[Day 5] Reverse engineering A Christmas DOScovery: Tapes of Yule-tide Past
Last updated
Experience how to navigate an unfamiliar legacy system.
Learn about DOS and its connection to its contemporary, the Windows Command Prompt.
Discover the significance of file signatures and magic bytes in data recovery and file system analysis.
The Disk Operating System was a dominant operating system during the early days of personal computing. Microsoft tweaked a DOS variant and rebranded it as MS-DOS, which later served as the groundwork for their graphical extension, the initial version of Windows OS. The fundamentals of file management, directory structures, and command syntax in DOS have stood the test of time and can be found in the command prompt and PowerShell of modern-day Windows systems.
While the likelihood of needing to work with DOS in the real world is low, exploring this unfamiliar system can still be a valuable learning opportunity.
File signatures, commonly referred to as "magic bytes", are specific byte sequences at the beginning of a file that identify or verify its content type and format. These bytes often have corresponding ASCII characters, allowing for easier human readability when inspected. The identification process helps software applications quickly determine whether a file is in a format they can handle, aiding operational functionality and security measures.
In cyber security, file signatures are crucial for identifying file types and formats. You'll encounter them in malware analysis, incident response, network traffic inspection, web security checks, and forensics. Knowing how to work with these magic bytes can help you quickly identify malicious or suspicious activity and choose the right tools for deeper analysis.
Here is a list of some of the most common file types and their magic bytes (hex, with the ASCII rendering a hex editor shows):

File type                     Hex bytes                  ASCII
PNG image file                89 50 4E 47 0D 0A 1A 0A    %PNG
GIF image file                47 49 46 38                GIF8
Windows and DOS executables   4D 5A                      MZ
Linux ELF executables         7F 45 4C 46                .ELF
MP3 audio file                49 44 33                   ID3
Our aim is to recover the backup password, using MS-DOS to retrieve it.
First, read the plan using the type command.
From the file, we learn that if the file signature (magic bytes) is not "AC" (41 43 in hex), the file is treated as corrupted.
Using the given tool BUMASTER.EXE, open the .bak file.
From the error message, we know that this file is corrupted. Let's check the file header.
We find the problem: the first two bytes are not "AC". Changing them to "AC", as mentioned earlier, solves the challenge.
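The header check and repair described above, as an added example that is not part of the original writeup or the challenge's tooling: it identifies a file from the signature table listed earlier, shows the header the way a hex editor would, and restores the "AC" signature the backup tool expects. The sample backup bytes and the "XX" corruption are constructed for the example.

```python
# Added example (not from the original writeup): identify a file by its
# magic bytes and repair the 2-byte "AC" backup signature the challenge expects.

# Signature table from the writeup. The "AC" entry is the challenge's own
# backup format, not a standard file signature.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image file",
    b"GIF8": "GIF image file",
    b"MZ": "Windows and DOS executables",
    b"\x7fELF": "Linux ELF executables",
    b"ID3": "MP3 audio file",
    b"AC": "Backup file expected by BUMASTER.EXE",
}

EXPECTED_BACKUP_MAGIC = b"AC"  # 41 43 in hex


def identify(data: bytes) -> str:
    """Return the file type whose magic bytes prefix `data`, or 'unknown'.
    Longer signatures are checked first so a short one cannot shadow them."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if data.startswith(magic):
            return SIGNATURES[magic]
    return "unknown"


def header_hex(data: bytes, n: int = 8) -> str:
    """Render the first n bytes the way a hex editor shows them."""
    return " ".join(f"{b:02X}" for b in data[:n])


def repair_backup(data: bytes) -> tuple[bytes, bool]:
    """Overwrite the first two bytes with 'AC' if they are wrong.
    Returns (possibly repaired data, whether anything was changed)."""
    if data.startswith(EXPECTED_BACKUP_MAGIC):
        return data, False
    return EXPECTED_BACKUP_MAGIC + data[2:], True


if __name__ == "__main__":
    # Constructed sample: a backup whose signature was overwritten with "XX".
    corrupted = b"XX" + b"BACKUP PASSWORD=example"
    print(header_hex(corrupted))        # 58 58 42 41 43 4B 55 50
    fixed, changed = repair_backup(corrupted)
    print(changed, identify(fixed))     # True Backup file expected by BUMASTER.EXE
```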