[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Stego-empty hard drives... (fwd)




Forwarded message:

> Date: Tue, 22 Sep 1998 20:29:28 -0400
> From: Sunder <[email protected]>
> Subject: Re: Stego-empty hard drives... (fwd)

> Why would they implement it when they can simply have their software scan the
> BIOS code if that's what they feared?  It may cost them $10k each, but it'll
> cost them millions to design and scan every notebook type on the planet, and

No, again, they only have to scan the BIOS types and there are only a couple
thousand (if that many) of those. It really isn't that complicated, there are
only a few cpu's, there are only a few glue chip sets, only a few video driver
chip sets, only a few LCD panels, etc. Admitted when multiplied together
there are a lot of combinations. Now the board manufacturers, the BIOS
manufacturers, and the various glue chipset makers get together and share
data and the manufacturers look to their marketing to define their target
point. Then they do a cost analysis on the chipset combo's and pretty soon 
you find the market only handles a handful of fundamentaly different
machines.

If there was as much variety at the hardware level as you assume nobody
could afford to introduce new computers every few months.

> then they'll have to get their hands on newer models as soon as they hit the
> market.  You're talking about a project that's bigger in magnitude than the
> NSA.

No it isn't. All it takes to get the BIOS before it hits the market is get a
license agreement with the BIOS manufacturer. Hell, when I worked at
Compu-Add we did this sort of stuff with Award and Phoenix all the time. We
would get alpha copies to test in our new hardware on a regular basis.

> Why should YOUR BIOS need to contain encryption code or device drivers for that
> matter?  All it needs to do is to HIDE the existance of the extra partition. 

And the code in the BIOS which means it needs to be hidden just like some 
viruses.

Realisticaly it isn't this complicated. All one needs to do is write a
program that allows the operator to talk directly to the hard drive
controller. At that point it's a trivial matter to go out and find those
hidden partitions. You could use normal drive recovery software if you had a
mind, and that only costs a few hundred to a few thousand dollars and can be
bought in the back of Computer Shopper.

> You patch your BIOS by replacing a few bytes of code with CALL's and NOP's. 
> Maybe 4-8 bytes at most to modify.  The routine that checks for the track range
> is only several bytes:
> 
> 
> Somehwere in INT13 code:
>             blah
>             blah
>             blah
>             CALL biospatch
>             NOP ; to fill in the overwritten code to the next opcode
> 
> 
> biospatch  PUSH AX         ;save the register if you need it
>            MOV AX,switch   ;get the value of the hack switch switch
>            JE  popbye
>            POP AX
>            CMP AX,1234 ;or whatever register or whatever value
>            JLE bye
> deny       MOV AL,FAIL ;some reg and some value that says error, likely AL
>            RET
>            
> popbye     POP AX
> bye        ;insert the code that you overwrote with your CALL to this patch
> re           
>            RET
> 
> 
> Homework: Someone please take this code, optimize it for size and build a TSR
> patching INT 13 that JIM can install and run under DOS.

Don't bother, I already know how to do that.

This would stand out like a sore thumb.


    ____________________________________________________________________

                            The seeker is a finder.

                                     Ancient Persian Proverb

       The Armadillo Group       ,::////;::-.          James Choate
       Austin, Tx               /:'///// ``::>/|/      [email protected]
       www.ssz.com            .',  ||||    `/( e\      512-451-7087
                           -====~~mm-'`-```-mm --'-
    --------------------------------------------------------------------