A forum for reverse engineering, OS internals and malware analysis 

Reversing MBR dump

Discussion on reverse-engineering and debugging.

Re: Reversing MBR dump

 #10525  by EP_X0FF
 Thu Dec 22, 2011 1:06 pm
Tigzy wrote:MaxSS was not supposed to alter only partition table?
Only in current version.

Re: Reversing MBR dump

 #10526  by Tigzy
 Thu Dec 22, 2011 1:08 pm
Well, I need to review my classics :D
Ok. Will implement something to decrypt MBR. Some of you got a TDL4 dump for testing purpose? I only got VMs at work, so can't infect a physical machine.

Re: Reversing MBR dump

 #10528  by EP_X0FF
 Thu Dec 22, 2011 1:22 pm
Tigzy wrote:Some of you got a TDL4 dump for testing purpose? I only got VMs at work, so can't infect a physical machine.
Take any dropper from TDL4 dedicated thread (Alureon.DX, not Alureon.FE) and infect VM. It should work.

Re: Reversing MBR dump

 #10533  by Tigzy
 Thu Dec 22, 2011 2:55 pm
A little help for decryption?

I got the key (0x147 and the begin offset 0x2A).
How the ROR is done? do we shift any byte 0x47 times (don't think so) or do we take all bytes shifted 0x47 times?

Re: Reversing MBR dump

 #10534  by rkhunter
 Thu Dec 22, 2011 3:01 pm
Tigzy wrote:A little help for decryption?

I got the key (0x147 and the begin offset 0x2A).
How the ROR is done? do we shift any byte 0x47 times (don't think so) or do we take all bytes shifted 0x47 times?
What tool you are using for decryption?

Re: Reversing MBR dump

 #10536  by EP_X0FF
 Thu Dec 22, 2011 3:15 pm
Tigzy wrote:A little help for decryption?

I got the key (0x147 and the begin offset 0x2A).
How the ROR is done? do we shift any byte 0x47 times (don't think so) or do we take all bytes shifted 0x47 times?
Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture
 Return to “Reverse Engineering and Debugging”