Illustration winhex parsing bmp file Data instance

An example Analysis
the properties of the sample picture;

Original

The red line is the end of the file header;

The second red line is the end of the bitmap information header;

Use Windows Paint to take the color of the point (2,2) pixels; the paint is counted from 0, that is, the pixels in row 3 of line 3rd;

Search for 16 binary bc542f;

11 searches;

The data are searched by the back; it seems that the bitmap data is stored upside down;

Control the above picture;

File header
Hexadecimal value Description
4D:BM ASCII value, BMP file identifier in Windows
F4 02 00
F4 02h=7795714, is the size of the file-error, should look upside down;
F4 76h=193654 byte =189k, which is the same as the Properties dialog box display;

00 00 00 00
Reserved value, Total 0

36 00 00 00
36h=54, is the address of the image data, that is, the length of the file header + Information header + Palette

Bitmap Information Header

Hexadecimal value
Description

28 00 00 00:
Bitmap Information Header Size

25 01 00 00
The width of the image, measured in pixels, is H = 293.

DC 00 00 00
DC h = 220, which is the height of the image, in pixels per pixel

01 00
Always 1

18 00
00 18 = 24, Image color depth, 24 colors

00 00 00 00
Compression mode, 0 means no compression

02 00 F4
F4 40 = 193600 bytes = 189k, which is the image data size of the image


Image data

This image is 24 colors, no color palette;

The color of the first pixel
18 88 66
RGB (24,136,102)

The position of the pixel (2,2);
293*220

293*2+3=589
589/16, equals 36
589=16*36+13

Search the file for 16 binary bc542f
RGB (47,84,188)
2f BC
bc542f

Two BMP file Structure

Go from Network

The format of the BMP file storage structure can be found in the WINGDI.h file in Windows.
BMP files are generally composed of 4 parts, namely, bitmap file header, bitmap information header, palette, and image data, as shown in table 5-1.

Table 5-1 BMP File Composition structure

Bitmap file Header (Bitmap-file header)
Bitmap Information Header (bitmap-information header)
Color tables/palettes (color table)
Bitmap data (Bitmap-data)

Let's look at the details of each component in detail below.

1. Bitmap file Header (Bitmap-file header)

The bitmap file header (Bitmap-file header) contains the image type, image size, image data storage address, and two reserved unused fields.
Open the WINGDI.h file and search for "Bitmapfileheader" to locate the data structure definition of the bitmap file header of the BMP file.

typedef struct TAGBITMAPFILEHEADER {
WORD Bftype;
DWORD bfsize;
WORD bfReserved1;
WORD BfReserved2;
DWORD bfoffbits;
} Bitmapfileheader, far *lpbitmapfileheader, *pbitmapfileheader;


Table 5-2 lists the meanings of the fields in Tagbitmapfileheader.

Table 5-2 Tagbitmapfileheader Structure

Field name
Size (units: bytes)
Description

Bftype
2
The bitmap category, depending on the operating system, is different in Windows
, the value of this field is always ' BM '

Bfsize
4
Size of BMP image file

BfReserved1
2
Total is 0

BfReserved2
2
Total is 0

Bfoffbits
4
Address of BMP image data


2. Bitmap Information Header (bitmap-information header)


The bitmap information header (bitmap-information header) contains the size of the bitmap information header, the width of the image, the color depth of the image, the compression that describes the image data, and some other parameters.


Open the WINGDI.h file and search for "Tagbitmapinfoheader" to locate the data structure definition of the bitmap information header of the BMP file.


typedef struct tagbitmapinfoheader{
DWORD bisize;
LONG Biwidth;
LONG Biheight;
WORD biplanes;
WORD biBitCount;
DWORD bicompression;
DWORD biSizeImage;
LONG Bixpelspermeter;
LONG Biypelspermeter;
DWORD biclrused;
DWORD biclrimportant;
} Bitmapinfoheader, far *lpbitmapinfoheader, *pbitmapinfoheader;


Table 5-3 lists the meanings of the fields in Tagbitmapfileheader.


Table 5-3 Tagbitmapfileheader Structure


Field name
Size
Unit
bytes
Description

Bisize
4
The size of this structure differs depending on the operating system, and in Windows, the value of this field is always 28h bytes = 40 bytes

Biwidth
4
Width of BMP image, per pixel

Biheight
4
Total is 0

biplanes
2
Total is 0

biBitCount
2
The color depth of the BMP image, that is, the number of bits of a pixel, commonly 1, 4, 8, 16, 24 and 32, respectively, for monochrome, 16-color, 256-color, 16-bit high-color, 24-bit true color and 32-bit enhanced true color

Bicompression
4
Compression mode, 0 means no compression, 1 for RLE8 compression, 2 for RLE4 compression, and 3 for each pixel value determined by the specified mask

biSizeImage
4
BMP image data size, must be a multiple of 4, the image data size is not a multiple of 4 with 0 fill complement

Bixpelspermeter
4
Horizontal resolution, per pixel/m

Biypelspermeter
4
Vertical resolution, per pixel/m

biClrUsed
4
The color used for BMP images, 0 for all colors, and for 256-color bitmaps, this value is 100h=256

Biclrimportant
4
Important number of colors, this value is 0 o'clock all colors are important, for BMP images that use a color palette, this value will display the secondary driver color when the video card is not able to display all colors

3. Color tables/palettes (color table)

Color tables/palettes (color table) are unique to monochrome, 16-color, and 256-color image files, the corresponding palette sizes are 2, 16, and 256, the palette is in 4 bytes, each 4 bytes holds a color value, and the image's data is the index to the palette.


You can think of a palette as an array of 4 bytes per array element, assuming that the palette data for a 1256-color BMP image is:
palette [0]= Black, palette [1]= White, palette [2]= Red, palette [3]= blue ... palette [255]= Yellow
Image data The data in the palette [1], palette [0], palette [2], and palette [255] is displayed to display the image color.

In earlier computers, the graphics card was relatively backward, not necessarily guaranteed to display all colors, so the color data in the color palette should be as far as possible in the image of the main color in order in the front, the Biclrimportant field of the bitmap information header indicates how many colors are important.

Each palette has a size of 4 bytes, and a color value is stored by blue, green, and red.
Open the WINGDI.h file and search for "tagrgbtriple" to locate the data structure definition of the BMP file's palette.

typedef struct TAGRGBQUAD {
BYTE Rgbblue;
BYTE Rgbgreen;
BYTE rgbred;
BYTE rgbreserved;
} Rgbquad;

Table 5-4 lists the meanings of the fields in Tagrgbtriple.
Table 5-4 tagrgbtriple Structure

Field name

Size (units: bytes)
Description

Rgbblue
1
Blue value

Rgbgreen
1
Green value

Rgbred
1
Red value

Rgbreserved
1
Reserved, total of 0

4. Bitmap data (Bitmap-data)
If the image is monochrome, 16-color, and 256-color, the bitmap data is closely followed by the palette, and the bitmap data is the index number that points to the palette.
If the bitmap is 16-bit, 24-bit, and 32-bit color, the color palette is not preserved in the image file, i.e. there is no palette, and the image is given directly in the bitmap data.
16-bit images use 2 bytes to save color values, common in two formats: 5-bit red 5-bit green 5-bit blue and 5-bit red 6-bit green 5-bit blue, which is 555 format and 565 format. The 555 format uses only 15 bits, the last one is reserved, and is set to 0.
24-bit Images use 3 bytes to save color values, each of which represents a color, arranged in red, green, and blue.
The 32-bit image uses 4 bytes to hold the color value, each of which represents a color, except for the original red, green, and blue, as well as the alpha channel, the Transparent color.

If the image has a color palette, the bitmap data can be compressed and uncompressed as needed, and if compression is selected, the BMP image is compressed using the RLE4 or RLE8 compression algorithm, depending on whether it is a 16-color or 256-color.
The RLE4 is compressed with 16-color image data, and RLE4 compresses the data in the manner shown in table 5-5.

Table 5-5 RLE4 Compression method

Solution
1 bytes
2 bytes
3 bytes
4 bytes
N bytes

A
Number of repetitions
Color Index

B
Set to 0
The later valid
Number of color indexes
Color Index
Color Index
Color Index ...

Suppose you have the following 16-color bitmap data, a total of 20 bytes, and the data uses RLE4 compression:

05 00 04 05 00 08 09 05 04 00 04 05 08 09 04 08 07 01 00 00
Data decompression first read 05, because 05 is not equal to 0, so choose a scheme, according to a scheme, 05 indicates the number of times after the data repeat, and then read 00,00 represents two color index, each index 4 bits, the first pixel in the high 4 bits, the second pixel in the low 4 bits, that is, in one byte low pixels in the high, High pixels at low levels. 05 00 after decompression equals 00 00 0.


Read 04, select a scheme, according to the above operation parsing, 04 is the number of times after the data repeat, 05 is two color index, the 3rd color index is 5, and the 4th color index is 0. 04 05 after decompression equals 05 05.


Read 00, select the B scheme, and read 08,08 to indicate the number of color indexes that are valid later. 00 08 after decompression equals 09 05 04 00.


Read 04, select a scheme, according to the above operation parsing, 04 is the number of times after the repetition of data, 05 is two color index. 04 05 after decompression equals 05 05.


Read 08, select a scheme, according to the above operation Parsing, 08 is the number of times after the repetition of data, 09 is two color index. 08 09 After decompression equals 09 09 09 09.
Read 04, select a scheme, according to the above operation parsing, 04 is the number of times after the repetition of data, 08 is two color index. 04 08 After decompression equals 08 08.


Read 07, select a scheme, according to the above operation parsing, 07 is the number of times after the repetition of data, 01 is two color index. 07 01 after decompression equals 01 01 01 0.


Read 00, select the B scheme, read 00,00 to indicate the number of valid color indexes, 0 means none, that is, to extract a row of data.


To synthesize the above operation, the extracted data is:


00 00 00 50 50 90 50 40 00 50 50 90 90 90 90 80 80 10 10 10


Looks like the original data size, does not reflect the compression effect, this is because the above example only selects 20 bytes of data, and this 20 bytes of data duplication of data is not many, using RLE compression data is not much, sometimes the size of compression may be larger than the original data. In fact, the general situation when the data is more and repeat the time, the use of RLE compression effect is still more ideal.


RLE8 compression mode can refer to the above RLE4 decompression method, the only difference is that RLE8 use 1 bytes to store the color index, and RLE4 use 4 bits to store the color index.


Combined with the analysis of the BMP file, the following two 256-color and 24-bit color BMP image hexadecimal analysis, through the hex editor to analyze the file structure, can increase the experience of the analysis file.


5-1 and Figure 5-2, respectively, 256-color BMP image Cat2.bmp and 24-bit color BMP image cat1.bmp. Where the resolution of the cat2.bmp image is 200x153 and the file size is 31 680 bytes. The cat1.bmp image has a resolution of 200x150 and a file size of 90 056 bytes.


clip_image001


Figure 5-1 Cat2.bmp Image


clip_image002


Figure 5-2 Cat1.bmp Image


Now parse the cat2.bmp image file, as shown in Winhex open cat2.bmp,5-3.


clip_image003


(Click to view larger) Figure 5-3 Open the cat2.bmp image file in Winhex


The structure of the bitmap file header is analyzed first, as shown in 5-4. The meaning of each field in the bitmap file header of the cat2.bmp image is analyzed according to the bitmap file header structure definition of BMP file, as shown in table 5-6.


clip_image004


(Click for larger view) Figure 5-4 cat2.bmp image file Bitmap file header


Table 5-6 meaning of each field in the bitmap file header in the cat2.bmp image file


Hexadecimal value


Description


4 D:


The ASCII value of BM, the BMP file identifier in Windows


C0 7B 00 00


7B c0h=31680, is the size of the Cat2 file


00 00 00 00


Reserved value, Total 0


36 04 00


436h=1078, is the address of the image data, that is, the length of the file header + Information header + Palette


Continue to analyze the next data, according to the BMP file structure definition, the next data is the bitmap information header, cat2.bmp image file of the bitmap information header of the content 5-5 is shown.


clip_image005


(Click to view larger image) Figure 5-5 cat2.bmp image Bitmap Information header


Table 5-7 shows the meaning of the bitmap information header fields in the Cat2.bmp image file.


Table 5-7 meaning of each field in the bitmap information header in the cat2.bmp image file


Hexadecimal value


Description


28 00 00 00:


Bitmap information header size for cat2.bmp images


C8 00 00 00


XX C8 = 200, is the width of the CAT2 image, unit pixels


99 00 00 00


00 00 00 99 = 153, is the height of the cat2 image, per pixel


01 00


Always 1


08 00


8,CAT2 = The color depth of the image, i.e. 2 of the 8 powers equals 256 colors


00 00 00 00


Compression mode, 0 means no compression


8A 77 00 00


8A = 30602, is the image data size of the CAT2 image, Unit bytes


0B 00 00


0B = 2834,CAT2 Image horizontal resolution, per pixel/m


0B 00 00


0B = Vertical of 2834,CAT2 image


resolution, per pixel/m


00 00 00 00


CAT2 the number of colors used in the image, 0 means using all colors


00 00 00 00


CAT2 the number of important colors in an image, 0 means all colors are important


Continue to analyze the next data, according to the BMP file structure definition, because the cat2.bmp image is a 256-color bitmap, so there should be 256 color palettes, each palette 4 bytes, the entire palette is 1024 bytes in size. The palette data for the cat2.bmp image file is 5-6 and shown in Figure 5-7.


clip_image006


(Click to view larger image) Figure 5-6 cat2.bmp Image color palette address is stored starting from 00000036h


clip_image007


(Click to view larger image) Figure 5-7 cat2.bmp Image color palette data End address is 00000435h


As can be seen from figure 5-6 and figure 5-7, the color palette address of the cat2.bmp image starts from 00000036h to 00000435h, i.e. 00000435h-00000036h + 1 =400h = 1024.


If you want to see the actual display color of the palette for the CAT2 image, you can use Adobe Photoshop CS to open cat2.bmp, select "image" → "mode" → "color table" in the Adobe Photoshop CS menu bar to view the Cat2 palette. As shown in 5-8.


clip_image008


Figure 5-8 Viewing the Cat2 palette in Adobe Photoshop CS


The color palette of the cat2.bmp shown in Figure 5-8 and the hexadecimal data in Figure 5-6 correspond to one by one. Clicking on the color of any one pixel on the Adobe Photoshop cs palette pops up a color Picker dialog that displays detailed composition information for that pixel color. The Cat2.bmp color palette and the hexadecimal data for the cat2.bmp are shown in the corresponding relationship 5-9.


Continue to analyze the next data, according to the BMP file structure definition, if an image has a color palette, then immediately after the color palette is the image of the data, the data is not the actual color values, but to the index of the palette array, according to the index to get the color palette, 5-10 is shown.


clip_image009


(Click to view larger image) Figure 5-9 cat2.bmp color palette and cat2.bmp hexadecimal data correspondence


clip_image010


(Click to view larger image) Figure 5-10 cat2.bmp images data


Because Cat2.bmp is a 256-color bitmap, which uses 8-bit color depth as an index to the palette array, you can tell by the data shown in Figure 5-10: B1 49 49 49 49 49 99 indicates that the color of the 1th pixel in the lower-left corner of the cat2.bmp bitmap equals the palette [ 49], the color of the 2nd pixel equals the palette [49], the 3rd pixel is the color of the palette [49], the 4th pixel color equals the palette [B1] ... And so on After analyzing the cat2.bmp image, the next analysis is cat1.bmp.


Cat1.bmp image is a 24-bit color image, according to the definition of BMP file structure, cat1.bmp image does not have a color palette, the image data is stored in the actual color data, each pixel is represented by 3 bytes, respectively, is red and green blue. Because Cat1.bmp and cat2.bmp bitmap file header and bitmap information header structure, so cat1.bmp bitmap file header and bitmap information header can refer to the analysis of the face cat2.bmp, the following from the cat1.bmp of the bitmap information header end of the position to start analysis, 5-11.


clip_image011


(Click to view larger image) Figure 5-11 cat1.bmp image data


From figure 5-11 can be seen to represent each pixel red, green and blue three-color values, the actual storage is reversed storage, in the analysis of BMP image format need to pay attention to this.


Through the analysis of the storage structure of BMP file above, it is found that there is a lot of duplicate data in the bitmap file header and bitmap information header of BMP file. If the storage of a large number of BMP bitmap with deep, will inevitably waste a lot of storage space, so many times the game programmer will remove the BMP file header and information header, only a few of the necessary information and image data, then the BMP file header and information header which fields are to be retained?


Compare two 24-bit color-depth BMP image files using the Winhex file comparison feature, and observe the file header and information header of two files in a different place, as shown in 5-12.


clip_image012


(Click to view larger image) Figure 5-12 BMP image file comparing two 24-bit color depths using Winhex


As can be seen from figure 5-12, two of the same color depth of the BMP image of the file header and information header a total of 4 different places, respectively, the file header of the file size, the image width of the information head, image height and image data size.


So many times, the game programmer only retains the image file size, image width, image height and image data size information, and sometimes do not need to preserve the size of the file value, using the image data size value can be.


In the analysis of unknown file storage format, if you encounter the file header removed files, such as the above-mentioned BMP file, the analysis of unknown file format brings some difficulties. At this time need to use the hexadecimal editor file comparison function, observe two of the same kind of unknown file format to find some potential laws, if it is not observed regularly, it can only use the White box analysis method, swapped with this unknown file format of the program for disassembly tracking debugging. Of course, inspiration and luck are also important at times.

Three BMP bitmap and color palette analysis

Color table is unique to monochrome, 16-color, and 256-color image files, the corresponding palette size is 2, 16, and 256, the palette is in 4 bytes, each 4 bytes holds a color value, and the image's data is the index to the palette.


You can think of a palette as an array of 4 bytes per array element, assuming that the palette data for a 1256-color BMP image is:



palette [0]= Black, palette [1]= White, palette [2]= Red, palette [3]= blue ... palette [255]= Yellow
Image data The data in the palette [1], palette [0], palette [2], and palette [255] is displayed to display the image color.


In earlier computers, the graphics card was relatively backward, not necessarily guaranteed to display all colors, so the color data in the color palette should be as far as possible in the image of the main color in order in the front, the Biclrimportant field of the bitmap information header indicates how many colors are important.


Each palette has a size of 4 bytes, and a color value is stored by blue, green, and red.


Open the WINGDI.h file and search for "tagrgbtriple" to locate the data structure definition of the BMP file's palette.


typedef struct TAGRGBQUAD {
BYTE Rgbblue;
BYTE Rgbgreen;
BYTE rgbred;
BYTE rgbreserved;
} Rgbquad;
Table 5-4 lists the meanings of the fields in Tagrgbtriple.


Table 5-4 tagrgbtriple Structure



Field name


Size (units: bytes)


Description


Rgbblue


1


Blue value


Rgbgreen


1


Green value


Rgbred


1


Red value


Rgbreserved


1


Reserved, total of 0





If the image is monochrome, 16-color, and 256-color, the bitmap data is closely followed by the palette, and the bitmap data is the index number that points to the palette.


If the bitmap is 16-bit, 24-bit, and 32-bit color, the color palette is not preserved in the image file, i.e. there is no palette, and the image is given directly in the bitmap data.


16-bit images use 2 bytes to save color values, common in two formats: 5-bit red 5-bit green 5-bit blue and 5-bit red 6-bit green 5-bit blue, which is 555 format and 565 format. The 555 format uses only 15 bits, the last one is reserved, and is set to 0.


24-bit Images use 3 bytes to save color values, each of which represents a color, arranged in red, green, and blue.


The 32-bit image uses 4 bytes to hold the color value, each of which represents a color, except for the original red, green, and blue, as well as the alpha channel, the Transparent color.


If the image has a color palette, the bitmap data can be compressed and uncompressed as needed, and if compression is selected, the BMP image is compressed using the RLE4 or RLE8 compression algorithm, depending on whether it is a 16-color or 256-color.





1: Monochrome chart, color palette contains two colors, that is, we usually say black and white pictures
4:16 Color Map
8:256 color graphs, usually grayscale images
16:64k chart, generally no palette, image data in each of the two bytes represents a pixel, 5 or 6 bits represent an RGB component
24:16m True Color graph, generally no color palette, image data in each of the 3 bytes represents a pixel, each byte represents an RGB component
32:4g true Color, generally no color palette, each 4 bytes represents a pixel, relative to 24-bit true color graph, added a transparency, namely RGBA mode

Plot winhex parsing bmp file data instances