Comments on "Meme Over" (blog by Arkem). Comment feed, 23 comments, last updated 2022-12-05T07:01:56-08:00. Newest first.

Arkem, 2013-11-09T01:13:52-08:00:
The original sample was submitted to Virus Total a few months before my tests. My modified samples (except the properly signed one) were submitted roughly an hour or so before the tests. Approximately a week later I received the code signing certificate, signed the sample, submitted it to Virus Total and ran my tests simultaneously (roughly).

The time elapsed could be significant; it'd be interesting to investigate.

SReilley, 2013-11-09T00:53:54-08:00:
Interesting article. Did you submit the samples to Virus Total before or after the test? If they were submitted prior to the test this may have given the AV vendors a heads up about the samples you were using.

Anonymous, 2013-11-06T01:50:43-08:00:
Great work Paul.

Arkem, 2012-04-27T22:45:10-07:00:
Feel free to email me: arkem@arkem.org

Anonymous, 2012-04-27T20:18:44-07:00:
That's the general response I've been getting when I ask about it, but there's too much specificity in the information from free60 for it to have come from reverse engineering or from experimenting with the files. It's understandable to some extent, but how would they know that the byte at 0x366 is the disc number? And for the forums, which were you looking at? I've checked out se7ensins, xboxmb, scenex, etc., but I'm having trouble finding anything useful.

Also, I couldn't find anything in your py60 source code about the RSA signature. I spent the last three days trying to get the RSA to work like it does in the C# for x360, and I finally did with M2Crypto, so if you were looking for something, that works.

Arkem, 2012-04-27T19:56:57-07:00:
A lot of their information comes from reverse engineering and experimenting with STFS files; besides that, a lot of bits and pieces are available from various forums around the net. A lot of people have done at least a little bit of looking at these formats.

If you're trying to understand the filesystem structure on Xbox 360 I'd recommend reading up on how FAT works on PCs and then reading the Xbox 360 specific parts. As for how STFS works, I'd recommend the Free360 Wikipedia page and reading the source code for any of the tools that handle it (including py360). You can also read my mini-guide to the file format that I released when I released py360: http://www.arkem.org/xbox360-file-reference.pdf

Sadly there aren't any definitive works on the STFS filesystem. Hope this helps send you in the right direction.

Anonymous, 2012-04-27T19:47:51-07:00:
Hello, I've been getting into STFS file structure, and I currently only have free60.net and the x360 source for information. Between the two (although I'm having a bit of trouble understanding x360) I should be able to find anything I want to know, but where did the authors find their information? Thanks!

Wolflullaby, 2012-01-03T17:33:47-08:00:
Oh, and the spiritual enlightenment/ascension thing as well... :P

Wolflullaby, 2012-01-03T17:32:34-08:00:
Now if only game money could somehow be transferred into real money, then you'd be set for life. :)

I lament that when playing DDO. Scott and I have shared in-game finances, and I think we have something crazy like $700,000... That would pay off our real life house, and buy us a second one that we could use as our Sunday best.

Arkem, 2012-01-02T18:15:36-08:00:
Currently py360 does not support the original Xbox drive, though the code could be adapted without too much trouble. If you're looking for a pre-made solution there should be plenty out there.

jbeck, 2011-09-27T14:57:56-07:00:
Does py360 support the xfat of the original Xbox drive?

Arkem, 2011-08-06T15:26:35-07:00:
Good point Shane. After reading about how Sophos signatures malware in Tavis' paper it did make me think that AV signatures are even more fragile than I thought.

I know that Symantec specifically white-lists Authenticode binaries (without checking the signature) but that this behaviour will be configurable in the next version of their product.

Huntsman, 2011-08-06T07:58:15-07:00:
Signing is not the only thing that is changing the results here for at least some of the engines. I took the same sample (ba87b562c829b7095bfb9e0db7a39890) and just appended 16 'x' bytes to the end.

The detection rate in VirusTotal dropped to 23/43. This isn't as big a drop as you got from signing the exe, but it shows that appending any bytes and changing the hash is enough in many cases.

Matt, 2011-05-05T07:06:58-07:00:
I am trying to use your tools and running into some roadblocks. Could you please contact me via Blogger/Gmail? You should be able to find my information. If not, respond here.

Sassa, 2011-01-06T03:08:25-08:00:
That was an illuminating read, I didn't know about big/little endians! At first I thought big endian was a Gibson reference :P

Arkem, 2011-01-04T07:11:39-08:00:
From the looks of it the 360S also did away with the proprietary case and connector combo, requiring just a regular SATA connector. It looks like fun times.

I haven't looked too closely into these restrictions, but from what I've read the limits on drive type and/or size are enforced by placing a special signed blob of data on the drive that the OS checks during boot. If the specific blob doesn't match the drive's size and other characteristics it refuses. This is why you can't have a drive bigger than whatever the biggest Microsoft has released without a complete mod.

Strangely, at the moment I don't even own an Xbox 360 (I'm just borrowing one from my University). I've never spent much time reading about the various homebrew/mod options so I don't really know what's possible. I've been looking at some of the mod sites and they've been really helpful, but it's also been frustrating because we're focusing on very different areas.

Jared, 2011-01-04T06:45:04-08:00:
I've JTAG'd one of my Xbox 360s (well, technically I had someone else do it after realising it required some delicate soldering) so I'm very interested in your findings - even if some of the more in-depth stuff is sure to go over my head :P

Fun fact: only a small list of WD models can be used for the original Xbox 360 (unless you JTAG it), but the new 360S model seems to accept any 2.5" SATA HDD.

Sassa, 2010-12-24T17:32:49-08:00:
I put on my streamers and party hat!

Arkem, 2010-05-26T04:47:42-07:00:
This is certainly something I'm going to look into.

There's the question as to what profile data is actually stored on the 360 and what is located on Microsoft's servers. Even if everything is stored server side, there's the question of whether or not the profile's credentials can be extracted from the device or recovered if deleted.

Jared, 2010-05-25T21:06:18-07:00:
I'd be interested in hearing about whether credit card information is retrievable after the user profile has been deleted from the machine. It's a common question on a forum I frequent, from people who are considering selling their 360s.

gavz, 2010-01-01T20:24:26-08:00:
I preferred the caravan logo ...

Anonymous, 2009-12-24T21:05:21-08:00:
Your ideas are intriguing to me and I would like to subscribe to your newsletter.

tim, 2009-12-24T18:57:35-08:00:
FIRST!