I need to prove that a VB.NET program that I wrote was written at a particular time.
(The reason is an academic integrity investigation where someone copied my code.)
I have all the code on my disk, including the debug and release folders, with my username in the build paths.
Are there additional things I could do, such as looking in the binaries?
If you use IL Disassembler to open the EXE/DLL, then select menu option View>Header, there is a field called "Time-date stamp" in the COFF/PE header. It's in binary format, and according to MSDN it is:
The low 32 bits of the time stamp of the image. This represents the date and time the image was created by the linker. The value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated Time, according to the system clock.
First thing you should do is copy all of the data as it stands to another device - making sure you preserve all date times. Do not open or edit any of the files.
Each file will have three timestamps: when it was created, when it was last modified, etc. These can be found using DIR /T
/T          Controls which time field displayed or used for sorting
 timefield   C  Creation
             A  Last Access
             W  Last Written
Get a listing of the directory like this:
DIR myrootdir /s /ah /as /tc > fileslist.txt
This will dump out all the files with creation times to a file called fileslist.txt
Also, as #EricJ says: offer your disk as evidence - but like I said, make a copy first. It would be best to make an image copy (Windows backup) to another drive first.
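As an added example (not part of the answer above, and not a DIR replacement the answer proposes), the following Python script does what the DIR /tc listing does for all three timestamps at once: it walks a project tree, records size, creation, last-written and last-access times for every file using metadata calls only (it never opens the files, so access times are not disturbed), and writes the listing outside the tree. The sample tree it builds in a temporary directory, the file names in it and the output file name are constructed for the demonstration. Note the platform caveat in the comments: on Linux st_ctime is the inode change time, not the creation time.

```python
import os
import tempfile
from datetime import datetime, timezone


def _utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def inventory(root: str) -> list:
    """Record size and the three timestamps of every file under root, reading metadata only."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # stat only: the file is never opened, so its access time is untouched
            # Creation time: st_birthtime where the platform exposes it (macOS, Windows on
            # Python 3.12+); otherwise st_ctime, which is the creation time on older Windows
            # builds but the inode *change* time on Linux, so label the column when reporting.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "created_utc": _utc(created),
                "last_written_utc": _utc(st.st_mtime),
                "last_access_utc": _utc(st.st_atime),
            })
    records.sort(key=lambda r: r["path"])
    return records


def write_listing(records: list, out_path: str) -> int:
    """Write the records as tab-separated text (put out_path OUTSIDE the evidence tree). Returns the row count."""
    columns = ["path", "size", "created_utc", "last_written_utc", "last_access_utc"]
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\t".join(columns) + "\n")
        for r in records:
            out.write("\t".join(str(r[c]) for c in columns) + "\n")
    return len(records)


def make_sample_tree() -> str:
    """Constructed stand-in for a project folder, so the script can be tried without real evidence."""
    root = tempfile.mkdtemp(prefix="vbproj_")
    os.makedirs(os.path.join(root, "bin", "Debug"))
    with open(os.path.join(root, "Form1.vb"), "w") as f:
        f.write("' constructed sample source")
    with open(os.path.join(root, "bin", "Debug", "App.exe"), "wb") as f:
        f.write(b"MZ" + bytes(62))  # constructed header-only stand-in for a built binary
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    recs = inventory(root)
    count = write_listing(recs, os.path.join(tempfile.gettempdir(), "fileslist.txt"))
    print("%d files listed; first record: %s" % (count, recs[0]))
```

Run it against the copied tree, not the original disk, and hash the files only on the copy: hashing means opening them, which is exactly what the answer tells you not to do on the evidence itself.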
The investigators are going about this all the wrong way.
Any timestamp data can be faked, so the best way would be for them to sit down and ask detailed questions about how the code works, to both parties separately.
Or to ask both parties to complete a small test project, again separately - under exam conditions.
The one that copied the work won't understand what they copied most likely, and won't be able to reproduce something based on similar concepts.
The one who did write it - well, unless they cheated too, they will understand it all in depth.
I'm trying to build a new voice for MaryTTS in German for a while now, but didn't succeed so far. I followed a tutorial (https://github.com/marytts/marytts/wiki/HMMVoiceCreation) and tried to understand each step. No matter what I do, I get stuck at step 14 (HMMVoiceMakeVoice), the error being:
ERROR [+2121] HInit: Too Few Observation Sequences
which usually means, that the tested phone (en9 in this example) is not found within my data set.
After changing the locale, the same error happened on the phone "de27", as Nikolay Shmyrev pointed out.
I doubt that though, since I use about 500 Audio files, which have a length of at least 5 sec, so a total well over an hour of footage.
In fact, I skipped the "en9" phone, since I don't know what exactly is represented by it. The next one to fail was "oI", which I located manually about ten times in the first few audio files.
I think it has to do with the automatic labeling not working properly (steps 2-4), but I don't know what I can do to get a better result.
Edit: I uploaded all the files I get until this step, which can be inspected on this shared google drive. Note, that I could not, for copyright reasons, upload the wav folder. In the logs directory, you can find the logs after each step. I couldn't find any problems there, but maybe someone will.
I do not completely understand the structure of the generated data, but I thought changing the MARYBASE/mary/trickyPhones.txt and running the make tools again would be enough to change the map name from "tS" to "Z" which sounds about the same in German. But the HMMVoiceMakeVoice still results in the same output.
So this is an intro class I am taking in reverse engineering.
So I have two files that are the same program and one is supposed to have a trojan in it.
I looked at both files and have found some very odd things. However, I don't have reasons as to why it would happen.
The PE header is different. In one file in the DOS header the PE header is located at offset F0 and the other at F8. Why? I don't really understand. Why would someone change the PE header by 8 bytes?
I noticed the code entry points are different too. Does this mean that the start of the program is jumping elsewhere, meaning both programs are running from different locations?
I noticed all of the RVAs for, say, the export or import table have increased or shifted up higher. I assume this is because the PE header shifted by 8 bytes, therefore everything else in the file will shift up too.
The size of code value is different, as I found one file is a bit larger than the other. The time stamps are different too, meaning that the file must have been edited.
One of the files has the import symbol execve, while the other does not. I don't know what this symbol does.
Lastly, I think 1 of the export symbols has jumps and such, that the other does not have. Meaning that it is doing something it shouldn't be doing.
Anyway, these are some observations I have noticed. I just need help making sense of what these observations might mean.
Thanks.
A Noob reverse engineer.
Hopefully this will clear some things up.
I noticed the code entry points are different too. Does this mean that the start of the program is jumping else where meaning both programs are running from different locations.
OK, the change in the code entry points can clearly indicate that the code has been tampered with, and often means that the malicious code will be called on entry and then the malicious code will run the normal code thereafter. This is done so that the user does not notice the application has been tampered with.
The size of code value is different, as I found one file is a bit larger than the other. The time stamps are different too meaning that the file must have been edited.
The change in size can also indicate that there is malicious code in the executable, because executables are not supposed to grow (I don't know what you are feeding yours).
One of the files has the import symbol execve, while the other does not. I don't know what this symbol does?
As for execv, please see _execv, _wexecv on MSDN.
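The fields the two threads above look at by hand (the "Time-date stamp" from the COFF header in the first thread, and the PE header offset, entry point and size of code compared between the two binaries in this one) can be read straight from the bytes. The Python below is an added example, not code from either thread nor from IL DASM or dumpbin: it parses those fields from a raw image, decodes the timestamp as the MSDN text describes it (seconds since 1970-01-01 UTC), and reports which fields differ between two images. The e_lfanew values 0xF0 and 0xF8 come from the question; the timestamps, sizes and entry points are made up, and the images it builds are header-only and not loadable. One caveat for the academic-integrity use: the timestamp is a plain DWORD anyone can rewrite, and compilers' reproducible-build modes (Roslyn's -deterministic, for instance) store a content hash there instead of a time, so it corroborates the filesystem evidence rather than replacing it.

```python
import struct
from datetime import datetime, timezone

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C      # DWORD in the DOS header holding the file offset of "PE\0\0"
COFF_HEADER_SIZE = 20       # Machine .. Characteristics, per the PE/COFF specification


def linker_time_utc(stamp: int) -> str:
    """Render the COFF TimeDateStamp (seconds since 1970-01-01 UTC) as a readable UTC time."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields discussed above from a raw PE image (EXE/DLL bytes)."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew=0x%X" % e_lfanew)
    coff = e_lfanew + 4
    (machine, num_sections, time_date_stamp, _sym_table, _num_syms,
     _opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (an RVA)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": num_sections,
        "time_date_stamp": time_date_stamp,
        "linker_time_utc": linker_time_utc(time_date_stamp),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "0x%X" % magic),
        "size_of_code": size_of_code,
        "address_of_entry_point": entry_point,
    }


def diff_pe_headers(a: bytes, b: bytes) -> dict:
    """Fields whose values differ between two images, as {field: (value_in_a, value_in_b)}."""
    fa, fb = parse_pe_header(a), parse_pe_header(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}


def build_minimal_pe(e_lfanew: int, time_date_stamp: int, size_of_code: int, entry_point: int) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and the first 20 bytes of a
    PE32 optional header. Header-only and not loadable; it exists so the parser runs offline."""
    dos = bytearray(e_lfanew)                   # zero-filled DOS header/stub up to e_lfanew
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, time_date_stamp, 0, 0, 224, 0x0102)  # i386, 3 sections
    # Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint
    optional = struct.pack("<HBBIIII", 0x10B, 14, 0, size_of_code, 0, 0, entry_point)
    return bytes(dos) + PE_SIGNATURE + coff + optional


if __name__ == "__main__":
    # Constructed pair: e_lfanew 0xF0/0xF8 are the values the question reports; the timestamps,
    # sizes and entry points are invented for the demonstration.
    original = build_minimal_pe(0xF0, 1356998400, 0x1000, 0x1234)          # 2013-01-01 00:00:00 UTC
    modified = build_minimal_pe(0xF8, 1356998400 + 86400, 0x1200, 0x4000)  # a day later, more code
    for field, (before, after) in diff_pe_headers(original, modified).items():
        print("%-24s %r -> %r" % (field, before, after))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to parse_pe_header; the differing-field report is the same checklist the class exercise asks for (header offset, entry point, timestamp, size of code), which the import-table comparison then extends.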
I have got a PE executable file *.exe (32-bit), which is a small application (2.6 MB) to update the firmware software of a TV device. However, the update mechanism was only available up to 2013-03-12. I want to hack this executable just for pleasure. I'm trying to find this expiration date in the file hexdump using PE Explorer, and replace it with some date in the future to make this program work.
I found this article about binary date format:
binary date format
I am trying to find something like this value:
2013-03-xx: 0x713xxxxx
Is this a good approach to solve my task? Any suggestions? Do you know any others tools for hexdump that may be useful?
Best regards,
WP
There are likely a lot of values of the form 0x713xxxxx -- 2.6 MB might be larger than you've thought when you start looking through it more or less at random (you don't actually know that the application uses this date format internally).
The conventional approach to deal with this sort of problem is to use a tool to step through the program, examining the code that is executing, until you find the point where the check occurs. Then simply disable the check so that it always fails -- by altering the date, or simply by altering the code.
A popular tool for stepping through code that you do not control is the Interactive Disassembler, IDA. You can download a freeware version of it here: https://www.hex-rays.com/products/ida/support/download_freeware.shtml
It might be harder than you think to do what you want, but you'll almost certainly learn a lot by trying.
Be aware of the legal issues you may be getting yourself into by making modifications to someone else's binaries, particularly if you distribute them afterwards.
dumpbin is a good PE parser (but if I were you, I wouldn't do such kinds of time stamp hacks :))
Is there any way to use an HTML anchor tag in a GML file? I want to create a hyperlink to a location/point in a GML file.
How can I do so?
Thanks in advance.
This is a little known GML technique that GREATLY increases the power of Game Maker, and is well worth learning, but as a note, it does NOT work in Studio, because of the countless new restrictions on commands. Go back to GM8.1 (I only ever use that now), and you should have no problem making use of this technique.
The technique is to write a program in another language through GML (batch, VBS, etc., or in this case HTML), execute it through GML, then delete the program.
Quite simply, use the file_text commands to create a file with the correct content and extension, execute it with execute_program, and then delete it with file_delete.
Specifically for this script:
argument0 is the link, including the protocol.
argument1 is the anchor, minus the # (that's handled for you).
argument2 is the full browser path.
argument3 is important. This is the time in milliseconds the program will wait before deleting the temporary link file.
(The execute_program command, even when told to wait for the program to complete, continues as soon as the temp file is loaded. If external, the redirect takes some time depending on your connection, so deleting the temporary file halfway through will cause it to fail. 10 milliseconds worked fine for me. The program will hang for this time in this setup, but if you would like to set up an alarm based system to stop it from hanging, that wouldn't be too hard.)
In other uses of this technique without the use of the internet (I use small batch and vbs files a lot), the "hang time" (pun not intended) is usually not necessary.
In addition, the browser location will need to be changed for each different computer.
// Script: open argument0#argument1 in the browser at argument2, then remove the temporary page
// argument0 = link including protocol, argument1 = anchor without the '#',
// argument2 = full browser path, argument3 = milliseconds to wait before deleting the file
file=file_text_open_write(temp_directory+"\tempLink.html")
file_text_write_string(file,'<!DOCTYPE html>')
file_text_writeln(file)
file_text_write_string(file,'<html>')
file_text_writeln(file)
// The page does nothing but redirect itself to the link plus anchor once it has loaded
file_text_write_string(file,'<body onload="')
file_text_write_string(file,"location.href='")
file_text_write_string(file,argument0+"#"+argument1+"';")
file_text_write_string(file,'">')
file_text_writeln(file)
file_text_write_string(file,'</body>')
file_text_writeln(file)
file_text_write_string(file,'</html>')
file_text_close(file)
// execute_program returns as soon as the temp file is loaded, not when the redirect finishes
execute_program(argument2,temp_directory+"\tempLink.html",true)
// Give the redirect time to start before the page is removed
sleep(argument3)
file_delete(temp_directory+"\tempLink.html")
Sorry, I wish it was possible, but it's not unless you want to spend a lot of time with DLLs. BUT you can create a script and reuse it everywhere in your code...
script0(argument0,argument1...)
Good news, my C64 is still running after lots of years spent in my attic..
But what I always wanted to know is:
How can I automatically load & run a program from a floppy disk that is already inserted when I switch on the C64?
Some auto-running command like load "*",8,1 would be adequate...
Regards
MoC
You write that a command that you type in, like LOAD"*",8,1 would be adequate. Can I assume, then, that the only problem with that particular command is that it only loads, but doesn't automatically run, the program? If so, you have a number of solutions:
If it's a machine language program, then you should type LOAD"<FILENAME>",8,1: and then (without pressing <RETURN>) press <SHIFT>+<RUN/STOP>.
If it's a BASIC program, type LOAD"<FILENAME>",8: and then (without pressing <RETURN>) press <SHIFT>+<RUN/STOP>.
It is possible to write a BASIC program such that it automatically runs when you load it with LOAD"<FILENAME>",8,1. To do so, first add the following line to the beginning of your program:
0 POKE770,131:POKE771,164
Then issue the following commands to save the program:
PRINT"{CLR}":POKE770,113:POKE771,168:POKE43,0:POKE44,3:POKE157,0:SAVE"<FILENAME>",8
This is not possible without some custom cartridge.
One way to fix this would be getting the Retro Replay cartridge and hacking your own code for it.
I doubt there is a way to do it; you would need a cartridge which handles this case and I don't think one like that exists.
A better and more suitable solution is EasyFlash actually. Retro Replay is commonly used with its own ROM. Since it is a very useful cartridge by default ROM, I would never flash another ROM to it. Also it is more expensive than EasyFlash if you don't have any of those cartridges.
At the moment, I have Prince Of Persia (!) ROM written to my EasyFlash and when I open my c64, it autoruns just like you asked for.
Not 100% relevant, but the C128 can autoboot disks in C128 mode. For example, Ultima V (which has music on the C128 but not on the C64 or the C128 in C64 mode) autoboots.
As for cartridges, I'd recommend 1541 Ultimate 2. It can also run games from module rom images (although Prince of Persia doesn't work for me for some reason, perhaps software issue?), but you also get rather good floppy emulator (which also makes it easier to transfer stuff to real disks), REU, tape interface (if you order it) etc.
If you are working with an ML program, there are several methods. If you aren't worried about ever returning to the normal READY prompt without a RESET, you can have a small loader that loads into the stack ($0100-$01FF). The loader would just load the next section of code, then jump to it. It would start at $0102 and needs to be as small as possible. Many times, the next piece to load is only 2 characters, so the file name can be placed at $0100 & $0101. Then all you need to do is set LFS, SETNAM, LOAD, then JMP to it. Fill the rest of the stack area with $01. It is also rather safe to only save $0100-$010d so that the entire program will fit on a single disk block.
One issue with this is that it clears out past stack entries (so your program will need to reset the stack pointer back to the top). If your program tries to do a normal RTS out of itself, random things can occur. If you want to exit the program, you'll need to JMP to the reset vector ($FFFC by default) to do so.