Hackaday

[Adam Outler] shows us how to expand the Linux tools available on Android without rooting the device. He does this by installing BusyBox. The binary is copied to the device using the Android Developer Bridge. He then opens an ADB shell, adds execute permissions to the binary, and runs it. BusyBox calls itself the Swiss Army Knife of Embedded Linux. It provides a set of very common tools which you’ll find useful in your tinkering. The one that [Adam] shows off in his video is the vi editor, but the basics that make a shell work are all there, such as ls, mkdir, grep, dmesg, mount… you get the point.

So what are you going to do with your unrooted device now that you have these commands at your disposal? That’s really for you to figure out. [Adam] continues his demonstration by installing a package that does require root access…


Application Trial bypass(draft)

This document covers the very basics of working around the limitations of programs that have not been fully activated, in other words trial programs. I do not promote piracy and do not recommend it. This document is for educational purposes only! I also assume that you have a basic understanding of assembly and basic knowledge of a debugger.


NTFS Boot Record (NTFS forensics part 2)

New Technology File System (NTFS) is Microsoft’s preferred file system for all new machines running the Windows operating system. NTFS is superior to the standard FAT file system for several reasons: it can reach greater sizes, it is “self healing,” and it provides security, compression and encryption. None of these benefits are available on FAT systems, which makes NTFS the preferred option for the majority of computers. This chapter explains the first sector of the partition on a standard NTFS install. It is required that you understand how to read hexadecimal and how the hard drive stores data on your system.

The only tool required is a hex editor such as HxD, which can be found at http://mx-nedus.de/en; administrator access is also required to be able to read the hard drive at the disk level. This document will not go in depth on how to use a hex editor. I am keeping this as generic as possible so you can use your own tools, but an understanding of your tools is required.

Figure 2-1 shows sector zero of an active NTFS partition. This sector stores information for NTFS and holds executable code for loading Windows. The MBR sector is important for getting the sector size (typically 512 bytes), the sectors per cluster and the starting location of the master file table. It can also be used to find the master file table mirror location if the original master file table has been destroyed. From this capture you can determine that this is NTFS by examining the 8 bytes at offset 3. Looking at the text pane of the hex editor you will see NTFS, or in hex 4E 54 46 53 20 20 20 20. If you are performing forensic analysis on a hard drive with an unknown file system this is an excellent way to determine what file system is being used. Table 2-1 lists the structure of the MBR sector. To find a field, add up how many bytes come before it in the table and go to that offset in the hex editor.

Figure 2-1

Finding the $MFT Start

The master file table stores all the metadata about a file: file location, creation time, accessed time and more. If the file is small enough, its contents are stored in the $MFT itself. When a file is deleted all that changes in the $MFT is a single byte which informs the file system that the file is no longer in use. This explains how certain programs and companies can recover a file after it has been deleted from the operating system. Changing a byte is quicker than actually erasing the file from the hard drive. Eventually the operating system will reuse the space the deleted file occupied, making the file unrecoverable in most cases. There are some theoretical methods, such as reading the platter directly, measuring how far each bit’s magnetic signal is off from a clean zero or one, and recovering the value of the erased file that way.

In order to find the starting location of the $MFT we need to find the MFT start value and then multiply it by the sectors per cluster. To find the sectors per cluster, start from the beginning of the sector, go to an offset of 13 bytes and read the next byte. In our example that byte is 0x08, which translates to 8 sectors per cluster. The next piece of information needed is the MFT start location. In our example go to offset 48 (0x30) and read the next 8 bytes, which are 00 00 0C 00 00 00 00 00. Read as a little-endian value this is hex C0000, which converts to 786432 in decimal. That is the starting cluster; to get the starting sector we must multiply it by the sectors per cluster, which is 8. The starting sector in our example is 6291456. To obtain the mirror you follow the same steps, except that instead of the MFT Start you read the MFT Mirror Start.

Definition                Bytes
Jump                      3
Format                    8
Bytes Per Sector          2
Sectors Per Cluster       1
Boot Sectors              2
MBz1                      1
Mbz2                      2
Reserved 1                2
Media Type                1
Mbz3                      2
Sectors Per Track         2
Number of heads           2
Partition Offset          4
Reserved 2                8
Total Sectors             8
MFT Start                 8
MFT Mirror Start          8
Clusters Per File Record  4
Clusters Per Index Block  4
Volume Serial Number      8
Code                      430
Boot Signature            2

Table 2-1

To work out how many bytes are in each file record you need the following pieces of information: clusters per file record, sectors per cluster and bytes per sector. Using Table 2-1 and Figure 2-1 as the example we obtain the values 246, 8 and 512 respectively. If the clusters per file record value is smaller than 0x80 (128 in decimal), the record size is that value multiplied by the sectors per cluster and the bytes per sector (in the form 246 * 8 * 512). Since 246 is larger than 128, however, the byte is a negative number: subtracting 256 from 246 gives -10, and the record size is 1 shifted left by 10 bits, which gives 1024 bytes per file record, or 2 sectors. Bytes per file record is also described as how long each file entry is.
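As an added example that is not part of the original post, the following C++ parser reads the Table 2-1 fields from a constructed NTFS boot sector that reproduces the article’s worked values, checks the NTFS identifier and the 55 AA boot signature first, and carries out the $MFT location and file record size calculations above, including the negative clusters-per-record case. The struct and function names are my own.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Values pulled from the first sector of an NTFS partition (Table 2-1 layout).
struct NtfsBootInfo {
    uint16_t bytes_per_sector;
    uint8_t  sectors_per_cluster;
    uint64_t mft_start_cluster, mft_mirror_cluster;
    uint64_t mft_start_sector;   // start cluster * sectors per cluster
    uint64_t mft_byte_offset;    // distance from the start of the partition
    uint32_t file_record_bytes, index_block_bytes;
};
// Little-endian readers: the low-order byte comes first on disk, so 00 02 reads as 0x0200.
static uint16_t le16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint64_t le64(const uint8_t* p) { uint64_t v = 0; for (int i = 7; i >= 0; --i) v = (v << 8) | p[i]; return v; }
// Clusters-per-record is a signed byte: 0xF6 is -10 and means a record of 2^10 bytes.
static uint32_t record_size(int8_t v, uint8_t spc, uint16_t bps) {
    return v >= 0 ? uint32_t(v) * spc * bps : 1u << uint32_t(-v);
}

NtfsBootInfo parse_ntfs_boot_sector(const std::vector<uint8_t>& s) {
    if (s.size() < 512) throw std::runtime_error("need a full 512-byte sector");
    if (std::memcmp(&s[3], "NTFS    ", 8) != 0) throw std::runtime_error("OEM id is not NTFS");
    if (le16(&s[510]) != 0xAA55) throw std::runtime_error("missing 55 AA boot signature");
    NtfsBootInfo b{};
    b.bytes_per_sector    = le16(&s[11]);
    b.sectors_per_cluster = s[13];
    b.mft_start_cluster   = le64(&s[48]);
    b.mft_mirror_cluster  = le64(&s[56]);
    b.mft_start_sector    = b.mft_start_cluster * b.sectors_per_cluster;
    b.mft_byte_offset     = b.mft_start_sector * b.bytes_per_sector;
    b.file_record_bytes   = record_size(int8_t(s[64]), b.sectors_per_cluster, b.bytes_per_sector);
    b.index_block_bytes   = record_size(int8_t(s[68]), b.sectors_per_cluster, b.bytes_per_sector);
    return b;
}

// Constructed sector reproducing the article's worked values; not a capture of a real disk.
std::vector<uint8_t> sample_boot_sector() {
    std::vector<uint8_t> s(512, 0);
    const uint8_t head[] = {0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ', 0x00, 0x02, 0x08};
    std::memcpy(&s[0], head, sizeof head); // jump, OEM id, 512 bytes/sector, 8 sectors/cluster
    s[50] = 0x0C;                          // MFT start 00 00 0C 00 00 00 00 00 -> cluster 0xC0000
    s[56] = 0x02;                          // MFT mirror start at cluster 2
    s[64] = 0xF6;                          // clusters per file record -10 -> 1024-byte records
    s[68] = 0x01;                          // clusters per index block 1 -> 4096-byte blocks
    s[510] = 0x55; s[511] = 0xAA;          // boot signature
    return s;
}
```

On a real image you would read the first 512 bytes of the partition into the vector instead of calling sample_boot_sector(), and the three checks at the top of the parser are what tell you the sector is not an NTFS boot sector at all.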

NTFS Forensics Part 1

When performing any action relating to computer forensics, programming or any other aspect of file system storage it is important to understand the basics of binary number systems, storage types and so on. Failing to understand the basic workings of a computer can result in a lot of wasted time scratching your head wondering what you are looking at. Understanding how to convert hex to decimal or binary to decimal, or the other way around, is crucial to understanding in detail how file systems work. It is also important to know how the hard drive provides data to the application for reading and how it writes data to the disk.

Counting Systems

Counting systems differ between the computer realm and the human realm. Humans rely on the decimal counting system, which is base 10. As most are aware, the system counts 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. Computers do not understand the decimal system; they understand the binary system. Binary is a base-2 number system, limiting our options to either 0 or 1. Hexadecimal is another counting system that you will commonly deal with in the computer realm; it is a base-16 system. Hexadecimal digits range from 0 to F, which is different from what most people are accustomed to.

Converting from one system to another is time consuming to learn as it forces you to think outside the realm you are used to. You may or may not be used to seeing numbers such as FF, which is 255 in decimal. Practicing the conversion process several times will allow you to convert from one counting system to another. You should understand how to convert from one system to the other before continuing. Memorizing the conversions is not necessary, but understanding them is the key point to focus on.

Binary Structures

Binary is grouped into several categories to indicate how many bits you are talking about. A group of 8 bits, eight ones and zeros beside each other, is known as 1 byte. 16 bits, sixteen ones and zeros together, is classified as a word.

Storage Types

Storage systems started in the smallest form and have grown to several terabytes in size, with many types of storage systems along the way. Knowing these types of systems will not only allow you to make informed decisions about pulling data off and about how data is stored in the forensic field, but will also help in troubleshooting regular computer issues. Data is stored on storage devices in binary form, as ones and zeros. This document will not cover how the storage controller writes to the storage media but rather the types of storage media.

Volatile Memory and Non-volatile Memory

Memory can be stored on a device that either retains its state when power is lost or loses its state when power is lost. Volatile memory is the form of storage that requires power to maintain stored information; devices such as Random Access Memory (RAM) fall into the volatile category. Hard drives and USB drives fall into the non-volatile category. It is important to know this because if you power off the machine to move it to another location for forensic analysis you will lose everything in RAM.

Hard drives explained

Hard drives are made from several different pieces, the central one being the platter that stores the information. Knowing each piece will aid in understanding how the hard drive reads the data. The head is the device in the hard drive that reads data from the platter; a single hard drive can have multiple heads in the enclosure. The platter contains tracks, cylinders and sectors, and the operating system builds on this by forming blocks or clusters. A track is a thin concentric strip on the platter surface which contains the magnetic medium to which the data is written. A cylinder consists of the same track number on each platter in the enclosure. Sectors are the most important piece to take from this section. Tracks are subdivided into smaller sections called sectors; this is the smallest storage unit on a hard drive. The typical hard drive sector size is 512 bytes. Blocks and clusters are used by the file system and group multiple sectors into one larger “sector.”

Little Endian vs Big Endian

This section does not conclude which architecture is better or which one can perform more calculations per second, but it does describe the basics of how each works. Little endian processors include x86 and big endian processors include the IBM PowerPC core. The biggest difference between the two is how they order the bytes on external media. Little endian stores the low order byte first and big endian stores the high order byte first. Figure 1-1 shows part of the NTFS MBR with the bytes per sector highlighted. If you convert the bytes 00 02 as they appear you will get 2. In order to get 512 you have to read them backwards, as 02 00, which is hex 200. Converting hex 200 to decimal shows that we have 512 bytes per sector.

Figure 1-1

C++ Assembly – ADD

This section of the assembly tutorial builds on the MOV tutorial and adds one instruction to the code: the ADD instruction. This is still a fairly pointless piece of code that can be written just as well in pure C++ as in assembly.

I recommend knowing basic C++. I am using Microsoft Visual Studio C++ 2010 Express for these tutorials. Create a basic console application and include iostream; I am going to be using the line using namespace std; in my examples to help keep the code clean for beginners. This tutorial also assumes that you have covered the previous tutorial on the MOV command.

In this example we are going to add the numbers 248 and 100 together and display the result.

int Number1, Number2, Result;

__asm {
    mov Number1, 248
    mov Number2, 100
    mov EAX, Number1
    add EAX, Number2
    mov Result, EAX
}

Let’s examine the code.

We define the integers Number1, Number2 and Result.

mov Number1, 248
mov Number2, 100

We initialize the two variables Number1 and Number2.

mov EAX, Number1

With this command we are moving the number 248 into the EAX register.

add EAX, Number2

This line adds Number2 to what is in EAX and stores the sum in the EAX register.

mov Result, EAX

We are moving the EAX register into the Result variable.

If we do a cout << Result; it should show 348.

There are further instructions besides ADD that I will explain in other documents.

#include "stdafx.h"
#include <iostream>

using namespace std;

int _tmain(int argc, _TCHAR* argv[])
{
    int Number1, Number2, Result;

    __asm {
        mov Number1, 248
        mov Number2, 100
        mov EAX, Number1
        add EAX, Number2
        mov Result, EAX
    }

    // Print the sum computed in the asm block (the label was "Number1 =" before, which was misleading).
    cout << "Result = " << Result << endl;

    return 0;
}

Recap

This document covered the basics of including assembly code in Microsoft Visual Studio C++. The example is rather useless, as the same thing can be done in C++ with less typing, but it was used just to get your feet wet with assembly.

C++ With Assembly – MOV

C++ with assembly is often a complex subject for many C++ programmers. Assembly is not required for many modern programs, as the compiler can provide just as much speed as programming in pure ASM. It is better to learn how to write the best code for the compiler than to program in ASM. There are a few subjects that can gain more speed in ASM than by letting the compiler convert the code to ASM, but these will be covered in a later topic.

I recommend knowing basic C++. I am using Microsoft Visual Studio C++ 2010 Express for these tutorials. Create a basic console application and include iostream; I am going to be using the line using namespace std; in my examples to help keep the code clean for beginners.

To inform the compiler which sections use assembly code you can use either of the following:

__asm {
    code
}

or

__asm code

If you are using a compiler other than Microsoft Visual Studio there may be different methods depending on your compiler. Please research your specific compiler to be certain.

Our first example is going to move the number 248 into a defined variable Number1.

int Number1;
int Result;

__asm {
    mov Number1, 248
    mov EAX, Number1
    mov Result, EAX
}

The code is pointless as it does nothing that programming in pure C++ cannot do. Let’s examine the code.

We define two integers, Number1 and Result, and leave them uninitialized.

Then we create the __asm block with the following code.

__asm {

}

mov Number1, 248

With this command we are moving the number 248 into Number1. If we were to do a cout << Number1; it would display the number 248.

mov EAX, Number1

With this command we are moving the number 248 into the EAX register (if you do not know what the EAX register is, or what a register is at all, please refer to my register section or to the Intel, IBM or AMD developer documentation).

mov Result, EAX

This command moves what is in register EAX into the Result variable. Now we have put the number 248 into the Result variable.

If we do a cout << Result; it should show 248.

There are further instructions, such as ADD, that I will explain in other documents.

#include "stdafx.h"
#include <iostream>

using namespace std;

int _tmain(int argc, _TCHAR* argv[])
{
    //asm("assembly code");

    int Number1;
    int Result;

    __asm {
        mov Number1, 248
        mov EAX, Number1
        mov Result, EAX
    }

    cout << "Number1 = " << Number1 << endl;

    return 0;
}

Recap

This document covered the basics of including assembly code in Microsoft Visual Studio C++. The example is rather useless, as the same thing can be done in C++ with less typing, but it was used just to get your feet wet with assembly.
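Both the MOV and ADD tutorials above use the MSVC __asm syntax, which other compilers do not accept. As an added example that is not part of either post, here is the same load/add/store sequence written in GCC/Clang extended inline assembly, with the operands declared to the compiler so it knows what the block reads, writes and clobbers; the function name add_with_inline_asm is my own.

```cpp
#include <iostream>

// Added example (not the tutorial's code): the MOV/ADD sequence from the
// posts, written in GCC/Clang extended asm instead of MSVC __asm.
// [a] and [b] are memory inputs, [r] is a memory output, and EAX is
// declared clobbered so the compiler never keeps a live value in it
// across the block (the MSVC block relies on the compiler saving EAX
// for you; here you must say so explicitly).
int add_with_inline_asm(int number1, int number2) {
    int result = 0;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile(
        "movl %[a], %%eax\n\t"   // mov EAX, Number1
        "addl %[b], %%eax\n\t"   // add EAX, Number2
        "movl %%eax, %[r]\n\t"   // mov Result, EAX
        : [r] "=m"(result)
        : [a] "m"(number1), [b] "m"(number2)
        : "eax", "cc");
#else
    // Non-x86 target: fall back to plain C++ so the file still builds.
    result = number1 + number2;
#endif
    return result;
}

int main() {
    std::cout << "Result = " << add_with_inline_asm(248, 100) << std::endl;
    return 0;
}
```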

Programming Variable to bytes

CHAR     = 1 byte
SHORT    = 2 bytes
LONG     = 4 bytes
LONGLONG = 8 bytes
USN      = 8 bytes
DWORD    = 4 bytes
WORD     = 2 bytes
BOOLEAN  = 1 byte
INT      = 4 bytes