amccormack.net

Things I've learned and suspect I'll forget.

Rebasing with xxd. How to extract only the section you want

Note: [update] I wrote this post a while ago, prior to learning about dd. This post provides a good example of how to use dd. And the challnge is fun.

I was recently working with xxd when I needed to remove the first 0x1410 bytes from a file. It turns out, you can do this by using the command:

xxd -s -0x1410 -r out2.hex > out2.raw

A bit longer explanation is below.

Lets say you have a text file called sample.text:

user@computer:~/workspace$ xxd sample.text 
0000000: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000010: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000020: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000030: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000040: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000050: 8383 8383 8383 8383 8383 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

All those pesky 0x83s are in the way and screwing up trying to render in vim or less. So lets write to a hex file, and start trimming up:

user@computer:~/workspace$ xxd sample.text > sample.hex
user@computer:~/workspace$ cat sample.hex
0000000: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000010: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000020: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000030: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000040: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000050: 8383 8383 8383 8383 8383 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

Now, use your favorite editor to remove from 0x00 through 0x50. Now this method only seems to work for every 16 bytes, so we'll have to manually replace 0x50 through 0x5A with a printable character, but 15 maximum edits isn't so bad.

user@computer:~/workspace$ cat sample.hex
0000050: 2020 2020 2020 2020 2020 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

Finally, run xxd again, this time using the reverse seek (see the xxd man pages for more info).

remnux@remnux:~/workspace$ xxd -r -s -0x50 sample.hex
          abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

Like I mentioned before, there seems to be a problem with seeking when address mod 16 != 0. If you have a way to get around that, feel free to leave a comment below.

published on 2012-12-09 06:08:59 by alex