(Smashing &) Reconstructing FAT For Fun & Profit

Author
Name: Nicola
Last Name: Gatta
Age: 24
Profession: student at University of Brescia
e-mail: nicola.gatta@yoda2000.net

Disclaimer:
1) I'm Italian and I don't speak English very well, so I'm sorry for any grammatical/lexical error.
2) I can't answer the Bonus Question, because I don't use Microsoft software (in fact I have been using only Linux & Solaris since 1998).

Used Software:
1) hexedit, an excellent Linux hex editor
2) pkzip 2.51 for Solaris
3) unzip 5.50 for Linux
4) OpenOffice for Linux

1. The BOOT SECTOR

First of all, check the md5sum and unzip image.zip to image. Let's look at the output of hexedit:

[nicola@Westeros nicola]$ hexedit image

00000000 EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 01 01 00 02 E0 00 40 0B F0 09 00 12 00 02 00 .<.MSDOS5.0........@........
0000001C 00 00 00 00 00 00 00 00 00 00 29 CF CD B1 C4 4E 4F 20 4E 41 4D 45 20 20 20 20 46 41 ..........)....NO NAME FA
00000038 54 31 32 20 20 20 33 C9 8E D1 BC F0 7B 8E D9 B8 00 20 8E C0 FC BD 00 7C 38 4E 24 7D T12 3.....{.... .....|8N$}
00000054 24 8B C1 99 E8 3C 01 72 1C 83 EB 3A 66 A1 1C 7C 26 66 3B 07 26 8A 57 FC 75 06 80 CA $....<.r...:f..|&f;.&.W.u...
00000070 02 88 56 02 80 C3 10 73 EB 33 C9 8A 46 10 98 F7 66 16 03 46 1C 13 56 1E 03 46 0E 13 ..V....s.3..F...f..F..V..F..
0000008C D1 8B 76 11 60 89 46 FC 89 56 FE B8 20 00 F7 E6 8B 5E 0B 03 C3 48 F7 F3 01 46 FC 11 ..v.`.F..V.. ....^...H...F..
000000A8 4E FE 61 BF 00 00 E8 E6 00 72 39 26 38 2D 74 17 60 B1 0B BE A1 7D F3 A6 61 74 32 4E N.a......r9&8-t.`....}..at2N
000000C4 74 09 83 C7 20 3B FB 72 E6 EB DC A0 FB 7D B4 7D 8B F0 AC 98 40 74 0C 48 74 13 B4 0E t... ;.r.....}.}....@t.Ht...
000000E0 BB 07 00 CD 10 EB EF A0 FD 7D EB E6 A0 FC 7D EB E1 CD 16 CD 19 26 8B 55 1A 52 B0 01 .........}....}......&.U.R..
000000FC BB 00 00 E8 3B 00 72 E8 5B 8A 56 24 BE 0B 7C 8B FC C7 46 F0 3D 7D C7 46 F4 29 7D 8C ....;.r.[.V$..|...F.=}.F.)}.
00000118 D9 89 4E F2 89 4E F6 C6 06 96 7D CB EA 03 00 00 20 0F B6 C8 66 8B 46 F8 66 03 46 1C ..N..N....}..... ...f.F.f.F.
00000134 66 8B D0 66 C1 EA 10 EB 5E 0F B6 C8 4A 4A 8A 46 0D 32 E4 F7 E2 03 46 FC 13 56 FE EB f..f....^...JJ.F.2....F..V..
00000150 4A 52 50 06 53 6A 01 6A 10 91 8B 46 18 96 92 33 D2 F7 F6 91 F7 F6 42 87 CA F7 76 1A JRP.Sj.j...F...3......B...v.
0000016C 8A F2 8A E8 C0 CC 02 0A CC B8 01 02 80 7E 02 0E 75 04 B4 42 8B F4 8A 56 24 CD 13 61 .............~..u..B...V$..a
00000188 61 72 0B 40 75 01 42 03 5E 0B 49 75 06 F8 C3 41 BB 00 00 60 66 6A 00 EB B0 4E 54 4C ar.@u.B.^.Iu...A...`fj...NTL
000001A4 44 52 20 20 20 20 20 20 0D 0A 52 65 6D 6F 76 65 20 64 69 73 6B 73 20 6F 72 20 6F 74 DR ..Remove disks or ot
000001C0 68 65 72 20 6D 65 64 69 61 2E FF 0D 0A 44 69 73 6B 20 65 72 72 6F 72 FF 0D 0A 50 72 her media....Disk error...Pr
000001DC 65 73 73 20 61 6E 79 20 6B 65 79 20 74 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 ess any key to restart......
000001F8 00 00 00 AC CB D8 55 AA F0 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ......U.....................
00000214 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............................
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2B C0 02 2D E0 02 2F 00 03 31 20 03 33 ...............+..-../..1 .3
0000024C 40 03 35 60 03 37 80 03 39 A0 03 3B C0 03 3D E0 03 3F 00 04 41 20 04 43 40 04 45 60 @.5`.7..9..;..=..?..A .C@.E`
00000268 04 47 80 04 FF AF 04 4B C0 04 4D F0 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .G.....K..M.................

The floppy is formatted with MSDOS and the filesystem is FAT12. Can I skip the description of the FAT filesystem? ;-) OK, OK, let's just say that the floppy has a structure like this:

#sector      content
0            BOOT
1            1st FAT
1+sec/FAT    2nd FAT
....
m            Root directory entries
....
n            File data

From the boot sector some information can be retrieved:
1) The disk has (only) 2 FATs
2) Each FAT is 0x1200 bytes long (9 sectors = 9*512 = 4608 bytes)
3) The 1st FAT begins at 0x200 (after the boot record)
4) The 2nd FAT begins at 0x1400 (after the 1st FAT)
5) The directory entries start at 0x2600
6) The data region starts at 0x3E00

2. The First File

Let's go to the root directory entries on the image. We can see three directory entries:

00002600 E5 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF .d.o.c..........................
00002620 E5 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 .J.i.m.m.y.... .J.u.n.g.l...e...
00002640 E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 .IMMYJ~1DOC .h8F+-+-..Ou.,...P..
00002660 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bg.c. . . .... . . . . . ... . .
00002680 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 .c.o.v.e.r.... .p.a.g.e.....j.p.
000026A0 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00 COVERP~1JPG .mMF+-+-...C+-...<..
000026C0 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bi.t.s...e....x.e. . . . ... . .
000026E0 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 .S.c.h.e.d....u.l.e.d. .V...i.s.
00002700 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 SCHEDU~1EXE .SSF+-+-...B.,I.....

There are ***THREE*** entries in the root directory. But if I mount the image with a command like this:

[nicola@Westeros nicola]# mount -o loop image /mnt/sotm

and give

[nicola@Westeros nicola]$ ls -lQa /mnt/sotm

I can see only

drwxr-xr-x 2 root root 7168 gen 1 1970 "."
drwxr-xr-x 9 root root 4096 set 2 11:08 ".."
-rwxr-xr-x 1 root root 15585 set 11 08:30 "cover page.jpgc "
-rwxr-xr-x 1 root root 1000 mag 24 08:20 "schedu~1.exe"

There's a deleted file!!! (Thanks to the initial byte of this file's directory entry, which is set to 0xE5.) If I remember correctly from when I used MSDOS, the undelete program couldn't reconstruct the first character of the file name because it had been overwritten with E5.

Now the first thing to do is to reconstruct the file:
a) Unmount the image.
b) Edit the directory entry in the image file in this way (undelete the file by substituting the first byte of the three rows):

00002600 42 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF .d.o.c.......................... | Standard value
00002620 01 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 .J.i.m.m.y.... .J.u.n.g.l...e... | Standard value
00002640 4A 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 JIMMYJ~1DOC .h8F+-+-..Ou.,...P.. | Letter "J"

c) Save the image, remount it and read the "Jimmy Jungle.doc" file.

Now we can open the file "Jimmy Jungle.doc". Oh, no! It's truncated!

Now let's look at the FAT table: the second sector (address 0x200, the start of the 1st FAT) contains

00000200 F0 FF FF 03 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....@...........................
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2B ...............................+
00000240 C0 02 2D E0 02 2F 00 03 31 20 03 33 40 03 35 60 03 37 80 03 39 A0 03 3B C0 03 3D E0 03 3F 00 04 ..-../..1 .3@.5.7..9..;..=..?..
00000260 41 20 04 43 40 04 45 60 04 47 80 04 FF AF 04 4B C0 04 4D F0 FF 00 00 00 00 00 00 00 00 00 00 00 A .C@.E.G.....K..M.............

The FAT table is surely damaged, and so is the 2nd FAT! A good way to hide data!

Two ways of solving the problem:
1) reconstruct the FAT table (MSDOS, on a floppy disk, wrote files sequentially!!)
2) dump the image and get the data of the file (hoping there is no damaged cluster)

I chose the first. I wrote a file (the same size as "Jimmy Jungle.doc") on a floppy disk, dumped an image of it and compared the FATs. Now I'm able to reconstruct the FAT table in this way:

00000200 F0 FF FF 03 40 00 05 60 00 07 80 00 09 A0 00 0B C0 00 0D E0 00 0F 00 01 11 20 01 13 40 01 15 60 ....@.. ...................@..
00000220 01 17 80 01 19 A0 01 1B C0 01 1D E0 01 1F 00 02 21 20 02 23 40 02 25 60 02 27 80 02 29 A0 02 2B ................! .#@.%.'..)..+
00000240 C0 02 2D E0 02 2F 00 03 31 20 03 33 40 03 35 60 03 37 80 03 39 A0 03 3B C0 03 3D E0 03 3F 00 04 ..-../..1 .3@.5.7..9..;..=..?..
00000260 41 20 04 43 40 04 45 60 04 47 80 04 FF AF 04 4B C0 04 4D F0 FF 00 00 00 00 00 00 00 00 00 00 00 A .C@.E.G.....K..M.............

Remount the image file in loop. Whoah!! Here's the dump of "Jimmy Jungle.doc":

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Jimmy:

Dude, your pot must be the best it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia. These kids, they tell me marijuana isn't addictive, but they don't stop buying from me. Man, I'm sure glad you told me about targeting the high school students. You must have some experience. It's like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I'm an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year! I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive. Tell me what you think. To open it, use the same password that you sent me before with that file.

Talk to you later.

Thanks,
Joe

There are still two files to retrieve. Let's get to work!

3. The Second File

Before starting: could it be that the coverpage.jpg file contains the password to unzip the file "SCHEDU~1.exe"?
Probably yes ;-)

The second file is "cover page.jpg ": it is important because it contains the password that encrypts the zipped file. The file itself is not very important: it appears to be a JPEG file. But it's empty!!! Where is the password??? When I dumped the image I found that the file starts here:

00009200 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08 ......JFIF...........C........
00009220 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20 ........................... $.'
00009240 22 2C 23 1C 1C 28 37 29 2C 30 31 34 34 34 1F 27 39 3D 38 32 3C 2E 33 34 32 FF DB 00 43 01 09 09 ",#..(7),01444.'9=82<.342...C...
00009260 09 0C 0B 0C 18 0D 0D 18 32 21 1C 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ........2!.!22222222222222222222
00009280 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 FF C0 222222222222222222222222222222..
000092A0 00 11 08 00 C7 00 D0 03 01 22 00 02 11 01 03 11 01 FF C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 ........."......................
000092C0 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 ................................
000092E0 05 04 04 00 00 01 7D 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 ......}........!1A..Qa."q.2....#
00009300 42 B1 C1 15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 39 3A B...R..$3br........%&'()*456789:
00009320 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A CDEFGHIJSTUVWXYZcdefghijstuvwxyz
00009340 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 ................................
00009360 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 ................................
00009380 F2 F3 F4 F5 F6 F7 F8 F9 FA FF C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 ................................
000093A0 02 03 04 05 06 07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 ..............................w.
000093C0 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09 23 33 52 F0 15 ......!1..AQ.aq."2...B.....#3R..
000093E0 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37 38 39 3A 43 44 45 46 47 48 49 br...$4.%.....&'()*56789:CDEFGHI
00009400 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 JSTUVWXYZcdefghijstuvwxyz.......
[...snip...]
0000CEC0 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 FF ...(...(...(...(...(...(...(....
0000CEE0 D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
0000CF00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
0000CF20 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 pw=goodtimes....................

This "pw=goodtimes" sounds very interesting; it could be the password, but we are pedantic: we want to reconstruct the image itself. Now:
1) from the root directory entry, the file is 0x3c31 long
2) in fact the file starts at 0x9200 and finishes at 0xCF31, so the real size is 0x3d31

Write the new value in the root directory entry:

00002600 42 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF Bd.o.c..........................
00002620 01 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 .J.i.m.m.y.... .J.u.n.g.l...e...
00002640 4A 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 JIMMYJ~1DOC .h8F+-+-..Ou.,...P..
00002660 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bg.c. . . .... . . . . . ... . .
00002680 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 .c.o.v.e.r.... .p.a.g.e.....j.p.
000026A0 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 31 3D 00 00 COVERP~1JPG .mMF+-+-...C+-@.1=..
|| || here!
000026C0 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bi.t.s...e....x.e. . . . ... . .
000026E0 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 .S.c.h.e.d....u.l.e.d. .V...i.s.
00002700 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 70 09 00 00 SCHEDU~1EXE .SSF+-+-...B.,I.p...

After that I noticed that in the directory entry the initial sector is wrong! It points to the wrong zone of the floppy! Why? It's simple. The file data region starts at 0x3E00, and the data of the first file starts at the second sector of the data region:

00002600 42 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF Bd.o.c..........................
00002620 01 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 .J.i.m.m.y.... .J.u.n.g.l...e...
00002640 4A 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 JIMMYJ~1DOC .h8F+-+-..Ou.,...P..
|| second sector <---------------------------------------

In fact 0x3E00 + 2 * 0x200 = 0x4200, where 0x200 (= 512 bytes) is the size of a cluster. So, as hexedit shows, the first file starts at 0x4200.

The same for the third file:

000026C0 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bi.t.s...e....x.e. . . . ... . .
000026E0 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 .S.c.h.e.d....u.l.e.d. .V...i.s.
00002700 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 SCHEDU~1EXE .SSF+-+-...B.,I.....
|| 0x49 = 73rd sector <-------------------------------------------

The third file's data starts at 0x3E00 + 0x49 * 0x200 = 0xd000. That's right!

Where does the second file start?

00002660 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bg.c. . . .... . . . . . ... . .
00002680 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 .c.o.v.e.r.... .p.a.g.e.....j.p.
000026A0 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 31 3D 00 00 COVERP~1JPG .mMF+-+-...C+-@.1=..
|| Absurd!!! False!!! <--------

Remember the dump:

00009200 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08 ......JFIF...........C........
00009220 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20 ........................... $.'

The second file starts at 0x9200. But 0x9200 = 0x3E00 + 0x200 * 0x2A -->> so the starting sector of the jpeg file is 0x2A. Now put this value in the directory entry:

00002660 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bg.c. . . .... . . . . . ... . .
00002680 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 .c.o.v.e.r.... .p.a.g.e.....j.p.
000026A0 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 2B 2D 2B 2D 00 00 DA 43 2B 2D 2A 00 31 3D 00 00 COVERP~1JPG .mMF+-+-...C+-@.1=..
|| here!

Save the image and remount with the loop option, and we have a good image which says:

"POT SMOKERS MONTHLY
Your monthly guide to the best pot on the plant (what does the image represent?)
This month's featured pot grower, smpker and seller is Jimmy Jungle."
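Everything done by hand in sections 1 to 3 (reading the region offsets out of the boot sector, spotting the 0xE5 deleted-entry marker, walking the FAT chain until it breaks, rebuilding it sequentially, and turning a starting cluster into a byte offset) can be checked from the image itself. The Python below is an added example written for this page; it is not code from the writeup or from the Scan of the Month. It embeds the bytes shown in the hex dumps above (the first 0x3E bytes of the boot sector, the three 8.3 root entries as first found, the first 0x80 bytes of the damaged FAT) as constructed in-memory data, so it runs without the image; the function names are this example's own. One note on the 0x3E00 figure used above: the root directory holds 224 entries (0xE0 at offset 17 of the boot sector), so it occupies 0x1C00 bytes and the data area proper begins at 0x4200; because the first data cluster is numbered 2, cluster N lies at 0x4200 + (N-2)*0x200, which is the same number as 0x3E00 + N*0x200. The rebuild below also writes an end-of-chain mark (0xFFF) into the last cluster of the repaired file, which the hand-made FAT above leaves pointing at the next file's first cluster (entry 0x29 reads 0x02A there); the driver stops at the size field either way, but a filesystem check would report the two chains as cross-linked.

```python
import struct

# Boot sector: bytes 0x00-0x3D copied from the hexedit dump in section 1. The rest of
# the sector is boot code, so it is zero-filled here and only the 0x55AA signature kept.
BOOT = bytearray(bytes.fromhex(
    "EB3C904D53444F53352E30000201010002E000400BF0090012000200"
    "0000000000000000000029CFCDB1C44E4F204E414D45202020204641"
    "543132202020"))
BOOT += bytes(512 - len(BOOT))
BOOT[510:512] = b"\x55\xAA"

# The three 8.3 root-directory entries as first found in section 2, before any edit.
ROOT_ENTRIES = [bytes.fromhex(h) for h in (
    "E5494D4D594A7E31444F4320006838462B2D2B2D00004F758F2C020000500000",  # ?IMMYJ~1.DOC, deleted
    "434F564552507E314A504720006D4D462B2D2B2D0000DA432B2DA401E13C0000",  # COVERP~1.JPG
    "5343484544557E3145584520005353462B2D2B2D00009042B82C4900E8030000",  # SCHEDU~1.EXE
)]

# First FAT as found (bytes 0x200-0x27F of the dump in section 2); everything else is zero.
FAT = bytearray(9 * 512)
FAT[0:6] = bytes.fromhex("F0FFFF034000")
FAT[0x3F:0x3F + 54] = bytes.fromhex(
    "2BC0022DE0022F00033120033340033560"
    "0337800339A0033BC0033DE0033F0004"
    "412004434004456004478004FFAF044BC0044DF0FF")


def parse_bpb(sector):
    """Decode the BIOS Parameter Block fields a FAT12 driver needs."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing boot signature")
    (bps, spc, reserved, fats, root_entries, total_sectors, media,
     spf, spt, heads) = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    return dict(bytes_per_sector=bps, sectors_per_cluster=spc, reserved=reserved,
                fats=fats, root_entries=root_entries, total_sectors=total_sectors,
                media=media, sectors_per_fat=spf, sectors_per_track=spt, heads=heads,
                fs_type=sector[54:62].decode("ascii").strip())


def layout(bpb):
    """Byte offsets of each region, derived from the BPB instead of assumed."""
    bps = bpb["bytes_per_sector"]
    fat1 = bpb["reserved"] * bps
    fat_len = bpb["sectors_per_fat"] * bps
    root = fat1 + bpb["fats"] * fat_len
    return dict(fat1=fat1, fat2=fat1 + fat_len, root=root,
                data=root + bpb["root_entries"] * 32,
                cluster=bpb["sectors_per_cluster"] * bps)


def cluster_offset(lay, n):
    """Data clusters are numbered from 2, so cluster n sits (n-2) clusters into the data area."""
    return lay["data"] + (n - 2) * lay["cluster"]


def parse_dir_entry(raw):
    """Decode a 32-byte 8.3 entry; LFN pieces (attr 0x0F) carry no cluster or size."""
    if raw[11] == 0x0F:
        return dict(lfn=True)
    deleted = raw[0] == 0xE5                  # first name byte is overwritten on delete
    name = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("latin-1").rstrip()
    first_cluster, size = struct.unpack_from("<HI", raw, 26)
    return dict(lfn=False, deleted=deleted, name=name,
                ext=raw[8:11].decode("latin-1").rstrip(),
                first_cluster=first_cluster, size=size)


def fat12_get(fat, n):
    """Read 12-bit entry n: two entries share three little-endian bytes."""
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0x0FFF)


def fat12_set(fat, n, val):
    """Write 12-bit entry n without disturbing the neighbour packed beside it."""
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    v = (v & 0x000F) | (val << 4) if n & 1 else (v & 0xF000) | (val & 0x0FFF)
    fat[off], fat[off + 1] = v & 0xFF, v >> 8


def follow_chain(fat, start, limit=2880):
    """Walk a chain from `start`; the flag says whether it ended on an end-of-chain mark."""
    chain, n = [], start
    while 2 <= n < 0xFF0 and len(chain) < limit:
        chain.append(n)
        n = fat12_get(fat, n)
    return chain, n >= 0xFF8                  # False: walk hit a free (0) or reserved entry


def rebuild_sequential(fat, start, count):
    """Repair the chain of a file MS-DOS wrote contiguously: n -> n+1, last -> 0xFFF."""
    for n in range(start, start + count - 1):
        fat12_set(fat, n, n + 1)
    fat12_set(fat, start + count - 1, 0xFFF)


def clusters_needed(size, cluster_size):
    return -(-size // cluster_size)           # ceiling division


if __name__ == "__main__":
    lay = layout(parse_bpb(BOOT))
    print({k: hex(v) for k, v in lay.items()})
    for raw in ROOT_ENTRIES:
        e = parse_dir_entry(raw)
        chain, ok = follow_chain(FAT, e["first_cluster"])
        print(e["name"], e["ext"], "deleted" if e["deleted"] else "", hex(e["size"]),
              "data at", hex(cluster_offset(lay, e["first_cluster"])),
              "chain of", len(chain), "clusters,", "complete" if ok else "BROKEN")
    doc = parse_dir_entry(ROOT_ENTRIES[0])
    fixed = bytearray(FAT)
    rebuild_sequential(fixed, doc["first_cluster"], clusters_needed(doc["size"], lay["cluster"]))
    print("after rebuild:", follow_chain(fixed, doc["first_cluster"]))
```

Run as-is it prints the region offsets (0x200, 0x1400, 0x2600, 0x4200), reports the deleted DOC entry with a chain that stops after cluster 4, the JPG entry whose first cluster 0x1A4 points at an empty FAT entry, the intact EXE chain 0x49-0x4D, and then the 40-cluster chain 2-0x29 after the rebuild.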
As Joe said in the letter, the password was stored in a file, but not in "Jimmy Jungle.doc". Surely it is in this file: dump the JPEG file, and in the final bytes there's a

00003D20 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 00 pw=goodtimes.....

The password to decrypt the zipped file (probably) is "goodtimes".

4. The Third File

Just look at the third directory entry:

000026C0 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bi.t.s...e....x.e. . . . ... . .
000026E0 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 .S.c.h.e.d....u.l.e.d. .V...i.s.
00002700 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 SCHEDU~1EXE .SSF+-+-...B.,I.....

The file size is 0x03E8 (= 1000 bytes). If I dump the floppy image and search for the file (it starts with PK.... --> it's a Zip file), I can see that it is stored from

0000D000 50 4B 03 04 14 00 01 00 08 00 98 5A B7 2C C7 55 60 8D EA 08 00 00 00 42 00 00 14 00 00 00 53 63 PK.........Z.,.U......B......Sc

to

0000D960 05 06 00 00 00 00 01 00 01 00 42 00 00 00 1C 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..........B.....................

So the file is 0xD970 - 0xD000 = 0x970 bytes long (= 2416). So the information in the entry is wrong! Just correct the entry in the directory: I wrote the value 70 09 in place of E8 03 in the image file:

000026C0 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 Bi.t.s...e....x.e. . . . ... . .
000026E0 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 .S.c.h.e.d....u.l.e.d. .V...i.s.
00002700 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 70 09 00 00 SCHEDU~1EXE .SSF+-+-...B.,I.....
|| || here!
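Measuring the archive by eye in the hex dump works, but a ZIP carries its own length: the end-of-central-directory record (signature PK 05 06) stores the offset and size of the central directory, and the archive ends 22 bytes (plus any comment) after that record begins. In the dump above the record's signature sits at 0xD95E, the row shown at 0xD960 being its continuation, so the archive runs to 0xD974; the trailing zero bytes of the record are exactly what a hand count from the last interesting row tends to drop. The Python below is an added example written for this page, not the writeup's own code or any tool it used. It builds a constructed stand-in image with a small real ZIP placed at 0xD000 (the entry name is reused from the page, the contents are placeholder text), finds the PK 03 04 header the same way the writeup did, computes the true extent from the EOCD record, and packs the length into the four little-endian bytes that go at offset 28 of the 8.3 entry (the "70 09 00 00" step above). Function names are this example's own.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header, what the writeup searched for
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory record, the real end marker


def build_sample_image():
    """Constructed stand-in for the floppy: zeros with a small real ZIP at 0xD000,
    the cluster where the writeup found the archive. Returns (image, true zip length)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Scheduled Visits.xls",
                   b"constructed placeholder, not the real spreadsheet\n" * 40)
    blob = buf.getvalue()
    image = bytearray(2880 * 512)          # 1.44 MB floppy, all zeros
    image[0xD000:0xD000 + len(blob)] = blob
    return image, len(blob)


def find_local_headers(image):
    """Offsets of every PK 03 04 in the image: the same search done by hand above."""
    hits, pos = [], image.find(LOCAL_SIG)
    while pos != -1:
        hits.append(pos)
        pos = image.find(LOCAL_SIG, pos + 1)
    return hits


def zip_extent(image, start):
    """(start, end) of the archive whose first local header is at `start`.
    The end comes from the EOCD record: central-directory offset + size + the 22-byte
    record + any comment. A stray PK 05 06 inside compressed data is rejected because
    its offsets would not point back at a central directory ending where it begins."""
    if image[start:start + 4] != LOCAL_SIG:
        raise ValueError("no local file header at %#x" % start)
    pos = image.find(EOCD_SIG, start)
    while pos != -1 and pos + 22 <= len(image):
        (_disk, _cd_disk, _n_disk, _n_total, cd_size, cd_offset,
         comment_len) = struct.unpack_from("<HHHHIIH", image, pos + 4)
        if start + cd_offset + cd_size == pos:
            return start, pos + 22 + comment_len
        pos = image.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent EOCD record after %#x" % start)


def archive_names(image, start, end):
    """Open the carved slice as a ZIP to prove the extent is right."""
    return zipfile.ZipFile(io.BytesIO(bytes(image[start:end]))).namelist()


def size_field(length):
    """Little-endian value for the 4-byte size field at offset 28 of the 8.3 entry."""
    return struct.pack("<I", length)


if __name__ == "__main__":
    image, true_len = build_sample_image()
    start = find_local_headers(image)[0]
    s, e = zip_extent(image, start)
    print("archive at %#x-%#x, %d bytes (zip actually written: %d)" % (s, e, e - s, true_len))
    print("directory size field:", size_field(e - s).hex(" "))
    print("carved slice opens cleanly, contains", archive_names(image, s, e))
```

The consistency check in zip_extent is what makes the search safe on a real image: deflated data can contain any byte sequence, so the first PK 05 06 found is only trusted if its central-directory offset and size land exactly on the record itself.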
Save the image and remount it in loop:

[nicola@Westeros nicola]# mount -o loop image /mnt/sotm
[nicola@Westeros nicola]$ ls -lQa /mnt/sotm
drwxr-xr-x 2 root root 7168 gen 1 1970 "."
drwxr-xr-x 9 root root 4096 set 2 11:08 ".."
-rwxr-xr-x 1 root root 20480 apr 15 14:42 "Jimmy Jungle.doc"
-rwxr-xr-x 1 root root 15585 set 11 08:30 "cover page.jpgc "
-rwxr-xr-x 1 root root 2416 mag 24 08:20 schedu~1.exe

It's time to look inside the last file. It's a zip archive:
1) I used the old Solaris pkzip to fix the zip (yes, it had some errors)
2) After that I used the Linux unzip to decrypt the file with the password "goodtimes".

It's an Excel file: "Scheduled Visits.xls"

-rw-rw-rw- 1 nicola nicola 16896 mag 23 11:20 Scheduled Visits.xls

I opened it with OpenOffice and this is the result:

Month   DAY             HIGH SCHOOLS 2002
April   Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)
        Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)
May     Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)
June    Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)
        Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)

Nice, isn't it?