Worked Example
Here's a worked example using a music database file.
I have a USB key drive with seven MP3 files on it. They are categorised into two genres, four performers, four albums and three playlists.
Let's open the database file (using File -> Open) and show the result:
There are two hex panes displayed, we'll refer to the one on the left as the Master and the one on the right as the Slave. They both show the contents of the same open file.
Hanalyse currently has the following features:
From the Master:
- Tagging regions within the file
- Navigating to an absolute or relative offset (shown in Slave)
From the Slave:
- Finding an offset (shown in Master)
Lets go through these.
Tagging allows you to annotate the binary file with metadata.
I know, for instance, that every music database file I've looked at starts with:
4B 57 44 42 00 01 03 01
So let's select those first eight bytes in the Master, right click to bring up the context menu and select 'Tag'.
This brings up a dialog, that allows us to enter a name for the tag, a tag type, a tag role, and a comment.
We'll assume these first eight bytes are some sort of signature for the file type, so here's the details I've filled in.
More usefully, I've also looked at a number of music database files and found that the next two bytes:
07 00
Seem to encode the number of MP3 files found on the USB key (in little endian format). So let's tag that as well:
By varying the number of MP3 files (and therefore the number of genres, performers, albums and playlists), I've also worked out that some of the following little endian short integers encode these values as well (actually, they encode them +1, as there is always an empty entry to cater for files that don't have ID3 tags). So here they are:
You'll note that the tagged parts of the file are shown using highlighting, and that the tags we've entered are shown in a table down the side. If we select a tagged area in Master, the corresponding tag in the table is selected, and vice versa.
Finding and Navigating are two opposites of the same coin. Finding operates from Slave to Master, and Navigating operates from Master to Slave. We'll go through Finding first, as that's a more obvious operation.
If we scroll down on the Slave, we'll notice a bunch of strings that seem to encode the title information for each MP3 file on the USB key. If we select the first character of the first string, we can bring up the context menu and select "Find Offset".
This will search the file for a reference to that file offset. Using "Find again" will find the next reference. As you can see in the following image, the offset to the string is 0x0280 and a reference to that offset is found at 0x0044 - so we'll tag it as pointing to the start of the titles.
Following the list of titles (at 0x0464) is another list that seems to be a list of directories (in FAT 8.3 format), so we'll look for a reference to that also - it appears at 0x0048.
Now that we have two references to two tables, one after another (at 0x0044 and 0x0048), we'll move on to navigating.
Using the Master, we can select some data that we suspect might be an absolute or relative offset to another part of the file, and show that part of the file in the Slave.
Given that 0x0044 and 0x0048 are references, let's give 0x004c a try
To do this, simply use one of the following in the Master context menu:
- Show absolute offset, or
- Show relative offset
And then select either:
- Little endian, or
- Big endian
Since everything has been little-endian so far, lets select the data from 0x004c to 0x004f and use the context menu to select 'Show absolute offset -> Little endian'. The Slave has now highlighted the data at 0x04a0. Nicely, this seems to be the start of a list of MP3 file names (in FAT 8.3 format).
Let's tag all this good work:
And now let's save (using File -> Save Tags) so we can pick it up again after we've had a good lie down.
