"""Decode the GetRuntimeParameter WCF request/response (HCAL R1.2). Reads the chained WriteMessage+ReadMessage capture produced by scripts/Capture-RuntimeParam.ps1 and locates the GetRuntimeParameter exchange by searching every MDAS body for the parameter name (UTF-16) on the request side and the returned value on the response side. Dumps the surrounding bytes so the op name, the leading handle parameter, and the btRequest/btResponse buffer layout can be read off. Output is diagnostic. Sanitize before copying into docs/. """ import base64 import json import sys from pathlib import Path REPO_ROOT = Path(__file__).resolve().parent.parent CAPDIR = REPO_ROOT / "artifacts" / "reverse-engineering" / "instrumented-wcf-runtime-param" CAP = CAPDIR / "runtime-param-capture-latest.ndjson" # Markers we expect on the wire for the default "HistorianVersion" capture. NAME = "HistorianVersion" NAME_U16 = NAME.encode("utf-16-le") NAME_ASCII = NAME.encode("ascii") VALUE = "20,0,000,000" # server runtime "HistorianVersion" value (version-shaped, not secret) VALUE_U16 = VALUE.encode("utf-16-le") VALUE_ASCII = VALUE.encode("ascii") def hexdump(label, buf, base=0): print(f"=== {label}: {len(buf)} bytes ===") for off in range(0, len(buf), 16): c = buf[off:off + 16] hp = " ".join(f"{x:02X}" for x in c) ap = "".join(chr(x) if 32 <= x < 127 else "." for x in c) print(f" {base + off:04X} {hp:<48} |{ap}|") print() def ascii_strings(buf, minlen=3): out, cur, start = [], [], 0 for i, x in enumerate(buf): if 32 <= x < 127: if not cur: start = i cur.append(chr(x)) else: if len(cur) >= minlen: out.append((start, "".join(cur))) cur = [] if len(cur) >= minlen: out.append((start, "".join(cur))) return out def u16_strings(buf, minlen=3): out, i = [], 0 while i < len(buf) - 1: j, chars = i, [] while j < len(buf) - 1 and 32 <= buf[j] < 127 and buf[j + 1] == 0: chars.append(chr(buf[j])) j += 2 if len(chars) >= minlen: out.append((i, "".join(chars))) i = j else: i += 1 return out def main() -> int: if not CAP.exists(): print(f"Missing capture: {CAP}\nRun scripts/Capture-RuntimeParam.ps1 first.") return 1 records = [] for line in CAP.open(encoding="utf-8-sig"): if line.strip(): records.append(json.loads(line)) print(f"== {len(records)} MDAS bodies captured ==") for idx, rec in enumerate(records): body = base64.b64decode(rec["Base64"]) flags = [] if NAME_U16 in body or NAME_ASCII in body: flags.append("NAME") if VALUE_U16 in body or VALUE_ASCII in body: flags.append("VALUE") # The WS-Addressing action is the most reliable op label; show any string that # looks like an op (contains a slash or is short and capitalized). print(f" [{idx:02d}] {rec.get('Phase'):26s} len={len(body):5d} {','.join(flags)}") def find(predicate): hits = [] for idx, rec in enumerate(records): body = base64.b64decode(rec["Base64"]) if predicate(rec, body): hits.append((idx, rec, body)) return hits print("\n== Request candidate(s): WriteMessage bodies containing the NAME ==") for idx, rec, body in find(lambda r, b: r.get("Phase") == "WCF.WriteMessage.Body" and (NAME_U16 in b or NAME_ASCII in b)): hexdump(f"[{idx}] WriteMessage", body) print(" UTF-16 strings:") for off, s in u16_strings(body): print(f" 0x{off:04X} {s!r}") print(" ASCII strings:") for off, s in ascii_strings(body): print(f" 0x{off:04X} {s!r}") print() print("\n== Response candidate(s): ReadMessage bodies containing the VALUE ==") for idx, rec, body in find(lambda r, b: r.get("Phase") == "WCF.ReadMessage.Body" and (VALUE_U16 in b or VALUE_ASCII in b)): hexdump(f"[{idx}] ReadMessage", body) print(" UTF-16 strings:") for off, s in u16_strings(body): print(f" 0x{off:04X} {s!r}") print(" ASCII strings:") for off, s in ascii_strings(body): print(f" 0x{off:04X} {s!r}") print() return 0 if __name__ == "__main__": sys.exit(main())