Author Topic: Accessing multiple bytes inside bytearray?  (Read 3925 times)

Zvoni

  • Hero Member
  • *****
  • Posts: 2316
Re: Accessing multiple bytes inside bytearray?
« Reply #15 on: September 24, 2021, 02:36:15 pm »
I finally figured out what's been bugging me:

HashTypeBuf is an Array of Byte, and the OP uses it for the second parameter of XWF_GetHashValue.
As the docs state:
Quote
and a handle to the file (hItem) must be stored in the buffer at offset 4, i.e. directly after the DWORD value
There: Directly after the DWORD-Value.
A DWORD is 4 Bytes.
How in blazes is
HashTypeBuf[1] := hOpenResultAsBytes[0];
supposed to work?
Offset 4 would be HashTypeBuf[4] (0..3 would be the 4 Bytes for this DWORD Value)

EDIT: The original C-Declaration is
Code: C
BOOL XWF_GetHashValue(
   LONG nItemID,
   LPVOID lpBuffer
);
« Last Edit: September 24, 2021, 02:38:34 pm by Zvoni »
One System to rule them all, One Code to find them,
One IDE to bring them all, and to the Framework bind them,
in the Land of Redmond, where the Windows lie
---------------------------------------------------------------------
Code is like a joke: If you have to explain it, it's bad

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #16 on: September 24, 2021, 04:30:59 pm »
So you say it would make more sense like this:
Code: Pascal
hOpenResult := XWF_OpenItem(CurrentVolume, nItemID, $01); // Open the file; returns a handle, 0 means unsuccessful

// Generate the hash in XWF
HashTypeBuf[0] := $10;
Move(hOpenResult, HashTypeBuf[4], SizeOf(hOpenResult));
GetHashOK := XWF_GetHashValue(nItemID, @HashTypeBuf[0]);

What you said finally made sense to me. So thanks for that. Sadly the function still doesn't work. At this point the only thing I can think of is that the handle isn't stored correctly or something. As I iterated before, the numbers inside the array do not match the original handle from hOpenItem. It's probably because the number is too big to store in one byte (around 49 000 000). I don't know if I have to translate the big number into a hex value first or something. Something is still not quite right.
Thanks for the continued support, I really appreciate it. :)
I'll attach a picture with the values that are currently inside the buffer.

440bx

  • Hero Member
  • *****
  • Posts: 3944
Re: Accessing multiple bytes inside bytearray?
« Reply #17 on: September 24, 2021, 06:04:09 pm »
Quote
Sadly the function still doesn't work.

I'll attach a picture with the values that are currently inside the buffer.

You cannot expect the debugger to show you a DWORD stored in a byte array because the debugger is told that there is an array of bytes not DWORDs.  That's why it's showing a value that is "different" (it really isn't) than what you are expecting.  It's showing the last byte of the DWORD instead of the whole DWORD (as it should.)

Play with this little program and notice that if you hover over ByteArray, you'll get a "different" value than when you hover over DwordPtr.  The difference is just that when hovering over ByteArray, the debugger shows a byte arrangement, when hovering over DwordPtr, it shows the DWORD stored at ByteArray[4].
Code: Pascal
  1. {$APPTYPE       CONSOLE}
  2.  
  3. {$TYPEDADDRESS  ON}
  4.  
  5. {$LONGSTRINGS   OFF}
  6.  
  7. { --------------------------------------------------------------------------- }
  8.  
  9.  
  10. program _BytesAndDwords;
  11.  
  12. uses
  13.   Windows,
  14.  
  15.   sysutils
  16.   ;
  17.  
  18. var
  19.   ByteArray     : packed array[0..255] of byte;
  20.  
  21.   DwordPtr      : PDWORD;
  22.  
  23. const
  24.   HandleValue   = $76543210;      { large number                              }
  25.  
  26.  
  27. begin
  28.   writeln;
  29.   writeln;
  30.  
  31.   writeln('  HandleValue : ', '$' + IntToHex(HandleValue, 0));
  32.  
  33.   DwordPtr := PDWORD(@ByteArray[4]);
  34.  
  35.   DwordPtr^ := HandleValue;
  36.  
  37.   DwordPtr  := DwordPtr;          { to hover over DwordPtr in debugger        }
  38.  
  39.   writeln;
  40.   writeln('  HandleValue : ', '$' + IntToHex(DwordPtr^, 0));
  41.  
  42.   { note the difference with this                                             }
  43.  
  44.   ByteArray[4] := ByteArray[4];   { hover over ByteArray                      }
  45.  
  46.   writeln;
  47.   writeln('  HandleValue : ', '$' + IntToHex(ByteArray[4], 0));
  48.  
  49.  
  50.   writeln;
  51.   writeln;
  52.   writeln('press ENTER/RETURN to end this program');
  53.   readln;
  54. end.
  55.  

Note: line 33 and 35 could be combined into a single statement.  They are separate only for "demonstration" purposes.

HTH.
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #18 on: September 24, 2021, 07:11:55 pm »
OK, then first of all thanks to all who answered. Maybe the problem lies somewhere else then. Maybe I'll write to the developer again so I get the function to work properly. :)

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1312
    • Lebeau Software
Re: Accessing multiple bytes inside bytearray?
« Reply #19 on: September 24, 2021, 08:48:42 pm »
Quote
EDIT: The original C-Declaration is
Code: C
BOOL XWF_GetHashValue(
   LONG nItemID,
   LPVOID lpBuffer
);

Here is the rest of the documentation for that function:

https://www.x-ways.net/forensics/x-tensions/XWF_functions.html

Quote
Available in v16.8 and later. May be used to retrieve the hash value of a file if one has been computed or to get it computed if not. Whether or not a hash value has been computed previously can be checked separately by calling XWF_GetItemInformation if required (as prior to v19.7 this function did not check that and returned TRUE already if no I/O error occurred). To find out the type of hash value, call XWF_GetVSProp with XWF_VSPROP_HASHTYPE1 or XWF_VSPROP_HASHTYPE2.

When the function is called, the buffer is assumed to start with a DWORD value. That value determines what the function does. The same buffer will be used to accommodate the requested hash value when control is returned to the caller (if the function succeeds). The required buffer size depends on the hash type. The following DWORD values are currently defined:

  • Case 1: < 0x00000100:
    0x01: flag to retrieve the primary hash value
    0x02: flag to retrieve the secondary hash value, requires v18.0 SR-12, v18.1 SR-7, v18.2 SR-5, v18.3 SR-4 or later
    0x10: flag to make this function compute the requested value(s) during the call if the hash value is not stored in the volume snapshot yet, which requires v19.7 or later, and a handle to the file (hItem) must be stored in the buffer at offset 4, i.e. directly after the DWORD value

    Note that only v19.7 and later can retrieve or compute two hash values at the same time. The buffer must be large enough to accommodate both hash values. If two hash values are requested and retrieved, the first hash value will be stored at the start of the buffer (buffer offset 0). The offset in the buffer where the second hash value starts depends on the size (and thus the type) of the first hash value. Prior to v19.7 you needed two separate calls to retrieve both hash values.
  • Case 2: >= 0x00000100:
    Subject to change at any time (yes, literally): In v18.8 and later, this function may also be used to retrieve pre-computed PhotoDNA hash values from the volume snapshot. For that purpose the buffer must be filled with a DWORD value of 0x00000100 or greater. 0x00000100 retrieves the 1st, 0x00000101 the 2nd, 0x00000102 the 3rd, and 0x00000103 the 4th PhotoDNA hash value (only 1 at a time). Note that for most files with graphical data, if at all, X-Ways Forensics computes only 1 such hash value. More than 1 hash value may be present if the user requested additional matching attempts with horizontal flipping and/or if X-Ways Forensics is uncertain about the vertical orientation of certain TIFF files. Note that it depends on the user whether or not PhotoDNA hash values are permanently stored in the database, which is a precondition for this function to work. The buffer must have space for 144 bytes when retrieving PhotoDNA hash values. The function returns TRUE if a PhotoDNA hash value was available and actually copied into lpBuffer.

So, in this situation, I would NOT use a byte array at all, I would use a packed record instead, eg:

Code: Pascal
const
  HashSize = ...; // set as needed, depending on the hash size being requested...
type
  MyHashRec = packed record
    case Integer of
      0: (funcType: DWORD;
          hItem: THandle);
      1: (Hash1: array[0..HashSize-1] of Byte;
          Hash2: array[0..HashSize-1] of Byte);
  end;

var
  rec: MyHashRec;
  hOpenResult: THandle;
  ...
begin
  ...
  hOpenResult := XWF_OpenItem(CurrentVolume, nItemID, $01); // Open the file; returns a handle, 0 means unsuccessful
  ...
  rec.funcType := $10;
  rec.hItem := hOpenResult;
  GetHashOK := XWF_GetHashValue(nItemID, @rec);
  if GetHashOK then
  begin
    // use rec.Hash1 and rec.Hash2 as needed...
  end;
  ...
end;

« Last Edit: September 24, 2021, 08:57:36 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
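
The buffer layout discussed in this thread (the DWORD at offset 0, the handle at offset 4, and why one element of the byte array looks "different" from the handle), as an added example in C to match the quoted declaration. It is not code from any poster or from X-Ways; `build_hash_request`, `handle_view`, the `handle_size` parameter and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag values from the documentation quoted in the thread. */
#define HASH_PRIMARY 0x01u
#define HASH_COMPUTE 0x10u

/* Write v as n little-endian bytes, the in-memory order on Windows targets. */
static void put_le(uint8_t *p, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Read n bytes at offset 4 as one integer: the value at its real width. */
uint64_t handle_view(const uint8_t *buf, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)buf[4 + i] << (8 * i);
    return v;
}

/* Hypothetical helper: DWORD flags at offset 0 and, when HASH_COMPUTE is set,
 * the item handle at offset 4. handle_size (4 or 8) stands in for
 * sizeof(HANDLE) of the calling process; hash_bytes is the room the caller
 * expects the returned hash value(s) to need. Returns the number of request
 * bytes written, or 0 if buf cannot hold the request or the reply. */
size_t build_hash_request(uint8_t *buf, size_t cap, uint32_t flags,
                          uint64_t handle, size_t handle_size,
                          size_t hash_bytes) {
    size_t need = 4;
    if (flags & HASH_COMPUTE) {
        if (handle_size != 4 && handle_size != 8) return 0;
        need += handle_size;
    }
    if (buf == NULL || cap < need || cap < hash_bytes) return 0;
    memset(buf, 0, cap);                  /* no stale bytes around the fields */
    put_le(buf, flags, 4);                /* offsets 0..3: the DWORD */
    if (flags & HASH_COMPUTE) put_le(buf + 4, handle, handle_size);
    return need;
}

int main(void) {
    uint8_t buf[64];                      /* constructed sizes and handle value */
    size_t n = build_hash_request(buf, sizeof buf, HASH_COMPUTE, 0x76543210u, 4, 20);
    printf("request bytes: %zu, buf[4] alone: 0x%02X, value at offset 4: 0x%08llX\n",
           n, buf[4], (unsigned long long)handle_view(buf, 4));
    return 0;
}
```

The helper refuses a buffer that is too small for either the request or the expected hash, since the same buffer is overwritten with the result when the call returns.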

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #20 on: September 24, 2021, 10:32:08 pm »
First, thanks again. I had never heard of that data type and inserted the code in my project. I think all the values at run time are as intended. Still, the XWF_GetHashValue function gives back false and doesn't compute a hash into the buffer/record. At this point I don't know what I could be missing here. Before your last reply I wrote to the developers to ask if I'm missing something. Apart from that I don't really know what else I could do. :/

Zvoni

  • Hero Member
  • *****
  • Posts: 2316
Re: Accessing multiple bytes inside bytearray?
« Reply #21 on: September 25, 2021, 09:19:16 am »
Is the source code of the function available?

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #22 on: September 25, 2021, 11:21:32 am »
Just that API in this zip.

Zvoni

  • Hero Member
  • *****
  • Posts: 2316
Re: Accessing multiple bytes inside bytearray?
« Reply #23 on: September 25, 2021, 01:10:20 pm »
Something else: are you calling with cdecl or stdcall?
From what I could find, it's stdcall

https://github.com/hmrc/XT_XWF-2-RT/blob/master/XT_API.pas
« Last Edit: September 25, 2021, 01:12:23 pm by Zvoni »

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #24 on: September 25, 2021, 01:31:36 pm »
Yes, I think it's stdcall.

Thaddy

  • Hero Member
  • *****
  • Posts: 14197
  • Probably until I exterminate Putin.
Re: Accessing multiple bytes inside bytearray?
« Reply #25 on: September 25, 2021, 01:44:27 pm »
So you mean it is Windows only?
Usually, X platform, stdcall is not so "standard", cdecl is usually the standard....
Specialize a type, not a var.

Sestus

  • New Member
  • *
  • Posts: 14
Re: Accessing multiple bytes inside bytearray?
« Reply #26 on: September 25, 2021, 01:46:18 pm »
Yeah, I mean I use the API from the link. And I work on Windows, so for me it works.
