NiKoDeMoS pReSeNtZ

The Quick Guide to Smashing those insidious *.DAT filez.

It all began one day with a casual stroll through http://www.Fravia.org/ when I came across the interesting information about USER.DAT and SYSTEM.DAT. Amazed to find all of this interesting information about myself stored in there, I set out on a quest to pursue this mysterious file.

Problem:

Figure out what the Hell USER.DAT and SYSTEM.DAT are, and how to extract any gems that might be found.

The Attack:

It was really quite simple. The first thing that I did was go into a DOS session. You'll notice that USER.DAT is hidden. Try a:

ATTRIB -H USER.DAT

And you get some stupid message about Windows not even going there. Try to copy it:

COPY USER.DAT USERSV.DAT

And it can't see the file. Can't modify it. So, I just did

EDIT USER.DAT

Then took File Save as … and got myself a malleable copy!

Okay, I noticed there were some good strings. I wanted to list them in a logical way. My first attempt, getinfo.zip, was rather limited. I load the file into a buffer, then scan the buffer for certain strings (Name, Address, Mail) and then dump whatever valid alphanumeric characters I find after that. Gave some interesting results.

What next? Let's see how the darned things are stored! So, I pulled out a handy hex editor and started examining strings. What I found was something like this:

0000 0700 0800 5573 6572 2049 444A 4C49 4B4E 5304 0000 ……User IDJLIKNESS…

Interesting. For similar strings, we see a similar pattern.

Based on this, I make the assumption:

    struct ms_garbage_entry {
        char dummy1;            /* the three dummies were all called "dummy"; renamed so a C compiler accepts the struct */
        char desc_offset;
        char dummy2;
        char val_offset;
        char dummy3;
        char stringstuff[512];  /* description text, immediately followed by the value */
    } it;

Now this is grossly over-simplified, mostly because the offsets are probably words (two-byte integers) and the strings may extend to be longer, but this simplification seems to work okay for us.

So, it was simple. I went back to getinfo and modified it to a new program, getinf.zip. The basic changes were that instead of worrying about the content of this data, I am going to simply match the above structure. I go through the buffer and move it into the structure. If the dummies are not zero, I assume a bad hit and move on. I then check the value at stringstuff + desc_offset + val_offset and hope for something. The end doesn't seem to be consistent (most common is 0x01, but there is other stuff as well!).
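The scanner described above, written out in C as an added example (this is not the essay's getinf code). It assumes that desc_offset and val_offset are the byte lengths of the description and of the value, which is what the stringstuff + desc_offset + val_offset arithmetic implies, and it runs over a constructed buffer rather than a real USER.DAT; the printable-ASCII filter stands in for the "valid alphanumeric characters" check.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample buffer, not bytes from a real USER.DAT: two records in the
 * layout the essay assumes (00 <desc_len> 00 <val_len> 00 <desc><val>), with
 * junk bytes around them so the scanner has to reject false hits. */
static const unsigned char sample[] = {
    0x04, 0x00, 0x00,                                  /* leading junk */
    0x00, 0x07, 0x00, 0x08, 0x00,
    'U','s','e','r',' ','I','D', 'J','L','I','K','N','E','S','S',
    0x01, 0x00, 0x00,                                  /* trailer + junk */
    0x00, 0x04, 0x00, 0x05, 0x00,
    'M','a','i','l', 'j','a','y','k','e',
    0x01
};

struct hit { char desc[256]; char val[256]; };
static struct hit g_hits[16];
/* True if the n bytes at p are all printable ASCII (n == 0 is not a hit). */
static int all_printable(const unsigned char *p, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) if (!isprint(p[i])) return 0;
    return n > 0;
}
/* Scan buf for records matching the essay's struct and copy up to max of them
 * into out. Returns the number found. Every read is bounds-checked, so a
 * record truncated at the end of the buffer is skipped, not read past. */
size_t scan_entries(const unsigned char *buf, size_t len, struct hit *out, size_t max) {
    size_t i, n = 0;
    for (i = 0; i + 5 <= len && n < max; i++) {
        unsigned char dlen = buf[i + 1], vlen = buf[i + 3];
        const unsigned char *desc = buf + i + 5;
        if (buf[i] || buf[i + 2] || buf[i + 4]) continue;      /* dummies must be 0 */
        if (dlen == 0 || vlen == 0 || i + 5 + dlen + vlen > len) continue;
        if (!all_printable(desc, dlen) || !all_printable(desc + dlen, vlen)) continue;
        memcpy(out[n].desc, desc, dlen);        out[n].desc[dlen] = '\0';
        memcpy(out[n].val, desc + dlen, vlen);  out[n].val[vlen] = '\0';
        n++;
        i += 4 + dlen + vlen;                   /* resume after this record */
    }
    return n;
}

int main(void) {
    size_t k, n = scan_entries(sample, sizeof sample, g_hits, 16);
    for (k = 0; k < n; k++) printf("%s = %s\n", g_hits[k].desc, g_hits[k].val);
    return 0;
}
```

Passing a shorter len than the buffer really has shows the truncation guard: a record whose strings would run past the end is simply not reported.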

Anyway, the result is that we get a pretty good parsing. The information is extraordinary. Close examination by dumping into an output file:

GETINF c:\windows\user.dat > string.txt

Leads to the following conclusion:

Conclusion:

The USER.DAT and SYSTEM.DAT files are manifestations of the registry!!!! If you search through your registry, then check the values in these files, you'll see the startling similarity!! This is the hidden file system of the registry, I'm convinced of it.

Future projects:

There is a lot more to do. We need to find out

  1. What every byte in the file means
  2. How information is referenced (where are the pointers, offsets?)
  3. How to EXACTLY determine the data type of a value (my program guesses, but doesn't always guess right!)
  4. How to update directly to this file, thus bypassing any Windows-monitored registry gateway


THAT'S IT FOR NOW!!! UNTIL NEXT TIME ….

mailto://jayke@mindspring.com