual machine on Linux, running Windows. Run the
logging software in there. Export the drive so that the Linux host can
read it. Have the Linux host watch for data files and copy them off
somewhere safe.


>      Yeah, I thought that, given the two files, it should be doable.
> The problem is, I put the two side-by-side and there's nothing visible
> that relates the two, no loose ends to grab onto.  I might as well be
> looking at two files in English and Japanese for all the connections I
> can draw between them.  The primary reason I approached the list was in
> the hopes that there might be some key insight to serve as a starting
> point.  Someone with more experienced eyes might look at this and see a
> pattern where all I see is white noise.

 Well, if the raw file is just binary floats (with possibly integer
timestamps) then you'll have some work to do. Write a simple program
that'll take different 4-byte chunks, interpret them as a float, and
print them out (possibly with the endianness flipped). Compare the
values with the numbers in the text file, and see if they match up. If
so, look at the bytes immediately around the bytes you've identified,
and see if they can be interpreted as a timestamp. (They should
increment...)

 Sincerely,

 Ray Ingles                                   (313) 227-2317

   Microsoft Windows - Putting new limits on productivity.


The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.
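The byte-scanning procedure Ray describes above, written out as an added example (this is not code from the original post, and it assumes nothing about the real logger's format). It constructs a stand-in "raw" file with a 6-byte header followed by records of a 32-bit timestamp and a 32-bit float, little-endian, plus the readings the text export would show; on the real files you would read both from disk instead. It then tries every byte offset as a 4-byte float in both byte orders, keeps the ones that match a known reading, derives the record size from the spacing of the matches, and tests the 4 bytes before and after each match as an unsigned integer that must increase from record to record, as Ray suggests a timestamp should.

```python
import struct
from math import isclose

# Constructed sample data (an assumption, not the poster's real files): a
# 6-byte header, then 8-byte records of <uint32 timestamp><float32 reading>,
# little-endian.  The text export is assumed to list only the readings.
TEXT_READINGS = [12.5, 12.75, 13.0, 13.5, 14.25]
RAW_FILE = b"HDR\x00\x10\x00" + b"".join(
    struct.pack("<If", 1_000_000 + i * 60, v) for i, v in enumerate(TEXT_READINGS)
)

ENDIAN = {"little": "<", "big": ">"}


def scan_floats(raw, targets, tol=5e-3):
    """Treat every byte offset as a 4-byte float in both byte orders and keep
    the ones within tol of a value from the text file.  tol should be about
    half the last printed digit of the text export, since the text is rounded."""
    hits = []
    for off in range(len(raw) - 3):
        for name, prefix in ENDIAN.items():
            val = struct.unpack(prefix + "f", raw[off:off + 4])[0]
            # isclose() is False for NaN/inf, so garbage decodes drop out here
            if any(isclose(val, t, abs_tol=tol, rel_tol=0.0) for t in targets):
                hits.append((off, name, val))
    return hits


def record_stride(hits):
    """If the matched floats sit at a constant spacing, that spacing is the
    record size.  Returns None when the offsets are irregular."""
    offs = sorted(o for o, _, _ in hits)
    gaps = {b - a for a, b in zip(offs, offs[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def timestamp_candidates(raw, hits):
    """Read the 4 bytes just before and just after each matched float as an
    unsigned 32-bit integer in both byte orders and report the placements
    that give a strictly increasing sequence across all records.  A placement
    that runs off the end of the file for some record is rejected: a real
    timestamp field has to exist for every record."""
    offs = sorted(o for o, _, _ in hits)
    found = []
    for place, delta in (("before", -4), ("after", +4)):
        for name, prefix in ENDIAN.items():
            values = []
            for o in offs:
                start = o + delta
                if start < 0 or start + 4 > len(raw):
                    break
                values.append(struct.unpack(prefix + "I", raw[start:start + 4])[0])
            if len(values) == len(offs) and all(a < b for a, b in zip(values, values[1:])):
                found.append((place, name, values))
    return found


if __name__ == "__main__":
    hits = scan_floats(RAW_FILE, TEXT_READINGS)
    for off, endian, val in hits:
        print(f"offset {off:4d}  {endian:6s}-endian float  {val}")
    print("record stride:", record_stride(hits))
    for place, endian, values in timestamp_candidates(RAW_FILE, hits):
        print(f"timestamps {place} the value, {endian}-endian: {values}")
```

On the constructed input this reports five little-endian float matches 8 bytes apart and a single surviving timestamp placement (the 4 bytes before each value, little-endian). The big-endian reading of the same bytes is discarded because the sequence is not monotonic, and the "after" placement is discarded because the last record would need 4 bytes that do not exist. With a real capture, keep the tolerance tied to the precision of the text export, and expect to revisit the float assumption if nothing matches: the logger may store scaled integers rather than floats.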
