HOLA 3
Hackers of the Lost Ark Winning Answers
By: Kevin Shannon
1. The purpose of the attacker's "dir" command was to
produce a text file named 'file.txt' list of the C:
drive and all subdirectories, NOT containinging any
hidden, system, or read-only files.
The purpose of the attacker's "find" command was to
search through the 'file.txt' list and display the
line number of any line containing "LostArk"
2. The purpose of the attacker's "strings" command
was to do an ASCII search of the C:\ drive and all
subdirectories to find the number string "9906753".
3. The purpose of the attacker's "lads" command was
to list each and every alternate data stream (ADS)
containing the text "LostArk", for all directories on
the C:\ drive, including all subdirectories.
4. The purpose of the attacker's "dd" command was to
display in the MS-DOS window, the contents of the
physical memory. The "conv=noerror" command will grab
the system memory until you reach the end of file
error. As a result, you will see a beginning error
reported when the starting offset of the read goes
beyond the range of addressable physical memory, "The
parameter is incorrect." This is equivalent to an end
of file condition and is expected.
There is one problem with the attacker's "dd
if=\\.\PhysicalMemeory conv=noerror" command. The
command as written, does not pipe to a file and
therefore, will display the physical memory contents
directly to the MS-DOS screen.
There are two issues with displaying this information
directory to the MS-DOS screen:
1. The MS-DOS buffer size may not be large enough to
accomodate all of the physical memory contents and,
2. If the WINIAC server has a speaker connected,
this process will cause several annoying beeps to
occurr, which is probably how New Jersey Jones was
alerted to the WINIAC console in the first place!
5. I would think that the best method to secure the
file would be to encrypt it using a 4,096 bit
encryption key. As for concealing the location of the
file, nothing beats physical security. Put it on a
floppy, Zip, or Jaz disk and keep it in a safe.
If New Jersey Jones and the government would prefer to
keep the file on the WINIAC server, then definitely
rename it to anything other than "LostArk" or
"9906753", encrypt it, and store in a virtual disk
that may be unmounted. The attacker would never be
able to see the file, as it would exist in another
virtual disk file on the WINIAC file system. New
Jersey Jones would need to remember which virtual disk
and how to mount the virtual disk and decrypt the file
for viewing. And for heaven's sake, don't use the
WINIAC's ShadowCopy feature on this file!
KMS
Kevin Shannon
produce a text file named 'file.txt' list of the C:
drive and all subdirectories, NOT containinging any
hidden, system, or read-only files.
The purpose of the attacker's "find" command was to
search through the 'file.txt' list and display the
line number of any line containing "LostArk"
2. The purpose of the attacker's "strings" command
was to do an ASCII search of the C:\ drive and all
subdirectories to find the number string "9906753".
3. The purpose of the attacker's "lads" command was
to list each and every alternate data stream (ADS)
containing the text "LostArk", for all directories on
the C:\ drive, including all subdirectories.
4. The purpose of the attacker's "dd" command was to
display in the MS-DOS window, the contents of the
physical memory. The "conv=noerror" command will grab
the system memory until you reach the end of file
error. As a result, you will see a beginning error
reported when the starting offset of the read goes
beyond the range of addressable physical memory, "The
parameter is incorrect." This is equivalent to an end
of file condition and is expected.
There is one problem with the attacker's "dd
if=\\.\PhysicalMemeory conv=noerror" command. The
command as written, does not pipe to a file and
therefore, will display the physical memory contents
directly to the MS-DOS screen.
There are two issues with displaying this information
directory to the MS-DOS screen:
1. The MS-DOS buffer size may not be large enough to
accomodate all of the physical memory contents and,
2. If the WINIAC server has a speaker connected,
this process will cause several annoying beeps to
occurr, which is probably how New Jersey Jones was
alerted to the WINIAC console in the first place!
5. I would think that the best method to secure the
file would be to encrypt it using a 4,096 bit
encryption key. As for concealing the location of the
file, nothing beats physical security. Put it on a
floppy, Zip, or Jaz disk and keep it in a safe.
If New Jersey Jones and the government would prefer to
keep the file on the WINIAC server, then definitely
rename it to anything other than "LostArk" or
"9906753", encrypt it, and store in a virtual disk
that may be unmounted. The attacker would never be
able to see the file, as it would exist in another
virtual disk file on the WINIAC file system. New
Jersey Jones would need to remember which virtual disk
and how to mount the virtual disk and decrypt the file
for viewing. And for heaven's sake, don't use the
WINIAC's ShadowCopy feature on this file!
KMS
Kevin Shannon
