© 2024 R-Tools Technology Inc.
All rights reserved.
You may create your own patterns yourself.
An example of a commented pattern parsing an AVI file.
The syntax of pattern description is similar to that of the XML language. The folder where the files should be placed is specified on the Main tab of the Settings dialog box.
Pattern header
Each pattern starts with a standard header
<?xml version="1.0" encoding="utf-8"?>
Section template
Each pattern starts with a section giving to the pattern a name that will be shown in the parsed data pane.
Attributes :
name |
Specifies the pattern name shown in the parsed data pane |
<template name="AVI File LIST">
........
</template>
Section signature
Attributes :
align <positive integer> |
Specifies if the data structure address is aligned (i.g., by a sector: 512) |
This section contains elements field with hex-codes of the signature. The attribute offset specifies their offset from the start of the record. Field length is equal to the number of hex-codes.
<signature align="1">
<field offset="0">46 49</field>
<field offset="2">4c 45</field>
</signature>
Section section
Such sections contain all expressions and operations needed for the pattern to parse the data. A section name is shown in the parsed data pane. In fact, sections are virtual objects used to group logically connected field s. Sections can be nested.
The main section is not shown in the parsed data pane.
Section contain elements field which are actual data objects. field names are shown in the parsed data pane with their values.
Attributes :
name |
Specifies the pattern name shown in the parsed data pane |
<section name="JUNK">
....
</section>
Data types (in field )
• integer
Sub-types:
int8
int16
int32
int64
uint8
uint16
uint32
uint64
uintX
Attributes:
endian: (be | le | system) |
Optional. Default: system . |
base: (decimal | hex | octal) |
Optional. Specifies data representation. Default: decimal . |
as-offset: <expression> |
Optional. Specifies that this field is an offset and its value should be evaluated using the expression. A special variable this returns the value of this field. |
purpose: (offset | rsector |sector | cluster | rcluster) |
Optional. Specifies the type of the as-offset expression result . If this attribute is present, the attribute is necessary if the offset value should differ from the value of this field (variable this ). rsector and rcluster are offsets relative to the absolute position of the pattern beginning. |
assigned-template: <TemplateName> |
Specifies the pattern name linked with this field. Ignored if the as-offset or purpose attributes are not specified. |
var: <Name> |
Optional. Specifies the name under which the value of this field can be accessed in expressions. |
• binary
Attributes:
display-encoding: (hex | binary) |
Optional. Default: hex . |
size: <bytes> |
Mandatory. |
• char
Attributes:
size: <bytes> |
Mandatory. |
codepage: (ansi | oem | utf8 | utf16) |
Optional. Specifies which codepage is used. Default: ansi . |
• filetime
Shows time in the Win32 format (64 bits)
• unixtime
Shows time in the Unix format (seconds from 01/01/1970)
• filetime
Shows time in the DOS format (date: hiword, time: loword)
• bits
Attributes:
size: <bytes> |
Mandatory. |
pos: <comma separated list of bit positions> |
Mandatory. Specifies bit positions in a data block. |
Commands
• goto
Specifies a jump to a specified offset (either absolute or relative one)
Attributes:
address: <expression> |
Specifies an absolute address to jump to. |
offset: <expression> |
Specifies a relative offset to jump by. |
One and only one of the attributes should always be specified.
• if
Evaluates a condition specified in the test attribute and, if the condition is true, reads fields specified in this tag.
Attribute:
test: <expression> |
Sets a condition to test against. |
• repea t
Reads the fields specified in the tag until the exit condition is equal to 0 or specified times
Attributes:
count: <expression> |
<expression> is evaluated one time upon entering the block. Internal elements are read the specified number of times. |
test: <expression> |
<expression> is evaluated upon entering the block. Similar to the C++ construction while(...) {} . |
test: <expression> |
<expression> is evaluated upon exiting the block. Similar to the C++ construction do {} while(...) . |
• setvar
Sets the value of an internal variable. As an example, this command is convenient to store the current offset. The value of the current offset is stored in a predefined variable offset .
Attributes:
var: <string> |
Specifies the name of the variable. |
expr: <expression> |
Specifies an expression which result will be assigned to the variable. |
Expressions
Expressions in the patterns are arithmetic expressions which syntax is similar to that of the C language, including operation preceding.
The following operations are supported:
+ - * / & | > < <= >= != == || &&
Predefined variables
• offset
An offset in bytes from the pattern beginning data is currently read at.
• start_position
An absolute position of the pattern beginning. offset + start_position = absolute offset.
• this
This variable exists only within the context of the ass-offset expression evaluation and is the current value of the data field for which that expression is specified