问题描述(需求地址):
在A机器上的日志(*.Evt)文件在A机器上可以直接读取,但是我将A机器上的日志文件拷贝到B机器上打开的时候,就会提示文件已损坏。
解决办法:
1. 首先在文件中找到标记 0x11111111222222223333333344444444，将紧随其后的 16 bytes 抄下；这 16 bytes 位于 0x28000000 之前，
2. 回到文件开头，把这 16 bytes 复写到文件的第 17 至第 32 byte，
3. 最后再把第 37 byte 的值改为 0x08，文件就可以读进事件管理器了。
Python脚本:
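import os
import sys
import binascii
import time

# Windows classic event-log (*.Evt) layout, per the ELF_LOGFILE_HEADER /
# ELF_EOF_RECORD structures in winnt.h (all DWORDs little-endian):
#   header  : HeaderSize(4) "LfLe"(4) Major(4) Minor(4) StartOffset(4)
#             EndOffset(4) CurrentRecordNumber(4) OldestRecordNumber(4)
#             MaxSize(4) Flags(4) Retention(4) EndHeaderSize(4)  = 48 bytes
#   EOF rec : 0x28(4) 0x11111111 0x22222222 0x33333333 0x44444444
#             BeginRecord(4) EndRecord(4) CurrentRecordNumber(4)
#             OldestRecordNumber(4) 0x28(4)
# A log copied while it was still open typically carries stale offsets and
# the DIRTY flag in its header, which is why the copy is reported as
# corrupt on another machine. The live values are the four DWORDs that
# follow the EOF-record signature; the repair copies them into header
# bytes 16..31 and rewrites the low flags byte (byte 36, i.e. the 37th).
EVT_SIGNATURE = b"LfLe"                      # header bytes 4..7
EVT_HEADER_LEN = 48
EVT_EOF_SIGNATURE = b"\x11" * 4 + b"\x22" * 4 + b"\x33" * 4 + b"\x44" * 4
EVT_TRAILER_LEN = 16                         # the four DWORDs after the signature
EVT_HEADER_TRAILER_OFFSET = 16               # where those DWORDs live in the header
EVT_FLAGS_OFFSET = 36                        # low byte of the Flags DWORD
EVT_FLAGS_PATCHED = 0x08                     # ELF_LOGFILE_ARCHIVE_SET; clears DIRTY (0x01)
CHUNK_SIZE = 8192

# The script is written to run under both Python 2 and 3.
try:
    _prompt = raw_input          # Python 2
except NameError:                # Python 3
    _prompt = input


def _find_eof_trailer(fread, chunk_size=CHUNK_SIZE):
    """Scan an open binary file for the EOF-record signature.

    Returns the 16 bytes that follow the signature (BeginRecord, EndRecord,
    CurrentRecordNumber, OldestRecordNumber), or None when no complete EOF
    record exists in the file. Reads in chunks and carries the tail of the
    previous chunk forward so a signature that straddles a chunk boundary is
    still matched (the old scanner mishandled that path: it called ``len()``
    with no argument and sliced the wrong buffer).
    """
    sig_len = len(EVT_EOF_SIGNATURE)
    carry = b""
    while True:
        chunk = fread.read(chunk_size)
        if not chunk:
            return None
        buf = carry + chunk
        pos = buf.find(EVT_EOF_SIGNATURE)
        if pos == -1:
            # Keep enough bytes that a signature starting at the end of this
            # chunk can still match once the next chunk is appended. A full
            # signature inside `carry` would already have been found above.
            carry = buf[-(sig_len - 1):]
            continue
        start = pos + sig_len
        trailer = buf[start:start + EVT_TRAILER_LEN]
        short = EVT_TRAILER_LEN - len(trailer)
        if short:
            # The DWORDs run past this chunk; the file position is exactly
            # after `chunk`, so the remainder can be read directly.
            trailer += fread.read(short)
        if len(trailer) != EVT_TRAILER_LEN:
            return None          # signature at the very end: truncated record
        return trailer


def _patch_header(header, trailer):
    """Return a copy of `header` with the EOF-record values and flags applied.

    Raises ValueError when `header` is too short to be an EVT header or does
    not carry the "LfLe" signature, so a non-EVT input is rejected instead
    of being blindly rewritten.
    """
    if len(header) < EVT_HEADER_LEN:
        raise ValueError("input is shorter than an EVT header (%d bytes)" % EVT_HEADER_LEN)
    if header[4:8] != EVT_SIGNATURE:
        raise ValueError("input does not start with the EVT 'LfLe' signature")
    patched = bytearray(header)
    end = EVT_HEADER_TRAILER_OFFSET + EVT_TRAILER_LEN
    patched[EVT_HEADER_TRAILER_OFFSET:end] = trailer
    patched[EVT_FLAGS_OFFSET] = EVT_FLAGS_PATCHED
    return bytes(patched)


def convertfile(infile, outfile):
    """Write a repaired copy of the EVT log `infile` to `outfile`.

    `infile` is opened read-only and never modified, so the original file
    stays byte-identical (it can still be hashed and compared afterwards).
    Returns the 16 trailer bytes that were copied into the header.

    Raises ValueError when the input is not an EVT log or contains no
    complete EOF record. The previous version silently wrote a corrupt
    output in that case: with an empty search result the header slice
    shrank by 16 bytes and everything after it shifted.
    """
    with open(infile, "rb") as fread:
        trailer = _find_eof_trailer(fread)
        if trailer is None:
            raise ValueError(
                "no EOF record (signature 11111111 22222222 33333333 44444444) found in %s"
                % infile)
        print("String find: %s" % binascii.hexlify(trailer).decode("ascii"))

        # Re-read from the start: patch the fixed-size header, then stream
        # the rest of the file through unchanged.
        fread.seek(0)
        header = _patch_header(fread.read(EVT_HEADER_LEN), trailer)
        with open(outfile, "wb") as fwrite:
            fwrite.write(header)
            for piece in iter(lambda: fread.read(CHUNK_SIZE), b""):
                fwrite.write(piece)
    return trailer


if __name__ == "__main__":
    if len(sys.argv) == 1:
        infilepath = _prompt("Please input the path of EVT file -> ")
        # splitext (rather than rfind(".")) leaves a name without an
        # extension intact instead of chopping its last character.
        outfilepath = os.path.splitext(infilepath)[0] + ".new.Evt"
    elif len(sys.argv) == 2:
        infilepath = sys.argv[1]
        outfilepath = os.path.splitext(infilepath)[0] + ".new.Evt"
    elif len(sys.argv) == 3:
        infilepath, outfilepath = sys.argv[1], sys.argv[2]
    else:
        print("Error args .")
        _prompt("")
        sys.exit(2)

    starttime = time.time()
    print("Running...")
    try:
        convertfile(infilepath, outfilepath)
    except (IOError, OSError, ValueError) as err:
        # Report the reason and exit non-zero instead of leaving a traceback
        # (or, as before, a silently corrupted output file).
        print("Failed: %s" % err)
        sys.exit(1)
    print("Done .")
    print("Time used: %.3f s" % (time.time() - starttime))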
错误截图: