is there a way to read given amount of instructions from a binary executable file on x86 architecture programmatically?
If I had a binary of a simple C program hello.c:
#include <stdio.h>
int main(){
printf("Hello world\n");
return 0;
}
Where after compilation using gcc, the disassembled function main looks like this:
000000000000063a <main>:
63a: 55 push %rbp
63b: 48 89 e5 mov %rsp,%rbp
63e: 48 8d 3d 9f 00 00 00 lea 0x9f(%rip),%rdi # 6e4 <_IO_stdin_used+0x4>
645: e8 c6 fe ff ff callq 510 <puts#plt>
64a: b8 00 00 00 00 mov $0x0,%eax
64f: 5d pop %rbp
650: c3 retq
651: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
658: 00 00 00
65b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
Is there an easy way in C to read for example first three instructions (meaning the bytes 55, 48, 89, e5, 48, 8d, 3d, 9f, 00, 00, 00) from main? It is not guaranteed that the function looks like this - the first instructions may have all different opcodes and sizes.
this prints the 10 first bytes of the main function by taking the address of the function and converting to a pointer of unsigned char, print in hex.
This small snippet doesn't count the instructions. For this you would need an instruction size table (not very difficult, just tedious unless you find the table already done, What is the size of each asm instruction?) to be able to predict the size of each instruction given the first byte.
(unless of course, the processor you're targetting has a fixed instruction size, which makes the problem trivial to solve)
Debuggers have to decode operands as well, but in some cases like step or trace, I suspect they have a table handy to compute the next breakpoint address.
#include <stdio.h>
int main(){
printf("Hello world\n");
const unsigned char *start = (const char *)&main;
int i;
for (i=0;i<10;i++)
{
printf("%x\n",start[i]);
}
return 0;
}
output:
Hello world
55
89
e5
83
e4
f0
83
ec
20
e8
seems to match the disassembly :)
00401630 <_main>:
401630: 55 push %ebp
401631: 89 e5 mov %esp,%ebp
401633: 83 e4 f0 and $0xfffffff0,%esp
401636: 83 ec 20 sub $0x20,%esp
401639: e8 a2 01 00 00 call 4017e0 <___main>
.globl _start
_start:
bl main
b .
.globl main
main:
add r1,#1
add r2,#1
add r3,#1
add r4,#1
b main
intentionally wrong architecture, architecture doesnt matter file format matters. built this into an elf file format, which is very popular, and is simply a file format which is what I understood your question to be, to read a file, not modify the binary to read the program runtime from memory.
it is very much popular and there are tools that do it which you appear to know how to run.
Disassembly of section .text:
00001000 <_start>:
1000: eb000000 bl 1008 <main>
1004: eafffffe b 1004 <_start+0x4>
00001008 <main>:
1008: e2811001 add r1, r1, #1
100c: e2822001 add r2, r2, #1
1010: e2833001 add r3, r3, #1
1014: e2844001 add r4, r4, #1
1018: eafffffa b 1008 <main>
if I hexdump the file though
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 28 00 01 00 00 00 00 10 00 00 34 00 00 00 |..(.........4...|
00000020 c0 11 00 00 00 02 00 05 34 00 20 00 01 00 28 00 |........4. ...(.|
00000030 06 00 05 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 1c 10 00 00 1c 10 00 00 05 00 00 00 |................|
00000050 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2 |............. ..|
00001010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11 00 00 |.0...#......A...|
00001020 00 61 65 61 62 69 00 01 07 00 00 00 08 01 00 00 |.aeabi..........|
00001030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040 00 00 00 00 00 10 00 00 00 00 00 00 03 00 01 00 |................|
00001050 00 00 00 00 00 00 00 00 00 00 00 00 03 00 02 00 |................|
00001060 01 00 00 00 00 00 00 00 00 00 00 00 04 00 f1 ff |................|
00001070 06 00 00 00 00 10 00 00 00 00 00 00 00 00 01 00 |................|
00001080 18 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
00001090 09 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010a0 17 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010b0 55 00 00 00 00 10 00 00 00 00 00 00 10 00 01 00 |U...............|
000010c0 23 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |#...............|
000010d0 2f 00 00 00 08 10 00 00 00 00 00 00 10 00 01 00 |/...............|
000010e0 34 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |4...............|
000010f0 3c 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |<...............|
00001100 43 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |C...............|
00001110 48 00 00 00 00 00 08 00 00 00 00 00 10 00 01 00 |H...............|
00001120 4f 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |O...............|
00001130 00 73 6f 2e 6f 00 24 61 00 5f 5f 62 73 73 5f 73 |.so.o.$a.__bss_s|
00001140 74 61 72 74 5f 5f 00 5f 5f 62 73 73 5f 65 6e 64 |tart__.__bss_end|
00001150 5f 5f 00 5f 5f 62 73 73 5f 73 74 61 72 74 00 6d |__.__bss_start.m|
00001160 61 69 6e 00 5f 5f 65 6e 64 5f 5f 00 5f 65 64 61 |ain.__end__._eda|
00001170 74 61 00 5f 65 6e 64 00 5f 73 74 61 63 6b 00 5f |ta._end._stack._|
00001180 5f 64 61 74 61 5f 73 74 61 72 74 00 00 2e 73 79 |_data_start...sy|
00001190 6d 74 61 62 00 2e 73 74 72 74 61 62 00 2e 73 68 |mtab..strtab..sh|
000011a0 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e 41 52 |strtab..text..AR|
000011b0 4d 2e 61 74 74 72 69 62 75 74 65 73 00 00 00 00 |M.attributes....|
000011c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000011e0 00 00 00 00 00 00 00 00 1b 00 00 00 01 00 00 00 |................|
000011f0 06 00 00 00 00 10 00 00 00 10 00 00 1c 00 00 00 |................|
00001200 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00001210 21 00 00 00 03 00 00 70 00 00 00 00 00 00 00 00 |!......p........|
00001220 1c 10 00 00 12 00 00 00 00 00 00 00 00 00 00 00 |................|
00001230 01 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 |................|
00001240 00 00 00 00 00 00 00 00 30 10 00 00 00 01 00 00 |........0.......|
00001250 04 00 00 00 05 00 00 00 04 00 00 00 10 00 00 00 |................|
00001260 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
00001270 30 11 00 00 5c 00 00 00 00 00 00 00 00 00 00 00 |0...\...........|
00001280 01 00 00 00 00 00 00 00 11 00 00 00 03 00 00 00 |................|
00001290 00 00 00 00 00 00 00 00 8c 11 00 00 31 00 00 00 |............1...|
000012a0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000012b0
can google the file format and find a lot of info at wikipedia, with a smidge more at one of the links
useful header information
00 10 00 00 entrh
34 00 00 00 phoff
c0 11 00 00 shoff
00 02 00 05 flags
34 00 ehsize
20 00 phentsize
01 00 phnum
28 00 shentsize
06 00 shnum
05 00shstrndx
so if I look at the beginning of the sections there are shnum number of them
0x11C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x11E8 1b 00 00 00 01 00 00 00 06 00 00 00 00 10 00 00 00 10 00 00
0x1210 21 00 00 00 03 00 00 70 00 00 00 00 00 00 00 00 1c 10 00 00
0x1238 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 30 10 00 00
0x1260 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 30 11 00 00
0x1288 11 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 8c 11 00 00
0x1260 strtab type offset 0x1130 which is broken into null terminated strings until you hit a double null
[0] 00
[1] 73 6f 2e 6f 00 so.o
[2] 24 61 00 $a
[3] 5f 5f 62 73 73 5f 73 74 61 72 74 5f 5f 00 __bss_start__
[4] 5f 5f 62 73 73 5f 65 6e 64 5f 5f 00 __bss_end__
[5] 5f 5f 62 73 73 5f 73 74 61 72 74 00 __bss_start
[6] 6d 61 69 6e 00 main
...
main is at address 0x115F in the file which is offset 0x2F in the
strtab.
0x1238 symtab starts at 0x1030, 0x10 or 16 bytes per entry
00001030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040 00 00 00 00 00 10 00 00 00 00 00 00 03 00 01 00 |................|
00001050 00 00 00 00 00 00 00 00 00 00 00 00 03 00 02 00 |................|
00001060 01 00 00 00 00 00 00 00 00 00 00 00 04 00 f1 ff |................|
00001070 06 00 00 00 00 10 00 00 00 00 00 00 00 00 01 00 |................|
00001080 18 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
00001090 09 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010a0 17 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010b0 55 00 00 00 00 10 00 00 00 00 00 00 10 00 01 00 |U...............|
000010c0 23 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |#...............|
000010d0 2f 00 00 00 08 10 00 00 00 00 00 00 10 00 01 00 |/...............|
000010e0 34 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |4...............|
000010f0 3c 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |<...............|
00001100 43 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |C...............|
00001110 48 00 00 00 00 00 08 00 00 00 00 00 10 00 01 00 |H...............|
00001120 4f 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |O...............|
000010d0 2f 00 00 00 has the 0x2f offset in the symbol table
so this is main, from this entry the address 08 10 00 00 or 0x1008 in
the processors memory, unfortunately due to the values I chose it happens to also be the file offset, dont get that confused.
this section is type 00000001 PROGBITS
0x11E8 1b 00 00 00 01 00 00 00 06 00 00 00 00 10 00 00 00 10 00 00
offset 0x1000 in the file 0x1C bytes
here is the program, the machine code.
00001000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2
00001010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11
so starting at memory offset 0x1008 which is 8 bytes after the
entry point (unfortunately I picked a bad address to use) we need to
go 0x8 bytes offset into this data
01 10 81 e2 01 20 82 e2
00001008 <main>:
1008: e2811001 add r1, r1, #1
100c: e2822001 add r2, r2, #1
1010: e2833001 add r3, r3, #1
this is all very file dependent, the cpu could care less about labels, main only means something to the humans, not the cpu.
If I convert the elf into other formats which are perfectly executable:
motorola s record:
S00A0000736F2E7372656338
S1131000000000EBFEFFFFEA011081E2012082E212
S10F1010013083E2014084E2FAFFFFEAB1
S9031000EC
raw binary image
hexdump -C so.bin
00000000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2 |............. ..|
00000010 01 30 83 e2 01 40 84 e2 fa ff ff ea |.0...#......|
0000001c
The instruction bytes of interest are of course there, but the symbol information isnt. It depends on the file format you are interested in as to 1) if you can find "main" and then 2) print out the first few bytes at that address.
Hmm, a bit disturbing, but if you link for 0x2000 gnu ld burns some disk space and puts the offset at 0x2000, but choose 0x20000000 and it burns more disk space but not as much
000100d0 2f 00 00 00 08 00 00 20 00 00 00 00 10 00 01 00
shows the file offset is 0x010010 but the address in target space is 0x20000008
00010010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11 00 00
00010020 00 61 65 61 62 69 00 01 07 00 00 00 08 01
just to demonstrate/enforce the file offset and the target memory space address are two different things.
this is a very nice format for what you are wanting to do
arm-none-eabi-objcopy -O symbolsrec so.elf so.srec
cat so.srec
$$ so.srec
$a $20000000
_bss_end__ $2001001c
__bss_start__ $2001001c
__bss_end__ $2001001c
_start $20000000
__bss_start $2001001c
main $20000008
__end__ $2001001c
_edata $2001001c
_end $2001001c
_stack $80000
__data_start $2001001c
$$
S0090000736F2E686578A1
S31520000000000000EBFEFFFFEA011081E2012082E200
S31120000010013083E2014084E2FAFFFFEA9F
S70520000000DA
Related
Given:
A machine running Debian 10 and using the french keyboard mapping.
A dump of keystrokes correspoding to "azerty" obtained using:
sudo cat /dev/input/by-id/usb-Logitech_USB_Keyboard-event-kbd > test_keylogger_azerty
The following code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/types.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <xcb/xcb.h>
#include <xcb/xcb_keysyms.h>
#include <X11/Xlib.h>
#include <linux/input.h>
int main(int ac, char **av)
{
int fd, col;
xcb_connection_t *connection;
xcb_key_symbols_t *symbols;
struct input_event ev;
if (ac != 3) {
printf("Usage: %s <dump file> <symbol table index>\n", av[0]);
exit(EXIT_FAILURE);
}
connection = xcb_connect(NULL, NULL);
symbols = xcb_key_symbols_alloc(connection);
col = atoi(av[2]);
fd = open(av[1], O_RDONLY);
while (read(fd, (void *) &ev, sizeof(ev))) {
if (ev.type == EV_KEY && ev.value == 1)
printf("type: %x code: %x value: %2x => %s\n",
ev.type, ev.code, ev.value,
XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code, col)));
}
printf("\n");
close(fd);
return(EXIT_SUCCESS);
}
A test run with xev tell me that: a == 24, b == 25 [...] y == 29.
Nevertheless, when i run my program, the obtained code don't match (and, as a result, the guessed corresponding symbol doesn't match too):
$ ./reverse_kl test_keylogger_azerty 0
type: 1 code: 10 value: 1 => egrave
type: 1 code: 11 value: 1 => underscore
type: 1 code: 12 value: 1 => ccedilla
type: 1 code: 13 value: 1 => agrave
type: 1 code: 14 value: 1 => parenright
type: 1 code: 15 value: 1 => equal
type: 1 code: 1c value: 1 => t
type: 1 code: 1d value: 1 => y
type: 1 code: 2e value: 1 => l
if i modify my code that way:
$ diff reverse_kl.c{.ref,}
33c33
< XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code , col)));
---
> XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code + 8 , col)));
It works better:
$ ./reverse_kl test_keylogger_azerty 0
type: 1 code: 10 value: 1 => a
type: 1 code: 11 value: 1 => z
type: 1 code: 12 value: 1 => e
type: 1 code: 13 value: 1 => r
type: 1 code: 14 value: 1 => t
type: 1 code: 15 value: 1 => y
type: 1 code: 1c value: 1 => Return
type: 1 code: 1d value: 1 => Control_L
type: 1 code: 2e value: 1 => c
Also, note that, for key 'a', i have the code 10 and adding 8 still don't give me 24 but it's working...
If anyone could help me understanding this strange behaviour ...
EDIT:
Added an hexadecimal dump of the trace as requested:
0000000 66 35 4d 5d 00 00 00 00 2b 7c 04 00 00 00 00 00
0000020 04 00 04 00 28 00 07 00 66 35 4d 5d 00 00 00 00
0000040 2b 7c 04 00 00 00 00 00 01 00 1c 00 00 00 00 00
0000060 66 35 4d 5d 00 00 00 00 2b 7c 04 00 00 00 00 00
0000100 00 00 00 00 00 00 00 00 66 35 4d 5d 00 00 00 00
0000120 a7 01 0e 00 00 00 00 00 04 00 04 00 14 00 07 00
0000140 66 35 4d 5d 00 00 00 00 a7 01 0e 00 00 00 00 00
0000160 01 00 10 00 01 00 00 00 66 35 4d 5d 00 00 00 00
0000200 a7 01 0e 00 00 00 00 00 00 00 00 00 00 00 00 00
0000220 67 35 4d 5d 00 00 00 00 22 11 01 00 00 00 00 00
0000240 04 00 04 00 14 00 07 00 67 35 4d 5d 00 00 00 00
0000260 22 11 01 00 00 00 00 00 01 00 10 00 00 00 00 00
0000300 67 35 4d 5d 00 00 00 00 22 11 01 00 00 00 00 00
0000320 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
0000340 fc fe 03 00 00 00 00 00 04 00 04 00 1a 00 07 00
0000360 67 35 4d 5d 00 00 00 00 fc fe 03 00 00 00 00 00
0000400 01 00 11 00 01 00 00 00 67 35 4d 5d 00 00 00 00
0000420 fc fe 03 00 00 00 00 00 00 00 00 00 00 00 00 00
0000440 67 35 4d 5d 00 00 00 00 ab 31 06 00 00 00 00 00
0000460 04 00 04 00 1a 00 07 00 67 35 4d 5d 00 00 00 00
0000500 ab 31 06 00 00 00 00 00 01 00 11 00 00 00 00 00
0000520 67 35 4d 5d 00 00 00 00 ab 31 06 00 00 00 00 00
0000540 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
0000560 1d e7 07 00 00 00 00 00 04 00 04 00 08 00 07 00
0000600 67 35 4d 5d 00 00 00 00 1d e7 07 00 00 00 00 00
0000620 01 00 12 00 01 00 00 00 67 35 4d 5d 00 00 00 00
0000640 1d e7 07 00 00 00 00 00 00 00 00 00 00 00 00 00
0000660 67 35 4d 5d 00 00 00 00 23 58 0a 00 00 00 00 00
0000700 04 00 04 00 08 00 07 00 67 35 4d 5d 00 00 00 00
0000720 23 58 0a 00 00 00 00 00 01 00 12 00 00 00 00 00
0000740 67 35 4d 5d 00 00 00 00 23 58 0a 00 00 00 00 00
0000760 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
As a reminder, below is the format of the input_event structure:
struct input_event {
struct timeval time;
__u16 type;
__u16 code;
__s32 value;
};
And, other reminder, keyboard stroke obey the following rules:
type == EV_KEY == 0x01
value may be 0 for event "key released", 1 for "key pressed" and 2 is for "auto-repeat".
Here is my hex code:
42 4D C6 00 00 00 00 00 00 00 76 00 00 00 28 00
00 00 0A 00 00 00 0A 00 00 00 01 00 04 00 00 00
00 00 50 00 00 00 12 0B 00 00 12 0B 00 00 10 00
00 00 10 00 00 00 FF 00 00 00 00 FF 00 00 00 00
42 00 5A 5A 84 00 00 00 FF 00 FF 00 FF 00 00 FF
FF 00 08 FF FF 00 5A FF FF 00 FF FF FF 00 FF FF
FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF
FF 00 FF FF FF 00 92 59 00 16 47 00 00 00 25 90
01 64 61 00 00 00 59 90 11 64 61 00 00 00 99 00
16 48 11 00 00 00 90 01 64 61 11 00 00 00 00 16
64 61 00 00 00 00 01 16 46 10 09 00 00 00 11 64
41 00 99 00 00 00 16 64 11 09 95 00 00 00 66 48
10 09 53 00 00 00
I know that the pixel "assignment" starts with the first line being (10 pixels wide):
92 59 00 16 47 00 00 00
I need to count how many times each colour is in the image, but I am unable to pull the individual integer value (ie: just the 9, then just the 2, then just the 5, and so on). The only value I am able to pull is "92" then "59" then "00"...
This is my code for that segment (the offset is 118 and the total hex values remaining are 80):
int nbr_each[NBRCOLOURS];
int ch, pixel;
fseek(fptr, 118, SEEK_SET);
for (count = 0; count < 81; count++)
{
pixel = fgetc(fptr);
nbr_each[pixel] = nbr_each[pixel] + 1;
}
fgetc will get you the individual characters.
first = fgetc(fptr); // '9'
second = fgetc(fptr); // '2'
space = fgetc(fptr); // ' '
Then convert each digit to a number 0..9 by subtracting off '0':
first -= '0';
second -= '0';
Then to count each digit, something like this:
nbr_each[first]++;
nbr_each[second]++;
I'm trying to connect to SQL Server with Windows Authentication. Microsoft C# and C sources can be found at NetCpp.
In Delphi I have code like this:
function TTDS7SSPI.MakeSPN: string;
const
szBracketedInstanceFormatString = '%s/[%s]:%s';
szBracketedEmptyInstanceFormatString = '%s/[%s]%s';
szClearInstanceFormatString = '%s/%s:%s';
szClearEmptyInstanceFormatString = '%s/%s%s';
szBracketedFormatString = '%s/[%s]:%d';
szClearFormatString = '%s/%s:%d';
var
NeedBrackets: Boolean;
FmtString: string;
begin
NeedBrackets := Pos(':', FHostName) > 0;
if FInstanceName <> '' then begin
// Make an instance name based SPN, i.e. MSSQLSvc/FQDN:instancename
if NeedBrackets then begin
if FInstanceName = '' then
FmtString := szBracketedEmptyInstanceFormatString
else
FmtString := szBracketedInstanceFormatString;
end
else begin
if FInstanceName = '' then
FmtString := szClearEmptyInstanceFormatString
else
FmtString := szClearInstanceFormatString;
end;
Result := Format(FmtString, [SQL_SERVICECLASS, FHostName, FInstanceName]);
end
else begin
// Make a TCP port based SPN, i.e. MSSQLSvc/FQDN:TcpPort
Assert(FPort > 0);
if NeedBrackets then
FmtString := szBracketedFormatString
else
FmtString := szClearFormatString;
Result := Format(FmtString, [SQL_SERVICECLASS, FHostName, FPort]);
end;
end;
function TTDS7SSPI.GetAuth: TBytes;
var
pkgInfo: PSecPkgInfo;
SecBuf: SecBuffer;
BuffDesc: SecBufferDesc;
status: SECURITY_STATUS;
attrs: Cardinal;
tsExpiry: TTimeStamp;
const
NEG_STR: WideString = 'Negotiate'; // 'NTLM'; // 'Kerberos';
begin
Result := nil;
status := QuerySecurityPackageInfo({$IFDEF FPC}PSecChar{$ELSE}PSecWChar{$ENDIF}(NEG_STR), pkgInfo);
if status <> SEC_E_OK then
raise Exception.CreateFmt('Couldn''t query package info for %s, error %X', [NEG_STR, status]);
FMaxMessageLen := pkgInfo.cbMaxToken; // 4096;
FreeContextBuffer(pkgInfo);
TTimeStamp(tsExpiry).QuadPart := 0;
status := AcquireCredentialsHandle(nil, {$IFDEF FPC}PSecChar{$ELSE}PSecWChar{$ENDIF}(NEG_STR), SECPKG_CRED_BOTH, // SECPKG_CRED_OUTBOUND
nil, nil, nil, nil, #FCred, tsExpiry); // tsExpiry as var parameter
if status <> SEC_E_OK then
raise Exception.CreateFmt('AcquireCredentialsHandle error %X', [status]);
BuffDesc.ulVersion := SECBUFFER_VERSION;
BuffDesc.cBuffers := 1;
BuffDesc.pBuffers := #SecBuf;
SecBuf.BufferType := SECBUFFER_TOKEN;
SetLength(Result, FMaxMessageLen);
SecBuf.pvBuffer := #Result[0];
SecBuf.cbBuffer := FMaxMessageLen;
{status := QueryCredentialsAttributes(#FCred, SECPKG_CRED_ATTR_NAMES, #attrName);
if status = SEC_E_OK then
FSPN := PWideChar(attrName.sUserName)
else}
// For DAC use "localhost" instead of the server name (Microsoft)
FSPN := WideString(MakeSPN);
FContextAttrib := ISC_REQ_DELEGATE or ISC_REQ_MUTUAL_AUTH or ISC_REQ_INTEGRITY or ISC_REQ_EXTENDED_ERROR;
// ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_CONNECTION;
// $8C03C;
// ISC_REQ_MUTUAL_AUTH or ISC_REQ_IDENTIFY or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT or ISC_REQ_CONNECTION or ISC_REQ_DELEGATE;
status := InitializeSecurityContext(#FCred, nil, {$IFDEF FPC}PSecChar{$ELSE}PSecWChar{$ENDIF}(FSPN),
FContextAttrib,
0, SECURITY_NATIVE_DREP, nil, 0, #FCredCtx, #BuffDesc, attrs, #tsExpiry);
if status <= 0 then
raise Exception.CreateFmt('InitializeSecurityContext error %X', [status]);
if (status = SEC_I_COMPLETE_NEEDED) or (status = SEC_I_COMPLETE_AND_CONTINUE) {or (status = SEC_I_CONTINUE_NEEDED)} then begin
status := CompleteAuthToken(#FCredCtx, #BuffDesc);
if status <> SEC_E_OK then begin
FreeCredentialsHandle(#FCred);
Result := nil;
raise Exception.CreateFmt('CompleteAuthToken error %X', [status]);
end;
end
else if (status <> SEC_E_OK) and (status <> SEC_I_CONTINUE_NEEDED) then begin
// SEC_I_CONTINUE_NEEDED
// The client must send the output token to the server and wait for a return token.
// The returned token is then passed in another call to InitializeSecurityContext (Negotiate). The output token can be empty
FreeCredentialsHandle(#FCred);
Result := nil;
raise Exception.CreateFmt('InitializeSecurityContext error %X', [status]);
end;
SetLength(Result, SecBuf.cbBuffer);
end;
function TTDS7SSPI.ParseServerResponse(Buf: TBytes): TBytes;
var
InSecBuff, OutSecBuff: SecBuffer;
InBuffDesc, OutBuffDesc: SecBufferDesc;
status: SECURITY_STATUS;
attrs: Cardinal;
tsExpiry: TTimeStamp;
begin
Assert((Length(Buf) >= 32) or (Length(Buf) <= Integer(FMaxMessageLen)));
InBuffDesc.ulVersion := SECBUFFER_VERSION;
InBuffDesc.cBuffers := 1;
InBuffDesc.pBuffers := #InSecBuff;
OutBuffDesc.ulVersion := SECBUFFER_VERSION;
OutBuffDesc.cBuffers := 1;
OutBuffDesc.pBuffers := #OutSecBuff;
Assert(Length(Buf) > 0);
InSecBuff.BufferType := SECBUFFER_TOKEN;
InSecBuff.pvBuffer := #Buf[0];
InSecBuff.cbBuffer := Length(Buf);
OutSecBuff.BufferType := SECBUFFER_TOKEN;
SetLength(Result, FMaxMessageLen);
OutSecBuff.pvBuffer := #Result[0];
OutSecBuff.cbBuffer := Length(Result);
status := InitializeSecurityContext(#FCred, #FCredCtx, {$IFDEF FPC}PSecChar{$ELSE}PSecWChar{$ENDIF}(FSPN),
FContextAttrib,
0, SECURITY_NATIVE_DREP, #InBuffDesc, 0, #FCredCtx, #OutBuffDesc, attrs, #tsExpiry);
if status <> SEC_E_OK then begin
Result := nil;
raise Exception.CreateFmt('InitializeSecurityContext error %X', [status]);
end
else
SetLength(Result, OutSecBuff.cbBuffer);
end;
The SPN I got is like MSSQLSvc/3R-XP:MSSQL2008 (client and server both on 3R-XP, instance MSSQL2008). InitializeSecurityContext has status SEC_I_CONTINUE_NEEDED. Everything works without errors except that the server does not return any of the rows from the query, only TDS_DONE.
The SQL Server log says:
Login succeeded for user '3R-XP\me'. Connection made using Windows authentication. [CLIENT: 192.168.0.100]
Also I tried to compare OLEDB and mine data sent and received. I can't see the first packet sent by OLEDB due to SSL encryption. Mine SSPI login data
4E 54 4C 4D 53 53 | NTLMSS
50 00 01 00 00 00 97 B2 08 E2 09 00 09 00 2D 00 | P.............-.
00 00 05 00 05 00 28 00 00 00 05 01 28 0A 00 00 | ......(.....(...
00 0F 33 52 2D 58 50 57 4F 52 4B 47 52 4F 55 50 | ..3R-XPWORKGROUP
The server response of OLEDB (connect to another PC due to the fact that WinPCAP can only work with real adapters, so the host name is 'hp-6320' and the client name is '3R-Win7' here) is:
000000 04 01 00 A5 00 00 01 00 ED 9A 00 4E 54 4C 4D 53 | ...........NTLMS
000010 53 50 00 02 00 00 00 0E 00 0E 00 38 00 00 00 15 | SP.........8....
000020 82 8A E2 A3 6E FC 4B 59 86 13 D6 00 00 00 00 00 | ....n.KY........
000030 00 00 00 54 00 54 00 46 00 00 00 05 01 28 0A 00 | ...T.T.F.....(..
000040 00 00 0F 48 00 50 00 2D 00 36 00 33 00 32 00 30 | ...H.P.-.6.3.2.0
000050 00 02 00 0E 00 48 00 50 00 2D 00 36 00 33 00 32 | .....H.P.-.6.3.2
000060 00 30 00 01 00 0E 00 48 00 50 00 2D 00 36 00 33 | .0.....H.P.-.6.3
000070 00 32 00 30 00 04 00 0E 00 68 00 70 00 2D 00 36 | .2.0.....h.p.-.6
000080 00 33 00 32 00 30 00 03 00 0E 00 68 00 70 00 2D | .3.2.0.....h.p.-
000090 00 36 00 33 00 32 00 30 00 06 00 04 00 01 00 00 | .6.3.2.0........
0000A0 00 00 00 00 00 | .....
SQL Server response with my code (machine '3R-XP')
04 01 00 89 00 00 01 00 | ........
ED 7E 00 4E 54 4C 4D 53 53 50 00 02 00 00 00 0A | .~.NTLMSSP......
00 0A 00 38 00 00 00 15 C2 8A E2 B0 17 7A 15 A4 | ...8.........z..
21 2A 96 38 E6 3D 01 00 00 00 00 3C 00 3C 00 42 | !*.8.=.....<.<.B
00 00 00 05 01 28 0A 00 00 00 0F 33 00 52 00 2D | .....(.....3.R.-
00 58 00 50 00 02 00 0A 00 33 00 52 00 2D 00 58 | .X.P.....3.R.-.X
00 50 00 01 00 0A 00 33 00 52 00 2D 00 58 00 50 | .P.....3.R.-.X.P
00 04 00 0A 00 33 00 52 00 2D 00 58 00 50 00 03 | .....3.R.-.X.P..
00 0A 00 33 00 52 00 2D 00 58 00 50 00 00 00 00 | ...3.R.-.X.P....
00 | .
It looks the same. But after that second InitializeSecurityContext OLEDB returns the value
000000 11 01 01 A2 00 00 01 00 4E 54 4C 4D 53 53 50 00 | ........NTLMSSP.
000010 03 00 00 00 18 00 18 00 78 00 00 00 FA 00 FA 00 | ........x.......
000020 90 00 00 00 0E 00 0E 00 58 00 00 00 04 00 04 00 | ........X.......
000030 66 00 00 00 0E 00 0E 00 6A 00 00 00 10 00 10 00 | f.......j.......
000040 8A 01 00 00 15 82 88 E2 06 01 B1 1D 00 00 00 0F | ................
000050 18 B1 57 6E 0F 9B BE 6A AF 2A D4 76 8D B2 19 72 | ..Wn...j.*.v...r
000060 33 00 52 00 2D 00 57 00 69 00 6E 00 37 00 6D 00 | 3.R.-.W.i.n.7.m.
000070 65 00 33 00 52 00 2D 00 57 00 49 00 4E 00 37 00 | e.3.R.-.W.I.N.7.
000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000090 00 00 00 00 00 00 00 00 3B 97 82 77 95 74 1E 7C | ........;..w.t.|
0000A0 A8 D1 C5 2F 5F 82 7A 9C 01 01 00 00 00 00 00 00 | .../_.z.........
0000B0 EE 4C 92 1E 68 10 D1 01 B3 93 23 3B A9 14 0C EF | .L..h.....#;....
0000C0 00 00 00 00 02 00 0E 00 48 00 50 00 2D 00 36 00 | ........H.P.-.6.
0000D0 33 00 32 00 30 00 01 00 0E 00 48 00 50 00 2D 00 | 3.2.0.....H.P.-.
0000E0 36 00 33 00 32 00 30 00 04 00 0E 00 68 00 70 00 | 6.3.2.0.....h.p.
0000F0 2D 00 36 00 33 00 32 00 30 00 03 00 0E 00 68 00 | -.6.3.2.0.....h.
000100 70 00 2D 00 36 00 33 00 32 00 30 00 06 00 04 00 | p.-.6.3.2.0.....
000110 01 00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 | ......0.0.......
000120 01 00 00 00 00 20 00 00 9B 51 53 D8 0E 0F C8 EB | ..... ...QS.....
000130 F9 11 AB 3D B3 FB 86 F6 D0 D2 97 3C 4C F7 E0 48 | ...=.......<L..H
000140 C4 BF 2F 60 DC CA AB 10 0A 00 10 00 14 5E 11 19 | ../`.........^..
000150 42 DC 79 32 B1 DC 04 C0 C9 48 8D 2C 09 00 2A 00 | B.y2.....H.,..*.
000160 4D 00 53 00 53 00 51 00 4C 00 53 00 76 00 63 00 | M.S.S.Q.L.S.v.c.
000170 2F 00 68 00 70 00 2D 00 36 00 33 00 32 00 30 00 | /.h.p.-.6.3.2.0.
000180 3A 00 31 00 34 00 33 00 33 00 00 00 00 00 00 00 | :.1.4.3.3.......
000190 00 00 7D 45 28 4F E6 4B 38 90 BD F6 91 61 A7 E8 | ..}E(O.K8....a..
0001A0 8D 26 | .&
while for my code it returns
11 01 00 50 00 00 00 00 4E 54 4C 4D 53 53 50 00 | ...P....NTLMSSP.
03 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 | ........H.......
48 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 | H.......H.......
48 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 | H.......H.......
48 00 00 00 15 C2 88 E2 05 01 28 0A 00 00 00 0F | H.........(.....
As you can see all structures are empty (size 0, allocated 0, offset 48). Is there something wrong? How to fix that stuff? I've tried different flags etc already, the results are the same or even worse. OLEDB works so it seems that the server is configured properly.
With WinAPIOverride I found that authentication uses Bindings (see QueryContextAttributes SECPKG_ATTR_UNIQUE_BINDINGS) retrieved from SSL handshake in negotiation InitializeSecurityContext as SECBUFFER_CHANNEL_BINDINGS member.
So far I made SSPI based SSL handshake, got Bindings that looks like
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 17 00 00 00 20 00 00 00 | ............ ...
74 6C 73 2D 75 6E 69 71 75 65 3A 66 55 6F 05 7F | tls-unique:fUo.
DD 90 31 4F 87 02 52 | ..1O..R
found that those empty NTLMSSP message seems proper (with some extra at the end) while client and server on same machine, ODBC driver sends like
A1 77 30 75 A0 03 0A 01 01 A2 5A 04 58 4E 54 4C .w0u......Z.XNTL
4D 53 53 50 00 03 00 00 00 00 00 00 00 58 00 00 MSSP.........X..
00 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 .....X.......X..
00 00 00 00 00 58 00 00 00 00 00 00 00 58 00 00 .....X.......X..
00 00 00 00 00 58 00 00 00 15 C2 88 E2 0A 00 5A .....X.........Z
29 00 00 00 0F 9E 3F 5C EE FF F1 AF 9A 44 4C 3A ).....?\.....DL:
6F C3 20 0F 8B A3 12 04 10 01 00 00 00 9C B1 60 o. ............`
36 3B 84 96 09 00 00 00 00 6;.......
remote last authentication data looks like (ODBC driver)
4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP.........
78 00 00 00 3C 01 3C 01 90 00 00 00 0E 00 0E 00 x...<.<.........
58 00 00 00 04 00 04 00 66 00 00 00 0E 00 0E 00 X.......f.......
6A 00 00 00 10 00 10 00 CC 01 00 00 15 82 88 E2 j...............
0A 00 5A 29 00 00 00 0F E0 87 5F 85 21 5A 73 17 ..Z)......_.!Zs.
04 6C 1A F5 9C BA F7 42 33 00 52 00 2D 00 57 00 .l.....B3.R.-.W.
69 00 6E 00 37 00 6D 00 65 00 33 00 52 00 2D 00 i.n.7.m.e.3.R.-.
57 00 49 00 4E 00 37 00 00 00 00 00 00 00 00 00 W.I.N.7.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
37 F2 38 62 5B 9C 7E 07 6F 89 9F 33 B2 92 3C 5C 7.8b[.~.o..3..<\
01 01 00 00 00 00 00 00 47 39 01 AD AC 4F D1 01 ........G9...O..
0D 36 47 06 7E 70 B8 A4 00 00 00 00 02 00 18 00 .6G.~p..........
48 00 50 00 2D 00 45 00 4C 00 49 00 54 00 45 00 H.P.-.E.L.I.T.E.
42 00 4F 00 4F 00 4B 00 01 00 18 00 B.O.O.K.....
while SSPI with Bindings looks slightly bigger (8 first bytes here is TDS packet header)
11 01 01 EE 00 00 00 00 4E 54 4C 4D 53 53 50 00 | ........NTLMSSP.
03 00 00 00 18 00 18 00 78 00 00 00 46 01 46 01 | ........x...F.F.
90 00 00 00 0E 00 0E 00 58 00 00 00 04 00 04 00 | ........X.......
66 00 00 00 0E 00 0E 00 6A 00 00 00 10 00 10 00 | f.......j.......
D6 01 00 00 15 82 88 E2 0A 00 5A 29 00 00 00 0F | ..........Z)....
AD A5 C9 05 8C 25 E1 A9 C5 3E 17 BD 3D 19 E3 EB | .....%...>..=...
33 00 52 00 2D 00 57 00 69 00 6E 00 37 00 6D 00 | 3.R.-.W.i.n.7.m.
65 00 33 00 52 00 2D 00 57 00 49 00 4E 00 37 00 | e.3.R.-.W.I.N.7.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 02 0B C5 A2 01 17 DB AC | ................
D8 26 9E 1B AF A1 77 32 01 01 00 00 00 00 00 00 | .&....w2........
B8 28 90 0F AD 4F D1 01 41 F1 DF 7C BE 85 5D B6 | .(...O..A..|..].
00 00 00 00 02 00 18 00 48 00 50 00 2D 00 45 00 | ........H.P.-.E.
4C 00 49 00 54 00 45 00 42 00 4F 00 4F 00 4B 00 | L.I.T.E.B.O.O.K.
01 00 18 00 48 00 50 00 2D 00 45 00 4C 00 49 00 | ....H.P.-.E.L.I.
54 00 45 00 42 00 4F 00 4F 00 4B 00 04 00 18 00 | T.E.B.O.O.K.....
48 00 50 00 2D 00 45 00 6C 00 69 00 74 00 65 00 | H.P.-.E.l.i.t.e.
62 00 6F 00 6F 00 6B 00 03 00 18 00 48 00 50 00 | b.o.o.k.....H.P.
2D 00 45 00 6C 00 69 00 74 00 65 00 62 00 6F 00 | -.E.l.i.t.e.b.o.
6F 00 6B 00 07 00 08 00 B8 28 90 0F AD 4F D1 01 | o.k......(...O..
06 00 04 00 02 00 00 00 08 00 30 00 30 00 00 00 | ..........0.0...
00 00 00 00 01 00 00 00 00 20 00 00 DC 75 9C 98 | ......... ...u..
70 C7 28 D7 BC C7 1E 14 48 70 0E 3B 8B A4 94 7C | p.(.....Hp.;...|
32 05 44 FD 85 5F D3 54 DB 6C 84 22 0A 00 10 00 | 2.D.._.T.l."....
B1 3B 92 CC 6C 5B E2 CD 0F 24 19 5F 6F 73 47 73 | .;..l[...$._osGs
09 00 3E 00 4D 00 53 00 53 00 51 00 4C 00 53 00 | ..>.M.S.S.Q.L.S.
76 00 63 00 2F 00 48 00 50 00 2D 00 45 00 4C 00 | v.c./.H.P.-.E.L.
49 00 54 00 45 00 42 00 4F 00 4F 00 4B 00 3A 00 | I.T.E.B.O.O.K.:.
4D 00 53 00 53 00 51 00 4C 00 32 00 30 00 30 00 | M.S.S.Q.L.2.0.0.
38 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 46 | 8..............F
20 EB 45 EC C8 67 9F E3 45 45 9C 79 76 47 | .E..g..EE.yvG
QueryContextAttributes(#FCtxHandle, SECPKG_ATTR_NEGOTIATION_INFO, #NegInfo) returns state SECPKG_NEGOTIATION_COMPLETE so everything suppose to be fine, server log shows that "Authentication successful" but there is still not enough rights to get results of queries or server errors like "Cannot find the object "all_types" because it does not exist or you do not have permissions" while simple queries like "SET LOCK TIMEOUT 100" runs without errors.
So my thoughts that Windows Authentication in the eyes of own creator doesn't looks secure enough to allow it to some third-party applications. Guest account enabled and have permissions to read/write data and it works through ODBC driver.
I am not so familiar with the C language and compiling it in Linux but I have something to ask and hope you can assist.
I have this line of code that uses an installed command and its parameters to join domain. (see pic).
After I run gcc join.c to compile it its created a file a.out.
So far so good but when I run vim a.out to view to content of that file I see mypassword can be easily viewed by a simple text editor. (see second pic)
Is there anything I can do to avoid this when compiling my C code?
#include <stdio.h>
#include <unistd.h>
int main ()
{
printf("Running 'net join' with the following parameters: \n");
char *domain="mydomain";
char *user="domainjoinuser";
char *pass="mypassword";
char *vastool="/opt/quest/bin/vastool";
char *ou="OU=test,DC=mtdomain,DC=local";
char unjoin[512];
sprintf(unjoin,"/opt/quest/in/vastool -u %s -w '%s' unjoin -f",user,pass);
printf("Domain: %s\n",domain);
printf("User: %s\n",user);
printf("-----------------\n");
printf("Unjoin.............\n");
system(unjoin);
printf("Join................\n");
execl("/opt/quest/bin/vastool", "vastool", "-u", user, "-w", pass, "join", "-c", "ou", "-f", domain, (char*)0);
}
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 40 83 04 08 00 00 00 00 |..>.....#.......|
00000020 40 00 00 00 00 00 00 00 40 0a 00 00 00 00 00 00 |#.......#.......|
00000030 00 00 00 00 40 00 38 00 04 00 40 00 1c 00 1b 00 |....#.8...#.....|
00000040 03 00 00 00 04 00 00 00 20 01 00 00 00 00 00 00 |........ .......|
00000050 20 81 04 08 00 00 00 00 20 81 04 08 00 00 00 00 | ....... .......|
00000060 1c 00 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 |................|
00000070 01 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 |................|
00000080 20 01 00 00 00 00 00 00 20 81 04 08 00 00 00 00 | ....... .......|
00000090 20 81 04 08 00 00 00 00 b0 05 00 00 00 00 00 00 | ...............|
000000a0 b0 05 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|
000000b0 01 00 00 00 06 00 00 00 e0 06 00 00 00 00 00 00 |................|
000000c0 e0 96 04 08 00 00 00 00 e0 96 04 08 00 00 00 00 |................|
000000d0 60 02 00 00 00 00 00 00 60 02 00 00 00 00 00 00 |`.......`.......|
000000e0 00 10 00 00 00 00 00 00 02 00 00 00 06 00 00 00 |................|
000000f0 24 08 00 00 00 00 00 00 24 98 04 08 00 00 00 00 |$.......$.......|
00000100 24 98 04 08 00 00 00 00 a0 00 00 00 00 00 00 00 |$...............|
00000110 a0 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00000120 2f 6c 69 62 36 34 2f 6c 64 2d 6c 69 6e 75 78 2d |/lib64/ld-linux-|
00000130 78 38 36 2d 36 34 2e 73 6f 2e 32 00 00 00 00 00 |x86-64.so.2.....|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 01 00 00 00 12 00 00 00 70 86 04 08 |............p...|
00000160 00 00 00 00 c0 01 00 00 00 00 00 00 13 00 00 00 |................|
00000170 12 00 00 00 80 86 04 08 00 00 00 00 a1 00 00 00 |................|
00000180 00 00 00 00 1a 00 00 00 12 00 00 00 90 86 04 08 |................|
00000190 00 00 00 00 8f 00 00 00 00 00 00 00 22 00 00 00 |............"...|
000001a0 12 00 00 00 a0 86 04 08 00 00 00 00 61 00 00 00 |............a...|
000001b0 00 00 00 00 29 00 00 00 12 00 00 00 b0 86 04 08 |....)...........|
000001c0 00 00 00 00 b0 01 00 00 00 00 00 00 2f 00 00 00 |............/...|
000001d0 12 00 0c 00 80 86 04 08 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 35 00 00 00 20 00 00 00 00 00 00 00 |....5... .......|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 5f 5f 6c |.............__l|
00000200 69 62 63 5f 73 74 61 72 74 5f 6d 61 69 6e 00 70 |ibc_start_main.p|
00000210 72 69 6e 74 66 00 73 70 72 69 6e 74 66 00 73 79 |rintf.sprintf.sy|
00000220 73 74 65 6d 00 65 78 65 63 6c 00 5f 69 6e 69 74 |stem.execl._init|
00000230 00 5f 5f 67 6d 6f 6e 5f 73 74 61 72 74 5f 5f 00 |.__gmon_start__.|
00000240 6c 69 62 63 2e 73 6f 2e 36 00 00 00 04 00 00 00 |libc.so.6.......|
00000250 08 00 00 00 06 00 00 00 04 00 00 00 03 00 00 00 |................|
00000260 07 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
00000270 02 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 |................|
00000280 00 00 00 00 f8 98 04 08 00 00 00 00 07 00 00 00 |................|
00000290 01 00 00 00 00 00 00 00 00 00 00 00 00 99 04 08 |................|
000002a0 00 00 00 00 07 00 00 00 02 00 00 00 00 00 00 00 |................|
000002b0 00 00 00 00 08 99 04 08 00 00 00 00 07 00 00 00 |................|
000002c0 03 00 00 00 00 00 00 00 00 00 00 00 10 99 04 08 |................|
000002d0 00 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 |................|
000002e0 00 00 00 00 18 99 04 08 00 00 00 00 07 00 00 00 |................|
000002f0 05 00 00 00 00 00 00 00 00 00 00 00 20 99 04 08 |............ ...|
00000300 00 00 00 00 07 00 00 00 06 00 00 00 00 00 00 00 |................|
00000310 00 00 00 00 28 99 04 08 00 00 00 00 06 00 00 00 |....(...........|
00000320 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000340 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 f0 50 54 49 |1.I..^H..H...PTI|
00000350 c7 c0 90 85 04 08 48 c7 c1 00 85 04 08 48 c7 c7 |......H......H..|
00000360 6c 83 04 08 e8 07 03 00 00 f4 66 90 55 48 89 e5 |l.........f.UH..|
00000370 48 81 ec 30 02 00 00 48 8d 05 66 13 00 00 48 89 |H..0...H..f...H.|
00000380 c7 b8 00 00 00 00 e8 f5 02 00 00 48 8d 05 86 13 |...........H....|
00000390 00 00 48 89 45 f8 48 8d 05 84 13 00 00 48 89 45 |..H.E.H......H.E|
000003a0 f0 48 8d 05 88 13 00 00 48 89 45 e8 48 8d 05 88 |.H......H.E.H...|
000003b0 13 00 00 48 89 45 e0 48 8d 05 94 13 00 00 48 89 |...H.E.H......H.|
000003c0 45 d8 48 8b 45 e8 49 89 c3 48 8b 45 f0 49 89 c2 |E.H.E.I..H.E.I..|
000003d0 48 8d 05 98 13 00 00 48 89 c6 48 8d 85 d8 fd ff |H......H..H.....|
000003e0 ff 48 89 c7 4c 89 d2 4c 89 d9 b8 00 00 00 00 e8 |.H..L..L........|
000003f0 9c 02 00 00 48 8b 45 f8 48 89 c6 48 8d 05 9b 13 |....H.E.H..H....|
00000400 00 00 48 89 c7 b8 00 00 00 00 e8 71 02 00 00 48 |..H........q...H|
00000410 8b 45 f0 48 89 c6 48 8d 05 8c 13 00 00 48 89 c7 |.E.H..H......H..|
00000420 b8 00 00 00 00 e8 56 02 00 00 48 8d 05 82 13 00 |......V...H.....|
00000430 00 48 89 c7 b8 00 00 00 00 e8 42 02 00 00 48 8d |.H........B...H.|
00000440 05 81 13 00 00 48 89 c7 b8 00 00 00 00 e8 2e 02 |.....H..........|
00000450 00 00 48 8d 85 d8 fd ff ff 48 89 c7 b8 00 00 00 |..H......H......|
00000460 00 e8 3a 02 00 00 48 8d 05 6e 13 00 00 48 89 c7 |..:...H..n...H..|
00000470 b8 00 00 00 00 e8 06 02 00 00 48 b8 00 00 00 00 |..........H.....|
00000480 00 00 00 00 50 48 8b 45 f8 50 48 8d 05 90 13 00 |....PH.E.PH.....|
00000490 00 50 48 8d 05 85 13 00 00 50 48 8d 05 7a 13 00 |.PH......PH..z..|
000004a0 00 50 48 8d 05 6d 13 00 00 50 48 8b 45 e8 49 89 |.PH..m...PH.E.I.|
000004b0 c1 48 8d 05 5b 13 00 00 49 89 c0 48 8b 45 f0 49 |.H..[...I..H.E.I|
000004c0 89 c3 48 8d 05 47 13 00 00 49 89 c2 48 8d 05 35 |..H..G...I..H..5|
000004d0 13 00 00 48 89 c6 48 8d 05 14 13 00 00 48 89 c7 |...H..H......H..|
000004e0 4c 89 d2 4c 89 d9 b8 00 00 00 00 e8 c0 01 00 00 |L..L............|
000004f0 48 83 c4 30 c9 c3 00 00 00 00 00 00 00 00 00 00 |H..0............|
00000500 48 89 6c 24 d8 4c 89 64 24 e0 48 8d 2d 4f 01 00 |H.l$.L.d$.H.-O..|
00000510 00 4c 8d 25 48 01 00 00 48 89 5c 24 d0 4c 89 6c |.L.%H...H.\$.L.l|
00000520 24 e8 4c 89 74 24 f0 4c 89 7c 24 f8 48 83 ec 38 |$.L.t$.L.|$.H..8|
00000530 4c 29 e5 41 89 ff 49 89 f6 48 c1 fd 03 49 89 d5 |L).A..I..H...I..|
00000540 31 db e8 d9 00 00 00 48 85 ed 74 1a 0f 1f 40 00 |1......H..t...#.|
00000550 4c 89 ea 4c 89 f6 44 89 ff 41 ff 14 dc 48 83 c3 |L..L..D..A...H..|
00000560 01 48 39 eb 75 ea 48 8b 5c 24 08 48 8b 6c 24 10 |.H9.u.H.\$.H.l$.|
00000570 4c 8b 64 24 18 4c 8b 6c 24 20 4c 8b 74 24 28 4c |L.d$.L.l$ L.t$(L|
00000580 8b 7c 24 30 48 83 c4 38 c3 0f 1f 80 00 00 00 00 |.|$0H..8........|
00000590 f3 c3 00 00 01 00 02 00 14 00 00 00 00 00 00 00 |................|
000005a0 01 7a 52 00 01 78 10 01 1b 0c 07 08 90 01 07 10 |.zR..x..........|
000005b0 14 00 00 00 1c 00 00 00 88 fd ff ff 2a 00 00 00 |............*...|
000005c0 00 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 |................|
000005d0 01 7a 52 00 01 78 10 01 1b 0c 07 08 90 01 00 00 |.zR..x..........|
000005e0 24 00 00 00 1c 00 00 00 18 ff ff ff 89 00 00 00 |$...............|
000005f0 00 4a 86 06 8c 05 66 0e 40 83 07 8d 04 8e 03 8f |.J....f.#.......|
00000600 02 02 58 0e 08 00 00 00 14 00 00 00 44 00 00 00 |..X.........D...|
00000610 80 ff ff ff 02 00 00 00 00 00 00 00 00 00 00 00 |................|
00000620 48 83 ec 08 48 8b 05 fd 12 00 00 48 85 c0 74 05 |H...H......H..t.|
00000630 e8 cb 79 fb f7 48 83 c4 08 c3 00 00 48 83 ec 08 |..y..H......H...|
00000640 48 83 c4 08 c3 00 00 00 00 00 00 00 00 00 00 00 |H...............|
00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000660 ff 35 82 12 00 00 ff 25 84 12 00 00 00 00 00 00 |.5.....%........|
00000670 ff 25 82 12 00 00 68 00 00 00 00 e9 e0 ff ff ff |.%....h.........|
00000680 ff 25 7a 12 00 00 68 08 00 00 00 e9 d0 ff ff ff |.%z...h.........|
00000690 ff 25 72 12 00 00 68 10 00 00 00 e9 c0 ff ff ff |.%r...h.........|
000006a0 ff 25 6a 12 00 00 68 18 00 00 00 e9 b0 ff ff ff |.%j...h.........|
000006b0 ff 25 62 12 00 00 68 20 00 00 00 e9 a0 ff ff ff |.%b...h ........|
000006c0 ff 25 5a 12 00 00 68 28 00 00 00 e9 90 ff ff ff |.%Z...h(........|
000006d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000006e0 00 00 00 00 52 75 6e 6e 69 6e 67 20 27 6e 65 74 |....Running 'net|
000006f0 20 6a 6f 69 6e 27 20 77 69 74 68 20 74 68 65 20 | join' with the |
00000700 66 6f 6c 6c 6f 77 69 6e 67 20 70 61 72 61 6d 65 |following parame|
00000710 74 65 72 73 3a 20 0a 00 6d 79 64 6f 6d 61 69 6e |ters: ..mydomain|
00000720 00 64 6f 6d 61 69 6e 6a 6f 69 6e 75 73 65 72 00 |.domainjoinuser.|
00000730 6d 79 70 61 73 73 77 6f 72 64 00 2f 6f 70 74 2f |mypassword./opt/|
00000740 71 75 65 73 74 2f 62 69 6e 2f 76 61 73 74 6f 6f |quest/bin/vastoo|
00000750 6c 00 4f 55 3d 74 65 73 74 2c 44 43 3d 6d 74 64 |l.OU=test,DC=mtd|
00000760 6f 6d 61 69 6e 2c 44 43 3d 6c 6f 63 61 6c 00 2f |omain,DC=local./|
00000770 6f 70 74 2f 71 75 65 73 74 2f 69 6e 2f 76 61 73 |opt/quest/in/vas|
00000780 74 6f 6f 6c 20 2d 75 20 25 73 20 2d 77 20 27 25 |tool -u %s -w '%|
00000790 73 27 20 75 6e 6a 6f 69 6e 20 2d 66 00 44 6f 6d |s' unjoin -f.Dom|
000007a0 61 69 6e 3a 20 25 73 0a 00 55 73 65 72 3a 20 25 |ain: %s..User: %|
000007b0 73 0a 00 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d |s..-------------|
000007c0 2d 2d 2d 2d 0a 00 55 6e 6a 6f 69 6e 2e 2e 2e 2e |----..Unjoin....|
000007d0 2e 2e 2e 2e 2e 2e 2e 2e 2e 0a 00 4a 6f 69 6e 2e |...........Join.|
000007e0 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 0a |................|
000007f0 00 2f 6f 70 74 2f 71 75 65 73 74 2f 62 69 6e 2f |./opt/quest/bin/|
00000800 76 61 73 74 6f 6f 6c 00 76 61 73 74 6f 6f 6c 00 |vastool.vastool.|
00000810 2d 75 00 2d 77 00 6a 6f 69 6e 00 2d 63 00 6f 75 |-u.-w.join.-c.ou|
00000820 00 2d 66 00 01 00 00 00 00 00 00 00 44 00 00 00 |.-f.........D...|
00000830 00 00 00 00 04 00 00 00 00 00 00 00 4c 82 04 08 |............L...|
...
Is there anything i can do to avoid this when compiling my C code?
The only thing you can do is to not hard-code the password or any sensitive information into your C program: even if you encrypt this sensitive information in one way or the other, either the decryption key would need to be provided at runtime by a user running your program, or the info could be decrypted by a sufficiently motivated person. You might as well prompt the user for the password.
Note that any other form of hiding would be a mere obfuscation - a small obstacle on the way of a user who is trying to access your secret information. It may deter a few "script kiddies", but it would fall to the first knowledgeable user.
As dasblinkenlight pointed out, whatever you do will not deter somebody from getting your password. For instance, he could run strace on your program to figure out which arguments are being passed to vastool, or he could use a debugger. If you write programs with the intent of being secure, always keep Kerkhoff's principle in mind:
A (crypto-) system should be secure even if everything about the system [...] is public knowledge.
However, if you like some extra smokescreen security obfuscation, you might want to have a look at the memfrob(3) function:
void *memfrob(void *s, size_t n);
The memfrob() function
encrypts the first n bytes of the memory area s by exclusive-ORing
each character with the number 42. The effect can be reversed by using
memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR
constant is fixed, and is only suitable for hiding strings.
one way is to use a function (rot13(), reverse(), chartobinary() f.e.) and call your function with the encoded string.
I'm trying to boot eboot.nb0 from NAND. (Micron, MT29F4G08ABBDA) in WinCE7.
Processor: i.MX6Q
I have successfully booted u-boot.bin from NAND using kobs-ng tool in linux.
Also, if i use modified eboot.nb0 instead of u-boot.bin in kobs, it is booting without any problem.
But when i use MFGTool (in WinCE) for flashing eboot.nb0, it is not booting.
Following is the nanddump output when i am using kobs (linux) for flashing:
FCB:
0x00000000: 00 00 00 00 00 00 00 00 00 00 00 00 cf fc ff ff
0x00000010: 46 43 42 20 00 00 00 01 50 3c 19 06 00 00 00 00
0x00000020: 00 08 00 00 40 08 00 00 40 00 00 00 00 00 00 00
0x00000030: 00 00 00 00 00 00 00 00 04 00 00 00 00 02 00 00
0x00000040: 00 02 00 00 04 00 00 00 0a 00 00 00 03 00 00 00
0x00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00000070: 00 00 00 00 00 02 00 00 00 0b 00 00 01 01 00 00
0x00000080: 01 01 00 00 00 01 00 00 cf 07 00 00 00 00 00 00
0x00000090: 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DBBT:
0x00080000: 00 ff ff ff ff ff ff ff ff ff 00 00 00 00 44 42
0x00080010: 42 54 00 00 00 01 00 00 00 00 00 00 00 00 00 00
0x00080020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00080030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and eboot.nb0 at Page 200.
Here, why we are getting first 12 bytes as zeros? (METADATA_SIZE is set to 10). Why two additional zeros?
In WinCE (Using MFGTool):
FCB:
[Metadata: ff ff ff ff ff ff fe ff ff ff ] (only 10 bytes of metadata)
75 b8 fe ff
46 43 42 20
0 0 0 1
50 3c 19 6
0 0 0 0
0 8 0 0
40 8 0 0
40 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
4 0 0 0
0 2 0 0
0 2 0 0
4 0 0 0
a 0 0 0
3 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
d8 f9 8a d9
11 0 0 0
0 2 0 0
40 3 0 0
40 1 0 0
40 1 0 0
0 1 0 0
cf 7 0 0
0 0 0 0
0 8 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
0 0 0 0
44 cd ab ef
d4 84 a9 ef
ff ff ff ff
ff ff ff ff
ff ff ff ff
DBBT:
0 0 0 0
44 42 42 54
0 0 0 1
0 0 0 0
0 0 0 0
and eboot.nb0 at 200 page.
Following is the nandtype info structure:
//MT29F4G08ABBDAHC
{
{NAND, 4096, 2048 * 64, 64, 2048}, //FlashInfo fi;
{0x2C, 0xAC, 0x90, 0x15}, //BYTE NANDCode[NANDID_LENGTH]
3, //BYTE NumBlockCycles
5, //BYTE ChipAddrCycleNum
8, //BYTE DataWidth
1, //BYTE BBMarkNum
{0}, //BYTE BBMarkPage
6, //BYTE StatusBusyBit
0, //BYTE StatusErrorBit
64, //WORD SpareDataLength
0x70, //BYTE CmdReadStatus
0x00, //BYTE CmdRead1
0x30, //BYTE CmdRead2
0x90, //BYTE CmdReadId
0xff, //BYTE CmdReset
0x80, //BYTE CmdWrite1
0x10, //BYTE CmdWrite2
0x60, //BYTE CmdErase1
0xD0, //BYTE CmdErase2
{80, 60, 25, 6} //NANDTiming timings
}
Following is the BootBlock structure:
typedef struct _BootBlockStruct_t
{
UINT32 m_u32Checksum; //!< First fingerprint in first byte.
UINT32 m_u32FingerPrint; //!< 2nd fingerprint at byte 4.
UINT32 m_u32Version; //!< 3rd fingerprint at byte 8.
union
{
struct
{
NAND_Timing_t m_NANDTiming; //!< Optimum timing parameters for Tas, Tds, Tdh in nsec.
UINT32 m_u32Reserved; //mx28 needs a dword reservation
UINT32 m_u32DataPageSize; //!< 2048 for 2K pages, 4096 for 4K pages.
UINT32 m_u32TotalPageSize; //!< 2112 for 2K pages, 4314 for 4K pages.
UINT32 m_u32SectorsPerBlock; //!< Number of 2K sections per block.
UINT32 m_u32NumberOfNANDs; //!< Total Number of NANDs - not used by ROM.
UINT32 m_u32TotalInternalDie; //!< Number of separate chips in this NAND.
UINT32 m_u32CellType; //!< MLC or SLC.
UINT32 m_u32EccBlockNEccType; //!< Type of ECC, can be one of BCH-0-20
UINT32 m_u32EccBlock0Size; //!< Number of bytes for Block0 - BCH
UINT32 m_u32EccBlockNSize; //!< Block size in bytes for all blocks other than Block0 - BCH
UINT32 m_u32EccBlock0EccType; //!< Ecc level for Block 0 - BCH
UINT32 m_u32MetadataBytes; //!< Metadata size - BCH
UINT32 m_u32NumEccBlocksPerPage; //!< Number of blocks per page for ROM use - BCH
UINT32 m_u32EccBlockNEccLevelSDK; //!< Type of ECC, can be one of BCH-0-20
UINT32 m_u32EccBlock0SizeSDK; //!< Number of bytes for Block0 - BCH
UINT32 m_u32EccBlockNSizeSDK; //!< Block size in bytes for all blocks other than Block0 - BCH
UINT32 m_u32EccBlock0EccLevelSDK; //!< Ecc level for Block 0 - BCH
UINT32 m_u32NumEccBlocksPerPageSDK; //!< Number of blocks per page for SDK use - BCH
UINT32 m_u32MetadataBytesSDK; //!< Metadata size - BCH
UINT32 m_u32EraseThreshold; //!< To set into BCH_MODE register.
UINT32 m_u32BootPatch; //!< 0 for normal boot and 1 to load patch starting next to FCB.
UINT32 m_u32PatchSectors; //!< Size of patch in sectors.
UINT32 m_u32Firmware1_startingSector; //!< Firmware image starts on this sector.
UINT32 m_u32Firmware2_startingSector; //!< Secondary FW Image starting Sector.
UINT32 m_u32SectorsInFirmware1; //!< Number of sectors in firmware image.
UINT32 m_u32SectorsInFirmware2; //!< Number of sector in secondary FW image.
UINT32 m_u32DBBTSearchAreaStartAddress;//!< Page address where dbbt search area begins
UINT32 m_u32BadBlockMarkerByte; //!< Byte in page data that have manufacturer marked bad block marker, this will
//!< bw swapped with metadata[0] to complete page data.
UINT32 m_u32BadBlockMarkerStartBit; //!< For BCH ECC sizes other than 8 and 16 the bad block marker does not start
//!< at 0th bit of m_u32BadBlockMarkerByte. This field is used to get to the
//!< start bit of bad block marker byte with in m_u32BadBlockMarkerByte.
UINT32 m_u32BBMarkerPhysicalOffset; //!< FCB value that gives byte offset for bad block marker on physical NAND page.
UINT32 m_u32BCHType;
UINT32 m_u32TMTiming2_ReadLatency;
UINT32 m_u32TMTiming2_PreambleDelay;
UINT32 m_u32TMTiming2_CEDelay;
UINT32 m_u32TMTiming2_PostambleDelay;
UINT32 m_u32TMTiming2_CmdAddPause;
UINT32 m_u32TMTiming2_DataPause;
UINT32 m_u32TMSpeed;
UINT32 m_u32TMTiming1_BusyTimeout;
UINT32 m_u32DISBBM;
UINT32 m_u32BBMark_spare_offset;
UINT32 m_u32Onfi_sync_enable;
UINT32 m_u32Onfi_sync_speed;
UINT32 m_u32Onfi_syncNANDData;
UINT32 m_u32DISBB_Search;
} FCB_Block;
struct
{
UINT32 m_u32NumberBB; //!< # Bad Blocks stored in this table for NAND0.
UINT32 m_u32Number2KPagesBB; //!< Bad Blocks for NAND0 consume this # of 2K pages.
} DBBT_Block;
};
} BootBlockStruct_t;
Following are the values i'm assigning (Which are equal to linux):
FCB
m_u32FingerPrint = 0x20424346
m_u32Version = 0x01000000
m_u32Reserved = 0
m_NANDTiming.m_u8DataSetup = 80
m_NANDTiming.m_u8DataHold = 60
m_NANDTiming.m_u8AddressSetup = 25
m_NANDTiming.m_u8DSAMPLE_TIME = 6
m_u32PageDataSize = 2048
m_u32TotalPageSize = 2112
m_u32SectorsPerBlock = 64
m_u32NumberOfNANDs = 0
m_u32TotalInternalDie = 0
m_u32CellType = 0
m_u32EccBlockNEccType = 4
m_u32EccBlock0Size = 512
m_u32EccBlockNSize = 512
m_u32EccBlock0EccType = 4
m_u32MetadataBytes = 10
m_u32NumEccBlocksPerPage = 3
m_u32EccBlockNEccLevelSDK = 0
m_u32EccBlock0SizeSDK = 0
m_u32EccBlockNSizeSDK = 0
m_u32EccBlock0EccLevelSDK = 0
m_u32NumEccBlocksPerPageSDK = 0
m_u32MetadataBytesSDK = 0
m_u32EraseThreshold = 0
m_u32Firmware1_startingPage = 512
m_u32Firmware2_startingPage = 2816
m_u32PagesInFirmware1 = 91
m_u32PagesInFirmware2 = 91
m_u32DBBTSearchAreaStartAddress = 256
m_u32BadBlockMarkerByte = 1999
m_u32BadBlockMarkerStartBit = 0
m_u32BBMarkerPhysicalOffset = 2048
m_u32BCHType = 0
m_NANDTMTiming.m_u32TMTiming2_ReadLatency = 0
m_NANDTMTiming.m_u32TMTiming2_PreambleDelay = 0
m_NANDTMTiming.m_u32TMTiming2_CEDelay = 0
m_NANDTMTiming.m_u32TMTiming2_PostambleDelay = 0
m_NANDTMTiming.m_u32TMTiming2_CmdAddPause = 0
m_NANDTMTiming.m_u32TMTiming2_DataPause = 0
m_NANDTMTiming.m_u32TMSpeed = 0
m_NANDTMTiming.m_u32TMTiming1_BusyTimeout = 0
m_u32DISBBM = 0
DBBT
m_u32Checksum = 0x00000000
m_u32FingerPrint = 0x54424244
m_u32Version = 0x01000000
In WinCE, it is not at all booting.
Where is the mistake?
If metadata size difference is the problem , how i can solve it? ( I have also tried by changing METADATA_SIZE = 12, which increases metadata size, but not booting.)
What are those two extra bytes in linux (kobs)?
Solved.
Eboot is booting from NAND now.
Correct data to be written for booting:
FCB:
00 00 00 00 00 00 00 00 00 00 00 00 cf fc ff ff
46 43 42 20 00 00 00 01 50 3c 19 06 00 00 00 00
00 08 00 00 40 08 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 04 00 00 00 00 02 00 00
00 02 00 00 04 00 00 00 0a 00 00 00 03 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 02 00 00 00 0b 00 00 01 01 00 00
01 01 00 00 00 01 00 00 cf 07 00 00 00 00 00 00
00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 1b 0c 06 06
10 1f 03 07 00 00 00 1c 0f 17 1f 05 00 00 00 00
00 19 00 00 15 19 00 00 15 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 13 00 00 00 00 16 00 00
00 16 00 00 13 00 00 00 0f 00 00 00 0a 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 16 00 00 00 13 00 00 1c 1c 00 00
1c 1c 00 00 00 1c 00 00 1b 19 00 00 00 00 00 00
00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DBBT:
00 ff ff ff ff ff ff ff ff ff 00 00 00 00 44 42
42 54 00 00 00 01 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 74 9c 34 5d ed 4b
6d 24 4d 04 d8 e4 48 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EBOOT:
e5 ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 c2 02 c8 c7 39 aa
0c a8 ef 77 29 f1 78 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 d1 00 20 40 60 74 90 00 00 00 00 00
00 00 00 00 40 74 90 00 00 74 90 00 00 00 00 00
00 00 00 00 d1 00 20 40 00 20 04 80 00 00 00 00
00 00 00 00 54 74 90 00 20 74 90 00 00 00 00 00
00 00 00 00 00 70 90 00 00 10 00 00 01 00 00 00
00 0c 04 80 00 04 08 00 00 0c 04 80 00 04 08 00
00 00 00 00 ff 40 2d e9 00 70 a0 e1 09 06 50 e3
28 30 1f e5 00 30 80 85 18 36 9f e5 00 30 81 85
42 3e a0 e3 00 30 82 85 40 40 4f e2 40 50 4f e2
40 60 4f e2 00 06 9f e5 00 10 e0 e3 68 20 a0 e3
02 10 80 e7 00 10 e0 e3 6c 20 a0 e3 02 10 80 e7
00 10 e0 e3 70 20 a0 e3 02 10 80 e7 00 10 e0 e3
74 20 a0 e3 02 10 80 e7 00 10 e0 e3 78 20 a0 e3
02 10 80 e7 00 10 e0 e3 7c 20 a0 e3 02 10 80 e7
00 10 e0 e3 80 20 a0 e3 02 10 80 e7 00 10 e0 e3
84 20 a0 e3 02 10 80 e7 9c 05 9f e5 9c 15 9f e5
18 20 a0 e3 02 10 80 e7 94 05 9f e5 94 15 9f e5
94 25 9f e5 02 10 80 e7 88 15 9f e5 5b 2e a0 e3
02 10 80 e7 7c 15 9f e5 80 25 9f e5 02 10 80 e7
70 15 9f e5 78 25 9f e5 02 10 80 e7 64 15 9f e5
70 25 9f e5 02 10 80 e7 58 15 9f e5 68 25 9f e5
02 10 80 e7 4c 15 9f e5 60 25 9f e5 02 10 80 e7
40 15 9f e5 17 2d a0 e3 02 10 80 e7 38 10 a0 e3
4c 25 9f e5 02 10 80 e7 38 10 a0 e3 44 25 9f e5
02 10 80 e7 38 10 a0 e3 3c 25 9f e5 02 10 80 e7
38 10 a0 e3 52 2e a0 e3 02 10 80 e7 38 10 a0 e3
28 25 9f e5 02 10 80 e7 38 10 a0 e3 51 2e a0 e3
02 10 80 e7 38 10 a0 e3 14 25 9f e5 02 10 80 e7
38 10 a0 e3 0c 25 9f e5 02 10 80 e7 38 10 a0 e3
04 25 9f e5 02 10 80 e7 00 15 9f e5 00 25 9f e5
02 10 80 e7 38 10 a0 e3 f8 24 9f e5 02 10 80 e7
38 10 a0 e3 f0 24 9f e5 02 10 80 e7 38 10 a0 e3
e8 24 9f e5 2f 4b 52 82 fe b2 58 65 c4 a5 96 f4
3e 02 10 80 e7 38 10 a0 e3 59 2e a0 e3 02 10 80
e7 38 10 a0 e3 d4 24 9f e5 02 10 80 e7 00 10 a0
e3 cc 24 9f e5 02 10 80 e7 38 10 a0 e3 c4 24 9f
e5 02 10 80 e7 38 10 a0 e3 5a 2e a0 e3 02 10 80
e7 38 10 a0 e3 b0 24 9f e5 02 10 80 e7 38 10 a0
e3 a8 24 9f e5 02 10 80 e7 38 10 a0 e3 a0 24 9f
e5 02 10 80 e7 38 10 a0 e3 98 24 9f e5 02 10 80
e7 38 10 a0 e3 7a 2e a0 e3 02 10 80 e7 38 10 a0
e3 84 24 9f e5 02 10 80 e7 38 10 a0 e3 7c 24 9f
e5 02 10 80 e7 38 10 a0 e3 74 24 9f e5 02 10 80
e7 38 10 a0 e3 6c 24 9f e5 02 10 80 e7 02 18 a0
e3 75 2e a0 e3 02 10 80 e7 00 10 a0 e3 58 24 9f
e5 02 10 80 e7 02 18 a0 e3 50 24 9f e5 02 10 80
e7 38 10 a0 e3 48 24 9f e5 02 10 80 e7 02 17 a0
e3 40 24 9f e5 02 10 80 e7 3c 04 9f e5 02 19 a0
e3 1c 10 80 e5 02 19 a0 e3 30 24 9f e5 02 10 80
e7 2c 14 9f e5 5c 18 80 e5 24 14 9f e5 24 24 9f
e5 02 10 80 e7 20 14 9f e5 00 18 80 e5 18 14 9f
e5 12 2b a0 e3 02 10 80 e7 01 15 a0 e3 90 18 80
e5 01 15 a0 e3 04 24 9f e5 02 10 80 e7 00 14 9f
e5 00 24 9f e5 02 10 80 e7 02 1b a0 e3 b8 18 80
e5 02 1b a0 e3 f0 23 9f e5 02 10 80 e7 ec 13 9f
e5 1c 18 80 e5 e4 13 9f e5 20 18 80 e5 e0 13 9f
e5 24 18 80 e5 d4 13 9f e5 28 18 80 e5 d0 13 9f
e5 d0 23 9f e5 02 10 80 e7 c4 13 9f e5 c8 23 9f
e5 02 10 80 e7 b8 13 9f e5 c0 23 9f e5 02 10 80
e7 ac 13 9f e5 b8 23 9f e5 02 10 80 e7 b4 13 9f
e5 2c 18 80 e5 ac 13 9f e5 30 18 80 e5 a4 13 9f
e5 34 18 80 e5 9c 13 9f e5 38 18 80 e5 94 13 9f
.
.
.