{"id":3829,"date":"2016-09-18T00:13:30","date_gmt":"2016-09-18T00:13:30","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3829"},"modified":"2016-09-18T00:18:07","modified_gmt":"2016-09-18T00:18:07","slug":"dexray-1-7-ccsubsdk-files-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/18\/dexray-1-7-ccsubsdk-files-part-2\/","title":{"rendered":"DeXRAY 1.7 \u2013 ccSubSdk files &#8211; part 2"},"content":{"rendered":"<p>I have added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties &#8211; at first I noticed that there are many GUID-like values that appear in the files many times and across many files. Then, looking at the layout, I tried to split the data by using these GUIDs as dividers &#8211; this was helpful and led to a better understanding of how these chunks are structured. Some patterns started emerging and in the end the serialization character of the file layout became more apparent. Through trial and error I put together a raw parser that attempts to make better sense of the data records.<\/p>\n<p>The tool stores the hexadecimal dumps of the interpreted data in .met files that now accompany all decrypted out files for both submission.idx and actual submission files. You will find errors in some of the output files, but at the moment it&#8217;s the best it can do. 
Work in progress \ud83d\ude42<\/p>\n<p>The output is tagged using\u00a0 &#8216;###&#8217; f.ex.:<\/p>\n<pre><strong>### GUID<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 21 A3 05 3F B7 43 78 45 93 C8 CD C5 F6 4A 14 9A\u00a0 !..?.CxE.....J..\r\n09\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 22 00 00 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"...\r\n\r\n06\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 01 00 00 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ....\r\n\r\n06\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 01 00 00 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ....\r\n\r\n07\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 13 00 00 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ....\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 4D 72 43 6C 65 61 6E 20 53 75 62 6D 69 73 73 69\u00a0 MrClean Submissi\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 6F 6E 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 on.\r\n\r\n<strong>### STRING-A<\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 MrClean Submission<\/pre>\n<p>The following identifiers are now being used:<\/p>\n<ul>\n<li>STRING-A &#8211; String ANSI<\/li>\n<li>STRING-W &#8211; String Wide 
(Unicode-16LE)<\/li>\n<li>BLOB &#8211; binary blob<\/li>\n<li>GUID &#8211; 16-byte-long GUID-like data<\/li>\n<\/ul>\n<p>The latest version of <a href=\"https:\/\/hexacorn.com\/download.php?f=DeXRAY.pl\">DeXRAY can be found here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties &#8211; at first I noticed that there are many GUID-like values that appear &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/09\/18\/dexray-1-7-ccsubsdk-files-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,15,12,21,19,46,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3829"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3829"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3829\/revisions"}],"predecessor-version":[{"id":3833,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3829\/revisions\/3833"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3829"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}