
Help with recovery

Open lordnecro0 opened this issue 5 years ago • 43 comments

hey guys, i had the drive removed from the caddy, was stupidly connected to windows, now connected to a ubuntu box with sata. I have tried most of the commands, finding a step by step on here is hard. drive starts to decrypt, generates a 1.2GB file and then errors: "error running decrypt: open /media/tech/Data/~TechBackups/#33029/decrypted.img: file exists

sudo ./reallymine getdek /dev/sda
bridge type Initio
DEK: 8A9A41F4F62B8AEBBE410A5852F1E9BE06A40B82492DBBA744286D3E57FEE2E3
decryption steps: swaplongs decrypt swaplongs

@:~/go/bin$ sudo ./reallymine dumplast /dev/sda outfile.bin
sector at 0x15D50F65E00

@:~/go/bin$ sudo ./reallymine dumpkeysector /dev/sda outfile.bin
sector at 0x15D50D01000
bridge type Initio

@:~/go/bin$ sudo file -s /dev/sda
/dev/sda: data

@:~/go/bin$ sudo dd if=/dev/sda skip=2048 count=1 status=none | hexdump 0000000 4299 8b7b 2dd3 3796 07f7 0ed3 856c af3d 0000010 e37e 075d 613f 4667 1adc 2d2b 74a2 4fb2 0000020 929d a2e2 1018 ede4 ce8a 5cf8 026a 1142 0000030 185f 1225 b242 e330 8d51 fd7e 397e a133 0000040 4d4d ec95 369b 9a20 8fc6 f52d f431 0ed7 0000050 9ff7 927e b215 d6c2 aed4 95fa 708d be91 0000060 45a3 7214 b846 d7be 5c2c f982 cfc6 82f4 0000070 7bbb 9ba4 bcac 9547 ceb0 3293 5938 a3d4 0000080 74e3 924e 2eb4 14c2 841d 7531 e836 3fd1 0000090 13c7 c495 9876 12ed 8e13 7b76 a083 af10 00000a0 37d2 a8a6 9df0 821b 306c 7ecd e951 eb4c 00000b0 ea99 6f13 f79e b7e4 05c9 6ef6 3589 bf00 00000c0 810d 3c4b e17c 4099 aba6 82b9 bda0 551a 00000d0 3b2e 5110 fb17 1610 f981 35f0 7ea1 ddd1 00000e0 1af9 6c91 5bfc e1cc 29d7 cb6f b5ae cb78 00000f0 9bb3 fdac d1ff 6c8a 3da9 b191 5caf 8877 0000100 706c 9a29 f327 fe1f 0793 40b9 522c 1bec 0000110 68b1 31c4 9fbb b4d7 58d3 910e 7ff3 a67e 0000120 9670 7c53 5fe2 c58a a7d2 48ad b443 1314 0000130 ca90 86d3 2799 0106 099f 1008 3b78 aed8 0000140 804b 1d3f 3125 5492 d5f1 2613 e99f f773 0000150 3039 c931 ffee 04df 36fb 2d17 d239 9ebd 0000160 8c9f 655c 05f0 6786 6370 db1d 97e8 830f 0000170 a99f 84b8 20e3 bd74 bc6e 53cd 5ff8 fff1 0000180 beb4 dbbe 3929 7fdf a7de 0b18 2fb7 113f 0000190 c375 a54e 77ce 6af9 4516 a429 eba0 c380 00001a0 cebf be9c de97 39ff 82b6 6fb2 c296 ae31 00001b0 711f 924f ac99 049c 7722 a50b 4e9b 80a1 00001c0 6348 550e df50 0847 b211 d4e3 2573 cbe1 00001d0 af76 f21b acf5 e83c 2dc6 ff02 2bea aed4 00001e0 cf13 2ef6 e1a3 ad7a f0d4 6a78 8007 1a5e 00001f0 1396 0136 f7df 23c2 47bc 4092 1af2 1c67 0000200

any suggestions?

lordnecro0 avatar Oct 09 '20 01:10 lordnecro0

The good news is that sector 2048 decrypts to the first block of an NTFS partition, so that wasn't ruined by Windows.

themaddoctor avatar Oct 09 '20 01:10 themaddoctor

cat lordnecro0-sector2048.hex | cut -b 8- | tr -d ' \n' | permute 4 2301 | permute 8 67452301 | xxd -p -r | openssl enc -d -aes-256-ecb -nopad -K `cat lordnecro0-DEK.hex` | permute 4 3210 | hexdump -C
00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 08 00 00  |........?.......|
00000020  00 00 00 00 80 00 80 00  ff 7f 93 ae 00 00 00 00  |................|
00000030  00 00 0c 00 00 00 00 00  ff 37 e9 0a 00 00 00 00  |.........7......|
00000040  f6 00 00 00 01 00 00 00  4c 13 62 6e 2c 62 6e 48  |........L.bn,bnH|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb b8 c0 07  |.....3.....|....|
00000060  8e d8 e8 16 00 b8 00 0d  8e c0 33 db c6 06 0e 00  |..........3.....|
00000070  10 e8 53 00 68 00 0d 68  6a 02 cb 8a 16 24 00 b4  |..S.h..hj....$..|
00000080  08 cd 13 73 05 b9 ff ff  8a f1 66 0f b6 c6 40 66  |...s......f...@f|
00000090  0f b6 d1 80 e2 3f f7 e2  86 cd c0 ed 06 41 66 0f  |.....?.......Af.|
000000a0  b7 c9 66 f7 e1 66 a3 20  00 c3 b4 41 bb aa 55 8a  |..f..f. ...A..U.|
000000b0  16 24 00 cd 13 72 0f 81  fb 55 aa 75 09 f6 c1 01  |.$...r...U.u....|
000000c0  74 04 fe 06 14 00 c3 66  60 1e 06 66 a1 10 00 66  |t......f`..f...f|
000000d0  03 06 1c 00 66 3b 06 20  00 0f 82 3a 00 1e 66 6a  |....f;. ...:..fj|
000000e0  00 66 50 06 53 66 68 10  00 01 00 80 3e 14 00 00  |.fP.Sfh.....>...|
000000f0  0f 85 0c 00 e8 b3 ff 80  3e 14 00 00 0f 84 61 00  |........>.....a.|
00000100  b4 42 8a 16 24 00 16 1f  8b f4 cd 13 66 58 5b 07  |.B..$.......fX[.|
00000110  66 58 66 58 1f eb 2d 66  33 d2 66 0f b7 0e 18 00  |fXfX..-f3.f.....|
00000120  66 f7 f1 fe c2 8a ca 66  8b d0 66 c1 ea 10 f7 36  |f......f..f....6|
00000130  1a 00 86 d6 8a 16 24 00  8a e8 c0 e4 06 0a cc b8  |......$.........|
00000140  01 02 cd 13 0f 82 19 00  8c c0 05 20 00 8e c0 66  |........... ...f|
00000150  ff 06 10 00 ff 0e 0e 00  0f 85 6f ff 07 1f 66 61  |..........o...fa|
00000160  c3 a0 f8 01 e8 09 00 a0  fb 01 e8 03 00 fb eb fe  |................|
00000170  b4 01 8b f0 ac 3c 00 74  09 b4 0e bb 07 00 cd 10  |.....<.t........|
00000180  eb f2 c3 0d 0a 41 20 64  69 73 6b 20 72 65 61 64  |.....A disk read|
00000190  20 65 72 72 6f 72 20 6f  63 63 75 72 72 65 64 00  | error occurred.|
000001a0  0d 0a 4e 54 4c 44 52 20  69 73 20 6d 69 73 73 69  |..NTLDR is missi|
000001b0  6e 67 00 0d 0a 4e 54 4c  44 52 20 69 73 20 63 6f  |ng...NTLDR is co|
000001c0  6d 70 72 65 73 73 65 64  00 0d 0a 50 72 65 73 73  |mpressed...Press|
000001d0  20 43 74 72 6c 2b 41 6c  74 2b 44 65 6c 20 74 6f  | Ctrl+Alt+Del to|
000001e0  20 72 65 73 74 61 72 74  0d 0a 00 00 00 00 00 00  | restart........|
000001f0  00 00 00 00 00 00 00 00  83 a0 b3 c9 00 00 55 aa  |..............U.|
00000200

themaddoctor avatar Oct 09 '20 01:10 themaddoctor

perfect, well what do you suggest as the next attempt? try imaging the whole drive and decrypting the image? "tech@tech:~/go/bin$ sudo ./reallymine decrypt /dev/sda '/media/tech/Data/~Tech-Backups/#33029/decrypted.img' error running decrypt: read /dev/sda: input/output error"

restoring a 1.5b to a 4tb blank, cant decrypt more than 1.2GB and it errors.

lordnecro0 avatar Oct 09 '20 03:10 lordnecro0

running a ddrescue of the drive to an image

lordnecro0 avatar Oct 09 '20 03:10 lordnecro0

Ask me in the morning.

themaddoctor avatar Oct 09 '20 03:10 themaddoctor

no problems, thanks for your help man. i really appreciate it, i'll let you know how the ddrescue goes.

sudo ddrescue -f -n /dev/sda /media/tech/Data/ddrescueimahe /media/tech/Data/recovery.log
GNU ddrescue 1.23
Press Ctrl-C to interrupt
ipos: 24467 MB, non-trimmed: 49152 B, current rate: 32636 kB/s
opos: 24467 MB, non-scraped: 0 B, average rate: 32366 kB/s
non-tried: 1475 GB, bad-sector: 0 B, error rate: 0 B/s
rescued: 24437 MB, bad areas: 0, run time: 12m 35s
pct rescued: 1.62%, read errors: 2, remaining time: 12h 55m
time since last successful read: 0s

lordnecro0 avatar Oct 09 '20 04:10 lordnecro0

Anyway, the decryption method is to reverse each block of 4 bytes, decrypt as AES-256-ECB, then reverse each 4-byte block again. If you write a short program that does the reversals, then you can pipe it through openssl, like I did in the comment where I decrypted your sector 2048. So you should be able to decrypt the image you made into another (decrypted) image.

themaddoctor avatar Oct 09 '20 22:10 themaddoctor

image was successful;

sudo ddrescue -f -n /dev/sda /media/tech/Data/ddrescueimahe /media/tech/Data/recovery.log
GNU ddrescue 1.23
Press Ctrl-C to interrupt
ipos: 1042 GB, non-trimmed: 0 B, current rate: 14336 B/s
opos: 1042 GB, non-scraped: 110592 B, average rate: 30207 kB/s
non-tried: 0 B, bad-sector: 8192 B, error rate: 256 B/s
rescued: 1500 GB, bad areas: 16, run time: 13h 47m 47s
pct rescued: 99.99%, read errors: 25, remaining time: 4s
time since last successful read: 0s
Finished

lordnecro0 avatar Oct 11 '20 21:10 lordnecro0

ok, heres the hard part then! So that is using the decrypt command with the details youve used below?

cat lordnecro0-sector2048.hex | cut -b 8- | tr -d ' \n' | permute 4 2301 | permute 8 67452301 | xxd -p -r | openssl enc -d -aes-256-ecb -nopad -K cat lordnecro0-DEK.hex | permute 4 3210 | hexdump -C

lordnecro0 avatar Oct 11 '20 21:10 lordnecro0

You need "permute". Here is my source (it's not pretty):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* usage: permute blocksize pattern [infile|-] [outfile|-]
   Reads blocksize bytes at a time and writes them in the order given by
   pattern: one hex digit per output byte, '-' writes a zero byte.
   A trailing partial block is dropped. */
int main (int argc, char *argv[]) {
  FILE *infile, *outfile;
  short bytes[17];
  char pattern[17], onenum[2];
  int numbytes, numoutbytes, count;
  int usestdin = 0, usestdout = 0;  /* must be 0 when a file name is given */

  if (argc < 3) {
    fprintf (stderr, "usage: permute blocksize pattern [infile] [outfile]\n");
    return 1;
    }
  if (argc < 5 || strcmp (argv[4], "-") == 0) {
    usestdout = 1;
    outfile = stdout;
    }
  else if (!(outfile = fopen(argv[4], "wb"))) {
    fprintf (stderr, "error opening output file\n");
    return 1;
    }
  if (argc < 4 || strcmp (argv[3], "-") == 0) {
    usestdin = 1;
    infile = stdin;
    }
  else if (!(infile = fopen(argv[3], "rb"))) {
    fprintf (stderr, "error opening input file\n");
    return 1;
    }

  /* progress messages only when stdout is not carrying the data */
  if (!usestdout) {
    if (usestdin)
      printf ("reading from stdin\n");
    else {
      printf ("reading from \"%s\"\n", argv[3]);
      printf ("writing  to  \"%s\"\n", argv[4]);
      }
    }

  /* bytes[] holds at most 16 input bytes, pattern[] at most 16 digits */
  if (sscanf (argv[1], "%d", &numbytes) != 1 || numbytes < 1 || numbytes > 16
      || strlen (argv[2]) > 16) {
    fprintf (stderr, "blocksize must be 1-16, pattern at most 16 digits\n");
    return 1;
    }
  strcpy (pattern, argv[2]);
  numoutbytes = strlen (pattern);
  for (count=0; count<numoutbytes; count++) {
    if (pattern[count] == '-')
      pattern[count] = 16;          /* index of the constant zero byte */
    else {
      char *end;
      onenum[0] = pattern[count];   /* one hex digit, NUL-terminated */
      onenum[1] = 0;
      pattern[count] = strtol (onenum, &end, 16);
      if (*end != 0 || pattern[count] >= numbytes) {
        fprintf (stderr, "bad pattern digit\n");
        return 1;
        }
      }
    }
  bytes[16] = 0;

  if (!usestdout) {
    printf ("permutation:  |");
    for (count=0; count<numoutbytes; count++)
      if (pattern[count] == 16)
        printf ("-|");
      else
        printf ("%d|", pattern[count]);
    printf ("\n");
    }
  /* read one block, then write it out in pattern order */
  while (!feof (infile)) {
    for (count=0; count<numbytes; count++)
      bytes[count] = fgetc (infile);
    if (!feof (infile))
      for (count=0; count<numoutbytes; count++)
        fputc (bytes[pattern[count]], outfile);
    }
  fclose (infile);
  fclose (outfile);
  return 0;
  }

You will have to compile it.

Then cat /path/to/your/image | permute 4 3201 | openssl enc -d -aes-256-ecb -nopad -K 8A9A41F4F62B8AEBBE410A5852F1E9BE06A40B82492DBBA744286D3E57FEE2E3 | permute 4 3210 > /path/to/decrypted/image

I don't know what will happen with a TB of data, but good luck. Let me know how it goes.

themaddoctor avatar Oct 11 '20 22:10 themaddoctor

yeah, the hard part. i'm trying to compile with gcc and getting an error. do you recommend downloading permute or just building from your source?

lordnecro0 avatar Oct 11 '20 23:10 lordnecro0

got him going, thanks heaps for the script. i'm using a weird keyboard which is outputting a different ' everytime.

lordnecro0 avatar Oct 11 '20 23:10 lordnecro0

To monitor the progress, you have to open another terminal and look at the size of the decrypted image.

Let me know when it finishes.

themaddoctor avatar Oct 12 '20 00:10 themaddoctor

thanks themaddoctor, about 320GB so far

lordnecro0 avatar Oct 12 '20 03:10 lordnecro0

looks like it finished up around midnight, 987.1GB, 8 hours to decrypt. so how do i mount this bad boy to see what we got?

lordnecro0 avatar Oct 12 '20 22:10 lordnecro0

That depends on whether Windows corrupted the MBR.

file -s /path/to/decrypted/image

themaddoctor avatar Oct 13 '20 00:10 themaddoctor

file -s /media/tech/Data/ExtractedData.img
/media/tech/Data/ExtractedData.img: data

mounting it in disk image mounter it shows as unrecognized

lordnecro0 avatar Oct 13 '20 01:10 lordnecro0

Try this:

sudo mkdir /mnt/temp
sudo losetup -o 1048576 -f /path/to/decrypted/image
sudo losetup -j /path/to/decrypted/image

Make a note of the number in the answer to the last command, and replace X with that number in the next command.

sudo mount /dev/loopX /mnt/temp

themaddoctor avatar Oct 13 '20 02:10 themaddoctor

sudo mkdir /mnt/temp

tech@tech:~/wd$ sudo losetup -o 1048576 -f /media/tech/Data/
$RECYCLE.BIN/ ExtractedData ddrescueimahe

tech@tech:~/wd$ sudo losetup -o 1048576 -f /media/tech/Data/ExtractedData

tech@tech:~/wd$ sudo losetup -j /media/tech/Data/ExtractedData
/dev/loop5: [2082]:1390685 (/media/tech/Data/ExtractedData)
/dev/loop12: [2082]:1390685 (/media/tech/Data/ExtractedData), offset 1048576

tech@tech:~/wd$ sudo mount /dev/loop5 /mnt/temp
mount: /mnt/temp: can't read superblock on /dev/loop5.

tech@tech:~/wd$ sudo mount /dev/loop12 /mnt/temp
mount: /mnt/temp: can't read superblock on /dev/loop12.

lordnecro0 avatar Oct 13 '20 04:10 lordnecro0

is that a no go?

lordnecro0 avatar Oct 13 '20 06:10 lordnecro0

hexdump -n 512 -C /dev/loop12 should tell us something

themaddoctor avatar Oct 13 '20 11:10 themaddoctor

ok i had the machine reboot over night, now i have a problem; its only showing Dev3 "sudo losetup -j /media/tech/Data/ExtractedData /dev/loop3: [2066]:1390685 (/media/tech/Data/ExtractedData), offset 1048576"

lordnecro0 avatar Oct 13 '20 21:10 lordnecro0

That doesn't matter. What does hexdump -n 512 -C /dev/loop3 give?

themaddoctor avatar Oct 13 '20 21:10 themaddoctor

ok phew. running the losetup commands again wouldn't cause any issues...?

sudo hexdump -n 512 -C /dev/loop3

lordnecro0 avatar Oct 13 '20 21:10 lordnecro0

its using a ' in the code, so the forum code is converting it to a "code" removing a few characters

sharetxt.xyz/id?7271

lordnecro0 avatar Oct 13 '20 21:10 lordnecro0

That is NOT what I got when I decrypted your sector 2048 (see above).

I hate to think that the decryption wasn't done right.

Try decrypting to a new image, but interrupt it after 5MB. Then hexdump that. Also send the exact command you used.

themaddoctor avatar Oct 13 '20 22:10 themaddoctor

'cat /media/tech/Data/ddrescueimahe | permute 4 3201 | openssl enc -d -aes-256-ecb -nopad -K 8A9A41F4F62B8AEBBE410A5852F1E9BE06A40B82492DBBA744286D3E57FEE2E3 | permute 4 3210 > /media/tech/Data/RescuedData'

is the decryption command i used. running a new decrypt now, will post the dump shortly

lordnecro0 avatar Oct 13 '20 22:10 lordnecro0

I see "3201" and "3210", but both need to be "3210"

themaddoctor avatar Oct 13 '20 23:10 themaddoctor
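A pre-flight check for the pipeline discussed in this thread, added here as an example (not code from the thread or from reallymine): it confirms that a permute pattern is the full 4-byte reversal and that a trial-decrypted sector 2048 looks like an NTFS boot sector before a full-image run is started. The function names are hypothetical, patterns are limited to digits 0-9, and the sample sector is constructed from the head and tail bytes of the decrypted dump above.

```c
#include <stdio.h>
#include <string.h>

/* One permute block: out[i] = in[pattern[i]], digits 0-9 only (assumption).
   Returns -1 if the pattern length or any index does not fit the block. */
int apply_pattern(const unsigned char *in, unsigned char *out,
                  size_t n, const char *pattern)
{
    if (strlen(pattern) != n)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (pattern[i] < '0' || (size_t)(pattern[i] - '0') >= n)
            return -1;
        out[i] = in[pattern[i] - '0'];
    }
    return 0;
}

/* swaplongs is a full reversal of each word: pattern[i] == n-1-i. */
int is_byte_reversal(const char *pattern, size_t n)
{
    if (strlen(pattern) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (pattern[i] != (char)('0' + (n - 1 - i)))
            return 0;
    return 1;
}

/* A trial-decrypted sector 2048 should carry the NTFS OEM ID at offset 3
   and the 55 AA signature at offset 510. */
int looks_like_ntfs_boot(const unsigned char *sector)
{
    return memcmp(sector + 3, "NTFS    ", 8) == 0
        && sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Constructed sample: head and tail bytes of the decrypted dump above. */
void make_sample_sector(unsigned char *s)
{
    static const unsigned char head[11] =
        { 0xeb, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ' };
    memset(s, 0, 512);
    memcpy(s, head, sizeof head);
    s[510] = 0x55;
    s[511] = 0xAA;
}

int main(void)
{
    unsigned char s[512], w[4];
    const char *pats[] = { "3201", "3210" };
    make_sample_sector(s);
    for (int p = 0; p < 2; p++) {
        apply_pattern(s, w, 4, pats[p]);
        printf("%s reversal=%d -> %02x %02x %02x %02x\n", pats[p],
               is_byte_reversal(pats[p], 4), w[0], w[1], w[2], w[3]);
    }
    printf("sector looks like NTFS: %d\n", looks_like_ntfs_boot(s));
    return 0;
}
```

Running the same two checks on the first few megabytes of output catches a mistyped pattern before hours are spent on the whole image.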
