Question

http://prntscr.com/2ctnoz

I'm hooking the WSASend function and dumping the packets. The ASCII dump works, but the HEX dump sometimes shows values like the ones in the screenshot (the FFFFFFDD). Any idea why?

code:

// Replacement for WSASend: when bLogPacketS is TRUE it prints a hex + ASCII
// dump of the first send buffer to stdout, then forwards the call unchanged
// to the original function through oWSASend and returns its result.
//
// Only lpBuffers[0] is dumped; dwBufferCount is not consulted, so any further
// buffers in a scatter/gather send never appear in the log.
// NOTE(review): the dump is the raw outgoing payload, so anything the process
// sends over this socket ends up in the console output - treat it as sensitive.
int WINAPI myWSASend(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesSent, DWORD dwFlags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
{   
    //Packet Log
    if (bLogPacketS == TRUE)
    {
        // Walks the buffer in rows of eight bytes.
        // NOTE(review): every row reads buf[i] .. buf[i+7] without comparing
        // those indices to len, so when len is not a multiple of 8 the last
        // row reads past the end of the buffer.
        for (unsigned int i = 0; i < lpBuffers->len; i = i + 8)
        {
            // NOTE(review): buf holds plain char. Where char is signed, a byte
            // of 0x80 or above is negative, and the (unsigned int) cast
            // sign-extends it, so %02X prints FFFFFFxx instead of xx.
            // The second group of arguments prints the byte itself when
            // drawable() accepts it and '.' otherwise.
            printf("%02X %02X %02X %02X %02X %02X %02X %02X\t\t%c %c %c %c %c %c %c %c\n",
                  (unsigned int)lpBuffers->buf[i], (unsigned int)lpBuffers->buf[i+1], (unsigned int)lpBuffers->buf[i+2],
                  (unsigned int)lpBuffers->buf[i+3], (unsigned int)lpBuffers->buf[i+4], (unsigned int)lpBuffers->buf[i+5],
                  (unsigned int)lpBuffers->buf[i+6], (unsigned int)lpBuffers->buf[i+7],
                  (drawable((unsigned int)lpBuffers->buf[i])) ? (unsigned int)lpBuffers->buf[i] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+1])) ? (unsigned int)lpBuffers->buf[i+1] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+2])) ? (unsigned int)lpBuffers->buf[i+2] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+3])) ? (unsigned int)lpBuffers->buf[i+3] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+4])) ? (unsigned int)lpBuffers->buf[i+4] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+5])) ? (unsigned int)lpBuffers->buf[i+5] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+6])) ? (unsigned int)lpBuffers->buf[i+6] : '.',
                  (drawable((unsigned int)lpBuffers->buf[i+7])) ? (unsigned int)lpBuffers->buf[i+7] : '.');
        }
        printf("\n\n");
    }
    // Hand the untouched arguments to the original WSASend.
    return (oWSASend)(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags, lpOverlapped, lpCompletionRoutine);
}

// Tells the dump whether a byte value can be shown as a character.
// Accepts only the visible ASCII codes 33..126: space (32), control codes,
// DEL (127) and every larger value are rejected and printed as '.'.
bool drawable(unsigned int value)
{
    const bool aboveSpace = value > 32;
    const bool belowDel = value < 127;
    return aboveSpace && belowDel;
}

Solution

You're casting to the wrong type.

You only want to change signedness, but you're expanding each byte to a four-byte word as well. In the presence of signed-to-unsigned conversion (and the resulting negative-value wraparound), this is resulting in a monstrously high value.


Each "element" of lpBuffers->buf[i] is a char, but you're casting to unsigned int. If your char is signed on your system then 0xDD is off the top of the type's range, so it wraps around to -35. Then casting it to unsigned int results in 0xFFFFFFDD.

The printf specifier %02X won't truncate this: the 2 is only a minimum field width, so a larger value is printed in full.

Presumably you wish to interpret all the bytes as unsigned, to get the full 0x00–0xFF range. Personally I'd convert to unsigned char (instead of unsigned int), for which the value of 0xDD is 221.

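In the code below I've also made a safety adjustment to your loop condition: the original loop reads buf[i+7] in every iteration, which runs past the end of the buffer whenever len is not a multiple of 8.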

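// Dump the first WSABUF as rows of up to eight bytes: hex on the left,
// ASCII on the right ('.' for anything drawable() rejects).
//
// The row length is taken from the bytes that are still left, so no index
// ever reaches lpBuffers->len. A bound of `len - 8` is deliberately not used:
// len is unsigned, so with fewer than eight bytes it wraps to a huge value
// (reading far past the buffer), and with more it silently drops the last row.
const unsigned long total = lpBuffers->len;
for (unsigned long offset = 0; offset < total; )
{
    const unsigned long left = total - offset;
    const unsigned long rowLen = left < 8 ? left : 8;

    // Hex column. Going through unsigned char first keeps bytes >= 0x80 from
    // being sign-extended; a short final row is padded so the ASCII column
    // stays aligned.
    for (unsigned long col = 0; col < 8; ++col)
    {
        if (col != 0)
            printf(" ");
        if (col < rowLen)
            printf("%02X", static_cast<unsigned int>(
                               static_cast<unsigned char>(lpBuffers->buf[offset + col])));
        else
            printf("  ");
    }

    printf("\t\t");

    // ASCII column: only the bytes that really exist in this row.
    for (unsigned long col = 0; col < rowLen; ++col)
    {
        const unsigned char byte = static_cast<unsigned char>(lpBuffers->buf[offset + col]);
        if (col != 0)
            printf(" ");
        printf("%c", drawable(byte) ? byte : '.');
    }

    printf("\n");
    offset += rowLen; // rowLen <= total - offset, so this cannot overflow
}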
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow