Wrapped exe files – Part 1

There has been an increase in video files arriving all wrapped up inside a self-executing player. It’s obvious that the developers think they are helping by making playback easier; however, the other EEPIP aspects of Investigation and Presentation tend to suffer in the majority of cases.

Folder-icon

The icon here is pretty much all we have to go on. At the time of writing I have been unable to determine the DVR manufacturer, but my money’s on a small unbranded black box! The naming convention of the file is the Date and Time.

As is normal with this type of DVR export, the program’s properties leave a lot to be desired!

exe-properties

Note to Manufacturers and Developers – PLEASE STOP LEAVING THESE BLANK….Thank you

Opening the program gives us a basic player interface and the footage.

interface

The controls are Print Picture, save a JPEG, play, pause, stop, Fast Forward and Frame advance. The magnifier just makes the image bigger.

So, how do we get the video out of this player wrapper and into something more useful?

HXD-file

By opening the exe file in HXD I can see all the raw data. It is easy to follow, as much of the program relies on plain text strings that are visible in a hex editor. What I wanted to find was the video data. This can be anywhere in the file, but more commonly it is at the end. This is due to how the DVR writes the file. It creates the player part, and then attaches the video bit on the end. Once that’s done, it gets wrapped inside the executable.

hxd-programData

Program Data visible in the text

It didn’t take long to find the start of image data that I believed to be video. This was located after a small gap at the end of the player data.

HXD-video

There didn’t appear to be anything program related at the end, so I copied the chunk of data into a new file. Using HXD, this was completed by:

Edit > Select Block

Copy

File > New

Edit > Paste Insert

Save as

Stream

I now had a new file with just the data that I believed to be the video. Time to take a look and see what comes up!

FFprobe revealed:

[STREAM]
index=0
codec_name=mpeg4
codec_long_name=MPEG-4 part 2
profile=Advanced Simple Profile
codec_type=video
codec_time_base=1/25
codec_tag_string=[0][0][0][0]
codec_tag=0x0000
width=352
height=288
has_b_frames=0
sample_aspect_ratio=1:1
display_aspect_ratio=11:9
pix_fmt=yuv420p
level=4
timecode=N/A
quarter_sample=0
divx_packed=0
id=N/A
r_frame_rate=25/1
avg_frame_rate=0/0
time_base=1/1200000
start_pts=0
start_time=0:00:00.000000
duration_ts=N/A
duration=N/A
bit_rate=N/A
nb_frames=N/A
nb_read_frames=283
nb_read_packets=N/A
[/STREAM]

Well that’s a start!
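With the codec identified, the manual select-and-paste step can be scripted. The following is an added example, not code from the original post: it assumes the embedded video begins with an MPEG-4 Part 2 visual object sequence start code (00 00 01 B0) and runs to the end of the file, as this export did. The function names, the 256-byte validation window and the sample bytes are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

VOS_START = b"\x00\x00\x01\xb0"                      # visual_object_sequence_start_code
VOL_START = re.compile(rb"\x00\x00\x01[\x20-\x2f]")  # video_object_layer_start_code
VOP_START = b"\x00\x00\x01\xb6"                      # vop_start_code, one per coded frame

def find_stream_offset(data: bytes, window: int = 256) -> int:
    """Return the offset of the first plausible MPEG-4 Part 2 header, or -1."""
    pos = data.find(VOS_START)
    while pos != -1:
        head = data[pos:pos + window]
        # Player code can contain 00 00 01 B0 by chance, so also require
        # a VOL header and a first VOP shortly after the candidate.
        if VOL_START.search(head) and VOP_START in head:
            return pos
        pos = data.find(VOS_START, pos + 1)
    return -1

def carve(exe_path: str, out_path: str) -> dict:
    """Copy everything from the stream header to end of file into out_path."""
    data = Path(exe_path).read_bytes()       # the original is only ever read
    offset = find_stream_offset(data)
    if offset == -1:
        raise ValueError("no MPEG-4 Part 2 header found")
    stream = data[offset:]
    Path(out_path).write_bytes(stream)
    return {
        "offset": offset,
        "length": len(stream),
        "frames": stream.count(VOP_START),   # rough count of VOP start codes
        "source_sha256": hashlib.sha256(data).hexdigest(),
        "carved_sha256": hashlib.sha256(stream).hexdigest(),
    }

def make_sample() -> bytes:
    """Constructed input: fake player bytes with a decoy, a gap, then a stream."""
    player = b"MZ" + b"\x90" * 40 + VOS_START + b"\x90" * 400   # decoy start code
    gap = b"\x00" * 16
    header = (VOS_START + b"\xf4" + b"\x00\x00\x01\x00"
              + b"\x00\x00\x01\x20" + b"\x11" * 12)
    frames = (VOP_START + b"\x55" * 30) * 3
    return player + gap + header + frames
```

Recording the reported offset and both SHA-256 values in the case notes lets the carve be repeated and checked against the untouched export.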

By running it through FFmpeg and wrapping this raw mpeg4 stream inside an avi container, I took a look at it in Gspot….

Gspot

Finally, in Virtualdub….

stream in vdub

From here we can deal with the video for any purpose and are not confined inside the player executable that doesn’t allow us any flexibility.

I hope this has shown you one way of getting video out of these wrapped .exe files. There are a few different types and when I get the chance to rip another one apart, I will update with Part 2.

By Spreadys Posted in EEPIP
