Can’t really parse decompressed data while the data is compressed. The true meat-and-potatoes of the SimCity 2000 data is in fact compressed. CNAM chunks may occur at the end of a file, but I have not seen any save that has that. The string in the CNAM chunk appears to be “dirty Pascal string”.
The idea behind Synalyze It! Is to support you in all the tasks that are related to analysis of binary files. Likewise, this manual is intended to help you make the most out of the application. In any case I'm interested in your feedback. Be it positive, if you miss something or any other improvement. Top reasons why people like Synalyze It!: 1. Can decypher the internal structures of many files, such as.zip,.tar and many 'savegame' files 2. Is ranked 4th while iBored is ranked 7th. The most important reason people chose Synalyze It! Is: You can even add your own grammar for a new file. Synalyze It!/Hexinator Grammars: SANS FOR518 - Mac Forensic Analysis HFS+ & Reference Sheet. OS X - Get Synalyze It! Windows/Linux - Get Hexinator here. HFS+ Volume Header Grammar. HFS+ Catalog File Grammar. HFS+ Attribute File Grammar.
Rounding out this week with another tool review for the Mac under OS X. Earlier this week, we reviewed our favorite disassembler, Hopper for OS X. Synalyze It! Pro is another invaluable tool that we depend on. This tool is a hex editor with some very very useful features in the GUI. Namely, it lets you “lasso” different bits of text and highlight them in different colors. While this might sound basic, it is amazingly useful for performing reverse engineering of protocols and other deep-level analysis tasks of textual data.
Recently, we have been doing quite a bit of protocol testing in the lab and this tool has proven itself again and again as invaluable. My favorite feature of the tool is available by highlighting some piece of data and right clicking to bring up a menu, then selecting “compare code pages”. This brings up a window in which the highlighted data is run through a bunch of encoding/decoding schemes and presented to you both as ASCII and as hex. This makes reversing simple encoding on text as easy pie and as quick as swatting a fly. In my recent protocol work, this was a feature I used over and over again to identify various components of the data stream and figure out how each was encoded as a part of a bigger puzzle.
Another feature we have come to love is the “Show Checksums” feature. This feature displays a wide variety of checksums for the data that is highlighted and updates the checksums in realtime. This makes it pretty easy to figure out if different fields are included in the protocol’s checksum activities and leads to faster, cleaner reversing. However, I do have a couple of things I would like to see as future features for this capability. For one, I would like to see additional checksum mechanisms added and perhaps even an interface for creating your checksum scripts or equations. Additionally, I would really like it if you could get realtime updates, but with a mechanism for selecting multiple data elements and not just single strings. I really thought this would work, but could not seem to selections to “stick” so that I could add multiples.
The real power of the tool is in the creation of the “grammar files”. This is an easy to use, intuitive and powerful mechanism for reversing. I still need to practice a bit more with the grammar definition mechanisms, but I can see where this will grow the product’s usefulness rapidly. The grammar definition could lend itself to a better toolbox in the GUI. It might be easier for beginners to learn to master this capability if an set of quick and easy tools were easily available without a bunch of menu navigation. However, the feature is still excellent and the tool remains a very powerful addition to our toolbox.
The link to the App Store has a variety of screenshots of the product if you want to check it out. The product retails for $25 in the App Store and a non-Pro version is available for $5 – however, note that it lacks many features of the Pro version that make it such a useful tool.
PS – MSI has no affiliation or relationship with the product and/or the developers.