Friday, January 28, 2011

Xbox 360 Forensics: Part 4

In our last episode I had just about given up on x360 after spending a week or so digging around its code base, where did I go from there?

Well I decided to sit down with the pages on XTAF and on Xbox 360 File Systems, the source code of a couple of XTAF implementations (x360 and utaf.c), a hex editor and python and I started over. This was a fun project, it turns out that in my time patching x360 I'd learnt almost everything I needed to implement my own parser and some mucking around with a hex editor and the docs got me the rest of the way. At that point I started reading about the FUSE bindings for python which are poorly documented but still make filesystem development super easy, I now want to implement everything as a filesystem!

This was the beginnings of my py360 python module (which may one day see public release, bear with me!) and it was good. The first thing I did with my new filesystem and library was to take a recursive directory listing and perform a 'find . -type f -exec sha1sum {} \;' on the filesystem. When this went swimmingly I moved on to the next problem, which was to unleash libmagic (through file) on the filesystem but to my disappointment the mighty libmagic came back with nothing, everything showed as data. This was a problem and certainly not one that I had seriously anticipated. The next step was to see if I could make any sense out of these files quickly and the utility strings is my goto tool in these situations. Strings revealed that while there was a fair amount of ASCII text there was also a very large amount of UTF16 (big-endian) including what looked like the text of game achievements, unfortunately I couldn't find much of a reference to the gamertag of the user on this image nor any other stuff of interest. This is when I resigned myself to doing things the hard way... stay tuned!

No comments:

Post a Comment