Win9x DMF floppy user/org writing.
Page 1 of 1

Author:  The Distractor [ Sat Sep 17, 2016 7:55 pm ]
Post subject:  Win9x DMF floppy user/org writing.

I recently was led into this research because something wasn't quite right with a set of DMF images made from a folder dump. Setup was erroring out, obviously trying to read the "name/org" data written to Disk 2.

Some research led me to find out that this data is actually written to track 0, sector 0 of the floppy, right after the actual BPB/boot sector data, at offset 0x94:

#include <stdint.h>

struct diskusagedata {
  uint16_t magic;          // 0x5555
  uint16_t offsetchecksum; // 0x1FA - <offset to magic>
  uint16_t length;
  char data[];             // `length` bytes follow (flexible array member)
};

On an untouched Windows 95 Disk 2, length and data should be entirely zeroes.

On a touched Disk 2, length is 0x54.

The data is encrypted with a hardcoded XOR key:
#include <stdint.h>

char dataxorkey[] = "sdfERzs@$&%|])\x13\x9f"; // 16 bytes
void decryptdata(char *data, uint16_t length) {
  int i;
  for (i = 0; i < length; i++) {
    data[i] ^= dataxorkey[i % 0x10]; // key repeats every 16 bytes
  }
}

After decryption, the data is in the following structure:
struct decrypteddiskusage {
  char name[0x1e];   // 30 bytes
  char org[0x1e];    // 30 bytes
  char serial[0x18]; // 24 bytes; 0x54 total, matching the length field above
};

The strings are null terminated and padded with what seems to be an information leak.
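Putting the three pieces together, here is an added example (C, not code from the post) that validates the diskusagedata header at 0x94, decrypts the block and splits it into the name/org/serial fields. It assumes little-endian fields, reads offsetchecksum as 0x1FA - 0x94, and builds a constructed sample sector with a made-up name and a placeholder serial.

```c
/* Added example, not from the post: validate and decode the diskusagedata
 * block at 0x94 of a DMF boot sector. Layout and XOR key follow the post;
 * offsetchecksum is read as 0x1FA - 0x94. The sample sector is constructed. */
#include <stdint.h>
#include <string.h>
#define DU_OFFSET 0x94
#define DU_MAGIC  0x5555
#define SECTOR    512

static const char dataxorkey[] = "sdfERzs@$&%|])\x13\x9f";
struct decrypteddiskusage { char name[0x1e]; char org[0x1e]; char serial[0x18]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* XOR with the 16-byte key is its own inverse: encrypts and decrypts. */
void cryptdata(uint8_t *data, uint16_t length) {
  for (uint16_t i = 0; i < length; i++) data[i] ^= (uint8_t)dataxorkey[i % 0x10];
}

/* 0: decoded into *out; 1: untouched disk (length 0); negative: a check failed. */
int parse_diskusage(const uint8_t *sector, size_t sectorlen, struct decrypteddiskusage *out) {
  if (sectorlen < DU_OFFSET + 6) return -1;
  const uint8_t *p = sector + DU_OFFSET;
  if (rd16(p) != DU_MAGIC) return -2;                          /* magic 0x5555 */
  if (rd16(p + 2) != (uint16_t)(0x1FA - DU_OFFSET)) return -3; /* offsetchecksum */
  uint16_t len = rd16(p + 4);
  if (len == 0) return 1;
  if (len != sizeof *out || (size_t)(DU_OFFSET + 6 + len) > sectorlen) return -4;
  memcpy(out, p + 6, len);
  cryptdata((uint8_t *)out, len);
  /* terminate each field so padding (the "information leak") cannot overrun it */
  out->name[sizeof out->name - 1] = 0;
  out->org[sizeof out->org - 1] = 0;
  out->serial[sizeof out->serial - 1] = 0;
  return 0;
}

/* Constructed sample: a touched Disk 2 with a made-up name and placeholder serial. */
void build_sample_sector(uint8_t sector[SECTOR]) {
  struct decrypteddiskusage rec;
  memset(&rec, 0, sizeof rec);
  strcpy(rec.name, "Example User");
  strcpy(rec.serial, "00000-000-0000000-00000"); /* placeholder, not a real key */
  memset(sector, 0, SECTOR);
  uint8_t *p = sector + DU_OFFSET;
  wr16(p, DU_MAGIC); wr16(p + 2, 0x1FA - DU_OFFSET); wr16(p + 4, sizeof rec);
  memcpy(p + 6, &rec, sizeof rec);
  cryptdata(p + 6, sizeof rec);
}
```

Feed a real sector 0 to parse_diskusage to check whether an image still carries a previous owner's record before you distribute it; a return of 1 is what an untouched Disk 2 should give.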

For example, take a look at the current (because I'm sure this touched disk 2 will be rectified soon!) disk 2 of Windows 95 4.00.499 on the FTP:

Here's the whole diskusagedata block, from 0x94 until the end of the sector, base64'd:

After decryption, you can easily see that this disk 2 was previously used by:
Name: Toni L Lynch
Company: <blank>
Serial: 26104-080-0223635-50681

...which is (almost) exactly what the setup tells you (it regens the last 5 chars of the serial, by generating 5 new random digits):

