28 October 2020, 21:17 | #21
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,985
Hi guys, after some tests with your database and ADFW, I realized that some bootblocks can be identified by 2 or even 3 different signatures (279 bootblocks at the moment)!
The reason is obvious: identifying 1024 bytes of content with only 7 bytes is really too weak. This method was common in the antivirus software of the '90s for speed and memory reasons, but in 2020... it is not reasonable if you are looking for reliability and accuracy. Please note that I do not consider a possible false positive!

Examples of results:
Copy Protection/Copylock Amiga 1988-1991 FAIRLIGHT
Boot Loader/Fairlight Crack Bootblock
Standard/DOS Cleared Bootblock [Non Bootable]
Boot Loader/Fairlight Crack Bootblock
Boot Loader/Bootblock Maker Custom
Boot Loader/Bootblockmaker Custom => Real duplicate!
Utility/DynamiteDOS v5 by Stryx
Boot Loader/Jungle Command Bootleg 2.1
Boot Loader/Galdregons Domain Loader
Boot Loader/Pandora Boot Loader
Boot Loader/Holodream BootLoader v3.3
Boot Loader/RattleHead Slayer v1.0
Utility/OmniBoot v2.3 by KRIS of Anarchy
Boot Loader/RattleHead Slayer v1.0
Utility/OmniBoot v3.2 by KRIS of Anarchy
Boot Loader/RattleHead Slayer v1.0
Utility/OmniBoot v5.1 by KRIS of Anarchy
Boot Loader/RattleHead Slayer v1.0
Boot Loader/Loriciel Game Bootloader
Boot Loader/RattleHead Slayer v1.0
Boot Loader/Fairlight Crack Bootblock
Boot Loader/RattleHead Slayer v1.0
Logo/NoVirus Bootblock by Nic Wilson
Boot Loader/Roger Fischlin's BootIntro 1.0
Boot Loader/RattleHead Slayer v1.0
Boot Loader/TDC Design Boot
Boot Loader/Unknown Bootloader
Boot Loader/Unknown Bootloader 3
Scroller/RattleHead MovieScroll Bootsimulator v2
Boot Loader/Unknown Bootloader 3
...
Scroller/Amiga Text Scroller 8
Logo/Mosh Boot Logo
Logo/PowerSlaves Logo
28 October 2020, 23:42 | #22
Registered User
Join Date: Feb 2019
Location: Adelaide / SA / Australia
Age: 44
Posts: 8
Hello Crashdisk,
I see what you are saying, and yes, the detection is prone to the accidental creation of duplicate entries in the brainfile, but I am not sure what the alternative would be. We could do a CRC match, but it would mean any bootblocks with variable information (such as boot menus or scrollers) would detect as unknown. Just using a system which matches strings in a bootblock would only work with unencrypted bootblocks, and I am not sure how it would work with many viruses which have no identifiable text. In regard to the brainfile entries listed above: are these bootblocks with the same 7-byte detection, or very similar? Thank you for your feedback, by the way! It's been very useful and helps @jasonver2.0 and me.
29 October 2020, 01:12 | #23
ABR Creator
Join Date: Mar 2006
Location: Australia
Age: 44
Posts: 178
Hey crashdisk,
Yeah, I think I made it 7-char identification 12/13 years ago, and it hasn't changed since the first version of ABR. A big part of it was that Jordan and I added all 2100+ bootblocks manually by using the program itself, trying to pick bytes that uniquely identify each bootblock. It was never a speed issue. It might be a good idea for primary detection to rely on CRC32 on static bootblocks and byte detection on variable ones. The idea then would be to increase the number of bytes it checks to reduce multiple detections like you say. I'll work on it.
29 October 2020, 15:05 | #24
Moderator
Join Date: Jun 2009
Location: France
Age: 46
Posts: 1,985
Hi guys,
For my part, I never liked the idea of having to choose the bytes for detection. Why some bytes and not others? So I took it the other way around: I take all the bytes except the ones I don't want! How do I do it? I use a filter based on the pattern of the useful bytes... 1 bit = 2 bytes.
Code:
----------------------------------------------------------------------
|$0000|DOS.À .....pCú..N®ÿ J€g. @ h..p.Nupÿ`údos.library...............|
|$0040|................................................................|
|$0080|................................................................|
|$00C0|................................................................|
|$0100|................................................................|
|$0140|................................................................|
|$0180|................................................................|
|$01C0|................................................................|
|$0200|................................................................|
|$0240|................................................................|
|$0280|................................................................|
|$02C0|................................................................|
|$0300|................................................................|
|$0340|................................................................|
|$0380|................................................................|
|$03C0|................................................................|
----------------------------------------------------------------------
Pattern > 03FFFF80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
I set the data that are not selected to 0 and then calculate the checksum.
CRC > D40F3800
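To make the masking concrete, here is an added Python example (not Crashdisk's tool or ABR code) that applies the quoted pattern to the standard Kickstart 1.3 DOS bootblock shown in the dump: each pattern bit selects one 2-byte word, unselected bytes are zeroed, and a CRC is taken over the result. It assumes MSB-first bit order (which makes 03FFFF80 cover bytes 12 to 49, the boot code after the "DOS" header, checksum and root block) and uses zlib CRC32 as an assumption, since the post does not name its CRC variant, so the value need not equal D40F3800.

```python
import zlib

# Constructed sample: the standard Kickstart 1.3 DOS bootblock from the dump
# ("DOS", checksum C0200F19, root block 880, boot code, "dos.library"),
# zero-padded to the full 1024 bytes.
STANDARD_BOOTBLOCK = bytes.fromhex(
    "444f5300c0200f1900000370"                # "DOS\0", checksum, root block
    "43fa00184eaeffa04a80670a204020680016"    # 68000 boot code ...
    "70004e7570ff60fa646f732e6c696272617279"  # ... and "dos.library"
    "00"
).ljust(1024, b"\x00")

# Pattern quoted in the post: 128 hex digits = 512 bits, one bit per 16-bit
# word of the 1024-byte bootblock. Assumed bit order: MSB first.
PATTERN = "03FFFF80" + "0" * 120

def pattern_to_mask(pattern_hex):
    """Expand the hex pattern into one keep/drop flag per bootblock byte."""
    bits = bin(int(pattern_hex, 16))[2:].zfill(len(pattern_hex) * 4)
    mask = []
    for bit in bits:
        mask.extend([bit == "1"] * 2)  # each bit covers a 2-byte word
    return mask

def selected_ranges(pattern_hex):
    """Byte offsets the pattern keeps, as (start, end) pairs, end exclusive."""
    ranges, start = [], None
    for i, keep in enumerate(pattern_to_mask(pattern_hex) + [False]):
        if keep and start is None:
            start = i
        elif not keep and start is not None:
            ranges.append((start, i))
            start = None
    return ranges

def apply_pattern(bootblock, pattern_hex):
    """Zero every byte the pattern does not select; keep the rest unchanged."""
    mask = pattern_to_mask(pattern_hex)
    return bytes(b if keep else 0 for b, keep in zip(bootblock, mask))

def masked_crc(bootblock, pattern_hex):
    """CRC of the masked block as 8 hex digits. Assumption: zlib CRC32; the
    post does not name its CRC variant, so this need not equal D40F3800."""
    return "%08X" % zlib.crc32(apply_pattern(bootblock, pattern_hex))

if __name__ == "__main__":
    print(selected_ranges(PATTERN))  # [(12, 50)]: the code after the header
    print(masked_crc(STANDARD_BOOTBLOCK, PATTERN))
```

Because the checksum and root-block fields fall outside the pattern, two copies of the same boot code that differ only there hash identically, while any change inside the selected code changes the CRC.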